I have a problem where I don´t know why it happens.
I have LetsEncrypt Certificates which I use to create a .pfx file.
openssl pkcs12 -export -out /tmp/certificate.pfx -inkey /etc/letsencrypt/live/ds-gym.de/privkey.pem -in /etc/letsencrypt/live/ds-gym.de/cert.pem -certfile /etc/letsencrypt/live/ds-gym.de/chain.pem
I set up keycloak 8.0.1. as service by following this tutorial (https://medium.com/#hasnat.saeed/setup-keycloak-server-on-ubuntu-18-04-ed8c7c79a2d9) and it worked fine. Keycloak seems to set up a self-signed certificate which is not what I want. First I set up Keycloak for SSL.
With the JBoss-cli.sh file I do the following (described here: https://www.keycloak.org/docs/latest/server_installation/#setting-up-https-ssl)
/core-service=management/security-realm=UndertowRealm:add()
/core-service=management/security-realm=UndertowRealm/server-identity=ssl:add(keystore-path=keycloak.jks, keystore-relative-to=jboss.server.config.dir, keystore-password=secret)
/subsystem=undertow/server=default-server/https-listener=https:write-attribute(name=security-realm, value=UndertowRealm)
Not my security tealm looks like this:
<security-realm name="UndertowRealm">
<server-identities>
<ssl>
<keystore path="keycloak.jks" relative-to="jboss.server.config.dir" keystore-password="secret"/>
</ssl>
</server-identities>
</security-realm>
I import the certificate now:
keytool -importkeystore -srckeystore /tmp/certificate.pfx -srcstoretype pkcs12 -destkeystore /opt/keycloak/standalone/configuration/keycloak.jks -deststoretype JKS
Then I restart keycloak:
systemctl restart keycloak
Now I get the following error:
HTTP ERROR 502
You can also check the network tab of my website if that helps.
The keycloak service is up and running, however it seems it does not work on port 8443 anymore.
Listener look like this:
<server name="default-server">
<http-listener name="default" socket-binding="http" redirect-socket="https" enable-http2="true"/>
<https-listener name="https" socket-binding="https" security-realm="UndertowRealm" enable-http2="true"/>
<host name="default-host" alias="localhost">
<location name="/" handler="welcome-content"/>
<http-invoker security-realm="ApplicationRealm"/>
</host>
</server>
Any idea why this happens? Are my certificates wrong? I´m quite desperate with Keycloak already :-(
Edit:
This is my logged Error:
]) - failure description: {"WFLYCTL0080: Failed services" =>
{"org.wildfly.core.management.security.realm.UndertowRealm.key-manager"
=> "WFLYDM0018: Unable to start service
Caused by: java.security.UnrecoverableKeyException: Cannot recover key"}} 2019-12-23 19:12:57,421 INFO [org.jboss.as.server]
(ServerService Thread Pool -- 43) WFLYSRV0010: Deployed
"keycloak-server.war" (runtime-name : "keycloak-server.war")
2019-12-23 19:12:57,423 INFO [org.jboss.as.controller] (Controller
Boot Thread) WFLYCTL0183: Service status report WFLYCTL0186:
Services which failed to start: service
org.wildfly.core.management.security.realm.UndertowRealm.key-manager:
WFLYDM0018: Unable to start service WFLYCTL0448: 2 additional services
are down due to their dependencies being missing or failed 2019-12-23
19:12:57,569 INFO [org.jboss.as.server] (Controller Boot Thread)
WFLYSRV0212: Resuming server 2019-12-23 19:12:57,578 INFO
[org.jboss.as] (Controller Boot Thread) WFLYSRV0060: Http management
interface listening on http://127.0.0.1:9990/management 2019-12-23
19:12:57,579 INFO [org.jboss.as] (Controller Boot Thread)
WFLYSRV0051: Admin console listening on http://127.0.0.1:9990
2019-12-23 19:12:57,580 ERROR [org.jboss.as] (Controller Boot Thread)
WFLYSRV0026: Keycloak 8.0.1 (WildFly Core 10.0.3.Final) started (with
errors) in 41093ms - Started 586 of 888 services (4 services failed or
missing dependencies, 604 services are lazy, passive or on-demand)
It looks like the keystore is incorrectly generated. Check that:
You set the value of keystore-password to match actual keystore password.
You set alias root for root certificate.
You set alias yourdomain.com for the domain certificate.
Try to follow the steps exactly as described in the documentation.
Related
In trying to get secure rest services to work on Open Liberty in a container, I get the following error:
CWPKI0824E: SSL HANDSHAKE FAILURE: Host name verification error while connecting to host [hostname]. The host name used to access the server does not match the server certificate's SubjectDN or Subject Alternative Name information. The extended error message from the SSL handshake exception is: [No name matching hostname found].
Relevant portion of the server.xml:
<featureManager>
<feature>appSecurity-3.0</feature>
<feature>jca-1.7</feature>
<feature>jdbc-4.1</feature>
<feature>jndi-1.0</feature>
<feature>localConnector-1.0</feature>
<feature>mpConfig-1.3</feature>
<feature>passwordUtilities-1.0</feature>
<feature>ssl-1.0</feature>
<feature>transportSecurity-1.0</feature>
</featureManager>
<sslDefault sslRef="DefaultSSLConfig" httpHostNameVerification="false"/>
<ssl id="DefaultSSLConfig" keyStoreRef="DefaultKeyStore" trustStoreRef="DefaultTrustStore" trustDefaultCerts="true" verifyHostname="false"/>
<keyStore id="DefaultKeyStore" location="liberty-default-key.p12" type="PKCS12" password="password"/>
<keyStore id="DefaultTrustStore" location="liberty-default-trust.p12" type="PKCS12" password="password"/>
<ldapRegistry id="ldapRegistry" realm="Standalone LDAP Registry" ldapType="IBM Tivoli Directory Server"
host="server" port="123"
baseDN="baseDN" bindDN="bindDN" bindPassword="password"
recursiveSearch="true"
sslEnabled="true" sslRef="DefaultSSLConfig">
<idsFilters>
...
