We Keep Coding

SSL config for outbound connections doesn't work in websphere-liberty 17.0.0.2

I'm trying to configure websphere-liberty server to use default keystore and trustore for all outbound connections (actually REST calls) and for inbound use a custom key and trust stores. But it fails with SSLHandshakeException when try to make a call to external REST service. In logs I can see that it uses my custom truststore instead of default one.
Below is my server.xml
<?xml version="1.0" encoding="UTF-8"?>
<server description="Default server">
<featureManager>
<feature>appSecurity-2.0</feature>
<feature>transportSecurity-1.0</feature>
<feature>jaxrs-2.0</feature>
<feature>json-1.0</feature>
<feature>javaMail-1.5</feature>
<!--<feature>ssl-1.0</feature>-->
</featureManager>
<sslDefault sslRef="saasSSLConfig" outboundSSLRef="outboundSSLConfig" />
<ssl id="saasSSLConfig" keyStoreRef="saasKeyStore" trustStoreRef="saasTrustStore" clientAuthentication="true" sslProtocol="TLSv1" />
<keyStore id="saasKeyStore" location="/opt/ibm/wlp/output/defaultServer/resources/security/sbs_endpoint_keystore.jks" password="pwd" />
<keyStore id="saasTrustStore" location="/opt/ibm/wlp/output/defaultServer/resources/security/serverTruststore.jks" password="pwd" />
<ssl id="outboundSSLConfig" keyStoreRef="defaultKeyStore" trustStoreRef="defaultTrustStore" />
<basicRegistry id="basic" realm="BasicRealm">
<!-- <user name="yourUserName" password="" /> -->
</basicRegistry>
<httpEndpoint id="defaultHttpEndpoint" host="*" httpPort="9080" httpsPort="9443" />
<applicationManager autoExpand="true"/>
</server>
BTW if change saasSSLConfig to use defaultTrustStore instead of saasTrustStore then everything works fine.
Server version:
WebSphere Application Server 17.0.0.2 (1.0.17.cl170220170523-1818) on IBM J9 VM, version pxa6480sr4fp7-20170627_02 (SR4 FP7) (en_US)
Error:
[ERROR] CWPKI0022E: SSL HANDSHAKE FAILURE: A signer with SubjectDN CN=*.api.ibm.com, O=International Business Machines, L=Armonk, ST=New York, C=US was sent from the target host. The signer might need to be added to local trust store /opt/ibm/wlp/output/defaultServer/resources/security/serverTruststore.jks, located in SSL configuration alias saasSSLConfig. The extended error message from the SSL handshake exception is: PKIX path building failed: java.security.cert.CertPathBuilderException: PKIXCertPathBuilderImpl could not build a valid CertPath.;
SSLHandshakeException invoking https://dev.api.ibm.com/scx/test/sbs/customer/222222222: java.security.cert.CertificateException: PKIXCertPathBuilderImpl could not build a valid CertPath.

Liberty does not load cacerts automatically. You can create a keyStore element to point to it if desired. So in your case above you can create a configuration like this.
<ssl id="outboundSSLConfig" keyStoreRef="cacertKeyStore" />
<keyStore id="cacertKeyStore" location=<fill in path to your jdk cacerts file> password="changeit" />
I am assuming you do not need a key for this configuration so I simplified to just a keyStoreRef on outboundSSLConfig. It will use what is pointed to by keyStoreRef for both key and trust.

In your configuration I do not see keyStore elements for defaultKeyStore and defaultTrustStore. If they are missing that will cause outboundSSLConfig to be an invalid SSL configuration. Can you please add them and see if things work.

How to set the pre-emptive auth value in header value in adapter implementation file in mobile first 7.1?

I am using authentication header in the IBM integration bus, so to call the IIB service from mobile first adapter, I am using the following values in adapter.xml file. IIB service is expecting pre-emptive value, so how to set that value in adapter.xml
<connectionPolicy xsi:type="http:HTTPConnectionPolicyType">
<protocol>https</protocol>
<domain></domain>
<port>443</port>
<connectionTimeoutInMilliseconds>30000</connectionTimeoutInMilliseconds>
<socketTimeoutInMilliseconds>30000</socketTimeoutInMilliseconds>
<authentication>
<basic/>
<serverIdentity>
<username></username>
<password></password>
</serverIdentity>
</authentication>
<maxConcurrentConnectionsPerNode>50</maxConcurrentConnectionsPerNode>
<!-- Following properties used by adapter's key manager for choosing specific certificate from key store
<sslCertificateAlias></sslCertificateAlias>
<sslCertificatePassword></sslCertificatePassword>
-->
</connectionPolicy>

