I am passing certificates in RestTemplate request header. I get 403 forbidden error. How can I display the certificate information at my end before I make a call to the web service? I am using below code to pass certificate in request header.
What is the right way to send a client certificate with every request made by the resttemplate in spring?
Not sure about 403 as I'm newbie on certs & stuff, but for your other questions(I know this is late but might help someone who come across to this page) :
Java Keytool Commands for Checking :
keytool comes with JDK
If you need to check the information within a certificate, or Java keystore, use these commands.
Check a stand-alone certificate :
keytool -printcert -v -file mydomain.crt
Check which certificates are in a Java keystore :
keytool -list -v -keystore keystore.jks
Check a particular keystore entry using an alias :
keytool -list -v -keystore keystore.jks -alias mydomain
First, I would suggest to verify in your rest client whether you're able to access the rest endpoint or not by importing cert & key files:
https://www.getpostman.com/docs/v6/postman/sending_api_requests/certificates
Helpful links:
https://www.sslshopper.com/article-most-common-java-keytool-keystore-commands.html
Related
I got a serious problem while making an SSL request to the server with SOAPUI. I am a newbie in SoapUI and maybe I did something wrong while I'm trying to import the certificate into SOAPUI.
My client sends me:
Root CA
Intermediate CA
SSL CA
Private Key
I am using keytore to generate keystore with password by command
keytool -genkey -alias soapui -keyalg RSA -keystore soapui.keystore
And then I tried to export the this keystore with my SSL CA
keytool -export -alias soapui -file SSL.cer -keystore soapui.keystore
And then I import this into Keystores in the SoapUI.
However, I got the error
ERROR:java.security.KeyStoreException: Can't build keystore: [Private key missing (bad password?)]
I have no idea where am I wrong?
Could anyone please indicate what are the steps I should work on to make the SSL request to SoapUI?
Please help
Thank you.
I assume you need to make a Two-Way SSL connection with client cetificate.
Firstly you need to make a keystore (JKS) containing:
your private key
all certificates upwards including the root CA
Maybe using https://keystore-explorer.org/ may help you to understand and verify the content of your keystore.
There are multiple ways to configure the client certificate in SoapUI:
If you use the global configuration (File - Preferences - SSL Settings), there is only one password to be set. Make sure your keystore password and key password are equal.
If you use the setup on the project level, you are allowed to enter two passwords.
I want a authentication flow for certificate authentication in keycloak and followed this docs from keycloak.
i generated the keystore and truststore with these commands
keytool.exe -genkey -keyalg RSA -alias localhost -keystore keystore.jks -storepass password123 -validity 360
keytool.exe -export -alias localhost -file localhost.cer -keystore keystore.jks
keytool.exe -import -v -trustcacerts -alias localhost -file localhost.cer -keystore truststore.jks
and also made the changes in xml file, now in the troubleshooting part I'm not getting how to generate client_cert.crt and client_cert.key. also it is mentioned they need to be in .pem format.
Can somebody help how i move forward with this ?
I assume that you want mutual SSL between users and keycloak?, I've tried to do the same thing, but it didnt work, i've tried every thing on keycloak doc, but users were never prompted to choose a cert, eventually i used wildfly official documentation, and it finnaly worked!
src: https://docs.wildfly.org/18/WildFly_Elytron_Security.html#configure-ssltls
Based on what you provided I suggest you to double-check if all instructions were followed.
Have you configured a X509 Browser flow?
This flow should be selected for authentication through KC> Authentication> Bindings
The source identity is also an important part to map the certificate to an user, so check if this is properly configured as well.
On my side I tried a mapping by Serial Number, and it works.
I had to create an user attribute called usercertificate with a value of 0D (my certificate Serial Number) in Keycloak > Users > [testuser] > Attributes.
The certificate was imported in my browser, and during authentication phase my browser popups the browser certificate for selection.
Context of my problem :
I'm working with apache camel in servicemix, and i'm developing a bundle. In this bundle, the following endpoint is defined in a route :
<to uri="https4://URL_I_WANT_TO_CONNECT_TO?proxyAuthHost=MY_PROXY_HOST_NAME&proxyAuthPort=MY_PROXY_PORT&sslContextParameters=mySslContextParameters" />
As you can see in the value of the "uri" attribute, i use a HTTP proxy.
My goal is to do a HTTP POST request to the "URL_I_WANT_TO_CONNECT_TO". I've been given 3 certificates (3 ".cer" files, and according to the names of these files i guess there is one for the server, one for the CA and one for CA intermediate). Let's name these 3 certificates "cert_server.cer", "cert_ca.cer", and "cert_ca_intermediate.cer".
I created a file named "keystore.jks" using the tool "keytool". This creation was done by executing the three following commands in this order :
keytool -import -keystore keystore.jks -file cert_server.cer -alias "server"
keytool -import -keystore keystore.jks -file cert_ca.cer -alias "ca"
keytool -import -keystore keystore.jks -file cert_ca_intermediate.cer -alias "ca_intermediate"
Note : i used the same password for all certificates
Then i added the file "keystore.jks" and the 3 certificates in the java project corresponding to my bundle, and defined the following sslContextParameters (which is referenced in the value of the "uri" attribute of the previously defined endpoint) in the blueprint file of my bundle :
<sslContextParameters id="mySslContextParameters"
xmlns="http://camel.apache.org/schema/blueprint">
<keyManagers keyPassword="abcde">
<keyStore resource="/key/keystore.jks" password="abcde" />
</keyManagers>
</sslContextParameters>
The problem is that it doesn't work (i don't manage to connect to "URL_I_WANT_TO_CONNECT_TO"), and the only information i have is the following log message : "Error : Remote host closed connection during handshake". I have no idea how to solve the problem.
