How to create PKCS#11 keystore - jvm

I have an activated partition on a Luna HSM and have configured the HSM.
My server can talk to the HSM, certs are exchanged and vtl verify works.
I installed OpenDJ (a directory server, but it could be any application), then I wanted to use an existing certificate on the PKCS11 token.
Could anyone please provide instructions to use the cert from the HSM?
The error I get:
Could not access the PKCS#11 keystore. Check that the JVM security settings
have been configured to use a PKCS#11 keystore and that a valid password has
been provided if needed. Error details: PKCS11 not found
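The error text says the JVM has no "PKCS11" keystore provider registered at the moment the application asks for one. The following is an added example, not code from the question or from OpenDJ or the HSM vendor, showing the JVM side of the setup: register a SunPKCS11 provider from a configuration file that points at the HSM client's PKCS#11 library, open the token as a `KeyStore` of type `PKCS11` with the partition PIN as the "password", and list the certificates the token exposes. The config path, the library path and the slot value are assumptions to be replaced with the values from your HSM client installation.

```java
import java.security.KeyStore;
import java.security.Provider;
import java.security.Security;
import java.security.cert.Certificate;
import java.security.cert.X509Certificate;
import java.util.ArrayList;
import java.util.Arrays;
import java.util.Collections;
import java.util.List;

/** Added example: open a PKCS#11 keystore on an HSM token from the JVM and list its certificates. */
public class Pkcs11KeystoreCheck {

    // ASSUMPTION: a SunPKCS11 config file you write yourself; every value below is a placeholder.
    // Expected contents (one key per line):
    //   name = Luna
    //   library = /path/to/hsm/client/libpkcs11.so   <- PKCS#11 library shipped with your HSM client
    //   slot = 0                                       <- or slotListIndex = 0
    static final String CONFIG_PATH = "/etc/opendj/luna-pkcs11.cfg";

    /** Registers a SunPKCS11 instance for the token and loads it as a "PKCS11" KeyStore. */
    public static KeyStore openTokenKeystore(String configPath, char[] partitionPin) throws Exception {
        Provider base = Security.getProvider("SunPKCS11");
        if (base == null) {
            // Java 8: the provider is instantiated directly instead:
            //   Provider token = new sun.security.pkcs11.SunPKCS11(configPath);
            throw new IllegalStateException("SunPKCS11 provider not present in this JVM");
        }
        Provider token = base.configure(configPath); // Java 9+ API
        Security.addProvider(token);                 // skipping this is what produces "PKCS11 not found"

        KeyStore ks = KeyStore.getInstance("PKCS11", token);
        ks.load(null, partitionPin);                 // no file: the "password" is the partition PIN
        return ks;
    }

    /** Returns the aliases of the certificate and key entries the token exposes. */
    public static List<String> certificateAliases(KeyStore ks) throws Exception {
        List<String> out = new ArrayList<>();
        for (String alias : Collections.list(ks.aliases())) {
            if (ks.isKeyEntry(alias) || ks.isCertificateEntry(alias)) {
                out.add(alias);
            }
        }
        return out;
    }

    public static void main(String[] args) throws Exception {
        char[] pin = System.console().readPassword("Partition PIN: ");
        try {
            KeyStore ks = openTokenKeystore(CONFIG_PATH, pin);
            for (String alias : certificateAliases(ks)) {
                Certificate c = ks.getCertificate(alias);
                String subject = (c instanceof X509Certificate)
                        ? ((X509Certificate) c).getSubjectX500Principal().getName()
                        : "(non-X.509 entry)";
                System.out.println(alias + " -> " + subject
                        + (ks.isKeyEntry(alias) ? " [private key stays on the token]" : ""));
            }
        } finally {
            Arrays.fill(pin, '\0'); // do not leave the PIN in memory longer than needed
        }
    }
}
```

An application such as OpenDJ does not run your code, so the provider has to be registered statically instead: add a line `security.provider.N=SunPKCS11 /etc/opendj/luna-pkcs11.cfg` (Java 9+) or `security.provider.N=sun.security.pkcs11.SunPKCS11 /etc/opendj/luna-pkcs11.cfg` (Java 8) to the `java.security` file of the JVM that runs the server, with N one higher than the last existing provider entry, and then configure the application with keystore type `PKCS11` and the partition PIN as the keystore password. The alias printed by the listing above is the one the application must be told to use; the private key never leaves the HSM.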

Related

How to configure gRPC Client communicating over TLS transport layer without server certificate?

Currently I want to expose a gRPC method as a public API protected by Auth0 (JWT token), with Istio (Envoy proxy) helping to validate the token on the server side. Since the JWT token is not encrypted by the standard (it is only used for the end-user authentication and authorization layer), I want to encrypt the communication using TLS. Also, my public server already has a valid certificate.
The problem is on the gRPC client side. In every example I look at, the gRPC client has to initialize the TLS connection with the server cert pem file. Is it really necessary? Because it adds operational burden and complexity, where we have to distribute our server pem file every time we renew the certificate AND/OR the client side has to restart the application.
Thanks,
Agung
If you are using a self-signed certificate, then yes, you must explicitly trust it in your client. If you use a publicly signed certificate on your server, gRPC will use the operating system's certificate authorities to verify the cert. (In the case of Java, it uses the JVM's cert authorities.)
If you are using a self-signed certificate you need to specify the server's root certificates in the pem_root_certs member of the SslCredentialsOptions struct passed in when creating a channel, as Carl says.
However if you are using a CA issued certificate, leaving the pem_root_certs member empty will cause gRPC to default to its own master list (reviewable online), not any OS-specific list.
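The two answers above describe two client configurations: a CA-issued server certificate needs no pem file on the client, while a self-signed or private-CA certificate needs the root explicitly trusted. As an added example (not from the answers or the gRPC project) here are both in grpc-java, the JVM library the first answer refers to; `pem_root_certs` is the C++ option name, and `trustManager` is the equivalent in the Netty-based Java transport. Host, port and the file name of the private root are assumptions.

```java
import io.grpc.ManagedChannel;
import io.grpc.ManagedChannelBuilder;
import io.grpc.netty.GrpcSslContexts;
import io.grpc.netty.NettyChannelBuilder;
import io.netty.handler.ssl.SslContext;

import java.io.File;
import javax.net.ssl.SSLException;

/** Added example: gRPC client TLS setup with and without a pinned root certificate. */
public class GrpcClientTls {

    /**
     * Server presents a certificate issued by a public CA: no pem file is shipped with the client.
     * useTransportSecurity() builds a TLS channel verified against the JVM's trust store (cacerts),
     * so renewing the server certificate needs no client-side change.
     */
    public static ManagedChannel publicCaChannel(String host, int port) {
        return ManagedChannelBuilder.forAddress(host, port)
                .useTransportSecurity()
                .build();
    }

    /**
     * Server presents a self-signed or private-CA certificate: the client must be told which root to trust.
     * Trust the ROOT (or issuing CA) rather than the leaf, so a renewed leaf signed by the same CA still
     * validates without redistributing anything to clients.
     */
    public static ManagedChannel privateRootChannel(String host, int port, File rootCaPem) throws SSLException {
        SslContext ctx = GrpcSslContexts.forClient()
                .trustManager(rootCaPem)   // PEM file containing the CA certificate(s), not the server leaf
                .build();
        return NettyChannelBuilder.forAddress(host, port)
                .sslContext(ctx)
                .build();
    }

    public static void main(String[] args) throws Exception {
        // ASSUMPTION: hostnames, port and file name are placeholders.
        ManagedChannel publicChannel = publicCaChannel("api.example.com", 443);
        ManagedChannel internalChannel = privateRootChannel("grpc.internal.example", 8443,
                new File("/etc/grpc-client/internal-root-ca.pem"));
        // ... create service stubs from the channels here ...
        publicChannel.shutdown();
        internalChannel.shutdown();
    }
}
```

Either way the client still verifies the hostname against the certificate; what changes is only which set of roots anchors the chain. With a CA-issued certificate the operational burden the question worries about disappears, because the trust anchor (the CA) is stable across renewals of the server's leaf certificate.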

Use SSL client certificate for further server-side authentication

If Tomcat is set up for SSL mutual authentication you can get the client javax.servlet.request.X509Certificate from the servlet request.
In the server app I need a key to encrypt a file.
Is it a good idea to use a part of the Client X509Certificate, e.g. the SubjectPublicKeyInfo as encryption key?
The client Certificate should be as secret as any password, shouldn't it?
(this question has Java API example, but is not Java specific)

SNMP over DTLS using SNMP4j

I have been trying to configure SNMP over TLS. I need to send INFORM messages.
I referred to
How do you use asymmetric keys or certificate authentication in SNMP4J?
It provides a nice explanation but I have some more questions, such as the following:
What should the keystore contain, agent (snmpd) or manager certificate? I believe the keystore should exist on the system from where the connection is being made through the SNMP4j library.
What should trust store contain? Where should it reside, agent or manager?
Do we need to store private keys in keystore and trust store?
What should be passed to CertifiedTarget constructor, agent certificate alias or manager certificate alias?
E.g. CertifiedTarget ct = new CertifiedTarget(new OctetString("alias"));
I have the same question for certificate alias passed to DefaultTlsTmSecurityCallback.addLocalCertMapping().
E.g. securityCallback.addLocalCertMapping(ct.getAddress(), "snmpagentalias");
If I run the code provided in How do you use asymmetric keys or certificate authentication in SNMP4J?, it always returns null response PDU.
Any help would be appreciated. Thank you.

Certificate pinning in IBM MobileFirst Platform

What are the checks that will be performed when we call the method WL.Client.pinTrustedCertificatePublicKey for a MobileFirst hybrid app?
This is all explained in the documentation. See here: http://www.ibm.com/support/knowledgecenter/SSHSCD_7.1.0/com.ibm.worklight.dev.doc/monitor/c_cert_pinning_intro.html
Certificate pinning is the process of associating a host with its expected public key. Because you own both the server-side code and the client-side code, you can configure your client code to accept only a specific certificate for your domain name, instead of any certificate that corresponds to a trusted CA root certificate recognized by the operating system or browser.
A copy of the certificate is placed in your client application. During the SSL handshake (first request to the server), the IBM MobileFirst Platform Foundation for iOS client SDK verifies that the public key of the server certificate matches the public key of the certificate that is stored in the app.
If pinning is successful, the public key inside the provided certificate is used to verify the integrity of the MobileFirst Server certificate during the secured request SSL/TLS handshake. If pinning fails, all SSL/TLS requests to the server are rejected by the client application.
The API initiates the pinning process.
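The check the documentation describes is a public-key comparison: the SubjectPublicKeyInfo of the certificate the server presents is compared with the one inside the certificate bundled with the app, and the handshake is rejected on mismatch. As an added example (not the MobileFirst SDK's code, which performs this internally) here is that check written as a JVM `X509TrustManager`, useful for understanding what the API does and for reproducing it on a Java client. The pinned certificate file path is an assumption.

```java
import java.io.FileInputStream;
import java.io.InputStream;
import java.security.MessageDigest;
import java.security.cert.CertificateException;
import java.security.cert.CertificateFactory;
import java.security.cert.X509Certificate;
import javax.net.ssl.SSLContext;
import javax.net.ssl.TrustManager;
import javax.net.ssl.X509TrustManager;

/** Added example: public-key pinning as a trust manager, mirroring the check pinTrustedCertificatePublicKey performs. */
public final class PublicKeyPinningTrustManager implements X509TrustManager {

    private final byte[] pinnedSpkiSha256;

    public PublicKeyPinningTrustManager(X509Certificate pinnedCert) throws CertificateException {
        this.pinnedSpkiSha256 = spkiSha256(pinnedCert);
    }

    /** SHA-256 over the DER SubjectPublicKeyInfo; comparing a digest keeps the pin independent of key size. */
    static byte[] spkiSha256(X509Certificate cert) throws CertificateException {
        try {
            return MessageDigest.getInstance("SHA-256").digest(cert.getPublicKey().getEncoded());
        } catch (Exception e) {
            throw new CertificateException("cannot hash public key", e);
        }
    }

    /** Loads the certificate bundled with the app (DER or PEM, as java.security.cert accepts both). */
    public static X509Certificate loadPinnedCertificate(String path) throws Exception {
        try (InputStream in = new FileInputStream(path)) {
            return (X509Certificate) CertificateFactory.getInstance("X.509").generateCertificate(in);
        }
    }

    @Override
    public void checkServerTrusted(X509Certificate[] chain, String authType) throws CertificateException {
        if (chain == null || chain.length == 0) {
            throw new CertificateException("server sent an empty certificate chain");
        }
        X509Certificate leaf = chain[0];
        leaf.checkValidity(); // expired or not-yet-valid certificates are rejected regardless of the key
        // Constant-time comparison of the presented key's digest with the pinned one.
        if (!MessageDigest.isEqual(spkiSha256(leaf), pinnedSpkiSha256)) {
            throw new CertificateException("server public key does not match the pinned public key; rejecting request");
        }
        // Pin matched: the SDK would now let the SSL/TLS handshake continue.
    }

    @Override
    public void checkClientTrusted(X509Certificate[] chain, String authType) throws CertificateException {
        throw new CertificateException("client certificates are not checked by this pinning manager");
    }

    @Override
    public X509Certificate[] getAcceptedIssuers() {
        return new X509Certificate[0];
    }

    /** Builds an SSLContext that uses the pin; plug it into HttpsURLConnection or your HTTP client. */
    public static SSLContext pinnedContext(String pinnedCertPath) throws Exception {
        SSLContext ctx = SSLContext.getInstance("TLS");
        ctx.init(null, new TrustManager[] { new PublicKeyPinningTrustManager(loadPinnedCertificate(pinnedCertPath)) }, null);
        return ctx;
    }

    public static void main(String[] args) throws Exception {
        // ASSUMPTION: path of the certificate copied into the app is a placeholder.
        SSLContext ctx = pinnedContext("/app/certs/mobilefirst-server.cer");
        System.out.println("pinning trust manager installed in " + ctx.getProtocol() + " context");
    }
}
```

Two practical consequences follow from this check. First, pinning the public key (rather than the whole certificate) means a renewed server certificate that reuses the same key pair keeps working, while a key rotation requires shipping a new app build with the new certificate. Second, in a JVM deployment this manager is best combined with the platform's default trust manager so that CA path validation still runs before the pin is compared; the pin narrows trust, it does not replace chain validation.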

Keystore for LDAP Login Module

I am using the LDAP Login module to secure access to the Worklight Console. The ldap:// access works. However, I need to access LDAP over SSL i.e., using ldaps://. I am trying to find out the key-store into which to provision the LDAP server side public-keys certificate. There are two possibilities, namely:
the default keystore built into the worklight war file
the keystore defined for use by Liberty Profile.
There does not appear to be any documentation on which keystore is used by the LDAP Login Module.
Any pointers?
Thanks in anticipation.
The keystore is often even lower level than you suggest and based upon the cacerts in the JRE/JVM's lib\security directory.
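Following the answer, the trust decision for ldaps:// is made by the JVM's own trust store, `cacerts` under the JRE's `lib/security` directory, not by a keystore the web application or Liberty defines. As an added example (not from the answer, Worklight or Liberty) here is a small JVM utility that imports the LDAP server's certificate into that file and then checks that the entry is present, which is what the question is trying to accomplish. The cacerts path, the certificate file and the alias are assumptions; `changeit` is the well-known default password of a stock `cacerts`.

```java
import java.io.FileInputStream;
import java.io.FileOutputStream;
import java.io.InputStream;
import java.io.OutputStream;
import java.nio.file.Path;
import java.nio.file.Paths;
import java.security.KeyStore;
import java.security.cert.Certificate;
import java.security.cert.CertificateFactory;
import java.security.cert.X509Certificate;

/** Added example: provision an LDAP server certificate into the JVM's cacerts trust store and verify it. */
public class TrustLdapServer {

    /** Adds the certificate as a trusted entry under the given alias; overwrites an existing alias of that name. */
    public static void importIntoCacerts(Path cacerts, char[] storePass, Path serverCertFile, String alias) throws Exception {
        // The default type is JKS on Java 8 and PKCS12 on newer JDKs; both read the stock cacerts file.
        KeyStore ks = KeyStore.getInstance(KeyStore.getDefaultType());
        try (InputStream in = new FileInputStream(cacerts.toFile())) {
            ks.load(in, storePass);
        }

        // DER or PEM export of the LDAP server's certificate (ideally its issuing CA, so renewals keep working).
        Certificate cert;
        try (InputStream in = new FileInputStream(serverCertFile.toFile())) {
            cert = CertificateFactory.getInstance("X.509").generateCertificate(in);
        }

        ks.setCertificateEntry(alias, cert); // trusted-certificate entry: no private key involved
        try (OutputStream out = new FileOutputStream(cacerts.toFile())) {
            ks.store(out, storePass);
        }
    }

    /** Returns the alias under which the certificate is trusted, or null if cacerts does not contain it. */
    public static String trustedAlias(Path cacerts, char[] storePass, Path serverCertFile) throws Exception {
        KeyStore ks = KeyStore.getInstance(KeyStore.getDefaultType());
        try (InputStream in = new FileInputStream(cacerts.toFile())) {
            ks.load(in, storePass);
        }
        Certificate cert;
        try (InputStream in = new FileInputStream(serverCertFile.toFile())) {
            cert = CertificateFactory.getInstance("X.509").generateCertificate(in);
        }
        return ks.getCertificateAlias(cert);
    }

    public static void main(String[] args) throws Exception {
        // ASSUMPTION: all paths and the alias are placeholders for your environment.
        // Java 8 layout is <jre>/lib/security/cacerts; Java 9+ is <jdk>/lib/security/cacerts.
        Path cacerts = Paths.get(System.getProperty("java.home"), "lib", "security", "cacerts");
        Path ldapCert = Paths.get("/tmp/ldap-server.cer");
        char[] pass = "changeit".toCharArray();

        importIntoCacerts(cacerts, pass, ldapCert, "ldapserver");
        String alias = trustedAlias(cacerts, pass, ldapCert);
        X509Certificate c = (X509Certificate) CertificateFactory.getInstance("X.509")
                .generateCertificate(new FileInputStream(ldapCert.toFile()));
        System.out.println(c.getSubjectX500Principal().getName()
                + (alias != null ? " trusted as alias '" + alias + "'" : " NOT trusted"));
    }
}
```

The same import is what `keytool -importcert -trustcacerts -alias ldapserver -file ldap-server.cer -keystore $JAVA_HOME/lib/security/cacerts` does from the command line. Two caveats a practitioner will want: edit the `cacerts` of the JVM that actually runs Liberty (not a developer workstation's), and remember that a JVM upgrade replaces that file, so either re-import after upgrades or point the server at a separate trust store with `-Djavax.net.ssl.trustStore=...`.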