Error accessing Java Web service over SSL with X.509

JohnD

Hello

I’ve got a problem consuming a Web service made by another company (who use
J2EE). The Web service requires an X.509 certificate, which I pass in using
the ClientCertificates property of the service proxy object.

I’m using .NET Framework v1.1.4322.

The issue is bizarre in that it behaves differently on different machines.

On my development machine (Windows XP Pro SP2, VS 2003 Ent Arch), accessing
the service works fine when I’m in a Windows Forms (or console) application.
When I use the *exact* same code on a Web application (or Web service),
however, I get this error message:

---
[Win32Exception (0x80004005): The message received was unexpected or badly
formatted]

[WebException: The underlying connection was closed: Could not establish
secure channel for SSL/TLS.]
---

The error is happening on the call to the Invoke method inside the proxy.
I’ve tried tracing the SOAP messages using the SOAP Trace utility in the
Office SOAP toolkit, but no messages seem to get transferred. This makes
sense, since I also looked at the Event Log and found this entry (after
setting SCHANNEL EventLogging to 7):

---
The remote server has requested SSL client authentication, but no suitable
client certificate could be found. An anonymous connection will be attempted.
This SSL connection request may succeed or fail, depending on the server's
policy settings.
---

When I tried this procedure on another machine (also running Windows XP SP2,
VS 2003 Standard) it came up with this error message all the time – it didn’t
even work for a Windows or console app. I also tried it on a Windows Server
2003 box (without VS) and it didn’t work at all there either.

I went back to my development machine and tried accessing one of our own Web
services (written in .NET, and doesn’t require X.509 client certificates) and
it worked perfectly, on all machines, with all types of application.

I’ve spent much of the day trying to figure this out, and can’t really see
very much information on it anywhere. The main thing that has me stumped is
that it works on Windows on my dev machine but not under a web app, and that
it doesn’t work at all on the other machines.

Any help would be gratefully accepted.

Thanks

John Downs
 
Dan Rogers

Hi,

The primary issue would appear to be understanding how SSL works. When you
use a winforms application, the certificate that is used is one that is
negotiated on demand - this is how the interactive client code will work.
When calling from a non-user application however, you have to explicitly
provide a certificate. This means you need to have a level 3 cert
installed on the machine where the invocation will be called from, and then
associate the certificate to be used with the call. This difference is why
you are seeing different behaviors on an interactive client and in web
service code.

There are good examples of setting up certificate controlled communications
in the samples that come with the WSE 2.0 SP1 toolkit download on MSDN.

I hope this helps

Dan Rogers
Microsoft Corporation
--------------------
Thread-Topic: Error accessing Java Web service over SSL with X.509
Subject: Error accessing Java Web service over SSL with X.509
Date: Tue, 23 Nov 2004 18:57:21 -0800
Newsgroups: microsoft.public.dotnet.framework.aspnet.webservices
 
JohnD

Hi Dan

Thanks for your help.

You were right, the certificate needed to be installed correctly. I also had
to use the WinHttpCertCfg tool to grant the ASP.NET worker process account
permission to use it.

Thanks

- John
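
The resolution above comes down to two conditions: the client certificate sits in the machine store with its private key, and the worker process account can read that key. The following check is an added example, not part of the original thread; it uses current PowerShell rather than WinHttpCertCfg, and the function name, `$Thumbprint` and `$Account` are assumptions supplied by the caller. Run it from an elevated prompt.

```powershell
# Added example: report why a service account may fail to present a client certificate.
function Test-ClientCertKeyAccess {
    param(
        [Parameter(Mandatory)] [string] $Thumbprint,  # certificate expected in LocalMachine\My
        [Parameter(Mandatory)] [string] $Account      # worker process / app pool identity
    )

    $cert = Get-Item -Path "Cert:\LocalMachine\My\$Thumbprint" -ErrorAction SilentlyContinue
    if (-not $cert) { return "NotInMachineStore" }
    if (-not $cert.HasPrivateKey) { return "NoPrivateKey" }

    # Resolve the on-disk key container name for CNG or legacy CSP keys.
    $rsa = [System.Security.Cryptography.X509Certificates.RSACertificateExtensions]::GetRSAPrivateKey($cert)
    if ($rsa -is [System.Security.Cryptography.RSACng]) {
        $name = $rsa.Key.UniqueName
    } elseif ($rsa -is [System.Security.Cryptography.RSACryptoServiceProvider]) {
        $name = $rsa.CspKeyContainerInfo.UniqueKeyContainerName
    } else {
        return "KeyNotLocatable"   # non-RSA key or a provider that keeps no key file
    }

    # Machine keys live in one of these two directories depending on the provider.
    $file = "$env:ProgramData\Microsoft\Crypto\RSA\MachineKeys",
            "$env:ProgramData\Microsoft\Crypto\Keys" |
        ForEach-Object { Join-Path $_ $name } |
        Where-Object { Test-Path $_ } |
        Select-Object -First 1
    if (-not $file) { return "KeyFileNotFound" }

    # Look for an explicit Allow entry granting read on the key file to the account.
    $read = [System.Security.AccessControl.FileSystemRights]::Read
    $granted = (Get-Acl -Path $file).Access | Where-Object {
        $_.AccessControlType -eq 'Allow' -and
        $_.IdentityReference.Value -like "*$Account" -and
        ($_.FileSystemRights -band $read) -eq $read
    }
    if ($granted) { "KeyReadable" } else { "KeyAccessDenied" }
}
```

The check only sees access entries that name the account directly; access inherited through group membership shows up as `KeyAccessDenied` and has to be confirmed separately.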

 
