Recently We have enabled SSL on AEM and after that we are facing issue to connect with third party services.
For some services we are getting
javax.net.ssl.SSLException: java.security.ProviderException: Could not derive key
Any pointers on how to resolve this issue?
Thanks,
Nidhi
I had this issue a while ago. The cert file was not installed to the java keystore in my case.
Ensure the cert file is installed to the java keystore. This command will list the installed certs, check if your cert is in there, you can search by the alias that was used to install the cert.
keytool -list -v -keystore $JAVA_HOME/jre/lib/security/cacerts
This will help you import to keystore if cert is not installed
keytool -importcert -file certificate.cer -keystore keystore.jks -alias "Alias"
You can also search by the alias that was used to install the cert
keytool -list -v -keystore keystore.jks -alias youralias
If you have multiple versions of java installed, ensure java_home points to the location of java where the cert is installed. Also check if PATH contains the same path.
Related
I'm tinkering with a self-signed certificate on RH Linux 7 for a tomcat instance, but having a hell of a time so that I don't have browser warnings. I've followed this guys instructions here (Getting Chrome to accept self-signed localhost certificate) and tried importing the .crt into my tomcat instance using keytool. Using the following commands -
Create the keystore - keytool -keysize 2048 -genkey -alias tomcat -keyalg RSA -keystore tomcat.keystore
Import the myCA.pem file created in the stackoverflow steps - keytool -import -alias intermed -keystore tomcat.keystore -trustcacerts -file myCA.pem
And finally import the .crt created from the stackoverflow - keytool -import -alias tomcat -keystore tomcat.keystore -trustcacerts -file signed.crt
Now on the Linux 7 box I can access server.domain.com:8443 or server:8443 with a warning, but on my Windows workstation I can only access server:8443, not the FQDN. I've imported both the myCa.pem and signed.crt into my computer as trusted root authorities.
What am I doing wrong? Thanks much!
What I could understand is . You have generated SSL certs and imported in you machine.
Hope you have updated the conf/server.xml with ssl information . After updating restart the service and check
For couple of days I'm trying to set up my development environment for certificate-based client authentication and it just don't want to work. I'm using the Glassfish 4 documentation (security guide) and creating according to it self signed client certificate for test purposes but I'm not sure what I'm missing, since there is not complete description of the whole process. When I enable Client Authentication for my Http-Listener and don't get any error message in the server log, but when I try to connect from a browser I just cannot establish a connection with the server. Without this option my web application is working just fine. In chrome I see the following message:
This site can’t be reached
127.0.0.1 refused to connect.
ERR_CONNECTION_REFUSED
And in firefox:
The connection to 192.168.1.9:8181 was interrupted while the page was loading.
So for me it seems that something (unfortunately I cannot understand what exactly) is happening, but a connection cannot be established.
Since the setup is pretty complex I'm looking for a tutorial or how-to page which has step by step instruction, but any help and advise will be higly appreciated.
Ok, I finally got it how it works :) I found very good step by step instructions in the book Java EE 7 with GlassFish 4 Application Server, Chapter 9, The cerrtificate realm (p. 247)
One have to basicly do the following 3 Steps:
Create Client Certificate
1.1 Generate a self-signed certificate:
keytool -genkey -v -alias myalias -keyalg RSA -storetype PKCS12 -keystore clientCert_1.p12 -storepass wonttellyou -keypass wonttellyou
1.2 Import it in a browser
NB!: When the certificate is not imported the browser doesn't ask for it, but instead returns a connection error message, which for me is pretty misleading.
Export the certificate from step 1. into a format that Glassfish can understand
keytool -export -alias myalias -keystore clientCert_1.p12 -storetype PKCS12 -storepass wonttellyou -rfc -file clientCert_1.cer
RESULT => Certificate stored in file clientCert_1.cer
Since we issued a self-signed certificate, in order for GlassFish to accept our certificate, we need to import it into the cacerts keystore.
keytool -import -v -trustcacerts -alias myalias -file clientCert_1.cer -keystore ../cacerts.jks -keypass changeit -storepass changeit
Note
The part: -import -v -trustcacerts is not in the book, but without
it the keytool may crash throwing an exception.
changeit is the default glassfish password
Finally one needs to setup the application server for certificate based client authentication, which has two parts. The first one is adding the a login configuration to web.xml:
...
<login-config>
<auth-method>CLIENT-CERT</auth-method>
<realm-name>certificate</realm-name>
</login-config>
...
And the second one is configuring the role mapping in glassfish-web.xml, so that your application has a corresponding role for that login. It looks like this:
...
