Using SSL Certificate for WCF-BasicHttp Send Adapter in Biztalk - ssl-certificate

I have a business process which send messages to SAP via soap endpoint exposed by them.
I am using WCF-BasicHttp Send Adapter(In-Process).
As you can see below, earlier the url was http, now they have moved their system to cloud so now they have https endpoints.
I wanted to test this change from http->https, so I have modified the url to https, fill in the credentials for basic auth. it working fine in Test system without SSL Certificate, I need to make sure it wont cause any issue after moving to production system.
My Question is,
1/ Will it work in Production system too as its in TEST without SSL Certificate ?
2/ or Do I need to apply SSL for WCF-BasicHttp Adapter, if yes How can I do that ??

If you are moving to https URL, Certificate is must for SSL/TLS handshake. Many times, Certificate used by specific endpoint is signed by a third party Trusted Root CA e.g. Trustwave, DigiCert etc and these Root CA certs are already trusted on most of the systems. It’s possible in your test system, your endpoint certificate Root CA is already trusted and that’s why you did’t need to install the certificate. In order to check this, you can do following:
Browse your https service url in browser in chrome/IE
Look for Security/Lock sign to find it’s cert. Clicking the lock sign will open certificate.
Check the certificate root by going to Certification Path. You should see a chain of certificates in path. A cert can be by signed by just root CA Or by Intermediary CA first and then root CA. e.g.
—- Trustwave Root
—- Trustwave Intermediary
—- service cert
Or
—- Some Root
—- service cert
Check if Root CA is in your Trusted Root store of system. And Intermediary Cert (if applicable) is in Intermediary Cert Store. You can check this by opening certificate mmc snap-in using mmc command in Windows->Run and adding Certificates snap in of local computer.
If Root CA Cert and Intermediary Certs are not in your system store. SSL/TLS handshake will not complete successfully and BizTalk send port will not work.
If these are installed, you should be good. Otherwise install these certificates in local computer stores.
Another way to verify if endpoint certificate is trusted on a BizTalk system is to login with service account under which your send host is running and then browse the URL in IE. If you don’t get any Cert error, and URL opens such as wsdl URL, then you are good. If you get a cert error, this means end point certificate is not trusted and you need to install the certs as described above.
Some references:
View Certificate
Working with Certificates

Related

Valid SSL Certificate , Local Host

I have a web page with apache, and it is hosted only in localhost, but all devices that are connected to my network can be entered using my ipv4 (192.168.1.x), I have installed a certificate using openssl, but the certificate is only valid For my pc where I am hosting the site, if I try to enter with another device it tells me that it is not valid.
That's expected since the Certificate Authority (who emitted your certificate) is not trusted by the browsers. You'd need to install your CA certificate in your clients in order to make them trust the certificates emitted by that CA.
If you own a valid domain, you may buy a certificate for it from a trusted CA, or even emit a certificate using Let's Encrypt, which emits free SSL certificates that are trusted by all major browsers currently. Remember that this won't work neither for invalid/local domains or domains that you don't own.

Self signed cert in chain from only some servers

I have multiple Intel NUCs out in the field that I use for displaying digital signage. Out of the thousands I have in the field, a couple complain with this error:
SSL certificate problem: self signed certificate in certificate chain. More details here: http://curl.haxx.se/docs/sslcerts.html, curl performs SSL certificate verification by default, using a "bundle" of Certificate Authority (CA) public keys (CA certs). If the default bundle file isn't adequate, you can specify an alternate file using the --cacert option. If this HTTPS server uses a certificate signed by a CA represented in the bundle, the certificate verification probably failed due to a problem with the certificate (it might be expired, or the name might not match the domain name in the URL). If you'd like to turn off curl's verification of the certificate, use the -k (or --insecure) option.
I've confirmed that the cert is not expired, and the domain name matches
These units are running on Debian 7
Could the network they are on cause this issue with some sort of firewall setting?
When you visit the website what certificate is shown in the web browser? In your curl bundle is that the same certificate which is supposed to be used for SSL encryption? I'd guess no. CA will sign your cert.pem so that web browsers will show your green lock thereby authenticating your website. You most likely have an issue on the back end with the configuration of your curl bundle. You need to make sure that your server is using the CA cert not a self signed certificate like ssl-cert-snakeoil.pem for example.
Essentially your website should be using a static IPv4 address. As far as a network firewall stopping an SSL handshake from happening that may be possible, I have seen it happen on specific ports for example port 22 for ssh connections may be blocked at the network gateway for inbound traffic on a client side computer attempting a connection to a server. The SYN/ACK https://tools.ietf.org/rfc/rfc793.txt TCP handshake may time out in that type of network fire wall situation. However since you are getting an explicit response from your server about a self signed cert a firewall issue does not seem to be the problem.

