OSB Http Transport Client Certificate Authentication Common Pitfall

I recently worked with a customer to help them resolve some issues they were having with configuring client certificate authentication (2-way SSL) for an HTTP Business Service in Oracle Service Bus (OSB).  This post discusses a common issue encountered along the way and how to fix it.

The customer’s use case was to invoke a service from an external provider that required 2-way SSL.  The provider issued the customer a client certificate, signed by the provider’s own certificate authority (CA), to use as its client credential.  The certificate was delivered in PKCS#12 format, containing both the certificate and the private key, protected by a password.

The customer completed the steps required for configuring the use of client certificate authentication with HTTP:

  1. Create a keystore containing the client certificates
  2. Configure a PKI Credential Mapping Provider, referencing the keystore
  3. Create a Service Key Provider referencing the correct certificate from the keystore
  4. Configure an HTTP Transport based business service, indicating client certificate authentication

Everything seemed to be correct, but the request to the external service was denied with a 403 Forbidden error.  After several iterations of debugging and contacting the external service provider, the root cause was determined.  When establishing a 2-way SSL connection, the server requests the client’s certificate as part of the SSL handshake.  Along with this request message, the server sends the list of certificate authorities (CAs) from which it will accept a certificate.  The client’s SSL library then scans the certificates in its designated keystore for an entry whose chain leads back to one of those acceptable CAs.

The problem in this case was that the certificate entry in the keystore did not contain a chain of certificates back to an accepted CA, so the SSL library found no matching entry and the client silently sent no certificate during the handshake; the server, seeing an unauthenticated client, answered with the 403.  To resolve this, the client certificate together with its chain of certificates back to a CA accepted by the provider’s server had to be imported into the keystore as a single key entry.
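The check the SSL library performs, and the repair described above, can be reproduced outside OSB with the standard Java keystore API.  The following program is an added example written for this post, not Oracle's or OSB's own code.  It assumes hypothetical file names and passwords passed on the command line: the client keystore (PKCS12 or JKS), a PEM bundle of the CA certificates the server advertises as acceptable, and optionally a PEM file holding the client certificate followed by its full chain.  For every key entry it reports whether the stored chain reaches an accepted CA; if it does not and a chain file was supplied, it re-stores the entry with the complete chain, which is the fix the customer needed.

```java
import java.io.FileInputStream;
import java.io.FileOutputStream;
import java.security.Key;
import java.security.KeyStore;
import java.security.cert.Certificate;
import java.security.cert.CertificateFactory;
import java.security.cert.X509Certificate;
import java.util.ArrayList;
import java.util.Enumeration;
import java.util.List;
import javax.security.auth.x500.X500Principal;

/**
 * Added diagnostic/repair example (not part of OSB). Hypothetical usage:
 *   java KeystoreChainCheck client.p12 PKCS12 changeit accepted-cas.pem [full-chain.pem]
 */
public class KeystoreChainCheck {

    public static void main(String[] args) throws Exception {
        if (args.length < 4) {
            System.err.println("usage: KeystoreChainCheck <keystore> <type> <password> <accepted-cas.pem> [full-chain.pem]");
            System.exit(2);
        }
        String ksPath = args[0];
        char[] pw = args[2].toCharArray();

        KeyStore ks = KeyStore.getInstance(args[1]);
        try (FileInputStream in = new FileInputStream(ksPath)) {
            ks.load(in, pw);
        }

        // The server's CertificateRequest carries the distinguished names of the CAs it
        // accepts; here that list is modelled by the subjects of the CA certs in the PEM bundle.
        List<X500Principal> acceptedCAs = new ArrayList<>();
        for (X509Certificate ca : readPem(args[3])) {
            acceptedCAs.add(ca.getSubjectX500Principal());
        }
        List<X509Certificate> fullChain = args.length > 4 ? readPem(args[4]) : null;

        boolean changed = false;
        Enumeration<String> aliases = ks.aliases();
        while (aliases.hasMoreElements()) {
            String alias = aliases.nextElement();
            if (!ks.isKeyEntry(alias)) continue;          // only private-key entries can be client credentials
            X509Certificate[] chain = toX509(ks.getCertificateChain(alias));
            System.out.printf("%s: %d certificate(s) in chain, leaf=%s%n",
                    alias, chain.length, chain[0].getSubjectX500Principal());

            X500Principal reached = reachesAcceptedCA(chain, acceptedCAs);
            if (reached != null) {
                System.out.println("  OK: chain reaches accepted CA " + reached);
                continue;
            }
            System.out.println("  PROBLEM: no certificate in the stored chain is issued by an accepted CA;"
                    + " the SSL client will not present this certificate during the handshake");

            // Repair: re-store the same private key with the complete chain, but only if the
            // supplied chain starts with the very certificate already bound to this key.
            if (fullChain != null && fullChain.get(0).equals(chain[0])) {
                Key key = ks.getKey(alias, pw);
                ks.setKeyEntry(alias, key, pw, fullChain.toArray(new Certificate[0]));
                changed = true;
                System.out.println("  repaired: entry re-stored with " + fullChain.size() + " certificate(s)");
            }
        }
        if (changed) {
            try (FileOutputStream out = new FileOutputStream(ksPath)) {
                ks.store(out, pw);
            }
        }
    }

    /** Mirrors the library's selection rule: some certificate in the chain must be issued by an accepted CA. */
    static X500Principal reachesAcceptedCA(X509Certificate[] chain, List<X500Principal> acceptedCAs) {
        for (X509Certificate cert : chain) {
            X500Principal issuer = cert.getIssuerX500Principal();
            if (acceptedCAs.contains(issuer)) return issuer;
        }
        return null;
    }

    /** Reads one or more PEM-encoded X.509 certificates from a file, in file order. */
    static List<X509Certificate> readPem(String path) throws Exception {
        CertificateFactory cf = CertificateFactory.getInstance("X.509");
        List<X509Certificate> certs = new ArrayList<>();
        try (FileInputStream in = new FileInputStream(path)) {
            for (Certificate c : cf.generateCertificates(in)) certs.add((X509Certificate) c);
        }
        return certs;
    }

    static X509Certificate[] toX509(Certificate[] chain) {
        X509Certificate[] out = new X509Certificate[chain.length];
        for (int i = 0; i < chain.length; i++) out[i] = (X509Certificate) chain[i];
        return out;
    }
}
```

A quicker first look is `keytool -list -v` on the keystore: a key entry whose output shows `Certificate chain length: 1` while the provider's CA is not in the server's accepted list is exactly the situation described above.  When rebuilding the entry, the order of the chain matters: the client certificate comes first, followed by each issuing CA up to the root the provider's server trusts.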
