What is the default demo certificate used by Weblogc 12.2.1.3 and where is it stored?
Under <Oracle_Home>\wlserver\server\lib there are cacerts and DemoTrust.jks
On <adf_domain>\security\ there is no DemoIdentity.jks
So I believe Weblogic is using it's own demo certificate for AdminServer and NodeManager stored in DemoTrust.jks?
While checking keystore using:
keytool -list -v -keystore <Oracle_Home>\wlserver\server\lib\DemoTrust.jks
there are 2 entries: alias wlscertgencab and alias wlscertgenca
Under Weblogic admin console => domain - configuration - SSL there is Private Key Alias: DemoIdentity and Private Key Location: from Demo Identity Kestore
I would like to know where is the default weblogic demo certificate stored, what is his alias, and how does Admin Server and NodeManager knows which certificate to use(in nodemanager.properties I don't see any certificates/keystores entry)?
Thx a lot
The demo certificate is stored in the DemoIdentity.jks file. This file is located under the security folder of your domain, not in the WebLogic Server installation.
The alias is demoidentity
The default keystore pass phrase is DemoIdentityKeyStorePassPhrase (you will need it with keytool)
Related
I've tried to follow the following tutorial to setup our own private registry (v2) on an AWS Centos machine.
I've self signed a TLS certificate and placed it in /etc/docker/certs.d/MACHINE_STATIS_IP:5000/
When trying to login the registry (docker login MACHINE_IP:5000) or push a tagged repository (MACHINE_IP:5000/ubuntu:latest) i get the following error :
Error response from daemon: Get https://MACHINE_IP:5000/v1/users/: x509: cannot validate certificate for MACHINE_IP because it doesn't contain any IP SANs
Tried to search for an answer for 2 days, however I couldn't find any.
I've set the certificate CN (common name) to MACHINE_STATIC_IP:5000
When using a self signed TLS certificate docker daemon require you to add the certificate to it's known certificates.
Use the keytool command to grab the certificate :
keytool -printcert -sslserver ${NEXUS_DOMAIN}:${SSL_PORT} -rfc > ${NEXUS_DOMAIN}.crt
And copy it your client's machine SSL certificates directory (in my case - ubuntu):
sudo cp ${NEXUS_DOMAIN}.crt /usr/local/share/ca-certificates/${NEXUS_DOMAIN}.crt && sudo update-ca-certificates
Now reload docker daemon and you're good to go :
sudo systemctl restart docker
You can also use the following command to temporarily trust the certificate without adding it your system certificates.
docker --tlscert <the downloaded tls cert> pull <whatever you want to pull>
Background: I have an ongoing problem with a Connection Failure error message when I try connecting to an API using CFHTTP. While reviewing the API in SoapUI I noticed there was a button SSL Info (3 certs) which is outlined below. When I click the button a window of copy pops up with the headlines outlined below.
"SSL Info (3 certs)"
CipherSuite:
PeerPrincipal
Peer Certificate 1:
Peer Certificate 2:
Peer Certificate 3:
I have a feeling these are the key to getting my application to connect and pull the JSON correctly.
Question: How or Where do I install this cert information. Should I copy all 310 lines in the window with the cert information and place it in new file and save it somewhere?
Any info would be great.
I have answered the question of installing certificates before. Here are the steps again to save you from searching...
If you are using cfhttp to connect via SSL (https) then the ColdFusion server definitely needs the certificate installed to successfully connect. Here is a previous answer that I gave on a similar issue:
Here are the steps you need to perform in order to install the certificate to the Java keystore for ColdFusion. First, be sure you are updating the correct cacerts file that ColdFusion is using. In case you have more than one JRE installed on that server. You can verify the JRE ColdFusion is using from the administrator under the 'System Information'. Look for the Java Home line.
The default truststore is the JRE's cacerts file. This file is typically located in the following places:
Server Configuration:
cf_root/runtime/jre/lib/security/cacerts
Multiserver/J2EE on JRun 4 Configuration:
jrun_root/jre/lib/security/cacerts
Sun JDK installation:
jdk_root/jre/lib/security/cacerts
Consult documentation for other J2EE application servers and JVMs
In order to install the certificate you need to first get a copy of the certificate. This can be done by using Internet Explorer. Note that different versions of Internet Explorer will behave slightly differently but should be very similar to these steps. For example, earlier versions of IE might save the certificate under a different tab than I mention.
Browse to the SSL URL in Internet Explorer - https://xyz/infoLookup.php?wsdl.
