Can someone help to me to understand this error? Is is due to some configuration problem? Or is because the permissions are not properly set?
xyz#tatlo .globus]$ voms-proxy-init
Credentials couldn't be loaded
[/mnt/t3nfs01/data01/shome/xyz/.globus/userkey.pem,
/mnt/t3nfs01/data01/shome/xyz/.globus/usercert.pem]:
Can not load the PEM private key: java.io.IOException:
Can not load the PEM private key: no input data (empty source?)
No credentials found!
[xyz#tatlo .globus]$ ls
mycert.p12 usercert.pem userkey.pem
I hope you have configured VOMS server endpoints properly. Also, check if the credentials are in the correct directory.
They should generally go into $HOME/.globus directory. Certificates encoded in PKCS12 and PEM formats are correctly handled by the VOMS clients.
The default path for looking up PKCS12 credentials is:
$HOME/.globus/usercred.p12
Also, check the permissions set on the formats if not set accordingly.
Permissions on $HOME/.globus/usercred.p12 must be 600.
For PEM credentials the following paths are used:
$HOME/.globus/usercert.pem (certificate)
$HOME/.globus/userkey.pem (private key)
Permissions on the pem files must be:
644 for $HOME/.globus/usercert.pem
400 for $HOME/.globus/userkey.pem
In case both the PEM and PKCS12 formats are present, PEM takes precedence.
Refer link for more guidelines.
Related
I need help, first of all, in any of stackoverflow posts I can't found a correct answer.
I'm tring to set my Web application in tomcat server with SSL using Keytool and Certbot
First I used Certbot and generated the respectives .pem files (privkey.pem, fullchain.pem, etc).
After that I did this steps:
Add with OpenSSL my privkey.pem to JKS
My password is too simple "123456", impossible to forget. (I'm just trying)
After that I convert the pkcs12 to JKS with:
Finally Add the chain.pem to my Keystore. In this step I enter the password that I entered previously. And I get the meesage:
keytool error: java.io.IOException: Keystore was tampered with, or password was incorrect
If I edit my server.xml file in Tomcat server with connector 8443 and my keystore, when I start server I get the same error in catalina.out.
The password of your MyDSKeyStore.jks file is '-destkeypass', as a consequence of the way keytool parses the second commandline you used: -deststorepass should be followed be the password. In your case it is followed by -destkeypass.
Remark: Your question seems to be na XY problem: you want to configure a Tomcat SSL connector using certificates in PEM format, so you ask how to transform a PEM certificate into JKS. While the procedure you show is almost correct, it is useless on modern Tomcat's (cf. this answer): Tomcat supports PKCS12 files since version 5.5 at least and supports certificates in PEM format since version 8.5. There is no need to convert anything.
I am getting this error everytime I tried to generate my signed apk through Android Studio:
No key with alias 'Operator_keystore' found in keystore PATH/OrderOperator_keystore
Previously I successfully submitted builts with the same keystore. The problem arises when I move my whole project folder to another folder, also I invalidated the cache of android studio.
I am signing apk like this
Any help would be appreciated.
Open a terminal and run the following command:
keytool -list -v -keystore </path/to/your/keystore.jks>
After you enter the keystore password, it will display the list of certificates stored in that keystore, including the alias names, e.g.
Keystore type: jks
Keystore provider: SUN
Your keystore contains 1 entry
Alias name: androiddebugkey
Creation date: Nov 19, 2018
Entry type: PrivateKeyEntry
Certificate chain length: 1
Certificate[1]:
...
Look at the alias name displayed, and compare that with the value you put in the Key alias field in that Studio window.
Make sure you key store path is correct with the location of the new folder and also make sure you're entering the correct password for both key store and alias. If that doesn't work try changing
keystore PATH/OrderOperator_keystore
To
keystore PATH/
There shouldn't be any space between keystone Path also
you can use Gradle into signingReport and generate a hash key or sha1 key and also refresh the app level build.gradle file after submitting the form for keystore
I want to enable SSL for my spring boot application.
I generated a keystore with this command:
keytool -genkey -alias myapp -keyalg RSA -keystore tomcat.keystore
application.properties contains:
server.port = 8443
server.ssl.key-store = classpath:tomcat.keystore
server.ssl.key-store-password = ###
server.ssl.key-password = !&*
server.ssl.enabled=true
First I had created JKS key store with this command:
keytool -genkey -alias tomcat -keystore keystore.jks -validity 3650
But I received error when visited https://localhost:8443:
This site can’t provide a secure connection
localhost uses an unsupported protocol.
Why it's working now and not then ?
I have a few other questions:
1.I looked at a few tutorials and they all suggested to put the keystore file in src/main/resources. Is this really a good idea?
2.What is the key-store-password? what is the key-password?
3.Is this all we have to do to enable SSL ? what about crt and cer files? where are they used ?
About localhost uses an unsupported protocol. make sure the server is supporting a cipher which client can support.
This site can’t provide a secure connection, the message could be becasue the connection is not trusted! of course. here you would simply tell the client to ignore it.
