Eclipse Community Forums
Forum Search:

Search      Help    Register    Login    Home
Home » Archived » OHF » Connectathon ATNA Certificates for OHF users
Connectathon ATNA Certificates for OHF users [message #37836] Mon, 03 December 2007 17:06 Go to next message
Matthew DavisFriend
Messages: 269
Registered: July 2009
Senior Member
Hi All,

If you are planning to use OHF to conduct ATNA mutual TLS authentication
tests at Connectathon, you will need to generate a suitable keystore and
truststore that can be read by a Java JVM. Based on the PEM output
format of the keys that the Connectathon managers use, it is not a
straightforward task to complete this.

We will be happy to generate this keystore and provide a master
truststore for all Connectathon users. If you need help in this task,
please send me an email directly (mattadav@us.ibm.com) with a copy of
your private key (systemXX.ihe.net.key.pem ) *AND* your public
certificate (systemXX.ihe.net.cert.pem). To download these files,
please see:
http://ihe-kudu.wustl.edu/na2008/certificates.php?highlight= 6_6. DO NOT
post these files to the newsgroup, as that will make the Connectathon
managers very mad.

Also, please do this in a timely manner. Please don't wait until the
Friday before Connectathon to request a keystore and truststore :) You
will need this same keystore/truststore for use with NIST MESA testing.

Thanks,
-Matt
Re: Connectathon ATNA Certificates for OHF users [message #38040 is a reply to message #37836] Tue, 04 December 2007 20:45 Go to previous messageGo to next message
Jesse Pangburn is currently offline Jesse PangburnFriend
Messages: 166
Registered: July 2009
Senior Member
Hi Matt,
I tried to send you mine but got the following error:
The following recipient(s) could not be reached:

mattadav@ibm.com on 12/4/2007 12:43 PM
The message reached the recipient's e-mail system, but
delivery was refused. Attempt to resend the message. If it still fails,
contact your system administrator.
<irvfexchg01.healthvision.com #5.2.1 smtp;550 5.2.1
<mattadav@ibm.com>... Mailbox disabled for this recipient>

In your post, it showed your company name in your email as xxxxxx, which I
guessed should be replaced with "ibm". Is that not correct?

thanks,
Jesse

Matthew Davis wrote:

> Hi All,

> If you are planning to use OHF to conduct ATNA mutual TLS authentication
> tests at Connectathon, you will need to generate a suitable keystore and
> truststore that can be read by a Java JVM. Based on the PEM output
> format of the keys that the Connectathon managers use, it is not a
> straightforward task to complete this.

> We will be happy to generate this keystore and provide a master
> truststore for all Connectathon users. If you need help in this task,
> please send me an email directly (mattadav@us.ibm.com) with a copy of
> your private key (systemXX.ihe.net.key.pem ) *AND* your public
> certificate (systemXX.ihe.net.cert.pem). To download these files,
> please see:
> http://ihe-kudu.wustl.edu/na2008/certificates.php?highlight= 6_6. DO NOT
> post these files to the newsgroup, as that will make the Connectathon
> managers very mad.

> Also, please do this in a timely manner. Please don't wait until the
> Friday before Connectathon to request a keystore and truststore :) You
> will need this same keystore/truststore for use with NIST MESA testing.

> Thanks,
> -Matt
Re: Connectathon ATNA Certificates for OHF users [message #38471 is a reply to message #37836] Thu, 06 December 2007 02:27 Go to previous messageGo to next message
Takeo Satomi is currently offline Takeo SatomiFriend
Messages: 32
Registered: July 2009
Member
Hello everyone,

Since the NIST's server for 2007 pre-connectathon has gone now and I will
not implement any registries, the new server (hcxw2k1.nist.gov) is a
single registry available for me. But I've never made a secured
connection successfully with it and always get the handshake error saying
"Error Sending SOAP
Message/norg.eclipse.ohf.ihe.common.ws.OHFSOAPException: Error Sending
SOAP Message [Caused by javax.net.ssl.SSLHandshakeException: Remote host
closed connection during handshake]"

I have some choices for keystore and truststore.

keystore:
1. Key created from test_sys_1.cert.pem and test_sys_1.key.pem contained
in MESA_TEST\runtime\certificates
2. Key craeted from mysystem.ihe.net.cert.pem and mysystem.ihe.net.key.pem
downloaded from http://ihe-kudu.wustl.edu/na2008/certificates.php
3. test_sys_1.2008.jks contained in conf/keystores directory of
org.eclipse.ohf.bridge.install_0.3.0.v20071203102303.zip

truststore:
A. A keystore into which test_sys_1.cert.pem mentioned above has been
imported
B. A keystore into which mysystem.ihe.net.cert.pem mentioned above has
been imported
C. mesatrusts.2008.jks contained in conf/keystores directory of
org.eclipse.ohf.bridge.install_0.3.0.v20071203102303.zip

I thought 2-C or 3-C would work but failed. What kind of combination is
correct? None of them could be?

And I make keystores as below. Am I doing right?

keystore:
> openssl.exe pkcs12 -export -out mykeystore.p12 -in my.cert.pem -inkey
my.key.pem
> java -cp "C:\Program Files\jetty-6.1.5\lib\jetty-6.1.5.jar"
org.mortbay.jetty.security.PKCS12Import mykeystore.p12 mykeystore.jks

truststore:
> keytool.exe -import -alias mesa -file my.cert.pem -keystore mytruststore.jks

Thanks in advance,
Takeo Satomi

Matthew Davis wrote:

> Hi All,

> If you are planning to use OHF to conduct ATNA mutual TLS authentication
> tests at Connectathon, you will need to generate a suitable keystore and
> truststore that can be read by a Java JVM. Based on the PEM output
> format of the keys that the Connectathon managers use, it is not a
> straightforward task to complete this.

> We will be happy to generate this keystore and provide a master
> truststore for all Connectathon users. If you need help in this task,
> please send me an email directly (mattadav@us.ibm.com) with a copy of
> your private key (systemXX.ihe.net.key.pem ) *AND* your public
> certificate (systemXX.ihe.net.cert.pem). To download these files,
> please see:
> http://ihe-kudu.wustl.edu/na2008/certificates.php?highlight= 6_6. DO NOT
> post these files to the newsgroup, as that will make the Connectathon
> managers very mad.

> Also, please do this in a timely manner. Please don't wait until the
> Friday before Connectathon to request a keystore and truststore :) You
> will need this same keystore/truststore for use with NIST MESA testing.