View the certificate by clicking on the lock icon and clicking view certificate
Then click the Install Certificate... button (note: if you do not see this button you must close IE and run it as administrator first)
Click on IE's Internet Options and click the Content tab
Click the Certificates button
Find the server's certificate under the Intermediate Certification Authorities tab, select the cert and click the Export... button
Export using DER format
Copy the exported certificate file to your ColdFusion server (you can delete the cert from IE if you want)
Run cmd prompt as administrator on the ColdFusion server
Make a backup of the original cacerts file in case you run into issues
The keytool is part of the Java SDK and can be found in the following places:
Server Configuration:
cf_root/runtime/bin/keytool
Multiserver/J2EE on JRun 4 Configuration:
jrun_root/jre/bin/keytool
Sun JDK installation:
jdk_root/bin/keytool
Consult documentation for other J2EE application servers and JVMs
To install the cert:
Change directory to your truststore's location (where the cacerts file is located)
Type this command (use current jvm and use current jvm's keytool) "c:\program files\java\jre7\bin\keytool" -import -v -alias your_cert_alias_name -file C:\wherever_you_saved_the_file\cert_file.cer -keystore cacerts -storepass changeit
Type yes at the prompt to "Trust this certificate?"
Note: your_cert_alias_name I used above can be whatever you want
Note: C:\wherever_you_saved_the_file\cert_file.cer change these values to whatever you use for the server folder and certificate file name
To verify the cert:
Type this command (use current jvm and use current jvm's keytool) "c:\program files\java\jre7\bin\keytool" -list -v -keystore cacerts -alias your_cert_alias_name -storepass changeit
Note: your_cert_alias_name use the same name here that you used above to install the cert
Restart the ColdFusion service It will not read the updated cacerts file until you do this.
You can delete the imported certificate file from the server if you wish.
I have followed these two sites for SSL setup on my glassfish server.
https://javadude.wordpress.com/2010/04/06/getting-started-with-glassfish-v3-and-ssl/
and
https://docs.oracle.com/cd/E19776-01/820-4495/ghlgv/index.html
Https with default s1as was working fine. Then I followed these steps
Deleted existing s1as from keystore.jks and cacerts.jks.
Generated alias (tried SOME_OTHER_ALIAS or, s1as)
Exported it
Imported it to truststore cacerts.jks
Restarted the server.
Then typed the URL in browser. https://localhost:8181/HelloWorld
I got a blank page saying "This webpage is not available", "ERR_CONNECTION_CLOSED".
Checked server.log file inside C:\Program Files\glassfish3\glassfish\domains\domain1\logs. But, no error was there.
System details are as follows,
Glassfish Version: Glassfish3.1.2-Windows
Master Password of Glassfish: changeit
Keypass: changeit
Storepass: changeit
Please help me out. Thanks in advance.
Unknowingly, I was putting some random name for the First and Last Name (CN) of SSL key. It must be the the domain name or IP address of the server.
I am trying to consume a RESTful service from url https://someurl.com.
I have added the following properties in my code:
Security.setProperty("ssl.SocketFactory.provider", "com.ibm.jsse2.SSLSocketFactoryImpl");
Security.setProperty("ssl.ServerSocketFactory.provider", "com.ibm.jsse2.SSLServerSocketFactoryImpl");
Security.setProperty("javax.net.ssl.trustStore", "cacerts.jks");
Security.setProperty("javax.net.ssl.keyStore", "keystore.jks");
Security.setProperty("javax.net.ssl.keyStoreType", "pkcs12");
Security.setProperty("javax.net.ssl.trustStoreType", "JKS");
The configuration changes that I have done so far are:
set com.ibm.websphere.ssl.retrieveLeafCert to true
retrieved the certificate using url as someurl and port 443 and added it to the truststore.
