Tomcat is not picking up the keystore - ssl

I am setting up a Tomcat server which communicates with an external system through SOAP web services (I am using the external system's stubs and the Apache Axis2 library for that).
The external system is secured with SSL client/server authentication. The system provides me a keystore file in .pfx format which contains two certificates.
Things I have tried:
I have extracted those two certificates and added them to my keystore. I added the entry below to my tomcat/bin/catalina.bat file:
set JAVA_OPTS = %JAVA_OPTS% -Djavax.net.ssl.trustStore=/pathtomykeystore/cacerts -Djavax.net.ssl.keyStore=/pathtomykeystore/cacerts -Djavax.net.ssl.keyStorePassword=changeit -Djavax.net.ssl.trustStorePassword=changeit
With the above configuration my request fails with "No X.509 client certificate HTTP header found in request".
I enabled SSL logs and found that serverHelloDone is printed, and after that it says:
"No suitable client certificate could be found - continuing without client authentication"
I have tried the same thing from the SoapUI tool, where I directly configure the .pfx file as the keystore, and it is working fine there.
The difference between the Tomcat and SoapUI logs is that SoapUI successfully completes client authentication where Tomcat does not.
Also, the lines below are missing from the Tomcat SSL logs:
keystore is:
keystoreType is: jks
keystore provider is
Update 1:
I removed the keystore configuration from SoapUI -> project view -> WS Security Configuration -> keystore (this is the working configuration), added the above-mentioned JAVA_OPTS entries to the soapui.bat file, and now SoapUI also gives the same error.
Can anyone help with how SoapUI picks and sends the certificates from the keystore configured in project view -> keystore?
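As an added example (not from the original question), a small Java check for the two preconditions under which the default JSSE key manager can present a client certificate: the javax.net.ssl.keyStore* properties must actually reach the JVM, and the keystore they name must contain a private-key entry, since trusted certificate entries (what keytool creates when extracted certificates are imported) carry no private key and cannot be used for client authentication. The class name and output format are my own.

```java
import java.io.FileInputStream;
import java.io.IOException;
import java.security.GeneralSecurityException;
import java.security.KeyStore;
import java.security.cert.Certificate;
import java.security.cert.X509Certificate;
import java.util.Enumeration;

/**
 * Lists the entries of a keystore and reports how many of them a JSSE key manager
 * could actually offer as a client certificate (only private-key entries qualify).
 */
public class KeyStoreClientAuthCheck {

    /** Loads the keystore, prints each entry, and returns the number of private-key entries. */
    public static int countPrivateKeyEntries(String path, char[] password, String type)
            throws IOException, GeneralSecurityException {
        KeyStore ks = KeyStore.getInstance(type);
        try (FileInputStream in = new FileInputStream(path)) {
            ks.load(in, password);
        }
        int privateKeys = 0;
        for (Enumeration<String> aliases = ks.aliases(); aliases.hasMoreElements();) {
            String alias = aliases.nextElement();
            boolean hasKey = ks.isKeyEntry(alias);        // PrivateKeyEntry or SecretKeyEntry
            Certificate cert = ks.getCertificate(alias);  // null for a SecretKeyEntry
            String kind = !hasKey ? "trustedCertEntry" : cert != null ? "PrivateKeyEntry" : "SecretKeyEntry";
            String subject = cert instanceof X509Certificate
                    ? ((X509Certificate) cert).getSubjectX500Principal().getName() : "(no certificate)";
            if (hasKey && cert != null) {
                privateKeys++;                            // key plus certificate chain: usable for client auth
            }
            System.out.printf("%-20s %-18s %s%n", alias, kind, subject);
        }
        return privateKeys;
    }

    public static void main(String[] args) throws Exception {
        // Read exactly the properties the default JSSE key manager reads, e.g.
        //   java -Djavax.net.ssl.keyStore=client.pfx -Djavax.net.ssl.keyStoreType=PKCS12 \
        //        -Djavax.net.ssl.keyStorePassword=changeit KeyStoreClientAuthCheck
        String path = System.getProperty("javax.net.ssl.keyStore");
        String password = System.getProperty("javax.net.ssl.keyStorePassword", "");
        String type = System.getProperty("javax.net.ssl.keyStoreType", KeyStore.getDefaultType());
        if (path == null || path.isEmpty()) {
            System.out.println("javax.net.ssl.keyStore is not set in this JVM; no client certificate can be sent.");
            return;
        }
        int n = countPrivateKeyEntries(path, password.toCharArray(), type);
        System.out.println(n == 0
                ? "No private-key entry: the handshake will continue without client authentication."
                : n + " private-key entry/entries available for client authentication.");
    }
}
```

Run it with the same -D options you pass to Tomcat or SoapUI; a .pfx file must be loaded with -Djavax.net.ssl.keyStoreType=PKCS12, while a cacerts copy is JKS.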

Related

JMeter JMS samplers not attaching Client SSL certificate (self signed certificate)

I am running a JMS point-to-point sampler for TIBCO EMS queue testing. I have added all the TIBCO EMS jars to the JMeter lib folder and configured the queue details, context factory and user credentials in the JMS sampler.
When hitting TIBCO EMS with a tcp URL for the queue, it works, but when hitting it with an SSL URL it fails to connect.
I tried the following ways to attach the self-signed certificate given by the TIBCO team:
Added the .pem file (only the BEGIN/END CERTIFICATE section) to the Java JDK cacerts file and opened JMeter from the command line with -Djavax.net.ssl.keystore=cacerts and the password. The SSL request failed to connect to the TIBCO EMS server.
Extracted the certificate from the server with openssl -connect commands, copied the BEGIN/END CERTIFICATE sections to a .cer file and used keytool to add them to a truststore. Started JMeter with this truststore; the JMS sampler still failed.
I understand the SSL certificate is not getting attached to the JMS sampler when we are running it. Can someone help out with steps to successfully attach the SSL certificate to the JMS request?
Looking into Configuring EMS over SSL on Application Servers I think you need to provide the following Java System properties:
com.tibco.tibjms.naming.security_protocol=ssl
jsse.providerClass=com.ibm.jsse2.IBMJSSEProvider2
com.tibco.tibjms.ssl.expected_hostname=xxxx
com.tibco.tibjms.ssl.enable_verify_host_name=false
com.tibco.tibjms.ssl.enable_verify_host=false
com.tibco.tibjms.ssl.trusted=/path/to/your/certificate.pem
The properties can either be put into the system.properties file (which lives in the "bin" folder of your JMeter installation) or passed via -D command-line arguments like:
jmeter -Dcom.tibco.tibjms.naming.security_protocol=ssl -Djsse.providerClass=com.ibm.jsse2.IBMJSSEProvider2 ....
References:
Java Secure Socket Extension (JSSE) Reference Guide
TibjmsContext
TibjmsSSL
Apache JMeter Properties Customization Guide
Overriding Properties Via The Command Line

Mule MMC Alert - Url Health check not working for HTTPS

I'm creating an alert using the URL health check for HTTPS in Mule MMC. When I configure an HTTP URL it works fine. But for HTTPS, how can I achieve the health check (https://apps:8089/check)? Since it is a secured connection and there is no option for a keystore path, where can I place my certificate? Obviously the alert shows me 'SSL handshake error' (because there is nowhere I can configure the certificate).
How can I configure an HTTPS URL in MMC (the Mule MMC documentation also only covers HTTP, not HTTPS)? Hopefully there is some way.
Let me know whether it is possible or not, and if so, how to achieve it. Help will be really appreciated.
I assume you are running MMC in a container such as Tomcat, GlassFish or JBoss. All these containers use a JRE/JDK (depending on what you have configured). If you are trying to invoke an HTTPS URL from MMC, the relevant certificate (for the HTTPS URL) must be imported into the JDK/JRE trust store, so that when the HTTPS URL within MMC is invoked in the JVM (the one running MMC in Tomcat/GlassFish/JBoss), the relevant certificate can be recognized.
Download the certificate from the browser (by clicking on the green bar in the browser).
Use this command to import the certificate:
keytool -import -file "Path to your certificate file" -keystore "C:\Program Files\Java\jre7\lib\security\cacerts"
Once done, restart your container and try again.

IBM Worklight 6.1. Adapters. SSL working with worklight.properties but not with Liberty SSL configuration

I have read the posts about this subject but I have not found any that helps me.
I have an adapter that invokes a service using HTTPS.
It works if I do the SSL configuration using the server/conf/worklight.properties file with these properties (after importing the backend server certificate into default.keystore):
ssl.keystore.path=conf/default.keystore
ssl.keystore.type=jks
ssl.keystore.password=worklight
But if I comment out those properties and edit server.xml with this configuration:
<feature>ssl-1.0</feature>
<keyStore id="worklight" location="${server.config.dir}/default.keystore" password="worklight"/>
The adapter does not work and fails with the error:
Http request failed: javax.net.ssl.SSLPeerUnverifiedException: peer not authenticated
The "${server.config.dir}/default.keystore" file and "conf/default.keystore" file are the same file.
Is it possible to invoke HTTPS services from adapters in the Worklight Studio Liberty Profile Server without using the worklight.properties file, making the SSL configuration directly in server.xml?
Worklight does not look for SSL certificates in the Liberty keystore. If the certificate is self-signed it should be added to the keystore defined in worklight.properties or to the default OS/JVM keystore.

Issuer details are not valid. Issuer details should be registered in advance

I am trying to run a test of the SAML2 SSO using WSO2 Identity Server 4.0.0 M7 but am not successful.
I tried to use the 3.2.3 binary but ran into the bug about long hostnames and the identity.xml file (http://stackoverflow.com/questions/9600392/unable-to-configure-wso2-identity-server-for-openid).
These are the examples I'm using:
http://sureshatt.blogspot.com/2012/08/saml20-sso-with-wso2-identity-server.html
http://wso2.org/library/articles/2010/07/saml2-web-browser-based-sso-wso2-identity-server
I've stood up a new Tomcat7 server and configured it for HTTPS, which works cleanly in the browser. The certs are signed by our trusted enterprise CA and both the private key and chain certs are installed.
Same for the WSO2-IS host which has a new wso2carbon.jks with the private key signed by the same CA. I've exported the host cert from wso2carbon.jks and imported same into the client-truststore.jks. The trusted CA-signed certs are also in client-truststore.jks (at this point just to be sure). They are also in wso2carbon.jks (used to trust the CA reply).
I've changed the HostName and MgtHostName in carbon.xml to match the CN in the private key; the Carbon console comes up cleanly with no SSL issues and I can log in using the 'admin' user with no problem. From there I've updated the SSO configuration using the above example links as guides. That works with no errors.
When I go to each site (e.g., saml2.demo, avis.com, etc.) they redirect perfectly to IS to authenticate. However when I log in I get the error in the log "Issuer details are not valid. Issuer details should be registered in advance". And then I'm stuck.
What have I missed?
Have you done the 5th step of topic 2, Configuring the WSO2 Identity Server? Please check that the value you've registered as the Issuer is the same as the one that comes in the SAML Authentication Request message.

How to get the client certificate in jboss

I am using JBoss as the server and my Java program as the client. I have modified the server.xml file in JBoss to send the certificate from the server to the client; this happens automatically when the requesting client has the same domain as the domain in the server keystore.
But I want the JBoss server to validate the client certificate also. How can I send the client certificate to JBoss and receive it in JBoss?
You are trying to achieve two-way SSL, so look up "jboss two way ssl".
The steps would be similar to setting up SSL on the server; the only difference is that you would need to import the client cert into the server truststore (assuming the client cert is self-signed).