Could the HTTP proxy be the source of the problem?
Thank you for any help.
Best regards
If your certificates are used to contact the SSL server (and not to authenticate), have a look at TrustManagersParameters (and not KeyStoreParameters).
http://camel.apache.org/camel-configuration-utilities.html#CamelConfigurationUtilities-TrustManagersParameters
For couple of days I'm trying to set up my development environment for certificate-based client authentication and it just don't want to work. I'm using the Glassfish 4 documentation (security guide) and creating according to it self signed client certificate for test purposes but I'm not sure what I'm missing, since there is not complete description of the whole process. When I enable Client Authentication for my Http-Listener and don't get any error message in the server log, but when I try to connect from a browser I just cannot establish a connection with the server. Without this option my web application is working just fine. In chrome I see the following message:
This site can’t be reached
127.0.0.1 refused to connect.
ERR_CONNECTION_REFUSED
And in firefox:
The connection to 192.168.1.9:8181 was interrupted while the page was loading.
So for me it seems that something (unfortunately I cannot understand what exactly) is happening, but a connection cannot be established.
Since the setup is pretty complex I'm looking for a tutorial or how-to page which has step by step instruction, but any help and advise will be higly appreciated.
Ok, I finally got it how it works :) I found very good step by step instructions in the book Java EE 7 with GlassFish 4 Application Server, Chapter 9, The cerrtificate realm (p. 247)
One have to basicly do the following 3 Steps:
Create Client Certificate
1.1 Generate a self-signed certificate:
keytool -genkey -v -alias myalias -keyalg RSA -storetype PKCS12 -keystore clientCert_1.p12 -storepass wonttellyou -keypass wonttellyou
1.2 Import it in a browser
NB!: When the certificate is not imported the browser doesn't ask for it, but instead returns a connection error message, which for me is pretty misleading.
Export the certificate from step 1. into a format that Glassfish can understand
keytool -export -alias myalias -keystore clientCert_1.p12 -storetype PKCS12 -storepass wonttellyou -rfc -file clientCert_1.cer
RESULT => Certificate stored in file clientCert_1.cer
Since we issued a self-signed certificate, in order for GlassFish to accept our certificate, we need to import it into the cacerts keystore.
keytool -import -v -trustcacerts -alias myalias -file clientCert_1.cer -keystore ../cacerts.jks -keypass changeit -storepass changeit
Note
The part: -import -v -trustcacerts is not in the book, but without
it the keytool may crash throwing an exception.
changeit is the default glassfish password
Finally one needs to setup the application server for certificate based client authentication, which has two parts. The first one is adding the a login configuration to web.xml:
...
<login-config>
<auth-method>CLIENT-CERT</auth-method>
<realm-name>certificate</realm-name>
</login-config>
...
And the second one is configuring the role mapping in glassfish-web.xml, so that your application has a corresponding role for that login. It looks like this:
...
<security-role-mapping>
<role-name>YOUR_ROLE</role-name>
<group-name>YOUR_GROUP</group-name>
<principal-name>CN=Test User, OU=n/a, O=Test User, L=Cologne, ST=NRW, C=DE</principal-name>
</security-role-mapping>
...
For more detailed information, about key generation and setting up your glassfish consult the book.
And finally one more thing which was confusing for me. Over the admin interface one can find the SSL configuration tab of an existing http-listener. You don't have to enable the Client Authentication option!
I'm having trouble getting ColdFusion to connect to a secure FTP server that uses a self-signed certificate. The connection just times out. I've tested the setup in an FTP client and it works, but you must accept an 'unknown certificate.'
The code, though it's not very helpful:
<cfftp
connection="ftp"
action="open"
server="server"
username="username"
password="password"
port="23456"
passive="true"
secure="true"
/>
Here's the error I get from ColdFusion:
Verify your connection attributes: username, password, server, fingerprint, port, key, connection, proxyServer, and secure (as applicable). Error: Session.connect: java.net.SocketTimeoutException: Read timed out.
Does anyone know if it's possible to accept the certificate? Or if that's even the problem?
I am not sure about cfftp but for cfhttp requests to sites with a self-signed certificate you have to import their certificate into the Java keystore on your ColdFusion server. So you might want to give that a try.
I always export the certificate in DER format
The command to import should be something like this:
keytool -import -v -alias giveUniqueName -file filename.cer -keystore cacerts -storepass thePassword
Here is the command line to verify an imported certificate:
keytool -list -v -keystore cacerts -alias giveUniqueName -storepass thePassword
I did not include the password here but am pretty sure you can Google it. If not, send me a message and I can give it to you.
Also, you may need to supply pathing information depending on where you run the keytool commands from and where your certificate file resides.
Another note, be sure you are updating the correct cacerts file that ColdFusion is using. In case you have more than one JRE installed on that server. You can verify the JRE ColdFusion is using from the administrator under the 'System Information'. Look for the Java Home line.
Oh - and you have to restart ColdFusion after making the import.
UPDATE FOR CF10
I found a forum discussion (here) talking about installing certificates on CF10. The keytool commands appear to be slightly different in their example. In case it is a bit different than CF9, here is what they said:
keytool -importcert -alias giveUniqueName -trustcacerts -file filename.cer -keystore cacerts -storepass thePassword
Trust this certificate? [no]: y
It looks like the verification command line has not changed.