Reputation: 2781
I'm trying to set up SSL mutual auth with a client certificate on a WebAS, with a SOAP Webservice that I wrote with JavaEE. I'm trying to test this using SOAP UI - however, I'm having difficulties trying to find out if SOAP UI sends everything that is needed. For example, after having configured my PFX as a key store in the project settings (including private key specified there), I still see a plain text request in Charles Proxy. I have tried tcpmon but it didn't yield any better results.
Is there any way I can verify the request is being sent correctly on the client side? Because on the server side I only see "Authentication failed". I saw in documentation from Oracle that there is a header field called USER_CERT - but is this standard? I don't see it anywhere in my request. I need to check if the client side is correct until I can do some trial & error on server side.
Many thanks!
Upvotes: 0
Views: 907
Reputation: 122599
You should be able to see whether the client-certificate is being sent using the javax.net.debug system property, as described in "Debugging SSL/TLS Connections".
At best, Fiddler itself could send its client-certificate, but that's not quite the same as having your application send it directly to the server. Fiddler may be able to mimic that behaviour sufficiently if it asks for a client cert to your application too (I'm not sure whether it can do that), but that would effectively be independent of the actual client cert seen by your target server (although you might use the same in practice).
Upvotes: 1
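A client-side check to go with the javax.net.debug advice above, as an added example that is not part of the original answer or of SOAP UI: a standalone JSSE client that loads the PFX and logs whether the server requested a client certificate, which issuers it accepts, and which certificate was actually sent. The class name `ClientCertCheck` and the command-line arguments are assumptions; the server certificate is assumed to be trusted by the JRE's default trust store.

```java
import javax.net.ssl.*;
import java.io.FileInputStream;
import java.net.Socket;
import java.security.KeyStore;
import java.security.Principal;
import java.security.PrivateKey;
import java.security.cert.X509Certificate;
import java.util.Arrays;

// Hypothetical test client. Usage: java ClientCertCheck <host> <port> <client.pfx> <password>
public class ClientCertCheck {
    // Delegating key manager: JSSE calls chooseClientAlias only when the
    // server's handshake contains a CertificateRequest.
    static class LoggingKeyManager implements X509KeyManager {
        private final X509KeyManager d;
        LoggingKeyManager(X509KeyManager d) { this.d = d; }
        public String chooseClientAlias(String[] keyTypes, Principal[] issuers, Socket s) {
            String alias = d.chooseClientAlias(keyTypes, issuers, s);
            System.out.println("Server requested a client cert, key types " + Arrays.toString(keyTypes));
            System.out.println("Acceptable issuers: " + Arrays.toString(issuers));
            // null means nothing in the key store matches the key types/issuers
            System.out.println("Matching alias in key store: " + alias);
            return alias;
        }
        public String[] getClientAliases(String t, Principal[] i) { return d.getClientAliases(t, i); }
        public String[] getServerAliases(String t, Principal[] i) { return d.getServerAliases(t, i); }
        public String chooseServerAlias(String t, Principal[] i, Socket s) { return d.chooseServerAlias(t, i, s); }
        public X509Certificate[] getCertificateChain(String a) { return d.getCertificateChain(a); }
        public PrivateKey getPrivateKey(String a) { return d.getPrivateKey(a); }
    }

    public static void main(String[] args) throws Exception {
        char[] pw = args[3].toCharArray();
        KeyStore ks = KeyStore.getInstance("PKCS12");          // PFX is PKCS#12
        try (FileInputStream in = new FileInputStream(args[2])) { ks.load(in, pw); }
        KeyManagerFactory kmf = KeyManagerFactory.getInstance(KeyManagerFactory.getDefaultAlgorithm());
        kmf.init(ks, pw);
        KeyManager[] kms = kmf.getKeyManagers();
        for (int i = 0; i < kms.length; i++)
            if (kms[i] instanceof X509KeyManager) kms[i] = new LoggingKeyManager((X509KeyManager) kms[i]);
        SSLContext ctx = SSLContext.getInstance("TLS");
        ctx.init(kms, null, null);                             // null = default trust managers
        try (SSLSocket sock = (SSLSocket) ctx.getSocketFactory().createSocket(args[0], Integer.parseInt(args[1]))) {
            sock.startHandshake();
            java.security.cert.Certificate[] sent = sock.getSession().getLocalCertificates();
            System.out.println(sent == null ? "No client certificate was sent"
                    : "Sent client certificate: " + ((X509Certificate) sent[0]).getSubjectX500Principal());
        }
    }
}
```

Running it with `-Djavax.net.debug=ssl,handshake` prints the full handshake trace alongside these lines. If no "Server requested a client cert" line appears, the server never asked for one; if the alias is `null`, the PFX holds no certificate matching the issuers the server accepts.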
Reputation: 2781
Apparently my SOAP UI is not able to send the client certificate for some reason. So I set up Fiddler in the middle between SOAP UI and my server.
A message pops up in Fiddler that the server is requesting a certificate and when I place the correct certificate in the specified path, the login works!
I have read through tons of SOAP UI docs and discussion threads, and had to replace SOAP UI two times with another version due to bugs (4.5.0 was not able to read the key store, 4.5.1 displayed a class cast exception). I went back to 4.0.1 - only to have it working with Fiddler in under five minutes :)
Upvotes: 0