Change the root signing certificate used by Fiddler

Fiddler allows one to decrypt HTTPS traffic by doing a MITM attack. Fiddler generates a root certificate, that when added to the Trusted Root Authorities, apps that use the certificate store can be intercepted as they trust the generated root certificate.
However, the specific app that I want to intercept is using a weak form of certificate pinning. The site certificate must have a specific value for the Issuer.CN field. Therefore the generated root certificate must have a CN value that I specify, and not the default value of DO_NOT_TRUST_FiddlerRoot.
Is it possible to use a custom root certificate with Fiddler?
You can use either:
CertMaker.StoreCert("example.com", certMyCert);`
or
CertMaker.StoreCert("example.com", "C:\\temp\\cert.pfx", "TopSecretPassword");
to have Fiddler return the certificate of your choice to the client application. You will, of course, have to generate the certificates (using whatever tools you like) and possibly configure the OS to trust the self-signed root you use.
The first call requires that your X509Certificate2 be installed in your certmgr.msc (so its private key can be found) while the second allows you to specify a PFX file from disk.

Websphere application server not supporting Deutsche Telekom Root certificate

We are consuming xml from different datasources. Some are http and some are https. HTTPS with Verisign certificates are working without any issues. However, URLs with Deutsche Telekom Root certificate is not working. The web sphere application server is having the default root certificate which was generated while creating a WAS profile. Do I have to add any other special certificate to make Deutsche Telekom Root certificate work ? Any kind of help is much appreciated.
I don't think I know enough about your setup yet. So by default WebSphere creates it's own root certificate, nothing about it would trust a Verisign certificate. So I wonder about what you are using to make the https connection? It could be something that manages to bypass the WebSphere socket factories and you are actually using the JRE's default, and the cacerts file for trust. Verisign certs are in the cacerts file there are no Deutsche Telekom as far as I can tell.
Or was a Verisign certificate added to your WebSphere truststore at some time?
Typically you have establish trust to make WebSphere trust another server. Retrieving a certificate from a port is a good way to do that.
Alaine
Please, post the WAS version you use.
The reason you cannot setup the connection to ssl port is that WAS doesn't trust to the ssl certificate of the remote host.
You have to add the whole certificate chain of the remote host to the WAS truststore.
You can find the example of how to add the certificate by following link https://www.google.com/url?sa=t&rct=j&q=&esrc=s&source=web&cd=8&cad=rja&uact=8&ved=0CE0QFjAHahUKEwiRy4zsztzGAhXCfHIKHVq-BfM&url=http%3A%2F%2Fwww.webspheretools.com%2Fsites%2Fwebspheretools.nsf%2Fdocs%2FBasic%2520SSL%2520terminalogy%2520and%2520Tips%2520for%2520WebSphere%2520Application%2520Server.Default%2520passwords%2520for%2520SSL%2520keyfile%2520and%2520Truststore.&ei=DwymVdGHDcL5yQPa_JaYDw&usg=AFQjCNE42W06AILWb99iYWiUp7EcbT92iw&sig2=KKYyvAsFET1Ae0fOLSl8zA&bvm=bv.97949915,d.bGQ

SSL handshake with intermediate certificate

During SSL handshake, the browser downloads any intermediate certificate from the host web server using the URL provided if needed. I believe browser comes with the pre-installed certificates from public CAs having only the public key of the root certificate.
1) When calling a https url using a standalone java program [https://xyz.com ..which is using Verisign certificate], i do not need to add that Certificate to any truststore since its root public is already available in jdk's cacerts truststore file. Is this correct statement?
2) When i run the same program from application server, it requires to add all the intermediate certificate to server truststore individually. Why this works in different way.
If the trust chain for the servers certificate is: root-intermediate#1-intermediate#2-server and the client (browser) has root as trusted CA in its CA store, it needs a way to verify the servers certificate by checking the complete chain up to the root. And because the client usually has no knowledge of the intermediate CAs the server needs to provide them.
Sometimes it seems to work w/o providing these intermediate CAs. First, the browsers usually cache the intermediate CAs they got and thus if intermediate#2 is the same as already seen by another server the verification will succeed, but only for the clients who visited the other server before :(
Another way is to provide a URL inside a certificate, where the issuer certificate can be downloaded, e.g. server could provide a link to the certificate for intermediate#2, intermediate#2 could provide a link to intermediate#1. In this case the client could download the missing certificates. But, this features is not universally adopted, e.g. some browsers might provide it but SSL libraries outside of the browsers usually don't.