</idsFilters>
</ldapRegistry>
As you can see verifyHostname has the value 'false', but the check is done anyway.
What am I missing?
The JDK has handles LDAP separately and hostname verification is enabled by default by the JDK. To disable LDAP hostname verification you need to set the system property com.sun.jndi.ldap.object.disableEndpointIdentification to true. So in the jvm.options in your server directory add -Dcom.sun.jndi.ldap.object.disableEndpointIdentification=true to disable hostname verification on an LDAP connention.
I’m using Tomcat 9.0.19 and trying to enable X.509 cert.-based client authentication (AKA I&A) for a particular Web application.
In summary, the Tomcat works for an application that has basic I&A enabled over one-way TLS. When accessing the Web application that has certificate-based I&A, Tomcat does not seem to request a client certificate as part of the Server Hello message, prior to sending Server Hello Done and it later fails the authentication check:
02-Jan-2020 13:00:40.371 FINE [https-jsse-nio-443-exec-10] org.apache.catalina.authenticator.SSLAuthenticator.doAuthenticate Looking up certificates
02-Jan-2020 13:00:40.830 FINE [https-jsse-nio-443-exec-10] org.apache.catalina.authenticator.SSLAuthenticator.doAuthenticate No certificates included with this request
Traced the TLS flow in Wireshark and saw the TLS 1.2 handshake. Shortly after encrypted data is exchanged, the Tomcat sends an “Encrypted Alert” message and the socket is closed. Trying to contact the Tomcat from the browser, doing a GET. The browser does not prompt me to select a certificate, which also seems to point to Tomcat not requesting it from the browser.
Any help will be greatly appreciated!
More Details:
We have a set of certificates for the Tomcat and the client, issued by an Intermediate CA, which is signed (issued) by a Root CA. The trust stores have been setup on both sides (client and server) as well as key stores with the right certs/keys in them. The Web application is setup to require certificate I&A (web.xml):
<security-constraint>
<web-resource-collection>
<web-resource-name>All by default</web-resource-name>
<url-pattern>/*</url-pattern>
<http-method>GET</http-method>
<http-method>POST</http-method>
</web-resource-collection>
<auth-constraint>
<role-name>OTService</role-name>
</auth-constraint>
<user-data-constraint>
<transport-guarantee>CONFIDENTIAL</transport-guarantee>
</user-data-constraint>
</security-constraint>
<login-config>
<auth-method>CLIENT-CERT</auth-method>
<realm-name>certificate</realm-name>
</login-config>
The OTService role is setup in the Tomcat-Users.xml, along with a single user account:
Now, the Connector in server.xml is configured as follows:
<Connector port="443" protocol="org.apache.coyote.http11.Http11NioProtocol"
maxThreads="100" SSLEnabled="true" scheme="https" secure="true">
<SSLHostConfig>
<Certificate certificateKeystoreFile="/apache-tomcat-9.0.19/conf/km/keyStore.jks"
certificateKeystorePassword="PASSWORD"
certificateKeyAlias="tomcat"
type="RSA" />
truststoreFile="/apache-tomcat-9.0.19/conf/km/trust_store.jks"
truststorePass="PASSWORD"
truststoreType="JKS"
certificateVerification="required"
clientAuth="true"
protocols="TLSv1.2"
</SSLHostConfig>
</Connector>
Any ideas why Tomcat would not request a client certificate?
The first issue that I discovered was that Tomcat ignored the Connector->SSLHostConfig settings for the trust store and used the JRE default trust store anyway. The way I discovered it was to have a browser save the negotiated TLS session key to a file (Google SSLKEYLOGFILE), then configured the Wireshark to use that file, captured the browser-Tomcat session and then was able to see every message in plaintext.
Next, I discovered that Tomcat was actually asking for a client cert., but the list of accepted Root CAs it was sending was from the default JRE cacerts file, not from the file specified by the truststoreFile attribute. Can have Tomcat use a different file across the board by adding a setenv.sh file to the Tomcat bin directory with Java properties to override default trust store location.
Now, I was in business, the browser was able to complete the TLS handshake, but then the authentication and authorization steps were failing. I finally determinate that the proper way to provide the cert. subject field in tomcat_users.xml file was not "CN=OU Client, OU=Control Systems, O=IoTOY, L=Scottsdale, S=AZ, C=US", but "CN=OU Client, OU=Control Systems, O=IoTOY, L=Scottsdale, ST=AZ, C=US". Finally, I had 2-way TLS working.
One thing to keep in mind is if anything running on the Tomcat attempts to connect over TLS to another system that uses commercial CA certs, it will fail because the truststore you're using now does not have commercial Root CAs' certs. One way to remediate it is to make a copy of the default JRE cacerts file and add your system-specific CA cert(s) to it and point to it from the setenv.sh file noted above.
When you have:
<Connector ...>
<SSLHostConfig>
<Certificate A=1 B=2 C=3 />
D=4 E=5 F=6
</SSLHostConfig>
</Connector>
then A,B,C are attributes of the Certificate object but D,E,F are NOT attributes of the SSLHostConfig object -- they are XML content which is different. Attributes need to be put IN THE TAG:
<Connector ... >
<SSLHostConfig certificateVerification="required" truststoreFile=... >
<Certificate ...keystore... />
</SSLHostConfig>
</Connector>
and that does cert-request on the initial handshake as desired (for me, tested on tomcat 9.0.14).
I'm trying to configure websphere-liberty server to use default keystore and trustore for all outbound connections (actually REST calls) and for inbound use a custom key and trust stores. But it fails with SSLHandshakeException when try to make a call to external REST service. In logs I can see that it uses my custom truststore instead of default one.