> Thanks,
> -Matt
Re: Connectathon ATNA Certificates for OHF users [message #38536 is a reply to message #38471] Thu, 06 December 2007 16:26 Go to previous messageGo to next message
Matthew DavisFriend
Messages: 269
Registered: July 2009
Senior Member
Hi Takeo,

Here's the general rundown:
- For the ATNA certificate tests (11141-11143) that require the MESA
software, you will use the test_sys_1.cert and the associated public
certificates that are distributed with the MESA software. The
keystore/truststore distributed with the OHF Bridge should contain that
the necessary certificates to handle that.

- For the NIST XDS TLS tests (11739-11743), it requires the Connectathon
certificate you downloaded from Kudu, converted to PKCS12 and imported
into a Java Keystore.

To place the Connectathon private keys in a keystore, it requires a
separate tool. The Java keytool is not sufficient. I do see that you
found a tool in Jetty that should work (we wrote a proprietary library
to do it a few years ago). Now, I'm not sure why this isn't working -
but it may be because you're not completing the truststore. The
truststore should contain the public certificates of all Connectathon
participants, not just your own (or, more specifically, you need to
trust the systems that you're testing with - in this case it's the NIST
certificate - nist1.ihe.net.cert.pem and nist2.ihe.net.cert.pem). Try
adding the NIST certificates into the truststore and try again. I can
also send you the necessary files to do this if you wish.

Thanks,
-Matt

Takeo Satomi wrote:
> Hello everyone,
>
> Since the NIST's server for 2007 pre-connectathon has gone now and I
> will not implement any registries, the new server (hcxw2k1.nist.gov) is
> a single registry available for me. But I've never made a secured
> connection successfully with it and always get the handshake error
> saying "Error Sending SOAP
> Message/norg.eclipse.ohf.ihe.common.ws.OHFSOAPException: Error Sending
> SOAP Message [Caused by javax.net.ssl.SSLHandshakeException: Remote
> host closed connection during handshake]"
>
> I have some choices for keystore and truststore.
>
> keystore:
> 1. Key created from test_sys_1.cert.pem and test_sys_1.key.pem contained
> in MESA_TEST\runtime\certificates
> 2. Key craeted from mysystem.ihe.net.cert.pem and mysystem.ihe.net.key.pem
> downloaded from http://ihe-kudu.wustl.edu/na2008/certificates.php
> 3. test_sys_1.2008.jks contained in conf/keystores directory of
> org.eclipse.ohf.bridge.install_0.3.0.v20071203102303.zip
>
> truststore:
> A. A keystore into which test_sys_1.cert.pem mentioned above has been
> imported
> B. A keystore into which mysystem.ihe.net.cert.pem mentioned above has
> been imported
> C. mesatrusts.2008.jks contained in conf/keystores directory of
> org.eclipse.ohf.bridge.install_0.3.0.v20071203102303.zip
>
> I thought 2-C or 3-C would work but failed. What kind of combination
> is correct? None of them could be?
>
> And I make keystores as below. Am I doing right?
>
> keystore:
>> openssl.exe pkcs12 -export -out mykeystore.p12 -in my.cert.pem -inkey
> my.key.pem
>> java -cp "C:\Program Files\jetty-6.1.5\lib\jetty-6.1.5.jar"
> org.mortbay.jetty.security.PKCS12Import mykeystore.p12 mykeystore.jks
>
> truststore:
>> keytool.exe -import -alias mesa -file my.cert.pem -keystore
>> mytruststore.jks
>
> Thanks in advance,
> Takeo Satomi
>
> Matthew Davis wrote:
>
>> Hi All,
>
>> If you are planning to use OHF to conduct ATNA mutual TLS
>> authentication tests at Connectathon, you will need to generate a
>> suitable keystore and truststore that can be read by a Java JVM.
>> Based on the PEM output format of the keys that the Connectathon
>> managers use, it is not a straightforward task to complete this.
>
>> We will be happy to generate this keystore and provide a master
>> truststore for all Connectathon users. If you need help in this task,
>> please send me an email directly (mattadav@us.ibm.com) with a copy of
>> your private key (systemXX.ihe.net.key.pem ) *AND* your public
>> certificate (systemXX.ihe.net.cert.pem). To download these files,
>> please see:
>> http://ihe-kudu.wustl.edu/na2008/certificates.php?highlight= 6_6. DO
>> NOT post these files to the newsgroup, as that will make the
>> Connectathon managers very mad.
>
>> Also, please do this in a timely manner. Please don't wait until the
>> Friday before Connectathon to request a keystore and truststore :)
>> You will need this same keystore/truststore for use with NIST MESA
>> testing.
>
>> Thanks,
>> -Matt
>
>
Re: Connectathon ATNA Certificates for OHF users [message #38635 is a reply to message #38471] Thu, 06 December 2007 18:49 Go to previous messageGo to next message
Jesse Pangburn is currently offline Jesse PangburnFriend
Messages: 166
Registered: July 2009
Senior Member
Hi Takeo,
I highly recommend you email your certificate and private key to Matt:
mattadavis at us dot ibm dot com, as he so kindly offered at the top of
this email chain. I did so and used the keystore/truststore he sent back
to me and have successfully connected to the new NIST reg/repo. This also
has the benefit of trusting all the certificates of the other IHE people
so when you take it to Connectathon and connect to the other reg/repo
systems, you won't have to fool around with your trust store again.

That's the easy way. If you want to do it the hard way, you're very close
already. However, instead of trusting your own certificate, you need to
trust the certificates of those systems to which you want to connect. As
Matt stated, you need to trust the nist certificates. Just as you
imported the mesa certificate into your truststore, so you need to import
the NIST certificates (there are two of them). But again, I highly
recommend going the other route and using the keystore/truststore Matt
generated- though this harder route is very educational about java
keystores/truststores and you're very close :-)

thanks,
Jesse

Takeo Satomi wrote:

> Hello everyone,

> Since the NIST's server for 2007 pre-connectathon has gone now and I will
> not implement any registries, the new server (hcxw2k1.nist.gov) is a
> single registry available for me. But I've never made a secured
> connection successfully with it and always get the handshake error saying
> "Error Sending SOAP
> Message/norg.eclipse.ohf.ihe.common.ws.OHFSOAPException: Error Sending
> SOAP Message [Caused by javax.net.ssl.SSLHandshakeException: Remote host
> closed connection during handshake]"

> I have some choices for keystore and truststore.

