IBM MobileFirst adapter call ssl error - ssl

I am trying to get JSON data from an application via an HTTP adapter of IBM MobileFirst.
The app is accessible with HTTPS and I get this SSL error:
"Runtime: Http request failed: javax.net.ssl.SSLHandshakeException:
java.security.cert.CertificateExpiredException: NotAfter: Sat Jul 26
21:15:15 EEST 2014"
This is the xml of the adapter:
<wl:adapter name="test2"
xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
xmlns:wl="http://www.ibm.com/mfp/integration"
xmlns:http="http://www.ibm.com/mfp/integration/http">
<displayName>test2</displayName>
<description>test2</description>
<connectivity>
<connectionPolicy xsi:type="http:HTTPConnectionPolicyType">
<protocol>https</protocol>
<domain>www.mydomain-company.gr</domain>
<port>443</port>
<connectionTimeoutInMilliseconds>30000</connectionTimeoutInMilliseconds>
<socketTimeoutInMilliseconds>30000</socketTimeoutInMilliseconds>
<maxConcurrentConnectionsPerNode>50</maxConcurrentConnectionsPerNode>
<!-- Following properties used by adapter's key manager for choosing specific certificate from key store
<sslCertificateAlias></sslCertificateAlias>
<sslCertificatePassword></sslCertificatePassword>
-->
</connectionPolicy>
</connectivity>
<procedure name="getDDD"/>
</wl:adapter>
and here is the js:
function getDDD() {
var identity = Base64.encode("myuser:mypass"); // I have a Base64 function above that I have not pasted here. It works; it is tested in other apps.
var path = "/part1/part2/ddd.nsf/rest.xsp/ddd";
var input = {
method : 'get',
returnedContentType : 'json',
path : path,
headers: {Authorization: "Basic "+identity}
};
return WL.Server.invokeHttp(input);
}
If I call the same URL from my browser I get the data and, checking the HTTPS info, I see that the certificate expires in 2016.
I have also checked, using the Java keytool, the expiration date of the certificate in the JKS file of the MobileFirst server at the path:
C:\path1\path2\\MobileFirstServerConfig\servers\worklight\resources\security\key.jks
and it is not expired.
Is it a problem of mobile first server or the target server's certificate?
My steps so far in order to configure ssl:
1) went to /MobileFirstServerConfig\servers\worklight\resources\security
and created a new key.jks with a new certificate using the Java keytool. I named the certificate "default", just as it was named in the old key.jks file.
2) exported the certificate from this JKS
3) imported the certificate into the default.keystore file in the project under the server/conf folder
4) worklight.properties file:
# MobileFirst SSL keystore
#
# SSL certificate keystore location.
ssl.keystore.path=conf/default.keystore
# SSL certificate keystore type (jks or PKCS12)
ssl.keystore.type=jks
# SSL certificate keystore password.
ssl.keystore.password=worklight
5) server.xml file:
<keyStore id="defaultKeyStore" password="worklight"/>
I've also tried to put "default" as the id.

You did not configure SSL between the adapter and the backend.
The keystore that you should be looking at is defined in the worklight.properties file of the project (by default located like this: workspace\CustomLoginModule\server\conf).
Make sure to follow the instructions provided here: https://www-01.ibm.com/support/knowledgecenter/SSZH4A_6.2.0/com.ibm.worklight.installconfig.doc/admin/t_configuring_SSL_WL_adapters_backend_servers_certificates.html
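A way to make the answer's advice checkable, added here and not part of the question or answer: run `keytool -list -v` on the keystore named in worklight.properties and look for an entry whose validity ends exactly at the NotAfter date in the exception. If one exists, the stale certificate is local; if none does, the expired certificate came from the backend's chain. The error string and keytool listing below are constructed samples.

```python
import re
from datetime import datetime

# Constructed sample (not real data): the adapter's error text and a trimmed
# `keytool -list -v` listing of the project keystore named in worklight.properties.
SAMPLE_ERROR = ("Runtime: Http request failed: javax.net.ssl.SSLHandshakeException: "
                "java.security.cert.CertificateExpiredException: NotAfter: Sat Jul 26 21:15:15 EEST 2014")
SAMPLE_LISTING = """\
Alias name: default
Entry type: PrivateKeyEntry
Owner: CN=localhost, OU=Worklight, O=IBM, C=US
Valid from: Fri Jul 26 21:15:15 EEST 2013 until: Tue Jul 26 21:15:15 EEST 2016

Alias name: mydomain
Entry type: trustedCertEntry
Owner: CN=www.mydomain-company.gr, O=Example, C=GR
Valid from: Fri Jul 26 21:15:15 EEST 2013 until: Sat Jul 26 21:15:15 EEST 2014
"""

def parse_java_date(text):
    """Parse Java's Date.toString() form ('Sat Jul 26 21:15:15 EEST 2014'). strptime cannot take
    arbitrary zone names such as EEST, so the zone token is dropped (naive datetime, JVM's zone)."""
    parts = text.strip().split()
    if len(parts) != 6:
        raise ValueError("unexpected Java date: %r" % text)
    return datetime.strptime(" ".join(parts[:4] + parts[5:]), "%a %b %d %H:%M:%S %Y")

def not_after_from_error(message):
    """Extract the NotAfter date from a CertificateExpiredException message, or None."""
    m = re.search(r"NotAfter:\s*(\w{3} \w{3} \d{1,2} \d\d:\d\d:\d\d \S+ \d{4})", message)
    return parse_java_date(m.group(1)) if m else None

def parse_keytool_listing(text):
    """One record per alias: entry type, owner and 'until' of the first certificate in its chain."""
    entries, cur = [], None
    for line in (raw.strip() for raw in text.splitlines()):
        if line.startswith("Alias name:"):
            cur = {"alias": line.split(":", 1)[1].strip(), "type": None, "owner": None, "until": None}
            entries.append(cur)
        elif cur is None:
            continue
        elif line.startswith("Entry type:"):
            cur["type"] = line.split(":", 1)[1].strip()
        elif line.startswith("Owner:") and cur["owner"] is None:
            cur["owner"] = line.split(":", 1)[1].strip()
        elif line.startswith("Valid from:") and cur["until"] is None:
            cur["until"] = parse_java_date(line.split("until:", 1)[1])
    return entries

def diagnose(error_message, listing_text):
    """Local entry expiring exactly when the exception says: stale cert is here; else it is the backend's."""
    expired_at = not_after_from_error(error_message)
    stale = [e["alias"] for e in parse_keytool_listing(listing_text)
             if expired_at is not None and e["until"] == expired_at]
    return {"source": "local keystore" if stale else "backend chain", "aliases": stale}
```

Run it against each candidate store (the server's key.jks and the project's conf/default.keystore) and the one that reports "local keystore" holds the entry to replace.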

Related

wso2 apim 1.10.0 SSL communication

I am trying to call a WSO2 API through HTTPS port 8243. However, when I make a call, the client app (web app) gets a 502 Bad Gateway error (which is logged inside the WSO2 APIM server's carbon log file).
I see the exception below.
Please note that I have received a CA-signed cert inside a JKS from my networking team... I imported it through the management console into the keystore... I can view the company certs as well from the console:
TID: [-1] [] [2018-12-19 16:51:12,890] ERROR {org.apache.synapse.transport.passthru.SourceHandler} -
I/O error: Received fatal alert: unknown_ca {org.apache.synapse.transport.passthru.SourceHandler}
javax.net.ssl.SSLException: Received fatal alert: unknown_ca
If you are trying to update the certificate of API Manager, importing the certificate into the existing keystore will not work.
Please have a look at the documentation [1] on creating a keystore with a CA-signed certificate when you create the new keystore with the updated certificate.
The main keystore of WSO2 products is the wso2carbon.jks file, which holds the private certificate entry. When you update the certificate with a keystore you have to update all the configuration files listed in the documentation [2] to refer to the new keystore file, and you will also have to update the related properties (i.e. keystore password, key password, alias).
[1] https://docs.wso2.com/display/Carbon443/Creating+New+Keystores
[2] https://docs.wso2.com/display/Carbon443/Configuring+Keystores+in+WSO2+Products

SSL config for outbound connections doesn't work in websphere-liberty 17.0.0.2

I'm trying to configure the WebSphere Liberty server to use the default keystore and truststore for all outbound connections (actually REST calls) and, for inbound, to use custom key and trust stores. But it fails with an SSLHandshakeException when I try to make a call to an external REST service. In the logs I can see that it uses my custom truststore instead of the default one.
Below is my server.xml:
<?xml version="1.0" encoding="UTF-8"?>
<server description="Default server">
<featureManager>
<feature>appSecurity-2.0</feature>
<feature>transportSecurity-1.0</feature>
<feature>jaxrs-2.0</feature>
<feature>json-1.0</feature>
<feature>javaMail-1.5</feature>
<!--<feature>ssl-1.0</feature>-->
</featureManager>
<sslDefault sslRef="saasSSLConfig" outboundSSLRef="outboundSSLConfig" />
<ssl id="saasSSLConfig" keyStoreRef="saasKeyStore" trustStoreRef="saasTrustStore" clientAuthentication="true" sslProtocol="TLSv1" />
<keyStore id="saasKeyStore" location="/opt/ibm/wlp/output/defaultServer/resources/security/sbs_endpoint_keystore.jks" password="pwd" />
<keyStore id="saasTrustStore" location="/opt/ibm/wlp/output/defaultServer/resources/security/serverTruststore.jks" password="pwd" />
<ssl id="outboundSSLConfig" keyStoreRef="defaultKeyStore" trustStoreRef="defaultTrustStore" />
<basicRegistry id="basic" realm="BasicRealm">
<!-- <user name="yourUserName" password="" /> -->
</basicRegistry>
<httpEndpoint id="defaultHttpEndpoint" host="*" httpPort="9080" httpsPort="9443" />
<applicationManager autoExpand="true"/>
</server>
BTW, if I change saasSSLConfig to use defaultTrustStore instead of saasTrustStore then everything works fine.
Server version:
WebSphere Application Server 17.0.0.2 (1.0.17.cl170220170523-1818) on IBM J9 VM, version pxa6480sr4fp7-20170627_02 (SR4 FP7) (en_US)
Error:
[ERROR] CWPKI0022E: SSL HANDSHAKE FAILURE: A signer with SubjectDN CN=*.api.ibm.com, O=International Business Machines, L=Armonk, ST=New York, C=US was sent from the target host. The signer might need to be added to local trust store /opt/ibm/wlp/output/defaultServer/resources/security/serverTruststore.jks, located in SSL configuration alias saasSSLConfig. The extended error message from the SSL handshake exception is: PKIX path building failed: java.security.cert.CertPathBuilderException: PKIXCertPathBuilderImpl could not build a valid CertPath.;
SSLHandshakeException invoking https://dev.api.ibm.com/scx/test/sbs/customer/222222222: java.security.cert.CertificateException: PKIXCertPathBuilderImpl could not build a valid CertPath.
Liberty does not load cacerts automatically. You can create a keyStore element to point to it if desired. So in your case above you can create a configuration like this:
<ssl id="outboundSSLConfig" keyStoreRef="cacertKeyStore" />
<keyStore id="cacertKeyStore" location=<fill in path to your jdk cacerts file> password="changeit" />
I am assuming you do not need a key for this configuration, so I simplified it to just a keyStoreRef on outboundSSLConfig. It will use what is pointed to by keyStoreRef for both key and trust.
In your configuration I do not see keyStore elements for defaultKeyStore and defaultTrustStore. If they are missing, that will cause outboundSSLConfig to be an invalid SSL configuration. Can you please add them and see if things work?
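An added check (not from the question or answer) that finds dangling ids in a Liberty server.xml, which is the defect the answer points at: outboundSSLConfig refers to defaultKeyStore and defaultTrustStore, but no keyStore element defines them. The XML below is a constructed copy of the question's configuration plus a corrected variant; the paths and passwords added to the corrected variant are placeholders.

```python
import xml.etree.ElementTree as ET

# Constructed copy of the question's server.xml, trimmed to the SSL-related elements.
BROKEN_SERVER_XML = """\
<server description="Default server">
  <sslDefault sslRef="saasSSLConfig" outboundSSLRef="outboundSSLConfig" />
  <ssl id="saasSSLConfig" keyStoreRef="saasKeyStore" trustStoreRef="saasTrustStore"
       clientAuthentication="true" sslProtocol="TLSv1" />
  <keyStore id="saasKeyStore" location="resources/security/sbs_endpoint_keystore.jks" password="pwd" />
  <keyStore id="saasTrustStore" location="resources/security/serverTruststore.jks" password="pwd" />
  <ssl id="outboundSSLConfig" keyStoreRef="defaultKeyStore" trustStoreRef="defaultTrustStore" />
</server>
"""

# The same file with the two missing keyStore elements supplied (placeholder paths and passwords).
FIXED_SERVER_XML = BROKEN_SERVER_XML.replace("</server>", """\
  <keyStore id="defaultKeyStore" location="resources/security/key.jks" password="pwd" />
  <keyStore id="defaultTrustStore" location="/PATH/TO/JDK/cacerts" password="changeit" />
</server>""")

def check_ssl_refs(server_xml):
    """Report ssl/sslDefault attributes that name an id no element defines. An <ssl> with an
    unresolved keyStoreRef or trustStoreRef is not a usable SSL configuration."""
    root = ET.fromstring(server_xml)
    keystore_ids = {k.get("id") for k in root.iter("keyStore")}
    ssl_ids = {s.get("id") for s in root.iter("ssl")}
    problems = []
    for ssl in root.iter("ssl"):
        for attr in ("keyStoreRef", "trustStoreRef"):
            ref = ssl.get(attr)
            if ref is not None and ref not in keystore_ids:
                problems.append("<ssl id=%r> %s=%r: no <keyStore> with that id" % (ssl.get("id"), attr, ref))
    for default in root.iter("sslDefault"):
        for attr in ("sslRef", "outboundSSLRef"):
            ref = default.get(attr)
            if ref is not None and ref not in ssl_ids:
                problems.append("<sslDefault> %s=%r: no <ssl> with that id" % (attr, ref))
    return problems

def outbound_trust_store(server_xml):
    """Id of the keyStore outbound connections trust: the outbound <ssl>'s trustStoreRef, or its
    keyStoreRef when no trustStoreRef is given (one store then serves for both key and trust)."""
    root = ET.fromstring(server_xml)
    default = root.find(".//sslDefault")
    if default is None:
        return None
    ref = default.get("outboundSSLRef") or default.get("sslRef")
    keystore_ids = {k.get("id") for k in root.iter("keyStore")}
    for ssl in root.iter("ssl"):
        if ssl.get("id") == ref:
            store = ssl.get("trustStoreRef") or ssl.get("keyStoreRef")
            return store if store in keystore_ids else None
    return None
```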

JMeter testing integration with IBM DataPower

Need your help in setting the SSL Manager in JMeter for performance testing with IBM DataPower.
I tried the steps below to add the cert.
• Added the (*.jks / *.p12) file in the JMeter GUI > Options > SSL Manager.
• I tried setting the jks file in the system.properties file too.
Path: *\jMETER\apache-jmeter-3.0\apache-jmeter-3.0\bin\system.properties
# Truststore properties (trusted certificates)
#javax.net.ssl.trustStore=/path/to/[jsse]cacerts
#javax.net.ssl.trustStorePassword
#javax.net.ssl.trustStoreProvider
#javax.net.ssl.trustStoreType [default = KeyStore.getDefaultType()]
# Keystore properties (client certificates)
# Location
javax.net.ssl.keyStore=****.jks -- Added
#
#The password to your keystore
javax.net.ssl.keyStorePassword=****-- Added
#
#javax.net.ssl.keyStoreProvider
#javax.net.ssl.keyStoreType [default = KeyStore.getDefaultType()]
I don't see the SSL handshake between JMeter and DataPower even after I followed the above steps. Getting the below error from DataPower.
12:47:26 AM ssl error 51751363 10.123.98.73 0x806000ca valcred (###_CVC_Reverse_Server): SSL Proxy Profile '###_SSLPP_Reverse_Server': connection error: peer did not send a certificate
12:47:26 AM mpgw error 51751363 10.123.98.73 0x80e00161 source-https (###_HTTPS_FSH_CON_****): Request processing failed: Connection terminated before request headers read because of the connection error occurs, from URL: 10.123.98.73:58394
12:47:26 AM ssl error 51751363 10.123.98.73 0x8120002f sslproxy (####_SSLPP_Reverse_Server): SSL library error: error:140890C7:SSL routines:SSL3_GET_CLIENT_CERTIFICATE:peer did not
Can you please advise how to send the cert (.jks / .p12) file from JMeter.
Change the "Implementation" of your HTTP Request sampler(s) to Java. The fastest and easiest way of doing this is using HTTP Request Defaults.
If you're using .p12 keystores you will need an extra line in the system.properties file, like:
javax.net.ssl.keyStoreType=pkcs12
A JMeter restart is required to pick the properties up.
See the How to Set Your JMeter Load Test to Use Client Side Certificates article for more information.

How to configure SSL in JBoss WildFly 8.1

I have configured SSL in JBoss WildFly 8.1. I have generated the keystore files and updated the standalone.xml file as below:
<security-realm name="security-realm">
<server-identities>
<ssl>
<keystore path="security/keystore.jks" relative-to="jboss.server.config.dir" keystore-password="changeit" key-password=" changeit"/>
</ssl>
</server-identities>
</security-realm>
The keystore-password and key-password are in cleartext. We simply cannot show them in clear text. I want to encrypt the password. I tried a lot but could not find credible help in this regard. So can anybody help me with how to encrypt this password and how to use it in standalone.xml?
You can mask passwords for WildFly using the VaultTool.
VaultTool used in WildFly Application Server is used for
creating/using storage for secured attributes (e.g. passwords) which
can be later on used in WildFly configuration files in masked form.
Thus users can use references to their secured attributes instead of
putting them in clear text form to configuration files.
First you need to create a Java keystore to store sensitive strings.
$ keytool -genseckey -alias vault -storetype jceks -keyalg AES -keysize 128 -storepass vault22 -keypass vault22 -validity 730 -keystore WILDFLY_HOME/vault/vault.keystore
Then initialize the Password Vault and store the password for the SSL keystore:
wildfly-8.1.0.Final/bin$ sh vault.sh
=========================================================================
JBoss Vault Tool
JBOSS_HOME: "wildfly-8.1.0.Final"
JAVA: ""
JAVA_OPTS: ""
=========================================================================
**********************************
**** JBoss Vault ***************
**********************************
Please enter a Digit:: 0: Start Interactive Session 1: Remove Interactive Session 2: Exit
0
Starting an interactive session
Enter directory to store encrypted files:/home/fsierra/vault/
Enter Keystore URL:home/fsierra/vault/vault.keystore
Enter Keystore password:
Enter Keystore password again:
Values match
Enter 8 character salt:12345678
Enter iteration count as a number (e.g.: 44):17
Enter Keystore Alias:Vault
Initializing Vault
ene 13, 2015 12:42:48 PM org.picketbox.plugins.vault.PicketBoxSecurityVault init
INFO: PBOX000361: Default Security Vault Implementation Initialized and Ready
Vault Configuration in WildFly configuration file:
********************************************
...
</extensions>
<vault>
<vault-option name="KEYSTORE_URL" value="/home/fsierra/vault/vault.keystore"/>
<vault-option name="KEYSTORE_PASSWORD" value="MASK-49SI2WfwF1X"/>
<vault-option name="KEYSTORE_ALIAS" value="Vault"/>
<vault-option name="SALT" value="12345678"/>
<vault-option name="ITERATION_COUNT" value="17"/>
<vault-option name="ENC_FILE_DIR" value="/home/fsierra/vault/"/>
</vault><management> ...
********************************************
Vault is initialized and ready for use
Handshake with Vault complete
Please enter a Digit:: 0: Store a secured attribute 1: Check whether a secured attribute exists 2: Exit
0
Task: Store a secured attribute
Please enter secured attribute value (such as password):
Please enter secured attribute value (such as password) again:
Values match
Enter Vault Block:keystore
Enter Attribute Name:password
Secured attribute value has been stored in Vault.
Please make note of the following:
********************************************
Vault Block:keystore
Attribute Name:password
Configuration should be done as follows:
VAULT::keystore::password::1
********************************************
Please enter a Digit:: 0: Store a secured attribute 1: Check whether a secured attribute exists 2: Exit
Finally, the keystore password has been masked for use in configuration files and deployments.
E.g. (standalone.xml):
<extensions>
...
</extensions>
<vault>
<vault-option name="KEYSTORE_URL" value="/home/fsierra/vault/vault.keystore"/>
<vault-option name="KEYSTORE_PASSWORD" value="MASK-49SI2WfwF1X"/>
<vault-option name="KEYSTORE_ALIAS" value="Vault"/>
<vault-option name="SALT" value="12345678"/>
<vault-option name="ITERATION_COUNT" value="17"/>
<vault-option name="ENC_FILE_DIR" value="/home/fsierra/vault/"/>
</vault>
<management>
<security-realms>
...
<security-realm name="SslRealm">
<server-identities>
<ssl>
<keystore path="ssl.jks" relative-to="jboss.server.config.dir" keystore-password="${VAULT::keystore::password::1}"/>
</ssl>
</server-identities>
</security-realm>
</security-realms>
</management>
References:
Masking passwords for WildFly using non-interactive VaultTool
Mask the Keystore Password and Initialize the Password Vault
JBoss AS7 Securing Passwords
AS7: Utilising masked passwords via the vault
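An added audit (not part of the answer) that reads a standalone.xml and reports which keystore-password, key-password and password attributes are still cleartext rather than ${VAULT::block::attribute::n} references, and checks that the <vault> element carries the options the vault tool printed. The XML is a constructed excerpt without the urn:jboss:domain namespace; the MASK- value is a placeholder.

```python
import re
import xml.etree.ElementTree as ET

VAULT_REF = re.compile(r"^\$\{VAULT::([^:}]+)::([^:}]+)::(\d+)\}$")
SECRET_ATTRS = ("keystore-password", "key-password", "password")
REQUIRED_VAULT_OPTIONS = {"KEYSTORE_URL", "KEYSTORE_PASSWORD", "KEYSTORE_ALIAS",
                          "SALT", "ITERATION_COUNT", "ENC_FILE_DIR"}

# Constructed excerpt: one realm still in cleartext, one using the reference the vault tool printed.
SAMPLE_STANDALONE = """\
<server>
  <vault>
    <vault-option name="KEYSTORE_URL" value="/opt/vault/vault.keystore"/>
    <vault-option name="KEYSTORE_PASSWORD" value="MASK-PLACEHOLDER"/>
    <vault-option name="KEYSTORE_ALIAS" value="vault"/>
    <vault-option name="SALT" value="12345678"/>
    <vault-option name="ITERATION_COUNT" value="17"/>
    <vault-option name="ENC_FILE_DIR" value="/opt/vault/"/>
  </vault>
  <security-realm name="security-realm"><server-identities><ssl>
    <keystore path="security/keystore.jks" keystore-password="changeit" key-password="changeit"/>
  </ssl></server-identities></security-realm>
  <security-realm name="SslRealm"><server-identities><ssl>
    <keystore path="ssl.jks" keystore-password="${VAULT::keystore::password::1}"/>
  </ssl></server-identities></security-realm>
</server>
"""

def local_name(tag):
    """Strip the urn:jboss:domain namespace that a real standalone.xml carries on every tag."""
    return tag.rsplit("}", 1)[-1]

def audit_secrets(standalone_xml):
    """List secret attributes still in cleartext, then vault problems if vault references are used."""
    root = ET.fromstring(standalone_xml)
    findings, vault_refs = [], 0
    for elem in root.iter():
        for attr in SECRET_ATTRS:
            value = elem.get(attr)
            if value is None:
                continue
            if VAULT_REF.match(value):
                vault_refs += 1
            else:
                findings.append("cleartext %s on <%s>" % (attr, local_name(elem.tag)))
    vault = next((e for e in root.iter() if local_name(e.tag) == "vault"), None)
    if vault_refs and vault is None:
        findings.append("vault references used but no <vault> element is configured")
    elif vault is not None:
        opts = {o.get("name"): o.get("value", "") for o in vault if local_name(o.tag) == "vault-option"}
        findings += ["missing vault-option %s" % n for n in sorted(REQUIRED_VAULT_OPTIONS - set(opts))]
        if not opts.get("KEYSTORE_PASSWORD", "").startswith("MASK-"):
            findings.append("vault KEYSTORE_PASSWORD is not a MASK- value")
    return findings
```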

IBM Worklight 6.1 - Runtime: Http request failed: javax.net.ssl.SSLPeerUnverifiedException: peer not authenticated

I'm using IBM Worklight 6.1 and Backbone.js for my mobile app project. I got this error message when I try to invoke the adapter.
Orders.xml
<?xml version="1.0" encoding="UTF-8"?>
<wl:adapter name="Orders"
xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
xmlns:wl="http://www.worklight.com/integration"
xmlns:http="http://www.worklight.com/integration/http">
<displayName>Orders</displayName>
<description>Orders</description>
<connectivity>
<connectionPolicy xsi:type="http:HTTPConnectionPolicyType">
<protocol>https</protocol>
<domain>izify.com</domain>
<port>443</port>
</connectionPolicy>
<loadConstraints maxConcurrentConnectionsPerNode="2" />
</connectivity>
<procedure name="getOrders"> </procedure>
</wl:adapter>
Orders-impl.js
function getOrders() {
var input = {
method : 'get',
returnedContentType : 'json',
path : "api/izify-api/admin/get_all_orders.php",
parameters:{merchantId:"74718912a2c0d82feb2c14604efecb6d"}
};
return WL.Server.invokeHttp(input);
}
ERROR message
{
"errors": [
"Runtime: Http request failed: javax.net.ssl.SSLPeerUnverifiedException: peer not authenticated"
],
"info": [
],
"isSuccessful": false,
"warnings": [
]
}
Thanks a lot in advance.
I got the answer for my problem.
Clean worklight development server
Deploy worklight adapter
No issue regarding SSL.
Done
Sometimes this exception occurs when the JVM doesn't trust the certificate. It's one of several symptoms of a problem negotiating the SSL/https connection.
Sometimes this happens when the remote server has an issue with its SSL certificate. However, from my end I am unable to recreate with an Oracle 1.7 JVM with unmodified trust stores - I can retrieve https://izify.com/api/izify-api/admin/get_all_orders.php and get back a response.
I also verified with a 3rd-party certificate checker that there are no problems with the izify.com SSL certificate (other than that it expires soon, but that won't be a problem for a few months now). Please run this from your end and confirm that the IP address it resolves to matches what you get.
Then, check that your WL server's HTTP requests to izify.com aren't going through some sort of proxy that is redirecting or otherwise interrupting the SSL connection (for example, Fiddler or development proxy).
I solved this problem by ensuring Eclipse is pointing to Java 7 as opposed to Java 6.