I'm a bit of a newbie when it comes to SSL security on WebSphere.
But basically I am calling a URL from my Java application hosted on WebSphere 6.1. The URL is a web service which is secured via SSL. As an example my URL is:
https://servername:portname/service
I call the web service using cURL using:
--cert test.cer --key
test-privkey.pem --pass "Password"
i.e. I have a .CER file and a .PEM file.
Please could someone advise how I configure WebSphere (through the Admin console) to secure "https://servername:portname/service" using the CER file and PEM file I have.
Thank you.
Whenever using a SSL URL, the JVM tries to recognize the certificate based on its trust store. The truststore file is named 'cacerts' and is present in the java/jre/lib/security folder.For the Webapp to recognize the SSL certificate, the root certificates* of the service must be imported into the cacerts store. This can be done with the help of 'keytool -import' in the java/jre/bin folder.
http://publib.boulder.ibm.com/infocenter/wasinfo/v6r1/index.jsp?topic=/com.ibm.websphere.express.doc/info/exp/ae/tsec_sslexchangesigncerts.html
Whenever using a SSL URL, the JVM tries to recognize the certificate based on its trust store. The truststore file is named 'cacerts' and is present in the java/jre/lib/security folder.For the Webapp to recognize the SSL certificate, the root certificates* of the service must be imported into the cacerts store. This can be done with the help of 'keytool -import' in the java/jre/bin folder.
Root certificate is the Certifying Authority [CA] of a service i.e the Organization that provides the SSL certificate will have a CA cert to identify itself.
Let me know if you need more details.
Related
When installing Dataminder, two web service ports are set up. One for http and the other for https.
A self-signed certificate is created during installation.
But we need to use a certificate from a certificate authority.
How do you change the certificate used on web service https port?
To replace the default self-signed certificate with certificates from a certificate authority the simplest is to replace
the DMKeyStore file (which is just a standard Java Keystore file) with a new Java Keystore file containing the new certificates.
Note that the new Keystore file must be named and placed at default destination:
DataMinder/Server/Config/Certificates/DMKeyStore
To start using the new certificates file update the DataMinder properties file:
DataMinder/Server/Config/DataMinder.properties
The properties to update are:
dataminder.environment.web.https.keyStorePassword=...
dataminder.environment.web.https.keyAlias=...
dataminder.environment.web.https.keyPassword=....
Update the properties and restart DataMinder. Now DataMinder will use the new certificates.
Note: The certificates are used both for the admin HTTPS and Web Service HTTPS ports.
I am trying to set up SSL certificates for Openfire XMPP server.
I deleted keystore file from /etc/openfire/security/ folder and have done all SSL cert setup procedures using web interface:
Generated CSR file from web interface
Placed this files contents on Comodo's website
Got CA keychain
Placed it's contents on web interface
This was all successful - the web interface shows success message
SSL successfully installed on Openfire server.
However I can't see any keystore file. Will this cause me any problems?
I built a Web-Service application in Jdeveloper 11.1.1.7 and deployed it on weblogic 10.3.6 with all Key-store and SSL configuration.
SSl Configuration:
Use Server Certs : Checked
Two Way Client Cert Behavior: Client Certs Not Requested. [That is means it is one-way ssl.
Correct me if that wrong]
SSL Listen Port Enabled: Checked
Key-store Configuration:
Custom Identity and Custom Trust. The file path has been specified for those custom key store
A sample client application has been created and everything seems to be fine; I mean the client can not access the server application without specifying the trust store file location where the server certificate is stored and it is trusted at the client end.
By the server certificate I mean the same certificate that has been configured in server Key-store Configuration
for your information the client application referring to trust store as follow:
System.setProperty("javax.net.ssl.trustStore",[Trust-store location goes here]);
System.setProperty("javax.net.ssl.trustStorePassword", [password goes here]);
Till now nothing wrong. Next is the problem details:
For the purpose of testing I tried to access the deployed web-service application using the SoapUI (open source software). What is confusing is the request has been sent, accepted at the server and proceed without specifying any thing for server certificate nor trust store location in SoapUI project configuration !!
Why the SOAP request has been accepted from SoapUI without referring to server certificate? The request should be rejected in this case.
My experience with SoapUI is that it is quite lenient. For example, if it doesn't check if the CN of server certificate matches the fully qualified domain name in the URL. In your case, your server most likely uses a CA signed certificate. Most of the root and intermediate certificates of well known CA's (e.g. VeriSign/Symantec) are already included in the default truststores for most systems. If your server had used a self-signed certificate, then SoapUI would have incurred SSL error unless you import the self-signed certificates into the truststore of the host where SoapUI is running.
In my project,I have integrated Spring Security with CAS server authentication. Now my project is an http application where as the CAS server is an Https application. I was getting following exception after Spring Security and CAS integration: sun.security.provider.certpath.SunCertPathBuilderException: unable to find valid certification path to requested target
In order to solve this error ,I replaced CAS server usr\java\jre\lib\security\cacerts file with my local usr\java\jre\lib\security\cacerts file. After this step the error was gone.
Now I want to deploy my application to some other server. In this new server some other applications are also deployed which may be using different CAS authentication. I cannot directly replace my CAS server cacerts file with this new server cacerts file as in that other application deployed may fail.Right? Can anyone suggest what should I do so that cacerts can be merged,or what should be done? i got to know a command called as keytool but unable to understand how it could be used to merge cacerts file. I dont know how to get my CAS server .cer file,I got to know this could be used in merging,please suggest solution
There is a missunderstanding here.
cacerts is Java's default truststore containing all the trusted certificates for known CA's (Verisign etc). So java can by default trust these certificates same way that your browser does.
This truststore should be used when you want to connect to servers that are signed by these CAs.
In all other cases you are expected to use your own custom truststore so that you can trust specific servers.Actually this is the norm.
So what you should be doing is to load in your code your own truststore and provide that to Java's JSSE to use for authentication during handshake
I have a web service deployed on tomcat hosted on a remote server.
I have set it up such that it can be accessed only via HTTPS.
For this, I generated a Certificate Signing Request (CSR) and used it to get a temporary certificate from VeriSign.
My web service client is on my local machine. If I try to access the service it will throw a javax.net.ssl.SSLHandshakeException:unable to find valid certification path to requested target
If I install the certificate in to local Java's keystore, the issue will be resolved.
My question is if I install a valid SSL certificate from a CA in to my tomcat server,
will I get this client-side error even if I do not import the certificate to local key store?
No, you won't. JVM ships with root ca's by default. The older JVMs (1.5.xx version) don't have all root CA's, but if you have a certificate from Verisign it shouldn't be a problem.
Java has many root CA certificates already installed. As long as you use one of those popular CAs to get your certificate, the client will not receive an error.
While you should be fine, its a good idea to include not only the actual certificate for your site, but also the entire chain leading up to the root certificate. (Sometimes you'll bump into clients which are missing some intermediate certificates and this can cause annoying debugging problems.)