Below is my server.xml
<?xml version="1.0" encoding="UTF-8"?>
<server description="Default server">
<featureManager>
<feature>appSecurity-2.0</feature>
<feature>transportSecurity-1.0</feature>
<feature>jaxrs-2.0</feature>
<feature>json-1.0</feature>
<feature>javaMail-1.5</feature>
<!--<feature>ssl-1.0</feature>-->
</featureManager>
<sslDefault sslRef="saasSSLConfig" outboundSSLRef="outboundSSLConfig" />
<ssl id="saasSSLConfig" keyStoreRef="saasKeyStore" trustStoreRef="saasTrustStore" clientAuthentication="true" sslProtocol="TLSv1" />
<keyStore id="saasKeyStore" location="/opt/ibm/wlp/output/defaultServer/resources/security/sbs_endpoint_keystore.jks" password="pwd" />
<keyStore id="saasTrustStore" location="/opt/ibm/wlp/output/defaultServer/resources/security/serverTruststore.jks" password="pwd" />
<ssl id="outboundSSLConfig" keyStoreRef="defaultKeyStore" trustStoreRef="defaultTrustStore" />
<basicRegistry id="basic" realm="BasicRealm">
<!-- <user name="yourUserName" password="" /> -->
</basicRegistry>
<httpEndpoint id="defaultHttpEndpoint" host="*" httpPort="9080" httpsPort="9443" />
<applicationManager autoExpand="true"/>
</server>
BTW if change saasSSLConfig to use defaultTrustStore instead of saasTrustStore then everything works fine.
Server version:
WebSphere Application Server 17.0.0.2 (1.0.17.cl170220170523-1818) on IBM J9 VM, version pxa6480sr4fp7-20170627_02 (SR4 FP7) (en_US)
Error:
[ERROR] CWPKI0022E: SSL HANDSHAKE FAILURE: A signer with SubjectDN CN=*.api.ibm.com, O=International Business Machines, L=Armonk, ST=New York, C=US was sent from the target host. The signer might need to be added to local trust store /opt/ibm/wlp/output/defaultServer/resources/security/serverTruststore.jks, located in SSL configuration alias saasSSLConfig. The extended error message from the SSL handshake exception is: PKIX path building failed: java.security.cert.CertPathBuilderException: PKIXCertPathBuilderImpl could not build a valid CertPath.;
SSLHandshakeException invoking https://dev.api.ibm.com/scx/test/sbs/customer/222222222: java.security.cert.CertificateException: PKIXCertPathBuilderImpl could not build a valid CertPath.
Liberty does not load cacerts automatically. You can create a keyStore element to point to it if desired. So in your case above you can create a configuration like this.
<ssl id="outboundSSLConfig" keyStoreRef="cacertKeyStore" />
<keyStore id="cacertKeyStore" location=<fill in path to your jdk cacerts file> password="changeit" />
I am assuming you do not need a key for this configuration so I simplified to just a keyStoreRef on outboundSSLConfig. It will use what is pointed to by keyStoreRef for both key and trust.
In your configuration I do not see keyStore elements for defaultKeyStore and defaultTrustStore. If they are missing that will cause outboundSSLConfig to be an invalid SSL configuration. Can you please add them and see if things work.
I'm trying to set up ActiveMQ for mutual authentication, that the client will need a certificate in order to pass messages to the broker. I created a keystore and a truststore on the broker and exported a certificate that was copied to the client. On the client side I did the same, although I am using NMS so I am only using the exported certificate, which I added to the broker's truststore. I also added the certificate's to the other's Local Computer Trusted Root Certificates.
The broker's configuration has this:
<transportConnectors>
<transportConnector name="ssl" uri="ssl://0.0.0.0:61616"/>
</transportConnectors>
<sslContext>
<sslContext keyStore="file:${activemq.base}/conf/keystore.jks"
keyStorePassword="ksPass"
trustStore="file:${activemq.base}/conf/shared.ks"
trustStorePassword="ksPass"/>
</sslContext>
<plugins>
<jaasCertificateAuthenticationPlugin configuration="CertLogin" />
</plugins>
amq service wrapper.conf has
wrapper.java.additional.8=-Djava.security.auth.login.config="%ACTIVEMQ_CONF%/login.config"
${activemq.base}/conf/login.config
CertLogin {
org.apache.activemq.jaas.TextFileCertificateLoginModule required
debug=true
org.apache.activemq.jaas.textfiledn.user="users.properties"
org.apache.activemq.jaas.textfiledn.group="groups.properties";
};
${activemq.base}/conf/users.properties has
user=CN=nms.client.170,\ OU=IT,\ O=MyOrg,\ L=Oslo,\ S=Oslo,\ C=NO
${activemq.base}/conf/groups.properties has
admins=system
users=system,user
In the NMS client's appSettings I use this to connect:
< add key="jms.uri" value="ssl://brokeraddress.in.hosts:61616?needClientAuth=true&wantClientAuth=true&transport.clientCertSubject=nms.client.170&transport.clientCertPassword=ksClientPw&transport.clientCertFilename=C:\TestClient\client170.crt" />
If I don't have the jaasCertificateAuthenticationPlugin in the broker I can connect via ssl, but with it (which is what I had in mind) I get an error, it fails in Apache.NMS.ActiveMQ.Connection
// Send the connection and see if an ack/nak is returned.
Response response = transport.Request(this.info, this.RequestTimeout);
Gets an ExeptionResponse: "java.lang.SecurityException: Unable to authenticate transport without SSL certificate."
The trace shows:
10:19:16,479 INFO Client.MyTrace - BrokerUri set = ssl://brokeraddress.in.hosts:61616?transport.clientcertpassword=ksClient&transport.clientcertsubject=nms.client.170&needclientauth=true&wantclientauth=true&transport.clientcertfilename=C:\TestClient\client170.crt
10:19:16,492 DEBUG Client.MyTrace - SetProperties called with target: ConnectionFactory, and prefix: connection.
10:19:16,492 DEBUG Client.MyTrace - SetProperties called with target: ConnectionFactory, and prefix: nms.
10:19:16,495 INFO Client.MyTrace - Connecting to: ssl://brokeraddress.in.hosts:61616/?transport.clientcertpassword=ksClient&transport.clientcertsubject=nms.client.170&needclientauth=true&wantclientauth=true&transport.clientcertfilename=C:\TestClient\client170.crt
10:19:16,497 DEBUG Client.MyTrace - Searching Assembly: Apache.NMS.ActiveMQ for factory of the id: ssl
10:19:16,549 DEBUG Client.MyTrace - Found the Factory of type Apache.NMS.ActiveMQ.Transport.Tcp.SslTransportFactory for id: ssl
10:19:16,552 DEBUG Client.MyTrace - Opening socket to: brokeraddress.in.hosts on port: 61616
10:19:16,554 DEBUG Client.MyTrace - Connected to brokeraddress.in.hosts:61616 using InterNetwork protocol.
10:19:16,562 DEBUG Client.MyTrace - Creating new instance of the SSL Transport.
10:19:16,564 DEBUG Client.MyTrace - Creating Inactivity Monitor: 1
10:19:16,677 DEBUG Client.MyTrace - Authorizing as Client for Server: brokeraddress.in.hosts
10:19:16,679 DEBUG Client.MyTrace - Attempting to load Client Certificate from file := C:\TestClient\client170.crt
10:19:16,682 DEBUG Client.MyTrace - Loaded Client Certificate := [Subject] CN=nms.client.170, OU=IT, O=MyOrg, L=Oslo, S=Oslo, C=NO [Issuer] CN=nms.client.170, OU=IT, O=MyOrg, L=Oslo, S=Oslo, C=NO
10:19:16,684 DEBUG Client.MyTrace - Client is selecting a local certificate from 1 possibilities.
10:19:16,684 DEBUG Client.MyTrace - Client has selected certificate with Subject = CN=nms.client.170, OU=IT, O=MyOrg, L=Oslo, S=Oslo, C=NO
10:19:16,969 DEBUG Client.MyTrace - ValidateServerCertificate: Issued By CN=brokeraddress.in.hosts, OU=DataCom, O=MyOrg, L=Oslo, S=Oslo, C=NO
10:19:16,969 DEBUG Client.MyTrace - Server is Authenticated = True
10:19:16,970 DEBUG Client.MyTrace - Server is Encrypted = True
10:19:16,978 DEBUG Client.MyTrace - InactivityMonitor[1]: Read Check time interval: 30000
10:19:16,978 DEBUG Client.MyTrace - InactivityMonitor[1]: Initial Delay time interval: 10000
10:19:16,985 DEBUG Client.MyTrace - InactivityMonitor[1]: Write Check time interval: 10000
10:19:19,017 DEBUG Client.MyTrace - Exception received in the Inactivity Monitor: Unable to read beyond the end of the stream.
10:19:19,019 DEBUG Client.MyTrace - InactivityMonitor[1].Runner: Task Runner Shut Down
10:19:19,019 DEBUG Client.MyTrace - InactivityMonitor[1]: Stopped Monitor Threads.
10:19:19,032 DEBUG Client.MyTrace - Connection[ID:EJPB-56409-635193299565662525-1:0]: Async exception with no exception listener: System.IO.EndOfStreamException: Unable to read beyond the end of the stream.
System.IO.BinaryRe.FillBuffer(Int32 numBytes)
System.IO.BinaryRe.ReadInt32()
Apache.NMS.Util.EnBinaryReader.ReadInt32() in c:\dev\NMS\src\main\csharp\Util\EndianBinaryReader.cs:line 135
Apache.NMS.ActiveMenWire.OpenWireFormat.Unmarshal(BinaryReader dis) in c:\dev\NMS.ActiveMQ\src\main\csharp\OpenWire\OpenWireFormat.cs:line 228
Apache.NMS.ActiveMansport.Tcp.TcpTransport.ReadLoop() in c:\dev\NMS.ActiveMQ\src\main\csharp\Transport\Tcp\TcpTransport.cs:line 295
10:19:19,035 DEBUG Client.MyTrace - TransportFilter disposing of next Transport: MutexTransport
10:19:19,035 DEBUG Client.MyTrace - TransportFilter disposing of next Transport: WireFormatNegotiator
10:19:19,036 DEBUG Client.MyTrace - TransportFilter disposing of next Transport: InactivityMonitor
10:19:19,036 DEBUG Client.MyTrace - InactivityMonitor[1]: Stopped Monitor Threads.
10:19:19,037 DEBUG Client.MyTrace - TransportFilter disposing of next Transport: SslTransport
10:19:19,071 INFO Client.MyTrace - Connection[ID:SUSSDEV2-56409-635193299565662525-1:0]: Closing Connection Now.
10:19:19,073 DEBUG Client.MyTrace - Connection[ID:SUSSDEV2-56409-635193299565662525-1:0]: Disposing of the Transport.
10:19:19,073 DEBUG Client.MyTrace - InactivityMonitor[1]: Stopped Monitor Threads.
and in the broker it says:
INFO | jvm 1 | 10:18:20 | WARN | Failed to add Connection ID:EJPB-56409-635193299565662525-1:0, reason: java.lang.SecurityException: Unable to authenticate transport without SSL certificate.
INFO | jvm 1 | 10:18:22 | INFO | Stopping tcp://192.168.5.170:56408 because Failed with SecurityException: Unable to authenticate transport without SSL certificate.
Ok, what am I missing? It says "transport without SSL certificate", but it selects it during the client's connection and it is in both the broker's truststore and Root Certs.
Using NMS 1.6.0 and activeMQ 5.8.0.
I also tried a simple client in java with the same result.