IBM MobileFirst adapter call ssl error

I am trying to get json data from an application via an http adapter of IBM mobilefirst.
The app is accessible with https and i get this ssl error:
"Runtime: Http request failed: javax.net.ssl.SSLHandshakeException:
java.security.cert.CertificateExpiredException: NotAfter: Sat Jul 26
21:15:15 EEST 2014"
This is the xml of the adapter:
<wl:adapter name="test2"
xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
xmlns:wl="http://www.ibm.com/mfp/integration"
xmlns:http="http://www.ibm.com/mfp/integration/http">
<displayName>test2</displayName>
<description>test2</description>
<connectivity>
<connectionPolicy xsi:type="http:HTTPConnectionPolicyType">
<protocol>https</protocol>
<domain>www.mydomain-company.gr</domain>
<port>443</port>
<connectionTimeoutInMilliseconds>30000</connectionTimeoutInMilliseconds>
<socketTimeoutInMilliseconds>30000</socketTimeoutInMilliseconds>
<maxConcurrentConnectionsPerNode>50</maxConcurrentConnectionsPerNode>
<!-- Following properties used by adapter's key manager for choosing specific certificate from key store
<sslCertificateAlias></sslCertificateAlias>
<sslCertificatePassword></sslCertificatePassword>
-->
</connectionPolicy>
</connectivity>
<procedure name="getDDD"/>
</wl:adapter>
and here is the js:
function getDDD() {
var identity = Base64.encode("myuser:mypass"); //i have a base64 function above that i have not pasted here. It works it is tested in other apps.
var path = "/part1/part2/ddd.nsf/rest.xsp/ddd";
var input = {
method : 'get',
returnedContentType : 'json',
path : path,
headers: {Authorization: "Basic "+identity}
};
return WL.Server.invokeHttp(input);
}
If i call the same url from my browser i get the data and checking the https info i see that the certificate expires in 2016.
I have also checked using java keytool the expiration date of the certificate in the jks file of mobile first server in the path:
C:\path1\path2\\MobileFirstServerConfig\servers\worklight\resources\security\key.jks
and it is not expired.
Is it a problem of mobile first server or the target server's certificate?
My steps so far in order to configure ssl:
1) went to /MobileFirstServerConfig\servers\worklight\resources\security
and created a new key.jks with a new certificate using java keytool. I named the cerificate default just as it was the name in the old key.jks file.
2)exported the certificate from this jks
3)imported the certificate into default.keystore file in the project under server/conf folder
4) worklight.properties file:
MobileFirst SSL keystore
#
SSL certificate keystore location. ssl.keystore.path=conf/default.keystore
SSL certificate keystore type (jks or PKCS12) ssl.keystore.type=jks
SSL certificate keystore password. ssl.keystore.password=worklight
5) server.xml file:
<keyStore id="defaultKeyStore" password="worklight"/>
i ve also tried to put "default" as id.

You did not configure SSL between the adapter and the backend.
The keystore that you should be looking at is defined in the worklight.properties file of the project (by default located like this: workspace\CustomLoginModule\server\conf).
Make sure to follow the instructions provided here: https://www-01.ibm.com/support/knowledgecenter/SSZH4A_6.2.0/com.ibm.worklight.installconfig.doc/admin/t_configuring_SSL_WL_adapters_backend_servers_certificates.html

How configure SSL in Jboss Wildfly 8.1

I have configured SSL in JBoss Wildfly 8.1. I have generated a keystore files and updated the standaolne.xml file as below
<security-realm name="security-realm">
<server-identities>
<ssl>
<keystore path="security/keystore.jks" relative-to="jboss.server.config.dir" keystore-password="changeit" key-password=" changeit"/>
</ssl>
</server-identities>
</security-realm>
The keystore-password and key-password is in cleartext. Simply we cannot show it in clear text. I want to encrypt the password. I tried a lot but could not credible help in this regard. So any body can help me in how to encrypt this password and how to use that in sandalone.xml file.

You can masking passwords for WildFly using the VaultTool.
VaultTool used in WildFly Application Server is used for
creating/using storage for secured attributes (e.g. passwords) which
can be later on used in WildFly configuration files in masked form.
Thus users can use references to their secured attributes instead of
putting them in clear text form to configuration files.
First you need create a Java Keystore to Store Sensitive Strings.
$ keytool -genseckey -alias vault -storetype jceks -keyalg AES -keysize 128 -storepass vault22 -keypass vault22 -validity 730 -keystore WILDFLY_HOME/vault/vault.keystore
Then initialize the Password Vault and store password for ssl keystore:
wildfly-8.1.0.Final/bin$ sh vault.sh
=========================================================================
JBoss Vault Tool
JBOSS_HOME: "wildfly-8.1.0.Final"
JAVA: ""
JAVA_OPTS: ""
=========================================================================
**********************************
**** JBoss Vault ***************
**********************************
Please enter a Digit:: 0: Start Interactive Session 1: Remove Interactive Session 2: Exit
0
Starting an interactive session
Enter directory to store encrypted files:/home/fsierra/vault/
Enter Keystore URL:home/fsierra/vault/vault.keystore
Enter Keystore password:
Enter Keystore password again:
Values match
Enter 8 character salt:12345678
Enter iteration count as a number (e.g.: 44):17
Enter Keystore Alias:Vault
Initializing Vault
ene 13, 2015 12:42:48 PM org.picketbox.plugins.vault.PicketBoxSecurityVault init
INFO: PBOX000361: Default Security Vault Implementation Initialized and Ready
Vault Configuration in WildFly configuration file:
********************************************
...
</extensions>
<vault>
<vault-option name="KEYSTORE_URL" value="/home/fsierra/vault/vault.keystore"/>
<vault-option name="KEYSTORE_PASSWORD" value="MASK-49SI2WfwF1X"/>
<vault-option name="KEYSTORE_ALIAS" value="Vault"/>
<vault-option name="SALT" value="12345678"/>
<vault-option name="ITERATION_COUNT" value="17"/>
<vault-option name="ENC_FILE_DIR" value="/home/fsierra/vault/"/>
</vault><management> ...
********************************************
Vault is initialized and ready for use
Handshake with Vault complete
Please enter a Digit:: 0: Store a secured attribute 1: Check whether a secured attribute exists 2: Exit
0
Task: Store a secured attribute
Please enter secured attribute value (such as password):
Please enter secured attribute value (such as password) again:
Values match
Enter Vault Block:keystore
Enter Attribute Name:password
Secured attribute value has been stored in Vault.
Please make note of the following:
********************************************
Vault Block:keystore
Attribute Name:password
Configuration should be done as follows:
VAULT::keystore::password::1
********************************************
Please enter a Digit:: 0: Store a secured attribute 1: Check whether a secured attribute exists 2: Exit
Finally keystore password has been masked for use in configuration files and deployments.
Eg (standalone.xml):
<extensions>
...
</extensions>
<vault>
<vault-option name="KEYSTORE_URL" value="/home/fsierra/vault/vault.keystore"/>
<vault-option name="KEYSTORE_PASSWORD" value="MASK-49SI2WfwF1X"/>
<vault-option name="KEYSTORE_ALIAS" value="Vault"/>
<vault-option name="SALT" value="12345678"/>
<vault-option name="ITERATION_COUNT" value="17"/>
<vault-option name="ENC_FILE_DIR" value="/home/fsierra/vault/"/>
</vault>
<management>
<security-realms>
...
<security-realm name="SslRealm">
<server-identities>
<ssl>
<keystore path="ssl.jks" relative-to="jboss.server.config.dir" keystore-password="${VAULT::keystore::password::1}"/>
</ssl>
</server-identities>
</security-realm>
</security-realms>
</management>
References:
Masking passwords for WildFly using non-interactive VaultTool
Mask the Keystore Password and Initialize the Password Vault
JBoss AS7 Securing Passwords
AS7: Utilising masked passwords via the vault

Worklight SAP Netweaver GateWay Adapter - Client ID

Currently we are using the Worklight SAP Netweaver GateWay Adapter to connect to our development environment of SAP. Our customer has configured two client environments 101 and 211. The default is 101.
When creating a connection based on the following adapter configuration...
<?xml version="1.0" encoding="UTF-8"?>
<wl:adapter xmlns:wl="http://www.worklight.com/integration" xmlns:nwgateway="http://www.worklight.com/integration/nwgateway" xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" name="SAPAdapter1">
<displayName>SAPAdapter1</displayName>
<description></description>
<connectivity>
<connectionPolicy xsi:type="nwgateway:NWGatewayHTTPConnectionPolicyType">
<protocol>http</protocol>
<domain>10.9.5.27</domain>
<port>8000</port>
<serviceRootUrl>/sap/opu/odata/sap/services_x_y_z/</serviceRootUrl>
<authentication>
<basic/>
<serverIdentity>
<client>211</client>
<username>xyz</username>
<password>123</password>
</serverIdentity>
</authentication>
</connectionPolicy>
<loadConstraints maxConcurrentConnectionsPerNode="10"/>
</connectivity>
<procedure name="getShipments"/>
</wl:adapter>
We assume to connect to client 211, but apparently we are connected to 101.
How is the client-id handled by the Worklight SAP NWG Adapter?

This has been identified as a defect in the product.
There is no available workaround.
To receive an iFix containing the fix for this defect, you need to open a PMR (support ticket).
Please mention this question as well as APAR #PI31148 in your query for reference.