restarted the server
But I am getting the following exception:
java.security.cert.CertPathValidatorException: Certificate chaining error
javax.net.ssl.SSLHandshakeException: com.ibm.jsse2.util.h: PKIX path building failed: java.security.cert.CertPathBuilderException: PKIXCertPathBuilderImpl could not build a valid CertPath.; internal cause is:
java.security.cert.CertPathValidatorException: The certificate issued by CN=Walmart Root CA, O=Wal-Mart Stores Inc is not trusted; internal cause is:
java.security.cert.CertPathValidatorException: Certificate chaining error
at com.ibm.jsse2.o.a(o.java:22)
at com.ibm.jsse2.SSLSocketImpl.a(SSLSocketImpl.java:423)
at com.ibm.jsse2.kb.a(kb.java:192)
at com.ibm.jsse2.kb.a(kb.java:176)
at com.ibm.jsse2.lb.a(lb.java:53)
at com.ibm.jsse2.lb.a(lb.java:464)
at com.ibm.jsse2.kb.s(kb.java:545)
at com.ibm.jsse2.kb.a(kb.java:530)
at com.ibm.jsse2.SSLSocketImpl.a(SSLSocketImpl.java:79)
at com.ibm.jsse2.SSLSocketImpl.h(SSLSocketImpl.java:437)
at com.ibm.jsse2.SSLSocketImpl.a(SSLSocketImpl.java:142)
at com.ibm.jsse2.SSLSocketImpl.startHandshake(SSLSocketImpl.java:686)
at com.ibm.net.ssl.www2.protocol.https.c.afterConnect(c.java:98)
at com.ibm.net.ssl.www2.protocol.https.d.connect(d.java:13)
at com.ibm.net.ssl.www2.protocol.https.b.connect(b.java:6)
at com.dwl.tcrm.tester.RESTClient_2.main(RESTClient_2.java:76)
I'm assuming you have a web application, which is trying to access that restful service.
First, you should not set your stores via javax.net.ssl.* properties, but use SSL configurations provided in WebSphere. So comment all these setProperty() calls.
Second, you have to add your service server certificate to the trust store.
Login to web admin console:
Go to Security > SSL certificate and key management > Key stores and certificates > NodeDefaultTrustStore > Signer certificates
Click Retrieve from port button, and specify hostname, 443 port, and Alias.
Click Retrieve singer information button.
Verify, if correct certificate is imported (parent).
Save, and restart.
In some versions, the child certificate was imported (not the root), in that case, you will have to manually download the root certificate and intermediate (e.g. via browser, and import that one to the NodeDefaultTrustStore, but this time using Add button, not Retrieve..
This means your certificate is not added in cacerts. Try to execute this command as
keytool -list -v -keystore your_path_to_cacerts (Provide the list of cert in cacerts)
check by matching the serial number of your certificate. If it is not there then please follow the steps given below
To export the Intermediate certificate: Internet Explorer -> Tools -> Internet Options -> Content -> Certificates ->
To view the Certificate Path: Select Certificate -> View -> Certification Path ->
To Export the Certificate: Select Certificate -> Export -> DER
encoded Binary Format -> Save ( From Firefox -> Tools -> Options -> Advanced -> Encryption -> View Certificates )
(Given here - http://www-01.ibm.com/support/docview.wss?uid=swg21592616) after this add this exported certificate with below command
keytool -import -trustcacerts -Keystore CACERTS(path) -alias alias -file cert path export in step 3
My issue was the same and I am able to resolve it by following these steps
When I try to start node manager I am getting below error. I am getting this error on remote machine. By the way node manager is running on my local machine without any problem. Both machines have same configuration. Is there any idea?
<SEVERE> <Fatal error in node manager server>
weblogic.nodemanager.common.ConfigException: Unknown key store identity alias or not a key entry alias: DemoIdentity
at weblogic.nodemanager.server.SSLConfig.loadKeyStoreConfig(SSLConfig.java:175)
at weblogic.nodemanager.server.SSLConfig.<init>(SSLConfig.java:100)
at weblogic.nodemanager.server.NMServer.init(NMServer.java:185)
at weblogic.nodemanager.server.NMServer.<init>(NMServer.java:147)
at weblogic.nodemanager.server.NMServer.main(NMServer.java:353)
at weblogic.NodeManager.main(NodeManager.java:31)
You'll want to go look at the wlserver_10.3/common/nodemanager/nodemanager.properties file.
It sounds like your domain isn't set up to use a custom trust store or key store so it defaults to using the "Demo" identity.
In that properties file, verify that
ListenPort=5556
SecureListener=false
You may also want to login to your admin console and verify that all of the settings here are correct:
Environments->Machines-> <your machine name> -> Configuration-> NodeManager
You may want to use Plain instead of SSL.
If you do want to use SSL, I would recommend checking out a tutorial like the following:
http://jvzoggel.wordpress.com/2011/12/16/configuring-ssl-for-oracle-weblogic-and-ofmw/
Old Question. For future users.
It could not able to find the alias in the keystore specified.
Unknown key store identity alias or not a key entry alias: DemoIdentity.
In the nodemanager.properties check the following lines
CustomIdentityKeyStoreFileName=<path_file>/kesytore.jks
CustomIdentityAlias=<AliasName>
I hope you have given as DemoIdentity and it couldnt find the alias in the keystore.jks file.
Make sure you have given correct alias or correct jks file .
To know the list of alias in the jks file
keytool -list -keystore <path_file>/kesytore.jks