Cannot Connect Jconsole to Websphere SSL - java

I am having trouble connecting WebSphere with JConsole through an SSL connection. I have generated my own keystore and truststore with certificates and I have set up the following system properties through WebSphere:
-Dcom.ibm.team.server.monitoring.mbean.server=WebSphere -Djavax.management.builder.initial= -Dcom.sun.management.jmxremote=true -Dcom.sun.management.jmxremote.port=12099 -Djavax.net.ssl.keyStore={KEYSTOREPATH}\keystore -Djavax.net.ssl.keyStoreType=pkcs12 -Djavax.net.ssl.keyStorePassword=password -Dcom.sun.management.jmxremote.authenticate=false
On the jconsole side I am running the following arguments to add the truststore files to the runtime:
jconsole -J-Djavax.net.ssl.trustStore={KEYSTOREPATH}\truststore -J-Djavax.net.ssl.trustStorePassword=password -J-Djavax.net.ssl.trustStoreType=pkcs12 -J-Djava.security.debug=all localhost:12099
With the debug mode, I am able to see the error on the client side:
java.io.IOException: DerInputStream.getLength(): lengthTag=109, too big.
at com.ibm.security.util.DerInputStream.getLength(DerInputStream.java:724)
at com.ibm.security.util.DerInputStream.getLength(DerInputStream.java:698)
at com.ibm.security.util.DerValue.<init>(DerValue.java:254)
at com.ibm.security.util.DerInputStream.getDerValue(DerInputStream.java:499)
at com.ibm.security.pkcsutil.PKCSDerObject.decode(PKCSDerObject.java:251)
at com.ibm.security.pkcs12.PFX.<init>(PFX.java:134)
at com.ibm.crypto.provider.PKCS12KeyStore.engineLoad(Unknown Source)
at java.security.KeyStore.load(KeyStore.java:1225)
at com.ibm.jsse2.cc.a(cc.java:72)
at com.ibm.jsse2.cc.a(cc.java:76)
at com.ibm.jsse2.ec.g(ec.java:7)
at com.ibm.jsse2.ec.<init>(ec.java:19)
at com.ibm.jsse2.ec.e(ec.java:14)
at com.ibm.jsse2.SSLSocketFactoryImpl.<init>(SSLSocketFactoryImpl.java:16)
at java.lang.J9VMInternals.newInstanceImpl(Native Method)
at java.lang.Class.newInstance(Class.java:1617)
at javax.net.ssl.SSLSocketFactory.getDefault(SSLSocketFactory.java:37)
at javax.rmi.ssl.SslRMIClientSocketFactory.getDefaultClientSocketFactory(SslRMIClientSocketFactory.java:218)
at javax.rmi.ssl.SslRMIClientSocketFactory.createSocket(SslRMIClientSocketFactory.java:128)
at sun.rmi.transport.tcp.TCPEndpoint.newSocket(TCPEndpoint.java:625)
at sun.rmi.transport.tcp.TCPChannel.createConnection(TCPChannel.java:228)
at sun.rmi.transport.tcp.TCPChannel.newConnection(TCPChannel.java:214)
at sun.rmi.server.UnicastRef.newCall(UnicastRef.java:353)
at sun.rmi.registry.RegistryImpl_Stub.lookup(Unknown Source)
at sun.tools.jconsole.ProxyClient.checkSslConfig(ProxyClient.java:230)
at sun.tools.jconsole.ProxyClient.<init>(ProxyClient.java:133)
at sun.tools.jconsole.ProxyClient.getProxyClient(ProxyClient.java:487)
at sun.tools.jconsole.JConsole$3.run(JConsole.java:551)
Research tells me that the issue might be with the format of the keystore and truststore, which in my case is PKCS12. The default expects JKS, and I have changed this in the java.security file at JAVA_HOME/jre/lib/security/java.security:
#
# Default keystore type.
#
keystore.type=pkcs12
Also, I have client authentication disabled.
Does anyone know what the issue might be with my setup?
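As an added diagnostic (not from the original post), the Java class below reports what a keystore file really is from its first bytes and then tries to load it under the type you intend to declare through javax.net.ssl.*StoreType, so a format mismatch shows up before JConsole ever opens the socket. The file path, declared type and password passed on the command line are assumptions.

```java
import java.io.FileInputStream;
import java.io.IOException;
import java.io.InputStream;
import java.security.KeyStore;

public class KeyStoreProbe {

    /** Identify the container from its first four bytes. */
    static String sniff(byte[] h) {
        if (h.length >= 4 && (h[0] & 0xff) == 0xFE && (h[1] & 0xff) == 0xED
                && (h[2] & 0xff) == 0xFE && (h[3] & 0xff) == 0xED) {
            // A PKCS12 loader reads 0xFE as a DER tag and 0xED as a long-form length
            // with 0x6D = 109 length octets, hence "lengthTag=109, too big" above.
            return "JKS";
        }
        if (h.length >= 4 && (h[0] & 0xff) == 0xCE && (h[1] & 0xff) == 0xCE
                && (h[2] & 0xff) == 0xCE && (h[3] & 0xff) == 0xCE) {
            return "JCEKS";
        }
        if (h.length >= 1 && (h[0] & 0xff) == 0x30) {
            return "DER SEQUENCE (PKCS#12, or a bare DER certificate)";
        }
        return "unknown";
    }

    /** Load under the declared type; null on success, otherwise the failure reason. */
    static String tryLoad(String file, String declaredType, char[] password) {
        InputStream in = null;
        try {
            in = new FileInputStream(file);
            KeyStore ks = KeyStore.getInstance(declaredType);
            ks.load(in, password);
            return null;
        } catch (Exception e) {
            return e.getClass().getSimpleName() + ": " + e.getMessage();
        } finally {
            if (in != null) { try { in.close(); } catch (IOException ignored) { } }
        }
    }

    public static void main(String[] args) throws IOException {
        String file = args[0], declaredType = args[1];   // e.g. truststore pkcs12 password (assumed)
        char[] password = args[2].toCharArray();
        byte[] head = new byte[4];
        InputStream in = new FileInputStream(file);
        try { in.read(head); } finally { in.close(); }
        System.out.println("header says : " + sniff(head));
        String err = tryLoad(file, declaredType, password);
        System.out.println("load as " + declaredType + " : " + (err == null ? "OK" : err));
    }
}
```

If the header says JKS while the properties declare pkcs12, either pass -Djavax.net.ssl.trustStoreType=JKS on the JConsole side or convert the file once with keytool -importkeystore -srcstoretype JKS -deststoretype PKCS12.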

Related

Error because of truststore certificate only if the orgin is not from localhost

Error:
io.apicurio.hub.core.exceptions.ServerError: Unexpected server error
at deployment.apicurio-studio-api.war//io.apicurio.hub.api.rest.impl.DesignsResource.createDesign(DesignsResource.java:497)
at deployment.apicurio-studio-api.war//io.apicurio.hub.api.rest.impl.DesignsResource$Proxy$_$$_WeldClientProxy.createDesign(Unknown Source)
at jdk.internal.reflect.GeneratedMethodAccessor284.invoke(Unknown Source)
at java.base/jdk.internal.reflect.DelegatingMethodAccessorImpl.invoke(DelegatingMethodAccessorImpl.java:43)
at java.base/java.lang.reflect.Method.invoke(Method.java:566)
at org.jboss.resteasy.resteasy-jaxrs#3.7.0.Final//org.jboss.resteasy.core.MethodInjectorImpl.invoke(MethodInjectorImpl.java:138)
When I use the following truststore, I get the above error if the origin is localhost or from Nginx:
-Djavax.net.ssl.trustStore=/tmp/trustStore.jks/trustStore.jks -Djavax.net.ssl.trustStorePassword=changeit -Djavax.net.ssl.keyStore=/tmp/trustStore.jks/trustStore.jks -Djavax.net.ssl.keyStorePassword=changeit
But when I use the following truststore, I get the above error only when the origin is Nginx, not localhost:
-Djavax.net.ssl.trustStore=/workspace/app/iKeystore.jks
-Djavax.net.ssl.trustStorePassword=changeit
What changes do I need to make so that it works when the origin is localhost and Nginx together?
The only difference between the certificates is that iKeystore.jks and trustStore.jks each use a different Keycloak.

Karaf: Connection refused (Corporate Proxy but proxy is correctly configured in Karaf/Maven)

I'm sitting behind a corporate proxy that has its own certificate. E.g. when I want my Java runtime to be able to communicate with the outer world I need to import my "corporate certificate" into the Java truststore, e.g. with keytool -import -keystore %JAVA_HOME%/jre/lib/security/cacerts -trustcacerts -file coorp-cert.crt
How do I import this certificate to Apache Karaf (4.3.0)?
Background:
I cannot install features into Karaf. E.g. karaf#root()> feature:repo-add ecf results in the error Error executing command: Connection refused: connect : [...]. The proxy is configured correctly (tested with maven:summary which displays valid "HTTP Proxies" values). So I suspect the missing proxy certificate is causing this problem.
Okay, although the commands http:proxy-list and maven:summary displayed the correct proxy settings, I fixed the problem by appending -Dhttps.proxyHost=<proxy url> -Dhttps.proxyPort=<proxy port> in the line starting with set DEFAULT_JAVA_OPTS in the $KARAF_HOME/bin/karaf.bat file. Alternatively one can probably set the JAVA_OPTS or EXTRA_JAVA_OPTS variables before starting karaf (haven't tested the latter, though).
The certificate apparently wasn't the problem.

Missing JKS truststorestore file in 'c:\ejbca\p12\truststore.jks' while installing Ejbca on Windows

I am installing EJBCA on Windows.
OS version: Windows Server 2016
Java: OpenJDK 8.0.242.08
Ant: ant 1.9.14
Database: MariaDB 10.4.12
Server: Wildfly 10.1.0
EJBCA Version: 6.15.2
Installation proceeded using this https://doc.primekey.com/ejbca6152/ejbca-installations/ejbca-main-installation manual.
Unfortunately the command ant deploy-keystore produces this error:
jee:deploytruststore:
BUILD FAILED
c:\ejbca\build.xml:844: The following error occurred while executing this line:
c:\ejbca\bin\jboss.xml:310: The following error occurred while executing this line:
c:\ejbca\bin\jboss.xml:294: Missing JKS truststorestore file in 'c:\ejbca/p12/truststore.jks'
It has a corresponding error (I think they are related):
ejbca:javatruststore:
[input] skipping input as property ca.name has already been set.
[echo] Getting root certificate in DER format...
[echo] ca getcacert "ManagementCA" C:\Users\tsaForFN\AppData\Local\Temp\2\/rootca.der -der
[java] Wrote CA certificate to 'C:\Users\tsaForFN\AppData\Local\Temp\2\/rootca.der' using DER encoding.
[echo] Adding to or creating keystore: c:\ejbca/p12/truststore.jks
ejbca:javatruststore-removeold:
[exec] keytool error: java.lang.Exception: Input not an X.509 certificate
[exec] java.lang.Exception: Input not an X.509 certificate
[exec] at sun.security.tools.keytool.Main.addTrustedCert(Main.java:2861)
[exec] at sun.security.tools.keytool.Main.doCommands(Main.java:1050)
[exec] at sun.security.tools.keytool.Main.run(Main.java:366)
[exec] at sun.security.tools.keytool.Main.main(Main.java:359)
[exec] Result: 1
[delete] Deleting: C:\Users\tsaForFN\AppData\Local\Temp\2\rootca.der
I tried to change the slashes but it still didn't work.
This is the log of Wildfly server
https://controlc.com/bb5d54f4
This is the log of EJBCA installation
https://controlc.com/f6f062d2
Properties are default except for the database, which is configured, working and not relevant right now.
Your issue is this: "Input not an X.509 certificate"
This is due to your usage of "implicitlyCA" in "install.properties", creating a CA certificate that is not usable by normal clients.
Initializing CA with 'ManagementCA' 'CN=ManagementCA,O=EJBCA Sample,C=SE' 'soft' '<ca.tokenpassword hidden>' 'implicitlyCA' 'ECDSA' '3650' 'null' 'SHA256withECDSA' -superadmincn 'SuperAdmin'...
You have configured the Management CA to use "implicitlyCA" ECDSA, which is not something that Java, Windows or any web servers and browsers support.
You need to use keys (in the ca.keyspec setting) that can be used for TLS connections, such as RSA 2048 or ECDSA prime256v1.
ImplicitlyCA can only be used if you are really really really sure what you are doing, and you use specific customer client software.
The step before is ant runinstall, which:
1. Creates the Management CA.
2. Creates TLS keystores for handling HTTPS, signed by the Management CA.
3. Creates the key store for the initial super administrator.
It might not have successfully completed the 2nd and 3rd steps.
So you need to delete all the data (rows) in all tables of your ejbca database, then from $EJBCA_HOME run:
ant -q clean deployear
ant runinstall
ant deploy-keystore
Inshaallah it will work

How to fix jarsigner issue used in command line windows giving "SocketException: Permission denied: connect"

I am trying to run the following jarsigner command:
jarsigner -keystore C:/keystore.p12 -storepass xyz jars_to_be_signed.jar friendly_name -tsa http://sha256timestamp.ws.symantec.com/sha256/timestamp -storetype pkcs12 -signedjar C:/signed.jar
Without timestamping, i.e. the -tsa option, it produces the signed jar properly. Hence signing is working.
But with timestamping, i.e. the -tsa option, it gives the following error:
jarsigner: unable to sign jar: java.net.SocketException: Permission denied: connect
On hitting the URL http://sha256timestamp.ws.symantec.com/sha256/timestamp, I get the following output: Invalid Content-Type: <empty>
It means port 80 is able to communicate.
I had previously enabled and then disabled Windows Firewall. Now the Windows Firewall shows: Windows Firewall state: off
And Kaspersky Security also does not have its firewall enabled.
Port 80 in the listening ports is being used by a system process, so I've not killed these 2 processes on port 80.
What could be the reason for SocketException: Permission denied: connect ?
Fixed the "SocketException: Permission denied: connect" problem by re-installing Kaspersky Security.
If anyone has this issue, check if a firewall is blocking the connection to your PC.

Error in configuration of Keystore , TrustStore in java

I want to access an SSL web service. I have generated the client bindings in NetBeans, generated a JKS and imported the client pfx file into client.jks with ckeystorepwd and calias. The web service producer has shared server.jks with srvalias and srvkeystorepwd.
I have configured the keystore and truststore in the NetBeans IDE, and when I run Main.java I am able to consume the web service. I want to consume the web service without the NetBeans IDE, so I need to configure the keystore and truststore (client.jks, server.jks) in the environment programmatically.
I have included the below code in my Main.java but it is giving the below error. Please guide me on how I can configure the keystore and truststore.
Main.java Code
// System.setProperty takes the bare property name; the "-D" prefix belongs only on the java command line.
System.setProperty("javax.net.ssl.keyStore", JKSFILE);
System.setProperty("javax.net.ssl.keyStorePassword", JKSPWD);
System.setProperty("javax.net.ssl.keyStoreType", "JKS");
System.setProperty("javax.net.ssl.trustStore", JKSFILET);
System.setProperty("javax.net.ssl.trustStorePassword", JKSPWDT);
System.setProperty("javax.net.ssl.requireClientAuth", "true");
// Dumps the SOAP request/response on the JAX-WS HTTP transport for debugging.
System.setProperty("com.sun.xml.ws.transport.http.client.HttpTransportPipe.dump", "true");
URL u = new URL(MAIN_URL);
IWebService service = new WebService(u).getWS2007HttpBindingIWebService();
Error
SEVERE: WSS1906: Invalid key provided for encryption/decryption.
java.security.InvalidKeyException: Illegal key size or default parameters
at javax.crypto.Cipher.a(DashoA13*..)
at javax.crypto.Cipher.a(DashoA13*..)
at javax.crypto.Cipher.a(DashoA13*..)
at javax.crypto.Cipher.init(DashoA13*..)
at javax.crypto.Cipher.init(DashoA13*..)
at com.sun.xml.ws.security.opt.impl.enc.CryptoProcessor.initCipher(CryptoProcessor.java:125)
at com.sun.xml.ws.security.opt.impl.enc.CryptoProcessor.encryptData(CryptoProcessor.java:269)
at com.sun.xml.ws.security.opt.impl.enc.CryptoProcessor.encrypt(CryptoProcessor.java:153)
at com.sun.xml.ws.security.opt.impl.util.CVDataHandler.writeTo(CVDataHandler.java:69)
at javax.activation.ObjectDataContentHandler.writeTo(Unknown Source)
at javax.activation.DataHandler$1.run(Unknown Source)
at java.lang.Thread.run(Unknown Source)
Exception in thread "DataHandler.getInputStream" com.sun.xml.wss.impl.XWSSecurityRuntimeException: Unable to calculate cipher value as invalid key was provided
Resolved the issue. I was not using the same JVM where I had copied the policy jar as part of the JCE-6 configuration in the Eclipse environment.
Now I have changed the JRE for the project and am able to run the program without any issue.
C:\Program Files (x86)\Java\jdk1.6.0_33\bin\java -jar "WSClient.jar"
You may have to install the unlimited strength encryption policy files: http://www.oracle.com/technetwork/java/javase/downloads/jce-6-download-429243.html
Java doesn't ship with strong encryption due to US export laws against encryption, but you can enable it separately by replacing the local_policy.jar and US_export_policy.jar from the download above in $JAVA_HOME/lib/security.
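Added example, not the poster's code: the same client.jks and server.jks wired into the TLS layer explicitly through an SSLContext, with a check for the limited JCE policy behind "Illegal key size" before any call is made. The file names and passwords are the ones the post mentions and are assumed; the key entry password is assumed to equal the store password.

```java
import java.io.FileInputStream;
import java.io.InputStream;
import java.security.KeyStore;
import javax.crypto.Cipher;
import javax.net.ssl.HttpsURLConnection;
import javax.net.ssl.KeyManagerFactory;
import javax.net.ssl.SSLContext;
import javax.net.ssl.TrustManagerFactory;

public class WsClientTls {

    /** Load a JKS file; the password is needed so the store's integrity check runs. */
    static KeyStore loadJks(String path, char[] pw) throws Exception {
        KeyStore ks = KeyStore.getInstance("JKS");
        InputStream in = new FileInputStream(path);
        try { ks.load(in, pw); } finally { in.close(); }
        return ks;
    }

    /** Client identity from client.jks; trust anchors from server.jks only, not from cacerts. */
    static SSLContext build(String clientJks, char[] clientPw,
                            String serverJks, char[] serverPw) throws Exception {
        KeyManagerFactory kmf = KeyManagerFactory.getInstance(KeyManagerFactory.getDefaultAlgorithm());
        kmf.init(loadJks(clientJks, clientPw), clientPw);   // assumption: key password == store password
        TrustManagerFactory tmf = TrustManagerFactory.getInstance(TrustManagerFactory.getDefaultAlgorithm());
        tmf.init(loadJks(serverJks, serverPw));
        SSLContext ctx = SSLContext.getInstance("TLS");
        ctx.init(kmf.getKeyManagers(), tmf.getTrustManagers(), null);
        return ctx;
    }

    /** The limited policy caps AES at 128 bits; WS-Security using AES-256 then fails with "Illegal key size". */
    static boolean unlimitedCryptoPolicy() throws Exception {
        return Cipher.getMaxAllowedKeyLength("AES") >= 256;
    }

    public static void main(String[] args) throws Exception {
        if (!unlimitedCryptoPolicy()) {
            throw new IllegalStateException("Limited JCE policy in this JRE: AES max "
                    + Cipher.getMaxAllowedKeyLength("AES") + " bits; install the unlimited policy files");
        }
        // Paths and passwords are assumptions taken from the post's description.
        SSLContext ctx = build("client.jks", "ckeystorepwd".toCharArray(),
                               "server.jks", "srvkeystorepwd".toCharArray());
        // JAX-WS HTTPS transport goes through HttpsURLConnection, so this replaces the javax.net.ssl.* properties.
        HttpsURLConnection.setDefaultSSLSocketFactory(ctx.getSocketFactory());
        // WS-Security (WSS1906) key material is configured separately from this TLS layer.
        // IWebService service = new WebService(new URL(MAIN_URL)).getWS2007HttpBindingIWebService();
    }
}
```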
