Forum Discussion

Synesso
15 years ago

Request using client auth (keystore)

I have been gathering info on how to get a request working that requires client authentication via an asymmetric key pair in a keystore. It still does not work and I need some ideas. Here's what I have done.


(I have also tried with and without setting the keystore in Preferences/SSL Settings. I'm not sure what that global configuration is for.)

The server (IIS) responds with "403.7 - Forbidden: SSL client certificate is required"

Wireshark reports a message flow that is something like this:

  • client->server: SSLv2 Client Hello

  • server->client: TLSv1 Server Hello, Certificate, Server Hello Done

  • ... followed by the TLS client key exchange, cipher spec change, handshake message, application data, etc.



The final response is an IIS generated web page with 403.7 HTTP header and HTML that says "HTTP Error 403.7 - Forbidden: SSL client certificate is required".

It certainly looks like SoapUI is not presenting the client cert. Have I configured it correctly?
  • Hi,

    after a lot of frustration I got it to work!
    I'll share this with you, hopefully it'll help someone

    I first followed all tips from the first post (to avoid the handshake error etc.). I still got the 403.
    I made a little test page to see the client certificate info (see below), and saw that there was no certificate being presented at all by SoapUI.
    Then I started messing around and finally got it to work.
    What made the difference was to include the whole CA trust chain, up to and including the root CA, in the keystore.

    On windows I did this by re-exporting the pfx (=keystore file):

    • Install all the intermediate CAs and the root CA (any Windows system will do for this, doesn't have to be the server or even the soapUI client system).
      In my case, it was a test hierarchy so I got a bunch of .cer files from the test certificate provider's website. To install them, double-click them in windows explorer and hit install. Be sure to select the 'Trusted Root CA' store for your root certificate and the 'Intermediate CA' store for the others.

    • Install the client certificate in the 'personal' store. Just double-click the pfx file and hit 'Install'. Be sure to check 'mark as exportable'.

    • Re-Export the client certificate.
      You can do this from the certificate management console or open the system certificates store from Internet Explorer settings dialog (Internet Options > Content > Certificates).
      • At this point, your client certificate should be in the 'personal' store. If you double-click it, it should show as valid AND it should say 'you have a private key corresponding to this certificate'. On the 'certification path' tab of the client certificate, the whole CA hierarchy should show up and you should be able to open every one of them.

      Now hit the 'export' button to start the certificate export wizard.
      • Choose 'Yes, export the private key'.

      • Next, select 'Include all certificates in the certificate path'

      • Enter a new password to protect your new pfx file and choose a filename to save it

    Put your new pfx in the soapUI project settings (project view > security config > keystores / certificates). Use the new password you entered when exporting the pfx. Now, the file name of the pfx file should show up in the 'keystore' dropdown of each request's properties (the box in the bottom left).

    That's all!

    Here's the small aspx info page which I used to see if the certificate was presented and dump the client certificate info.
    (I use IIS7 server by the way, but this should also work on IIS6):

    <%@ Page language="C#" %>
    <!DOCTYPE html>
    <html>
    <head><title>Certificate Info Page</title></head>
    <body>
    <h1>Server: <%= System.Environment.MachineName %></h1>
    Request.IsAuthenticated: <%= Request.IsAuthenticated %><br />
    IsSecureConnection: <%= Request.IsSecureConnection %>

    <h3>Client Certificate Information</h3>
    <%
        // IsPresent is false when the TLS handshake finished without a client certificate.
        if (!Request.ClientCertificate.IsPresent)
        {
            Response.Write("<h4>No certificate was presented.</h4>");
        }
        else
        {
            // Dump every field IIS exposes (Subject, Issuer, SerialNumber, ValidFrom, ...).
            // The values come from the client's certificate, so HTML-encode them before echoing.
            foreach (string key in Request.ClientCertificate.AllKeys)
            {
                Response.Write(string.Format("<p><b>{0}&nbsp;:&nbsp;</b>{1}</p>",
                    Server.HtmlEncode(key), Server.HtmlEncode(Request.ClientCertificate[key])));
            }
        }
    %>
    </body>
    </html>


    Hope this helps someone!
    • krusolu

      @endorf Thank you so much!!! You saved me much time and frustration.


      One note for the version I am using (4.6.2): in the project configuration, it is under the WS-Security Configurations tab, Keystores sub-tab, where it has to be added.
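The root cause the answer above arrives at (the keystore has to carry the intermediate and root CA certificates, not just the client certificate and its key) can be reproduced without IIS or SoapUI. The Go program below is an added example written for this page; it is not code from the thread, from SoapUI or from IIS. It generates a constructed test hierarchy in memory (a root CA, an intermediate CA, and a server and a client certificate issued by the intermediate), starts a loopback TLS server that, like the IIS site in the question, requires a client certificate and trusts only the root, and connects twice: once with a keystore-style entry holding the client leaf alone, and once with the leaf plus the intermediate. The function names `issue`, `buildPKI` and `handshake`, the CA names, the ECDSA P-256 keys and the 5-second deadline are the example's own choices. Go's client picks the certificate to present by matching the issuers of its stored chain against the CA names the server lists in its CertificateRequest; Java's default X509KeyManager applies the same issuer check when it chooses an alias. With the leaf alone no entry matches, the client sends no certificate at all, and the server rejects the handshake without ever seeing the certificate, which is the same "no certificate presented" picture the test page in the answer showed. With the intermediate included, the match succeeds and the server verifies the chain up to its trusted root.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/tls"
	"crypto/x509"
	"crypto/x509/pkix"
	"fmt"
	"math/big"
	"time"
)

func must(err error) {
	if err != nil {
		panic(err) // setup failures in this constructed demo are bugs, not runtime conditions
	}
}

// issue signs a certificate for cn with parent; a nil parent yields a self-signed root.
func issue(cn string, isCA bool, eku []x509.ExtKeyUsage, parent *x509.Certificate, parentKey *ecdsa.PrivateKey) (*x509.Certificate, *ecdsa.PrivateKey) {
	key, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	must(err)
	serial, err := rand.Int(rand.Reader, big.NewInt(1<<62))
	must(err)
	tmpl := &x509.Certificate{
		SerialNumber: serial,
		Subject:      pkix.Name{CommonName: cn},
		DNSNames:     []string{"localhost"}, // lets the client verify the server certificate by name
		NotBefore:    time.Now().Add(-time.Hour), NotAfter: time.Now().Add(24 * time.Hour),
		KeyUsage:     x509.KeyUsageDigitalSignature,
		ExtKeyUsage:  eku,
		BasicConstraintsValid: true, IsCA: isCA,
	}
	if isCA {
		tmpl.KeyUsage |= x509.KeyUsageCertSign // Go's verifier rejects signing CAs without it
	}
	if parent == nil {
		parent, parentKey = tmpl, key
	}
	der, err := x509.CreateCertificate(rand.Reader, tmpl, parent, &key.PublicKey, parentKey)
	must(err)
	cert, err := x509.ParseCertificate(der)
	must(err)
	return cert, key
}

type pki struct { // constructed hierarchy: root -> intermediate -> {server, client}
	inter, server, client *x509.Certificate
	serverKey, clientKey  *ecdsa.PrivateKey
	roots                 *x509.CertPool // the only certificate the server trusts
}

func buildPKI() *pki {
	root, rootKey := issue("Test Root CA", true, nil, nil, nil)
	inter, interKey := issue("Test Intermediate CA", true, nil, root, rootKey)
	server, serverKey := issue("localhost", false, []x509.ExtKeyUsage{x509.ExtKeyUsageServerAuth}, inter, interKey)
	client, clientKey := issue("soapui-client", false, []x509.ExtKeyUsage{x509.ExtKeyUsageClientAuth}, inter, interKey)
	roots := x509.NewCertPool()
	roots.AddCert(root)
	return &pki{inter: inter, server: server, client: client, serverKey: serverKey, clientKey: clientKey, roots: roots}
}

// handshake runs one mutual-TLS handshake over loopback; clientChain plays the role of the keystore entry.
func handshake(p *pki, clientChain [][]byte) error {
	ln, err := tls.Listen("tcp", "127.0.0.1:0", &tls.Config{
		Certificates: []tls.Certificate{{Certificate: [][]byte{p.server.Raw, p.inter.Raw}, PrivateKey: p.serverKey}},
		ClientAuth:   tls.RequireAndVerifyClientCert, // like IIS "Require client certificates"
		ClientCAs:    p.roots,                         // root only: the client must bring the intermediate itself
	})
	must(err)
	verdict := make(chan error, 1)
	go func() {
		conn, err := ln.Accept()
		if err == nil {
			conn.SetDeadline(time.Now().Add(5 * time.Second))
			err = conn.(*tls.Conn).Handshake() // the client's chain is verified here
			conn.Close()
		}
		verdict <- err
	}()
	if conn, err := tls.Dial("tcp", ln.Addr().String(), &tls.Config{
		RootCAs: p.roots, ServerName: "localhost",
		Certificates: []tls.Certificate{{Certificate: clientChain, PrivateKey: p.clientKey}},
	}); err == nil {
		conn.Close()
	}
	ln.Close() // under TLS 1.3 the client can finish before the server's alert arrives, so the server decides
	return <-verdict
}

func main() {
	p := buildPKI()
	fmt.Println("leaf only: ", handshake(p, [][]byte{p.client.Raw}))              // keystore without the CA chain
	fmt.Println("full chain:", handshake(p, [][]byte{p.client.Raw, p.inter.Raw})) // keystore re-exported with it
}
```

Run it with `go run .`: the first line prints a non-nil error, the second prints `<nil>`. The server side's result is what `handshake` returns because under TLS 1.3 the client's own handshake completes before the server has checked the certificate, so a client-side `nil` proves nothing. For a real keystore, `keytool -list -v -keystore client.pfx -storetype PKCS12` prints the certificate chain length of each entry, so you can confirm the re-export actually captured the intermediate and root before trying the request again in SoapUI.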

  • Interesting question; I shall follow the results, as I'm having the exact same problem.

    I haven't found the solution (obviously), but I do get this same error (403.7) when I try to communicate from a simple Java class using the javax.net.ssl package. I'm not really sure if it's a Java configuration problem when attempting to communicate with a Windows-based SSL/TLS server or something else entirely.

    When I couldn't obtain results with my simple class, I switched to doing some tests with SoapUI. I have been trying to execute exactly what you have described in your post, and I do get the same HTTP error message.

    Now, I have been browsing the web searching for a way to specify the 'Windows Certificate Registry' directly instead of a custom-made keystore. I haven't found how, nor any trail that could hint at the possibility of doing this.

    I wish for a solution, as I've been plagued by this SSL/TLS communication problem between a Java-based application and a C#/.NET application for the last month!