> keystore:
> 1. Key created from test_sys_1.cert.pem and test_sys_1.key.pem contained
> in MESA_TESTruntimecertificates
> 2. Key craeted from mysystem.ihe.net.cert.pem and mysystem.ihe.net.key.pem
> downloaded from http://ihe-kudu.wustl.edu/na2008/certificates.php
> 3. test_sys_1.2008.jks contained in conf/keystores directory of
> org.eclipse.ohf.bridge.install_0.3.0.v20071203102303.zip

> truststore:
> A. A keystore into which test_sys_1.cert.pem mentioned above has been
> imported
> B. A keystore into which mysystem.ihe.net.cert.pem mentioned above has
> been imported
> C. mesatrusts.2008.jks contained in conf/keystores directory of
> org.eclipse.ohf.bridge.install_0.3.0.v20071203102303.zip

> I thought 2-C or 3-C would work but failed. What kind of combination is
> correct? None of them could be?

> And I make keystores as below. Am I doing right?

> keystore:
>> openssl.exe pkcs12 -export -out mykeystore.p12 -in my.cert.pem -inkey
> my.key.pem
>> java -cp "C:Program Filesjetty-6.1.5libjetty-6.1.5.jar"
> org.mortbay.jetty.security.PKCS12Import mykeystore.p12 mykeystore.jks

> truststore:
>> keytool.exe -import -alias mesa -file my.cert.pem -keystore mytruststore.jks

> Thanks in advance,
> Takeo Satomi

> Matthew Davis wrote:

>> Hi All,

>> If you are planning to use OHF to conduct ATNA mutual TLS authentication
>> tests at Connectathon, you will need to generate a suitable keystore and
>> truststore that can be read by a Java JVM. Based on the PEM output
>> format of the keys that the Connectathon managers use, it is not a
>> straightforward task to complete this.

>> We will be happy to generate this keystore and provide a master
>> truststore for all Connectathon users. If you need help in this task,
>> please send me an email directly (mattadav@us.ibm.com) with a copy of
>> your private key (systemXX.ihe.net.key.pem ) *AND* your public
>> certificate (systemXX.ihe.net.cert.pem). To download these files,
>> please see:
>> http://ihe-kudu.wustl.edu/na2008/certificates.php?highlight= 6_6. DO NOT
>> post these files to the newsgroup, as that will make the Connectathon
>> managers very mad.

>> Also, please do this in a timely manner. Please don't wait until the
>> Friday before Connectathon to request a keystore and truststore :) You
>> will need this same keystore/truststore for use with NIST MESA testing.

>> Thanks,
>> -Matt
Re: Connectathon ATNA Certificates for OHF users [message #38676 is a reply to message #38635] Fri, 07 December 2007 02:38 Go to previous messageGo to next message
Takeo Satomi is currently offline Takeo SatomiFriend
Messages: 32
Registered: July 2009
Member
Matte, Jesse, thanks a lot for your help. I didn't notice nist1/2
certificates are available at
http://ihe-kudu.wustl.edu/na2008/certificates.php so I thought the nist
servers also use the test_sys_1 certificate.

Unfortunately I can't make it yet, even after importing nist1/2
certificates into my truststore. My guess is the keystore, not the
truststore, has something wrong because the connection is closed by the
remote server according to the error message, which seems to me that the
key/certificate assigned to my system is not valid.

I wanted to go it the "hard" way so that I could shoot any connection
trouble that would happen at Connectathon, but it looks it's too hard for
me now. Anyway I'll follow Jesse's advice and ask Matt to make keystores
later (I guess the truststore is common for all participants since it just
has to have all certificates issued for Connectathon, is that true?)

Thanks again,
Takeo Satomi

Jesse Pangburn wrote:

> Hi Takeo,
> I highly recommend you email your certificate and private key to Matt:
> mattadavis at us dot ibm dot com, as he so kindly offered at the top of
> this email chain. I did so and used the keystore/truststore he sent back
> to me and have successfully connected to the new NIST reg/repo. This also
> has the benefit of trusting all the certificates of the other IHE people
> so when you take it to Connectathon and connect to the other reg/repo
> systems, you won't have to fool around with your trust store again.

> That's the easy way. If you want to do it the hard way, you're very close
> already. However, instead of trusting your own certificate, you need to
> trust the certificates of those systems to which you want to connect. As
> Matt stated, you need to trust the nist certificates. Just as you
> imported the mesa certificate into your truststore, so you need to import
> the NIST certificates (there are two of them). But again, I highly
> recommend going the other route and using the keystore/truststore Matt
> generated- though this harder route is very educational about java
> keystores/truststores and you're very close :-)

> thanks,
> Jesse

> Takeo Satomi wrote:

>> Hello everyone,

>> Since the NIST's server for 2007 pre-connectathon has gone now and I will
>> not implement any registries, the new server (hcxw2k1.nist.gov) is a
>> single registry available for me. But I've never made a secured
>> connection successfully with it and always get the handshake error saying
>> "Error Sending SOAP
>> Message/norg.eclipse.ohf.ihe.common.ws.OHFSOAPException: Error Sending
>> SOAP Message [Caused by javax.net.ssl.SSLHandshakeException: Remote host
>> closed connection during handshake]"

>> I have some choices for keystore and truststore.

>> keystore:
>> 1. Key created from test_sys_1.cert.pem and test_sys_1.key.pem contained
>> in MESA_TESTruntimecertificates
>> 2. Key craeted from mysystem.ihe.net.cert.pem and mysystem.ihe.net.key.pem
>> downloaded from http://ihe-kudu.wustl.edu/na2008/certificates.php
>> 3. test_sys_1.2008.jks contained in conf/keystores directory of
>> org.eclipse.ohf.bridge.install_0.3.0.v20071203102303.zip

>> truststore:
>> A. A keystore into which test_sys_1.cert.pem mentioned above has been
>> imported
>> B. A keystore into which mysystem.ihe.net.cert.pem mentioned above has
>> been imported
>> C. mesatrusts.2008.jks contained in conf/keystores directory of
>> org.eclipse.ohf.bridge.install_0.3.0.v20071203102303.zip

>> I thought 2-C or 3-C would work but failed. What kind of combination is
>> correct? None of them could be?

>> And I make keystores as below. Am I doing right?

>> keystore:
>>> openssl.exe pkcs12 -export -out mykeystore.p12 -in my.cert.pem -inkey
>> my.key.pem
>>> java -cp "C:Program Filesjetty-6.1.5libjetty-6.1.5.jar"
>> org.mortbay.jetty.security.PKCS12Import mykeystore.p12 mykeystore.jks

>> truststore:
>>> keytool.exe -import -alias mesa -file my.cert.pem -keystore
mytruststore.jks

>> Thanks in advance,
>> Takeo Satomi

>> Matthew Davis wrote:

>>> Hi All,

>>> If you are planning to use OHF to conduct ATNA mutual TLS authentication
>>> tests at Connectathon, you will need to generate a suitable keystore and
>>> truststore that can be read by a Java JVM. Based on the PEM output
>>> format of the keys that the Connectathon managers use, it is not a
>>> straightforward task to complete this.

