000026125 - How to connect RSA BSAFE SSL-J and SSL-C sample programs

Document created by RSA Customer Support Employee on Jun 16, 2016. Last modified by RSA Customer Support Employee on Apr 21, 2017.
Version 3

Article Content

Article Number: 000026125
Issue: How to connect RSA BSAFE SSL-J and SSL-C sample programs
The RSA BSAFE SSL-C toolkit provides simple example programs (with source code) called 'server' and 'client'. They demonstrate how to set up both ends of the connection and transfer some data. The SSL-J toolkit provides similar examples as 'SSLClient' and 'SSLServer'.
When connecting to the SSL-C 'server' program from the RSA BSAFE SSL-J 'SSLClient' program, you get the error:

[SSLClient]  Creating SSLSocket.
[SSLClient]  Caught an exception.
com.rsa.ssl.AlertedException: Certificate unknown
       at com.rsa.ssl.common.ClientProtocol.sendHello(ClientProtocol.java:261)
       at com.rsa.ssl.SSLSocket.startHandshake(SSLSocket.java:403)
       at com.rsa.ssl.SSLSocket.getInputStream(SSLSocket.java:192)
       at SSLClient.go(SSLClient.java:153)
       at SSLClient.main(SSLClient.java:88)
Cause: The Root CA certificate that signed the server certificate used by the RSA BSAFE SSL-C 'server' program was not loaded by the SSL-J client. The SSL-C 'client' program works because it is configured not to perform certificate verification, so its SSL handshake succeeds. The SSL-C 'server' program uses a data file called 'server.pem'; however, the Root CA certificate for the SSL-C example is not present.
Resolution: The programmer should provide their own data for this system to work. At a minimum, three data items are needed:

1. A Root CA certificate

2. A private key for the server

3. A certificate for the server signed by the Root CA

On the SSL-C 'server' end, the three items are stored as Base64 (B64) encoded items in the 'server.pem' file. At the SSL-J 'SSLClient' end, the Root CA certificate is stored in DER format in the 'certs' directory. Note also that the 'AppletCode' class needs to be modified to include the name of this additional certificate.
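
One way to produce the three items and lay them out for both ends, as an added example that is not part of the original article or of either toolkit. It assumes the OpenSSL command-line tool is installed; every file name other than 'server.pem' and the 'certs' directory, the subject names, and the order of the items inside 'server.pem' are assumptions. The 'AppletCode' change still has to be made by hand.

```sh
#!/bin/sh
# Added example: builds a constructed test PKI for the sample programs.
# File names other than server.pem and certs/ are assumptions.

# make_demo_pki DIR: create the three items and lay them out for both toolkits.
make_demo_pki() (
  set -e
  mkdir -p "$1/certs" && cd "$1"
  # 1. Root CA certificate (self-signed) and its signing key
  openssl req -x509 -newkey rsa:2048 -nodes -sha256 -days 30 \
    -subj "/CN=Constructed Test Root CA" -keyout ca.key -out ca.pem 2>/dev/null
  # 2. Private key for the server, plus a certificate signing request
  openssl req -new -newkey rsa:2048 -nodes -subj "/CN=localhost" \
    -keyout server.key -out server.csr 2>/dev/null
  # 3. Server certificate signed by the Root CA
  openssl x509 -req -in server.csr -CA ca.pem -CAkey ca.key -set_serial 1 \
    -sha256 -days 30 -out server.crt 2>/dev/null
  # SSL-C side: all three items, Base64 (PEM) encoded, in one file.
  # The order of the items is an assumption.
  cat server.crt server.key ca.pem > server.pem
  # SSL-J side: Root CA certificate in DER format in the certs directory.
  openssl x509 -in ca.pem -outform DER -out certs/rootca.der
)

# count_pem_items FILE: print the number of PEM-encoded items in FILE.
count_pem_items() { grep -c -- '-----BEGIN ' "$1"; }

# verify_with_der_root ROOT_DER CERT_PEM: succeed only if CERT_PEM was
# signed by the Root CA stored in DER form in ROOT_DER.
verify_with_der_root() (
  pem=$(mktemp) || exit 1
  rc=1
  if openssl x509 -inform DER -in "$1" -out "$pem" 2>/dev/null &&
     openssl verify -CAfile "$pem" "$2" >/dev/null 2>&1; then rc=0; fi
  rm -f "$pem"
  exit "$rc"
)

# Stand-alone use: sh make_demo_pki.sh /tmp/demo-pki
if [ -n "${1:-}" ]; then
  make_demo_pki "$1" &&
    verify_with_der_root "$1/certs/rootca.der" "$1/server.crt" &&
    echo "server.crt verifies against certs/rootca.der"
fi
```

A verification failure here is the same condition the SSL-J client reports as "Certificate unknown": the server certificate does not chain to a Root CA the client has loaded.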

See also: How to convert between PEM and DER format certificate files.
Legacy Article ID: a386