
I have a problem setting up two-way SSL authentication. I need to access an HTTPS endpoint from WSO2 Enterprise Integrator. The service provider gave me a pfx keystore that contains the certificates and private key that I have to provide to the server.

I installed this pfx keystore on my Windows computer and tried to access the endpoint from Chrome (the endpoint has a GET service at the root context that returns a hello message). When accessing this endpoint, Chrome tells me to choose a certificate to provide to the server... I choose the right one and the hello message is returned... fine, the certificate works.

I tried with curl too, providing key, cacert and cert (extracted from the pfx file using openssl). Everything worked fine.

The problem is when I try to access this endpoint from a WSO2 EI service. I imported my pfx file into the default keystore (wso2carbon.jks), following these steps, using keytool:

  1. Import the pfx into the jks

    keytool -importkeystore -srckeystore .pfx -srcstoretype pkcs12 -destkeystore wso2carbon.jks -deststoretype JKS -srcstorepass -deststorepass wso2carbon

  2. Export the jks public key

    keytool -export -alias "" -keystore wso2carbon.jks -file publickey.pem -storepass wso2carbon

  3. Import the public key into the default client-truststore.jks

    keytool -import -alias "" -file publickey.pem -keystore client-truststore.jks -storepass wso2carbon

  4. Update the password of the alias in the wso2carbon keystore (must be the same as the jks password)

    keytool -keypasswd -alias "" -new wso2carbon -keystore wso2carbon.jks -keypass -storepass wso2carbon

  5. Add the root & intermediate server certificates to the truststore

    keytool -import -v -trustcacerts -alias root -file root.cer -keystore client-truststore.jks -storepass wso2carbon
    keytool -import -v -trustcacerts -alias intermed -file intermed.cer -keystore client-truststore.jks -storepass wso2carbon

I restarted WSO2 EI, then tried to access the endpoint (handshake failure!!!).

I activated -Djavax.net.debug=ssl:handshake; below is the error trace. It seems like WSO2 EI cannot find the certificates requested by the server.

...
*** CertificateRequest
Cert Types: RSA, DSS, ECDSA
Supported Signature Algorithms: SHA512withRSA, Unknown (hash:0x6, signature:0x2), SHA512withECDSA, SHA384withRSA, Unknown (hash:0x5, signature:0x2), SHA384withECDSA, SHA256withRSA, Unknown (hash:0x4, signature:0x2), SHA256withECDSA, SHA224withRSA, Unknown (hash:0x3, signature:0x2), SHA224withECDSA, SHA1withRSA, SHA1withDSA, SHA1withECDSA
Cert Authorities:
<CN=Autorite Bureau RTE, O=RTE, L=Pacy, ST=Eure, C=FR>
<CN=Autorite Racine RTE, O=RTE, L=Pacy, ST=Eure, C=FR>
<CN=Autorite Bureau Machine RTE, DC=bureau, DC=si, DC=interne>
*** ServerHelloDone
Warning: no suitable certificate found - continuing without client authentication
*** Certificate chain
<Empty>
***
*** ClientKeyExchange, RSA PreMasterSecret, TLSv1.2
PassThroughMessageProcessor-2, WRITE: TLSv1.2 Handshake, length = 320
SESSION KEYGEN:
PreMaster Secret:
... no IV derived for this protocol
PassThroughMessageProcessor-2, WRITE: TLSv1.2 Change Cipher Spec, length = 64
*** Finished
verify_data:  { 111, 185, 151, 74, 99, 156, 152, 185, 240, 222, 162, 116 }
***
PassThroughMessageProcessor-2, WRITE: TLSv1.2 Handshake, length = 80
PassThroughMessageProcessor-2, READ: TLSv1.2 Alert, length = 64
PassThroughMessageProcessor-2, RECV TLSv1.2 ALERT:  fatal, handshake_failure
%% Invalidated:  [Session-1, TLS_RSA_WITH_AES_256_CBC_SHA256]
%% Invalidated:  [Session-2, TLS_RSA_WITH_AES_256_CBC_SHA256]
PassThroughMessageProcessor-2, called closeSocket()
PassThroughMessageProcessor-2, handling exception: javax.net.ssl.SSLHandshakeException: Received fatal alert: handshake_failure
PassThroughMessageProcessor-2, called close()
PassThroughMessageProcessor-2, called closeInternal(true)

I tried with SOAP UI, referencing the previously created keystore, and the GET call returns the hello message (handshake succeeded).

I also tried with a small Java class that uses that keystore, and the SSL handshake process goes fine.

    import java.io.BufferedReader;
    import java.io.IOException;
    import java.io.InputStreamReader;
    import java.net.URL;
    import javax.net.ssl.HttpsURLConnection;

    public class KeystoreTest {
        // Placeholders: the same JKS, password and endpoint used with WSO2 EI
        private static final String keystorePath = "/path/to/wso2carbon.jks";
        private static final String CERT_PASSWORD = "wso2carbon";
        private static final String endpoint = "https://<host>/";

        public static void main(String[] args) {
            // Point the default JSSE key manager at the JKS so it can answer the server's CertificateRequest
            System.setProperty("javax.net.ssl.keyStore", keystorePath);
            System.setProperty("javax.net.ssl.keyStorePassword", CERT_PASSWORD);
            System.setProperty("javax.net.ssl.keyStoreType", "JKS");
            try {
                URL myUrl = new URL(endpoint);
                HttpsURLConnection conn = (HttpsURLConnection) myUrl.openConnection();
                try (BufferedReader br = new BufferedReader(new InputStreamReader(conn.getInputStream()))) {
                    String inputLine;
                    while ((inputLine = br.readLine()) != null) {
                        System.out.println(inputLine);
                    }
                }
            } catch (IOException e) {
                e.printStackTrace();
            }
        }
    }

Cert Authorities:
<CN=Autorite Bureau RTE, O=RTE, L=Pacy, ST=Eure, C=FR>
<CN=Autorite Racine RTE, O=RTE, L=Pacy, ST=Eure, C=FR>
<CN=Autorite Bureau Machine RTE, DC=bureau, DC=si, DC=interne>
*** ServerHelloDone
matching alias: alias-cert

I appreciate any help. Thanks.

Kind regards, Rudy

elrudaille
  • Have you gone through the link https://www.yenlo.com/blog/setting-up-wso2-with-a-valid-certificate ? – amg_amit Sep 24 '18 at 09:41
  • Hello, yes I did, except that I did not create a new jks. I preferred to import it into the default wso2carbon one to avoid having to update all the XML configuration files. – elrudaille Sep 24 '18 at 11:30
  • Can you try importing those certificates into the client-truststore.jks file? They are certificates which are not used by the WSO2 product, so I feel that as it's a 3rd-party certificate it is looking in client-truststore.jks. – amg_amit Sep 24 '18 at 12:06
  • Hello, I tried a looooot of things, including what you mention, with no success... I also updated WSO2 EI to use only wso2carbon.jks as the truststore and keystore to simplify my tests... BTW, I wrote a little Java class (standalone, not using the WSO2 product), and the SSL process went well; the client finds the appropriate certificates for the server's certificate request... looks like a problem in the WSO2 configuration, but I cannot find where. – elrudaille Sep 25 '18 at 22:44
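The "no suitable certificate found" warning in the trace is the JSSE key manager failing to find a private-key entry whose chain is issued by one of the CAs in the server's CertificateRequest. The following standalone Java program is an added check (not code from the question or from WSO2): it loads the keystore, lists each key entry with its chain issuers, and asks the default key manager to choose a client alias against the three issuer DNs from the trace, so the same test can be run against the exact JKS that WSO2 EI is configured to use. The keystore path and passwords are placeholders taken from the question's keytool steps.

```java
import java.io.FileInputStream;
import java.security.KeyStore;
import java.security.cert.Certificate;
import java.security.cert.X509Certificate;
import java.util.Enumeration;
import javax.net.ssl.KeyManagerFactory;
import javax.net.ssl.X509KeyManager;
import javax.security.auth.x500.X500Principal;

public class ClientCertCheck {
    // Placeholders: the keystore and passwords from the question's steps
    static final String KEYSTORE = "repository/resources/security/wso2carbon.jks";
    static final char[] STORE_PASS = "wso2carbon".toCharArray();
    static final char[] KEY_PASS = "wso2carbon".toCharArray();
    // Issuer DNs copied from the "Cert Authorities" list in the trace
    static final X500Principal[] ISSUERS = {
        new X500Principal("CN=Autorite Bureau RTE, O=RTE, L=Pacy, ST=Eure, C=FR"),
        new X500Principal("CN=Autorite Racine RTE, O=RTE, L=Pacy, ST=Eure, C=FR"),
        new X500Principal("CN=Autorite Bureau Machine RTE, DC=bureau, DC=si, DC=interne"),
    };

    public static void main(String[] args) throws Exception {
        KeyStore ks = KeyStore.getInstance("JKS");
        try (FileInputStream in = new FileInputStream(KEYSTORE)) {
            ks.load(in, STORE_PASS);
        }
        // Show each private-key entry and the issuers in its chain; JSSE
        // matches these issuers against the requested CA list
        for (Enumeration<String> e = ks.aliases(); e.hasMoreElements();) {
            String alias = e.nextElement();
            if (!ks.isKeyEntry(alias)) continue;
            System.out.println("key entry: " + alias);
            for (Certificate c : ks.getCertificateChain(alias)) {
                System.out.println("  issuer: " + ((X509Certificate) c).getIssuerX500Principal());
            }
        }
        // Ask the default key manager the same question the handshake asks;
        // init() fails if an alias password differs from KEY_PASS (step 4)
        KeyManagerFactory kmf = KeyManagerFactory.getInstance(KeyManagerFactory.getDefaultAlgorithm());
        kmf.init(ks, KEY_PASS);
        X509KeyManager km = (X509KeyManager) kmf.getKeyManagers()[0];
        String chosen = km.chooseClientAlias(new String[] {"RSA", "EC", "DSA"}, ISSUERS, null);
        System.out.println(chosen == null
            ? "no suitable certificate: no key entry chain is issued by a requested CA"
            : "matching alias: " + chosen);
    }
}
```

Run it with the JDK that WSO2 EI runs on; if it prints "matching alias" for the file EI is configured to use but EI still logs "no suitable certificate found", the transport is not reading that keystore and the problem is in the transport configuration rather than the keystore.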

1 Answer


To solve this, review your configuration in the axis2.xml file, find the transportSender element with name="https", and insert the customSSLProfiles config.

The how-to is in this documentation:

https://docs.wso2.com/display/EI660/HTTPS-NIO+Transport+
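As an added illustration of the answer (example configuration, not taken from the question or the linked page), this is the shape of an https transportSender with a customSSLProfiles profile that presents the imported keystore only to the mutual-TLS host; the host:port and store locations are placeholders using the default WSO2 paths and the wso2carbon password from the question.

```xml
<transportSender name="https" class="org.apache.synapse.transport.passthru.PassThroughHttpSSLSender">
    <parameter name="non-blocking" locked="false">true</parameter>
    <!-- default stores used for every other outbound HTTPS call -->
    <parameter name="keystore" locked="false">
        <KeyStore>
            <Location>repository/resources/security/wso2carbon.jks</Location>
            <Type>JKS</Type>
            <Password>wso2carbon</Password>
            <KeyPassword>wso2carbon</KeyPassword>
        </KeyStore>
    </parameter>
    <parameter name="truststore" locked="false">
        <TrustStore>
            <Location>repository/resources/security/client-truststore.jks</Location>
            <Type>JKS</Type>
            <Password>wso2carbon</Password>
        </TrustStore>
    </parameter>
    <!-- per-host override: the keystore holding the client certificate (the
         KeyPassword must match the alias password set in step 4) and the
         truststore holding the server's root and intermediate CAs (step 5) -->
    <parameter name="customSSLProfiles">
        <profile>
            <servers>partner.example:443</servers>
            <KeyStore>
                <Location>repository/resources/security/wso2carbon.jks</Location>
                <Type>JKS</Type>
                <Password>wso2carbon</Password>
                <KeyPassword>wso2carbon</KeyPassword>
            </KeyStore>
            <TrustStore>
                <Location>repository/resources/security/client-truststore.jks</Location>
                <Type>JKS</Type>
                <Password>wso2carbon</Password>
            </TrustStore>
        </profile>
    </parameter>
</transportSender>
```

The servers value must match the host:port the endpoint actually connects to, otherwise the profile is never selected and the default stores are used.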

cwichoski