ActiveMQ WSS gives ERR_CERT_COMMON_NAME_INVALID - ssl

I basically followed the steps in this question to create SSL certificates for ActiveMQ. Now, with some help, I can connect my C# application to ActiveMQ. However, when I tried to connect my Angular application to it, I got an ERR_CERT_COMMON_NAME_INVALID error.
I actually have an ActiveMQ instance running in AmazonMQ and it works fine with my Angular application. So I think this is an issue with the certificate when I try to run ActiveMQ in my own Docker image.
For some details, I am using a domain name dev.com pointing to 127.0.0.1, which is set in the hosts file. I am using dev.com to access both the C# application and the Angular application, so I plan to use wss://dev.com:61619 to access ActiveMQ from my Angular application. When I generate the keystore, I specify dev.com as the CN. In addition, I have another self-signed certificate generated with OpenSSL for the Angular and C# applications; I am not sure if there will be any conflict between them.
Can anyone please help to see what could be wrong?
Thank you
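A common cause of ERR_CERT_COMMON_NAME_INVALID is a certificate that names the host only in the CN: current Chrome matches the host name against the subjectAltName (SAN) extension and does not fall back to the CN. The script below is an added example, not part of the original question; it assumes OpenSSL 1.1.1 or later, builds two constructed test certificates for dev.com, and checks each for a matching SAN entry.

```sh
#!/bin/sh
# Constructed test certificates for dev.com (the host name used in the question).
set -e
work=$(mktemp -d)

# make_cert PREFIX [SAN]: self-signed certificate with CN=dev.com.
# With a second argument, a subjectAltName extension is added as well.
make_cert() {
  if [ -n "${2:-}" ]; then
    openssl req -x509 -newkey rsa:2048 -nodes -days 30 -subj "/CN=dev.com" \
      -addext "subjectAltName=$2" -keyout "$1.key" -out "$1.pem" 2>/dev/null
  else
    openssl req -x509 -newkey rsa:2048 -nodes -days 30 -subj "/CN=dev.com" \
      -keyout "$1.key" -out "$1.pem" 2>/dev/null
  fi
}

# san_covers HOST CERT: succeeds only if CERT has an exact DNS SAN entry for HOST.
# Wildcard entries are not expanded here.
san_covers() {
  openssl x509 -in "$2" -noout -ext subjectAltName 2>/dev/null |
    tr ',' '\n' | sed 's/^ *//' | grep -qxF "DNS:$1"
}

make_cert "$work/cn_only"
make_cert "$work/with_san" "DNS:dev.com"

for name in cn_only with_san; do
  if san_covers dev.com "$work/$name.pem"; then
    echo "$name: SAN lists dev.com"
  else
    echo "$name: no SAN entry for dev.com, expect a name mismatch in the browser"
  fi
done
```

For a keystore created with keytool, the SAN is added by passing `-ext SAN=dns:dev.com` to `keytool -genkeypair`.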

Related

How to configure ssl certificates and keys for confluent kafka python client?

I am using confluent-kafka. I've to retrieve messages from kafka-broker using ssl. Now, I've configured broker using these properties (partial):
listeners=SSL://:9092
security.inter.broker.protocol = SSL
Console consumer/producer seem to be working fine with this ssl configuration.
For console consumer/producer, I have the following configuration:
security.protocol=SSL
ssl.truststore.location=/home/ubuntu/kafka1.server.truststore.jks
ssl.truststore.password=<intentionally>
ssl.keystore.location=/home/ubuntu/kafka1.server.keystore.jks
ssl.keystore.password=<intentionally>
ssl.key.password=<intentionally>
Now, from console perspective things are working fine.
I am having a problem figuring out how to connect to the broker using the python-client consumer (with ssl enabled).
Documentation talks about these 3 properties to be set:
ssl.ca.location
ssl.certificate.location
ssl.key.location
But it does not mention where or how to get data for these guys.
Please help me out. Thanks.
To configure these properties, you have to create x509 compliant certificates using OpenSSL instead of keytool. See this page, which explains how to create the x509 certificates.
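A sketch of what the three properties point at, as an added example that is not part of the original answer: a CA certificate used to verify the broker, the client's own certificate, and the client's private key, all as PEM files. The CA name, client name and file names are constructed; in a real setup the CA must be the one that signed the broker's certificate, and the client certificate and key are only needed when the broker requires client authentication.

```sh
#!/bin/sh
# Constructed test PKI; names and paths are placeholders for illustration.
set -e
pki=$(mktemp -d)

# 1. Test CA. ca.pem is the file ssl.ca.location refers to.
openssl req -x509 -newkey rsa:2048 -nodes -days 30 -subj "/CN=Constructed Test CA" \
  -keyout "$pki/ca.key" -out "$pki/ca.pem" 2>/dev/null

# 2. Client key and signing request, then a client certificate signed by the CA.
openssl req -newkey rsa:2048 -nodes -subj "/CN=kafka-python-client" \
  -keyout "$pki/client.key" -out "$pki/client.csr" 2>/dev/null
openssl x509 -req -in "$pki/client.csr" -CA "$pki/ca.pem" -CAkey "$pki/ca.key" \
  -CAcreateserial -days 30 -out "$pki/client.pem" 2>/dev/null

# chain_ok CA CERT: CERT verifies against CA.
chain_ok() { openssl verify -CAfile "$1" "$2" >/dev/null 2>&1; }

# key_matches_cert KEY CERT: the private key belongs to the certificate.
key_matches_cert() {
  [ "$(openssl pkey -in "$1" -pubout)" = "$(openssl x509 -in "$2" -noout -pubkey)" ]
}

# client_config: the key/value pairs to pass to the Python client as its config.
client_config() {
  cat <<EOF
security.protocol=SSL
ssl.ca.location=$pki/ca.pem
ssl.certificate.location=$pki/client.pem
ssl.key.location=$pki/client.key
EOF
}

chain_ok "$pki/ca.pem" "$pki/client.pem" && echo "client certificate chains to the CA"
key_matches_cert "$pki/client.key" "$pki/client.pem" && echo "key matches certificate"
client_config
```

Running the two checks before starting the consumer separates certificate problems from broker or network problems.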

Using ssl with localhost with asp.net mvc 5 on VS2015

I'm trying to test my website locally using SSL with IIS Express. It has the following properties set:
SSL Enabled set to 'true'
SSL URL is set to https://localhost:44354/
But whenever I open the https address, I get the following error:
In "Microsoft Edge":
In Google Chrome:
I've read article after article, including some on SO, but to no avail. I've tried the following:
I've deleted my IIS Express Development Certificate
I've repaired IIS Express 10 via the Control Panel
I've removed the localhost certificate I had created manually.
I've added <binding protocol="https" bindingInformation="*:44354:localhost" /> to the bindings section of the applicationhost.config
I've stopped and restarted IIS Express.
Some suggest to change the port to 443 but my SSL URL is read-only in .NET IDE.
Some articles I've read:
Running IIS Express without Administrative Privileges
How do I fix a missing IIS Express SSL Certificate?
IIS Express — Getting SSL to Work
and many more...
Any help would be greatly appreciated.
Thanks.
I finally figured it out by following this article, How to trust the IIS Express Self-Signed Certificate, but with a few additional steps:
Export IIS Express Development certificate to a local from. This certificate can be found in the Server Certificates section in IIS 10.0.
Open the Certificate console by calling mmc.exe certmgr.msc from File|Run.
Delete all instances of localhost under the Trusted Root Certification Authorities|Certificates.
Import the newly created certificate. You will get prompted with the following:
Once imported, I went back to my ASP.NET MVC 5 project, recompiled it and ran it. When I ran it, I got prompted with the following:
This is when I knew I was on the right track as this was the first time I had ever seen this prompt! Click Yes, and now this prompt appears:
And click Yes on this prompt as well. Your project will then launch the relevant browser.
Go to the https address defined in your .net project, in my instance, https://localhost:44354/, and you will now see the padlock displayed in the address bar to indicate that it is a secure site:
Most of these answers were already available in different answers provided on SO but the points that were missing or that I missed were that I had to export my IIS Express Development certificate, delete all localhost entries (which I had done) and then re-import this certificate. Once done, .NET detects the change and you get prompted accordingly.
Anyway, I hope this will help others.
Self signed certificates need to be trusted or browsers won't accept them. You can easily use Jexus Manager to configure that,
https://www.jexusmanager.com/en/latest/tutorials/self-signed.html#to-trust-self-signed-certificate
If you prefer to do it manually, you can import the certificates to the Trusted Root Certificate Authority store in Windows.
Learn more about SSL, certificates, stores and so on (Google each of them and learn them thoroughly), so that next time you really understand what the culprit is before trying so many irrelevant things.
Jexus Manager also has an SSLDiag feature to identify potential issues,
https://www.jexusmanager.com/en/latest/tutorials/ssl-diagnostics.html
But you need to know enough so as to interpret its output correctly.

Is Weblogic Node Manager SSL setup required while implementing SSL for Application

In Weblogic, I have more than one Machine created using Node Manager. We have been told to set up SSL for our Application, which is deployed across the created machines in a single Weblogic Admin Console.
So for the Application we configured a certificate using a .jks file and configured the SSL listen port by enabling it.
However, we have been told to secure the Node Manager machines across which the application is deployed as well. While changing the Node Manager type to SSL instead of Plain, I am getting an SSLException. In fact we do not need to secure the Machines which were created using Node Manager; only securing the Application is sufficient. Am I right? Or is it required to secure Machines -> Node Manager as well?
When I am turning on SSL in Machines -> Node Manager, what are the things I have to consider to avoid the SSLException? Is a Weblogic restart required if I configure this? For now I do not have UNIX access, hence I couldn't do that at this moment.
Please advise on this situation. Without securing Machines -> Node Manager I am able to run the application, but I am not able to access it using https. Only http for the Application is working.
Please advise on the situation.
SSL for node manager is optional as there's no application related sensitive data that flows in this layer.
You mention that even after configuring the jks you can't get the server, and hence the application, listening on https. Could you elaborate on what steps you followed? Note this has nothing to do with node manager.

Configuring IBM P8 to use LDAP over SSL with Active Directory

I am hoping someone can help me out with a frustrating configuration problem I'm having with IBM FileNet Content Manager 5.2.1 (aka P8 5.2.1).
We have an existing system setup that uses Microsoft Active Directory as our LDAP directory service for P8 and that has worked fine to date. That said, we are now wanting our .NET apps to talk to P8 (via the Content Platform Engine .NET API) using WCF instead of legacy (and now deprecated) WSE but we have run into a problem. WCF requires that all communication occur over SSL - on the surface, not a problem. If you want to talk to the IBM Content Platform Engine (CPE) over SSL however, according to IBM's documentation, you must also change the underlying default LDAP connection from unsecured to SSL as well (in the process, changing LDAP to use port 636 instead of 389).
Following both Microsoft's and IBM's docs, I first enabled LDAP over SSL on Active Directory and tested accordingly. Using Microsoft's LDAP utility, ldp.exe, I can successfully connect and bind to Active Directory on port 636 over SSL.
The next step however is where I hit a wall - Enabling SSL for Content Platform Engine. I followed all the steps involving adding the Active Directory Server's CA certificate to the CPE's application server keystore - no problem. The next step in the configuration instructions however asks you to start the Administration Console for CPE (ACCE) and reconfigure the directory configuration properties - telling it to use SSL on port 636 and... KABOOM! When I attempt to save the configuration, the save fails, stating
An unexpected exception occurred. Message was: Failed connecting to ldap://ad1.domain.com:636
Unfortunately, I can't find any additional info as to why it failed to connect - I assumed it was due to something minor, such as a port conflict. To test that theory, I installed Microsoft's LDAP test utility on the CPE server and attempted to connect to the Active Directory Server over SSL on port 636. Much to my surprise, that worked just fine - grrrr...
I am now at something of a loss as to what to look at next. Anybody out there with experience configuring CPE to use SSL in an Active Directory environment?
Thanks in advance for any-and-all assistance.
WCF requires that all communication occur over SSL - on the surface, not a problem. If you want to talk to the IBM Content Platform Engine (CPE) over SSL however, according to IBM's documentation, you must also change the underlying default LDAP connection from unsecured to SSL as well
This is not true. FileNet can work with non-secure LDAP, while at the same time working with WCF.
Now, if you would like to solve why FileNet will not connect to a secure LDAP, then you should start with your WebSphere.
Check WebSphere's Keystores to ensure that the AD's key is contained. Follow #M.Tamboli's advice and restart WebSphere.
Also make sure that you check WebSphere's SystemOut.log logs, as you may find more info in there.
I'm not sure if it is necessary, but you may also want to add/change the LDAP config that is setup within WebSphere itself.

Meteor SSL connection

I'm trying to connect to my Meteor project via SSL/TLS.
Therefore I did the following:
meteor add force-ssl
in the meteor folder.
Then I start the program with 'meteor'.
Everything is running fine on localhost, but if I want to connect to the server by giving the IP and Port over http, I get redirected to a https connection with the same IP and an 'Unable to connect' message.
Note: I created a certificate on my own and put it into the Meteor/server folder.
Does anyone know my mistake?
If you need to enable SSL support for your Meteor app deployed with Meteor Up, it now has support for SSL. You just need to tell it where the SSL certificate and the key are.
If you are not familiar with the process of generating an SSL certificate, follow this guide.
Disclaimer: I'm the author of Meteor Up.
You can't just put the certificate inside Meteor/server folder. You will need a web server to proxy the request and configure that server with your certificate (Docs also say that, search for force-ssl: http://docs.meteor.com/)
I recommend that you put an nginx instance in front as the proxy. Here is an example of how to do it: http://www.digicert.com/ssl-certificate-installation-nginx.htm