Situation:
I have a Airwatch Installment, that provides the Client with private "User Certificates" that are stored in the User private CA Store. The Certificates should be used when establishing a SSL Connection to a designated https Webserver.
E.g. When i try to access this Webserver via HTTPS and Chrome, Chrome finds the Client Certificate and asks me if i wanna use it (so not directly). By clicking "ok" i can establish the Connection and view the Site.
Problem
In the "recent times" this could be solved in custom Apps by providing the Apps themselfs with the physical Certificate and load it on runtime (by creating a Keystore, Trustmanager, and Custom SSLContext) as described here
I though with Android Nougat i could get rid of the "Workaround", by only configuring where the Certificates for this app are located. Its called Network Security Configuration, as described here https://developer.android.com/training/articles/security-config.html
So i Added:
android:networkSecurityConfig="#xml/network_security_config"
in the Android Manifest, and added a XML that looks like this
<network-security-config>
<base-config>
<!-- Trust ONLY the mydomain.com Domain and its Subdomains -->
<domain includeSubdomains="true">mydomain.com</domain>
<trust-anchors>
<!-- Trust preinstalled CAs -->
<certificates src="system"/>
<!-- Additionally trust user added CAs -->
<certificates src="user"/>
</trust-anchors>
</base-config>
</network-security-config>
I though using a HttpsURLConnection would automatically use also the User-Certificates if necessary.
Current Situation:
Im Still getting this:
javax.net.ssl.SSLHandshakeException: Handshake failed
Question:
1) Do I still have to Create a Custom SSLContext and injecting a Custom Trustmanager with a Custom Keystore ? And If I have to do so, how do I get the User Certificates ? The Defautl System CAs can be easyly initialised via KeyStore.getInstance("AndroidCAStore"); but how to get the Keys from the User Specific Store to use them in the SSLContext ?
3) I didn't find any example in the Web how to Use a HttpsConnection with Client Certificates that are stored in the User Keystore on Android with Nougat or higher, any hints ?
Related
I am trying to enable SSL in my hosted project via tomcat.
I managed to upload certs but the connection is still unsecured.
My Url looks like this
laptap.partner.solution
Is it possible to enable SSL using this url, and get a green lock at the same time? Someone told me SSL only works on TLD's.
What does it mean?
when you generate an SSL certificate you must use wildcard (*.example.com) so it works with your subdomain.
you can use Let's Encrypt to generate free SSL certificates which also supports wildcards and the Green Bar you want to have
I am quite new to working with certificates and security, so pardon me if this is a no-brainer to others. I have followed this guide to set up my Grails application to run on HTTPS with self-signed certificates.
I am trying to establish 2-way SSL with another HTTPS network (a Nifi standalone instance) running on the same machine. I can get the Nifi instance to talk to Grails over HTTPS, but I am having issues with Grails talking to Nifi (specifically to a ListenHTTP processor).
I was hoping someone could advise how to use certificate authentication in Grails when posting over HTTPS.
Nifi uses certificate authentication; however per the above guide Grails only specifies a single keystore (for receiving requests?) so I'm a bit thrown off. I can successfully CURL to Nifi's REST API by specifying the --cert and --key properties, but since the final product will be a WAR on a client machine I want to set this up the 'right way', and I believe leaving those files on the client machine is a really big no-no for security.
During early development RestBuilder was sufficient for 2-way comms over HTTP, however, I am unable to find any mention of using it with certificate authentication (only basic authentication is covered in the documentation?).
HTTPBuilder shows up a lot when I looked for alternatives, however looking at the relevant documentation (line 139 'certificate()') it states that it takes a whole keystore JKS and password. I think this is close but not quite what I am looking for considering I only have one keystore; I am open to correction here.
Please note that I will be unavailable to respond until at least the day after this question was posted.
When making an outgoing HTTPS connection, if the remote endpoint (in this case Apache NiFi) requires client certificate authentication, the originating endpoint (Grails) will attempt to provide a certificate. The certificate that Grails is using to identify itself as a service is fine to use in this scenario, provided:
The certificate either does not have the ExtendedKeyUsage extension set, or if it is set, both ServerAuth and ClientAuth values are present. If ClientAuth is missing, the system will not allow this certificate to be used for client authentication, which is the necessary role in this exchange.
The certificate has a valid SubjectAlternativeName value which matches the hostname it is running on. RFC 6125 prescribes that SAN values should be used for certificate identity rather than Distinguished Name (DN) and Common Name (CN). So if the Grails app is running on https://grails.example.com, the SAN must contain values for grails.example.com or *.example.com.
The certificate must be imported into NiFi's truststore in order to allow NiFi to authenticate a presenter of this certificate.