>>> We will be happy to generate this keystore and provide a master
>>> truststore for all Connectathon users. If you need help in this task,
>>> please send me an email directly (mattadav@us.ibm.com) with a copy of
>>> your private key (systemXX.ihe.net.key.pem ) *AND* your public
>>> certificate (systemXX.ihe.net.cert.pem). To download these files,
>>> please see:
>>> http://ihe-kudu.wustl.edu/na2008/certificates.php?highlight= 6_6. DO NOT
>>> post these files to the newsgroup, as that will make the Connectathon
>>> managers very mad.

>>> Also, please do this in a timely manner. Please don't wait until the
>>> Friday before Connectathon to request a keystore and truststore :) You
>>> will need this same keystore/truststore for use with NIST MESA testing.

>>> Thanks,
>>> -Matt
Re: Connectathon ATNA Certificates for OHF users [message #38703 is a reply to message #38676] Fri, 07 December 2007 17:26 Go to previous message
Matthew DavisFriend
Messages: 269
Registered: July 2009
Senior Member
Hi Everyone,

I'm working to get our library open sourced. Unfortunately the group
working on OHF doesn't "own" the code, so it'll likely have to go
through some vetting. I'm really surprised that the Jetty tool doesn't
work as expected. I'm going to download it later today and compare the
stores generated to see if I can pinpoint the problem.

Thanks,
-Matt


Takeo Satomi wrote:
> Matte, Jesse, thanks a lot for your help. I didn't notice nist1/2
> certificates are available at
> http://ihe-kudu.wustl.edu/na2008/certificates.php so I thought the nist
> servers also use the test_sys_1 certificate.
>
> Unfortunately I can't make it yet, even after importing nist1/2
> certificates into my truststore. My guess is the keystore, not the
> truststore, has something wrong because the connection is closed by the
> remote server according to the error message, which seems to me that the
> key/certificate assigned to my system is not valid.
>
> I wanted to go it the "hard" way so that I could shoot any connection
> trouble that would happen at Connectathon, but it looks it's too hard
> for me now. Anyway I'll follow Jesse's advice and ask Matt to make
> keystores later (I guess the truststore is common for all participants
> since it just has to have all certificates issued for Connectathon, is
> that true?)
>
> Thanks again,
> Takeo Satomi
>
> Jesse Pangburn wrote:
>
>> Hi Takeo,
>> I highly recommend you email your certificate and private key to Matt:
>> mattadavis at us dot ibm dot com, as he so kindly offered at the top
>> of this email chain. I did so and used the keystore/truststore he
>> sent back to me and have successfully connected to the new NIST
>> reg/repo. This also has the benefit of trusting all the certificates
>> of the other IHE people so when you take it to Connectathon and
>> connect to the other reg/repo systems, you won't have to fool around
>> with your trust store again.
>
>> That's the easy way. If you want to do it the hard way, you're very
>> close already. However, instead of trusting your own certificate, you
>> need to trust the certificates of those systems to which you want to
>> connect. As Matt stated, you need to trust the nist certificates.
>> Just as you imported the mesa certificate into your truststore, so you
>> need to import the NIST certificates (there are two of them). But
>> again, I highly recommend going the other route and using the
>> keystore/truststore Matt generated- though this harder route is very
>> educational about java keystores/truststores and you're very close :-)
>
>> thanks,
>> Jesse
>
>> Takeo Satomi wrote:
>
>>> Hello everyone,
>
>>> Since the NIST's server for 2007 pre-connectathon has gone now and I
>>> will not implement any registries, the new server (hcxw2k1.nist.gov)
>>> is a single registry available for me. But I've never made a
>>> secured connection successfully with it and always get the handshake
>>> error saying "Error Sending SOAP
>>> Message/norg.eclipse.ohf.ihe.common.ws.OHFSOAPException: Error
>>> Sending SOAP Message [Caused by javax.net.ssl.SSLHandshakeException:
>>> Remote host closed connection during handshake]"
>
>>> I have some choices for keystore and truststore.
>
>>> keystore:
>>> 1. Key created from test_sys_1.cert.pem and test_sys_1.key.pem
>>> contained in MESA_TESTruntimecertificates
>>> 2. Key craeted from mysystem.ihe.net.cert.pem and
>>> mysystem.ihe.net.key.pem
>>> downloaded from http://ihe-kudu.wustl.edu/na2008/certificates.php
>>> 3. test_sys_1.2008.jks contained in conf/keystores directory of
>>> org.eclipse.ohf.bridge.install_0.3.0.v20071203102303.zip
>
>>> truststore:
>>> A. A keystore into which test_sys_1.cert.pem mentioned above has been
>>> imported
>>> B. A keystore into which mysystem.ihe.net.cert.pem mentioned above
>>> has been imported
>>> C. mesatrusts.2008.jks contained in conf/keystores directory of
>>> org.eclipse.ohf.bridge.install_0.3.0.v20071203102303.zip
>
>>> I thought 2-C or 3-C would work but failed. What kind of
>>> combination is correct? None of them could be?
>
>>> And I make keystores as below. Am I doing right?
>
>>> keystore:
>>>> openssl.exe pkcs12 -export -out mykeystore.p12 -in my.cert.pem -inkey
>>> my.key.pem
>>>> java -cp "C:Program Filesjetty-6.1.5libjetty-6.1.5.jar"
>>> org.mortbay.jetty.security.PKCS12Import mykeystore.p12 mykeystore.jks
>
>>> truststore:
>>>> keytool.exe -import -alias mesa -file my.cert.pem -keystore
> mytruststore.jks
>
>>> Thanks in advance,
>>> Takeo Satomi
>
>>> Matthew Davis wrote:
>
>>>> Hi All,
>
>>>> If you are planning to use OHF to conduct ATNA mutual TLS
>>>> authentication tests at Connectathon, you will need to generate a
>>>> suitable keystore and truststore that can be read by a Java JVM.
>>>> Based on the PEM output format of the keys that the Connectathon
>>>> managers use, it is not a straightforward task to complete this.
>
>>>> We will be happy to generate this keystore and provide a master
>>>> truststore for all Connectathon users. If you need help in this
>>>> task, please send me an email directly (mattadav@us.ibm.com) with a
>>>> copy of your private key (systemXX.ihe.net.key.pem ) *AND* your
>>>> public certificate (systemXX.ihe.net.cert.pem). To download these
>>>> files, please see:
>>>> http://ihe-kudu.wustl.edu/na2008/certificates.php?highlight= 6_6. DO
>>>> NOT post these files to the newsgroup, as that will make the
>>>> Connectathon managers very mad.
>
>>>> Also, please do this in a timely manner. Please don't wait until
>>>> the Friday before Connectathon to request a keystore and truststore
>>>> :) You will need this same keystore/truststore for use with NIST
>>>> MESA testing.
>
>>>> Thanks,
>>>> -Matt
>
>
Re: Connectathon ATNA Certificates for OHF users [message #583502 is a reply to message #37836] Tue, 04 December 2007 20:45 Go to previous message
Jesse Pangburn is currently offline Jesse PangburnFriend
Messages: 166
Registered: July 2009
Senior Member
Hi Matt,
I tried to send you mine but got the following error:
The following recipient(s) could not be reached:

