In our WSO2 ESB 4.9.0 we had set up the CA certificates (root, intermediate and the final one) in a new JKS and had configured our carbon, axis2 and catalina XMLs.
Now we want the client application to hit our ESB over HTTPS with SSL. Can you let us know what details we need to share with our client application?
Thanks
The client should have the public key of the server.
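What the client side does with what the ESB team shares, as an added example that is not part of the question or the answer above: the Java client loads a truststore holding only the ESB's CA chain (the root and intermediate certificates, i.e. public keys; the ESB's private key is never shared) and connects over HTTPS with the default hostname check left on. The truststore file, its password, the alias names and the ESB URL (WSO2's default HTTPS port is 8243) are assumed placeholders.

```java
import java.io.FileInputStream;
import java.io.InputStream;
import java.net.URL;
import java.security.KeyStore;
import java.security.cert.X509Certificate;
import java.util.Collections;
import javax.net.ssl.HttpsURLConnection;
import javax.net.ssl.SSLContext;
import javax.net.ssl.TrustManagerFactory;

public class EsbTlsClient {

    static KeyStore loadJks(String path, char[] password) throws Exception {
        KeyStore store = KeyStore.getInstance("JKS");
        try (InputStream in = new FileInputStream(path)) {
            store.load(in, password);
        }
        return store;
    }

    // One-way TLS: the client authenticates the server and nothing else, so the
    // SSLContext gets TrustManagers only (no KeyManager, hence the first null).
    static SSLContext contextFromTruststore(KeyStore truststore) throws Exception {
        TrustManagerFactory tmf = TrustManagerFactory.getInstance(TrustManagerFactory.getDefaultAlgorithm());
        tmf.init(truststore);
        SSLContext ctx = SSLContext.getInstance("TLSv1.2");
        ctx.init(null, tmf.getTrustManagers(), null);
        return ctx;
    }

    // Show what the client will actually trust: certificate entries only, ideally
    // CA certificates (basicConstraints >= 0), and never a private key.
    static void describeTrustAnchors(KeyStore truststore) throws Exception {
        for (String alias : Collections.list(truststore.aliases())) {
            if (truststore.isKeyEntry(alias)) {
                throw new IllegalStateException("alias '" + alias + "' holds a private key; a client truststore must not");
            }
            X509Certificate c = (X509Certificate) truststore.getCertificate(alias);
            System.out.printf("%s: %s (CA: %b, expires %s)%n",
                    alias, c.getSubjectX500Principal(), c.getBasicConstraints() >= 0, c.getNotAfter());
        }
    }

    public static void main(String[] args) throws Exception {
        // Assumed preparation on the client side, using the root and intermediate .crt
        // files shared by the ESB team (placeholder names):
        //   keytool -importcert -trustcacerts -alias esb-root -file root.crt -keystore esb-truststore.jks
        //   keytool -importcert -trustcacerts -alias esb-intermediate -file intermediate.crt -keystore esb-truststore.jks
        KeyStore truststore = loadJks("esb-truststore.jks", "changeit".toCharArray());
        describeTrustAnchors(truststore);

        HttpsURLConnection conn = (HttpsURLConnection)
                new URL("https://esb.example.com:8243/services/Echo").openConnection();
        conn.setSSLSocketFactory(contextFromTruststore(truststore).getSocketFactory());
        // The default HostnameVerifier stays in place: the server certificate's SAN/CN
        // must match esb.example.com, so the ESB certificate has to be issued for the
        // hostname the client will actually call.
        System.out.println("HTTP " + conn.getResponseCode());
    }
}
```

So the details to hand over are the CA chain certificates (not the server keystore or its password) plus the hostname and port the certificate was issued for; if the chain in the truststore is incomplete or the hostname does not match, the handshake fails on the client side even though the server is configured correctly.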
I'm trying to connect my Java-based application to the IBM MQ queue manager through the MQ client. SSL is already configured on the MQ server, which is managed by a third party. Now, to configure SSL on the client side, I need a keystore and truststore in .jks form.
Could you please let me know the process for generating the keystore and truststore required for SSL communication between the IBM MQ server and client?
What is the user ID in the keystore and truststore? Is it the alias name?
There is a tutorial that will guide you through the process of creating a JMS keystore: https://developer.ibm.com/tutorials/mq-secure-msgs-tls/
But it doesn't need to be JKS. You could use a .p12 truststore, and there is a guide that shows how: https://github.com/ibm-messaging/mq-dev-samples/blob/master/README.md
Both use keytool.
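The tutorials linked above drive keytool. As an added example (not from those tutorials or from the original post), here is the same result produced with the java.security.KeyStore API, which makes the difference between the two files explicit: the truststore holds only the queue manager's certificate chain as trusted-certificate entries, while the keystore holds the client's private key together with its signed chain as a single key entry. It assumes the third party has given you the queue manager's CA chain as PEM (qmgr-ca-chain.pem), that you already hold an RSA client key as PKCS#8 DER (client-key.der) and the chain the CA signed for it (client-chain.pem); all file names, the alias and the passwords are placeholders.

```java
import java.io.FileInputStream;
import java.io.FileOutputStream;
import java.io.InputStream;
import java.io.OutputStream;
import java.nio.file.Files;
import java.nio.file.Paths;
import java.security.KeyFactory;
import java.security.KeyStore;
import java.security.PrivateKey;
import java.security.cert.Certificate;
import java.security.cert.CertificateFactory;
import java.security.spec.PKCS8EncodedKeySpec;
import java.util.Collection;
import java.util.Collections;

public class MqStores {

    // Read one or more concatenated PEM certificates (-----BEGIN CERTIFICATE----- blocks).
    static Certificate[] readPemChain(String path) throws Exception {
        CertificateFactory cf = CertificateFactory.getInstance("X.509");
        try (InputStream in = new FileInputStream(path)) {
            Collection<? extends Certificate> certs = cf.generateCertificates(in);
            return certs.toArray(new Certificate[0]);
        }
    }

    // Truststore: trusted-certificate entries only, no private key. keytool equivalent:
    //   keytool -importcert -trustcacerts -alias qmgr-ca-0 -file qmgr-ca-chain.pem -keystore mq-truststore.p12 -storetype PKCS12
    static KeyStore buildTruststore(String caChainPem, String storeType) throws Exception {
        KeyStore ts = KeyStore.getInstance(storeType); // "JKS" or "PKCS12"
        ts.load(null, null);                            // start from an empty store
        Certificate[] chain = readPemChain(caChainPem);
        for (int i = 0; i < chain.length; i++) {
            ts.setCertificateEntry("qmgr-ca-" + i, chain[i]);
        }
        return ts;
    }

    // Keystore: one key entry = private key + the chain the CA signed for it (leaf first).
    // keytool equivalent: -genkeypair, then -certreq, then -importcert of the CA reply under the same alias.
    static KeyStore buildKeystore(String keyDer, String chainPem, String alias,
                                  char[] keyPassword, String storeType) throws Exception {
        byte[] pkcs8 = Files.readAllBytes(Paths.get(keyDer));
        PrivateKey key = KeyFactory.getInstance("RSA").generatePrivate(new PKCS8EncodedKeySpec(pkcs8)); // assumes an RSA key
        Certificate[] chain = readPemChain(chainPem);
        KeyStore ks = KeyStore.getInstance(storeType);
        ks.load(null, null);
        ks.setKeyEntry(alias, key, keyPassword, chain);
        return ks;
    }

    static void save(KeyStore store, String path, char[] storePassword) throws Exception {
        try (OutputStream out = new FileOutputStream(path)) {
            store.store(out, storePassword);
        }
    }

    // The check to run before pointing the MQ client at the files: which entry is which.
    static void describe(String name, KeyStore store) throws Exception {
        for (String alias : Collections.list(store.aliases())) {
            String kind = store.isKeyEntry(alias) ? "key entry (private key + chain)" : "trusted certificate";
            System.out.println(name + ": alias '" + alias + "' -> " + kind);
        }
    }

    public static void main(String[] args) throws Exception {
        char[] pw = "changeit".toCharArray();

        KeyStore ts = buildTruststore("qmgr-ca-chain.pem", "PKCS12");
        save(ts, "mq-truststore.p12", pw);
        describe("truststore", ts);

        // The alias is only the label of the entry inside the file.
        KeyStore ks = buildKeystore("client-key.der", "client-chain.pem", "mqclient", pw, "JKS");
        save(ks, "mq-keystore.jks", pw);
        describe("keystore", ks);

        // One way to hand both files to the MQ Java classes, which use JSSE: the standard
        // javax.net.ssl system properties, set before the connection factory is created.
        System.setProperty("javax.net.ssl.trustStore", "mq-truststore.p12");
        System.setProperty("javax.net.ssl.trustStoreType", "PKCS12");
        System.setProperty("javax.net.ssl.trustStorePassword", new String(pw));
        System.setProperty("javax.net.ssl.keyStore", "mq-keystore.jks");
        System.setProperty("javax.net.ssl.keyStorePassword", new String(pw));
    }
}
```

Keeping the two stores separate is deliberate: the truststore can be copied to every client, while the keystore contains a private key and should be readable only by the process that owns it.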
I am running an old version of Jetty that allows SSL/TLS v1.0 and v1.1. I want to disable anything other than TLS 1.2, as there are security vulnerabilities in the other implementations.
Currently clients connect to the Jetty server using SSL, without any JKS file for Java clients or any certs or PKCS12 equivalent for C#/.NET clients.
My understanding of JKS is that the client and server need it, which isn't a vulnerability in itself, as the alias and servers should not be available in the JKS file.
So my question is: when I enforce the stricter security protocol TLS 1.2, do I need to provide the clients with a JKS/PKCS12 or whatever the Windows equivalent is, if I don't change the code to allow trustAll etc.?
Client (a request running within a Jetty 9.4 server) and request code:
System.setProperty("javax.net.ssl.trustStore", "filename");
System.setProperty("javax.net.ssl.trustStorePassword", "xyx");
ServletContextHandler context =
    new ServletContextHandler(ServletContextHandler.SESSIONS);
...
server.setPort(8080);
server.start();
// Then the call is made via Apache HttpClient
CloseableHttpClient httpClient = HttpClients.createMinimal();
HttpGet httpGet = new HttpGet("https://server:8080/getLogisticsData");
...
httpClient.execute(httpGet, response -> {
    // format response
    return null; // ResponseHandler must return a value
});
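The server-side change the question is about, as an added example that is not from the post: a Jetty 9.4 HTTPS connector (9.4.12 or later, for SslContextFactory.Server) that accepts TLSv1.2 only. Keystore path, password and port are placeholders. Restricting the protocol version changes nothing about what a client has to hold: a client that already trusts the server certificate through its current truststore keeps working as long as its JSSE or .NET runtime can negotiate TLS 1.2; only the commented-out setNeedClientAuth line would make clients need a keystore of their own.

```java
import org.eclipse.jetty.http.HttpVersion;
import org.eclipse.jetty.server.HttpConfiguration;
import org.eclipse.jetty.server.HttpConnectionFactory;
import org.eclipse.jetty.server.SecureRequestCustomizer;
import org.eclipse.jetty.server.Server;
import org.eclipse.jetty.server.ServerConnector;
import org.eclipse.jetty.server.SslConnectionFactory;
import org.eclipse.jetty.servlet.ServletContextHandler;
import org.eclipse.jetty.util.ssl.SslContextFactory;

public class Tls12OnlyServer {

    static SslContextFactory.Server tls12Only(String keystorePath, String keystorePassword) {
        SslContextFactory.Server ssl = new SslContextFactory.Server();
        ssl.setKeyStorePath(keystorePath);          // server private key + certificate chain (server side only)
        ssl.setKeyStorePassword(keystorePassword);
        // Allow-list a single protocol. The exclude list is kept explicit as well so a
        // later config change cannot quietly bring 1.0/1.1 back.
        ssl.setIncludeProtocols("TLSv1.2");
        ssl.setExcludeProtocols("SSL", "SSLv2", "SSLv2Hello", "SSLv3", "TLSv1", "TLSv1.1");
        // Include/exclude patterns are regexes: keep forward-secret ECDHE AES-GCM suites only.
        ssl.setIncludeCipherSuites("TLS_ECDHE_.*_WITH_AES_.*_GCM_SHA.*");
        ssl.setExcludeCipherSuites(".*NULL.*", ".*RC4.*", ".*MD5.*", ".*DES.*", ".*anon.*");
        ssl.setRenegotiationAllowed(false);
        // ssl.setNeedClientAuth(true); // only this would require clients to present a certificate
        return ssl;
    }

    public static void main(String[] args) throws Exception {
        Server server = new Server();

        HttpConfiguration httpsConfig = new HttpConfiguration();
        httpsConfig.setSecureScheme("https");
        httpsConfig.setSecurePort(8443);
        httpsConfig.addCustomizer(new SecureRequestCustomizer());

        ServerConnector https = new ServerConnector(server,
                new SslConnectionFactory(tls12Only("server-keystore.jks", "changeit"), HttpVersion.HTTP_1_1.asString()),
                new HttpConnectionFactory(httpsConfig));
        https.setPort(8443);
        server.addConnector(https);   // no plain-HTTP connector, so there is nothing to fall back to

        ServletContextHandler context = new ServletContextHandler(ServletContextHandler.SESSIONS);
        context.setContextPath("/");
        server.setHandler(context);

        server.start();
        // Check from a shell (assumed tooling): "openssl s_client -connect localhost:8443 -tls1_1"
        // must fail the handshake while "-tls1_2" succeeds.
        server.join();
    }
}
```

A client that only sets javax.net.ssl.trustStore, as in the question, still needs no key material for this server; what it does need is a runtime that speaks TLS 1.2 (Java 7 has it available but disabled by default on the client side, Java 8 enables it).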
We have a WebSphere application that must connect to a web service over HTTPS. WebSphere Application Server is version 8.5.5.
We have the WSDL of the service, so we were able to create the client using the JAX-WS wizard in Eclipse 4.5.
The SSL connection requires both accepting the server certificate and authentication with a client certificate (private key).
The restriction we have is that the SSL configuration must be at the application level, and not at the server level. At first we were able to configure the server with the respective certificates in the default truststore and keystore, but that configuration was not accepted.
So we created an SSL configuration with a keystore that includes both the signer certificates of the web service's server and the personal certificate (with the private key) of the client. The type is JKS.
We suppose that we have to create in some way a "Web services Client security bindings" entry under Applications > Application Types > WebSphere enterprise applications > application_name > Manage Modules > module_name > Web services: Client security bindings, but that list is empty:
Currently, when we try to test the service client, we get the exception:
exception: javax.xml.ws.soap.SOAPFaultException:
javax.net.ssl.SSLHandshakeException: General SSLEngine problem
You need to import the SSL certificate into the WebSphere truststore. You can do it from here:
Security > SSL certificate and key management > Key stores and certificates > CellDefaultTrustStore > Signer certificates > Retrieve from port
or
You can directly upload the certificate from:
SSL certificate and key management > Key stores and certificates > CellDefaultTrustStore > Signer certificates > Add signer certificate
Hope this solves your issue.
I'm trying to set up a WCF service with SSL on Azure.
Can someone please explain a bit about the differences between using certificates in these cases?
Certificate for https-binding in IIS
ServiceCertificate in Web.Config
ClientCertificate in Web.Config
Certificate in ServiceDefinition.csdef
Certificate in ServiceConfiguration.Local.cscfg
Certificate in ServiceConfiguration.Cloud.cscfg
Is there more I should know about?
I want to publish several service endpoints within the same role, some with SSL and some without. Do I need binding certificates at all, or is it service certificates I should use?
Start by reading WCF Transport Security with Certificate Authentication and Configuring SSL for an application in Windows Azure.
Certificate for https-binding in IIS - exactly what it says: the cert is used by IIS to create a secure binding on a site/service, typically on port 443.
ServiceCertificate in Web.Config - WCF service-side binding cert used for WCF Transport Security with Certificate Authentication: a private-key cert used to authenticate a client request signed with the corresponding public key.
ClientCertificate in Web.Config - WCF client-side binding cert used for WCF Transport Security with Certificate Authentication: a public-key cert used to sign a request for authentication to a service using Transport Security with the corresponding private key.
Certificate in ServiceDefinition.csdef - the default certificate used to create a secure endpoint in Azure worker and web roles. NOTE: this is the certificate Azure installs in IIS to bind to the service endpoint (see #1).
Certificate in ServiceConfiguration.Local.cscfg - same as #4, just used in a "Local" build/deployment configuration.
Certificate in ServiceConfiguration.Cloud.cscfg - same as #4, just used in a "Cloud" build/deployment configuration.
I am using JBoss as the server and my Java program as the client. I have modified the server.xml file in JBoss to send the certificate from the server to the client; this happens automatically when the requesting client has the same domain as the domain in the server keystore.
But I want the JBoss server to validate the client certificate as well. How can I send the client certificate to JBoss and receive it in JBoss?
You are trying to achieve two-way SSL, so look up "jboss two way ssl".
The steps would be similar to setting up SSL on the server; the only difference would be that you would need to import the client cert into the server truststore (assuming the client cert is self-signed).
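Both halves of the question (sending the certificate from the Java client, receiving it in JBoss), as an added example that is not from the post or the answer: the client loads its own keystore (private key plus certificate) into a KeyManager and the server's certificate into a TrustManager, and the JSSE presents the client certificate when the JBoss connector, configured with clientAuth="true" in server.xml, requests it during the handshake. On the server side the container validates the chain against the truststore the answer describes and then exposes it to servlets through the standard javax.servlet.request.X509Certificate request attribute. Keystore paths, aliases, passwords, the URL and the servlet path are placeholders.

```java
import java.io.FileInputStream;
import java.io.IOException;
import java.io.InputStream;
import java.net.URL;
import java.security.KeyStore;
import java.security.cert.X509Certificate;
import javax.net.ssl.HttpsURLConnection;
import javax.net.ssl.KeyManagerFactory;
import javax.net.ssl.SSLContext;
import javax.net.ssl.TrustManagerFactory;
import javax.servlet.ServletException;
import javax.servlet.http.HttpServlet;
import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpServletResponse;

public class TwoWaySslClient {

    static KeyStore loadJks(String path, char[] password) throws Exception {
        KeyStore ks = KeyStore.getInstance("JKS");
        try (InputStream in = new FileInputStream(path)) {
            ks.load(in, password);
        }
        return ks;
    }

    // Client side of two-way SSL: the KeyManager supplies our certificate and private key
    // when the server asks for them; the TrustManager checks the server's certificate.
    static SSLContext mutualTlsContext(String keystorePath, char[] keystorePassword, char[] keyPassword,
                                       String truststorePath, char[] truststorePassword) throws Exception {
        KeyManagerFactory kmf = KeyManagerFactory.getInstance(KeyManagerFactory.getDefaultAlgorithm());
        kmf.init(loadJks(keystorePath, keystorePassword), keyPassword);

        TrustManagerFactory tmf = TrustManagerFactory.getInstance(TrustManagerFactory.getDefaultAlgorithm());
        tmf.init(loadJks(truststorePath, truststorePassword));

        SSLContext ctx = SSLContext.getInstance("TLSv1.2");
        ctx.init(kmf.getKeyManagers(), tmf.getTrustManagers(), null);
        return ctx;
    }

    public static void main(String[] args) throws Exception {
        // Assumed keytool preparation (placeholder names), matching the answer's self-signed client cert:
        //   keytool -genkeypair -alias client -keyalg RSA -keysize 2048 -keystore client-keystore.jks
        //   keytool -exportcert -alias client -keystore client-keystore.jks -file client.cer
        //   keytool -importcert -alias client -file client.cer -keystore server-truststore.jks   (JBoss side)
        //   keytool -exportcert -alias server -keystore server-keystore.jks -file server.cer
        //   keytool -importcert -alias server -file server.cer -keystore client-truststore.jks   (client side)
        SSLContext ctx = mutualTlsContext("client-keystore.jks", "changeit".toCharArray(), "changeit".toCharArray(),
                                          "client-truststore.jks", "changeit".toCharArray());
        HttpsURLConnection conn = (HttpsURLConnection)
                new URL("https://jboss.example.com:8443/app/whoami").openConnection();
        conn.setSSLSocketFactory(ctx.getSocketFactory());
        System.out.println("HTTP " + conn.getResponseCode());
    }
}

// Server side, inside the application deployed on JBoss. With clientAuth="true" on the
// connector the container has already verified the chain against server-truststore.jks
// before the request reaches the servlet; the attribute below is how the app reads it.
class WhoAmIServlet extends HttpServlet {
    @Override
    protected void doGet(HttpServletRequest req, HttpServletResponse resp) throws ServletException, IOException {
        X509Certificate[] chain = (X509Certificate[]) req.getAttribute("javax.servlet.request.X509Certificate");
        if (chain == null || chain.length == 0) {
            resp.sendError(HttpServletResponse.SC_UNAUTHORIZED, "no client certificate presented");
            return;
        }
        // chain[0] is the client's own certificate; use its subject (or a SAN) as the identity.
        resp.setContentType("text/plain");
        resp.getWriter().println("client DN: " + chain[0].getSubjectX500Principal().getName());
    }
}
```

Importing each self-signed client certificate into the server truststore works for a handful of clients; with many clients it is easier to issue them from an internal CA and import only that CA, which is also why the truststore should hold signer certificates rather than leaf certificates where possible.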