WebSphere Application Server & Liberty


java development ssl with client certificate pfx/p12

  • 1.  java development ssl with client certificate pfx/p12

    Posted Tue December 03, 2024 09:34 AM

    Hello,

    We have Java code to connect to a remote site using SSL (HTTPS) using trust.p12 (NodeDefaultTrustStore).

    Also we load the client PFXs (several) into NodeDefaultKeyStore.

    How could we select which alias we want to use?

    On Oracle Java (Apache Tomcat) we can use the properties to decide, and it works fine:

                System.setProperty("javax.net.ssl.keyStore", PfxFileName );
                System.setProperty("javax.net.ssl.keyStoreType", "PKCS12");
                System.setProperty("javax.net.ssl.keyStorePassword", PfxPwd );

    We can open simultaneous conversations using different client certificate PFXs,

    But in WebSphere, once we use the first one we cannot change to the others.



    ------------------------------
    Jose Luis Nebril
    ------------------------------


  • 2.  RE: java development ssl with client certificate pfx/p12

    Posted Wed December 04, 2024 07:27 AM

    Hi, I am not understanding fully if you are using mutual authentication or presenting a certificate for inbound access.  If it is mutual authentication you would set which certificate you want to present based on URL (dynamic outbound endpoint).  I am not sure why you would load the client's certs into the keystore of tWAS, as it would defeat the purpose of securing an application if more than 1 application has the same certificates.  And the example above does not set the alias name found in the keystore.

    Your example overrides all certificates, so the next time the request will use whatever was set last time.  If you really want to do this, though I recommend NOT to do this, you can set this programmatically by following the steps here: https://www.ibm.com/docs/en/was/8.5.5?topic=ascdoprse-programmatically-specifying-outbound-ssl-configuration-using-jssehelper-api-2

    And remember Tomcat is NOT an application server so it is a bit of comparing apples and oranges.

    Brian



    ------------------------------
    Brian S Paskin
    Sr. Technology Engineer
    IBM Cloud Engineering
    ------------------------------



  • 3.  RE: java development ssl with client certificate pfx/p12

    Posted Thu December 05, 2024 01:05 AM

    Hello Brian,
    Thank you for your help, and I apologize because I don't speak English very well.

    Our JAVA application consumes a web service based on WSDL schemas.

    When we connect to the web service on the remote host, we use the cacerts truststore to validate the HTTPS connection. We do this by specifying the following properties:

    System.setProperty("javax.net.ssl.trustStore", "path to certificate");
    System.setProperty("javax.net.ssl.trustStorePassword", "password");
    System.setProperty("javax.net.ssl.trustStoreType", "jks");

    This first part works well whether we deploy it in an Oracle JAVA 1.8 JVM or an IBM JVM. We can connect to different remote hosts, and it always knows which CA certificate to use. It also works if we use trust.p12 or our own cacerts truststore.

    When the connection is established, the web service requires a keystore, so we specify the following properties:

    System.setProperty("javax.net.ssl.keyStore", "path to keystore.pfx");
    System.setProperty("javax.net.ssl.keyStoreType", "PKCS12");
    System.setProperty("javax.net.ssl.keyStorePassword", "password");

    In this case, Oracle JAVA uses the certificate specified in the javax.net.ssl.keyStore property for each connection.

    However, IBM JAVA forces us to load the certificates into the key.p12 of WebSphere under NodeDefaultKeyStore -> Personal Certificates, ignoring the javax.net.ssl.keyStore property.

    When the connection is established with IBM JAVA, during validation it doesn't use the keystore.p12 specified in javax.net.ssl.keyStore (as seen in the logs); it always uses key.p12, and it uses the first certificate in the list.

    The difference I find is that IBM JAVA forces me to load all the certificates into a single keystore and doesn't seem capable of managing which one to use.

    I've tried countless combinations but haven't found a solution yet. I attach simple code to show it.

    Thank you again!



    ------------------------------
    Jose Luis Nebril
    ------------------------------



  • 4.  RE: java development ssl with client certificate pfx/p12

    Posted Thu December 05, 2024 05:28 AM

    Using the cacerts for certificates is an extremely bad practice and I would suggest you stop using it.  What you are doing is called mutual authentication.  You should preload the keys and truststore certificates in the WebSphere key and truststores.  This can be changed within the console using the dynamic outbound connections (https://www.ibm.com/docs/en/was/8.5.5?topic=endpoint-dynamic-outbound-ssl-configuration-settings).  This allows you to specify the certificate to present when asked by the remote system without using code.

    Brian



    ------------------------------
    Brian S Paskin
    Sr. Technology Engineer
    IBM Cloud Engineering
    ------------------------------



  • 5.  RE: java development ssl with client certificate pfx/p12

    Posted Thu December 05, 2024 01:03 PM
    Hi Brian

    On top of WAS there is our software. We are an ISV.

    Until 2023 we deployed our ERP on Oracle application servers and Apache Tomcat with the Oracle Java JVM, and in these environments our ERP works fine.
    Now we are beginning to deploy on IBM i WAS.