NiFi must have ACL permissions in place for this "user". This can be done through the UI or by modifying the conf/authorizers.xml file before starting NiFi for the first time. See NiFi Admin Guide - Authorizers Configuration for more information.
Your concern for leaving the cert.pem and key.key files on the client machine is understandable, but the sensitive information contained therein is the same data that's in your keystore. At some point, the private key must be accessible by the Grails app in order to perform HTTPS processes, so having it in the keystore is functionally equivalent (you don't mention having a password on the *.key file, but obviously you should have a password on the keystore).
I got a url with https, which has a common certification (which means this url could be visited from the browser and has a https security badge). Now I want to get the info from this url using HttpsUrlConnection, how can I do a certification check.
I am a SSL beginner, so I did some searching. And I got this, which is a self-signed check demo.
I'm wondering if the common https link should be checked like this. Does HttpsUrlConnection do a check, I found on the Android Developers:
If an application wants to trust Certificate Authority (CA) certificates that are not part of the system, it should specify its own X509TrustManager via a SSLSocketFactory set on the HttpsURLConnection.
Does this means I don't need to check the server certificate if I can browse it from a web browser? Can I do a validation like the web browser does? And where can I find the trust store file, can I just make a default key store? Or anybody can tell me how to implement a TrustManager(I do want a validation, not a trust manager that trust anything).
maybe this information will help you HttpComponents
I built a Web-Service application in Jdeveloper 11.1.1.7 and deployed it on weblogic 10.3.6 with all Key-store and SSL configuration.
SSl Configuration:
Use Server Certs : Checked
Two Way Client Cert Behavior: Client Certs Not Requested. [That is means it is one-way ssl.
Correct me if that wrong]
SSL Listen Port Enabled: Checked
Key-store Configuration:
Custom Identity and Custom Trust. The file path has been specified for those custom key store
A sample client application has been created and everything seems to be fine; I mean the client can not access the server application without specifying the trust store file location where the server certificate is stored and it is trusted at the client end.
By the server certificate I mean the same certificate that has been configured in server Key-store Configuration
for your information the client application referring to trust store as follow:
System.setProperty("javax.net.ssl.trustStore",[Trust-store location goes here]);
System.setProperty("javax.net.ssl.trustStorePassword", [password goes here]);
Till now nothing wrong. Next is the problem details:
For the purpose of testing I tried to access the deployed web-service application using the SoapUI (open source software). What is confusing is the request has been sent, accepted at the server and proceed without specifying any thing for server certificate nor trust store location in SoapUI project configuration !!
Why the SOAP request has been accepted from SoapUI without referring to server certificate? The request should be rejected in this case.
My experience with SoapUI is that it is quite lenient. For example, if it doesn't check if the CN of server certificate matches the fully qualified domain name in the URL. In your case, your server most likely uses a CA signed certificate. Most of the root and intermediate certificates of well known CA's (e.g. VeriSign/Symantec) are already included in the default truststores for most systems. If your server had used a self-signed certificate, then SoapUI would have incurred SSL error unless you import the self-signed certificates into the truststore of the host where SoapUI is running.
is it possible in spring framework to have 2 login implementation at the same time for the login page? Form login and Certificate based login (x509). I've tried either one of these method but combining them at the same time, it is hard for me to do it. Any idea how to enable these two methods? Any book or site reference that I can refer to regarding this?
Thanks
Yes, it is possible, by making the SSL client-auth optional.
Here on Baeldung is a good tutorial on enabling SSL client authentication with X.509 certificates, with forced client-auth (not good for your case, with login form fallback)
Follow that tutorial and pay attention in the application.properties file to make the client-auth want instead of need. This will make the client-server SSL handshake attempt to ask for a certificate.
server.ssl.client-auth=want
If the browser does not provide a certificate (does not have any configured or the user clicks on cancel when prompted to select a certificate from a list), the SSL handshake will be done without the client certificate, and the user will have to login with username+password
If the user chooses a certificate, the SSL handshake is done with the client certificate. The server then verifies the given certificate in the trust-store. If the certificate is valid, the SSL handshake is successfully established. Otherwise, the connection is refused by the server.
Pay attention that
only the authentication is done with the x.509 certificate. For authorization, you must provide the X509Configurer an UserDetailsService implementation, to retrieve the UserDetails for the user that just authenticated via x.509
thus, if you have a database of users with their assigned roles, even if the certificate is in the trust-store, the user might not be in the user database, so you will have to treat this possibility in your application logic. I.e. when the SSL connection is mutual, but the user is not present in the user database.
Yes it is possible. All you need is to declare x509 support in your http config:
<http ...>
...
<x509 ... />
....
</http>
and configure SSL in Tomcat.
See this entry and this thread.