Exception in thread "main" javax.jms.JMSException: Unable to authenticate transport without SSL certificate.
at org.apache.activemq.util.JMSExceptionSupport.create(JMSExceptionSupport.java:49)
at org.apache.activemq.ActiveMQConnection.syncSendPacket (ActiveMQConnection.java:1295)
at org.apache.activemq.ActiveMQConnection.ensureConnectionInfoSent (ActiveMQConnection.java:1392)
at org.apache.activemq.ActiveMQConnection.start(ActiveMQConnection.java:504)
at com.atest.jms.Client.main(Client.java:69)
Caused by: java.lang.SecurityException: Unable to authenticate transport without SSL certificate.
at org.apache.activemq.security.JaasCertificateAuthenticationBroker.addConnection(JaasCertificateAuthenticationBroker.java:74)
at org.apache.activemq.broker.MutableBrokerFilter.addConnection(MutableBrokerFilter.java:91)
at org.apache.activemq.broker.TransportConnection.processAddConnection(TransportConnection.java:766)
at org.apache.activemq.broker.jmx.ManagedTransportConnection.processAddConnection(ManagedTransportConnection.java:79)
at org.apache.activemq.command.ConnectionInfo.visit(ConnectionInfo.java:139)
at org.apache.activemq.broker.TransportConnection.service(TransportConnection.java:329)
at org.apache.activemq.broker.TransportConnection$1.onCommand(TransportConnection.java:184)
at org.apache.activemq.transport.MutexTransport.onCommand(MutexTransport.java:50)
at org.apache.activemq.transport.WireFormatNegotiator.onCommand(WireFormatNegotiator.java:113)
at org.apache.activemq.transport.AbstractInactivityMonitor.onCommand(AbstractInactivityMonitor.java:288)
at org.apache.activemq.transport.TransportSupport.doConsume(TransportSupport.java:83)
at org.apache.activemq.transport.tcp.SslTransport.doConsume(SslTransport.java:91)
at org.apache.activemq.transport.tcp.TcpTransport.doRun(TcpTransport.java:214)
at org.apache.activemq.transport.tcp.TcpTransport.run(TcpTransport.java:196)
at java.lang.Thread.run(Unknown Source)
Anyone has any ideas? Thanks.
Edit nov 12th
Ok, I tried again. I see I hadn't added to the broker's transportConnector ssl:
<transportConnector name="ssl" uri="ssl://0.0.0.0:61616?needClientAuth=true"/>
I tried the java client and it could send, but I'm still getting error for the NMS client (same config):
15:28:14,044 ERROR Test_DataCom.MyTrace - Exception: A call to SSPI failed, see inner exception.
15:28:14,045 ERROR Test_DataCom.MyTrace - Inner exception: An unknown error occurred while processing the certificate
15:28:14,045 ERROR Test_DataCom.MyTrace - Authentication failed - closing the connection.
and at the broker I get null cert chain
INFO | jvm 1 | 15:28:13 | ERROR | Could not accept connection from tcp://192.168.50.170:61978: javax.net.ssl.SSLHandshakeException: null cert chain
I have the certs in each other's truststore and Local Computer Trusted Root CA... what more is needed? Where should it find the cert chain for self signed certs if not there?
OK, I seem to have it now. After re-reading this comment I exported the client cert and key to a PKCS file and imported it to Current User Certification Store in Windows.
C:\> keytool -v -importkeystore -srckeystore client-keystore.jks -srcalias client -destkeystore client.p12 -deststoretype PKCS12
Then I used this url-encoded connection:
<add key="jms.uri" value="ssl://brokeraddress.in.hosts:61616?needClientAuth=true&wantClientAuth=true&transport.clientCertSubject=CN%3Dnms.client.170%2C+OU%3DIT%2C+O%3DMyOrg%2C+L%3DOslo%2C+S%3DOslo%2C+C%3DNO" />
I also had
${activemq.base}/conf/users.properties: user=CN=nms.client.170,\ OU=IT,\ O=MyOrg,\ L=Oslo,\ S=Oslo,\ C=NO, trying to escape the spaces, I removed those and corrected S to ST, just as keytool reports the Owner line. I checked, and that gives error otherwise.
Corrected ${activemq.base}/conf/users.properties:
user=CN=nms.client.170, OU=IT, O=MyOrg, L=Oslo, ST=Oslo, C=NO
I'm having trouble getting tomcat to load a self signed certificate. I followed the instructions at this site to the letter, modified my connectors in the server.xml file, added the security constraint to my tomcat.conf file. The following is an out put of my catalina.out:
Using CATALINA_BASE: /usr/share/tomcat5
Using CATALINA_HOME: /usr/share/tomcat5
Using CATALINA_TMPDIR: /usr/share/tomcat5/temp
Using JRE_HOME: /usr/lib/jvm/jre
Created MBeanServer with ID: -hnoxxr:gj0olj3z.0:s15425714.domainepardefaut.fr:1
17-Jan-11 2:13:25 AM org.apache.catalina.core.AprLifecycleListener lifecycleEvent
INFO: The Apache Tomcat Native library which allows optimal performance in production environments was not found on the java.library.path: /usr/lib64/gcj-4.1.2
17-Jan-11 2:13:25 AM org.apache.coyote.http11.Http11BaseProtocol init
INFO: Initializing Coyote HTTP/1.1 on http-8081
17-Jan-11 2:13:26 AM org.apache.tomcat.util.net.jsse.JSSESocketFactory getStore
SEVERE: Exception trying to load keystore /usr/share/tomcat5/webapps/.keystore
java.security.KeyStoreException: JKS
at java.security.KeyStore.getInstance(libgcj.so.7rh)
at org.apache.tomcat.util.net.jsse.JSSESocketFactory.getStore(tomcat-util-5.5.23.jar.so)
at org.apache.tomcat.util.net.jsse.JSSESocketFactory.getKeystore(tomcat-util-5.5.23.jar.so)
at org.apache.tomcat.util.net.jsse.JSSE14SocketFactory.getKeyManagers(tomcat-util-5.5.23.jar.so)
at org.apache.tomcat.util.net.jsse.JSSE14SocketFactory.init(tomcat-util-5.5.23.jar.so)
at org.apache.tomcat.util.net.jsse.JSSESocketFactory.createSocket(tomcat-util-5.5.23.jar.so)
at org.apache.tomcat.util.net.PoolTcpEndpoint.initEndpoint(tomcat-util-5.5.23.jar.so)
at org.apache.coyote.http11.Http11BaseProtocol.init(tomcat-http-5.5.23.jar.so)
at org.apache.catalina.connector.Connector.initialize(catalina-5.5.23.jar.so)
at org.apache.catalina.core.StandardService.initialize(catalina-5.5.23.jar.so)
at org.apache.catalina.core.StandardServer.initialize(catalina-5.5.23.jar.so)
