WebSphere unable to find valid certification path to requested target - ssl

I've got a WebSphere 9 server for testing web apps on my laptop. I also have Hybris running under Tomcat on my laptop (for testing also). I wrote a Java web app to test punchout functions in Hybris, that runs on my WebSphere server. It had been working, but I had to reinstall WebSphere. Since then, when I try to run my web app in WebSphere, I get this error in WebSphere:
javax.net.ssl.SSLHandshakeException: com.ibm.jsse2.util.h: PKIX path
building failed: java.security.cert.CertPathBuilderException: unable
to find valid certification path to requested target
whenever my app tries to post to Hybris.
In the administrative console of WebSphere, I used the "Retrieve from port" button to get the self-signed certificate from Hybris into the NodeDefaultTrustStore in WebSphere. Hybris is at applied.local:9002 on my laptop and the certificate looks like this:
CN=applied.local, OU=applied.local, O=applied.local, L=applied.local,
ST=WI, C=us Valid from Jul 17, 2019 to Apr 11, 2022.
All of this was working previously, but I must have broken something. I must be missing something. I don't understand why it can't "find a valid certification path" to applied.local, since the CN is applied.local, and the certificate is in the trust store in WebSphere.

I got it working, but I don't know why I had to do this to get it working. If someone can explain why - that would be great. Anyway here's what I did:
Added custom variables to WebSphere to define where cacerts was, but default values should have worked, so not sure if this had any effect. In admin console, Application servers > server1 > Java and Process Management > Process definition > Java Virtual Machine > Custom properties: javax.net.ssl.truststore (path to cacerts in WebSphere), javax.net.ssl.truststoretype jks, and javax.net.ssl.trustStorePassword changeit.
Used a browser to export the self-signed certificate Hybris was using to a file.
Used iKeyman to import the certificate into cacerts. (There are instructions on how to do this in IBM's pages.)
Restarted WebSphere and Hybris and posting from WebSphere to Hybris worked again.
What doesn't make sense to me is that I had previously imported the Hybris self-signed certificate using the "Retrieve from port" button in the admin console for the NodeDefaultTrustStore. That used to work, but now apparently I have to import it into cacerts also or instead?

Related

Firefox is not prompting for client certificate

Firefox 91.12.0
Windows 10 Enterprise for Virtual Desktops version 21H2 build 19044.1766
Visual Studio 2022 V 17.1.6
C#
.NET Core 6.0
System.Security.Cryptography.OpenSsl 5.0.0 nuget package
I am creating a certificate authority to programmatically generate client certificates. The CA (and the intermediate CA) is imported into Windows. I have created a website in IIS that uses that certificate, and it works fine with all three browsers (Edge, Chrome, Firefox).
I created another website in IIS to require client certificates, and I used my CA application to generate a client certificate. I imported that certificate using chrome, and I see that cert in MMC "Certificates - Current User" under Personal->Certificates. Both Chrome and Edge prompt for the certificate, and when I select it, it grants me access to the site, and I can see the index.html content.
Firefox does not prompt me for the certificate. In Firefox advanced preferences:
security.osclientcerts.autoload = true
security.enterprise_roots.enabled = true
I have tried to import the PFX file my app generates, within Firefox, and it prompts me for a password, but it issues the error message "The PKCS #12 operation failed for unknown reasons" ... which tells me precisely nothing.
In my research I have seen comments about certificate fields being encoded with "printable strings" rather than UTF8, but I can find no way to control this, or even control it in any way.
So what am I doing wrong? What special thing is it that Firefox needs that it isn't getting?
Edit: The issue I mentioned before, here, was that the cert did not contain PrintableStrings. I confirmed using ASN.1 Decoder that my cert does in fact use PrintableStrings for everything in the cert.
The problem was that when I generated the certificate it had the same serial number as the certificate from the CA. I changed the number to 9, and restarted Firefox, and it prompted me for the cert.
So ... apparently duplicate serial numbers among certs from the same CA are a problem for Firefox.

PKIX path building Failed error while establishing SSL connection

I was trying to establish an SSL connection to the server in my application. For this, I generated self-signed certificates and added them to the keystore as well as the Java cacerts, which is the trust store.
But when I launch my application, I keep getting the PKIX path building failed ValidatorException: unable to find valid path to requested target error.
Hence I am unable to log in to my Java application. I use Java 1.8.0_144.
Try to login to the website which IDE is complaining about, and see if you are able to access it through the browser.
If so, then check for the certificate being used in the browser and check that certificate is present in your java cacerts.
Hi, I usually generated the root CA with openssl, and importing that into cacerts with keytool never worked. You can instead generate it with this application I made out of desperation (it's a Java 11 app):
https://github.com/kendarorg/JavaCaCertGenerator
Its only purpose is to replace the generation of the private key and the root certificate, in a form "fit" for cacerts. From there you can produce the various certificates for the addresses.
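Both the WebSphere self-answer above and this question hit the same failure: the JVM validates the server's chain against one trust store, and the certificate was imported into another. The following diagnostic is an added example and is not code from any of the posters; it connects to a host with the trust store you name (or, if you name none, the store the JVM would use by default: javax.net.ssl.trustStore, else java.home/lib/security/cacerts with password changeit), records the chain the server presents, and on a PKIX failure prints that chain next to the anchors actually in the store. Host, port, path, password and store type are command-line arguments and are assumptions of this example.

```java
import java.io.File;
import java.io.FileInputStream;
import java.security.KeyStore;
import java.security.cert.CertificateException;
import java.security.cert.X509Certificate;
import javax.net.ssl.*;

// Added diagnostic (not from any of the posts): connects to host:port using a chosen
// trust store and reports what the server sent versus what the store trusts.
// Usage: java TrustPathCheck <host> <port> [trustStorePath] [password] [storeType]
public class TrustPathCheck {
    public static void main(String[] args) throws Exception {
        String host = args[0];
        int port = Integer.parseInt(args[1]);
        // Same file the JVM consults when javax.net.ssl.trustStore is not set.
        String defaultPath = System.getProperty("java.home") + File.separator + "lib"
                + File.separator + "security" + File.separator + "cacerts";
        String path = args.length > 2 ? args[2] : System.getProperty("javax.net.ssl.trustStore", defaultPath);
        String pass = args.length > 3 ? args[3] : "changeit";
        String type = args.length > 4 ? args[4] : KeyStore.getDefaultType();
        KeyStore ts = KeyStore.getInstance(type);
        try (FileInputStream in = new FileInputStream(path)) { ts.load(in, pass.toCharArray()); }
        TrustManagerFactory tmf = TrustManagerFactory.getInstance(TrustManagerFactory.getDefaultAlgorithm());
        tmf.init(ts);
        final X509TrustManager real = (X509TrustManager) tmf.getTrustManagers()[0];
        final X509Certificate[][] presented = new X509Certificate[1][];
        // Wrapper records the chain the server presented, then delegates to the real PKIX check.
        X509TrustManager recorder = new X509TrustManager() {
            public void checkClientTrusted(X509Certificate[] c, String a) throws CertificateException { real.checkClientTrusted(c, a); }
            public void checkServerTrusted(X509Certificate[] c, String a) throws CertificateException { presented[0] = c; real.checkServerTrusted(c, a); }
            public X509Certificate[] getAcceptedIssuers() { return real.getAcceptedIssuers(); }
        };
        SSLContext ctx = SSLContext.getInstance("TLS");
        ctx.init(null, new TrustManager[] { recorder }, null);
        System.out.println("Trust store: " + path + " (" + ts.size() + " entries)");
        try (SSLSocket s = (SSLSocket) ctx.getSocketFactory().createSocket(host, port)) {
            s.startHandshake();
            System.out.println("Handshake OK, peer: " + s.getSession().getPeerPrincipal());
        } catch (SSLHandshakeException e) {
            System.out.println("Handshake failed: " + e.getMessage());
            if (presented[0] != null) for (X509Certificate c : presented[0])
                System.out.println("  server sent: " + c.getSubjectX500Principal() + "  issuer: " + c.getIssuerX500Principal());
            System.out.println("Anchors in the trust store:");
            for (X509Certificate a : real.getAcceptedIssuers()) System.out.println("  " + a.getSubjectX500Principal());
        }
    }
}
```

If the server's self-signed certificate shows up under "server sent" but not among the anchors, the JVM is reading a different store than the one the certificate was imported into; run the same check against each candidate cacerts file to find the one the server actually uses.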

IBM MQ: Establishing an SSL connection

We're struggling to get IBM MQ to work across SSL.
We've been provided with the certificate chain for the remote host and installed it into the Windows Certificate Store (Local Machine). These all look valid.
We're using the following connection properties:
connectionProperties.Add(MQC.SSL_PEER_NAME_PROPERTY, "other-server.com");
connectionProperties.Add(MQC.SSL_CIPHER_SUITE_PROPERTY, "TLS_RSA_WITH_AES_256_CBC_SHA256");
connectionProperties.Add(MQC.SSL_CIPHER_SPEC_PROPERTY, "TLS_RSA_WITH_AES_256_CBC_SHA256");
connectionProperties.Add(MQC.SSL_CERT_STORE_PROPERTY, "*SYSTEM");
connectionProperties.Add("CertificateLabel", "ibmwebspheremqmywindowsusernamewithoutdomain");
MQEnvironment.SSLCertRevocationCheck = true;
We've established that the "CertificateLabel" is the "Friendly name" in Windows parlance.
We've proven unencrypted communication and network-level configuration.
We're using 8.0.0.7 client.
These are the issues we've come across:
All secure communications fail with a 2538 error. (MQRC_HOST_NOT_AVAILABLE, https://www.ibm.com/support/knowledgecenter/en/SSFKSJ_7.5.0/com.ibm.mq.tro.doc/q045380_.htm)
No success setting the Friendly Name to ibmwebspheremq and ibmwebspheremqmywindowsusername#domain and ibmwebspheremqmywindowsusernamewithoutdomain
General questions:
Are we correct in assuming that we can install generated certificates exclusively in the Windows Certificate Store?
Is the 2538 error even related to SSL communications? It feels like a network error, though there is that final point in the referenced error documentation.
Is there anywhere we can look for more informative error information? E.g. relating to the SSL trust chain, to see if there is an issue there?
The issue was the following line:
connectionProperties.Add(MQC.SSL_PEER_NAME_PROPERTY, "otherserver.com");
Turns out that:
It needs it in a canonical format, so DN=, etc.
You don't even need that line
Though we did learn a few things along the way:
The line:
connectionProperties.Add("CertificateLabel", "ibmwebspheremqmyusername");
is the string ibmwebspheremq plus your Windows username (without your domain), and the label should be set on the Friendly name of your client machine's outgoing certificate NOT including the username.
The various folders inside your Windows certificate store are significant. The intermediate CAs should be correctly filed.

EppLib.net - Which SSL Certificate to use

When using EppLib.net (and as per the Nominet instructions - http://registrars.nominet.uk/namespace/uk/registration-and-domain-management/registrar-systems/epp/testbed):
In order to verify the identity of the secure server you will need the 'Verisign Class 3 Public Primary Certification Authority' root certificate available free from www.verisign.com (the certificate is also distributed with most web browsers).
I am supplying the Verisign Class 3 PPCA Certs in .crt format (I can't export as a pfx) within the code (and have tried every cert installed on the server).
However each one fails with the error (when trying to negotiate the connection):
An existing connection was forcibly closed by the remote host.
I've confirmed that I can connect from the server to Nominet by running cURL
curl -v https://testbed-epp.nominet.org.uk:700
and that responds as I would expect - or at least without an error!
I have also tried to use the same cert that curl appears to be using without success.
Can anyone help with pointing me in the right direction with the SSL that I should be using or how to get hold of the correct certificate?
thanks in advance
For anyone having a similar issue, it wasn't a question of which SSL certificate to use, but to ensure the correct protocol was being used. Incidentally, I got it working initially using the curl-ca-bundle.crt provided with cURL.
This certificate, in combination with a change to the target .net framework for the EppLib.net project resolved my issue.
On cloning from Github the target was .net 4.0 and Nominet needs at least TLS1.1, which wasn't available in v4.
Therefore I also updated the target to 4.5.1 for the EppLib.net project and changed the SslProtocol from SslProtocol.Tls to SslProtocol.Tls12.

ColdFusion SSL authentication failure

I have a simple cfhttp request (a login) going out to an SSL server:
<cfhttp url="https://www2.[domain].com/api/user/login" method="POST" port="443" >
<cfhttpparam type="formfield" name="username" value="[username]" >
<cfhttpparam type="formfield" name="password" value="[password]" >
</cfhttp>
The request fails before it begins, and the ColdFusion server says:
I/O Exception: peer not authenticated
Both development environments work smashingly. They receive the login session and then hand that to the collector process which successfully taps the remote web service for data.
After I spent a day trying to get the correct certificate into the ColdFusion stores, I had the bright idea to actually compare them to the working development environments. I looked at them (keytool -list), and they are identical.
Now that the obvious is absolved the questions I'm left with are twofold:
Is there some other certificate repository I need to check? Or, alternately, is there a place where I can get ColdFusion to tell me which certificate repository it needs to find the certificate IN (on the off chance it can and has been altered), or is that even possible?
Identify and correct whatever else could be causing this.
Are the development and production environments the same? Are they all, for example, ColdFusion 9 Standard or ColdFusion 8 Enterprise?
In my experience, this error is usually caused by one of two things:
The administrator failed to install the certificate into the cacerts repository, or they installed it into the wrong one.
ColdFusion Enterprise and ColdFusion Developer edition (for ColdFusion 8 and ColdFusion 9 both, I believe) have an issue with the built-in BSafe CryptoJ library that is installed and certain types of certificates (I have not yet been able to determine a pattern) that causes this error. There are some workarounds if this is the case.
First, I would explore the possibility that you are importing into the wrong certificate repository. It can be hard to tell which repository is being used. In your CF Admin under "Settings Summary" you should be able to find the location of the JRE that is being used. It is listed under "Java Home". Take that directory and add lib/security to the end of it, and that should be the location of the cacerts file that is being used. I say should because I have seen at least one weird situation where it was not.
I HAD the same problem and I tried everything and couldn't fix it. The strange thing is that everything worked fine, then suddenly stopped working. It might be a Java update on the server causing the problem, or a change of the certificate from the website the CFHTTP is trying to access.
Anyway, here is a link I setup for a "demo" of this problem:
http://www.viaromania.eu/https.cfm
As you can see, I am trying to access an HTTPS service using the CFHTTP tag. And it is not working. I deleted the certificate from C:\ColdFusion9\runtime\jre\lib\security\cacerts, generated a new one from the website URL, imported it back, installed "certman" under CFID/administrator, checked the certificate, it's there... and it's listed in my test page.
If you scroll to the bottom of my test page, you'll see a similar CFHTTP to https://www.google.com and this works fine, even if there is no certificate installed on the server.
It is important to mention that the request is working just perfect on my development machine, and here I also don't have any certificate installed...
AND THIS IS HOW I FIXED IT
1. Updated ColdFusion 9.0.2 with this - https://helpx.adobe.com/coldfusion/kb/cumulative-hotfix-1-coldfusion-902.html
2. Installed Java JDK 1.7.0_79 from here http://www.oracle.com/technetwork/java/javase/downloads/jdk7-downloads-1880260.html
3. Changed the Java Home in ColdFusion Administrator / Server Settings → Java and JVM from "C:\ColdFusion9\runtime\lib\jre" to "C:\Program Files\Java\jdk1.7.0_79\jre"
That's it. I don't know if it uses any certificate or not. They were installed in the "C:\ColdFusion9\runtime\lib\jre\lib\security\cacerts" and not moved from there or anything.