mattadav@ibm.com on 12/4/2007 12:43 PM
The message reached the recipient's e-mail system, but
delivery was refused. Attempt to resend the message. If it still fails,
contact your system administrator.
<irvfexchg01.healthvision.com #5.2.1 smtp;550 5.2.1
<mattadav@ibm.com>... Mailbox disabled for this recipient>

In your post, it showed your company name in your email as xxxxxx, which I
guessed should be replaced with "ibm". Is that not correct?

thanks,
Jesse

Matthew Davis wrote:

> Hi All,

> If you are planning to use OHF to conduct ATNA mutual TLS authentication
> tests at Connectathon, you will need to generate a suitable keystore and
> truststore that can be read by a Java JVM. Based on the PEM output
> format of the keys that the Connectathon managers use, it is not a
> straightforward task to complete this.

> We will be happy to generate this keystore and provide a master
> truststore for all Connectathon users. If you need help in this task,
> please send me an email directly (mattadav@us.ibm.com) with a copy of
> your private key (systemXX.ihe.net.key.pem ) *AND* your public
> certificate (systemXX.ihe.net.cert.pem). To download these files,
> please see:
> http://ihe-kudu.wustl.edu/na2008/certificates.php?highlight= 6_6 DO NOT
> post these files to the newsgroup, as that will make the Connectathon
> managers very mad.

> Also, please do this in a timely manner. Please don't wait until the
> Friday before Connectathon to request a keystore and truststore :) You
> will need this same keystore/truststore for use with NIST MESA testing.

> Thanks,
> -Matt
Re: Connectathon ATNA Certificates for OHF users [message #583649 is a reply to message #37836] Thu, 06 December 2007 02:27 Go to previous message
Takeo Satomi is currently offline Takeo SatomiFriend
Messages: 32
Registered: July 2009
Member
Hello everyone,

Since the NIST's server for 2007 pre-connectathon has gone now and I will
not implement any registries, the new server (hcxw2k1.nist.gov) is a
single registry available for me. But I've never made a secured
connection successfully with it and always get the handshake error saying
"Error Sending SOAP
Message/norg.eclipse.ohf.ihe.common.ws.OHFSOAPException: Error Sending
SOAP Message [Caused by javax.net.ssl.SSLHandshakeException: Remote host
closed connection during handshake]"

I have some choices for keystore and truststore.

keystore:
1. Key created from test_sys_1.cert.pem and test_sys_1.key.pem contained
in MESA_TEST\runtime\certificates
2. Key craeted from mysystem.ihe.net.cert.pem and mysystem.ihe.net.key.pem
downloaded from http://ihe-kudu.wustl.edu/na2008/certificates.php
3. test_sys_1.2008.jks contained in conf/keystores directory of
org.eclipse.ohf.bridge.install_0.3.0.v20071203102303.zip

truststore:
A. A keystore into which test_sys_1.cert.pem mentioned above has been
imported
B. A keystore into which mysystem.ihe.net.cert.pem mentioned above has
been imported
C. mesatrusts.2008.jks contained in conf/keystores directory of
org.eclipse.ohf.bridge.install_0.3.0.v20071203102303.zip

I thought 2-C or 3-C would work but failed. What kind of combination is
correct? None of them could be?

And I make keystores as below. Am I doing right?

keystore:
> openssl.exe pkcs12 -export -out mykeystore.p12 -in my.cert.pem -inkey
my.key.pem
> java -cp "C:\Program Files\jetty-6.1.5\lib\jetty-6.1.5.jar"
org.mortbay.jetty.security.PKCS12Import mykeystore.p12 mykeystore.jks

truststore:
> keytool.exe -import -alias mesa -file my.cert.pem -keystore mytruststore.jks

Thanks in advance,
Takeo Satomi

Matthew Davis wrote:

> Hi All,

> If you are planning to use OHF to conduct ATNA mutual TLS authentication
> tests at Connectathon, you will need to generate a suitable keystore and
> truststore that can be read by a Java JVM. Based on the PEM output
> format of the keys that the Connectathon managers use, it is not a
> straightforward task to complete this.

> We will be happy to generate this keystore and provide a master
> truststore for all Connectathon users. If you need help in this task,
> please send me an email directly (mattadav@us.ibm.com) with a copy of
> your private key (systemXX.ihe.net.key.pem ) *AND* your public
> certificate (systemXX.ihe.net.cert.pem). To download these files,
> please see:
> http://ihe-kudu.wustl.edu/na2008/certificates.php?highlight= 6_6 DO NOT
> post these files to the newsgroup, as that will make the Connectathon
> managers very mad.

> Also, please do this in a timely manner. Please don't wait until the
> Friday before Connectathon to request a keystore and truststore :) You
> will need this same keystore/truststore for use with NIST MESA testing.

> Thanks,
> -Matt
Re: Connectathon ATNA Certificates for OHF users [message #583675 is a reply to message #38471] Thu, 06 December 2007 16:26 Go to previous message
Matthew DavisFriend
Messages: 269
Registered: July 2009
Senior Member
Hi Takeo,

Here's the general rundown:
- For the ATNA certificate tests (11141-11143) that require the MESA
software, you will use the test_sys_1.cert and the associated public
certificates that are distributed with the MESA software. The
keystore/truststore distributed with the OHF Bridge should contain that
the necessary certificates to handle that.

- For the NIST XDS TLS tests (11739-11743), it requires the Connectathon
certificate you downloaded from Kudu, converted to PKCS12 and imported
into a Java Keystore.

