Can't build keystore: [Private key missing (bad password?)] - SOAPUI - ssl

I got a serious problem while making an SSL request to the server with SOAPUI. I am a newbie in SoapUI and maybe I did something wrong while trying to import the certificate into SOAPUI.
My client sends me:
Root CA
Intermediate CA
SSL CA
Private Key
I am using keytool to generate a keystore with a password by the command
keytool -genkey -alias soapui -keyalg RSA -keystore soapui.keystore
And then I tried to export this keystore with my SSL CA
keytool -export -alias soapui -file SSL.cer -keystore soapui.keystore
And then I import this into Keystores in the SoapUI.
However, I got the error
ERROR:java.security.KeyStoreException: Can't build keystore: [Private key missing (bad password?)]
I have no idea where I am wrong.
Could anyone please indicate what are the steps I should work on to make the SSL request to SoapUI?
Please help
Thank you.

I assume you need to make a Two-Way SSL connection with a client certificate.
Firstly you need to make a keystore (JKS) containing:
your private key
all certificates upwards including the root CA
Maybe using https://keystore-explorer.org/ may help you to understand and verify the content of your keystore.
There are multiple ways to configure the client certificate in SoapUI:
If you use the global configuration (File - Preferences - SSL Settings), there is only one password to be set. Make sure your keystore password and key password are equal.
If you use the setup on the project level, you are allowed to enter two passwords.
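A way to verify the two requirements above (a private key entry that opens with the key password, and a chain that reaches the root CA) before loading the store into SoapUI; this is an added example, not code from the question or the answers, and the file name and password in main are placeholders.

```java
import java.io.FileInputStream;
import java.io.InputStream;
import java.security.KeyStore;
import java.security.PrivateKey;
import java.security.cert.Certificate;
import java.security.cert.X509Certificate;
import java.util.Collections;

// Reports whether a JKS keystore is usable for client (two-way SSL) authentication:
// at least one PrivateKeyEntry whose key opens with keyPass and whose certificate
// chain ends in a self-signed root. Entries holding only a certificate are listed
// so you can see what keytool -import / -importcert actually put in the store.
public class ClientKeystoreCheck {

    public static boolean hasUsableClientEntry(String path, char[] storePass, char[] keyPass)
            throws Exception {
        KeyStore ks = KeyStore.getInstance("JKS");
        try (InputStream in = new FileInputStream(path)) {
            ks.load(in, storePass);            // a wrong store password fails here
        }
        boolean usable = false;
        for (String alias : Collections.list(ks.aliases())) {
            if (!ks.isKeyEntry(alias)) {
                System.out.println(alias + ": trusted certificate only, no private key");
                continue;
            }
            // A wrong key password throws UnrecoverableKeyException here
            PrivateKey key = (PrivateKey) ks.getKey(alias, keyPass);
            Certificate[] chain = ks.getCertificateChain(alias);
            X509Certificate top = (X509Certificate) chain[chain.length - 1];
            // The last certificate is the root only if it signed itself
            boolean rootIncluded = top.getSubjectX500Principal().equals(top.getIssuerX500Principal());
            System.out.printf("%s: %s private key, chain length %d, root CA included: %b%n",
                    alias, key.getAlgorithm(), chain.length, rootIncluded);
            usable |= rootIncluded;
        }
        return usable;
    }

    public static void main(String[] args) throws Exception {
        // Placeholder file name and password. SoapUI's global SSL settings take a
        // single password, so keep the store and key passwords identical.
        char[] pw = "changeit".toCharArray();
        System.out.println("usable for client auth: "
                + hasUsableClientEntry("soapui.keystore", pw, pw));
    }
}
```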

Related

how to convert a pki to jks if I don't have the private key?

The company signs its own certificates, so this is giving problems to validate. I have added the custom CA authority to a pod running Jenkins, so now I can curl successfully against a service. The thing is that I'm trying to use a Jenkins plugin which continues to give an SSL error, so I think the problem is that I need to add the certs in JKS format, but all the info I found to convert a PEM to JKS is with the private key, which I don't have.
The plugin which I need to make work is the Micro Focus Fortify plugin.
How do I convert a public CA authority to JKS if I don't have the private key?
I'm guessing you're just trying to add your internal CA cert to the cacerts file that your Jenkins server is using. The cacerts file is a keystore file that contains all of the public certs for trusted CAs, and it will be located with the Java installation that your Jenkins server is using.
Please note that if you're trying to trust other certs that were signed by your CA, then you only need your CA's public certificate. You do not require the CA's private cert. If you have an admin who gives out the private cert/key to anyone, you should probably slap that person because that is a major security risk.
When Jenkins starts up, it will use the public CA certs from that cacerts file which will also be used by any Jenkins plugins that you use.
To import a new CA cert, you just need the cert to be in base64 format. You can use the following command to import:
keytool -importcert -file yourCAcert.pem -keystore cacerts -alias "YourCertAlias"

RestTemplate certificate issue

I am passing certificates in RestTemplate request header. I get 403 forbidden error. How can I display the certificate information at my end before I make a call to the web service? I am using below code to pass certificate in request header.
What is the right way to send a client certificate with every request made by the resttemplate in spring?
Not sure about the 403 as I'm a newbie on certs & stuff, but for your other questions (I know this is late but it might help someone who comes across this page):
Java Keytool commands for checking:
keytool comes with the JDK.
If you need to check the information within a certificate, or Java keystore, use these commands.
Check a stand-alone certificate:
keytool -printcert -v -file mydomain.crt
Check which certificates are in a Java keystore:
keytool -list -v -keystore keystore.jks
Check a particular keystore entry using an alias:
keytool -list -v -keystore keystore.jks -alias mydomain
First, I would suggest verifying in your REST client whether you're able to access the REST endpoint or not by importing the cert & key files:
https://www.getpostman.com/docs/v6/postman/sending_api_requests/certificates
Helpful links:
https://www.sslshopper.com/article-most-common-java-keytool-keystore-commands.html

Is a Keytool certificate free?

In our application we are creating a client and server that talk with each other using SSL authentication. I did a POC which downloads a certificate using the following command:
keytool -genkey -keystore yourKEYSTORE -keyalg RSA
Need to know if the certificate created by the above command is free to use?
It's free to use but it is self-signed, which makes it basically useless unless you can go through all the steps required to get the peers to trust it.
Failing that, you need to generate a certificate request from this, get it signed, and import the resulting signed certificate into that keystore using the same alias you used here.

CertificateException when testing with arquillian on glassfish-remote

When trying to run tests with Arquillian with the adminHttps option set to true, I got an exception:
Could not connect to DAS on: (...) | java.security.cert.CertificateException: No subject alternative names present
org.jboss.arquillian.container.spi.client.container.LifecycleException: Could not connect to DAS on: (...) | java.security.cert.CertificateException: No subject alternative names present
at org.jboss.arquillian.container.glassfish.CommonGlassFishManager.start(CommonGlassFishManager.java:77)
at org.jboss.arquillian.container.glassfish.remote_3_1.GlassFishRestDeployableContainer.start(GlassFishRestDeployableContainer.java:59)
at org.jboss.arquillian.container.impl.ContainerImpl.start(ContainerImpl.java:199)
The examples which I found were without SSL turned on.
I think that I should import a certificate, but I can't find how, or if it's really that problem. Any idea? Thanks for suggestions.
Whilst the accepted answer shows that this problem was due to the use of the container's self-signed certificate, it doesn't explain how the problem can be overcome. Hopefully this answer will help anyone having the same problem.
You can import the container's self-signed certificate into a keystore using the following command:
keytool -import -alias glassfish -file mycert.cer -keystore truststore.jks -storepass changeit
Change mycert.cer to the location of the certificate file.
Change truststore.jks to the location of the keystore you want to use to store the certificate. This can either be a new keystore or an existing one. The storepass parameter is the password for the keystore. If you are using an existing keystore then you will need to specify the password associated with the keystore.
Once you have imported the self signed certificate into the keystore you need to tell the JVM running Arquillian to use the keystore. This can be done by setting the system parameter javax.net.ssl.trustStore to the location of the keystore. For example javax.net.ssl.trustStore=truststore.jks
The problem was caused by the certificate. When deploying to another server you should import the certificate from that server into the current machine (when using self-signed certificates).

Configuring Glassfish as a client of web services using mutual SSL

I'm trying to request data from a web service which requires a client certificate to be presented by a client. The server uses SSL for all communications, and uses a self-signed certificate. I gave Netbeans the service's WSDL file and it generated client code with wsimport.
I have no issues when my client code is written in a regular Java application; I set the trust store to the cacerts file containing the server's certificate, set the key store to be a file provided by the server admin in JKS format containing 2 keys - a client private key and the server's public key, build the request object, and send the request.
The problem comes when I move it to an enterprise Java environment. Requirements dictate that the code must be an Enterprise JavaBean inside an Enterprise Archive running on the Glassfish application server. It appears that Glassfish has its own security settings which override the JVM's settings. When the EJB method containing the web service call runs, the SSL negotiation fails: javax.net.ssl.SSLHandshakeException: sun.security.validator.ValidatorException: PKIX path building failed: sun.security.provider.certpath.SunCertPathBuilderException: unable to find valid certification path to requested target. I don't know how to set Glassfish's security settings up like my JVM's settings, can anyone explain Glassfish's security settings? The research I have done has only shown how to set up Glassfish as a web service server, not as a web service client.
I have a .cer certificate file for the server which I added to my trust store by using Java's keytool to add it to the default cacerts file.
Would it be better to modify cacerts file with InstallCert to include the self-signed certificate, following the steps at http://blog.johnryding.com/post/1548502059/acquire-an-ssl-certificate-for-your-java-programs-in-win?
I have the trust store file, key store file, along with a .cer certificate file and a .p12 browser certificate, stored in $JAVA_HOME/jre/lib/security and $JAVA_HOME/lib/security.
I'm using Netbeans 6.9.1 and Glassfish 3.1 Final. The relevant piece of code is below, copied from my EJB. The exception occurs at the last line.
// JVM-wide SSL settings: trust store for validating the server, key store holding the client certificate
System.setProperty("javax.net.ssl.trustStore", "C:\\jssecacerts");
System.setProperty("javax.net.ssl.trustStorePassword", "changeit");
System.setProperty("javax.net.ssl.keyStore", "C:\\userCertificate.jks");
System.setProperty("javax.net.ssl.keyStorePassword", "password");
// Build the request for the wsimport-generated client
RequestObject request = new RequestObject(); // original was missing the ()
request.setQuery("some data");
request.setUsername("user");
request.setPassword("pass");
Service service = new Service();
Endpoint port = service.getWebServicePort();
// The SSL handshake happens on this call; this is where the exception is thrown
Result result = port.specificWebServiceMethod(request);
I faced the same exception that Jacques Pritchard described above:
javax.net.ssl.SSLHandshakeException: sun.security.validator.ValidatorException: PKIX path building failed: sun.security.provider.certpath.SunCertPathBuilderException: unable to find valid certification path to requested target
I solved it importing the root certificate in both cacerts.jks and keystore.jks, using the following commands:
/usr/java/jdk1.6.0_25/bin/keytool -import -trustcacerts -file root_ca.cer -alias rootca -keystore cacerts.jks
/usr/java/jdk1.6.0_25/bin/keytool -import -trustcacerts -file root_ca.cer -alias rootca -keystore keystore.jks
It's important to say that the alias rootca is a name I defined myself to label the certificate. You can choose any name also.
Instead of using the global system properties, you should create a separate SSLContext for your client. Whether or not it runs within a Glassfish server doesn't really matter, then.
Here is a question that should be relevant (about client-certificates for WS): Choosing SSL client certificate in Java
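The dedicated SSLContext suggested above, as an added example that is not from the question or any of the answers: it builds the context from an explicit key store and trust store and applies it per connection, so nothing depends on the javax.net.ssl.* system properties that the container may override. File names, passwords and the URL are placeholders.

```java
import java.io.FileInputStream;
import java.io.InputStream;
import java.net.URL;
import java.security.KeyStore;
import javax.net.ssl.HttpsURLConnection;
import javax.net.ssl.KeyManagerFactory;
import javax.net.ssl.SSLContext;
import javax.net.ssl.TrustManagerFactory;

public class ClientSslContext {

    private static KeyStore load(String path, char[] pass) throws Exception {
        KeyStore ks = KeyStore.getInstance("JKS");
        try (InputStream in = new FileInputStream(path)) {
            ks.load(in, pass);
        }
        return ks;
    }

    // Presents the client certificate from keyStorePath and trusts only the
    // certificates in trustStorePath (e.g. the server's self-signed cert or its root CA).
    // No System.setProperty calls, so the container's own SSL settings do not interfere.
    public static SSLContext build(String keyStorePath, char[] storePass, char[] keyPass,
                                   String trustStorePath, char[] trustPass) throws Exception {
        KeyManagerFactory kmf = KeyManagerFactory.getInstance(KeyManagerFactory.getDefaultAlgorithm());
        kmf.init(load(keyStorePath, storePass), keyPass);   // keyPass opens the private key entry

        TrustManagerFactory tmf = TrustManagerFactory.getInstance(TrustManagerFactory.getDefaultAlgorithm());
        tmf.init(load(trustStorePath, trustPass));

        SSLContext ctx = SSLContext.getInstance("TLS");
        ctx.init(kmf.getKeyManagers(), tmf.getTrustManagers(), null); // null = default SecureRandom
        return ctx;
    }

    public static void main(String[] args) throws Exception {
        // Placeholder paths and passwords
        SSLContext ctx = build("userCertificate.jks", "password".toCharArray(), "password".toCharArray(),
                               "jssecacerts", "changeit".toCharArray());
        HttpsURLConnection conn = (HttpsURLConnection) new URL("https://service.example/ws").openConnection();
        conn.setSSLSocketFactory(ctx.getSocketFactory());   // scoped to this connection, not the JVM
        System.out.println("HTTP " + conn.getResponseCode());
    }
}
```

For a wsimport-generated JAX-WS RI (Metro) client, the same socket factory can be handed to the port through its BindingProvider request context under the key "com.sun.xml.ws.transport.https.client.SSLSocketFactory".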
I had this exact problem (with Glassfish 3.0.1).
Here are the exact steps we took to resolve this.
a. Use the Java keytool command to view the keystore to see what's in it. This is helpful later on to see if there are any changes. The command goes something like:
keytool -list -keystore MyKeyStore.jks
b. Convert the pfx to a pem using openssl. Note that I used the correct password for the input pfx and the same password as my Java keystore for the pem file output.
openssl pkcs12 -in MyPfxFile.pfx -out MyPemFile.pem
c. Convert the pem file to a p12, which can easily be imported into a Java keystore. Note that I used the same password from my Java keystore as I did on the input and output files.
openssl pkcs12 -export -in MyPemFile.pem -out MyP12File.p12
d. Now I finally import the p12 into my Java keystore. Note that I used Java 6; the Java 5 keytool doesn't have support for the -importkeystore argument.
keytool -importkeystore -deststorepass MyPassword -destkeystore PathToMyKeystore/keystore.jks -srckeystore MyP12File.p12 -srcstoretype PKCS12 -srcstorepass MyPassword
You can list the keystore contents here, something like this: keytool -list -keystore keystore.jks, just to ensure that your new key was imported correctly.
If you're lucky like I am, you'll find that starting up your app server at this point will be of no use. You'll see errors like something about a PKIX path or something about HTTP 403 Forbidden.
The steps used above worked perfectly for Sun Application Server 9.1_1 but not for Oracle Glassfish 3.0.1. I'm thinking this has something to do with the version of JSSE used in ogs 3 compared to Sun App Server or jdk versions. Adding the jvm option below to your ogs 3 domain.xml file should resolve the issue if simply adding the client cert to the keystore didn't.
<jvm-options>-Djava.protocol.handler.pkgs=com.sun.net.ssl.internal.www.protocol</jvm-options>
I did notice that someone said not to use the JVM options statement above, but it's part of the fix; don't use it and see if it works, I'll bet it won't. Maybe just changing the handlers is why it works?
Here's where I found the details: http://onjava.com/pub/a/onjava/2001/05/03/java_security.html?page=4
I also stumbled across a final issue (only for ogs 3): if you get failures every now and again, I'd suggest finding the InstallCert app (it's out there) and giving it the following command line parameters:
I was getting these PKIX errors every third attempt at calling the web service.
Hopefully this helped someone else out. These kinds of issues really make me want to rip my hair out :)
I finally got it.
Removed all the certs from my keytool.
Command Example : keytool -list -v -keystore keystore.jks -alias mydomain
I converted the cert response from the server to base64 DER and copied them into one .PEM file, and I uploaded the .PEM into my keytool:
Command Example : keytool -importcert -keystore keystore.jks -alias mydomain -file my.pem
Then I loaded the keystore:
import java.io.FileInputStream;
import java.io.InputStream;
import java.security.KeyStore;
import java.security.SecureRandom;
import java.security.cert.Certificate;
import java.util.Enumeration;
import javax.net.ssl.KeyManagerFactory;
import javax.net.ssl.SSLContext;
import javax.net.ssl.SSLSocketFactory;

KeyStore myStore = KeyStore.getInstance("JKS");
InputStream keyInputx = new FileInputStream("C:\\myStore.jks");
myStore.load(keyInputx, "xxx".toCharArray()); // "xxx" is the keystore password
keyInputx.close();
KeyManagerFactory keyManagerFactory = KeyManagerFactory.getInstance("SunX509");
/* Optional: list what the keystore holds, useful to confirm the import
Enumeration<String> enumeration = myStore.aliases();
while (enumeration.hasMoreElements()) {
    String alias = enumeration.nextElement();
    System.out.println("alias name: " + alias);
    Certificate certificate = myStore.getCertificate(alias);
    System.out.println(certificate.toString());
}*/
keyManagerFactory.init(myStore, "xxx".toCharArray()); // key password, same as the store password here
SSLContext context = SSLContext.getInstance("TLS");
// null trust managers = the JVM's default trust store (cacerts / javax.net.ssl.trustStore)
context.init(keyManagerFactory.getKeyManagers(), null, new SecureRandom());
SSLSocketFactory sockFact = context.getSocketFactory();
Lots of references around so be happy to use.