You also set an alias in your JKS file, make sure you tell the server to load the correct alias.
placing the JKS in src/main/resources could be a good practice, but not essential, just make sure it's safe and accessible.
crt and cer are not required explicitly for java, but once you get a signed certificate by a CA, you would import the cert into the JKS to let the server finds the intermediate and root certs(if exists, root is not essential)
Once you generate a key by keytool, just keep the file safe. You need to generate the CSR value, also the same jKS is needed for trusted cert importing.
I also suggest to get some hand of OpenSSL(if possible) over JSSE.
How does my Java program know where my keystore containing the certificate is?
Or alternatively: How do I tell my Java program where to look for the keystore?
After specifying the keystore in some way, how to specify the certificate to use for authenticating the server to client?
SSL properties are set at the JVM level via system properties. Meaning you can either set them when you run the program (java -D....) Or you can set them in code by doing System.setProperty.
The specific keys you have to set are below:
javax.net.ssl.keyStore- Location of
the Java keystore file containing an
application process's own certificate
and private key. On Windows, the
specified pathname must use forward
slashes, /, in place of backslashes.
javax.net.ssl.keyStorePassword - Password
to access the private key from the
keystore file specified by
javax.net.ssl.keyStore. This password
is used twice: To unlock the keystore
file (store password), and To decrypt
the private key stored in the keystore
(key password).
javax.net.ssl.trustStore - Location of
the Java keystore file containing the
collection of CA certificates trusted
by this application process (trust
store). On Windows, the specified
pathname must use forward slashes, /,
in place of backslashes, \.
If a trust store location is not
specified using this property, the
SunJSSE implementation searches for
and uses a keystore file in the
following locations (in order):
$JAVA_HOME/lib/security/jssecacerts
$JAVA_HOME/lib/security/cacerts
javax.net.ssl.trustStorePassword -
Password to unlock the keystore file
(store password) specified by
javax.net.ssl.trustStore.
javax.net.ssl.trustStoreType - (Optional)
For Java keystore file format, this
property has the value jks (or JKS).
You do not normally specify this
property, because its default value is
already jks.
javax.net.debug - To switch
on logging for the SSL/TLS layer, set
this property to ssl.
System.setProperty("javax.net.ssl.trustStore", path_to_your_jks_file);
Just a word of caution. If you are trying to open an existing JKS keystore in Java 9 onwards, you need to make sure you mention the following properties too with value as "JKS":
javax.net.ssl.keyStoreType
javax.net.ssl.trustStoreType
The reason being that the default keystore type as prescribed in java.security file has been changed to pkcs12 from jks from Java 9 onwards.
you can also mention the path at runtime using -D properties as below
-Djavax.net.ssl.trustStore=/home/user/SSL/my-cacerts
-Djavax.net.ssl.keyStore=/home/user/SSL/server_keystore.jks
In my apache spark application, I used to provide the path of certs and keystore using --conf option and extraJavaoptions in spark-submit as below
--conf 'spark.driver.extraJavaOptions=
-Djavax.net.ssl.trustStore=/home/user/SSL/my-cacerts
-Djavax.net.ssl.keyStore=/home/user/SSL/server_keystore.jks'
First of all, there're two kinds of keystores.
Individual and General
The application will use the one indicated in the startup or the default of the system.
It will be a different folder if JRE or JDK is running, or if you check the personal or the "global" one.
They are encrypted too
In short, the path will be like:
$JAVA_HOME/lib/security/cacerts for the "general one", who has all the CA for the Authorities and is quite important.
I have a problem with signing my jar files with jarsigner. I used this tutorial to sign my jar files, but with the last step(signing the jar), I got this error:
jarsigner error: java.lang.RuntimeException: keystore load: Invalid keystore format
and I didn't use step #10, I used instead step #5 from this site since, I'm using a real certificate not a fake one ...
Note:
I'm having my certificate in .spc & .pvk format...
But, since I'm using jarsigner, I have to convert them to .p12 format. So, I convert them first to .pfx using pvkimprt.exe then to .p12. I used the method that I specified in the link that I mentioned it before.
Also, I tried to create a fake certificate to make sure that the problem is not from the pvkimprt.exe tool or from the certificate. It gave me the same error.
The certificate is just fine. So, where is the problem came from?
The error you are facing indicates that jarsigner does not understand the format of the keystore containing the key.
If you converted your key & certificate into a PKCS#12 file you have to specify the type of used keystore to jarsigner with the -storetype PKCS12 command line option and the P12 password with -storepass mystorepassword
(actually most of the time .pfx and .p12 are used for the same file format therefore I am not sure that the firefox import/export step in the tutorial is mandated)
Not really an answer, just a comment - I found that the upper case was crucial - "pkcs12" didn't work but "PKCS12" did, using Jcs's answer.
This is what I did and that worked:
<ant:signjar alias="le-f0b73c88-1f82-4497-8c3f-e10d399b4c9c" storetype="pkcs12"
storepass="fount-current"
keystore="/vobs/oam_base/loadbuild_tools/common/src/conf/kunal.pfx">
Store pass should be the lower case, this is the working order or arguments, some time wrong order with throw the runtime padding exception.
[signjar] jarsigner error: java.lang.RuntimeException: keystore load: