WebSphere Liberty P12 fails to enable TLS - ssl

When trying to enable SSL/TLS on WebSphere Liberty profile, WLP fails to allow SSL connectivity.
<?xml version="1.0" encoding="UTF-8"?>
<server description="DefaultServer">
    <!-- Enable features -->
    <featureManager>
        <feature>webProfile-7.0</feature>
        <feature>ssl-1.0</feature>
    </featureManager>
    <keyStore id="defaultKeyStore" location="/opt/wlp/usr/servers/defaultServer/wildcard.p12" type="PKCS12" password="******"/>
    <!-- To access this server from a remote client add a host attribute to the following element, e.g. host="*" -->
    <httpEndpoint id="defaultHttpEndpoint"
                  host="*"
                  httpPort="9080"
                  httpsPort="9443" />
    <!-- Automatically expand WAR files and EAR files -->
    <applicationManager autoExpand="true"/>
</server>
When issuing curl https://localhost:9443 --insecure -vv I get the following response. This doesn't happen if I use the default generated <keyStore id="defaultKeyStore" password="somePassword"/>
[~] curl https://localhost:9443 --insecure -vv
About to connect() to localhost port 9443 (#0)
Trying ::1...
Connected to localhost (::1) port 9443 (#0)
Initializing NSS with certpath: sql:/etc/pki/nssdb
NSS error -5938 (PR_END_OF_FILE_ERROR)
Encountered end of file
Closing connection 0
curl: (35) Encountered end of file
Can someone explain what's going on?
Some .p12 attribute data. Note that the .p12 output displayed below has the private key and cert omitted.
MAC verified OK
Bag Attributes
Microsoft Local Key set: <No Values>
localKeyID: 01 00 00 00
friendlyName: <omitted for Stack Overflow Post>
Microsoft CSP Name: Microsoft RSA SChannel Cryptographic Provider
Key Attributes
X509v3 Key Usage: 10
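An added diagnostic, not part of the question and not Liberty code: curl exit code 35 with NSS PR_END_OF_FILE_ERROR means the server accepted the TCP connection and then closed it before the TLS handshake completed, which is a different failure from a certificate the client rejects (expired, untrusted, or wrong name). The probe below reproduces that classification with Python's standard ssl module so the cases can be told apart from one tool. The fake endpoint that reads the ClientHello and hangs up, the free-port helper, and the category names are constructed for this example.

```python
import socket
import ssl
import threading
from typing import Optional


def classify_tls_failure(host: str, port: int, timeout: float = 3.0,
                         context: Optional[ssl.SSLContext] = None) -> str:
    """Attempt a TLS handshake with host:port and return a short failure class.

    "connection-refused"       nothing is listening on the port
    "closed-during-handshake"  TCP connected, but the peer closed before the handshake
                               finished (what curl shows as NSS PR_END_OF_FILE_ERROR /
                               "Encountered end of file")
    "cert-hostname-mismatch"   certificate carries no name matching `host`
    "cert-expired"             certificate validity period is over
    "cert-untrusted"           chain does not lead to a trusted anchor
    "cert-other:<reason>"      any other verification failure
    "tls-error:<reason>"       protocol, version or cipher negotiation failure
    "timeout"                  no answer within `timeout` seconds
    "handshake-ok"             handshake completed and the server presented a certificate
    """
    ctx = context or ssl.create_default_context()
    try:
        with socket.create_connection((host, port), timeout=timeout) as raw:
            with ctx.wrap_socket(raw, server_hostname=host) as tls:
                tls.getpeercert(binary_form=True)
                return "handshake-ok"
    except ConnectionRefusedError:
        return "connection-refused"
    except (socket.timeout, TimeoutError):
        return "timeout"
    except (ssl.SSLEOFError, ConnectionResetError, BrokenPipeError):
        return "closed-during-handshake"
    except ssl.SSLCertVerificationError as e:
        reason = (e.verify_message or str(e)).lower()
        if "hostname mismatch" in reason or "ip address mismatch" in reason:
            return "cert-hostname-mismatch"
        if "expired" in reason:
            return "cert-expired"
        if "local issuer" in reason or "self-signed" in reason or "self signed" in reason:
            return "cert-untrusted"
        return "cert-other:" + reason
    except ssl.SSLError as e:
        reason = str(e.reason or e)
        # Some Python/OpenSSL combinations surface the EOF as a generic SSLError.
        if "EOF" in reason.upper():
            return "closed-during-handshake"
        return "tls-error:" + reason


def start_closing_server() -> int:
    """Constructed stand-in for an endpoint that accepts the TCP connection but never
    sends a ServerHello: it reads the ClientHello and closes. Returns the port."""
    srv = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    srv.bind(("127.0.0.1", 0))
    srv.listen(1)
    port = srv.getsockname()[1]

    def serve() -> None:
        try:
            conn, _ = srv.accept()
        except OSError:
            srv.close()
            return
        try:
            conn.settimeout(3.0)
            conn.recv(8192)  # consume the ClientHello so the close is a clean FIN, not a RST
        except OSError:
            pass
        finally:
            conn.close()
            srv.close()

    threading.Thread(target=serve, daemon=True).start()
    return port


def free_port() -> int:
    """Constructed helper: a port with nothing listening, for the refused case."""
    with socket.socket(socket.AF_INET, socket.SOCK_STREAM) as s:
        s.bind(("127.0.0.1", 0))
        return s.getsockname()[1]


if __name__ == "__main__":
    print("fake endpoint:", classify_tls_failure("127.0.0.1", start_closing_server()))
    print("closed port:  ", classify_tls_failure("127.0.0.1", free_port()))
```

Pointed at a real httpsPort, a "closed-during-handshake" verdict says the endpoint is up but never presents a certificate, so the keystore wiring is the place to look; a "cert-..." verdict means the handshake got far enough for the certificate itself to be the problem.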

Related

Why is hostname verification done even though verifyHostname is false?

In trying to get secure rest services to work on Open Liberty in a container, I get the following error:
CWPKI0824E: SSL HANDSHAKE FAILURE: Host name verification error while connecting to host [hostname]. The host name used to access the server does not match the server certificate's SubjectDN or Subject Alternative Name information. The extended error message from the SSL handshake exception is: [No name matching hostname found].
Relevant portion of the server.xml:
<featureManager>
    <feature>appSecurity-3.0</feature>
    <feature>jca-1.7</feature>
    <feature>jdbc-4.1</feature>
    <feature>jndi-1.0</feature>
    <feature>localConnector-1.0</feature>
    <feature>mpConfig-1.3</feature>
    <feature>passwordUtilities-1.0</feature>
    <feature>ssl-1.0</feature>
    <feature>transportSecurity-1.0</feature>
</featureManager>
<sslDefault sslRef="DefaultSSLConfig" httpHostNameVerification="false"/>
<ssl id="DefaultSSLConfig" keyStoreRef="DefaultKeyStore" trustStoreRef="DefaultTrustStore" trustDefaultCerts="true" verifyHostname="false"/>
<keyStore id="DefaultKeyStore" location="liberty-default-key.p12" type="PKCS12" password="password"/>
<keyStore id="DefaultTrustStore" location="liberty-default-trust.p12" type="PKCS12" password="password"/>
<ldapRegistry id="ldapRegistry" realm="Standalone LDAP Registry" ldapType="IBM Tivoli Directory Server"
              host="server" port="123"
              baseDN="baseDN" bindDN="bindDN" bindPassword="password"
              recursiveSearch="true"
              sslEnabled="true" sslRef="DefaultSSLConfig">
    <idsFilters>
    ...
    </idsFilters>
</ldapRegistry>
As you can see verifyHostname has the value 'false', but the check is done anyway.
What am I missing?
The JDK handles LDAP separately, and hostname verification is enabled by default by the JDK. To disable LDAP hostname verification you need to set the system property com.sun.jndi.ldap.object.disableEndpointIdentification to true. So in the jvm.options in your server directory add -Dcom.sun.jndi.ldap.object.disableEndpointIdentification=true to disable hostname verification on an LDAP connection.
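The check that the property above switches off (for LDAP connections only) is shown below as an added example; it is not code from Liberty or the JDK. The rules are the ones the CWPKI0824E text alludes to with "SubjectDN or Subject Alternative Name": dNSName SAN entries are authoritative, the Subject CN is consulted only when the certificate has no dNSName at all, an IP literal matches only iPAddress entries, and a wildcard covers exactly one leftmost label. Function names and the host names used in the demo are this example's own; the durable fix the check points to is a certificate whose SAN contains the name given in host=.

```python
import ipaddress
from typing import Iterable, Optional


def dns_name_matches(presented: str, hostname: str) -> bool:
    """Match one dNSName (or CN) from a certificate against the name the client used.

    Rules as applied by JDK endpoint identification (RFC 6125 style):
    - comparison is case-insensitive and ignores a trailing dot;
    - a wildcard must be the entire leftmost label ("*.example.com", not "ld*.example.com");
    - it matches exactly one label: "*.example.com" covers "ldap.example.com" but
      neither "a.b.example.com" nor the bare "example.com";
    - as a conservative stand-in for the JDK's public-suffix rule, a wildcard needs at
      least two labels after it ("*.com" never matches).
    """
    presented = presented.lower().rstrip(".")
    hostname = hostname.lower().rstrip(".")
    if "*" not in presented:
        return presented == hostname
    p_labels = presented.split(".")
    h_labels = hostname.split(".")
    if p_labels[0] != "*" or len(p_labels) < 3:
        return False
    return len(p_labels) == len(h_labels) and p_labels[1:] == h_labels[1:]


def hostname_matches(hostname: str, san_dns: Iterable[str] = (), san_ip: Iterable[str] = (),
                     subject_cn: Optional[str] = None) -> bool:
    """Decide whether `hostname` is covered by a certificate's names.

    - An IP literal is compared only with iPAddress SAN entries, never dNSName or CN.
    - If the certificate has any dNSName SAN entry, only those count; the CN is ignored.
    - The Subject CN is a fallback used only when there is no dNSName SAN at all.
    """
    san_dns = list(san_dns)
    try:
        ip = ipaddress.ip_address(hostname)
    except ValueError:
        ip = None
    if ip is not None:
        for entry in san_ip:
            try:
                if ipaddress.ip_address(entry) == ip:
                    return True
            except ValueError:
                continue  # malformed iPAddress entry can never match
        return False
    if san_dns:
        return any(dns_name_matches(name, hostname) for name in san_dns)
    return subject_cn is not None and dns_name_matches(subject_cn, hostname)


if __name__ == "__main__":
    # Constructed example: names on an LDAP server certificate vs. the host= value used.
    print(hostname_matches("ldap.example.com", ["*.example.com"]))  # True
    # CN is ignored once a dNSName SAN is present, hence "No name matching ... found":
    print(hostname_matches("ldap.example.com", ["ldap-01.example.com"],
                           subject_cn="ldap.example.com"))  # False
```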

Keycloak does not work on https after setting up SSL

I have a problem and I don't know why it happens.
I have LetsEncrypt Certificates which I use to create a .pfx file.
openssl pkcs12 -export -out /tmp/certificate.pfx -inkey /etc/letsencrypt/live/ds-gym.de/privkey.pem -in /etc/letsencrypt/live/ds-gym.de/cert.pem -certfile /etc/letsencrypt/live/ds-gym.de/chain.pem
I set up Keycloak 8.0.1 as a service by following this tutorial (https://medium.com/#hasnat.saeed/setup-keycloak-server-on-ubuntu-18-04-ed8c7c79a2d9) and it worked fine. Keycloak seems to set up a self-signed certificate, which is not what I want. First I set up Keycloak for SSL.
With the JBoss-cli.sh file I do the following (described here: https://www.keycloak.org/docs/latest/server_installation/#setting-up-https-ssl)
/core-service=management/security-realm=UndertowRealm:add()
/core-service=management/security-realm=UndertowRealm/server-identity=ssl:add(keystore-path=keycloak.jks, keystore-relative-to=jboss.server.config.dir, keystore-password=secret)
/subsystem=undertow/server=default-server/https-listener=https:write-attribute(name=security-realm, value=UndertowRealm)
Now my security realm looks like this:
<security-realm name="UndertowRealm">
    <server-identities>
        <ssl>
            <keystore path="keycloak.jks" relative-to="jboss.server.config.dir" keystore-password="secret"/>
        </ssl>
    </server-identities>
</security-realm>
I import the certificate now:
keytool -importkeystore -srckeystore /tmp/certificate.pfx -srcstoretype pkcs12 -destkeystore /opt/keycloak/standalone/configuration/keycloak.jks -deststoretype JKS
Then I restart keycloak:
systemctl restart keycloak
Now I get the following error:
HTTP ERROR 502
You can also check the network tab of my website if that helps.
The keycloak service is up and running, however it seems it does not work on port 8443 anymore.
The listeners look like this:
<server name="default-server">
    <http-listener name="default" socket-binding="http" redirect-socket="https" enable-http2="true"/>
    <https-listener name="https" socket-binding="https" security-realm="UndertowRealm" enable-http2="true"/>
    <host name="default-host" alias="localhost">
        <location name="/" handler="welcome-content"/>
        <http-invoker security-realm="ApplicationRealm"/>
    </host>
</server>
Any idea why this happens? Are my certificates wrong? I'm quite desperate with Keycloak already :-(
Edit:
This is my logged Error:
]) - failure description: {"WFLYCTL0080: Failed services" => {"org.wildfly.core.management.security.realm.UndertowRealm.key-manager" => "WFLYDM0018: Unable to start service
Caused by: java.security.UnrecoverableKeyException: Cannot recover key"}}
2019-12-23 19:12:57,421 INFO [org.jboss.as.server] (ServerService Thread Pool -- 43) WFLYSRV0010: Deployed "keycloak-server.war" (runtime-name : "keycloak-server.war")
2019-12-23 19:12:57,423 INFO [org.jboss.as.controller] (Controller Boot Thread) WFLYCTL0183: Service status report WFLYCTL0186: Services which failed to start: service org.wildfly.core.management.security.realm.UndertowRealm.key-manager: WFLYDM0018: Unable to start service WFLYCTL0448: 2 additional services are down due to their dependencies being missing or failed
2019-12-23 19:12:57,569 INFO [org.jboss.as.server] (Controller Boot Thread) WFLYSRV0212: Resuming server
2019-12-23 19:12:57,578 INFO [org.jboss.as] (Controller Boot Thread) WFLYSRV0060: Http management interface listening on http://127.0.0.1:9990/management
2019-12-23 19:12:57,579 INFO [org.jboss.as] (Controller Boot Thread) WFLYSRV0051: Admin console listening on http://127.0.0.1:9990
2019-12-23 19:12:57,580 ERROR [org.jboss.as] (Controller Boot Thread) WFLYSRV0026: Keycloak 8.0.1 (WildFly Core 10.0.3.Final) started (with errors) in 41093ms - Started 586 of 888 services (4 services failed or missing dependencies, 604 services are lazy, passive or on-demand)
It looks like the keystore is incorrectly generated. Check that:
You set the value of keystore-password to match actual keystore password.
You set alias root for root certificate.
You set alias yourdomain.com for the domain certificate.
Try to follow the steps exactly as described in the documentation.

SSL config for outbound connections doesn't work in websphere-liberty 17.0.0.2

I'm trying to configure a websphere-liberty server to use the default keystore and truststore for all outbound connections (actually REST calls) and to use custom key and trust stores for inbound connections. But it fails with SSLHandshakeException when trying to make a call to an external REST service. In the logs I can see that it uses my custom truststore instead of the default one.
Below is my server.xml
<?xml version="1.0" encoding="UTF-8"?>
<server description="Default server">
    <featureManager>
        <feature>appSecurity-2.0</feature>
        <feature>transportSecurity-1.0</feature>
        <feature>jaxrs-2.0</feature>
        <feature>json-1.0</feature>
        <feature>javaMail-1.5</feature>
        <!--<feature>ssl-1.0</feature>-->
    </featureManager>
    <sslDefault sslRef="saasSSLConfig" outboundSSLRef="outboundSSLConfig" />
    <ssl id="saasSSLConfig" keyStoreRef="saasKeyStore" trustStoreRef="saasTrustStore" clientAuthentication="true" sslProtocol="TLSv1" />
    <keyStore id="saasKeyStore" location="/opt/ibm/wlp/output/defaultServer/resources/security/sbs_endpoint_keystore.jks" password="pwd" />
    <keyStore id="saasTrustStore" location="/opt/ibm/wlp/output/defaultServer/resources/security/serverTruststore.jks" password="pwd" />
    <ssl id="outboundSSLConfig" keyStoreRef="defaultKeyStore" trustStoreRef="defaultTrustStore" />
    <basicRegistry id="basic" realm="BasicRealm">
        <!-- <user name="yourUserName" password="" /> -->
    </basicRegistry>
    <httpEndpoint id="defaultHttpEndpoint" host="*" httpPort="9080" httpsPort="9443" />
    <applicationManager autoExpand="true"/>
</server>
BTW, if I change saasSSLConfig to use defaultTrustStore instead of saasTrustStore then everything works fine.
Server version:
WebSphere Application Server 17.0.0.2 (1.0.17.cl170220170523-1818) on IBM J9 VM, version pxa6480sr4fp7-20170627_02 (SR4 FP7) (en_US)
Error:
[ERROR] CWPKI0022E: SSL HANDSHAKE FAILURE: A signer with SubjectDN CN=*.api.ibm.com, O=International Business Machines, L=Armonk, ST=New York, C=US was sent from the target host. The signer might need to be added to local trust store /opt/ibm/wlp/output/defaultServer/resources/security/serverTruststore.jks, located in SSL configuration alias saasSSLConfig. The extended error message from the SSL handshake exception is: PKIX path building failed: java.security.cert.CertPathBuilderException: PKIXCertPathBuilderImpl could not build a valid CertPath.;
SSLHandshakeException invoking https://dev.api.ibm.com/scx/test/sbs/customer/222222222: java.security.cert.CertificateException: PKIXCertPathBuilderImpl could not build a valid CertPath.
Liberty does not load cacerts automatically. You can create a keyStore element to point to it if desired. So in your case above you can create a configuration like this.
<ssl id="outboundSSLConfig" keyStoreRef="cacertKeyStore" />
<keyStore id="cacertKeyStore" location="[fill in path to your jdk cacerts file]" password="changeit" />
I am assuming you do not need a key for this configuration so I simplified to just a keyStoreRef on outboundSSLConfig. It will use what is pointed to by keyStoreRef for both key and trust.
In your configuration I do not see keyStore elements for defaultKeyStore and defaultTrustStore. If they are missing, that will cause outboundSSLConfig to be an invalid SSL configuration. Can you please add them and see if things work?
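The defect the answer points at, an ssl element whose keyStoreRef and trustStoreRef name keyStore ids that have no element, can be caught before the server is started. The linter below is an added example and not Liberty code: it resolves every keyStoreRef, trustStoreRef, sslRef and outboundSSLRef in a server.xml and also flags an ssl element pinned to a deprecated sslProtocol such as the TLSv1 in the posted configuration (an ssl element without trustStoreRef is deliberately not reported, since Liberty then uses the keyStoreRef store for trust as well). The two embedded configurations are constructed from the question and from the answer's suggestion; the cacerts path is a placeholder.

```python
import xml.etree.ElementTree as ET
from typing import Dict, List, Set

# Reference attributes in a Liberty server.xml and the element type each must resolve to.
REF_ATTRS = {
    "sslDefault":   {"sslRef": "ssl", "outboundSSLRef": "ssl"},
    "ssl":          {"keyStoreRef": "keyStore", "trustStoreRef": "keyStore"},
    "ldapRegistry": {"sslRef": "ssl"},
}

# Protocol values that should no longer be pinned (RFC 8996 deprecates TLS 1.0 and 1.1).
DEPRECATED_PROTOCOLS = {"SSL", "SSLV2", "SSLV3", "TLSV1", "TLSV1.0", "TLSV1.1"}


def lint_liberty_ssl(server_xml: str) -> List[str]:
    """Return findings for the SSL wiring of a Liberty server.xml: dangling
    *Ref attributes and ssl elements pinned to a deprecated sslProtocol."""
    root = ET.fromstring(server_xml)
    ids: Dict[str, Set[str]] = {kind: set() for kind in ("ssl", "keyStore")}
    for kind in ids:
        for el in root.iter(kind):
            if el.get("id"):
                ids[kind].add(el.get("id"))

    findings: List[str] = []
    for tag, attrs in REF_ATTRS.items():
        for el in root.iter(tag):
            owner = f"<{tag} id={el.get('id', '(default)')!r}>"
            for attr, target in attrs.items():
                ref = el.get(attr)
                if ref and ref not in ids[target]:
                    findings.append(f"{owner} {attr}={ref!r} has no matching <{target}> element")
    for el in root.iter("ssl"):
        proto = el.get("sslProtocol", "")
        if proto.upper() in DEPRECATED_PROTOCOLS:
            findings.append(f"<ssl id={el.get('id')!r}> pins deprecated sslProtocol={proto!r}; use TLSv1.2 or later")
    return findings


# Constructed copy of the posted server.xml (comments and unrelated features dropped).
POSTED_SERVER_XML = """<?xml version="1.0" encoding="UTF-8"?>
<server description="Default server">
  <featureManager>
    <feature>appSecurity-2.0</feature>
    <feature>transportSecurity-1.0</feature>
  </featureManager>
  <sslDefault sslRef="saasSSLConfig" outboundSSLRef="outboundSSLConfig" />
  <ssl id="saasSSLConfig" keyStoreRef="saasKeyStore" trustStoreRef="saasTrustStore" clientAuthentication="true" sslProtocol="TLSv1" />
  <keyStore id="saasKeyStore" location="/opt/ibm/wlp/output/defaultServer/resources/security/sbs_endpoint_keystore.jks" password="pwd" />
  <keyStore id="saasTrustStore" location="/opt/ibm/wlp/output/defaultServer/resources/security/serverTruststore.jks" password="pwd" />
  <ssl id="outboundSSLConfig" keyStoreRef="defaultKeyStore" trustStoreRef="defaultTrustStore" />
  <httpEndpoint id="defaultHttpEndpoint" host="*" httpPort="9080" httpsPort="9443" />
</server>
"""

# Constructed version following the answer: outbound config points at a cacerts keyStore
# (PATH_TO_JDK_CACERTS is a placeholder) and the TLSv1 pin is removed.
FIXED_SERVER_XML = """<server description="Default server">
  <sslDefault sslRef="saasSSLConfig" outboundSSLRef="outboundSSLConfig" />
  <ssl id="saasSSLConfig" keyStoreRef="saasKeyStore" trustStoreRef="saasTrustStore" clientAuthentication="true" />
  <keyStore id="saasKeyStore" location="/opt/ibm/wlp/output/defaultServer/resources/security/sbs_endpoint_keystore.jks" password="pwd" />
  <keyStore id="saasTrustStore" location="/opt/ibm/wlp/output/defaultServer/resources/security/serverTruststore.jks" password="pwd" />
  <ssl id="outboundSSLConfig" keyStoreRef="cacertKeyStore" />
  <keyStore id="cacertKeyStore" location="PATH_TO_JDK_CACERTS" password="changeit" />
</server>
"""

if __name__ == "__main__":
    for finding in lint_liberty_ssl(POSTED_SERVER_XML):
        print("posted:", finding)
    print("fixed:", lint_liberty_ssl(FIXED_SERVER_XML))
```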

IBM MobileFirst adapter call ssl error

I am trying to get json data from an application via an http adapter of IBM mobilefirst.
The app is accessible with https and I get this SSL error:
"Runtime: Http request failed: javax.net.ssl.SSLHandshakeException: java.security.cert.CertificateExpiredException: NotAfter: Sat Jul 26 21:15:15 EEST 2014"
This is the xml of the adapter:
<wl:adapter name="test2"
    xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
    xmlns:wl="http://www.ibm.com/mfp/integration"
    xmlns:http="http://www.ibm.com/mfp/integration/http">
    <displayName>test2</displayName>
    <description>test2</description>
    <connectivity>
        <connectionPolicy xsi:type="http:HTTPConnectionPolicyType">
            <protocol>https</protocol>
            <domain>www.mydomain-company.gr</domain>
            <port>443</port>
            <connectionTimeoutInMilliseconds>30000</connectionTimeoutInMilliseconds>
            <socketTimeoutInMilliseconds>30000</socketTimeoutInMilliseconds>
            <maxConcurrentConnectionsPerNode>50</maxConcurrentConnectionsPerNode>
            <!-- Following properties used by adapter's key manager for choosing specific certificate from key store
            <sslCertificateAlias></sslCertificateAlias>
            <sslCertificatePassword></sslCertificatePassword>
            -->
        </connectionPolicy>
    </connectivity>
    <procedure name="getDDD"/>
</wl:adapter>
and here is the js:
function getDDD() {
    // Base64 is a helper defined elsewhere in the adapter (not pasted here);
    // it works and is tested in other apps.
    var identity = Base64.encode("myuser:mypass");
    var path = "/part1/part2/ddd.nsf/rest.xsp/ddd";
    var input = {
        method : 'get',
        returnedContentType : 'json',
        path : path,
        headers : {Authorization : "Basic " + identity}
    };
    return WL.Server.invokeHttp(input);
}
If I call the same URL from my browser I get the data, and checking the https info I see that the certificate expires in 2016.
I have also checked using java keytool the expiration date of the certificate in the jks file of mobile first server in the path:
C:\path1\path2\\MobileFirstServerConfig\servers\worklight\resources\security\key.jks
and it is not expired.
Is it a problem of mobile first server or the target server's certificate?
My steps so far in order to configure ssl:
1) went to /MobileFirstServerConfig\servers\worklight\resources\security and created a new key.jks with a new certificate using java keytool. I named the certificate "default", just as it was named in the old key.jks file.
2) exported the certificate from this jks
3) imported the certificate into the default.keystore file in the project under the server/conf folder
4) worklight.properties file:
# MobileFirst SSL keystore
#
# SSL certificate keystore location.
ssl.keystore.path=conf/default.keystore
# SSL certificate keystore type (jks or PKCS12)
ssl.keystore.type=jks
# SSL certificate keystore password.
ssl.keystore.password=worklight
5) server.xml file:
<keyStore id="defaultKeyStore" password="worklight"/>
I've also tried to put "default" as the id.
You did not configure SSL between the adapter and the backend.
The keystore that you should be looking at is defined in the worklight.properties file of the project (by default located like this: workspace\CustomLoginModule\server\conf).
Make sure to follow the instructions provided here: https://www-01.ibm.com/support/knowledgecenter/SSZH4A_6.2.0/com.ibm.worklight.installconfig.doc/admin/t_configuring_SSL_WL_adapters_backend_servers_certificates.html

How to configure SSL in JBoss Wildfly 8.1

I have configured SSL in JBoss Wildfly 8.1. I have generated a keystore file and updated the standalone.xml file as below
<security-realm name="security-realm">
    <server-identities>
        <ssl>
            <keystore path="security/keystore.jks" relative-to="jboss.server.config.dir" keystore-password="changeit" key-password="changeit"/>
        </ssl>
    </server-identities>
</security-realm>
The keystore-password and key-password are in cleartext. We simply cannot show them in clear text, so I want to encrypt the password. I tried a lot but could not find credible help in this regard. Can anybody help me with how to encrypt this password and how to use it in standalone.xml?
You can mask passwords for WildFly using the VaultTool.
The VaultTool used in WildFly Application Server is used for creating/using storage for secured attributes (e.g. passwords) which can later be used in WildFly configuration files in masked form. Thus users can use references to their secured attributes instead of putting them in clear text form in configuration files.
First you need to create a Java Keystore to store sensitive strings.
$ keytool -genseckey -alias vault -storetype jceks -keyalg AES -keysize 128 -storepass vault22 -keypass vault22 -validity 730 -keystore WILDFLY_HOME/vault/vault.keystore
Then initialize the Password Vault and store the password for the SSL keystore:
wildfly-8.1.0.Final/bin$ sh vault.sh
=========================================================================
JBoss Vault Tool
JBOSS_HOME: "wildfly-8.1.0.Final"
JAVA: ""
JAVA_OPTS: ""
=========================================================================
**********************************
**** JBoss Vault ***************
**********************************
Please enter a Digit:: 0: Start Interactive Session 1: Remove Interactive Session 2: Exit
0
Starting an interactive session
Enter directory to store encrypted files:/home/fsierra/vault/
Enter Keystore URL:home/fsierra/vault/vault.keystore
Enter Keystore password:
Enter Keystore password again:
Values match
Enter 8 character salt:12345678
Enter iteration count as a number (e.g.: 44):17
Enter Keystore Alias:Vault
Initializing Vault
ene 13, 2015 12:42:48 PM org.picketbox.plugins.vault.PicketBoxSecurityVault init
INFO: PBOX000361: Default Security Vault Implementation Initialized and Ready
Vault Configuration in WildFly configuration file:
********************************************
...
</extensions>
<vault>
<vault-option name="KEYSTORE_URL" value="/home/fsierra/vault/vault.keystore"/>
<vault-option name="KEYSTORE_PASSWORD" value="MASK-49SI2WfwF1X"/>
<vault-option name="KEYSTORE_ALIAS" value="Vault"/>
<vault-option name="SALT" value="12345678"/>
<vault-option name="ITERATION_COUNT" value="17"/>
<vault-option name="ENC_FILE_DIR" value="/home/fsierra/vault/"/>
</vault><management> ...
********************************************
Vault is initialized and ready for use
Handshake with Vault complete
Please enter a Digit:: 0: Store a secured attribute 1: Check whether a secured attribute exists 2: Exit
0
Task: Store a secured attribute
Please enter secured attribute value (such as password):
Please enter secured attribute value (such as password) again:
Values match
Enter Vault Block:keystore
Enter Attribute Name:password
Secured attribute value has been stored in Vault.
Please make note of the following:
********************************************
Vault Block:keystore
Attribute Name:password
Configuration should be done as follows:
VAULT::keystore::password::1
********************************************
Please enter a Digit:: 0: Store a secured attribute 1: Check whether a secured attribute exists 2: Exit
Finally, the keystore password has been masked for use in configuration files and deployments.
Eg (standalone.xml):
<extensions>
    ...
</extensions>
<vault>
    <vault-option name="KEYSTORE_URL" value="/home/fsierra/vault/vault.keystore"/>
    <vault-option name="KEYSTORE_PASSWORD" value="MASK-49SI2WfwF1X"/>
    <vault-option name="KEYSTORE_ALIAS" value="Vault"/>
    <vault-option name="SALT" value="12345678"/>
    <vault-option name="ITERATION_COUNT" value="17"/>
    <vault-option name="ENC_FILE_DIR" value="/home/fsierra/vault/"/>
</vault>
<management>
    <security-realms>
        ...
        <security-realm name="SslRealm">
            <server-identities>
                <ssl>
                    <keystore path="ssl.jks" relative-to="jboss.server.config.dir" keystore-password="${VAULT::keystore::password::1}"/>
                </ssl>
            </server-identities>
        </security-realm>
    </security-realms>
</management>
References:
Masking passwords for WildFly using non-interactive VaultTool
Mask the Keystore Password and Initialize the Password Vault
JBoss AS7 Securing Passwords
AS7: Utilising masked passwords via the vault
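As an added example, not WildFly tooling, the check below reads a standalone.xml and reports keystore elements whose keystore-password or key-password is still cleartext, accepting only ${VAULT::block::attribute::shared-key} references of the form the vault.sh session above prints, and it also notes a vault reference that has no vault element to resolve it. It tolerates the xmlns="urn:jboss:domain:..." namespace of a real standalone.xml. The two embedded configurations are constructed copies of the question's realm and of the answer's vaulted excerpt (the latter wrapped in a root element so it parses on its own).

```python
import re
import xml.etree.ElementTree as ET
from typing import List

# ${VAULT::<vault block>::<attribute name>::<shared key>} as produced by vault.sh
VAULT_REF = re.compile(r"^\$\{VAULT::[^:}]+::[^:}]+::[^}]+\}$")
SECRET_ATTRS = ("keystore-password", "key-password")


def _local(tag: str) -> str:
    """Drop the namespace prefix ElementTree adds for xmlns-qualified documents."""
    return tag.rsplit("}", 1)[-1]


def find_keystore_secret_issues(standalone_xml: str) -> List[str]:
    """Flag <keystore> elements with cleartext keystore-password/key-password values,
    and vault references that cannot be resolved because no <vault> is configured."""
    root = ET.fromstring(standalone_xml)
    has_vault = any(_local(el.tag) == "vault" for el in root.iter())
    findings: List[str] = []
    for el in root.iter():
        if _local(el.tag) != "keystore":
            continue
        where = el.get("path", "?")
        for attr in SECRET_ATTRS:
            value = el.get(attr)
            if value is None:
                continue
            if VAULT_REF.match(value):
                if not has_vault:
                    findings.append(f"keystore {where!r}: {attr} uses a vault reference but no <vault> element is configured")
            else:
                findings.append(f"keystore {where!r}: {attr} is stored in cleartext")
    return findings


# Constructed from the configuration quoted in the question (cleartext passwords).
CLEARTEXT_REALM = """<security-realm name="security-realm">
  <server-identities>
    <ssl>
      <keystore path="security/keystore.jks" relative-to="jboss.server.config.dir"
                keystore-password="changeit" key-password="changeit"/>
    </ssl>
  </server-identities>
</security-realm>"""

# Constructed from the answer's standalone.xml excerpt, wrapped in a <server> root.
VAULTED_CONFIG = """<server>
  <vault>
    <vault-option name="KEYSTORE_URL" value="/home/fsierra/vault/vault.keystore"/>
    <vault-option name="KEYSTORE_PASSWORD" value="MASK-49SI2WfwF1X"/>
    <vault-option name="KEYSTORE_ALIAS" value="Vault"/>
    <vault-option name="SALT" value="12345678"/>
    <vault-option name="ITERATION_COUNT" value="17"/>
    <vault-option name="ENC_FILE_DIR" value="/home/fsierra/vault/"/>
  </vault>
  <management>
    <security-realms>
      <security-realm name="SslRealm">
        <server-identities>
          <ssl>
            <keystore path="ssl.jks" relative-to="jboss.server.config.dir"
                      keystore-password="${VAULT::keystore::password::1}"/>
          </ssl>
        </server-identities>
      </security-realm>
    </security-realms>
  </management>
</server>"""

if __name__ == "__main__":
    for finding in find_keystore_secret_issues(CLEARTEXT_REALM):
        print("question config:", finding)
    print("answer config:", find_keystore_secret_issues(VAULTED_CONFIG))
```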