Troubleshooting Client Authentication with Java
Regarding the following errors:
"Status acknowledgement failed: FAIL Invalid command"
or
"Message Sending Failed. Authentication failed: FAIL Client certificate expected but not present."
or
"Error: Authentication failed: FAIL Client certificate expected but not present."
The errors above occur when the client certificate is not presented correctly by your software. Please ensure the keystore has been loaded correctly.
The keystore file contains your private key and client authentication certificate, and the trustStore file contains the EMR Direct trust anchor. It is possible to use the same file for both purposes, though this is not required. Either way, the system treats them as two things that need to be registered separately.
When any of the above errors is encountered, the phiMail connector class does not know about the keystore file containing your private key and client authentication certificate.
There are two ways to register the keystore with the connector.
1. Use the system-wide properties. For example, if you're using our sample code, after
System.setProperty("javax.net.ssl.trustStore", "/path/to/my/truststore");
System.setProperty("javax.net.ssl.trustStorePassword", "mySecretTruststorePwd");
add the following:
System.setProperty("javax.net.ssl.keyStore", "/path/to/my/keystore");
System.setProperty("javax.net.ssl.keyStorePassword", "mySecretKeystorePwd");
Note that this should point to the keystore .jks file that you created while following the CSR generation instructions from EMR Direct. These methods need to be called once before you open any SSL connections, as once the first connection is opened, subsequent calls to set these properties will be ignored.
To be sure your system does not ignore the system-wide properties:
- Be certain the keystore file is readable by your application (with respect to permissions, path to file location, etc.)
- Confirm the correct keystore password is being used
- Confirm the correct key password is being used; the key inside the keystore may have a different password than the keystore itself (however, this should not occur if the documentation from EMR Direct was followed carefully)
- Confirm the keystore file was properly constructed (see below)
- Confirm your system is opening an SSLSocket after the System.setProperty(...) call is reached.
Please note that all of the above conditions can occur without throwing any exceptions or warnings. A custom SSLContext will only solve the last of these issues.
2. Alternatively, if system-wide properties cannot be used in your application, you can construct a custom SSLContext referencing your keystore and trustStore and register that with the connector using the static method:
PhiMailConnector.setSSLContext(myCustomSSLContext);
This also needs to be called only once before opening your connection.
When you use one .jks file for both purposes (keystore and trustStore), you still have to make separate trustStore and keystore configuration calls. The JVM will treat them as if they were two different files and use different parts of the file for each context.
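One way to build the custom SSLContext described in option 2, as an added example that is not EMR Direct's sample code. Loading the files explicitly turns a bad path, a wrong keystore or key password, or a keystore with no private key into an exception instead of a silent failure. The class name, the environment variable names and the argument order are assumptions; the PhiMailConnector call is left as a comment because its package is not given on this page.

```java
import java.io.FileInputStream;
import java.io.InputStream;
import java.security.KeyStore;
import java.util.Collections;
import javax.net.ssl.KeyManagerFactory;
import javax.net.ssl.SSLContext;
import javax.net.ssl.TrustManagerFactory;

public class ClientAuthContext {
    // A wrong path, unreadable file or wrong store password fails here with an exception.
    static KeyStore load(String path, char[] storePwd) throws Exception {
        KeyStore ks = KeyStore.getInstance("JKS");
        try (InputStream in = new FileInputStream(path)) {
            ks.load(in, storePwd);
        }
        return ks;
    }

    static SSLContext build(String keyPath, char[] keyStorePwd, char[] keyPwd,
                            String trustPath, char[] trustPwd) throws Exception {
        KeyStore keys = load(keyPath, keyStorePwd);
        // A store holding only certificates loads fine but has nothing to present.
        boolean hasKey = false;
        for (String alias : Collections.list(keys.aliases())) {
            hasKey |= keys.isKeyEntry(alias);
        }
        if (!hasKey) throw new IllegalStateException("No private key entry in " + keyPath);
        // init() throws UnrecoverableKeyException if the key password is wrong.
        KeyManagerFactory kmf =
            KeyManagerFactory.getInstance(KeyManagerFactory.getDefaultAlgorithm());
        kmf.init(keys, keyPwd);
        // Trust material is configured separately, even when trustPath equals keyPath.
        TrustManagerFactory tmf =
            TrustManagerFactory.getInstance(TrustManagerFactory.getDefaultAlgorithm());
        tmf.init(load(trustPath, trustPwd));
        SSLContext ctx = SSLContext.getInstance("TLS");
        ctx.init(kmf.getKeyManagers(), tmf.getTrustManagers(), null);
        return ctx;
    }

    public static void main(String[] args) throws Exception {
        // Assumed usage: args = keystore path, truststore path; passwords from env vars.
        SSLContext ctx = build(args[0], System.getenv("KS_PWD").toCharArray(),
            System.getenv("KEY_PWD").toCharArray(), args[1], System.getenv("TS_PWD").toCharArray());
        // Register once, before the first connection (call shown on this page):
        // PhiMailConnector.setSSLContext(ctx);
        System.out.println("SSLContext ready: " + ctx.getProtocol());
    }
}
```

Reading the passwords from the environment keeps them out of source control, unlike the literal strings in the property examples above.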
See the topic on Client certificate troubleshooting for additional suggestions.