Tomcat Version 5.0.25
  JDK Version 1.5
   
   
  One of our vendors required client authentication to retrieve data. So, we got 
a Thawte Freemail Certificate and sent the vendor our serial number. Our vendor 
added that serial number to their application to allow us to contact their 
.aspx URL.
   
  We got the certificate .pfx file with the certificate chain. For our Java 
code to interact successfully with their URL, we had to import the certificate 
with the private key into a keystore. We created a keystore by extracting the 
private key from the .pfx file. So every time we connect using the HttpsURL 
connection, we set the keystore as follows:
   
        import java.io.OutputStreamWriter;
        import java.net.HttpURLConnection;
        import java.net.URL;

        // Tell JSSE which keystore (holding the client private key and cert chain)
        // to present to the vendor during the TLS handshake.
        System.setProperty("java.protocol.handler.pkgs", "com.sun.net.ssl.internal.www.protocol");
        System.setProperty("javax.net.ssl.keyStorePassword", _storePwd);
        System.setProperty("javax.net.ssl.keyStore", _keystorePath);

        URL urlToConnect = new URL(_url);
        HttpURLConnection conn = (HttpURLConnection) urlToConnect.openConnection();
        conn.setRequestMethod("POST");
        conn.setDoOutput(true);

        // Write the request parameters as the POST body.
        OutputStreamWriter wr = new OutputStreamWriter(conn.getOutputStream());
        wr.write(_parameter);
        wr.flush();
        wr.close();
   
  This works fine when we are connecting through the code: with no Tomcat, any 
standalone application works fine. Even on our development machine Tomcat works 
fine in exchanging data with the vendor. On our development machine we do not 
have IIS forwarding the request via the redirector.
   
  On our production it's not working; somehow, when we are sending the https 
request, it's not taking effect that the keystore is specified. Every time, 
instead of the expected result, we get an error page from them as follows:
  <html><head><title>Error</title></head><body><head><title>Secure Channel 
Client Authentication Required</title></head><body><h1>Secure Channel Client 
Authentication Required</h1>This Virtual Directory requires a browser that 
supports the configured encryption options.</body></body></html>
   
   
  On the production servers, if we directly connect to Tomcat via the http port 
mentioned in the server.xml, bypassing IIS, it works fine. We use 
http://localhost:9001/<url> to test the connectivity to the vendor.
   
  When we put IIS back in the mix, it does not work anymore. 
  When the http request comes from IIS to Tomcat, and Tomcat initiates the 
HttpsURLConnection to the URL specified, no IIS is involved in this round trip 
to the vendor URL, right? IIS forwards any request meant for Tomcat, and the 
HTML generated by Tomcat is forwarded back to IIS. Is that the only link 
between IIS and Tomcat, or do they interact more?
   
  When the Java code executes, it only looks at the keystore specified, right? 
Does having the .pfx file imported with the cert chain in the personal store 
matter to Java code? (On the local machine I did delete the certificate imported 
in the personal store and the Java code still worked fine.)
   
   
  Thanks a lot for reading,
  Rumpa Giri
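One way to make the client certificate explicit per connection instead of relying on the global javax.net.ssl.* system properties, as an added example that is not the poster's code: JSSE reads those properties only once, when the default SSLContext is first initialised, so a System.setProperty call made after some other HTTPS use in a long-running container such as Tomcat can silently have no effect. The .pfx is loaded directly as a PKCS12 keystore (no private-key extraction needed); the file path, password, vendor URL and parameter string are placeholders.

```java
import java.io.FileInputStream;
import java.io.OutputStreamWriter;
import java.net.URL;
import java.security.KeyStore;
import javax.net.ssl.HttpsURLConnection;
import javax.net.ssl.KeyManagerFactory;
import javax.net.ssl.SSLContext;
import javax.net.ssl.SSLSocketFactory;

public class ClientCertPost {
    // Build a socket factory that presents the client certificate from the .pfx.
    // Loading the .pfx as PKCS12 keeps the private key and chain together.
    static SSLSocketFactory clientCertFactory(String pfxPath, char[] pfxPassword) throws Exception {
        KeyStore ks = KeyStore.getInstance("PKCS12");
        FileInputStream in = new FileInputStream(pfxPath);
        try {
            ks.load(in, pfxPassword);
        } finally {
            in.close();
        }
        KeyManagerFactory kmf = KeyManagerFactory.getInstance(KeyManagerFactory.getDefaultAlgorithm());
        kmf.init(ks, pfxPassword);
        // Trust managers stay null: the JDK default trust store still validates the vendor's server cert.
        SSLContext ctx = SSLContext.getInstance("TLS");
        ctx.init(kmf.getKeyManagers(), null, null);
        return ctx.getSocketFactory();
    }

    // POST the parameters over a connection that explicitly uses the client certificate.
    static int post(String url, String parameter, SSLSocketFactory factory) throws Exception {
        HttpsURLConnection conn = (HttpsURLConnection) new URL(url).openConnection();
        conn.setSSLSocketFactory(factory); // per connection, independent of global JSSE state
        conn.setRequestMethod("POST");
        conn.setDoOutput(true);
        OutputStreamWriter wr = new OutputStreamWriter(conn.getOutputStream(), "UTF-8");
        try {
            wr.write(parameter);
            wr.flush();
        } finally {
            wr.close();
        }
        return conn.getResponseCode();
    }

    public static void main(String[] args) throws Exception {
        // Placeholder path, password and URL; replace with the real values.
        SSLSocketFactory f = clientCertFactory("/path/to/client.pfx", "pfx-password".toCharArray());
        System.out.println("HTTP status: " + post("https://vendor.example/data.aspx", "a=1&b=2", f));
    }
}
```

A status other than the vendor's "Client Authentication Required" page on the first call from inside Tomcat confirms the certificate is being presented regardless of what was initialised earlier in the JVM.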
   
   