Comments on: The Fifteen Minute Guide to Mutual Authentication

By: IMAP on the iPhone with SSL client certificates « #!/bin/blog

IMAP on the iPhone with SSL client certificates « #!/bin/blog — Thu, 12 Nov 2009 22:06:02 +0000

[...] IMAP on the iPhone with SSL client certificates Filed under: iphone — Tags: certificate, imap, iphone, ssl — martin @ 11:02 pm The IMAP server in my office is configured to not just accept username/password authenticated connections from the internet. As an additional security measure, it requires the client to present a valid SSL client certificate, issued by the internal CA, resulting in mutual SSL authentication. [...]

By: Lee

Lee — Wed, 26 Aug 2009 17:35:17 +0000

Mike – We were looking at authN based solely on client certs (mapping them to users or roles has to differed). I was hesitant to use self-signed certs, but that may be the best solution out of the four options — a white-list of allowed clients.

Appreciate your valuable feedback.

By: Mike Fleming

Mike Fleming — Wed, 26 Aug 2009 01:08:50 +0000

Lee,

You’ve laid out your options nicely. One and four are essentially the same, though. If validation is an issue in #4 you could always use your own validator.

Any of your options will work but there are two other possibilities to consider. The first is to map users to groups and groups to roles. Protect your web service using the roles and then only users in your group are authorized to use the web service. That would solve the anybody-signed-by-the-CA-has-access problem.

The other option is to have a look at WebLogic’s built-in certificate registry. It’s like a reverse CRL lookup in that only certificates present in the registry are accepted. Here’s a snippet from the WLS docs:

“The WebLogic Server Certificate Registry is an out-of-the-box CertPath provider that allows the administrator to configure a list of trusted end certificates via the Administration Console. The Certificate Registry is a builder/validator. The selection criteria can be EndCertificateSelector, SubjectDNSelector, IssuerDNSerialNumberSelector, or SubjectKeyIdentifier. The certificate chain that is returned has only the end certificate. When it validates a chain, it makes sure only that the end certificate is registered; no further checking is done.”

So, really, I think your decision comes down to how do you want to administer users? Adding certs to trust stores requires file system access while a WLS admin can add a user to the registry or a group via WLS Console. If you use an external user store you’d add/remove users as appropriate for the product.

HTH,

Mike

By: Lee

Lee — Tue, 25 Aug 2009 21:43:19 +0000

Thanks for simplifying a complicated topic. My question:

What is the best approach for restricting access to your webservice to specific clients only? There seem to be a few options, some more restrictive than others:

1. Clients use self-signed certs. They share their self-signed certs with us out-of-band and we import them into our truststore. We remove all other certs (CAs, intermediaries) from our truststore, so now only those clients can connect whose end-entity, self-signed certs are in our truststore.

2. client uses a CA-signed cert. We add the CA to our trust store (if it’s not already there by default). But now anyone with a cert issued by that CA can connect. This is the most basic option.

3. Our internal CA signs the client’s cert. (The clients submit the CSR to our CA.) Our truststore contains only our internal CA’s cert. So now only those clients can connect that have certs issued by our CA.

4. The client uses a cert issued by another CA. We add the client’s end-entity cert into our truststore. The truststore doesn’t contain any CA/intermediary certs, it contains only client end-entity certs. Would this even work when our service performs cert path validation, as the end-entity issuing CA certs will not be in our truststore?

Any suggestions would be appreciated. Thanks!

By: Mike Fleming

Mike Fleming — Fri, 14 Aug 2009 00:16:30 +0000

Asi,

You’ll get that error unless the CN for your certificate happens to be “localhost” which it is not. Basically, it’s working as it should. The browser is warning you that while you requested website “localhost,” the site presented its ID as “abc.com” or whatever your certificate’s CN is.

To make the error go away you can add an exception (which you normally wouldn’t want to do) or use DNS to route “abc.com” to the machine where you’re running WebLogic. Then, you can go to https://abc.com:7002/console and the browser won’t complain.

HTH,

Mike

By: asi

asi — Thu, 13 Aug 2009 06:27:24 +0000

Hi,
Thanks for publishing such a nice article! it was so helpful. I tried to install the client side certificate in the browser and do the required changes in weblogic for two way ssl authentication. Now,when i access https://localhost:7002/console –>it gives me a certificate error
————————-
“The security certificate presented by this website was issued for a different website’s address.

Security certificate problems may indicate an attempt to fool you or intercept any data you send to the server.”
—————————
No warnings display in the console as well
could you please help me on this?

Thanks,
asi

By: Mike Fleming

Mike Fleming — Tue, 28 Jul 2009 01:57:25 +0000

Melvin,

Yes, each client needs a certificate to present to the web service. They could even be the same certificate if you wish. It doesn’t matter as long as the web service trusts the signer of the client cert.

DNS doesn’t matter for the client certificate. In fact, in the article the client certificate is for a user named “Spongebob.” However, a server could have its own certificate such as “bank.com.” It’s very common for middleware to use such certs for client authentication to other services.

HTH,

Mike

By: Melvin

Melvin — Mon, 27 Jul 2009 22:08:52 +0000

A great post – thank you so much.
I have some questions –

if I have two java runtime (exactly duplicate), but in different servers, trying to access a web service using mutual SSL.

1> do I need DNS name for my client runtime – or I could just give my client any name I like;
2> do I need to have a certificate for each of my client runtime?

Thanks

By: Mike Fleming

Mike Fleming — Wed, 13 May 2009 02:33:02 +0000

Sanyam,

Thanks for the encouragement!

Your question inspired me to write “Certificate to User Mapping in WebLogic” (http://monduke.com/2009/05/12/certificate-to-user-mapping-in-weblogic/).

Thanks, and feel free to comment either here or there if I didn’t answer your question.

By: Sanyam

Sanyam — Tue, 12 May 2009 10:14:20 +0000

I was wondering that we still hasn’t achieved the true authentication by this. we still have to define a mapping b/w user and certs.
any commnets?

By: Sanyam

Sanyam — Tue, 12 May 2009 05:45:12 +0000

hey thanks for the wonderful single page guide .keep blogging

By: Mike Fleming

Mike Fleming — Fri, 20 Apr 2007 01:03:14 +0000

Mek,

To my knowledge, the 8.1 plugin doesn’t support two-way SSL. I don’t know about WLS 9.x.

By: mek

mek — Thu, 19 Apr 2007 16:36:20 +0000

very good work ..
Do you know how to configure apache2 and weblogic plugin with 2-way ssl ? I need to use apache2 as fron-end for load balancig and architercural restrictions ..

thanks.

By: James Turnbull

James Turnbull — Thu, 22 Mar 2007 00:27:01 +0000

Excellent article! I was looking for a simple explanation of MASSL to give to some people and this fits the bill perfectly. *claps*

By: Red-3

Red-3 — Thu, 26 Oct 2006 21:44:49 +0000

Thanks. This is great. The BEA documentation is like a map showing you all the locations but with no indication of where you need to go. Posts like this are like much needed directions! Keep ‘em coming.