To place the Connectathon private keys in a keystore, it requires a
separate tool. The Java keytool is not sufficient. I do see that you
found a tool in Jetty that should work (we wrote a proprietary library
to do it a few years ago). Now, I'm not sure why this isn't working -
but it may be because you're not completing the truststore. The
truststore should contain the public certificates of all Connectathon
participants, not just your own (or, more specifically, you need to
trust the systems that you're testing with - in this case it's the NIST
certificate - nist1.ihe.net.cert.pem and nist2.ihe.net.cert.pem). Try
adding the NIST certificates into the truststore and try again. I can
also send you the necessary files to do this if you wish.

Thanks,
-Matt

Takeo Satomi wrote:
> Hello everyone,
>
> Since the NIST's server for 2007 pre-connectathon has gone now and I
> will not implement any registries, the new server (hcxw2k1.nist.gov) is
> a single registry available for me. But I've never made a secured
> connection successfully with it and always get the handshake error
> saying "Error Sending SOAP
> Message/norg.eclipse.ohf.ihe.common.ws.OHFSOAPException: Error Sending
> SOAP Message [Caused by javax.net.ssl.SSLHandshakeException: Remote
> host closed connection during handshake]"
>
> I have some choices for keystore and truststore.
>
> keystore:
> 1. Key created from test_sys_1.cert.pem and test_sys_1.key.pem contained
> in MESA_TEST\runtime\certificates
> 2. Key craeted from mysystem.ihe.net.cert.pem and mysystem.ihe.net.key.pem
> downloaded from http://ihe-kudu.wustl.edu/na2008/certificates.php
> 3. test_sys_1.2008.jks contained in conf/keystores directory of
> org.eclipse.ohf.bridge.install_0.3.0.v20071203102303.zip
>
> truststore:
> A. A keystore into which test_sys_1.cert.pem mentioned above has been
> imported
> B. A keystore into which mysystem.ihe.net.cert.pem mentioned above has
> been imported
> C. mesatrusts.2008.jks contained in conf/keystores directory of
> org.eclipse.ohf.bridge.install_0.3.0.v20071203102303.zip
>
> I thought 2-C or 3-C would work but failed. What kind of combination
> is correct? None of them could be?
>
> And I make keystores as below. Am I doing right?
>
> keystore:
>> openssl.exe pkcs12 -export -out mykeystore.p12 -in my.cert.pem -inkey
> my.key.pem
>> java -cp "C:\Program Files\jetty-6.1.5\lib\jetty-6.1.5.jar"
> org.mortbay.jetty.security.PKCS12Import mykeystore.p12 mykeystore.jks
>
> truststore:
>> keytool.exe -import -alias mesa -file my.cert.pem -keystore
>> mytruststore.jks
>
> Thanks in advance,
> Takeo Satomi
>
> Matthew Davis wrote:
>
>> Hi All,
>
>> If you are planning to use OHF to conduct ATNA mutual TLS
>> authentication tests at Connectathon, you will need to generate a
>> suitable keystore and truststore that can be read by a Java JVM.
>> Based on the PEM output format of the keys that the Connectathon
>> managers use, it is not a straightforward task to complete this.
>
>> We will be happy to generate this keystore and provide a master
>> truststore for all Connectathon users. If you need help in this task,
>> please send me an email directly (mattadav@us.ibm.com) with a copy of
>> your private key (systemXX.ihe.net.key.pem ) *AND* your public
>> certificate (systemXX.ihe.net.cert.pem). To download these files,
>> please see:
>> http://ihe-kudu.wustl.edu/na2008/certificates.php?highlight= 6_6 DO
>> NOT post these files to the newsgroup, as that will make the
>> Connectathon managers very mad.
>
>> Also, please do this in a timely manner. Please don't wait until the
>> Friday before Connectathon to request a keystore and truststore :)
>> You will need this same keystore/truststore for use with NIST MESA
>> testing.
>
>> Thanks,
>> -Matt
>
>
Re: Connectathon ATNA Certificates for OHF users [message #583722 is a reply to message #38471] Thu, 06 December 2007 18:49 Go to previous message
Jesse Pangburn is currently offline Jesse PangburnFriend
Messages: 166
Registered: July 2009
Senior Member
Hi Takeo,
I highly recommend you email your certificate and private key to Matt:
mattadavis at us dot ibm dot com, as he so kindly offered at the top of
this email chain. I did so and used the keystore/truststore he sent back
to me and have successfully connected to the new NIST reg/repo. This also
has the benefit of trusting all the certificates of the other IHE people
so when you take it to Connectathon and connect to the other reg/repo
systems, you won't have to fool around with your trust store again.

That's the easy way. If you want to do it the hard way, you're very close
already. However, instead of trusting your own certificate, you need to
trust the certificates of those systems to which you want to connect. As
Matt stated, you need to trust the nist certificates. Just as you
imported the mesa certificate into your truststore, so you need to import
the NIST certificates (there are two of them). But again, I highly
recommend going the other route and using the keystore/truststore Matt
generated- though this harder route is very educational about java
keystores/truststores and you're very close :-)

thanks,
Jesse

Takeo Satomi wrote:

> Hello everyone,

> Since the NIST's server for 2007 pre-connectathon has gone now and I will
> not implement any registries, the new server (hcxw2k1.nist.gov) is a
> single registry available for me. But I've never made a secured
> connection successfully with it and always get the handshake error saying
> "Error Sending SOAP
> Message/norg.eclipse.ohf.ihe.common.ws.OHFSOAPException: Error Sending
> SOAP Message [Caused by javax.net.ssl.SSLHandshakeException: Remote host
> closed connection during handshake]"

> I have some choices for keystore and truststore.

> keystore:
> 1. Key created from test_sys_1.cert.pem and test_sys_1.key.pem contained
> in MESA_TESTruntimecertificates
> 2. Key craeted from mysystem.ihe.net.cert.pem and mysystem.ihe.net.key.pem
> downloaded from http://ihe-kudu.wustl.edu/na2008/certificates.php
> 3. test_sys_1.2008.jks contained in conf/keystores directory of
> org.eclipse.ohf.bridge.install_0.3.0.v20071203102303.zip

> truststore:
> A. A keystore into which test_sys_1.cert.pem mentioned above has been
> imported
> B. A keystore into which mysystem.ihe.net.cert.pem mentioned above has
> been imported
> C. mesatrusts.2008.jks contained in conf/keystores directory of
> org.eclipse.ohf.bridge.install_0.3.0.v20071203102303.zip

> I thought 2-C or 3-C would work but failed. What kind of combination is
> correct? None of them could be?

> And I make keystores as below. Am I doing right?