    We are testing the connection using truststore trust.p12 and keystore key.p12, using the WAS security interface to upload CA certs into NodeDefaultTrustStore and using the WAS security interface to upload the client certs into NodeDefaultKeyStore.

    If key.p12 (NodeDefaultKeyStore) has a single client cert, all works fine. We can connect to different remote servers and WAS always presents the only client cert. WAS also knows to select a different CA to connect to the different servers. Debug.log shows this fine.

    When NodeDefaultKeyStore has several client certs, WAS always presents the first client cert of NodeDefaultKeyStore.

    In Oracle Java we use the property javax.net.ssl.keyStore to indicate which client cert the connections need to use, but on WAS this property doesn't work.

    I am frustrated because on Oracle servers it works fine. Maybe I don't have experience on IBM WAS.

    Best regards

    Sent from my iPhone





  • 6.  RE: java development ssl with client certificate pfx/p12

    Posted Thu December 05, 2024 01:14 PM

    When you use the dynamic outbound connections you can select which certificate to serve to the endpoint.  No programming required.  (https://www.ibm.com/docs/en/was/8.5.5?topic=endpoint-dynamic-outbound-ssl-configuration-settings)



    ------------------------------
    Brian S Paskin
    Sr. Technology Engineer
    IBM Cloud Engineering
    ------------------------------



  • 7.  RE: java development ssl with client certificate pfx/p12

    Posted Thu December 12, 2024 03:21 AM

    Hi Brian

    We changed the code to follow your notes, but the issue persists.
    The reason is that the server we connect to is the same, and the only difference in each connection is the client certificate used. In the case of IBM Java, these certificates have been loaded into p12.pfx.
    In Oracle Java, we decide which alias or certificate we want to use: we have the properties javax.net.ssl.keyStore, javax.net.ssl.keyStoreType, and javax.net.ssl.keyStorePassword. With these, JAXB knows how to establish the conversation. However, in IBM Java, these properties are not used, and WebSphere decides which certificate to use, always selecting the first one from key.p12.

    Best regards



    ------------------------------
    Jose Luis Nebril
    ------------------------------



  • 8.  RE: java development ssl with client certificate pfx/p12

    Posted Thu December 12, 2024 06:15 AM

    Did you add the keystore to WebSphere?  If you did then you should have an option to use the keystore and the keys inside of it from the dropdown menus in my post above.  Can you post an image of the configuration?  Did you see the key you want to use?  I know this works because I have setup an example of it working.

    The reason why the javax settings are not working has nothing to do with the IBM JDK, but the way WebSphere and Liberty handle certificates to make it more secure and easier to manage.

    Brian



    ------------------------------
    Brian S Paskin
    Sr. Technology Engineer
    IBM Cloud Engineering
    ------------------------------



  • 9.  RE: java development ssl with client certificate pfx/p12

    Posted Thu December 12, 2024 10:03 AM

    Hi Brian

    Yes, I uploaded the PFX files into NodeDefaultKeyStore. Attached image (Img1).

    On dynamic outbound connections I can see all certificates. Attached Img2 and Img3.



    ------------------------------
    Jose Luis Nebril
    ------------------------------



  • 10.  RE: java development ssl with client certificate pfx/p12

    Posted Thu December 12, 2024 11:13 AM

    Wrong screen or you are missing the fields to add the outbound host:port.  You should have the option to add the outbound connection information.  Which version of tWAS is this?

    Brian



    ------------------------------
    Brian S Paskin
    Sr. Technology Engineer
    IBM Cloud Engineering
    ------------------------------



  • 11.  RE: java development ssl with client certificate pfx/p12

    Posted Thu December 12, 2024 11:22 AM

    The screen should look similar to this: [image]



    ------------------------------
    Brian S Paskin
    Sr. Technology Engineer
    IBM Cloud Engineering
    ------------------------------



  • 12.  RE: java development ssl with client certificate pfx/p12

    Posted Thu December 12, 2024 01:50 PM

    Hi, I got your email, but I could not reply directly to it for some reason.  What I suspect is that you created the SSL Configs, but never actually mapped them to anything.  You should import the keys to the NodeDefaultKeyStore and then use that to present the correct key, or have another keystore that can be used to present outbound settings.

    Brian



    ------------------------------
    Brian S Paskin
    Sr. Technology Engineer
    IBM Cloud Engineering
    ------------------------------



  • 13.  RE: java development ssl with client certificate pfx/p12

    Posted Sun December 15, 2024 02:40 AM

    Hi Brian,

    Thanks a lot.

    I tested using NodeDefaultKeyStore and also tested using a keystore for each connection.

    I give up, "throw in the towel".

    I am going to contact Spain Labs services and request help to get it.

    If we get it, I'll send you the information.

    Endless thanks



    ------------------------------
    Jose Luis Nebril
    ------------------------------



  • 14.  RE: java development ssl with client certificate pfx/p12

    Posted Mon December 16, 2024 09:39 AM

    Hi, sorry you are having issues with implementing this.  If you are in a Cell and not standalone, then the certs belong in the CellDefaultKeyStore.  You can also open a support ticket and they can go over traces with you.

    Regards,

    Brian



    ------------------------------
    Brian S Paskin
    ------------------------------