For a Java EE 7 web application we are using SSL/TLS client-cert authentication
provided by Wildfly login module.
SSL realm is properly configured with adequate truststore and keystore files on the transport level authentication is successfull, but role mapping cannot map roles as it should based on certificate subject DN for some certificates.
These certificates have cyrillic characters in subject DN which are UTF-8 encoded.
How to configure CertificatesRoles login module to treat rolesProperties file as UTF-8 encoded file?
When I set file.encoding=UTF-8 subject DN from certificate is properly read, but string from roles file is not (i checked twice, it is UTF-8 encoded).
It's a matter of Properties class implementation. This class supports ISO 8859-1 encoding. Solution is to encode UTF-8 encoded file as ISO 8859-1 encoded file by using native2ascii tool provided in Java SDK or JRE.
Related
I am setting up the tomcat server which communicate with external system through SOAP web services(I am using the external system stubs and apache Axis2 library for that).
The external system is secured with ssl client/server authentication. The system provides me keystore file in .pfx format which contains two certificates.
Things I have tried:
I have extract those two certificates and added in my keystore. I added below entry in my tomcat/bin/catalina.bat file
set JAVA_OPTS = %JAVA_OPTS% -Djavax.net.ssl.trustStore=/pathtomykeystore/cacerts -Djavax.net.ssl.keyStore=/pathtomykeystore/cacerts -Djavax.net.ssl.keyStorePassword=changeit -Djavax.net.ssl.trustStorePassword=changeit
With above configuration my request fails with No X.509 client certificate HTTP header found in request.
I have enable ssl logs then I found that serverHelloDone is printed and after that it says
"No suitable client certificate could be found - continuing without
client authentication"
The same thing I have tried from SOAPUI Tool where I directly configure .pfx file as keystore and it is working fine there
The diff between Tomcat and SOPAUI logs is
SOAPUI can successfully competing Client authentication where tomcat is not.
also below lines are missing from tomcat ssl logs
keystore is:
keystoreType is: jks
keystore provider is
Update1:
I remove the keystore configuration from SOAPUI->project view-> WS Security Configuration -> keystore (This is working configuration) and added above mentioned JAVA_OPTS entries in soapui.bat file and now SOAPUI also giving a same error.
Anyone helps arround how soap ui pick and send the certificates from keystore configured in project view->keystore
I am working on setting up ssl to secure my end points. I got a test certificate created from my org
I have recieved a .pfx file
I converted it into .pem -----> .der -------> .jks format
We have basic infrastructure to put this .jks file in a folder called ssl and it gets picked up just by using a confg file.
Next I set up Jmeter to test this. Steps Followed
set up a test recorder --> set up an http get request that takes no parameters
2.changed protocol to https ---> given port no ---> set up host and path. This is correct as I have tested it with http and it returns fine.
Now when I try to test it I get an error Certificate_Unknown error.
I have tried searching the internet and StackFlow articles about testing SSL. I also stumbled upon an article which says I need to add the certificate to my java_home cacerts. I havenot been able to successfully test it. Any pointers to what I might be doing wrong or if I could test it in some other way would be very helpful.
I am comparatively new to SSL concepts and just learnt about formats, ssl etc.
Thanks in advance. :)
You don't need to convert .pfx file into .jks as .pfx files are basically PKCS 12 certificates and JMeter supports them out of the box
I fail to see where you "tell" JMeter to use the certificate. If your " basic infrastructure to put this .jks file in a folder called ssl and it gets picked up just by using a confg file" stanza is related to JMeter - you should address this question to the "infrastructure" providers. Otherwise you need to explicitly configure JMeter to use the certificate. Just add the next lines to system.properties file:
javax.net.ssl.keyStoreType=pkcs12
javax.net.ssl.keyStore=/path/to/certificate.pfx
javax.net.ssl.keyStorePassword=your certificate password
JMeter restart will be required to pick the properties up.
I am rather confused by the purpose of the trustore file in a tomcat server.
I.e use of the truststoreFile parameter when setting up a TLS enabled connector.
According to the tomcat docs:
truststoreFile
The trust store file to use to validate client certificates. The
default is the value of the javax.net.ssl.trustStore system property.
If neither this attribute nor the default system property is set, no
trust store will be configured.
To me this is telling me that for an inbound connection to my tomcat server, this is where I would store certificates that a client would present. (e.g. a users browser)
Would I really put in 3rd party CA certificates here or other 3rd party server certificates, if my tomcat server wants to make an outbound connection to a TLS enabled server (e.g. an LDAPS server)
As per my understanding the place to do this is the cacerts file.
Is my understanding of the truststore wrong?
Yes, you are right, it is quite confusing.
If you need to make an outbound connection a 3rd party, you need to add the certificates to cacerts.
There is a very popular "signing, validation, etc." service for government-owned companies here in Spain, #firma, that just changed its wildcard server certificate and we had to add it to cacerts.
I have a version of an application that uses PKI (X509) for authentication/authorization. In an older version of apache (2.2) the DN is delimited by forward slashes (/), in the version of apache (2.4) on my new box the DN for the SAME CERTIFICATE is delimited by commas (,).
What tool does Apache use to parse the DN out of the certificate?
Not sure about the tool/library that Apache uses, but a certificate itself doesn't use delimiters.
The whole certificate is formatted in asn1 which is a tree structure right down to the components of the DN in the subject name field.
The delimiters are very likely only relevant for display purposes.
I have generated my own CA files - cacert.pem, careq.pem, cakey.pem.
The internet explained that I definitely shouldn't use PKCS#12 (.p12) as it exposes my private key and that browsers like .der format (which is binary format for pem?!). This just enhances the confusion.
From my point of understanding this http://www.cacert.org/certs/root.txt is a .pem, right? And if I cut everything out, except the "PEM armor" I get a .crt?
So the question is: how do I safely (!) distribute this root certificate for installations on client workstations (.pem, .crt, etc)?