I've been working on a client API using QuickFIX and I'm planning to use SSL and certificate based authentication. I generated self signed certificates for acceptor and initiator the following way:
1) Generate and export server/acceptor certificate:
keytool -genkeypair -keyalg RSA -keysize 2048 -alias server -keystore server.jks
keytool -export -alias server -file server.cer -keystore server.jks
2) Generate and export client/initiator certificate:
keytool -genkeypair -keyalg RSA -keysize 2048 -alias client -keystore client.jks
keytool -export -alias client -file client.cer -keystore client.jks
3) Import server/acceptor certificate to client keystore:
keytool -import -v -trustcacerts -alias server -file server.cer -keystore client.jks
4) Import client/initiator certificate to server/acceptor keystore:
keytool -import -v -trustcacerts -alias client -file client.cer -keystore server.jks
Acceptor config:
SocketUseSSL=Y
SocketKeyStore=server.jks
SocketKeyStorePassword=password
Initiator config:
SocketUseSSL=Y
SocketKeyStore=client.jks
SocketKeyStorePassword=password
Everything seems to work fine and data is getting encrypted. However, if I remove the initiator's client.jks keystore file, I will get a QuickFIX log entry saying "client.jks: keystore not found, using empty keystore". Strange thing, the initiator is still able to connect and establish a valid FIX session. I would expected the connection to be dropped immediately since no valid certificate is provided. Am I missing something?
The client certificate is not required by default, you must set this:
NeedClientAuth=Y
Related
I have installed ActiveMQ Artemis in Linux and configured broker.xml. I am using a certificate, but ActiveMQ Artemis uses keystore and truststore. How to create those and how to enable SSL for MQTT protocol?
Below shows configuration broker.xml
<acceptor name="mqtt">tcp://0.0.0.0:1883?tcpSendBufferSize=1048576;tcpReceiveBufferSize=1048576;protocols=MQTT;useEpoll=true
sslEnabled=true;
keyStorePath=home/certs/server-ks/server1.p12;keyStorePassword=abc#1234;
trustStorePath=home/certs/server-ks/server1.p12;
trustStorePassword=abc#1234;needClientAuth=true
</acceptor>
I have converted a certificate (.pem) to keystore and truststore
keytool -import -alias rootCA -trustcacerts -file certs/ca.pem -keystore certs/activeMQ-truststore.jks
openssl pkcs12 -inkey certs/server-cert/server1.pem -in certs/server-cert/server1.pem -name server1 -export -out certs/server-ks/server1.p12
keytool -importkeystore -deststorepass abc#1234 -destkeystore certs/server-ks/server-keystore1.jks -srckeystore certs/server-ks/server1.p12 -srcstoretype PKCS12
As above same I have created/converted for client keystore.
I need to connect broker using MQTT.FX client with self signed client keystore.
How to achieve this I am getting confused. Please help me if any one have idea.
In a self-signed configuration typically you'll create a certificate for both the broker and the client, export each, and then import the broker's cert into the client's truststore and import the client's cert into the broker's truststore. You can do all this using Java's keytool command.
Take a look at the example that ships with ActiveMQ Artemis in the examples/features/standard/ssl-enabled-dual-authentication directory. It demonstrates how to do this, e.g.:
keytool -genkey -keystore server-side-keystore.jks -storepass secureexample -keypass secureexample -dname "CN=ActiveMQ Artemis Server, OU=Artemis, O=ActiveMQ, L=AMQ, S=AMQ, C=AMQ" -keyalg RSA
keytool -export -keystore server-side-keystore.jks -file server-side-cert.cer -storepass secureexample
keytool -import -keystore client-side-truststore.jks -file server-side-cert.cer -storepass secureexample -keypass secureexample -noprompt
keytool -genkey -keystore client-side-keystore.jks -storepass secureexample -keypass secureexample -dname "CN=ActiveMQ Artemis Client, OU=Artemis, O=ActiveMQ, L=AMQ, S=AMQ, C=AMQ" -keyalg RSA
keytool -export -keystore client-side-keystore.jks -file client-side-cert.cer -storepass secureexample
keytool -import -keystore server-side-truststore.jks -file client-side-cert.cer -storepass secureexample -keypass secureexample -noprompt
Your acceptor will need both sslEnabled=true and needClientAuth=true.
I am trying to use openwire+ssl in my ActiveMq. I am using the docker images provided by rmohr/activemq.
What I ran the following commands to generated necessary files since the broker_localhost.cert has expired.
keytool -genkey -alias broker -keyalg RSA -keystore broker.ks
keytool -export -alias broker -keystore broker.ks -file broker_cert
keytool -genkey -alias client -keyalg RSA -keystore client.ks
keytool -import -alias broker -keystore client.ts -file broker_cert
keytool -export -alias client -keystore client.ks -file client_cert
keytool -import -alias client -keystore broker.ts -file client_cert
Then in the activemq.xml I added:
<sslContext keyStore="file:${activemq.base}/certs/ActiveMq/broker.ks"
keyStorePassword="password" trustStore="file:${activemq.base}/certs/ActiveMq/broker.ts"
trustStorePassword="password"/>
as well as:
<transportConnector name="openwire+ssl" uri="ssl://0.0.0.0:61617?transport.enabledProtocols=TLSv1"/>
When I run docker compose to create the ActiveMQ instance I added an environment variable as:
environment:
- ACTIVEMQ_SSL_OPTS="-Djavax.net.ssl.keyStore=/opt/activemq/certs/ActiveMq/broker.ks -Djavax.net.ssl.keyStorePassword=password -Djavax.net.ssl.trustStore=/opt/activemq/certs/ActiveMq/broker.ts -Djavax.net.ssl.trustStorePassword=password -Djavax.net.debug=ssl,handshake"
After that I import the broker_cert generated in the previous steps in Windows Manage user certificates as Trusted Root Certification Authorities.