at org.apache.catalina.startup.Catalina.load(catalina-5.5.23.jar.so)
at org.apache.catalina.startup.Catalina.load(catalina-5.5.23.jar.so)
at java.lang.reflect.Method.invoke(libgcj.so.7rh)
at org.apache.catalina.startup.Bootstrap.load(bootstrap.jar.so)
at org.apache.catalina.startup.Bootstrap.main(bootstrap.jar.so)
17-Jan-11 2:13:26 AM org.apache.coyote.http11.Http11BaseProtocol init
SEVERE: Error initializing endpoint
java.io.IOException: Exception trying to load keystore /usr/share/tomcat5/webapps/.keystore: JKS
at org.apache.tomcat.util.net.jsse.JSSESocketFactory.getStore(tomcat-util-5.5.23.jar.so)
at org.apache.tomcat.util.net.jsse.JSSESocketFactory.getKeystore(tomcat-util-5.5.23.jar.so)
at org.apache.tomcat.util.net.jsse.JSSE14SocketFactory.getKeyManagers(tomcat-util-5.5.23.jar.so)
at org.apache.tomcat.util.net.jsse.JSSE14SocketFactory.init(tomcat-util-5.5.23.jar.so)
at org.apache.tomcat.util.net.jsse.JSSESocketFactory.createSocket(tomcat-util-5.5.23.jar.so)
at org.apache.tomcat.util.net.PoolTcpEndpoint.initEndpoint(tomcat-util-5.5.23.jar.so)
at org.apache.coyote.http11.Http11BaseProtocol.init(tomcat-http-5.5.23.jar.so)
at org.apache.catalina.connector.Connector.initialize(catalina-5.5.23.jar.so)
at org.apache.catalina.core.StandardService.initialize(catalina-5.5.23.jar.so)
at org.apache.catalina.core.StandardServer.initialize(catalina-5.5.23.jar.so)
at org.apache.catalina.startup.Catalina.load(catalina-5.5.23.jar.so)
at org.apache.catalina.startup.Catalina.load(catalina-5.5.23.jar.so)
at java.lang.reflect.Method.invoke(libgcj.so.7rh)
at org.apache.catalina.startup.Bootstrap.load(bootstrap.jar.so)
at org.apache.catalina.startup.Bootstrap.main(bootstrap.jar.so)
17-Jan-11 2:13:26 AM org.apache.catalina.startup.Catalina load
SEVERE: Catalina.start
LifecycleException: Protocol handler initialization failed: java.io.IOException: Exception trying to load keystore /usr/share/tomcat5/webapps/.keystore: JKS
at org.apache.catalina.connector.Connector.initialize(catalina-5.5.23.jar.so)
at org.apache.catalina.core.StandardService.initialize(catalina-5.5.23.jar.so)
at org.apache.catalina.core.StandardServer.initialize(catalina-5.5.23.jar.so)
at org.apache.catalina.startup.Catalina.load(catalina-5.5.23.jar.so)
at org.apache.catalina.startup.Catalina.load(catalina-5.5.23.jar.so)
at java.lang.reflect.Method.invoke(libgcj.so.7rh)
at org.apache.catalina.startup.Bootstrap.load(bootstrap.jar.so)
at org.apache.catalina.startup.Bootstrap.main(bootstrap.jar.so)
17-Jan-11 2:13:26 AM org.apache.catalina.startup.Catalina load
INFO: Initialization processed in 744 ms
17-Jan-11 2:13:26 AM org.apache.catalina.core.StandardService start
INFO: Starting service Catalina
17-Jan-11 2:13:26 AM org.apache.catalina.core.StandardEngine start
INFO: Starting Servlet Engine: Apache Tomcat/5.5.23
17-Jan-11 2:13:26 AM org.apache.catalina.core.StandardHost start
INFO: XML validation disabled
17-Jan-11 2:13:26 AM org.apache.catalina.startup.HostConfig deployWAR
INFO: Deploying web application archive myapp.war
17-Jan-11 2:13:26 AM org.apache.catalina.loader.WebappClassLoader validateJarFile
INFO: validateJarFile(/usr/share/tomcat5/webapps/myapp/WEB-INF/lib/servlet.jar) - jar not loaded. See Servlet Spec 2.3, section 9.7.2. Offending class: javax/servlet/Servlet.class
log4j:WARN No appenders could be found for logger (org.apache.commons.digester.Digester.sax).
log4j:WARN Please initialize the log4j system properly.
17-Jan-11 2:13:27 AM org.apache.catalina.startup.TldConfig lifecycleEvent
SEVERE: Error processing TLD files for context path /myapp
javax.servlet.ServletException: Exception processing TLD at resource path /WEB-INF/struts-tiles.tld in context /myapp
at org.apache.catalina.startup.TldConfig.tldScanTld(catalina-5.5.23.jar.so)
at org.apache.catalina.startup.TldConfig.execute(catalina-5.5.23.jar.so)
at org.apache.catalina.startup.TldConfig.lifecycleEvent(catalina-5.5.23.jar.so)
at org.apache.catalina.util.LifecycleSupport.fireLifecycleEvent(catalina-5.5.23.jar.so)
at org.apache.catalina.core.StandardContext.start(catalina-5.5.23.jar.so)
at org.apache.catalina.core.ContainerBase.addChildInternal(catalina-5.5.23.jar.so)
at org.apache.catalina.core.ContainerBase.addChild(catalina-5.5.23.jar.so)
at org.apache.catalina.core.StandardHost.addChild(catalina-5.5.23.jar.so)
at org.apache.catalina.startup.HostConfig.deployWAR(catalina-5.5.23.jar.so)
at org.apache.catalina.startup.HostConfig.deployWARs(catalina-5.5.23.jar.so)
at org.apache.catalina.startup.HostConfig.deployApps(catalina-5.5.23.jar.so)
at org.apache.catalina.startup.HostConfig.start(catalina-5.5.23.jar.so)
at org.apache.catalina.startup.HostConfig.lifecycleEvent(catalina-5.5.23.jar.so)
at org.apache.catalina.util.LifecycleSupport.fireLifecycleEvent(catalina-5.5.23.jar.so)
at org.apache.catalina.core.ContainerBase.start(catalina-5.5.23.jar.so)
at org.apache.catalina.core.StandardHost.start(catalina-5.5.23.jar.so)
at org.apache.catalina.core.ContainerBase.start(catalina-5.5.23.jar.so)
at org.apache.catalina.core.StandardEngine.start(catalina-5.5.23.jar.so)
at org.apache.catalina.core.StandardService.start(catalina-5.5.23.jar.so)
at org.apache.catalina.core.StandardServer.start(catalina-5.5.23.jar.so)
at org.apache.catalina.startup.Catalina.start(catalina-5.5.23.jar.so)
at java.lang.reflect.Method.invoke(libgcj.so.7rh)
at org.apache.catalina.startup.Bootstrap.start(bootstrap.jar.so)
at org.apache.catalina.startup.Bootstrap.main(bootstrap.jar.so)
17-Jan-11 2:13:29 AM org.apache.catalina.loader.WebappClassLoader validateJarFile
INFO: validateJarFile(/usr/share/tomcat5/webapps/ROOT/WEB-INF/lib/servlet.jar) - jar not loaded. See Servlet Spec 2.3, section 9.7.2. Offending class: javax/servlet/Servlet.class
log4j:WARN No appenders could be found for logger (org.apache.commons.digester.Digester.sax).
