I want to enable SSL for my spring boot application.
I generated a keystore with this command:
keytool -genkey -alias myapp -keyalg RSA -keystore tomcat.keystore
application.properties contains:
server.port = 8443
server.ssl.key-store = classpath:tomcat.keystore
server.ssl.key-store-password = ###
server.ssl.key-password = !&*
server.ssl.enabled=true
First I had created JKS key store with this command:
keytool -genkey -alias tomcat -keystore keystore.jks -validity 3650
But I received error when visited https://localhost:8443:
This site can’t provide a secure connection
localhost uses an unsupported protocol.
Why is it working now and not then?
I have a few other questions:
1. I looked at a few tutorials and they all suggested putting the keystore file in src/main/resources. Is this really a good idea?
2. What is the key-store-password? What is the key-password?
3. Is this all we have to do to enable SSL? What about crt and cer files? Where are they used?
About "localhost uses an unsupported protocol": make sure the server supports a cipher which the client can support.
"This site can’t provide a secure connection": the message could be because the connection is not trusted, of course. Here you would simply tell the client to ignore it.
You also set an alias in your JKS file; make sure you tell the server to load the correct alias.
Placing the JKS in src/main/resources could be a good practice, but it is not essential; just make sure it's safe and accessible.
crt and cer files are not required explicitly for Java, but once you get a certificate signed by a CA, you would import the cert into the JKS to let the server find the intermediate and root certs (if they exist; the root is not essential).
Once you generate a key with keytool, just keep the file safe. You need it to generate the CSR, and the same JKS is needed for importing the trusted cert.
I also suggest getting some hands-on experience with OpenSSL (if possible) over JSSE.
I've created a global JKS that has "changeme" as the keystore password. I created the JKS using the Keystore Explorer.
The idea behind using the global JKS is that apps can pull down the JKS from S3 and then reset the JKS with their own string password. We do a lot of SpringBoot APIs and we use the JKSs to secure Tomcat in the container so we can get HTTPS connected.
But here's the problem I'm running into, when I change the JKS keystore password I start getting java.security.UnrecoverableKeyException: Cannot recover key errors being thrown.
In the Keystore Explorer I didn't specify a password for the alias. When I go into the Keystore Explorer to change the alias password, it accepts "changeme" as the password. So, I assume the Keystore Explorer is automatically using changeme as the password since I supplied it for the JKS keystore password.
Admittedly, I'm no expert with using JKS and understanding the intricacies of security but this one has me stumped.
I've also tried changing both the keystore password and the key password with keytool using the following commands:
keytool -storepasswd -keystore myJKS.jks
and
keytool -keypasswd -alias myalias -keystore myJKS.jks
But when I try to change the alias I get:
keytool error: java.io.IOException: Keystore was tampered with, or password was incorrect
What am I doing wrong?
Thanks
The error you are seeing is because you might have provided the wrong keystore password in the command.
First, a basic understanding of what a JKS is. A JKS (Java KeyStore) is basically a file that protects secret keys (symmetric keys), key pairs (asymmetric keys) and certificates. The way it protects them is by a password; this password is called the keystore-password. The keys within the JKS file can also be protected individually, which means they can have their own password, which is called the key-password.
The way to change the keystore-password:
keytool -storepasswd -keystore [KEYSTORE] -storepass [OLD_KEYSTORE_PASSWORD] -new [NEW_KEYSTORE_PASSWORD]
The way to change the key-password:
keytool -keypasswd -keystore [KEYSTORE] -storepass [KEYSTORE_PASSWORD] -alias [ALIAS] -keypass [OLD_KEY_PASSWORD] -new [NEW_KEY_PASSWORD]
These are the properties related to securing the spring-boot application. You have to define the keystore-password and key-password in those properties.
server.ssl.ciphers= # Supported SSL ciphers.
server.ssl.client-auth= # Client authentication mode.
server.ssl.enabled=true # Whether to enable SSL support.
server.ssl.enabled-protocols= # Enabled SSL protocols.
server.ssl.key-alias= # Alias that identifies the key in the key store.
server.ssl.key-password= # Password used to access the key in the key store.
server.ssl.key-store= # Path to the key store that holds the SSL certificate (typically a jks file).
server.ssl.key-store-password= # Password used to access the key store.
server.ssl.key-store-provider= # Provider for the key store.
server.ssl.key-store-type= # Type of the key store.
server.ssl.protocol=TLS # SSL protocol to use.
server.ssl.trust-store= # Trust store that holds SSL certificates.
server.ssl.trust-store-password= # Password used to access the trust store.
server.ssl.trust-store-provider= # Provider for the trust store.
server.ssl.trust-store-type= # Type of the trust store.
You can find all the spring-boot properties in the documentation here.
If you look at the properties, there is server.ssl.key-store-password and server.ssl.key-password. You can ask the users to set those two values after they change the global JKS password.
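As an added example (not code from the question or the answer above), the following Java program reproduces the situation with the KeyStore API: it builds a store whose entry is protected with the original password, rotates only the store password the way keytool -storepasswd does, and shows that the entry can still only be recovered with its own key password. A JCEKS store with a generated AES key is used so the example needs no certificate; JKS private-key entries behave the same way. The alias and passwords are made-up values.

```java
import java.io.ByteArrayInputStream;
import java.io.ByteArrayOutputStream;
import java.security.KeyStore;
import java.security.UnrecoverableKeyException;
import javax.crypto.KeyGenerator;
import javax.crypto.SecretKey;

public class StoreVsKeyPassword {
    static final String ALIAS = "myalias"; // constructed alias

    /** Serialises the store under storePass; entry passwords are left untouched, like keytool -storepasswd. */
    static byte[] save(KeyStore ks, char[] storePass) throws Exception {
        ByteArrayOutputStream out = new ByteArrayOutputStream();
        ks.store(out, storePass);
        return out.toByteArray();
    }

    static KeyStore open(byte[] bytes, char[] storePass) throws Exception {
        KeyStore ks = KeyStore.getInstance("JCEKS");
        ks.load(new ByteArrayInputStream(bytes), storePass);
        return ks;
    }

    /** True when keyPass unlocks the entry; false on UnrecoverableKeyException ("Cannot recover key"). */
    static boolean keyOpens(KeyStore ks, char[] keyPass) throws Exception {
        try {
            return ks.getKey(ALIAS, keyPass) != null;
        } catch (UnrecoverableKeyException e) {
            return false;
        }
    }

    public static void main(String[] args) throws Exception {
        char[] changeme = "changeme".toCharArray();       // the original "global" password
        char[] newStore = "per-app-secret".toCharArray(); // what an app sets afterwards
        // Build the store as Keystore Explorer did: the key password defaults to the store password.
        KeyStore ks = KeyStore.getInstance("JCEKS");
        ks.load(null, null);
        SecretKey key = KeyGenerator.getInstance("AES").generateKey(); // stand-in for the TLS private key
        ks.setKeyEntry(ALIAS, key, changeme, null);
        byte[] original = save(ks, changeme);
        // Rotate only the store password; the entry keeps its old key password.
        KeyStore after = open(save(open(original, changeme), newStore), newStore);
        System.out.println("new store password unlocks the key? " + keyOpens(after, newStore)); // what Tomcat tries by default
        System.out.println("old key password unlocks the key?   " + keyOpens(after, changeme));
        // Fix: re-protect the entry with the new password (keytool -keypasswd does the same),
        // or keep server.ssl.key-password=changeme next to the new server.ssl.key-store-password.
        after.setKeyEntry(ALIAS, after.getKey(ALIAS, changeme), newStore, null);
        System.out.println("after re-keying the entry: " + keyOpens(after, newStore));
    }
}
```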
I have an application written using QuickFIX/J to connect with Bloomberg Server. Recently Bloomberg added CA certificate validation to their servers and they provide additional CA certificate file for handshaking.
My application connected using SSL, and when CA certificate validation is disabled on the Bloomberg side, the application successfully connects to the server and gets the messages. Handshaking fails when CA validation is enabled.
Below are the steps I tried.
Previously I was using the ImportKey Java class to add the certificate and key. I changed it to add multiple certificates. If needed I can post the Java class.
When I connect to the server using openssl s_client it successfully connects to the server.
Is there anything that needs to be changed on Application level? Configuration? Or is there anything to do in the Java keystore level?
The error message that comes when connecting is below:
20160823-06:04:15, FIX.4.4:XXXX->XXXX, error> (Disconnecting: Socket
exception (/XXXX.XXXX.XXX.XX:20237):
javax.net.ssl.SSLHandshakeException: SSL handshake failed.)
Successfully logged out for sessionId : FIX.4.4:XXXX->XXXX
Any help is appreciated!
The configuration:
[default]
# Settings which apply to all the Sessions.
ConnectionType=initiator
LogonTimeout=86400
ResetOnLogon=Y
UseDataDictionary=Y
MaxLatency=240
#StartTime=00:00:00
#EndTime=00:00:00
#StartTime=02:30:00
#EndTime=12:30:00
StartTime=02:21:00
EndTime=12:21:00
HeartBtInt=30
ReconnectInterval=5
[session]
# Settings specifically for one session
BeginString=FIX.4.4
SocketConnectHost=xxx.xxx.xxx.xxx
SocketUseSSL=Y
SocketKeyStorePassword=importkey
CheckLatency=N
#SendResetSeqNumFlag=Y
# new setups
FileLogHeartbeats=Y
##----- CAPS Configuration ---------##
FileStorePath=/etc/bloomburg-live/msgs
FileLogPath=/etc/bloomburg-live/logs
DataDictionary=/etc/bloomburg-live/conf/FIX44.xml
SocketKeyStore=/root/.keystore
TargetCompID=BLPSTP
SocketConnectPort=xxxxx
SenderCompID=CAPSTP
# log configuration
FileIncludeMilliseconds=Y
FileIncludeTimeStampForMessages=Y
ScreenLogShowHeartBeats=Y
#Filter heartbeats from output (both incoming and outgoing)
PS - The application works without CA certificate validation. The error comes when CA certificate validation is enabled.
Yes. If the application previously worked with SSL, you don't need to make any changes on the application side. Normally QuickFIX/J processes SSL validation just like Java. That means openssl and the Java keytool will do the trick for you. The steps are listed below.
Create a PKCS12 keystore using the trust certificate, private key and CA certificate.
$ openssl pkcs12 -export -chain -in certificate.pem -inkey encodedKey.pem -out keystore.p12 -name importkey -CAfile CAcertificate.pem
Enter Export Password: importkey
Verifying - Enter Export Password: importkey
Using keytool, import the PKCS12 keystore into the keystore used by QuickFIX/J, /root/.keystore. Again, you may select different passwords.
keytool -importkeystore -destkeystore /root/.keystore -srckeystore keystore.p12 -alias importkey
Enter destination keystore password: importkey
Re-enter new password: importkey
Enter source keystore password: importkey
Change the configuration file and copy the keystore to the classpath.
SocketKeyStore=keystore.ImportKey
cp /root/.keystore keystore.ImportKey /your/classpath
That's it.
Please note: adding the SSL key and certificates to the Java keystore does not work for QuickFIX/J, because QuickFIX/J maintains its own keystore. So make sure you add the keystore to the classpath after the key-adding process.
Reference - https://blogs.oracle.com/jtc/entry/installing_trusted_certificates_into_a
I am installing a wildcard SSL certificate into my keystore, which will be used for the Apache Tomcat web server.
Description :
My Tomcat server is installed on a Windows 2012 server.
And I have certificates provided by COMODO.
The wildcard cert I'm using has already been used previously on a few servers, so I am directly installing the same on my Apache Tomcat server.
So I generated a public keystore using keytool, providing the same information used while purchasing the certificate, with the following command.
keytool -keysize 2048 -genkey -alias tomcat -keyalg RSA -keystore tomcat.keystore
Then I attached my certificates to the generated keystore using the following command.
For "Comodo" certificates:
keytool -import -trustcacerts -alias root -file AddTrustExternalCARoot.crt -keystore selfservice.keystore
And I used the correct chain of installation of certificates, i.e. root, all intermediates, then primary, with the above command.
And while installing each certificate I received the following message:
"Certificate added to keystore"
So I have not got any error.
And when I opened my keystore there was no certificate chain, meaning there is an individual entry for each certificate, but there is no chain hierarchy of certificates like root, then intermediate, then primary.
And in my final PI or certificate, I am getting the provider as my local name instead of Comodo.
EXAMPLE :
CN=nims.ABC.com,OU=abcCommunications,O=abc Group LLC, L=Roseville,ST=Minnesota,C=US
Provider must be
CN=COMODO RSA Organization Validation Secure Server CA,O=COMODO CA Limited,L=Salford,ST=Greater Manchester,C=GB
So I would like to know which steps I have missed or which extra steps I used.
Please provide a solution to install a wildcard certificate.
Thanks in advance
You did everything correctly. The trust chain is important for another aspect. If you trust one 'certificate' of the chain, you trust the following 'certificates' of the chain too. So to trust all certs of a CA you just have to trust the root CA's cert.
What you really need to make the wildcard certificate work on your server is to import the private key part of it.
I assume you mean Tomcat using Java SSL (JSSE) not APR/Native (OpenSSL). If you want Tomcat-APR, change your question.
If the cert you want to use is already in use on other servers, and you "generated a public keystore using" the keytool command you showed on the NEW server, you generated a NEW KEY which is different from the key the other servers used and different from the key included in the certificate, thus the certificate DOES NOT MATCH that new key and cannot be used with that new key. You also implicitly generated (and have not replaced) a self-signed cert, with both subject and issuer (what you call provider) identifying you rather than a CA like Comodo. This certificate is not good for general use but can be useful for some testing, which is why keytool does it implicitly.
You need to get the certificate, the ALREADY EXISTING private key that MATCHES the certificate, and the needed chain cert(s) into your JKS as a privateKey entry. If an existing SSL server is Java (using JSSE), just copy its JKS. If you want or need to change the password(s) on the copy for your new server, see keytool -storepasswd and keytool -keypasswd.
If an existing server is OpenSSL (including Apache httpd and nginx), convert the OpenSSL PEM format to PKCS#12 (preferably on the old server); depending on that server's file layout this is something like
openssl pkcs12 -export -in certfile -inkey keyfile -certfile chaincert -out xxx
and then use keytool to convert PKCS#12 to JKS (preferably on the new server)
keytool -importkeystore -srckeystore xxx -srcstoretype pkcs12 -destkeystore yyy
Note you must use a password on the PKCS#12. This does not need to be the same as the old server keyfile (if any) or the new server JKS, but it's usually more convenient if it is.
If an existing server is IIS, you should be able to export the cert WITH private key AS PFX/PKCS#12 from the Certificates snap-in of mmc, and then convert the PKCS12 to JKS as just above.
If an existing server is something else, add it to the question.
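An added diagnostic (not part of the answers above) that loads a JKS or PKCS12 file and reports, per alias, whether it is a trusted-certificate-only entry or a private-key entry, prints the chain with subject and issuer, flags a self-signed single-certificate chain, and checks that an RSA private key actually matches the leaf certificate. The command-line arguments (path, store password, optional key password and store type) are assumptions of this example.

```java
import java.io.FileInputStream;
import java.security.Key;
import java.security.KeyStore;
import java.security.PrivateKey;
import java.security.cert.Certificate;
import java.security.cert.X509Certificate;
import java.security.interfaces.RSAPrivateKey;
import java.security.interfaces.RSAPublicKey;
import java.util.Collections;

/** Usage (assumed): java KeystoreAudit <keystore> <storepass> [keypass] [type] */
public class KeystoreAudit {
    public static void main(String[] args) throws Exception {
        String storePass = args[1];
        String keyPass = args.length > 2 ? args[2] : storePass; // Tomcat/Spring Boot default
        String type = args.length > 3 ? args[3] : "JKS";         // JDK 9+ also reads PKCS12 through "JKS"
        KeyStore ks = KeyStore.getInstance(type);
        try (FileInputStream in = new FileInputStream(args[0])) {
            ks.load(in, storePass.toCharArray());
        }
        int privateKeyEntries = 0;
        for (String alias : Collections.list(ks.aliases())) {
            if (ks.isCertificateEntry(alias)) {
                // Created by keytool -import/-importcert: a trust anchor only, unusable for serving TLS.
                System.out.println(alias + ": trusted certificate only -> " + subject(ks.getCertificate(alias)));
                continue;
            }
            Key key = ks.getKey(alias, keyPass.toCharArray()); // UnrecoverableKeyException if key-password differs
            if (!(key instanceof PrivateKey)) continue;
            privateKeyEntries++;
            Certificate[] chain = ks.getCertificateChain(alias);
            System.out.println(alias + ": private key entry, chain length " + chain.length);
            for (Certificate c : chain) {
                System.out.println("    subject=" + subject(c) + "  issuer=" + ((X509Certificate) c).getIssuerX500Principal().getName());
            }
            X509Certificate leaf = (X509Certificate) chain[0];
            if (chain.length == 1 && leaf.getSubjectX500Principal().equals(leaf.getIssuerX500Principal())) {
                System.out.println("    WARNING: self-signed; the CA-issued certificate was never imported under this alias");
            }
            if (key instanceof RSAPrivateKey && leaf.getPublicKey() instanceof RSAPublicKey) {
                boolean match = ((RSAPrivateKey) key).getModulus().equals(((RSAPublicKey) leaf.getPublicKey()).getModulus());
                System.out.println("    private key matches leaf certificate: " + match);
            }
        }
        if (privateKeyEntries == 0) {
            System.out.println("No private key entry: JSSE will have no certificate to serve for any cipher suite");
        }
    }

    private static String subject(Certificate c) {
        return ((X509Certificate) c).getSubjectX500Principal().getName();
    }
}
```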
I've downloaded apache james 2.3.2. At the moment I just want to get it working on localhost with ssl encryption (but I know very little about ssl). Initially I managed to get it running, create accounts (by running james-2.3.2/bin/run.bat) and connect to these accounts using the mozilla thunderbird mail client. The trouble comes when I try to create a self signed ssl certificate. I have tried two different methods.
running keytool -genkeypair creates a keystore in .keystore in my home directory, and
running keytool -genkeypair -alias certificate -keystore my_keystore.pfx -storepass password -validity 365 -keyalg RSA -keysize 2048 -storetype pkcs12 creates a keystore in my_keystore.pfx.
james-2.3.2 will accept the .keystore but Thunderbird won't and Thunderbird will accept my_keystore.pfx but James throws exceptions. I think the error might be in the james-2.3.2/apps/james/SAR-INF/conf.xml file.
<sockets>
  <server-sockets>
    <factory name="plain" class="org.apache.avalon.cornerstone.blocks.sockets.DefaultServerSocketFactory"/>
    <factory name="ssl" class="org.apache.avalon.cornerstone.blocks.sockets.TLSServerSocketFactory">
      <ssl-factory>
        <keystore>
          <file>conf/my_keystore.pfx</file>
          <password>password</password>
          <key-password>password</key-password>
          <type>PKCS12</type>
          <protocol>TLS</protocol>
          <algorithm>SHA256withRSA</algorithm>
          <authenticate-client>false</authenticate-client>
        </keystore>
      </ssl-factory>
    </factory>
  </server-sockets>
</sockets>
When I try to run james again from the batch file I get NoSuchAlgorithmException. I have tried using all sorts of values for the algorithm tag instead of SHA256withRSA but nothing seems to work. If anyone knows the answer I'd be grateful. Also if anyone knows how to turn on the logging so I can see it in the log file, that too would be helpful.
sunjce_provider.jar has to be copied from the JRE lib folder to the lib folder in James. James will then accept the .pfx file if the algorithm tag is left as the default SunX509. I spotted this nugget of information in the comments of the config xml file.
How do you setup SSL with Grails? We have our signed certificate from our provider, and have tried creating a keystore under .grails/1.3.7/ssl/keystore. With just putting our key in, we start grails and get:
Caused by: javax.net.ssl.SSLException: No available certificate or key corresponds to the SSL cipher suites which are enabled.
at sun.security.ssl.SSLServerSocketImpl.checkEnabledSuites(SSLServerSocketImpl.java:327)
at sun.security.ssl.SSLServerSocketImpl.accept(SSLServerSocketImpl.java:272)
at org.apache.tomcat.util.net.jsse.JSSESocketFactory.checkConfig(JSSESocketFactory.java:742)
Maybe we have to import the .crt file with a different command? I used:
keytool -import -v -trustcacerts -alias riseup.org.nz -file /etc/ssl/telethon/telethon.crt
When I use an alias other than riseup.org.nz, it complains the alias doesn't match the crt.
After running the command, it does ask me if I trust the information, which makes me think of:
Note: it is not required that you execute a -printcert command prior to importing a certificate, since before adding a certificate to the list of trusted certificates in the keystore, the -import command prints out the certificate information and prompts you to verify it.
from: http://download.oracle.com/javase/1.3/docs/tooldocs/win32/keytool.html