<security-role-mapping>
<role-name>YOUR_ROLE</role-name>
<group-name>YOUR_GROUP</group-name>
<principal-name>CN=Test User, OU=n/a, O=Test User, L=Cologne, ST=NRW, C=DE</principal-name>
</security-role-mapping>
...
For more detailed information, about key generation and setting up your glassfish consult the book.
And finally one more thing which was confusing for me. Over the admin interface one can find the SSL configuration tab of an existing http-listener. You don't have to enable the Client Authentication option!
I'm having trouble getting ColdFusion to connect to a secure FTP server that uses a self-signed certificate. The connection just times out. I've tested the setup in an FTP client and it works, but you must accept an 'unknown certificate.'
The code, though it's not very helpful:
<cfftp
connection="ftp"
action="open"
server="server"
username="username"
password="password"
port="23456"
passive="true"
secure="true"
/>
Here's the error I get from ColdFusion:
Verify your connection attributes: username, password, server, fingerprint, port, key, connection, proxyServer, and secure (as applicable). Error: Session.connect: java.net.SocketTimeoutException: Read timed out.
Does anyone know if it's possible to accept the certificate? Or if that's even the problem?
I am not sure about cfftp but for cfhttp requests to sites with a self-signed certificate you have to import their certificate into the Java keystore on your ColdFusion server. So you might want to give that a try.
I always export the certificate in DER format
The command to import should be something like this:
keytool -import -v -alias giveUniqueName -file filename.cer -keystore cacerts -storepass thePassword
Here is the command line to verify an imported certificate:
keytool -list -v -keystore cacerts -alias giveUniqueName -storepass thePassword
I did not include the password here but am pretty sure you can Google it. If not, send me a message and I can give it to you.
Also, you may need to supply pathing information depending on where you run the keytool commands from and where your certificate file resides.
Another note, be sure you are updating the correct cacerts file that ColdFusion is using. In case you have more than one JRE installed on that server. You can verify the JRE ColdFusion is using from the administrator under the 'System Information'. Look for the Java Home line.
Oh - and you have to restart ColdFusion after making the import.
UPDATE FOR CF10
I found a forum discussion (here) talking about installing certificates on CF10. The keytool commands appear to be slightly different in their example. In case it is a bit different than CF9, here is what they said:
keytool -importcert -alias giveUniqueName -trustcacerts -file filename.cer -keystore cacerts -storepass thePassword
Trust this certificate? [no]: y
It looks like the verification command line has not changed.
I have a webstart application where I want to do client authentication while connecting to the server. I have created pkcs12 certificate which I install using certmgr.exe and it works fine.
I want to do for every client that uses the application. How should I do this? If I distribute the certificate
I get a bad_certificate error. I know there isn't a problem with the certifcate because it would work if you install the certificate using the browser.
I had created the public key using
keytool -export -alias myKey -keystore abc.p12" -storetype PKCS12 -storepass mypassword -rfc -file abc.cer
then I imported this file into my server's keystore for mutual authentication using:
keytool -import -v -file abc.cer -keystore C:\apache-tomcat-7.0.26\tomcat.keystore" -storepass mypassword
after this, if I install abc.p12 certificate in certmgr, it works fine.
To be able to do it from Java, I needed a truststore. I created a truststore where I import the public key using
>keytool -import -keystore client-truststore.jks -file abc.cer
If I try to access the server using
-Djavax.net.ssl.keyStore=abc.p12
-Djavax.net.ssl.keyStorePassword=mypassword
-Djavax.net.ssl.trustStore=trustore.jks
-Djavax.net.ssl.trustStorePassword=mypassword
I'm not sure if I'm doing the right thing. Please let me know what you think.
What should I be doing? Please let me know your suggestions.
You should have imported it into your server's trust store, not its keystore.
You have to import the cert to your certs file, in the JDK is the cacerts file. After do that you have to view the cert is living on the file, and you will have do that on every client.
The thing about the trust store is that you create your own JKS file.
I have just installed a new ssl certificate on GlassFish 3. I also changed all references to s1as to a new certificate alias in config/domain.xml. Everything seems to work fine, but I wonder if I have to change all "s1as" entries in
config/sun-acc.xml, wss-server-config-1.0.xml,wss-server-config-2.0.xml as well ? Do settings in these files affect anything ?
Thanks in advance.
Why you did not use
keytool -delete -alias s1as -keystore
and
keytool <opts> -keystore keystore.jks -validity <val_days> -alias s1as
instead?
sun-acc xml comes in to play while accessing EJB objects that are residing in a remote system
Bottomline is:
You would require to edit sun-acc.xml and other configs that refer to si1as