log4j:WARN Please initialize the log4j system properly.
17-Jan-11 2:13:29 AM org.apache.catalina.startup.TldConfig lifecycleEvent
SEVERE: Error processing TLD files for context path
javax.servlet.ServletException: Exception processing TLD at resource path /WEB-INF/struts-tiles.tld in context
at org.apache.catalina.startup.TldConfig.tldScanTld(catalina-5.5.23.jar.so)
at org.apache.catalina.startup.TldConfig.execute(catalina-5.5.23.jar.so)
at org.apache.catalina.startup.TldConfig.lifecycleEvent(catalina-5.5.23.jar.so)
at org.apache.catalina.util.LifecycleSupport.fireLifecycleEvent(catalina-5.5.23.jar.so)
at org.apache.catalina.core.StandardContext.start(catalina-5.5.23.jar.so)
at org.apache.catalina.core.ContainerBase.addChildInternal(catalina-5.5.23.jar.so)
at org.apache.catalina.core.ContainerBase.addChild(catalina-5.5.23.jar.so)
at org.apache.catalina.core.StandardHost.addChild(catalina-5.5.23.jar.so)
at org.apache.catalina.startup.HostConfig.deployDirectory(catalina-5.5.23.jar.so)
at org.apache.catalina.startup.HostConfig.deployDirectories(catalina-5.5.23.jar.so)
at org.apache.catalina.startup.HostConfig.deployApps(catalina-5.5.23.jar.so)
at org.apache.catalina.startup.HostConfig.start(catalina-5.5.23.jar.so)
at org.apache.catalina.startup.HostConfig.lifecycleEvent(catalina-5.5.23.jar.so)
at org.apache.catalina.util.LifecycleSupport.fireLifecycleEvent(catalina-5.5.23.jar.so)
at org.apache.catalina.core.ContainerBase.start(catalina-5.5.23.jar.so)
at org.apache.catalina.core.StandardHost.start(catalina-5.5.23.jar.so)
at org.apache.catalina.core.ContainerBase.start(catalina-5.5.23.jar.so)
at org.apache.catalina.core.StandardEngine.start(catalina-5.5.23.jar.so)
at org.apache.catalina.core.StandardService.start(catalina-5.5.23.jar.so)
at org.apache.catalina.core.StandardServer.start(catalina-5.5.23.jar.so)
at org.apache.catalina.startup.Catalina.start(catalina-5.5.23.jar.so)
at java.lang.reflect.Method.invoke(libgcj.so.7rh)
at org.apache.catalina.startup.Bootstrap.start(bootstrap.jar.so)
at org.apache.catalina.startup.Bootstrap.main(bootstrap.jar.so)
17-Jan-11 2:13:31 AM org.apache.coyote.http11.Http11BaseProtocol start
INFO: Starting Coyote HTTP/1.1 on http-8081
17-Jan-11 2:13:31 AM org.apache.catalina.connector.MapperListener init
INFO: Registering Hosts
17-Jan-11 2:13:31 AM org.apache.catalina.connector.MapperListener init
INFO: Registering WebModule Contexts
17-Jan-11 2:13:31 AM org.apache.catalina.connector.MapperListener init
INFO: Registering Servlets
17-Jan-11 2:13:31 AM org.apache.tomcat.util.net.jsse.JSSESocketFactory getStore
SEVERE: Exception trying to load keystore /usr/share/tomcat5/webapps/.keystore
java.security.KeyStoreException: JKS
at java.security.KeyStore.getInstance(libgcj.so.7rh)
at org.apache.tomcat.util.net.jsse.JSSESocketFactory.getStore(tomcat-util-5.5.23.jar.so)
at org.apache.tomcat.util.net.jsse.JSSESocketFactory.getKeystore(tomcat-util-5.5.23.jar.so)
at org.apache.tomcat.util.net.jsse.JSSE14SocketFactory.getKeyManagers(tomcat-util-5.5.23.jar.so)
at org.apache.tomcat.util.net.jsse.JSSE14SocketFactory.init(tomcat-util-5.5.23.jar.so)
at org.apache.tomcat.util.net.jsse.JSSESocketFactory.createSocket(tomcat-util-5.5.23.jar.so)
at org.apache.tomcat.util.net.PoolTcpEndpoint.initEndpoint(tomcat-util-5.5.23.jar.so)
at org.apache.tomcat.util.net.PoolTcpEndpoint.startEndpoint(tomcat-util-5.5.23.jar.so)
at org.apache.coyote.http11.Http11BaseProtocol.start(tomcat-http-5.5.23.jar.so)
at org.apache.coyote.http11.Http11Protocol.start(tomcat-http-5.5.23.jar.so)
at org.apache.catalina.connector.Connector.start(catalina-5.5.23.jar.so)
at org.apache.catalina.core.StandardService.start(catalina-5.5.23.jar.so)
at org.apache.catalina.core.StandardServer.start(catalina-5.5.23.jar.so)
at org.apache.catalina.startup.Catalina.start(catalina-5.5.23.jar.so)
at java.lang.reflect.Method.invoke(libgcj.so.7rh)
at org.apache.catalina.startup.Bootstrap.start(bootstrap.jar.so)
at org.apache.catalina.startup.Bootstrap.main(bootstrap.jar.so)
17-Jan-11 2:13:31 AM org.apache.coyote.http11.Http11BaseProtocol start
SEVERE: Error starting endpoint
java.io.IOException: Exception trying to load keystore /usr/share/tomcat5/webapps/.keystore: JKS
at org.apache.tomcat.util.net.jsse.JSSESocketFactory.getStore(tomcat-util-5.5.23.jar.so)
at org.apache.tomcat.util.net.jsse.JSSESocketFactory.getKeystore(tomcat-util-5.5.23.jar.so)
at org.apache.tomcat.util.net.jsse.JSSE14SocketFactory.getKeyManagers(tomcat-util-5.5.23.jar.so)
