
on 01-24-2014 04:11 PM
Subject: RE: Two step (mutual authentication) SSL - CVP/Tomcat - 403 response
Replied by: Hemal Mehta on 07-08-2012 01:39:34 PM
What are the commands you used to import the security certs into Tomcat? Did you import a .cer?
This document was generated from CDN thread
Created by: Jason Jackson on 07-08-2012 11:16:49 AM
Hi everyone.
I'm in the process of helping our application developers figure out an issue.
In summary:
We have an application that lives on the VXML app server (Tomcat). This application is required to hit a web service from a third party using HTTPS. We are required to use SSL obviously, and we are also required to present a .pfx (digital certificate) when challenged.
We have the digital cert and all the certificate chains loaded up properly (at least I think we do). I can do a list on the keystore and see my personal key entry and the cert chains. A packet capture proves we get the SSL handshake started but when challenged for the cert I don't think tomcat knows what to do or which certificate to present to the third party.
This writes an error out in the STD out log in the Tomcat folder complaining about a 403 failure, which is probably a 403.4 or 403.7 (SSL required) error. I've loaded the certs up in the Windows key store and can hit the same URL from the IE browser. IE prompts me to select the cert I want to use when challenged, and then SSL starts and I can see the data from the web service.
So - is two step or mutual SSL even possible on CVP (tomcat) version 8.5.1(ES4)? If so, is there any other way to debug SSL and figure out why tomcat can't or does not present the correct cert?
Thanks in advance,
Jason
Subject: RE: Two step (mutual authentication) SSL - CVP/Tomcat - 403 response
Replied by: Jason Jackson on 07-08-2012 02:51:45 PM
Hi.
We were issued a .pfx file. In that file is the private key and the certificate chain. We point our keystore to a specific keystore using the Java options in the Tomcat config.
Here is the command I used to import the file:
keytool -importkeystore -srckeystore C:\mycert.pfx -srcstoretype PKCS12 -destkeystore C:\cvp.keystore
Everything seemed to work with the keytool. I can do a list on the keystore and the private key entry is there.
Subject: RE: Two step (mutual authentication) SSL - CVP/Tomcat - 403 response
Replied by: Hemal Mehta on 08-08-2012 09:12:55 AM
Did you import the root certificate also? I do this all the time. I mainly work with .cer, though I store it in cacerts. Can you make sure and check the certs using the command:
C:\Cisco\CVP\jre1.6\lib\security>C:\Cisco\CVP\jre1.6\bin\keytool -list -v -keystore cacerts
replace it with your dir and keystore
Subject: RE: Two step (mutual authentication) SSL - CVP/Tomcat - 403 response
Replied by: Jason Jackson on 08-08-2012 02:31:51 PM
Hi.
Yes, the list command shows all the certs and no issues.
I actually just got word back from Cisco TAC that mutual SSL is not even supported on tomcat/cvp 8.5(1) ES4 yet. I'm not sure I buy that answer yet but I will keep digging.
Subject: RE: Two step (mutual authentication) SSL - CVP/Tomcat - 403 response
Replied by: Jason Jackson on 17-08-2012 10:54:22 AM
Last update on this:
Turns out that CVP/Tomcat will not do this internally, but we were told it can be done from the application perspective with Java. Developers are still researching how to make that actually work.

If anyone has any code snippets I can send over that would be great.
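The snippet below is an added example of what the last update describes, written for this page; it is not code from the thread, from Cisco CVP or from Tomcat. It does the one thing Tomcat's connector configuration cannot do for an outbound call: build an SSLContext whose KeyManager holds the private key and chain imported from the .pfx, so that the JSSE client answers the third party's CertificateRequest with that certificate instead of an empty chain. The keystore path and type (the JKS created by the keytool -importkeystore command earlier in the thread), the cacerts path from Hemal's reply, the "changeit" passwords and the service URL are placeholders for illustration.

```java
import java.io.FileInputStream;
import java.io.IOException;
import java.io.InputStream;
import java.net.URL;
import java.security.KeyStore;
import javax.net.ssl.HttpsURLConnection;
import javax.net.ssl.KeyManagerFactory;
import javax.net.ssl.SSLContext;
import javax.net.ssl.TrustManagerFactory;

/**
 * Added example (not from the thread, Cisco or Tomcat): an application running
 * inside Tomcat builds its own SSLContext so that an outbound HTTPS call can
 * present the key/certificate imported from the .pfx when the server asks for
 * a client certificate. Written against Java 6 APIs (no try-with-resources).
 * Paths, passwords and the URL are placeholders.
 */
public class MutualTlsClient {

    private static KeyStore loadStore(String type, String path, char[] password) throws Exception {
        KeyStore ks = KeyStore.getInstance(type);
        InputStream in = new FileInputStream(path);
        try {
            ks.load(in, password);
        } finally {
            in.close();
        }
        return ks;
    }

    /**
     * keyStore:   private key + certificate chain issued to us (the .pfx itself as
     *             type "PKCS12", or the JKS it was copied into with -importkeystore).
     * trustStore: CA certificates of the third-party server (e.g. the JRE cacerts).
     */
    public static SSLContext buildContext(String keyStoreType, String keyStorePath, char[] keyStorePass,
                                          char[] keyPass, String trustStorePath, char[] trustStorePass)
            throws Exception {
        KeyStore keyStore = loadStore(keyStoreType, keyStorePath, keyStorePass);
        KeyManagerFactory kmf = KeyManagerFactory.getInstance(KeyManagerFactory.getDefaultAlgorithm());
        // keyPass is the password of the private-key *entry*, not of the store. For a
        // .pfx they are the same value and keytool -importkeystore keeps it; if they
        // differ and the wrong one is given here, init() throws
        // UnrecoverableKeyException ("Cannot recover key") and no cert is ever sent.
        kmf.init(keyStore, keyPass);

        KeyStore trustStore = loadStore("JKS", trustStorePath, trustStorePass);
        TrustManagerFactory tmf = TrustManagerFactory.getInstance(TrustManagerFactory.getDefaultAlgorithm());
        tmf.init(trustStore);

        SSLContext ctx = SSLContext.getInstance("TLS");
        ctx.init(kmf.getKeyManagers(), tmf.getTrustManagers(), null);
        return ctx;
    }

    /** Issues a GET over the mutual-TLS context and returns the HTTP status code. */
    public static int call(String url, SSLContext ctx) throws IOException {
        HttpsURLConnection conn = (HttpsURLConnection) new URL(url).openConnection();
        // Per-connection socket factory: Tomcat's own connectors and the JVM-wide
        // javax.net.ssl.keyStore/trustStore defaults are left untouched.
        conn.setSSLSocketFactory(ctx.getSocketFactory());
        conn.setRequestMethod("GET");
        try {
            // A 403 here after a clean handshake means the server received no
            // (or the wrong) client certificate; a failed handshake surfaces as
            // an SSLHandshakeException instead of a status code.
            return conn.getResponseCode();
        } finally {
            conn.disconnect();
        }
    }

    public static void main(String[] args) throws Exception {
        char[] pass = "changeit".toCharArray();   // placeholder password
        SSLContext ctx = buildContext(
                "JKS", "C:\\cvp.keystore", pass, pass,
                "C:\\Cisco\\CVP\\jre1.6\\lib\\security\\cacerts", "changeit".toCharArray());
        int status = call("https://thirdparty.example/service", ctx);
        System.out.println("HTTP " + status);
    }
}
```

Two checks worth doing before blaming the platform. First, run the JVM (or a small test harness) with -Djavax.net.debug=ssl,handshake: the log shows the CA names the server lists in its CertificateRequest and then either the alias the key manager picked and the certificate chain it sent, or an empty chain. The default SunX509 key manager only picks an entry whose issuer matches one of those CA names, so a certificate that keytool -list shows perfectly well is still skipped, and the server answers 403 at the HTTP layer, if it was issued by a CA the server did not ask for. Second, the entry password passed to kmf.init must be the private-key password, not just the store password; getting that wrong fails at init() rather than at connection time, which is a different symptom from the one in the thread.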
Saw this old post; I've a similar requirement. Does the below feature in CVP 11.0 help in any way?
Rest_Client Element
In Release 11.0(1), Cisco Unified Call Studio includes a new element called the Rest_Client element. The Rest_Client element provides a flexible interface in order to interact with REST endpoints. The communication between the REST client and server is made completely secure using two-way Secure Sockets Layer (SSL). The Rest_Client element permits users to send GET, POST, PUT, or DELETE requests to application servers.
Create Two-Way Communication Between VXML and REST Server
Two-Way secure communication between VXML and REST Server involves importing the VXML Server CA certificate into the REST Server trust store.
Perform the following steps to import the VXML Server CA certificate on the REST Server:
Rgds, lili