How can I connect securely to a remote WebSphere server? - java

I use AdminClient for secure connection to local websphere server:
java.util.Properties props = new java.util.Properties();
props.setProperty(AdminClient.CONNECTOR_TYPE, AdminClient.CONNECTOR_TYPE_SOAP);
props.setProperty(AdminClient.CONNECTOR_HOST, "localhost");
props.setProperty(AdminClient.CONNECTOR_PORT, "8880");
props.setProperty(AdminClient.CONNECTOR_SECURITY_ENABLED, "true");
props.setProperty(AdminClient.USERNAME, "admin");
props.setProperty(AdminClient.PASSWORD, "111111");
props.setProperty("javax.net.ssl.trustStore", "C:/WAS/AppServer/profiles/AppSrv01/etc/DummyClientTrustFile.jks");
props.setProperty("javax.net.ssl.keyStore", "C:/WAS/AppServer/profiles/AppSrv01/etc/DummyClientKeyFile.jks");
props.setProperty("javax.net.ssl.trustStorePassword", "WebAS");
props.setProperty("javax.net.ssl.keyStorePassword", "WebAS");
client = AdminClientFactory.createAdminClient(props);
It works perfectly. But if I try to connect securely to a remote URL (IP or hostname), this code does not work and throws SSL exceptions. I think the problem is in the cert files:
props.setProperty("javax.net.ssl.trustStore", "C:/WAS/AppServer/profiles/AppSrv01/etc/DummyClientTrustFile.jks");
props.setProperty("javax.net.ssl.keyStore", "C:/WAS/AppServer/profiles/AppSrv01/etc/DummyClientKeyFile.jks");
How can I retrieve these certificates from the remote server using Java and make a secure connection with AdminClient?

You will need to extract the remote signer certificate and import it into the local WebSphere trust keystore. To do this you can use the ikeyman utility to open the remote keystore and export the certificate, and then use the same utility to import the cert into the local WebSphere trust store.
The SSL exception should give a clue as to what signer certificate you need to extract from the remote server and import into the local trust store.
Have a look at http://www-01.ibm.com/software/webservers/httpservers/doc/v1312/ibm/9atikeyu.htm (Exporting Keys and Importing Keys section).
Also, a similar question has already been addressed here:
telling java to accept self-signed ssl certificate

I'd suggest not putting it in your code, but adding the WebSphere certificate to the Glassfish trusted certs. So you need to perform the following steps:
1. Extract the certificate from WebSphere - the easiest way is to access any application running on WAS via https using a browser and save the certificate to a file.
2. Import that certificate using keytool into the Glassfish trusted store. It should be domains/domain1/config/cacerts.jks (I'm not a Glassfish expert, so the path might be different).
Then you should no longer need to set all these javax.net.ssl.* properties.
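
As an added example (not part of the original posts and not IBM's tooling), the Java program below shows one way to do what the answers describe: read the certificate chain the remote server presents, compare the signer's SHA-256 fingerprint with a value obtained out of band from the server's administrator, and only then add it to a local JKS trust store. The class name, the argument order and the alias remote-was-signer are assumptions made for this example.

```java
import javax.net.ssl.*;
import java.io.*;
import java.security.KeyStore;
import java.security.MessageDigest;
import java.security.cert.CertificateException;
import java.security.cert.X509Certificate;

// Args: <host> <port> <expected-sha256-hex> <truststore.jks> <storepass> (order is this example's assumption)
public class FetchSigner {
    public static void main(String[] a) throws Exception {
        final X509Certificate[][] seen = new X509Certificate[1][];
        // Capture-only trust manager: records the chain, then always rejects,
        // so no application data is ever sent over the unverified connection.
        X509TrustManager capture = new X509TrustManager() {
            public void checkClientTrusted(X509Certificate[] c, String t) throws CertificateException {
                throw new CertificateException("client auth not expected");
            }
            public void checkServerTrusted(X509Certificate[] c, String t) throws CertificateException {
                seen[0] = c;
                throw new CertificateException("captured only, handshake aborted");
            }
            public X509Certificate[] getAcceptedIssuers() { return new X509Certificate[0]; }
        };
        SSLContext ctx = SSLContext.getInstance("TLS");
        ctx.init(null, new TrustManager[] { capture }, null);
        try (SSLSocket s = (SSLSocket) ctx.getSocketFactory().createSocket(a[0], Integer.parseInt(a[1]))) {
            s.startHandshake();
        } catch (SSLException expected) { /* aborted by design once the chain is captured */ }
        if (seen[0] == null) throw new IOException("no certificate chain received");

        // Last certificate presented: the signer (root) if the server sends its full chain.
        X509Certificate signer = seen[0][seen[0].length - 1];
        StringBuilder hex = new StringBuilder();
        for (byte b : MessageDigest.getInstance("SHA-256").digest(signer.getEncoded()))
            hex.append(String.format("%02x", b));
        System.out.println(signer.getSubjectX500Principal() + " sha256=" + hex);
        // Import only if it matches the fingerprint obtained out of band.
        if (!hex.toString().equalsIgnoreCase(a[2].replace(":", "")))
            throw new SecurityException("fingerprint mismatch, not importing");

        KeyStore ks = KeyStore.getInstance("JKS");
        File f = new File(a[3]);
        try (InputStream in = f.exists() ? new FileInputStream(f) : null) {
            ks.load(in, a[4].toCharArray());   // null stream creates an empty store
        }
        ks.setCertificateEntry("remote-was-signer", signer); // alias is a placeholder
        try (OutputStream out = new FileOutputStream(f)) { ks.store(out, a[4].toCharArray()); }
    }
}
```

The resulting file can then be used as the javax.net.ssl.trustStore value in place of the local profile's DummyClientTrustFile.jks.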

Related

Can I use SSL certificates using truststore and keystore in BIRT Report Designer to connect to database?

You must copy the SSL cert from the server to a file, import the certificate into the Java keystore, and modify the WSDL URL or Location field in Eclipse.
Here is a step-by-step guide to configuring it: Setting up the DataSource

How to change default https certificate for web services in Dataminder?

When installing Dataminder, two web service ports are set up. One for http and the other for https.
A self-signed certificate is created during installation.
But we need to use a certificate from a certificate authority.
How do you change the certificate used on web service https port?
To replace the default self-signed certificate with certificates from a certificate authority, the simplest approach is to replace the DMKeyStore file (which is just a standard Java Keystore file) with a new Java Keystore file containing the new certificates.
Note that the new Keystore file must be named and placed at the default destination:
DataMinder/Server/Config/Certificates/DMKeyStore
To start using the new certificates file, update the DataMinder properties file:
DataMinder/Server/Config/DataMinder.properties
The properties to update are:
dataminder.environment.web.https.keyStorePassword=...
dataminder.environment.web.https.keyAlias=...
dataminder.environment.web.https.keyPassword=....
Update the properties and restart DataMinder. Now DataMinder will use the new certificates.
Note: The certificates are used both for the admin HTTPS and Web Service HTTPS ports.

Why has the SOAP request been accepted from SoapUI without configuring the trust-store location?

I built a web-service application in JDeveloper 11.1.1.7 and deployed it on WebLogic 10.3.6 with all key-store and SSL configuration.
SSL Configuration:
Use Server Certs: Checked
Two Way Client Cert Behavior: Client Certs Not Requested. [That means it is one-way SSL. Correct me if that is wrong.]
SSL Listen Port Enabled: Checked
Key-store Configuration:
Custom Identity and Custom Trust. The file path has been specified for those custom key stores.
A sample client application has been created and everything seems to be fine; I mean the client cannot access the server application without specifying the trust store file location where the server certificate is stored and trusted at the client end.
By the server certificate I mean the same certificate that has been configured in the server key-store configuration.
For your information, the client application refers to the trust store as follows:
System.setProperty("javax.net.ssl.trustStore",[Trust-store location goes here]);
System.setProperty("javax.net.ssl.trustStorePassword", [password goes here]);
Till now nothing wrong. Next is the problem details:
For the purpose of testing I tried to access the deployed web-service application using SoapUI (open source software). What is confusing is that the request was sent, accepted at the server and processed without specifying anything for the server certificate or trust store location in the SoapUI project configuration!
Why has the SOAP request been accepted from SoapUI without referring to the server certificate? The request should be rejected in this case.

My experience with SoapUI is that it is quite lenient. For example, it doesn't check if the CN of the server certificate matches the fully qualified domain name in the URL. In your case, your server most likely uses a CA-signed certificate. Most of the root and intermediate certificates of well-known CAs (e.g. VeriSign/Symantec) are already included in the default truststores for most systems. If your server had used a self-signed certificate, then SoapUI would have incurred an SSL error unless you imported the self-signed certificate into the truststore of the host where SoapUI is running.

ssl certificate error: unable to get local issuer certificate

This website, https://dcs1.noaa.gov, recently updated their SSL certification. Since that change I cannot grab a file from there that I need. I get the following error:
--08:37:12-- https://dcs1.noaa.gov/pdts_compressed.txt
=> `pdts_compressed.txt'
Resolving dcs1.noaa.gov... 205.156.2.181
Connecting to dcs1.noaa.gov|205.156.2.181|:443... connected.
ERROR: Certificate verification error for dcs1.noaa.gov: unable to get local issuer certificate
To connect to dcs1.noaa.gov insecurely, use `--no-check-certificate'.
Unable to establish SSL connection.
I am running Red Hat Linux 4.x and updated all the openssl packages. The usual process I use to access this file is running in Java and uses URL.openStream() to read the file. The command wget also does not work so I am assuming that it is an SSL problem and not a Java problem.

The cert is issued by Verisign, probably their root cert is in your server's root cert store. Open the webpage from your machine in a browser and you will see the cert is valid. You can also try to wget from another machine and it will work too.

Probably, the new server certificate is issued by an issuing authority that is not trusted by you. You need to import the issuing authority's certificate into your truststore.

You could try testing the SSL connection with openssl's s_client. I recently had a similar problem and had it resolved. Here's a link to that solution. It also includes information on how to use s_client to test an SSL connection.
SSL Error: unable to get local issuer certificate

SSL setup on WebSphere 6.1 for Windows

I'm a bit of a newbie when it comes to SSL security on WebSphere.
But basically I am calling a URL from my Java application hosted on WebSphere 6.1. The URL is a web service which is secured via SSL. As an example my URL is:
https://servername:portname/service
I call the web service using cURL using:
--cert test.cer --key test-privkey.pem --pass "Password"
i.e. I have a .CER file and a .PEM file.
Please could someone advise how I configure WebSphere (through the Admin console) to secure "https://servername:portname/service" using the CER file and PEM file I have.
Thank you.
http://publib.boulder.ibm.com/infocenter/wasinfo/v6r1/index.jsp?topic=/com.ibm.websphere.express.doc/info/exp/ae/tsec_sslexchangesigncerts.html
Whenever using an SSL URL, the JVM tries to recognize the certificate based on its trust store. The truststore file is named 'cacerts' and is present in the java/jre/lib/security folder. For the webapp to recognize the SSL certificate, the root certificates* of the service must be imported into the cacerts store. This can be done with the help of 'keytool -import' in the java/jre/bin folder.
* The root certificate is that of the Certifying Authority [CA] of a service, i.e. the organization that provides the SSL certificate will have a CA cert to identify itself.
Let me know if you need more details.