Then I build my Asp.Net Core project to access the ActiveMQ broker
var uri = new Uri(#"ssl://localhost:61617?trace=true&needClientAuth=true&transport.serverName='MoveQ Broker'");
ITransportFactory sslTransportFactory = new SslTransportFactory();
((SslTransportFactory)sslTransportFactory).SslProtocol = "Tls";
ITransport transport = sslTransportFactory.CreateTransport(uri);
_connection = new Connection(uri, transport, new IdGenerator());
((Connection)_connection).UserName = "username";
((Connection)_connection).Password = "password";
_session = _connection.CreateSession(AcknowledgementMode.AutoAcknowledge);
However I keep getting
activemq | WARN | Transport Connection to: tcp://172.17.0.1:35356 failed: javax.net.ssl.SSLHandshakeException: Received fatal alert: bad_certificate
Can anyone help to see what step(s) I may miss?
If you just need 1-way SSL and you're using self-signed certificates then you don't need a truststore on the broker or a keystore on the client. You just need a keystore on the broker and a truststore on the client. Generate these resources like so:
keytool -genkey -keystore broker-keystore.ks
keytool -export -keystore broker-keystore.ks -file broker.cer
keytool -import -keystore client-truststore.ks -file broker.cer
Then use broker-keystore.ks on the broker and client-truststore.ks on the client.
I am trying to setup TLS for kafka broker. I have followed the steps here and able to setup the Kafka with TLS. (In log, I see SSL entry for the configured port).
Now I am facing the issue with connecting the producer/consumer.
I created a client keystore using the below command,
keytool -keystore client.keystore.jks -alias localhost -validity 365 -keyalg RSA -genkey
Added the CA cert to the keystore,
keytool -keystore client.keystore.jks -alias CARoot -import -file ca-cert
Ran the below command in the client, where the ca-cert is the certificate used on the server.
keytool -keystore client.truststore.jks -alias CARoot -import -file ca-cert
keytool -keystore client.keystore.jks -alias localhost -validity 365 -keyalg RSA -genkey
keytool -keystore client.keystore.jks -alias CARoot -import -file ca-cert
Added the below config in the producer.properties,
security.protocol=SSL
ssl.truststore.location=path to client.truststore.jks
ssl.truststore.password=<password>
ssl.keystore.location=path to client.keystore.jks
ssl.keystore.password=<password>
ssl.key.password=<password>
Ran kafka-console-producer
kafka-console-producer.sh --broker-list 0.0.0.0:9092 --topic test --producer.config ../config/producer.properties
But I am getting the below error when running the util,
WARN Connection to node -1 terminated during authentication. This may
indicate that authentication failed due to invalid credentials.
(org.apache.kafka.clients.NetworkClient)
Suspecting that I am missing something in the client config. Any help would be greatly appreciated.
Are you trying with client side certificate ? Rather I would recommend, try without client certificate. In that case you only need below entries,
producer.properties file:-
security.protocol=SSL
ssl.truststore.location=/<path-to>/truststore.jks
ssl.truststore.type=JKS
Read more about it here - http://kafka.apache.org/documentation/#security_configclients
For client authentication kafka uses SASL, This part of the document covers it clearly - http://kafka.apache.org/documentation/#security_sasl
I am trying to establish a secure connection for my application using jetty http server version 8.1.8.v20121106 with self signed certificate.
I am generating self signed certificate with the following command,
keytool -genkey -alias mykey -keyalg RSA -keysize 2048 -sigalg SHA256withRSA -validity 365 -keypass password -keystore keystore.jks -storepass password
keytool -export -alias mykey -file server.cer -keystore keystore.jks -storepass password
keytool -import -alias mykey -file server.cer -keystore truststore.jks -storepass password
So, totally 3 files generate (keystore.jks,server.cer,truststore.jks)
After the server gets started, I got the following error in my browser. There are issues with the site's certificate chain (net::ERR_CERT_AUTHORITY_INVALID).
Could anyone help me to generate a trusted self signed certificate using keytool.
Thanks in advance.
It is the problem with java jdk. I have verified using java 1.8 and jdk1.7.0_79 it is working fyn for me. Change your java jdk version and verify. For further clarification, Please refer this link.
https://bugs.eclipse.org/bugs/show_bug.cgi?id=398644
I can't make my weblogic 11g to work on https. The problem is with identity keystore. How should I create identity keystore? I have private key, web server certificate and intermediate certificate in pem format. I import private key and certificates like this:
keytool -import -keystore myIdentity.jks -storepass mypass -storetype JKS -alias myPrivateKey -file mykey.pem -keypass mypass
keytool -import -keystore myIdentity.jks -storepass mypass -storetype JKS -alias mycert -trustcacerts -file certificate.pem -keypass mypass
I am dummy at this and don't know what is wrong
Generate the IdentityStore :
keytool -genkey -keystore myIdentityStore.jks -storepass welcome1 -alias dummy -dname CN="dummy,C=FR" -keypass welcome1
Import certificates in the TrustStore
keytool -import -v -noprompt -trustcacerts -alias myCertificateAliasName -file myCertificateLocation -keystore myTrustStore.jks -storepass welcome1
Configure your weblogic Server :
Environment -> Servers – AdminServer -> Keystores, then
Change Demo Identity and Demo Trust to Custom Identity and Custom Trust.
Also, change those values for Identity
Custom Identity Keystore : $OSB_HOME/vesiKeyStore/vesiIdentityStore.jks,
Custom Identity Keystore Type : JKS,
Confirm Custom Identity Keystore Passphrase :welcome1.
Do the same for Trust.
restart the server.
Found very useful:
This link
I generated keystore with IBM Keyman and solved my problems.