I am having trouble setting up a mutual authentication scheme using Tomcat 7 on CentOS 7.
The server authentication is working as expected, but I am stuck on the client authentication.
The server certificate and the client certificates are issued by the same CA. My goal is to allow any client with a certificate issued by this CA.
So far, my server.xml looks like this for the concerned connector:
<Connector port="8443" protocol="org.apache.coyote.http11.Http11NioProtocol" maxThreads="150"
           scheme="https" secure="true" sslProtocol="TLSv1.2" sslEnabledProtocols="TLSv1,TLSv1.1,TLSv1.2" SSLEnabled="true"
           keystoreFile="/absolute/path/to/mykeystore.jks" keystorePass="P455W0RD" keyAlias="myalias"
           clientAuth="true"
           truststoreFile="/absolute/path/to/mykeystore.jks" truststorePass="P455W0RD"
           />
When the keystore contains the client certificate, the mutual authentication succeeds.
However, when the keystore contains only the CA, the mutual authentication fails.
I have generated my keystore with the commands below:
openssl pkcs12 -export -in server.crt -inkey server.key -out server.p12 -name myalias -CAfile ca.crt -caname root
keytool -importkeystore -deststorepass <pass> -destkeypass <pass> -destkeystore mykeystore.jks -srckeystore server.p12 -srcstoretype PKCS12 -srcstorepass <pass> -alias myalias
keytool -importcert -alias root -keystore mykeystore.jks -storepass <pass> -file ca.crt
I also tried to remove the truststoreFile and truststorePass parameters from the connector, and add the CA to the cacerts in $JAVA_HOME/jre/lib/security/, but the mutual authentication still fails.
Could you please tell me how to set up such a mutual authentication configuration?
I'm a new ActiveMQ user trying to enable SSL over Stomp with ActiveMQ. Previously I've enabled SSL over OpenWire for a CMS, and I've tried to use both the certificate setup for the CMS and a new one for Stomp.
Here is my certificate setup.
Creating the broker keystore:
keytool -genkeypair -alias broker -keyalg RSA -keysize 4096 -sigalg SHA256withRSA -validity 4383 -keystore AMQBroker.ks -storepass "password" -keypass "password" -dname "CN=localhost" -ext "SAN=DNS:localhost,DNS:%computername%.%userdomain%,IP:0.0.0.0,IP:127.0.0.1" -ext "BC:critical=ca:true" -ext "KU:critical=keyCertSign"
Creating the keystore for the CMS client:
keytool -genkey -alias client -keyalg RSA -keysize 4096 -sigalg SHA256withRSA -validity 4383 -keystore AMQClient.ks -storepass "password" -keypass "password" -dname "CN=localhost" -ext "SAN=DNS:localhost,DNS:%computername%.%userdomain%,IP:0.0.0.0,IP:127.0.0.1"
Creating truststores and importing certificates for the broker and client:
keytool -export -alias broker -keystore AMQBroker.ks -storepass "password" -file AMQBroker.crt
keytool -export -alias client -keystore AMQClient.ks -storepass "password" -file AMQClient.crt
keytool -import -alias client -keystore AMQBroker.ts -storepass "password" -file AMQClient.crt -noprompt
keytool -import -alias broker -keystore AMQBroker.ts -storepass "password" -file AMQBroker.crt -noprompt
(This was for the network connector.)
Converting the broker keystore to p12 format to export as .pem format for the CMS client:
keytool -importkeystore -srckeystore AMQBroker.ks -destkeystore AMQBroker.p12 -srcstoretype jks -deststoretype pkcs12 -srcalias broker -deststorepass "password" -destkeypass "password" -srcstorepass "password"
openssl pkcs12 -in AMQBroker.p12 -out AMQClient-ts.pem -password pass:"password" -nokeys
Converting the client keystore to p12 format to export as .pem format for the CMS client. I also grabbed the .key file for testing with Stomp.py
keytool -importkeystore -srckeystore AMQClient.ks -destkeystore AMQClient.p12 -srcstoretype jks -deststoretype pkcs12 -srcalias client -deststorepass "password" -destkeypass "password" -srcstorepass "password"
openssl pkcs12 -in AMQClient.p12 -passin pass:"password" -out AMQClient.pem -passout pass:"password"
openssl pkcs12 -info -in AMQClient.p12 -passin pass:"password" -out AMQClient.key -nodes -nocerts
Here are some certificates I generated when trying to use Stomp specifically:
openssl genrsa -out AMQStomp.key 4096
openssl req -sha256 -new -key AMQStomp.key -out AMQStomp.pem -subj "/CN=localhost" -addext "subjectAltName=DNS:localhost,DNS:%userdomain%,DNS:%computername%.%userdomain%,IP:0.0.0.0,IP:127.0.0.1"
keytool -import -alias stomp -keystore AMQBroker.ts -storepass "password" -file AMQStomp.pem -noprompt
keytool -exportcert -rfc -alias broker -keystore AMQBroker.ks -file AMQStomp-ts.pem -storepass "password"
Here's how I've set up my connection with Stomp.py:
brokerPort = 61612
stomp_key = 'C:/path/to/AMQStomp.key'
stomp_cert = 'C:/path/to/AMQStomp.pem'
ca_cert = 'C:/path/to/AMQStomp-ts.pem'
self.__conn = stomp.Connection(host_and_ports=[(brokerHost, brokerPort)],
                               auto_content_length=False,
                               use_ssl=True,
                               ssl_key_file=stomp_key,
                               ssl_cert_file=stomp_cert,
                               ssl_ca_certs=ca_cert,
                               ssl_version=ssl.PROTOCOL_TLSv1_2)
self.__conn.set_ssl(for_hosts=[(brokerHost, brokerPort)],
                    cert_file=stomp_cert,
                    key_file=stomp_key,
                    ca_certs=ca_cert,
                    ssl_version=ssl.PROTOCOL_TLSv1_2)
I've also tried the CMS certificates.
stomp_key = 'C:/path/to/AMQClient.key'
stomp_cert = 'C:/path/to/AMQClient.pem'
ca_cert = 'C:/path/to/AMQClient-ts.pem'
Here's what's currently configured in my activemq.xml:
<sslContext>
    <sslContext
        keyStore="C:/path/to/AMQBroker.ks"
        keyStorePassword="password"
        trustStore="C:/path/to/AMQBroker.ts"
        trustStorePassword="password" />
</sslContext>
<transportConnectors>
    <transportConnector name="openwire+ssl" uri="ssl://0.0.0.0:61617?needClientAuth=true&amp;maximumConnections=1000&amp;transport.enabledProtocols=TLSv1.2&amp;wireformat.maxFrameSize=104857600&amp;wireFormat.maxInactivityDuration=-1"/>
    <transportConnector name="stomp+ssl" uri="stomp+nio+ssl://0.0.0.0:61612?maximumConnections=1000&amp;transport.enabledProtocols=TLSv1.2&amp;needClientAuth=true"/>
</transportConnectors>
ACTIVEMQ_SSL_OPTS is set as:
-Djavax.net.ssl.keyStore=C:\path\to\AMQBroker.ks -Djavax.net.ssl.trustStore=C:\path\to\AMQBroker.ts -Djavax.net.ssl.keyStorePassword=password -Djavax.net.ssl.trustStorePassword=password -Djavax.net.debug=ssl
Here's the error I'm getting when trying to connect with Stomp:
2021-01-18 19:35:40,184 | ERROR | Could not accept connection from null : {} | org.apache.activemq.broker.TransportConnector | ActiveMQ BrokerService[infrastructure] Task-10
java.io.IOException: javax.net.ssl.SSLException: Unrecognized SSL message, plaintext connection?
at org.apache.activemq.transport.nio.NIOSSLTransport.initializeStreams(NIOSSLTransport.java:196)[activemq-client-5.15.9.jar:5.15.9]
at org.apache.activemq.transport.stomp.StompNIOSSLTransport.initializeStreams(StompNIOSSLTransport.java:57)[activemq-stomp-5.15.9.jar:5.15.9]
at org.apache.activemq.transport.tcp.TcpTransport.connect(TcpTransport.java:543)[activemq-client-5.15.9.jar:5.15.9]
at org.apache.activemq.transport.nio.NIOTransport.doStart(NIOTransport.java:174)[activemq-client-5.15.9.jar:5.15.9]
at org.apache.activemq.transport.nio.NIOSSLTransport.doStart(NIOSSLTransport.java:470)[activemq-client-5.15.9.jar:5.15.9]
at org.apache.activemq.util.ServiceSupport.start(ServiceSupport.java:55)[activemq-client-5.15.9.jar:5.15.9]
at org.apache.activemq.transport.TransportFilter.start(TransportFilter.java:64)[activemq-client-5.15.9.jar:5.15.9]
at org.apache.activemq.transport.stomp.StompTransportFilter.start(StompTransportFilter.java:65)[activemq-stomp-5.15.9.jar:5.15.9]
at org.apache.activemq.transport.AbstractInactivityMonitor.start(AbstractInactivityMonitor.java:169)[activemq-client-5.15.9.jar:5.15.9]
at org.apache.activemq.transport.TransportFilter.start(TransportFilter.java:64)[activemq-client-5.15.9.jar:5.15.9]
at org.apache.activemq.broker.TransportConnection.start(TransportConnection.java:1072)[activemq-broker-5.15.9.jar:5.15.9]
at org.apache.activemq.broker.TransportConnector$1$1.run(TransportConnector.java:218)[activemq-broker-5.15.9.jar:5.15.9]
at java.base/java.util.concurrent.ThreadPoolExecutor.runWorker(Unknown Source)[:]
at java.base/java.util.concurrent.ThreadPoolExecutor$Worker.run(Unknown Source)[:]
at java.base/java.lang.Thread.run(Unknown Source)[:]
2021-01-18 19:35:40,184 | DEBUG | Reason: java.io.IOException: javax.net.ssl.SSLException: Unrecognized SSL message, plaintext connection? | org.apache.activemq.broker.TransportConnector | ActiveMQ BrokerService[infrastructure] Task-10
java.io.IOException: javax.net.ssl.SSLException: Unrecognized SSL message, plaintext connection?
at org.apache.activemq.transport.nio.NIOSSLTransport.initializeStreams(NIOSSLTransport.java:196)[activemq-client-5.15.9.jar:5.15.9]
at org.apache.activemq.transport.stomp.StompNIOSSLTransport.initializeStreams(StompNIOSSLTransport.java:57)[activemq-stomp-5.15.9.jar:5.15.9]
at org.apache.activemq.transport.tcp.TcpTransport.connect(TcpTransport.java:543)[activemq-client-5.15.9.jar:5.15.9]
at org.apache.activemq.transport.nio.NIOTransport.doStart(NIOTransport.java:174)[activemq-client-5.15.9.jar:5.15.9]
at org.apache.activemq.transport.nio.NIOSSLTransport.doStart(NIOSSLTransport.java:470)[activemq-client-5.15.9.jar:5.15.9]
at org.apache.activemq.util.ServiceSupport.start(ServiceSupport.java:55)[activemq-client-5.15.9.jar:5.15.9]
at org.apache.activemq.transport.TransportFilter.start(TransportFilter.java:64)[activemq-client-5.15.9.jar:5.15.9]
at org.apache.activemq.transport.stomp.StompTransportFilter.start(StompTransportFilter.java:65)[activemq-stomp-5.15.9.jar:5.15.9]
at org.apache.activemq.transport.AbstractInactivityMonitor.start(AbstractInactivityMonitor.java:169)[activemq-client-5.15.9.jar:5.15.9]
at org.apache.activemq.transport.TransportFilter.start(TransportFilter.java:64)[activemq-client-5.15.9.jar:5.15.9]
at org.apache.activemq.broker.TransportConnection.start(TransportConnection.java:1072)[activemq-broker-5.15.9.jar:5.15.9]
at org.apache.activemq.broker.TransportConnector$1$1.run(TransportConnector.java:218)[activemq-broker-5.15.9.jar:5.15.9]
at java.base/java.util.concurrent.ThreadPoolExecutor.runWorker(Unknown Source)[:]
at java.base/java.util.concurrent.ThreadPoolExecutor$Worker.run(Unknown Source)[:]
at java.base/java.lang.Thread.run(Unknown Source)[:]
It would be quite hard to know from the data given what is going on between the client and broker over the wire, which is where you are going to need to look in order to understand what is going wrong. The broker STOMP module has a number of tests that run using an SSL configuration, which you can see here:
One means of debugging is to set the JVM option to enable debug for SSL:
-Djavax.net.debug=ssl
Review the handshake information to see where the negotiation goes wrong.
I did get this running from a smaller test file.
The following code snippet was modified from https://developers.redhat.com/blog/2018/06/14/stomp-with-activemq-artemis-python/
stomp_test.py
import time
import sys
import stomp
import ssl


class MyListener(stomp.ConnectionListener):
    def on_error(self, headers, message):
        print('received an error "%s"' % message)

    def on_message(self, headers, message):
        print('received a message "%s"' % message)


hosts = [('localhost', 61613)]
stomp_key = 'D:/FOSS/ActiveMQ/conf/AMQClient.key'
stomp_cert = 'D:/FOSS/ActiveMQ/conf/AMQClient.pem'
stomp_ca = 'D:/FOSS/ActiveMQ/conf/AMQClient-ts.pem'
conn = stomp.Connection(host_and_ports=hosts,
                        use_ssl=True,
                        ssl_key_file=stomp_key,
                        ssl_cert_file=stomp_cert,
                        ssl_ca_certs=stomp_ca,
                        ssl_version=ssl.PROTOCOL_TLSv1_2)
conn.set_ssl(for_hosts=hosts,
             cert_file=stomp_cert,
             key_file=stomp_key,
             ca_certs=stomp_ca,
             ssl_version=ssl.PROTOCOL_TLSv1_2,
             password='password')
conn.set_listener('', MyListener())
conn.connect('admin', 'admin', wait=True, headers={'client-id': 'clientname'})
conn.subscribe(destination='A.B.C.D', id=1, ack='auto',
               headers={'subscription-type': 'MULTICAST', 'durable-subscription-name': 'someValue'})
conn.send(body=' '.join(sys.argv[1:]), destination='A.B.C.D')
time.sleep(2)
conn.disconnect()
I also had to add a few more extensions to my broker's keystore (I went a little overkill):
-ext KeyUsage=digitalSignature,keyEncipherment,keyCertSign -ext ExtendedKeyUsage=serverAuth,clientAuth -ext BasicConstraints=ca:true
keytool -genkeypair -alias broker -keyalg RSA -keysize 4096 -sigalg SHA256withRSA -validity 4383 -keystore AMQBroker.ks -storepass "password" -keypass "password" -dname "CN=localhost" -ext "SAN=DNS:localhost,IP:0.0.0.0,IP:127.0.0.1" -ext KeyUsage=digitalSignature,keyEncipherment,keyCertSign -ext ExtendedKeyUsage=serverAuth,clientAuth -ext BasicConstraints=ca:true
I also removed nio from my stomp transportConnector in activemq.xml:
<transportConnector name="stomp+ssl" uri="stomp+ssl://0.0.0.0:61613?maximumConnections=1000&amp;transport.enabledProtocols=TLSv1.2&amp;needClientAuth=true"/>
I hope this helps anyone with a similar issue.
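The answer above changes two things, and the security-relevant one is the KeyUsage extension: the first broker certificate was generated with -ext "KU:critical=keyCertSign", which is a CA usage, not a usage a TLS server can sign or key-exchange with, while the corrected command adds digitalSignature and keyEncipherment plus an ExtendedKeyUsage of serverAuth,clientAuth. As an added example (not code from the page, from ActiveMQ or from the JDK), here is a stdlib-only decoder for the DER KeyUsage and ExtendedKeyUsage extension values that applies the RFC 5280 rule a TLS server or client certificate has to satisfy. The extension bytes are constructed by hand from the keytool -ext options quoted above, and tls_usable and broker_cert_verdicts are this example's own helpers; on a real certificate you would read the same extensions from openssl x509 -in cert.pem -noout -text.

```python
"""Decode X.509 KeyUsage / ExtendedKeyUsage values and check them against TLS roles.

Added example, not from the page. Extension bytes below are constructed by hand from
the keytool -ext options in the question and the answer; they are not real certificates.
"""

KEY_USAGE_BITS = [
    "digitalSignature", "nonRepudiation", "keyEncipherment", "dataEncipherment",
    "keyAgreement", "keyCertSign", "cRLSign", "encipherOnly", "decipherOnly",
]
EKU_OIDS = {
    "1.3.6.1.5.5.7.3.1": "serverAuth",
    "1.3.6.1.5.5.7.3.2": "clientAuth",
    "2.5.29.37.0": "anyExtendedKeyUsage",
}


def _read_tlv(data, pos=0):
    """Read one DER tag-length-value triple; returns (tag, value, position after it)."""
    tag, length, pos = data[pos], data[pos + 1], pos + 2
    if length & 0x80:  # long-form length: low 7 bits give the number of length bytes
        n = length & 0x7F
        length, pos = int.from_bytes(data[pos:pos + n], "big"), pos + n
    if pos + length > len(data):
        raise ValueError("truncated DER")
    return tag, data[pos:pos + length], pos + length


def _decode_oid(value):
    """Base-128 OID arcs -> dotted string (first byte packs the first two arcs)."""
    arcs, acc = [value[0] // 40, value[0] % 40], 0
    for b in value[1:]:
        acc = (acc << 7) | (b & 0x7F)
        if not b & 0x80:
            arcs.append(acc)
            acc = 0
    return ".".join(map(str, arcs))


def decode_key_usage(der):
    """KeyUsage ::= BIT STRING (RFC 5280 4.2.1.3); returns the set of named bits that are set."""
    tag, value, _ = _read_tlv(der)
    if tag != 0x03:
        raise ValueError("KeyUsage must be a BIT STRING")
    unused, bits = value[0], value[1:]          # first content byte = count of unused trailing bits
    usable_bits = len(bits) * 8 - unused
    return {name for i, name in enumerate(KEY_USAGE_BITS)
            if i < usable_bits and bits[i // 8] & (0x80 >> (i % 8))}


def decode_ext_key_usage(der):
    """ExtKeyUsageSyntax ::= SEQUENCE OF KeyPurposeId; returns names, or dotted OIDs if unknown."""
    tag, value, _ = _read_tlv(der)
    if tag != 0x30:
        raise ValueError("ExtendedKeyUsage must be a SEQUENCE")
    purposes, pos = [], 0
    while pos < len(value):
        t, oid_bytes, pos = _read_tlv(value, pos)
        if t != 0x06:
            raise ValueError("KeyPurposeId must be an OID")
        oid = _decode_oid(oid_bytes)
        purposes.append(EKU_OIDS.get(oid, oid))
    return purposes


def tls_usable(key_usage, ext_key_usage, role, key_algorithm="RSA"):
    """RFC 5280 / TLS rule (this example's helper): an absent extension imposes no
    restriction; a present KeyUsage must allow digitalSignature (signing the handshake),
    with keyEncipherment accepted only for an RSA *server* key (plain RSA key exchange);
    a present EKU must list the role's purpose or anyExtendedKeyUsage."""
    if key_usage is not None and "digitalSignature" not in key_usage:
        rsa_kx_ok = role == "server" and key_algorithm == "RSA" and "keyEncipherment" in key_usage
        if not rsa_kx_ok:
            return False
    if ext_key_usage is not None:
        wanted = "serverAuth" if role == "server" else "clientAuth"
        if wanted not in ext_key_usage and "anyExtendedKeyUsage" not in ext_key_usage:
            return False
    return True


# Constructed DER extension values (what sits inside the extnValue OCTET STRING).
KU_KEYCERTSIGN_ONLY = bytes.fromhex("03020204")   # -ext "KU:critical=keyCertSign" (original broker cert)
KU_SIG_ENC_CERTSIGN = bytes.fromhex("030202a4")   # -ext KeyUsage=digitalSignature,keyEncipherment,keyCertSign
EKU_SERVER_CLIENT = bytes.fromhex("3014" "06082b06010505070301" "06082b06010505070302")  # serverAuth, clientAuth


def broker_cert_verdicts():
    """Compare the question's broker certificate with the corrected one, in the TLS server role."""
    before = tls_usable(decode_key_usage(KU_KEYCERTSIGN_ONLY), None, "server")
    after = tls_usable(decode_key_usage(KU_SIG_ENC_CERTSIGN),
                       decode_ext_key_usage(EKU_SERVER_CLIENT), "server")
    return {"original": before, "corrected": after}


if __name__ == "__main__":
    print(sorted(decode_key_usage(KU_KEYCERTSIGN_ONLY)), sorted(decode_key_usage(KU_SIG_ENC_CERTSIGN)))
    print(decode_ext_key_usage(EKU_SERVER_CLIENT))
    print(broker_cert_verdicts())
```

The original value decodes to {keyCertSign} only, so the broker key could neither sign the handshake nor be used for RSA key exchange; the corrected value decodes to digitalSignature, keyEncipherment and keyCertSign, and the EKU lists serverAuth and clientAuth, which is what a certificate needs to serve both ends of a mutually authenticated connection.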
I have installed ActiveMQ Artemis on Linux and configured broker.xml. I am using a certificate, but ActiveMQ Artemis uses a keystore and a truststore. How do I create those, and how do I enable SSL for the MQTT protocol?
Below is the configuration in broker.xml:
<acceptor name="mqtt">tcp://0.0.0.0:1883?tcpSendBufferSize=1048576;tcpReceiveBufferSize=1048576;protocols=MQTT;useEpoll=true;
    sslEnabled=true;
    keyStorePath=home/certs/server-ks/server1.p12;keyStorePassword=abc#1234;
    trustStorePath=home/certs/server-ks/server1.p12;
    trustStorePassword=abc#1234;needClientAuth=true
</acceptor>
I have converted a certificate (.pem) into a keystore and a truststore:
keytool -import -alias rootCA -trustcacerts -file certs/ca.pem -keystore certs/activeMQ-truststore.jks
openssl pkcs12 -inkey certs/server-cert/server1.pem -in certs/server-cert/server1.pem -name server1 -export -out certs/server-ks/server1.p12
keytool -importkeystore -deststorepass abc#1234 -destkeystore certs/server-ks/server-keystore1.jks -srckeystore certs/server-ks/server1.p12 -srcstoretype PKCS12
In the same way, I have created/converted the client keystore.
I need to connect to the broker using the MQTT.FX client with a self-signed client keystore.
I am confused about how to achieve this. Please help me if anyone has an idea.
In a self-signed configuration typically you'll create a certificate for both the broker and the client, export each, and then import the broker's cert into the client's truststore and import the client's cert into the broker's truststore. You can do all this using Java's keytool command.
Take a look at the example that ships with ActiveMQ Artemis in the examples/features/standard/ssl-enabled-dual-authentication directory. It demonstrates how to do this, e.g.:
keytool -genkey -keystore server-side-keystore.jks -storepass secureexample -keypass secureexample -dname "CN=ActiveMQ Artemis Server, OU=Artemis, O=ActiveMQ, L=AMQ, S=AMQ, C=AMQ" -keyalg RSA
keytool -export -keystore server-side-keystore.jks -file server-side-cert.cer -storepass secureexample
keytool -import -keystore client-side-truststore.jks -file server-side-cert.cer -storepass secureexample -keypass secureexample -noprompt
keytool -genkey -keystore client-side-keystore.jks -storepass secureexample -keypass secureexample -dname "CN=ActiveMQ Artemis Client, OU=Artemis, O=ActiveMQ, L=AMQ, S=AMQ, C=AMQ" -keyalg RSA
keytool -export -keystore client-side-keystore.jks -file client-side-cert.cer -storepass secureexample
keytool -import -keystore server-side-truststore.jks -file client-side-cert.cer -storepass secureexample -keypass secureexample -noprompt
Your acceptor will need both sslEnabled=true and needClientAuth=true.
I have a Debian virtual machine with Tomcat installed. I would like to install an SSL certificate so that my website is served over HTTPS.
I received the following certificate files with my VM:
my-domain.cer my-domain.chain.crt.pem my-domain.crt.pem
my-domain.csr my-domain.key my-domain.ch.p7c
I created a keystore with the following command:
keytool -import -trustcacerts -alias tomcat -keystore keystore.jks -file my-domain.cer
Then I modified the conf/server.xml file with the following code:
<Connector acceptCount="100" bindOnInit="false" connectionTimeout="20000" disableUploadTimeout="true" enableLookups="false"
           maxHttpHeaderSize="8192" maxThreads="150" minSpareThreads="25" useBodyEncodingForURI="true"
           keyAlias="tomcat" keystoreFile="/usr/local/tomcat/ssl/keystore.jks" keystorePass="PASSWORD" keystoreType="JKS"
           port="8443" protocol="org.apache.coyote.http11.Http11NioProtocol" scheme="https" secure="true"
           sslEnabledProtocols="TLSv1.2,TLSv1.3" SSLEnabled="true" clientAuth="false"/>
Unfortunately, I get the following error when starting Tomcat:
org.apache.catalina.LifecycleException: Protocol handler initialization failed
at org.apache.catalina.connector.Connector.initInternal(Connector.java:983)
at org.apache.catalina.util.LifecycleBase.init(LifecycleBase.java:136)
at org.apache.catalina.core.StandardService.initInternal(StandardService.java:535)
at org.apache.catalina.util.LifecycleBase.init(LifecycleBase.java:136)
at org.apache.catalina.core.StandardServer.initInternal(StandardServer.java:1055)
at org.apache.catalina.util.LifecycleBase.init(LifecycleBase.java:136)
at org.apache.catalina.startup.Catalina.load(Catalina.java:585)
at org.apache.catalina.startup.Catalina.load(Catalina.java:608)
at sun.reflect.NativeMethodAccessorImpl.invoke0(Native Method)
at sun.reflect.NativeMethodAccessorImpl.invoke(NativeMethodAccessorImpl.java:62)
at sun.reflect.DelegatingMethodAccessorImpl.invoke(DelegatingMethodAccessorImpl.java:43)
at java.lang.reflect.Method.invoke(Method.java:498)
at org.apache.catalina.startup.Bootstrap.load(Bootstrap.java:306)
at org.apache.catalina.startup.Bootstrap.main(Bootstrap.java:491)
Caused by: java.lang.IllegalArgumentException: jsse.alias_no_key_entry
at org.apache.tomcat.util.net.AbstractJsseEndpoint.createSSLContext(AbstractJsseEndpoint.java:99)
at org.apache.tomcat.util.net.AbstractJsseEndpoint.initialiseSsl(AbstractJsseEndpoint.java:71)
at org.apache.tomcat.util.net.NioEndpoint.bind(NioEndpoint.java:224)
at org.apache.tomcat.util.net.AbstractEndpoint.bindWithCleanup(AbstractEndpoint.java:1103)
at org.apache.tomcat.util.net.AbstractEndpoint.init(AbstractEndpoint.java:1116)
at org.apache.coyote.AbstractProtocol.init(AbstractProtocol.java:557)
at org.apache.coyote.http11.AbstractHttp11Protocol.init(AbstractHttp11Protocol.java:74)
at org.apache.catalina.connector.Connector.initInternal(Connector.java:980)
... 13 more
Caused by: java.io.IOException: jsse.alias_no_key_entry
at org.apache.tomcat.util.net.SSLUtilBase.getKeyManagers(SSLUtilBase.java:330)
at org.apache.tomcat.util.net.openssl.OpenSSLUtil.getKeyManagers(OpenSSLUtil.java:104)
at org.apache.tomcat.util.net.SSLUtilBase.createSSLContext(SSLUtilBase.java:239)
at org.apache.tomcat.util.net.AbstractJsseEndpoint.createSSLContext(AbstractJsseEndpoint.java:97)
... 20 more
I do not understand where it can come from, because my alias is the right one...
Thank you in advance for your help.
In my case, the cause of this issue was that the SSL key alias present in the application was not the same as the alias passed while creating the certificate.
keytool -genkeypair -keyalg RSA -alias dummyApp -keystore dummy-app.p12 -storepass password -validity 3650 -keysize 2048 -dname "CN=dummy-app, OU=Enterprise, O=Test, L=Unknown, ST=Unknown, C=US" -storetype pkcs12
To fix this, I had to correct the value of the server.ssl.key-alias property. As per the above SSL generation example, its value should be dummyApp.
Just had this issue, only with .p7b.
This error means your keystore doesn't contain the original private key.
Please make sure your private key (.csr) is in the same keystore with the .p7b chain.
I followed these steps:
1. Generated a key with a keystore:
keytool -genkey -alias [alias_name] -keyalg RSA -keystore [enter_keystore_name] -keysize 2048
This command creates not only a key entry, but also a private key in the keystore. That's why it's important to import the .p7b into the same keystore.
2. Generated a CSR from this entry:
keytool -certreq -keyalg RSA -keysize 2048 -alias [alias_name] -file [csr_file_name] -keystore [keystore_name] -ext san=dns:[FQDN_of_server]
3. Imported the received signed .p7b into the same keystore (I recommend you download the .p7b into the same folder your .csr and keystore are in):
keytool -import -alias [alias_name] -trustcacerts -file [ssl_certificate.p7b] -keystore [keystore_name]
If everything's done right, your keystore will contain the generated private key and the received .p7b.
You need to import the private key into the keystore.
Step 1: You need to download OpenSSL and then move to C:\OpenSSL-win64\bin
Next, type this command:
openssl pkcs12 -export -in C:\Keystore\certificate.crt -inkey C:\Keystore\name_key.key -out C:\Keystore\server.p12 -name [name_alias] -CAfile C:\Keystore\rootCA.crt -caname root
Note: if you use alias "tomcat" in server.xml
keyAlias="tomcat"
keystoreFile="C:\Keystore\server.jks"
keystorePass="your pass"
then [name_alias] = tomcat
Step 2: use cmd and move to C:\program files\java\jdk..\ bin and type this command to convert p12 file to jks file:
keytool -importkeystore -deststorepass mypass -destkeystore C:\Keystore\server.jks -srckeystore C:\Keystore\server.p12 -srcstoretype PKCS12
Restart your Tomcat server.
Execute the following commands:
#First step
jmendoza@jmendoza:~$ openssl genrsa -aes256 -out electoralsystem-cakey.pem 2048
Enter pass phrase for electoralsystem-cakey.pem: jmendoza
#Second step
jmendoza@jmendoza:~$ openssl req -new -x509 -sha256 -key electoralsystem-cakey.pem -days 365 -out electoralsystem-cacert.pem
jmendoza@jmendoza:~$ openssl x509 -in electoralsystem-cacert.pem -text
#Third step
jmendoza@jmendoza:~$ openssl pkcs12 -export -in electoralsystem-cacert.pem -inkey electoralsystem-cakey.pem -out electoralsystem-store.p12 -name "electoralsystem-store"
Enter Export Password: jmendoza
#Fourth step
jmendoza@jmendoza:~$ keytool -importkeystore -destkeystore electoralsystem-store.jks -deststorepass jmendoza -srckeystore electoralsystem-store.p12 -srcstoretype PKCS12 -srcstorepass jmendoza -alias electoralsystem-store
Configuration example with Springboot (application.properties)
server.port=8081
server.ssl.key-alias=electoralsystem-store
server.ssl.key-password=jmendoza
server.ssl.key-store=/home/jmendoza/IdeaProjects/dummy/config/electoralsystem-store.jks
server.ssl.key-store-provider=SUN
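All four answers to this question come down to one check: the alias named by keyAlias (or server.ssl.key-alias) must be a PrivateKeyEntry, which is what keytool -list -v reports as "Entry type: PrivateKeyEntry", whereas keytool -import ... -file my-domain.cer creates a trustedCertEntry that holds the certificate and no key. The stack trace shows where Tomcat enforces this: SSLUtilBase.getKeyManagers() throws jsse.alias_no_key_entry when KeyStore.isKeyEntry(keyAlias) is false. As an added example (not code from the page, from Tomcat or from the JDK), here is a pure-Python reader and writer for the JKS container format that rebuilds both the broken and the corrected keystore with placeholder certificate bytes and reports what that check would find; build_jks, read_jks and diagnose_key_alias are this example's own helpers, and the entry layout and the "Mighty Aphrodite" integrity hash are those of the JDK's JavaKeyStore implementation.

```python
"""Pure-Python reader/writer for Java's JKS keystore container.

Added example, not from the page. Certificate and encrypted-key bytes below are
constructed placeholders standing in for DER objects; the container layout and the
integrity hash follow the JDK's JavaKeyStore (JKS version 2).
"""
import hashlib
import struct

MAGIC, VERSION = 0xFEEDFEED, 2
TAG_PRIVATE_KEY, TAG_TRUSTED_CERT = 1, 2
FIXED_TS = 1600000000000  # entry creation time in ms; fixed so the sample is reproducible


def _jks_digest(password, body):
    """Trailing integrity hash: SHA-1(password as UTF-16BE || 'Mighty Aphrodite' || body)."""
    h = hashlib.sha1()
    h.update(password.encode("utf-16-be"))
    h.update(b"Mighty Aphrodite")
    h.update(body)
    return h.digest()


def _utf(s):
    """DataOutputStream.writeUTF(): 2-byte big-endian length prefix (ASCII strings only here)."""
    b = s.encode("utf-8")
    return struct.pack(">H", len(b)) + b


def build_jks(entries, password):
    """Serialise [(alias, 'key'|'cert', cert_der, encrypted_key_or_None), ...] as a JKS blob.
    Aliases are lower-cased, as keytool does on import."""
    out = struct.pack(">III", MAGIC, VERSION, len(entries))
    for alias, kind, cert, enc_key in entries:
        if kind == "key":
            out += struct.pack(">I", TAG_PRIVATE_KEY) + _utf(alias.lower()) + struct.pack(">Q", FIXED_TS)
            out += struct.pack(">I", len(enc_key)) + enc_key      # password-encrypted PKCS#8 blob
            out += struct.pack(">I", 1)                           # certificate chain length
            out += _utf("X.509") + struct.pack(">I", len(cert)) + cert
        else:
            out += struct.pack(">I", TAG_TRUSTED_CERT) + _utf(alias.lower()) + struct.pack(">Q", FIXED_TS)
            out += _utf("X.509") + struct.pack(">I", len(cert)) + cert
    return out + _jks_digest(password, out)


class _Reader:
    def __init__(self, data):
        self.data, self.pos = data, 0

    def take(self, n):
        chunk = self.data[self.pos:self.pos + n]
        if len(chunk) != n:
            raise ValueError("truncated keystore")
        self.pos += n
        return chunk

    def u32(self):
        return struct.unpack(">I", self.take(4))[0]

    def utf(self):
        return self.take(struct.unpack(">H", self.take(2))[0]).decode("utf-8")


def read_jks(blob, password=None):
    """Parse a JKS blob into {alias: {'type': ..., 'chain': [der, ...]}}.
    With a password, the trailing SHA-1 is verified (wrong password -> ValueError)."""
    r = _Reader(blob)
    if r.u32() != MAGIC or r.u32() != VERSION:
        raise ValueError("not a JKS version-2 keystore (JDK 9+ keytool writes PKCS#12 by default)")
    entries = {}
    for _ in range(r.u32()):
        tag, alias = r.u32(), r.utf()
        r.take(8)                                   # creation timestamp, unused here
        if tag == TAG_PRIVATE_KEY:
            r.take(r.u32())                         # encrypted private key, not needed for this check
            chain = []
            for _ in range(r.u32()):
                r.utf()                             # certificate type, always "X.509"
                chain.append(r.take(r.u32()))
            entries[alias] = {"type": "PrivateKeyEntry", "chain": chain}
        elif tag == TAG_TRUSTED_CERT:
            r.utf()
            entries[alias] = {"type": "trustedCertEntry", "chain": [r.take(r.u32())]}
        else:
            raise ValueError("unknown entry tag %d" % tag)
    body_end = r.pos
    if password is not None and r.take(20) != _jks_digest(password, blob[:body_end]):
        raise ValueError("keystore was tampered with, or password was incorrect")
    return entries


def integrity_ok(blob, password):
    try:
        read_jks(blob, password)
        return True
    except ValueError:
        return False


def diagnose_key_alias(blob, alias, password=None):
    """Mirror Tomcat's check: keyAlias must satisfy KeyStore.isKeyEntry(), else jsse.alias_no_key_entry."""
    entry = read_jks(blob, password).get(alias.lower())
    if entry is None:
        return "no_such_alias"
    if entry["type"] != "PrivateKeyEntry":
        return "alias_no_key_entry"
    return "ok"


# Constructed placeholders (valid DER SEQUENCEs, but not real certificates or keys).
FAKE_SERVER_CERT = b"\x30\x05\x02\x01\x01\x05\x00"
FAKE_ROOT_CERT = b"\x30\x05\x02\x01\x02\x05\x00"
FAKE_ENCRYPTED_KEY = b"\x30\x03\x02\x01\x00"

# `keytool -import -trustcacerts -alias tomcat -file my-domain.cer` stores only the certificate:
BROKEN_STORE = build_jks([("tomcat", "cert", FAKE_SERVER_CERT, None)], "changeit")
# After `openssl pkcs12 -export` + `keytool -importkeystore`, the alias holds key and chain:
FIXED_STORE = build_jks([("tomcat", "key", FAKE_SERVER_CERT, FAKE_ENCRYPTED_KEY),
                         ("root", "cert", FAKE_ROOT_CERT, None)], "changeit")

if __name__ == "__main__":
    for name, store in (("broken", BROKEN_STORE), ("fixed", FIXED_STORE)):
        print(name, diagnose_key_alias(store, "tomcat", "changeit"),
              {a: e["type"] for a, e in read_jks(store).items()})
```

To inspect a real file, pass open("keystore.jks", "rb").read() to read_jks; the reader deliberately ignores the encrypted key material and only classifies entries, which is all the Tomcat check needs. Note that a file named .jks written by a JDK 9 or newer keytool is PKCS#12 by default, which this reader reports as "not a JKS" rather than parsing.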
I tried installing an SSL certificate I purchased from GoDaddy (CN = my domain) following the steps below. After the last step I did a grep search for .jks in the repository/conf directory and replaced all keystore configs (wso2carbon.jks) with my JKS and password. I restarted the server. It started giving a bunch of errors and the server did not start properly. But when I changed ONLY the catalina_server.xml configuration and undid all the others, it started and SSL was working only for port 9443, but when I checked the cert installation with an SSL checker tool, it said the cert was not installed properly. And even the API gateway endpoints were not working with SSL (the browser rejects the cert), and that was port 8244. What have I done wrong? Exception trace given below.
Create Keystore and the CSR
keytool -genkey -alias certalias -keyalg RSA -keysize 2048 -keystore newkeystore.jks
Create CSR - copy output and submit to Go Daddy.
keytool -certreq -alias certalias -keystore newkeystore.jks
Get the certificates for Tomcat; you will get the certificates below:
gd_bundle-g2-g1.crt - Root Certificate
gdig2.crt.pem - Intermediate Certificate
[randomNumber].crt - Domain Certificate
Convert crt to pem.
openssl x509 -in gd_bundle-g2-g1.crt -out gd_bundle-g2-g1.pem
openssl x509 -in [randomNumber].crt -out [randomNumber].pem
Join the root and intermediate certificates:
cat gdig2.crt.pem gd_bundle-g2-g1.pem >> clientcertchain.pem
Extract the key from the keystore.
keytool -importkeystore -srckeystore newkeystore.jks -destkeystore keystore.p12 -deststoretype PKCS12 -srcalias keys -deststorepass -destkeypass
openssl pkcs12 -in keystore.p12 -nodes -nocerts -out key.pem
Create a PKCS12 keystore:
openssl pkcs12 -export -out final.p12 -inkey key.pem -in [randomNumber].crt -CAfile clientcertchain.pem -name "cacertificates"
Create a JKS from the PKCS12 keystore:
keytool -importkeystore -srckeystore final.p12 -srcstoretype PKCS12 -destkeystore wso2carbon.jks
Replace it with wso2carbon.jks located in <WSO2AM_HOME>/repository/resources/security/
Go to <WSO2AM_HOME>/repository/resources/security/
Extract the key file to add to the client keystore:
keytool -export -alias cacertificates -keystore newkeystore.jks -file .pem
Add the key to client-truststore.jks:
keytool -import -alias cacertificates -file .pem -keystore client-truststore.jks -storepass wso2carbon
I am trying to enable two-way SSL authentication between Apache ACE and the management agent (by following the document http://ace.apache.org/dev-doc/design/using-client-certificates.html). To achieve this, first of all I created the required certificates by following the steps mentioned below:
Step#1) Created a self-signed certificate authority using OpenSSL by excecuting the command below:
openssl req -x509 -new -config Certi/X509CA/openssl.cnf -days 365 -out Certi/X509CA/ca/new_ca.pem -keyout Certi/X509CA/ca/new_ca_pk.pem
This command created a certificate new_ca.pem and its private key new_ca_pk.pem.
Step#2) Imported the certificate new_ca.pem into a keystore file named truststore by using the following command:
keytool -import -alias truststore -keystore truststore -file new_ca.pem
Step#3) Created certificate for the management agent, available in a Java keystore file, called keystore-ma.jks.
keytool -genkey -dname "CN=<hostIP>, OU=IT, O=<Organization Name>, ST=UP, C=IN" -validity 365 -alias keystore-ma -keypass secret -keystore keystore-ma.jks -storepass secret
Step#4) Created a CSR:
keytool -certreq -alias keystore-ma -file keystore-ma_csr.pem -keypass secret -keystore keystore-ma.jks -storepass secret
Step#5) Signed the certificate using the certificate authority created in Step 1.
openssl ca -config X509CA/openssl.cnf -days 365 -cert C:/X509CA/ca/new_ca.pem -keyfile C:/X509CA/ca/new_ca_pk.pem -in C:/X509CA/ca/keystore-ma_csr.pem -out C:/X509CA/ca/keystore-ma.pem
Step#6) Imported the certificate into a keystore file named keystore-ma:
keytool -import -alias keystore-ma -keystore keystore-ma -file keystore-ma.pem
Similar steps (3-6) were followed to create and sign the certificate for the ACE server, available in a Java keystore file called keystore-server.
Then I updated the Platform.properties of the ACE server to include the additional properties and started the ACE server:
-Dorg.osgi.service.http.port.secure=8443
-Dorg.apache.felix.https.enable=true
-Dorg.apache.felix.https.truststore=/path/to/truststore
-Dorg.apache.felix.https.truststore.password=secret
-Dorg.apache.felix.https.keystore=/path/to/keystore-server
-Dorg.apache.felix.https.keystore.password=secret
-Dorg.apache.felix.https.clientcertificate=needs
Started ace-launcher.jar with the following command:
java -Djavax.net.ssl.trustStore=/path/to/truststore -Djavax.net.ssl.trustStorePassword=secret -Djavax.net.ssl.keyStore=/path/to/keystore-ma -Djavax.net.ssl.keyStorePassword=secret -jar org.apache.ace.launcher-0.8.1-SNAPSHOT.jar discovery=https://<Ace Server Ip>:8443 identification=MyTarget
I tried multiple times by changing the discovery URL to
1) https://<Ace Server Ip>:8080
2) http://<Ace Server Ip>:8080
3) https://<Ace Server Ip>:8443
But the target was not registered in the ACE server. Am I using the correct URLs to connect to the ACE server through HTTPS?
Also, how can I confirm that my ACE server is configured to accept HTTPS traffic from the management agent?
I see you use a distinguished name (DN) with more than only a common name.
By convention, the hostname as common name is used for certificate validation. It should work if you create a certificate with CN=hostname-of-target (IP address is not sufficient).
Another hint I can give you for troubleshooting SSL errors: use -Djavax.net.debug=ssl for the server, it will spit out lots of information, but gives detailed information on what is going on and what causes the error.