RE: Error accessing Java Web service over SSL with X.509

From: Dan Rogers (danro_at_microsoft.com)
Date: 11/29/04

    Date: Mon, 29 Nov 2004 21:27:37 GMT
    
    

    Hi,

    The primary issue would appear to be understanding how SSL works. When you
    use a winforms application, the certificate that is used is one that is
    negotiated on demand - this is how the interactive client code will work.
    When calling from a non-user application however, you have to explicitly
    provide a certificate. This means you need to have a level 3 cert
    installed on the machine where the invocation will be called from, and then
    associate the certificate to be used with the call. This difference is why
    you are seeing different behaviors on an interactive client and in web
    service code.

    There are good examples of setting up certificate controlled communications
    in the samples that come with the WSE 2.0 SP1 toolkit download on MSDN.

    I hope this helps

    Dan Rogers
    Microsoft Corporation
    --------------------
    >From: "=?Utf-8?B?Sm9obkQ=?=" <JohnD@discussions.microsoft.com>
    >Subject: Error accessing Java Web service over SSL with X.509
    >Date: Tue, 23 Nov 2004 18:57:21 -0800
    >Newsgroups: microsoft.public.dotnet.framework.aspnet.webservices
    >
    >Hello
    >
    >I’ve got a problem consuming a Web service made by another company (who use
    >J2EE). The Web service requires an X.509 certificate, which I pass in using
    >the ClientCertificates property of the service proxy object.
    >
    >I’m using .NET Framework v1.1.4322.
    >
    >The issue is bizarre in that it behaves differently on different machines.
    >
    >On my development machine (Windows XP Pro SP2, VS 2003 Ent Arch), accessing
    >the service works fine when I’m in a Windows Forms (or console) application.
    >When I use the *exact* same code on a Web application (or Web service),
    >however, I get this error message:
    >
    >---
    >[Win32Exception (0x80004005): The message received was unexpected or badly
    >formatted]
    >
    >[WebException: The underlying connection was closed: Could not establish
    >secure channel for SSL/TLS.]
    >---
    >
    >The error is happening on the call to the Invoke method inside the proxy.
    >I’ve tried tracing the SOAP messages using the SOAP Trace utility in the
    >Office SOAP toolkit, but no messages seem to get transferred. This makes
    >sense, since I also looked at the Event Log and found this entry (after
    >setting SCHANNEL EventLogging to 7):
    >
    >---
    >The remote server has requested SSL client authentication, but no suitable
    >client certificate could be found. An anonymous connection will be attempted.
    >This SSL connection request may succeed or fail, depending on the server's
    >policy settings.
    >---
    >
    >When I tried this procedure on another machine (also running Windows XP SP2,
    >VS 2003 Standard) it came up with this error message all the time – it didn’t
    >even work for a Windows or console app. I also tried it on a Windows Server
    >2003 box (without VS) and it didn’t work at all there either.
    >
    >I went back to my development machine and tried accessing one of our own Web
    >services (written in .NET, and doesn’t require X.509 client certificates) and
    >it worked perfectly, on all machines, with all types of application.
    >
    >I’ve spent much of the day trying to figure this out, and can’t really see
    >very much information on it anywhere. The main thing that has me stumped is
    >that it works on Windows on my dev machine but not under a web app, and that
    >it doesn’t work at all on the other machines.
    >
    >Any help would be gratefully accepted.
    >
    >Thanks
    >
    >John Downs
    >
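
The certificate lookup the reply describes, as an added example that is not part of the original thread: a C# console check that reports whether a client certificate with a private key is visible in the CurrentUser or LocalMachine store for the account it runs under, then attaches it to the request explicitly. It assumes .NET 2.0 or later (X509Store is not in the v1.1 framework the poster used); the thumbprint and URL are placeholders.

```csharp
using System;
using System.Net;
using System.Security.Cryptography.X509Certificates;

static class ClientCertCheck
{
    // Placeholders (assumptions, not values from the thread).
    const string Thumbprint = "<CLIENT-CERT-THUMBPRINT>";
    const string ServiceUrl = "https://service.example/endpoint";

    // Search one "Personal" store as seen by the account running this process.
    static X509Certificate2 Find(StoreLocation location)
    {
        X509Store store = new X509Store(StoreName.My, location);
        store.Open(OpenFlags.ReadOnly);
        try
        {
            X509Certificate2Collection hits = store.Certificates.Find(
                X509FindType.FindByThumbprint, Thumbprint, false);
            return hits.Count > 0 ? hits[0] : null;
        }
        finally { store.Close(); }
    }

    static void Main()
    {
        Console.WriteLine("Running as: " + Environment.UserName);
        X509Certificate2 chosen = null;
        StoreLocation[] locations = { StoreLocation.CurrentUser, StoreLocation.LocalMachine };
        foreach (StoreLocation loc in locations)
        {
            X509Certificate2 cert = Find(loc);
            if (cert == null) { Console.WriteLine(loc + ": not found"); continue; }
            Console.WriteLine("{0}: {1}, expires {2:d}, private key: {3}",
                loc, cert.Subject, cert.NotAfter, cert.HasPrivateKey);
            // Client authentication needs the private key, not just the public certificate.
            if (chosen == null && cert.HasPrivateKey && cert.NotAfter > DateTime.Now)
                chosen = cert;
        }
        if (chosen == null)
            throw new InvalidOperationException("No usable client certificate for this account.");

        // Associate the certificate with the call explicitly.
        HttpWebRequest request = (HttpWebRequest)WebRequest.Create(ServiceUrl);
        request.ClientCertificates.Add(chosen);
        using (HttpWebResponse response = (HttpWebResponse)request.GetResponse())
            Console.WriteLine("HTTP " + (int)response.StatusCode);
    }
}
```

HasPrivateKey only reports that a key is associated with the certificate; the account must also have read permission on that key, so run the check under the web application's identity rather than your own login.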