at org.apache.tomcat.util.net.jsse.JSSE14SocketFactory.init(tomcat-util-5.5.23.jar.so)
at org.apache.tomcat.util.net.jsse.JSSESocketFactory.createSocket(tomcat-util-5.5.23.jar.so)
at org.apache.tomcat.util.net.PoolTcpEndpoint.initEndpoint(tomcat-util-5.5.23.jar.so)
at org.apache.tomcat.util.net.PoolTcpEndpoint.startEndpoint(tomcat-util-5.5.23.jar.so)
at org.apache.coyote.http11.Http11BaseProtocol.start(tomcat-http-5.5.23.jar.so)
at org.apache.coyote.http11.Http11Protocol.start(tomcat-http-5.5.23.jar.so)
at org.apache.catalina.connector.Connector.start(catalina-5.5.23.jar.so)
at org.apache.catalina.core.StandardService.start(catalina-5.5.23.jar.so)
at org.apache.catalina.core.StandardServer.start(catalina-5.5.23.jar.so)
at org.apache.catalina.startup.Catalina.start(catalina-5.5.23.jar.so)
at java.lang.reflect.Method.invoke(libgcj.so.7rh)
at org.apache.catalina.startup.Bootstrap.start(bootstrap.jar.so)
at org.apache.catalina.startup.Bootstrap.main(bootstrap.jar.so)
17-Jan-11 2:13:31 AM org.apache.catalina.startup.Catalina start
SEVERE: Catalina.start:
LifecycleException: service.getName(): "Catalina"; Protocol handler start failed: java.io.IOException: Exception trying to load keystore /usr/share/tomcat5/webapps/.keystore: JKS
at org.apache.catalina.connector.Connector.start(catalina-5.5.23.jar.so)
at org.apache.catalina.core.StandardService.start(catalina-5.5.23.jar.so)
at org.apache.catalina.core.StandardServer.start(catalina-5.5.23.jar.so)
at org.apache.catalina.startup.Catalina.start(catalina-5.5.23.jar.so)
at java.lang.reflect.Method.invoke(libgcj.so.7rh)
at org.apache.catalina.startup.Bootstrap.start(bootstrap.jar.so)
at org.apache.catalina.startup.Bootstrap.main(bootstrap.jar.so)
17-Jan-11 2:13:31 AM org.apache.catalina.startup.Catalina start
INFO: Server startup in 5535 ms
I did a port scan after I start tomcat. The standard port is up along with 8005 but the SSL port doesn't exist. Am I missing a step somewhere?
I guess you are using tomcat 5.5 compiled with gcj, on some linux distribution (debian or ubuntu?) with java-1.5.0-gcj. You can find some on topic help here:
https://bugzilla.redhat.com/show_bug.cgi?id=238613
Check if the keystore indicated in the exception message is actually present, and that it is in JKS format. Or point the keystoreFile attribute in your server.xml to the cacerts file provided with your JVM (if my guess was right should be /usr/lib/jvm/java-1.5.0-gcj-4.3-1.5.0.0/jre/lib/security/cacerts ) and import there your self-signed certificate.
Stock cacerts file has default password = changeit
However i suggest you to use the sun-jvm or a openjdk-1.6.0 that comes from your distro, in order to avoid a lot of hassle, in particular if it is one of your first ssl deploys.
Edit:
Let me append here my working configuration:
<Connector port="8443" maxHttpHeaderSize="8192"
maxThreads="150" minSpareThreads="25" maxSpareThreads="75"
enableLookups="false" disableUploadTimeout="true"
acceptCount="100" scheme="https" secure="true"
clientAuth="false" sslProtocol="TLS"
keystoreFile="/etc/pki/java/cacerts"
keystorePass="changeit" keystoreType="JKS"
keyAlias="tomcat"
/>
In the /etc/pki/java/cacerts keystore, i generated a keypair with:
$JAVA_HOME/bin/keytool -genkey -alias tomcat -keyalg RSA -keystore /etc/pki/java/cacerts
Note: if you dont specify the key alias in server.xml, the first keypair found in the keystore is used.
Important note: the keystore password MUST be the same as the private key password!
You are trying to use a JKS format key store. This format was defined by Sun, and is not supported by GNU Classpath.
GNU Classpath might support a "PKCS12" key store (because it is a standard, unlike JKS). A new command in the keytool utility from a Java 6 runtime will allow you to "import" an existing JKS key store into a new PKCS #12 key store. Of course, GNU Classpath can't perform this conversion either, but if you use an OpenJDK product to do the conversion, the resulting store might work with GNU Classpath at run time.
You are running GNU CLASSPATH, not Java. Remove it and install a JDK.
If you are using the GNU jvm and keytool, you can add the following options to the Tomcat connector in server.xml in order to get it to work:
keystoreType="gkr"
algorithm="JessieX509"
The algorithm is mentioned at http://developer.classpath.org/doc/javax/net/ssl/KeyManagerFactory.html#getDefaultAlgorithm: