Spark and PKI Authentication - does anybody actually have it working?

I have spent significant time reading support posts and massive amounts of time Googling. I have Openfire 3.8.1 running, using PKI authentication, and it works. I can only make it work using other clients, however. I would like to get it working with Spark.

For instance, using Swift, I am able to authenticate and sign-in using a client certificate. Works great, I’ve confirmed with SSLDump and Wireshark that it’s actually doing client authentication. Openfire is using a CRL, and certificate chaining and trust all works great. It took a long time to get here, but I’m here. I even have 2 Openfire servers in a HazelCast cluster working with this. woohoo!

Now onto Spark…

I have Spark installed on CentOS 6.4 x64, it works fine, other than the PKI authentication issue. I also have Spark installed on my Windows 7 desktop PC, again works fine other than the PKI authentication.

On the CentOS box, when I run Spark from a terminal window, the output in the background gives me an error:

java.security.UnrecoverableKeyException: Cannot recover key
    at sun.security.provider.KeyProtector.recover(Unknown Source)
    at sun.security.provider.JavaKeyStore.engineGetKey(Unknown Source)
    at sun.security.provider.JavaKeyStore$JKS.engineGetKey(Unknown Source)
    at java.security.KeyStore.getKey(Unknown Source)
    at com.sun.net.ssl.internal.ssl.SunX509KeyManagerImpl.<init>(Unknown Source)
    at com.sun.net.ssl.internal.ssl.KeyManagerFactoryImpl$SunX509.engineInit(Unknown Source)
    at javax.net.ssl.KeyManagerFactory.init(Unknown Source)
    at org.jivesoftware.smack.XMPPConnection.proceedTLSReceived(XMPPConnection.java:784)
    at org.jivesoftware.smack.PacketReader.parsePackets(PacketReader.java:267)
    at org.jivesoftware.smack.PacketReader.access$000(PacketReader.java:43)
    at org.jivesoftware.smack.PacketReader$1.run(PacketReader.java:70)

This is in line with what SSLdump and Wireshark are showing me, and with the debug log from Openfire. It seems Spark is having issues accessing the client certificate/key. I have Spark configured using the Java Keystore PKI method, and I have a proper and good truststore in place and specified in the configuration. The password I'm entering on the login screen is the password to the keystore file, which I've verified works using keytool.

I have also tried PKCS#11 PKI method, using a PFX file, and I get a similar error.

Is there any further debugging I can do on this? Does this functionality work in Spark? Any tips?
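A diagnostic worth running against the keystore Spark is configured with, added here as example code (not Spark's or Smack's own): it repeats the KeyStore.load followed by KeyManagerFactory.init with the same password that the trace above shows, and reports per alias whether the private key can be recovered with the store password. The keystore path and password are taken from the command line; the class and output strings are my own.

```java
import java.io.FileInputStream;
import java.io.InputStream;
import java.security.Key;
import java.security.KeyStore;
import java.security.UnrecoverableKeyException;
import java.util.Enumeration;
import javax.net.ssl.KeyManagerFactory;

// Added diagnostic, not Spark or Smack code: repeats the steps the stack trace shows
// (load keystore, then KeyManagerFactory.init with the same password) and names the
// alias whose private key cannot be recovered with that password.
public class KeystoreKeyCheck {
    public static void main(String[] args) throws Exception {
        if (args.length != 2) {
            System.err.println("usage: java KeystoreKeyCheck <keystore.jks> <store-password>");
            System.exit(2);
        }
        String path = args[0];                     // the keystore configured in Spark
        char[] storePass = args[1].toCharArray();  // the password typed on the login screen
        KeyStore ks = KeyStore.getInstance("JKS"); // use "PKCS12" for a .pfx file
        try (InputStream in = new FileInputStream(path)) {
            // A wrong *store* password fails here ("password was incorrect"), so a
            // later "Cannot recover key" points at a *key* password instead.
            ks.load(in, storePass);
        }
        // Probe each entry so the offending alias is named rather than just "a key".
        for (Enumeration<String> e = ks.aliases(); e.hasMoreElements();) {
            String alias = e.nextElement();
            if (!ks.isKeyEntry(alias)) {
                System.out.println(alias + ": certificate-only entry, no private key");
                continue;
            }
            try {
                Key k = ks.getKey(alias, storePass);
                System.out.println(alias + ": private key recoverable (" + k.getAlgorithm() + ")");
            } catch (UnrecoverableKeyException ex) {
                System.out.println(alias + ": key password differs from store password");
            }
        }
        // Same path as the trace: KeyManagerFactory.init -> SunX509KeyManagerImpl.<init>
        // -> KeyStore.getKey(alias, storePass) for every key entry.
        KeyManagerFactory kmf = KeyManagerFactory.getInstance("SunX509");
        try {
            kmf.init(ks, storePass);
            System.out.println("KeyManagerFactory initialised; keystore usable for client auth");
        } catch (UnrecoverableKeyException ex) {
            System.out.println("KeyManagerFactory.init failed: " + ex.getMessage());
        }
    }
}
```

In the JDK's JKS implementation each private key is protected by its own password, and KeyManagerFactory.init recovers every key entry with the single password it is given, so an entry whose key password differs from the store password produces exactly this exception even though keytool opens the file fine. `keytool -keypasswd -alias <alias> -keystore <file>` changes a key entry's password so it matches the store password.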