On Jul 13, 2007, at 11:30 AM, legolas wrote:
Hi,

Thank you for reading my post.

Is there any article or tutorial that shows how we can use Geronimo with a PKCS-11 store for mutual authentication?

For example, a Swing-based client on the client side and some web services on the server side deployed into Geronimo. Now I want to be able to have mutual authentication between these two objects based on their digital certificates.
I'm not exactly a certificate expert, but I'm not clear on exactly why PKCS-11 is necessary or sufficient here. Do you need to securely identify your Geronimo server with a hardware token? I would expect in many circumstances you'd only use a hardware token for the client.

In any case you need to set up your web service to use a Jetty or Tomcat web connector that requires a client certificate.

Whether your client is a plain Swing app or a Geronimo Java EE app client, you can log in using the Sun PKCS11 login module. I don't think this would require setting up PKCS11 as a Geronimo keystore instance GBean. I don't recall what, if anything, else you need to do to make the client cert available to the HTTP client that the web services client uses. I'm pretty sure we have had client certs for web services working. There may even be an example somewhere.

Does this relate to what you are trying to do?

If you do need more Geronimo management of the PKCS11 keystore, it looks to me from a glance at http://java.sun.com/j2se/1.5.0/docs/guide/security/p11guide.html and the KeystoreInstance interface that the first step would be to implement a PKCS11KeystoreInstance GBean more or less similar to the FileKeystoreInstance GBean.

There's some slightly related discussion about PKCS12 at https://issues.apache.org/jira/browse/GERONIMO-2015.

thanks
david jencks
--
View this message in context: http://www.nabble.com/where-to-find-information-about-pkcs-11-certificate-store-manipulation-in-geronimo%2C-for-example-for-mutual-authentication-tf4075148s134.html#a11581860
Sent from the Apache Geronimo - Users mailing list archive at Nabble.com.
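To make the two halves of the reply concrete (a client whose TLS identity lives on a PKCS#11 token, and a server endpoint that refuses the handshake unless the client presents a trusted certificate), here is an added example in plain JSSE. It is not code from this thread, from Geronimo, or from the Sun PKCS11 login module; it only shows what those components have to arrange underneath. The config file path, token library, truststore path, host name and PIN prompt are assumptions for illustration. The SunPKCS11 constructor used is the Java 5 to 8 form from the p11guide linked above; on Java 9 and later the provider is obtained with `Security.getProvider("SunPKCS11").configure(path)` instead.

```java
import java.io.FileInputStream;
import java.io.InputStream;
import java.net.URL;
import java.security.KeyStore;
import java.security.Provider;
import java.security.Security;
import java.security.cert.Certificate;
import java.security.cert.X509Certificate;
import javax.net.ssl.HttpsURLConnection;
import javax.net.ssl.KeyManagerFactory;
import javax.net.ssl.SSLContext;
import javax.net.ssl.SSLServerSocket;
import javax.net.ssl.SSLSocket;
import javax.net.ssl.TrustManagerFactory;

/**
 * Added illustration, not Geronimo code: mutual TLS where the client key is on a
 * PKCS#11 token and the server requires a client certificate.
 *
 * Assumed (hypothetical) SunPKCS11 config file at /etc/pkcs11-client.cfg:
 *     name = ClientToken
 *     library = /usr/lib/opensc-pkcs11.so
 */
public class Pkcs11MutualTls {

    /** The token exposed as a KeyStore through the Java 5-8 SunPKCS11 provider. */
    static KeyStore loadTokenKeyStore(String pkcs11Config, char[] pin) throws Exception {
        Provider p11 = new sun.security.pkcs11.SunPKCS11(pkcs11Config);
        Security.addProvider(p11);
        KeyStore ks = KeyStore.getInstance("PKCS11", p11);
        ks.load(null, pin);            // no stream: the store is the token, the "password" is its PIN
        return ks;
    }

    /** A conventional JKS file keystore, e.g. the server's own key or a truststore. */
    static KeyStore loadFileKeyStore(String path, char[] pass) throws Exception {
        KeyStore ks = KeyStore.getInstance("JKS");
        InputStream in = new FileInputStream(path);
        try { ks.load(in, pass); } finally { in.close(); }
        return ks;
    }

    /**
     * Pairs an identity keystore (token or file) with a truststore. The KeyManager
     * signs the handshake with the private key; for a PKCS#11 keystore the key
     * never leaves the token, the provider asks the token to sign.
     */
    static SSLContext buildContext(KeyStore identity, char[] keyPass, KeyStore trust) throws Exception {
        KeyManagerFactory kmf = KeyManagerFactory.getInstance(KeyManagerFactory.getDefaultAlgorithm());
        kmf.init(identity, keyPass);
        TrustManagerFactory tmf = TrustManagerFactory.getInstance(TrustManagerFactory.getDefaultAlgorithm());
        tmf.init(trust);
        SSLContext ctx = SSLContext.getInstance("TLS");
        ctx.init(kmf.getKeyManagers(), tmf.getTrustManagers(), null);
        return ctx;
    }

    /** Server side: the JSSE equivalent of a web connector with client auth required. */
    static SSLServerSocket clientAuthServerSocket(SSLContext serverCtx, int port) throws Exception {
        SSLServerSocket ss = (SSLServerSocket) serverCtx.getServerSocketFactory().createServerSocket(port);
        ss.setNeedClientAuth(true);    // setWantClientAuth(true) would still admit clients with no certificate
        return ss;
    }

    /** Accepts one connection and returns the authenticated client's DN. */
    static String acceptOne(SSLServerSocket ss) throws Exception {
        SSLSocket s = (SSLSocket) ss.accept();
        try {
            s.startHandshake();        // throws here if the client sent no certificate or an untrusted one
            return s.getSession().getPeerPrincipal().getName();
        } finally {
            s.close();
        }
    }

    /** Client side: route HttpsURLConnection (and web service stubs built on it) through the token. */
    public static void main(String[] args) throws Exception {
        if (System.console() == null) throw new IllegalStateException("run from a terminal to enter the PIN");
        char[] pin = System.console().readPassword("Token PIN: ");
        KeyStore token = loadTokenKeyStore("/etc/pkcs11-client.cfg", pin);                    // hypothetical path
        KeyStore trust = loadFileKeyStore("/etc/ssl/server-truststore.jks", "changeit".toCharArray()); // hypothetical
        SSLContext ctx = buildContext(token, pin, trust);
        HttpsURLConnection.setDefaultSSLSocketFactory(ctx.getSocketFactory());

        HttpsURLConnection conn = (HttpsURLConnection)
                new URL("https://geronimo.example.com:8443/ws/hello").openConnection();       // hypothetical host
        conn.connect();
        Certificate[] chain = conn.getServerCertificates();
        System.out.println("Server presented " + ((X509Certificate) chain[0]).getSubjectX500Principal());
        conn.disconnect();
    }
}
```

The server half would be built with the same `buildContext`, passing a JKS keystore holding the server key and a truststore holding the CA that issued the client certificates, then `clientAuthServerSocket` and `acceptOne`. Two checks worth doing on a real deployment: confirm the connector is configured to require, not merely request, the client certificate (the `setNeedClientAuth` versus `setWantClientAuth` distinction above), and confirm that the KeyManager actually selected the token alias rather than a software key elsewhere on the client, for instance by inspecting `s.getSession().getLocalCertificates()` on the client socket.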