wso2is - Adding new keystore - ssl

I'm trying to set up a new keystore in wso2is. I followed these 2 guides:
https://docs.wso2.com/display/ADMIN446/Creating+New+Keystores
https://docs.wso2.com/display/Carbon443/Configuring+Keystores+in+WSO2+Products
In the https://docs.wso2.com/display/Carbon443/Configuring+Keystores+in+WSO2+Products it says to change keystore in sec.policy, but the file doesn't exist in IS 5.2.0
Although the guide doesn't talk about these files, the default keystore seems to be used in them:
conf/identity/EndpointConfig.properties
conf/security/secret-conf.properties
conf/security/cipher-text.properties
I have a webapp calling wso2is, the keystore has been added in the JVM using -Djavax.net.ssl.trustStore=/path/to/newkeystore.jks -Djavax.net.ssl.trustStorePassword=mypassword
When calling oauth2 endpoint (https://myinternaldomain:9443/oauth2/token) I got this error :
TID: [1] [] [2017-01-10 13:30:14,505] @tenant1.com [1] [IS] INFO {org.wso2.carbon.core.deployment.DeploymentInterceptor} - Deploying Axis2 service: wso2carbon-sts {tenant1.com[1]}
TID: [1] [] [2017-01-10 13:30:14,536] admin@tenant1.com [1] [IS]ERROR {org.wso2.carbon.core.deployment.DeploymentInterceptor} - Error while updating wso2carbon-sts in STSDeploymentInterceptor
java.io.IOException: Keystore was tampered with, or password was incorrect
    at sun.security.provider.JavaKeyStore.engineLoad(JavaKeyStore.java:780)
    at sun.security.provider.JavaKeyStore$JKS.engineLoad(JavaKeyStore.java:56)
    at sun.security.provider.KeyStoreDelegator.engineLoad(KeyStoreDelegator.java:224)
    at sun.security.provider.JavaKeyStore$DualFormatJKS.engineLoad(JavaKeyStore.java:70)
    at java.security.KeyStore.load(KeyStore.java:1445)
    at org.wso2.carbon.core.util.KeyStoreManager.getKeyStore(KeyStoreManager.java:146)
I did not change anything regarding the keystore in axis2.xml because all information regarding the keystore is commented out.
All other endpoints (SOAP endpoints) are working fine with SSL, and everything works fine with localhost and the default wso2carbon.jks
but I cannot make oauth2/token endpoint work with a new jks.
Thanks for your input, ideas.
Regards

I got it working by adding the public key in the java default keystore
keytool -import -v -alias certalias -file newkeystore.pem -keystore $JAVA_HOME/lib/security/cacerts -storepass changeit
and by doing the following configuration, which should definitely be in the wso2is keystore configuration documentation!
http://xacmlinfo.org/2014/11/05/how-to-changing-the-primary-keystore-of-a-tenant-in-carbon-products/

Related

Make Https request with the netty4-http component of Apache Camel

I exposed a simple REST service with Apache Camel as a Spring Boot microservice, which creates a request to a service over HTTPS, using the netty4-http component.
    public class RoutingTest extends RouteBuilder {
        @Override
        public void configure() throws Exception {
            restConfiguration()
                .host("localhost")
                .port("8080");
            rest().post("test")
                .route()
                .setBody(constant("message=Hello"))
                .setHeader(Exchange.HTTP_METHOD, constant(HttpMethod.POST))
                .setHeader(Exchange.CONTENT_TYPE, constant("application/x-www-form-urlencoded"))
                .to("netty4-http:https://localhost/service/test");
        }
    }
When I call http://localhost:8080/test, I get a 400 Bad Request error when the route calls the https://localhost/service/test service. From the logs I read that the request arrives in HTTP instead of HTTPS format, and I don't understand why:
You're speaking plain HTTP to an SSL-enabled server port. Instead use
the HTTPS scheme to access this URL, please.
If I invoke the service https://localhost/service/test with Postman, it works correctly.
SSL is configured with a Self-signed certificate.
How do I create a correct https request with the netty component in apache camel? The documentation only suggests the replacement of the protocol, at most a few options which however do not work.
UPDATE (SOLVED SEE BELOW)
I updated the call in this way
.to("netty4-http:https://localhost/dpm/idp/oauth/token?ssl=true&sslContextParameters=#sslContextParameters");
The ssl = true parameter is mandatory and I have also configured the bean for SSLContextParameters like this:
    @Bean(name = "sslContextParameters")
    public static SSLContextParameters sslParameters() throws KeyManagementException, GeneralSecurityException, IOException {
        KeyStoreParameters ksp = new KeyStoreParameters();
        ksp.setResource("C:/myfolder/test.jks");
        KeyManagersParameters kmp = new KeyManagersParameters();
        kmp.setKeyStore(ksp);
        kmp.setKeyPassword("jskPassword");
        SSLContextParameters scp = new SSLContextParameters();
        scp.setKeyManagers(kmp);
        SSLContextBuilder builder = new SSLContextBuilder();
        builder.loadTrustMaterial(new TrustSelfSignedStrategy());
        SSLContext sslcontext = builder.build();
        scp.createSSLContext().setDefault(sslcontext);
        return scp;
    }
I am fighting a bit with the classes that are deprecated. For testing I leave only one method deprecated because I should work with inheritance.
If I understood correctly, I had to generate a JKS file for the trust zone, starting from my self-signed certificates (.crt and .key files). Once done, I added the instructions for the KeyStoreParameters with the password.
It is almost solved, but now I am getting this error when I execute the
PKIX path building failed:
sun.security.provider.certpath.SunCertPathBuilderException: unable to
find valid certification path to requested target
You probably need to configure a sslContextParameters object that you can use to configure the Netty component for SSL.
I am not sure about the parameter name. The docs say sslContextParameters, but I thought it was sslContextParametersRef.
.to("netty4-http:https://localhost/service/test?sslContextParametersRef=#sslConfig");
The #sslConfig means that Camel can get the object from the registry with the identifier sslConfig. So for example with Spring this would be a Spring managed Bean with ID sslConfig.
The Netty component (not http) also has a parameter ssl=true. No idea if this is also needed for Netty-http. So you will have to test a bit with these different parameters.
By the way the docs of the Netty component have an SSL example with context parameter configuration etc. Have a look at it.
Resolved. Some instructions needed for the self-signed certificate were missing.
Below is the complete bean.
    @Bean(name = "sslContextParameters")
    public static SSLContextParameters sslParameters() throws KeyManagementException, GeneralSecurityException, IOException {
        KeyStoreParameters ksp = new KeyStoreParameters();
        ksp.setResource("C:/myfolder/test.jks");
        ksp.setPassword("jskPassword");
        KeyManagersParameters kmp = new KeyManagersParameters();
        kmp.setKeyStore(ksp);
        kmp.setKeyPassword("jskPassword");
        SSLContextParameters scp = new SSLContextParameters();
        scp.setKeyManagers(kmp);
        SSLContextBuilder builder = new SSLContextBuilder();
        builder.loadTrustMaterial(null, new TrustSelfSignedStrategy());
        SSLContext sslcontext = builder.build();
        scp.createSSLContext().setDefault(sslcontext);
        // Necessary for the self-signed server certificate
        TrustManagersParameters tmp = new TrustManagersParameters();
        tmp.setKeyStore(ksp);
        scp.setTrustManagers(tmp);
        return scp;
    }
As for the test.jks file, I created it with keytool, the tool supplied with the JDK for managing certificates (creation, export and import).
In my case, having already created the certificate with OpenSSL, I had to create only the JKS (Java Keystore) file to be imported. For this it is necessary to convert the certificate into a P12 file (it should be an archive) and finally into the JKS.
During the operations you will be asked to enter passwords for both files
- openssl pkcs12 -export -in test.crt -inkey test.key -out test.p12
- keytool -importkeystore -srckeystore test.p12 -destkeystore test.jks -srcstoretype pkcs12
- keytool -importkeystore -srckeystore test.jks -destkeystore test.jks -deststoretype pkcs12
Here test is the name of my certificate file. The last operation is not mandatory but it is recommended by keytool itself in order to migrate the JKS format, a proprietary format if I understand correctly, to the more common PKCS12 format.
The value jskPassword in the code is the password I set when creating the keystore.
I hope it will help.
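A trust-only variant of the bean above, as an added example that is not part of the original answer: TrustSelfSignedStrategy accepts any self-signed certificate and setDefault is the static SSLContext.setDefault, so the answer's bean replaces the default SSLContext for the whole JVM, whereas a truststore holding only test.crt limits trust to that one server. It assumes Camel 2.x (package org.apache.camel.util.jsse) with Spring; truststore.jks, its path and its password are placeholders.

```java
import org.apache.camel.util.jsse.KeyStoreParameters;
import org.apache.camel.util.jsse.SSLContextParameters;
import org.apache.camel.util.jsse.TrustManagersParameters;
import org.springframework.context.annotation.Bean;
import org.springframework.context.annotation.Configuration;

@Configuration
public class NettyTlsConfig {

    // Build the truststore from the certificate alone, so the client
    // never needs a copy of the server's private key (test.key):
    //   keytool -importcert -alias test -file test.crt -keystore truststore.jks
    @Bean(name = "sslContextParameters")
    public SSLContextParameters sslContextParameters() {
        KeyStoreParameters trustStore = new KeyStoreParameters();
        trustStore.setResource("C:/myfolder/truststore.jks"); // placeholder path
        trustStore.setPassword("truststorePassword");          // placeholder password

        // Trust exactly the certificates stored in truststore.jks.
        TrustManagersParameters trustManagers = new TrustManagersParameters();
        trustManagers.setKeyStore(trustStore);

        SSLContextParameters scp = new SSLContextParameters();
        scp.setTrustManagers(trustManagers);
        // No KeyManagersParameters: the route is a TLS client without a client certificate.
        // No SSLContext.setDefault(...): the setting stays scoped to endpoints that
        // reference this bean, e.g. ?ssl=true&sslContextParameters=#sslContextParameters
        return scp;
    }
}
```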

wso2 apim 1.10.0 SSL communication

I am trying to call a WSO2 API through https port 8243. However, when I make a call, the client app (web app) gets a 502 bad gateway error (which is logged inside WSO2 apim server carbon log file).
I see the exception below.
Please note that I have received a CA signed cert inside a jks from my networking team... I imported it through the management console into the keystore... I can view the company certs as well from the console:
TID: [-1] [] [2018-12-19 16:51:12,890] ERROR {org.apache.synapse.transport.passthru.SourceHandler} -
I/O error: Received fatal alert: unknown_ca {org.apache.synapse.transport.passthru.SourceHandler}
javax.net.ssl.SSLException: Received fatal alert: unknown_ca
If you are trying to update the certificate of API Manager, importing the certificate to existing keystore will not work.
Please have a look at the documentation[1] on creating a keystore with a CA signed certificate when you create the new keystore with updated certificate.
The main keystore of WSO2 products is the wso2carbon.jks file, which holds the private certificate entry. When you update the certificate with the keystore you have to update all the configuration files listed in documentation[2] to refer to the new keystore file, and you will also have to update the related properties (i.e. keystore password, key password, alias).
[1] https://docs.wso2.com/display/Carbon443/Creating+New+Keystores
[2] https://docs.wso2.com/display/Carbon443/Configuring+Keystores+in+WSO2+Products

the trustAnchors parameter must be non-empty while invoking the procedure using HTTP adapter

I am receiving the following error while trying to connect my REST webservice using HTTP adapter in IBM Mobile First:
"errors": [
"Runtime: Http request failed: javax.net.ssl.SSLException: java.lang.RuntimeException: Unexpected error: java.security.InvalidAlgorithmParameterException: the trustAnchors parameter must be non-empty"
I am passing the user id and password in a base64 encoded format in the headers section of my input.
How do I resolve this error?
Yoel's answer got me on track: your adapter is doing an SSL request to a server that is not trusted by the keystore in your MobileFirst server.
You need to import in your server's keystore the certificate chain of the server that you are trying to reach. What I did was
From Firefox, export the certificate chain in PEM format (.crt extension).
In the server/conf folder of your project, import the certificate chain file. If you are using the defaults from the worklight.properties file, this will do it:
keytool --import -keystore default.keystore -storepass worklight -file remoteServer.crt
This bizarre message means that the truststore you specified was not
found, or couldn't be opened due to access permissions for example.
Quote from: Error - trustAnchors parameter must be non-empty
Author: @EJP
Similar question:
got java.security.InvalidAlgorithmParameterException: the trustAnchors parameter must be non-empty when using cas
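The two truststore failures quoted on this page, "Keystore was tampered with, or password was incorrect" and "the trustAnchors parameter must be non-empty", reproduced with the JDK alone as an added example (not code from any of the posts). The class name TrustStoreProbe, the passwords and the in-memory empty JKS store are constructed for illustration.

```java
import java.io.ByteArrayInputStream;
import java.io.ByteArrayOutputStream;
import java.io.IOException;
import java.security.InvalidAlgorithmParameterException;
import java.security.KeyStore;
import java.security.UnrecoverableKeyException;
import java.security.cert.PKIXParameters;

public class TrustStoreProbe {

    /** Classifies why a keystore would fail when it is used as a truststore. */
    static String probe(byte[] storeBytes, String type, char[] password) throws Exception {
        KeyStore ks = KeyStore.getInstance(type);
        try (ByteArrayInputStream in = new ByteArrayInputStream(storeBytes)) {
            ks.load(in, password);
        } catch (IOException e) {
            // A wrong store password surfaces as an IOException whose cause
            // is an UnrecoverableKeyException; anything else is a damaged
            // or wrongly typed file.
            return e.getCause() instanceof UnrecoverableKeyException
                    ? "WRONG_PASSWORD: " + e.getMessage()
                    : "UNREADABLE: " + e.getMessage();
        }
        try {
            // PKIXParameters rejects a store without trusted-certificate
            // entries, with the same message seen in the SSLException.
            int anchors = new PKIXParameters(ks).getTrustAnchors().size();
            return "OK: " + anchors + " trusted-certificate entries";
        } catch (InvalidAlgorithmParameterException e) {
            return "NO_TRUST_ANCHORS: " + e.getMessage();
        }
    }

    public static void main(String[] args) throws Exception {
        // Constructed sample: an empty JKS store protected by "correct-pw".
        KeyStore empty = KeyStore.getInstance("JKS");
        empty.load(null, null);
        ByteArrayOutputStream out = new ByteArrayOutputStream();
        empty.store(out, "correct-pw".toCharArray());
        byte[] bytes = out.toByteArray();

        // Wrong password: the WSO2 error from the first question.
        System.out.println(probe(bytes, "JKS", "wrong-pw".toCharArray()));
        // Right password, no certificates: the MobileFirst error.
        System.out.println(probe(bytes, "JKS", "correct-pw".toCharArray()));
    }
}
```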

How configure SSL in Jboss Wildfly 8.1

I have configured SSL in JBoss Wildfly 8.1. I have generated a keystore file and updated the standalone.xml file as below
    <security-realm name="security-realm">
        <server-identities>
            <ssl>
                <keystore path="security/keystore.jks" relative-to="jboss.server.config.dir" keystore-password="changeit" key-password=" changeit"/>
            </ssl>
        </server-identities>
    </security-realm>
The keystore-password and key-password are in clear text. We simply cannot show them in clear text. I want to encrypt the password. I tried a lot but could not find credible help in this regard. So can anybody help me with how to encrypt this password and how to use it in the standalone.xml file?
You can mask passwords for WildFly using the VaultTool.
VaultTool used in WildFly Application Server is used for
creating/using storage for secured attributes (e.g. passwords) which
can be later on used in WildFly configuration files in masked form.
Thus users can use references to their secured attributes instead of
putting them in clear text form to configuration files.
First you need to create a Java Keystore to store sensitive strings.
$ keytool -genseckey -alias vault -storetype jceks -keyalg AES -keysize 128 -storepass vault22 -keypass vault22 -validity 730 -keystore WILDFLY_HOME/vault/vault.keystore
Then initialize the Password Vault and store password for ssl keystore:
wildfly-8.1.0.Final/bin$ sh vault.sh
=========================================================================
JBoss Vault Tool
JBOSS_HOME: "wildfly-8.1.0.Final"
JAVA: ""
JAVA_OPTS: ""
=========================================================================
**********************************
**** JBoss Vault ***************
**********************************
Please enter a Digit:: 0: Start Interactive Session 1: Remove Interactive Session 2: Exit
0
Starting an interactive session
Enter directory to store encrypted files:/home/fsierra/vault/
Enter Keystore URL:home/fsierra/vault/vault.keystore
Enter Keystore password:
Enter Keystore password again:
Values match
Enter 8 character salt:12345678
Enter iteration count as a number (e.g.: 44):17
Enter Keystore Alias:Vault
Initializing Vault
ene 13, 2015 12:42:48 PM org.picketbox.plugins.vault.PicketBoxSecurityVault init
INFO: PBOX000361: Default Security Vault Implementation Initialized and Ready
Vault Configuration in WildFly configuration file:
********************************************
...
</extensions>
<vault>
<vault-option name="KEYSTORE_URL" value="/home/fsierra/vault/vault.keystore"/>
<vault-option name="KEYSTORE_PASSWORD" value="MASK-49SI2WfwF1X"/>
<vault-option name="KEYSTORE_ALIAS" value="Vault"/>
<vault-option name="SALT" value="12345678"/>
<vault-option name="ITERATION_COUNT" value="17"/>
<vault-option name="ENC_FILE_DIR" value="/home/fsierra/vault/"/>
</vault><management> ...
********************************************
Vault is initialized and ready for use
Handshake with Vault complete
Please enter a Digit:: 0: Store a secured attribute 1: Check whether a secured attribute exists 2: Exit
0
Task: Store a secured attribute
Please enter secured attribute value (such as password):
Please enter secured attribute value (such as password) again:
Values match
Enter Vault Block:keystore
Enter Attribute Name:password
Secured attribute value has been stored in Vault.
Please make note of the following:
********************************************
Vault Block:keystore
Attribute Name:password
Configuration should be done as follows:
VAULT::keystore::password::1
********************************************
Please enter a Digit:: 0: Store a secured attribute 1: Check whether a secured attribute exists 2: Exit
Finally keystore password has been masked for use in configuration files and deployments.
Eg (standalone.xml):
    <extensions>
        ...
    </extensions>
    <vault>
        <vault-option name="KEYSTORE_URL" value="/home/fsierra/vault/vault.keystore"/>
        <vault-option name="KEYSTORE_PASSWORD" value="MASK-49SI2WfwF1X"/>
        <vault-option name="KEYSTORE_ALIAS" value="Vault"/>
        <vault-option name="SALT" value="12345678"/>
        <vault-option name="ITERATION_COUNT" value="17"/>
        <vault-option name="ENC_FILE_DIR" value="/home/fsierra/vault/"/>
    </vault>
    <management>
        <security-realms>
            ...
            <security-realm name="SslRealm">
                <server-identities>
                    <ssl>
                        <keystore path="ssl.jks" relative-to="jboss.server.config.dir" keystore-password="${VAULT::keystore::password::1}"/>
                    </ssl>
                </server-identities>
            </security-realm>
        </security-realms>
    </management>
References:
Masking passwords for WildFly using non-interactive VaultTool
Mask the Keystore Password and Initialize the Password Vault
JBoss AS7 Securing Passwords
AS7: Utilising masked passwords via the vault

Programmatically Configure SSL for Jetty 9 embedded

I'm using jetty version 9.0.0.M4 and am trying to configure it to accept SSL connections.
following the instructions in:
http://www.eclipse.org/jetty/documentation/current/configuring-connectors.html
I've managed to write something that works.
However, the code I wrote seems ugly and unnecessarily complex.
Any idea how to do this properly?
final Server server = new Server(Config.Server.PORT);
SslContextFactory contextFactory = new SslContextFactory();
contextFactory.setKeyStorePath(Config.Location.KEYSTORE_LOCATION);
contextFactory.setKeyStorePassword("******");
SslConnectionFactory sslConnectionFactory = new SslConnectionFactory(contextFactory, org.eclipse.jetty.http.HttpVersion.HTTP_1_1.toString());
HttpConfiguration config = new HttpConfiguration();
config.setSecureScheme("https");
config.setSecurePort(Config.Server.SSL_PORT);
config.setOutputBufferSize(32786);
config.setRequestHeaderSize(8192);
config.setResponseHeaderSize(8192);
HttpConfiguration sslConfiguration = new HttpConfiguration(config);
sslConfiguration.addCustomizer(new SecureRequestCustomizer());
HttpConnectionFactory httpConnectionFactory = new HttpConnectionFactory(sslConfiguration);
ServerConnector connector = new ServerConnector(server, sslConnectionFactory, httpConnectionFactory);
connector.setPort(Config.Server.SSL_PORT);
server.addConnector(connector);
server.start();
server.join();
The ServerConnector should be setup with an SslContextFactory.
The rest of the work you are doing in the HttpConfiguration is irrelevant to setting up SSL.
A good example of setting up SSL in embedded mode is maintained in the embedded jetty examples project.
http://git.eclipse.org/c/jetty/org.eclipse.jetty.project.git/tree/examples/embedded/src/main/java/org/eclipse/jetty/embedded/LikeJettyXml.java
Edit: to be more clear (thanks Erik)
Update: June 2016
The Eclipse Jetty Project has moved its canonical repository to github.
The above LikeJettyXml.java can now be found at
https://github.com/eclipse/jetty.project/blob/jetty-9.4.x/examples/embedded/src/main/java/org/eclipse/jetty/embedded/LikeJettyXml.java
For Jetty 9 there is a good reference here and all you need to do is to create the JKS keystore file as explained here.
using the command keytool -genkey -alias sitename -keyalg RSA -keystore keystore.jks -keysize 2048. For some reason what works with jetty 8 is not what works on 9.
For those who can't get above configuration working:
If you are using java 1.7, ensure you have latest update of it. First versions of jvm 1.7 cause problems with accessing https web pages (browser may display: connection reset, connection aborted, or no data received error).