AnsweredAssumed Answered

Anyone have experience testing client auth with SOAPUI?

Question asked by StPaulPete on Jun 14, 2016
Latest reply on Jun 30, 2016 by StPaulPete


I'm trying to test a part of the OTK Toolkit that uses the standard 'Require SSL/TLS with Client Authentication'.  I can't seem to get SOAPUI to provide the client certificate.

 

SOAPUI apparently doesn't pick up a certificate from the system it's running on, my Windows laptop in this case, and getting a cert there can be a challenge in itself.  Here is the configuration I have applied.

 

I needed a certificate so rather than deal with all the command line complexity of openssl and such I used the API Gateway's 'Manage Private Keys' task to generate one (myuserid.mmm.com) for my user id, specifying it could be used to sign other certs.  As self signed is quite acceptable for my purpose I did not generate a CSR and send it to a CA.  I then exported this cert to a file, which the gateway does in PKCS12 format (myuserid.p12), exactly as I should need.  Note the only purpose for doing this with the gateway tasks was convenience. 

 

I then used the 'Manage Certificates Task' to add this certificate to the gateway store (let's say as myuserid.mmm.com and assigned it the 'Sign Client Certificates' attribute under options.  This should cause it to be included in the list, sent to a connecting client, of certificates the gateway is willing to accept in response to its client authentication request.  With that, the gateway should be adequately configured.

 

I then took the PKCS12 file (myuserid.p12) and used Java 1.8's keytool utility to generate a certificate store file (myuserid.jks).

 

keytool -importkeystore -deststorepass myuserpw -destkeypass myuserpw -destkeystore myuserid.jks -srckeystore myuserid.p12 -srcstoretype PKCS12 -srcstorepass myuserpw

 

In SOAPUI I have a project with a request to https://gatewaynam.mmm.com:8443//oauth/tokenstore/get.  In SOAPUI, under File - Preferences - SSL Settings - KeyStore I specified the location of the myuserid.jks file and assigned the password.  In the 'Request Parameters' of the project I was now able to see myuserid.jks in the drop down of the 'SSL Keystore' property, and selected it.  When I start SOAPUI (version 5.2.1) it looks like the keystore initializes. 

 

In the SOAPUI log I see "Tue Jun 14 08:31:14 CDT 2016:INFO:Initializing KeyStore".

 

And when I submit the request it looks like is accesses it:

 

Tue Jun 14 08:45:27 CDT 2016:INFO:Initializing Keystore from [X:\Software\Certificates and Signing Requests\3m\myuserid.jks]

Tue Jun 14 08:45:27 CDT 2016:DEBUG:Attempt 1 to execute request

Tue Jun 14 08:45:27 CDT 2016:DEBUG:Sending request: GET /oauth/tokenstore/get HTTP/1.1

Tue Jun 14 08:45:27 CDT 2016:DEBUG:Receiving response: HTTP/1.1 403 Forbidden

 

At the gateway we see the classic failure saying no client cert was provided.

 

20160614 08:45:27.843INFO4113No Client Certificate was present in the request.

 

Does anyone have any idea what I have to do to get SOAPUI to send the client certificate?

 

 

Outcomes