Different SSL client certificates for same webservice
Hi all, I have the following challenge and would appreciate your thoughts.

For one of our customers, we need to invoke a webservice which provides sensitive information. As such, it is secured using mutually authenticated SSL. However, the application we're developing is used in a SaaS scenario, which requires each group of users to use a specific client certificate (for auditing purposes).

Question 1: How would I go about using a different client certificate for each group of users?

Question 2: I haven't managed to get my local Mendix development to play nice with the client SSL certificate and the webservice. Does Mendix actually support this?

UPDATE 1: I've found this discussion to be similar: http://stackoverflow.com/questions/3712366/choosing-ssl-client-certificate-in-java However, in Mendix I don't have access to the Webservice stack...

UPDATE 2 - SOLVED!: I've been able to develop a solution to my problem, consisting of 3 parts:

1. A custom javax.net.ssl.X509KeyManager wrapper implementation, which supports selecting a specific client certificate.
2. A Mendix Java action that initializes the X509KeyManager wrapper and copies PrivateKeyEntries (client certificates) from 1 or more customer-specific PKCS12 files to the Mendix keystore.
3. A simple Mendix Java action that selects the correct client certificate prior to invoking the Webservice.

The whole solution is thread-safe, i.e. allows concurrent use of any Webservice with different client certificates.

If you're interested in this solution, contact me at: jvalteren/AT/flowfabric/DOT/com :-)
Jonathan van Alteren
I've answered my own question, see UPDATE 2 - SOLVED! in the question.
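A sketch of what the first and third parts of such a solution could look like, added here as an example and not the poster's code. The class name `AliasSelectingKeyManager`, the `withAlias` helper and the use of a `ThreadLocal` to carry the selection are assumptions; the delegate is taken to be the key manager built from the keystore that holds every group's entry.

```java
import java.net.Socket;
import java.security.Principal;
import java.security.PrivateKey;
import java.security.cert.X509Certificate;
import java.util.Arrays;
import java.util.concurrent.Callable;
import javax.net.ssl.SSLEngine;
import javax.net.ssl.X509ExtendedKeyManager;
import javax.net.ssl.X509KeyManager;

/** Hypothetical wrapper: pins the client certificate alias per calling thread. */
public final class AliasSelectingKeyManager extends X509ExtendedKeyManager {
    private static final ThreadLocal<String> ALIAS = new ThreadLocal<>();
    private final X509KeyManager delegate; // key manager over the shared keystore (assumed)

    public AliasSelectingKeyManager(X509KeyManager delegate) { this.delegate = delegate; }

    /** Runs one outbound call with the given alias and always clears it afterwards,
     *  so a pooled thread never carries one group's selection into the next request. */
    public static <T> T withAlias(String alias, Callable<T> call) throws Exception {
        ALIAS.set(alias);
        try { return call.call(); } finally { ALIAS.remove(); }
    }

    // Fail closed: with no alias selected, or an alias that has no key of a requested
    // type from an accepted issuer, offer no certificate at all rather than letting
    // the delegate pick another group's entry.
    private String select(String[] keyTypes, Principal[] issuers) {
        String alias = ALIAS.get();
        if (alias == null) return null;
        for (String type : keyTypes) {
            String[] candidates = delegate.getClientAliases(type, issuers);
            if (candidates != null && Arrays.asList(candidates).contains(alias)) return alias;
        }
        return null;
    }

    @Override public String chooseClientAlias(String[] t, Principal[] i, Socket s) { return select(t, i); }
    @Override public String chooseEngineClientAlias(String[] t, Principal[] i, SSLEngine e) { return select(t, i); }
    @Override public String[] getClientAliases(String t, Principal[] i) { return delegate.getClientAliases(t, i); }
    @Override public X509Certificate[] getCertificateChain(String a) { return delegate.getCertificateChain(a); }
    @Override public PrivateKey getPrivateKey(String a) { return delegate.getPrivateKey(a); }
    // Server-side methods pass straight through; this wrapper only affects client auth.
    @Override public String chooseServerAlias(String t, Principal[] i, Socket s) { return delegate.chooseServerAlias(t, i, s); }
    @Override public String[] getServerAliases(String t, Principal[] i) { return delegate.getServerAliases(t, i); }
}
```

The alias callback only runs during a full handshake, so HTTP keep-alive connections and resumed TLS sessions keep the identity they were first authenticated with. For the audit trail to hold, connections to the webservice must not be shared across user groups.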