BKS not found when configuration in jBoss 7.1 - ssl

jBoss - 7.1
OS - Win 10
To add ssl certificate to jBoss use this command keytool -genkey -alias tomcat -keyalg RSA its genarates .keystore file in configuration folder in jBoss home. But when it runs gives a error message
"BKS not found"
I reffer follwing tutorial for configuraion https://docs.jboss.org/jbossweb/2.1.x/ssl-howto.html
This is not jBoss web.

This error is related with the fact that keytool tries to instantiate a BKS keystore but no Cryptographic Service Provider (CSP) is able to provide such an implementation. Please bear in mind that BKS keystore type has been implemented by the BouncyCastle CSP!

Look if you somewhere have storetype defined. When creating keystore depending on the JDK version JKS or JCEKS is default. JBoss afaik wants to see JKS. So try to create keystore maybe with option -storetype JKS.
Or maybe in your JBoss config the usage of storetype BKS is mandated?
See also Keystore type: which one to use?

Related

Getting SSL handshake error

I am consuming third party web service in my application. It has https url which requires handshake. I am using Weblogic application Server and I want to configure the certificate in my server.
Can anyone please provide me steps to configure that certificate?
Also What is Identity and Trust on Weblogic Console?
Please help!!
Update the cacerts file for the JVM used by WebLogic. Using the WebLogic console, select the server. Then use the Configuration > Keystores tab to find the cacerts file location labeled Java Standard Trust Keystore on this page.
You will want to import the certificate from the web service into this cacerts file. If you are a Windows user, I use a free tool called Keystore Explorer (http://keystore-explorer.sourceforge.net/). This application allows to directly import the certificate using the URL. Do this by opening your cacerts file in KeyStore Explorer then use the Examine SSL option to import the certificate.
I resolved this by using keytool command provided in Jdk bin folder.
I just went to demotrust.jks and imported the third party certificate in it and it worked for me.
I used below command.
${ORACLE_HOME}/product/jrockit-jdk1.6.0_20-R28.1.0-4.0.1/bin/keytool -import -alias [AliasForYourCertificate] -keystore ${ORACLE_HOME}/Middleware/wlserver_10.3/server/lib/DemoTrust.jks -file /home/oracle/[YourCertFile].crt

How to add SSLC certificates in a unix server

I have a java web project and I have used few certificates to contact a URL. Now I have deployed project as a WAR file in a Unix server and my project has a certificate issue.
I have the certificates in my local store and I need to put them in the Unix server and need to add them to the keytool in Tomcat. How do i do that.
Can I get an example how do I do that with keytool?
There are at least 3 ways of handling this problem:
You can import the certificate into the JRE's default truststore (often in $JAVA_HOME/lib/security/cacerts). This will affect all the applications using that JRE (unless they override the default settings). You'll need to have write permissions on that cacerts file to do this too.
You can import the certificate into a local keystore that you will configure to be Tomcat's default truststore. Typically, you could make a copy of the default cacerts file and import your certificate into this copy, or you can create a new keystore and import only the certificates you know you need (keytool -import -keystore ... will create the keystore file if it doesn't exist). This can be done in tomcat by setting an additional system property in catalina.sh (or .bat): in JAVA_OPTS, you can add -Djavax.net.ssl.trustStore=/path/to/local/truststore.jks for example (and other related properties).
You can make that certificate be used only by certain connections in your application (or set the default SSLContext programmatically). For this, you'll need to alter your application so that it loads the keystore, uses it to initialise a TrustManagerFactory, in passed into an SSLContext. Then, how that SSLContext can be used depends on the client library you're using. There is an example in this answer.
Either way, you can import your cert (be it a CA cert or a specific server cert) into the truststore of your choice using:
keytool -import -file cert.pem -alias "some name" -keystore truststore.jks
(If using the programming route, you can also create your keystore in memory and load the certificate file dynamically, as shown in this answer. Using keystores might be easier, it's up to you to assess the pros and cons of the deployment you want to use.)
I got the answer for this. We need to find which java file the tomcat is using and we need to add the keytool to that particular thing.
this is where the tomcat has its cacerts .ie. the java which is used by the tomcat.
etc/pki/java/cacerts
Keytool command:
keytool -import -alias ttg-lys-cm1 -file /var/lib/certificates/ttg-lys-cm1.cer -keystore "/etc/pki/java/cacerts"
Once you do this restart tomcat and it works fine.
Thanks
pradeepa

Worklight 6.1- How to import self sign certificate in MAC machine same as windows

I am using worklight 6.1 version and MAC 10.8. I have build the project which uses adapter and it require self sign certificate. On windows I know how to do that and it works fine for me but when I am trying the same worklight setup on MAC machine. I am not able to do that. I have tried to import certificate and remove the default path in worklight.properties file as i have done the same thing in windows but it din't worked for me.
http://docs.oracle.com/javase/tutorial/security/toolfilex/rstep1.html
#SSL certificate keystore location.
#ssl.keystore.path=conf/default.keystore
#SSL certificate keystore type (jks or PKCS12)
#ssl.keystore.type=jks
#SSL certificate keystore password.
#ssl.keystore.password=worklight
Please help me if there is any docs regarding that.
The following documentation shows instructions for "Configuring SSL between Worklight adapters and back-end servers by using self-signed certificates":
https://pic.dhe.ibm.com/infocenter/wrklight/v6r1m0/topic/com.ibm.worklight.installconfig.doc/admin/t_configuring_SSL_WL_adapters_backend_servers_certificates.html
In regards to importing the certificate into the default keystore you can do something similar to the following as described in the above documentation:
keytool -import -alias backend -file backend.crt -storetype JKS -keystore default.keystore
Please let me know if you have any trouble following these instructions. I have completed these steps on a MAC machine myself and was successful.
You can use keystore explorer (http://keystore-explorer.sourceforge.net/) , this is a great GUI tool to work with keystores and certificates. as for ssl.keystore.path you can specify both relative and absolute path to your keystore file

CertificateException when testing with arquillian on glassfish-remote

When trying to run tests with arquillian with adminHttps option set to true, got an exception:
Could not connect to DAS on: (...) | java.security.cert.CertificateException: No subject alternative names present
org.jboss.arquillian.container.spi.client.container.LifecycleException: Could not connect to DAS on: (...) | java.security.cert.CertificateException: No subject alternative names present
at org.jboss.arquillian.container.glassfish.CommonGlassFishManager.start(CommonGlassFishManager.java:77)
at org.jboss.arquillian.container.glassfish.remote_3_1.GlassFishRestDeployableContainer.start(GlassFishRestDeployableContainer.java:59)
at org.jboss.arquillian.container.impl.ContainerImpl.start(ContainerImpl.java:199)
The examples which I found were without ssl turned on.
I think that I should import a certificate, but can't find how or if it's realy that problem. Any idea? Thanks for sugestions.
Whilst the accepted answer shows that this problem was due to the use of the containers self signed certificate, it doesn't explain how the problem can be overcome. Hopefully this answer will help anyone having the same problem.
You can import the containers self signed certificate into a keystore using the following command:
keytool -import -alias glassfish -file mycert.cer -keystore truststore.jks -storepass changeit
Change mycert.cer to the location of the certificate file
Change truststore.jks to the location of the keystore you want to use to store the certificate. This can either be a new keystore or an existing one. The storepass parameter is the password for the keystore. If you are using an existing keystore then you will need to specify the password associated with the keystore.
Once you have imported the self signed certificate into the keystore you need to tell the JVM running Arquillian to use the keystore. This can be done by setting the system parameter javax.net.ssl.trustStore to the location of the keystore. For example javax.net.ssl.trustStore=truststore.jks
Problem was caused by certificate. When deploying to another server you should import certificate from that server into current machine (when usins self-signed certificates)

Configuring Glassfish as a client of web services using mutual SSL

I'm trying to request data from a web service which requires a client certificate to be presented by a client. The server uses SSL for all communications, and uses a self-signed certificate. I gave Netbeans the service's WSDL file and it generated client code with wsimport.
I have no issues when my client code is written in a regular Java application; I set the trust store to the cacerts file containing the server's certificate, set the key store to be a file provided by the server admin in JKS format containing 2 keys - a client private key and the server's public key, build the request object, and send the request.
The problem comes when I move it to an enterprise Java environment. Requirements dictate that the code must be an Enterprise JavaBean inside an Enterprise Archive running on the Glassfish application server. It appears that Glassfish has its own security settings which override the JVM's settings. When the EJB method containing the web service call runs, the SSL negotiation fails: javax.net.ssl.SSLHandshakeException: sun.security.validator.ValidatorException: PKIX path building failed: sun.security.provider.certpath.SunCertPathBuilderException: unable to find valid certification path to requested target. I don't know how to set Glassfish's security settings up like my JVM's settings, can anyone explain Glassfish's security settings? The research I have done has only shown how to set up Glassfish as a web service server, not as a web service client.
I have a .cer certificate file for the server which I added it to my trust store by using Java's keytool to add it to the default cacerts file.
Would it be better to modify cacerts file with InstallCert to include the self-signed certificate, following the steps at http://blog.johnryding.com/post/1548502059/acquire-an-ssl-certificate-for-your-java-programs-in-win?
I have the trust store file, key store file, along with a .cer certificate file and a .p12 browser certificate, stored in $JAVA_HOME/jre/lib/security and $JAVA_HOME/lib/security.
I'm using Netbeans 6.9.1 and Glassfish 3.1 Final. The relevant piece of code is below, copied from my EJB. The exception occurs at the last line.
System.setProperty("javax.net.ssl.trustStore", "C:\\jssecacerts");
System.setProperty("javax.net.ssl.trustStorePassword", "changeit");
System.setProperty("javax.net.ssl.keyStore", "C:\\userCertificate.jks");
System.setProperty("javax.net.ssl.keyStorePassword", "password");
RequestObject request = new RequestObject;
request.setQuery("some data");
request.setUsername("user");
request.setPassword("pass");
Service service = new Service();
Endpoint port = service.getWebServicePort();
Result result = port.specificWebServiceMethod(request);
I faced the same exception that Jacques Pritchard described above:
javax.net.ssl.SSLHandshakeException: sun.security.validator.ValidatorException: PKIX path building failed: sun.security.provider.certpath.SunCertPathBuilderException: unable to find valid certification path to requested target
I solved it importing the root certificate in both cacerts.jks and keystore.jks, using the following commands:
/usr/java/jdk1.6.0_25/bin/keytool -import -trustcacerts -file root_ca.cer -alias rootca -keystore cacerts.jks
/usr/java/jdk1.6.0_25/bin/keytool -import -trustcacerts -file root_ca.cer -alias rootca -keystore keystore.jks
It's important to say that the alias rootca is a name I defined myself to label the certificate. You can choose any name also.
Instead of using the global system properties, you should create a separate SSLContext for your client. Whether or not it runs within a Glassfish server doesn't really matter, then.
Here is a question that should be relevant (about client-certificates for WS): Choosing SSL client certificate in Java
I had this exact problem (with Glassfish 3.0.1).
Here are the exact steps we took to resolve this.
a. Use java keytool command to view the keystore to see what's in it. This is helpful later on to see if there are any changes. The command goes something like
keytool -list -keystore MyKeyStore.jks
b. Convert the pfx to a pem using openssl. Note that I used the correct password for the input pfx and the same password as my java keystore for the pem file output.
openssl pkcs12 -in MyPfxFile.pfx -out MyPemFile.pem
Convert the pem file to a p12 which can easily be imported into a java keystore. Note that I used the same password from my java keystore as I did on the input and output files.
openssl pkcs12 -export -in MyPemFile.pem -out MyP12File.p12
Now I finally import the p12 into my java keystore. Note that I used java 6, java 5 keytool doesn't have support for the -importkeystore argument.
keytool -importkeystore -deststorepass MyPassword -destkeystore PathToMyKeystore/keystore.jks -srckeystore MyP12File.p12 -srcstoretype PKCS12 -srcstorepass MyPassword
You can list the keystore contents here, something like this keytool -list -keystore keystore.jks just to ensure that your new key was imported correctly.
If you're lucky like I am you'll find that starting up your app server at this point will be of no use. You'll see errors like something about pkix path or something about HTTP 403 Forbidden.
The steps used above worked perfectly for Sun Application Server 9.1_1 but not for Oracle Glassfish 3.0.1. I'm thinking this has something to do with the version of JSSE used in ogs 3 compared to Sun App Server or jdk versions. Adding the jvm option below to your ogs 3 domain.xml file should resolve the issue if simply adding the client cert to the keystore didn't.
<jvm-options>-Djava.protocol.handler.pkgs=com.sun.net.ssl.internal.www.protocol</jvm-options>
I did notice that someone said to not use the jvm options statement above but it's part of the fix, don't use it and see if it works, I'll bet it won't. Maybe just changing the handlers is why it works?
Here's where I found the details: http://onjava.com/pub/a/onjava/2001/05/03/java_security.html?page=4
I also stumbled across a final issue (only for ogs 3), if you get fails every now and again I'd suggest finding the InstallCert app (its out there) and give it the following command line parameters:
I was getting these PKIX errors every third attempt at calling the web service.
Hopefully this helped someone else out. These kind of issues really make me want to rip my hair out :)
I finally got it.
Removed all the certs from my keytool.
Command Example : keytool -list -v -keystore keystore.jks -alias mydomain
I converted the cert response from server to bas64 DER and copied them into one file a .PEM, and I uploaded the .PEM into my keytool:
Command Example : keytool -importcert -keystore keystore.jks -alias mydomain -file my.pem
Then I loaded the keystore:
KeyStore myStore = KeyStore.getInstance("JKS");
InputStream keyInputx = new FileInputStream("C:\\myStore.jks");
myStore.load(keyInputx, "xxx".toCharArray());
KeyManagerFactory keyManagerFactory = KeyManagerFactory.getInstance("SunX509");
keyInputx.close();
/*Enumeration enumeration = myStore.aliases();
while (enumeration.hasMoreElements()) {
String alias = (String) enumeration.nextElement();
System.out.println("alias name: " + alias);
Certificate certificate = myStore.getCertificate(alias);
System.out.println(certificate.toString());
}*/
keyManagerFactory.init(myStore, "xxx".toCharArray());
SSLContext context = SSLContext.getInstance("TLS");
context.init(keyManagerFactory.getKeyManagers(), null, new SecureRandom());
SSLSocketFactory sockFact = context.getSocketFactory();
Lots of references around so be happy to use.