> keystore:
>> openssl.exe pkcs12 -export -out mykeystore.p12 -in my.cert.pem -inkey
> my.key.pem
>> java -cp "C:Program Filesjetty-6.1.5libjetty-6.1.5.jar"
> org.mortbay.jetty.security.PKCS12Import mykeystore.p12 mykeystore.jks

> truststore:
>> keytool.exe -import -alias mesa -file my.cert.pem -keystore mytruststore.jks

> Thanks in advance,
> Takeo Satomi

> Matthew Davis wrote:

>> Hi All,

>> If you are planning to use OHF to conduct ATNA mutual TLS authentication
>> tests at Connectathon, you will need to generate a suitable keystore and
>> truststore that can be read by a Java JVM. Based on the PEM output
>> format of the keys that the Connectathon managers use, it is not a
>> straightforward task to complete this.

>> We will be happy to generate this keystore and provide a master
>> truststore for all Connectathon users. If you need help in this task,
>> please send me an email directly (mattadav@us.ibm.com) with a copy of
>> your private key (systemXX.ihe.net.key.pem ) *AND* your public
>> certificate (systemXX.ihe.net.cert.pem). To download these files,
>> please see:
>> http://ihe-kudu.wustl.edu/na2008/certificates.php?highlight= 6_6 DO NOT
>> post these files to the newsgroup, as that will make the Connectathon
>> managers very mad.

>> Also, please do this in a timely manner. Please don't wait until the
>> Friday before Connectathon to request a keystore and truststore :) You
>> will need this same keystore/truststore for use with NIST MESA testing.

>> Thanks,
>> -Matt
Re: Connectathon ATNA Certificates for OHF users [message #583728 is a reply to message #38635] Fri, 07 December 2007 02:38 Go to previous message
Takeo Satomi is currently offline Takeo SatomiFriend
Messages: 32
Registered: July 2009
Member
Matte, Jesse, thanks a lot for your help. I didn't notice nist1/2
certificates are available at
http://ihe-kudu.wustl.edu/na2008/certificates.php so I thought the nist
servers also use the test_sys_1 certificate.

Unfortunately I can't make it yet, even after importing nist1/2
certificates into my truststore. My guess is the keystore, not the
truststore, has something wrong because the connection is closed by the
remote server according to the error message, which seems to me that the
key/certificate assigned to my system is not valid.

I wanted to go it the "hard" way so that I could shoot any connection
trouble that would happen at Connectathon, but it looks it's too hard for
me now. Anyway I'll follow Jesse's advice and ask Matt to make keystores
later (I guess the truststore is common for all participants since it just
has to have all certificates issued for Connectathon, is that true?)

Thanks again,
Takeo Satomi

Jesse Pangburn wrote:

> Hi Takeo,
> I highly recommend you email your certificate and private key to Matt:
> mattadavis at us dot ibm dot com, as he so kindly offered at the top of
> this email chain. I did so and used the keystore/truststore he sent back
> to me and have successfully connected to the new NIST reg/repo. This also
> has the benefit of trusting all the certificates of the other IHE people
> so when you take it to Connectathon and connect to the other reg/repo
> systems, you won't have to fool around with your trust store again.

> That's the easy way. If you want to do it the hard way, you're very close
> already. However, instead of trusting your own certificate, you need to
> trust the certificates of those systems to which you want to connect. As
> Matt stated, you need to trust the nist certificates. Just as you
> imported the mesa certificate into your truststore, so you need to import
> the NIST certificates (there are two of them). But again, I highly
> recommend going the other route and using the keystore/truststore Matt
> generated- though this harder route is very educational about java
> keystores/truststores and you're very close :-)

> thanks,
> Jesse

> Takeo Satomi wrote:

>> Hello everyone,

>> Since the NIST's server for 2007 pre-connectathon has gone now and I will
>> not implement any registries, the new server (hcxw2k1.nist.gov) is a
>> single registry available for me. But I've never made a secured
>> connection successfully with it and always get the handshake error saying
>> "Error Sending SOAP
>> Message/norg.eclipse.ohf.ihe.common.ws.OHFSOAPException: Error Sending
>> SOAP Message [Caused by javax.net.ssl.SSLHandshakeException: Remote host
>> closed connection during handshake]"

>> I have some choices for keystore and truststore.

>> keystore:
>> 1. Key created from test_sys_1.cert.pem and test_sys_1.key.pem contained
>> in MESA_TESTruntimecertificates
>> 2. Key craeted from mysystem.ihe.net.cert.pem and mysystem.ihe.net.key.pem
>> downloaded from http://ihe-kudu.wustl.edu/na2008/certificates.php
>> 3. test_sys_1.2008.jks contained in conf/keystores directory of
>> org.eclipse.ohf.bridge.install_0.3.0.v20071203102303.zip

>> truststore:
>> A. A keystore into which test_sys_1.cert.pem mentioned above has been
>> imported
>> B. A keystore into which mysystem.ihe.net.cert.pem mentioned above has
>> been imported
>> C. mesatrusts.2008.jks contained in conf/keystores directory of
>> org.eclipse.ohf.bridge.install_0.3.0.v20071203102303.zip

>> I thought 2-C or 3-C would work but failed. What kind of combination is
>> correct? None of them could be?

>> And I make keystores as below. Am I doing right?

>> keystore:
>>> openssl.exe pkcs12 -export -out mykeystore.p12 -in my.cert.pem -inkey
>> my.key.pem
>>> java -cp "C:Program Filesjetty-6.1.5libjetty-6.1.5.jar"
>> org.mortbay.jetty.security.PKCS12Import mykeystore.p12 mykeystore.jks

>> truststore:
>>> keytool.exe -import -alias mesa -file my.cert.pem -keystore
mytruststore.jks

>> Thanks in advance,
>> Takeo Satomi

>> Matthew Davis wrote:

>>> Hi All,

>>> If you are planning to use OHF to conduct ATNA mutual TLS authentication
>>> tests at Connectathon, you will need to generate a suitable keystore and
>>> truststore that can be read by a Java JVM. Based on the PEM output
>>> format of the keys that the Connectathon managers use, it is not a
>>> straightforward task to complete this.

>>> We will be happy to generate this keystore and provide a master
>>> truststore for all Connectathon users. If you need help in this task,
>>> please send me an email directly (mattadav@us.ibm.com) with a copy of
>>> your private key (systemXX.ihe.net.key.pem ) *AND* your public
>>> certificate (systemXX.ihe.net.cert.pem). To download these files,
>>> please see:
>>> http://ihe-kudu.wustl.edu/na2008/certificates.php?highlight= 6_6 DO NOT
>>> post these files to the newsgroup, as that will make the Connectathon
>>> managers very mad.

>>> Also, please do this in a timely manner. Please don't wait until the
>>> Friday before Connectathon to request a keystore and truststore :) You
>>> will need this same keystore/truststore for use with NIST MESA testing.

>>> Thanks,
>>> -Matt
Re: Connectathon ATNA Certificates for OHF users [message #583746 is a reply to message #38676] Fri, 07 December 2007 17:26 Go to previous message
Matthew DavisFriend
Messages: 269
Registered: July 2009
Senior Member
Hi Everyone,

I'm working to get our library open sourced. Unfortunately the group
working on OHF doesn't "own" the code, so it'll likely have to go
through some vetting. I'm really surprised that the Jetty tool doesn't
work as expected. I'm going to download it later today and compare the
stores generated to see if I can pinpoint the problem.

Thanks,
-Matt


Takeo Satomi wrote:
> Matte, Jesse, thanks a lot for your help. I didn't notice nist1/2
> certificates are available at
> http://ihe-kudu.wustl.edu/na2008/certificates.php so I thought the nist
> servers also use the test_sys_1 certificate.
>
> Unfortunately I can't make it yet, even after importing nist1/2
> certificates into my truststore. My guess is the keystore, not the
> truststore, has something wrong because the connection is closed by the
> remote server according to the error message, which seems to me that the
> key/certificate assigned to my system is not valid.
>
> I wanted to go it the "hard" way so that I could shoot any connection
> trouble that would happen at Connectathon, but it looks it's too hard
> for me now. Anyway I'll follow Jesse's advice and ask Matt to make
> keystores later (I guess the truststore is common for all participants
> since it just has to have all certificates issued for Connectathon, is
> that true?)
>
> Thanks again,
> Takeo Satomi
>
> Jesse Pangburn wrote:
>
>> Hi Takeo,
>> I highly recommend you email your certificate and private key to Matt:
>> mattadavis at us dot ibm dot com, as he so kindly offered at the top
>> of this email chain. I did so and used the keystore/truststore he
>> sent back to me and have successfully connected to the new NIST
>> reg/repo. This also has the benefit of trusting all the certificates
>> of the other IHE people so when you take it to Connectathon and
>> connect to the other reg/repo systems, you won't have to fool around
>> with your trust store again.
>
>> That's the easy way. If you want to do it the hard way, you're very
>> close already. However, instead of trusting your own certificate, you
>> need to trust the certificates of those systems to which you want to
>> connect. As Matt stated, you need to trust the nist certificates.
>> Just as you imported the mesa certificate into your truststore, so you
>> need to import the NIST certificates (there are two of them). But
>> again, I highly recommend going the other route and using the
>> keystore/truststore Matt generated- though this harder route is very
>> educational about java keystores/truststores and you're very close :-)
>
>> thanks,
>> Jesse
>
>> Takeo Satomi wrote:
>
>>> Hello everyone,
>
>>> Since the NIST's server for 2007 pre-connectathon has gone now and I
>>> will not implement any registries, the new server (hcxw2k1.nist.gov)
>>> is a single registry available for me. But I've never made a
>>> secured connection successfully with it and always get the handshake
>>> error saying "Error Sending SOAP
>>> Message/norg.eclipse.ohf.ihe.common.ws.OHFSOAPException: Error
>>> Sending SOAP Message [Caused by javax.net.ssl.SSLHandshakeException:
>>> Remote host closed connection during handshake]"
>
>>> I have some choices for keystore and truststore.
>
>>> keystore:
>>> 1. Key created from test_sys_1.cert.pem and test_sys_1.key.pem
>>> contained in MESA_TESTruntimecertificates
>>> 2. Key craeted from mysystem.ihe.net.cert.pem and
>>> mysystem.ihe.net.key.pem
>>> downloaded from http://ihe-kudu.wustl.edu/na2008/certificates.php
>>> 3. test_sys_1.2008.jks contained in conf/keystores directory of
>>> org.eclipse.ohf.bridge.install_0.3.0.v20071203102303.zip
>
>>> truststore:
>>> A. A keystore into which test_sys_1.cert.pem mentioned above has been
>>> imported
>>> B. A keystore into which mysystem.ihe.net.cert.pem mentioned above
>>> has been imported
>>> C. mesatrusts.2008.jks contained in conf/keystores directory of
>>> org.eclipse.ohf.bridge.install_0.3.0.v20071203102303.zip
>
>>> I thought 2-C or 3-C would work but failed. What kind of
>>> combination is correct? None of them could be?
>
>>> And I make keystores as below. Am I doing right?
>
>>> keystore:
>>>> openssl.exe pkcs12 -export -out mykeystore.p12 -in my.cert.pem -inkey
>>> my.key.pem
>>>> java -cp "C:Program Filesjetty-6.1.5libjetty-6.1.5.jar"
>>> org.mortbay.jetty.security.PKCS12Import mykeystore.p12 mykeystore.jks
>
>>> truststore:
>>>> keytool.exe -import -alias mesa -file my.cert.pem -keystore
> mytruststore.jks
>
>>> Thanks in advance,
>>> Takeo Satomi
>
>>> Matthew Davis wrote:
>
>>>> Hi All,
>
>>>> If you are planning to use OHF to conduct ATNA mutual TLS
>>>> authentication tests at Connectathon, you will need to generate a
>>>> suitable keystore and truststore that can be read by a Java JVM.
>>>> Based on the PEM output format of the keys that the Connectathon
>>>> managers use, it is not a straightforward task to complete this.
>
>>>> We will be happy to generate this keystore and provide a master
>>>> truststore for all Connectathon users. If you need help in this
>>>> task, please send me an email directly (mattadav@us.ibm.com) with a
>>>> copy of your private key (systemXX.ihe.net.key.pem ) *AND* your
>>>> public certificate (systemXX.ihe.net.cert.pem). To download these
>>>> files, please see:
>>>> http://ihe-kudu.wustl.edu/na2008/certificates.php?highlight= 6_6 DO
>>>> NOT post these files to the newsgroup, as that will make the
>>>> Connectathon managers very mad.
>
>>>> Also, please do this in a timely manner. Please don't wait until
>>>> the Friday before Connectathon to request a keystore and truststore
>>>> :) You will need this same keystore/truststore for use with NIST
>>>> MESA testing.
>
>>>> Thanks,
>>>> -Matt
>
>
Previous Topic:XUA use at Connectathon
Next Topic:authorPerson metadata not in XCN format
Goto Forum:
  


Current Time: Mon Dec 22 18:43:49 GMT 2014

Powered by FUDForum. Page generated in 0.16514 seconds
.:: Contact :: Home ::.

Powered by: FUDforum 3.0.2.
Copyright ©2001-2010 FUDforum Bulletin Board Software