I have a problem setting up two-way SSL authentication.
I need to access an HTTPS endpoint from WSO2 Enterprise Integrator.
The service provider gave me a PFX keystore that contains the certificates and private key that I have to present to the server.
I installed this PFX keystore on my Windows computer and tried to access the endpoint from Chrome (the endpoint has a GET service at the root context that returns a hello message). When accessing this endpoint, Chrome tells me to choose a certificate to present to the server; I choose the right one and the hello message is returned. Fine, the certificate works.
I tried with curl too, providing key, cacert and cert (extracted from the PFX file using openssl). Everything worked fine.
The problem is when I try to access this endpoint from a WSO2 EI service.
I imported my PFX file into the default keystore (wso2carbon.jks), following these steps, using keytool:
Import pfx in jks
keytool -importkeystore -srckeystore .pfx -srcstoretype pkcs12 -destkeystore wso2carbon.jks -deststoretype JKS -srcstorepass -deststorepass wso2carbon
Export jks public key
keytool -export -alias "" -keystore wso2carbon.jks -file publickey.pem -storepass wso2carbon
Import the public key into the default client-truststore.jks
keytool -import -alias "" -file publickey.pem -keystore client-truststore.jks -storepass wso2carbon
Update the password of the alias in the wso2carbon keystore (must be the same as the JKS password)
keytool -keypasswd -alias "" -new wso2carbon -keystore wso2carbon.jks -keypass -storepass wso2carbon
Added the root & intermediate server certificates to the truststore
keytool -import -v -trustcacerts -alias root -file root.cer -keystore client-truststore.jks -storepass wso2carbon
keytool -import -v -trustcacerts -alias intermed -file intermed.cer -keystore client-truststore.jks -storepass wso2carbon
Restarted WSO2 EI, then tried to access the endpoint (handshake failure!!!).
I activated -Djavax.net.debug=ssl:handshake; below is the error trace.
It seems WSO2 EI cannot find the certificates requested by the server:
...
*** CertificateRequest
Cert Types: RSA, DSS, ECDSA
Supported Signature Algorithms: SHA512withRSA, Unknown (hash:0x6, signature:0x2), SHA512withECDSA, SHA384withRSA, Unknown (hash:0x5, signature:0x2), SHA384withECDSA, SHA256withRSA, Unknown (hash:0x4, signature:0x2), SHA256withECDSA, SHA224withRSA, Unknown (hash:0x3, signature:0x2), SHA224withECDSA, SHA1withRSA, SHA1withDSA, SHA1withECDSA
Cert Authorities:
<CN=Autorite Bureau RTE, O=RTE, L=Pacy, ST=Eure, C=FR>
<CN=Autorite Racine RTE, O=RTE, L=Pacy, ST=Eure, C=FR>
<CN=Autorite Bureau Machine RTE, DC=bureau, DC=si, DC=interne>
*** ServerHelloDone
Warning: no suitable certificate found - continuing without client authentication
*** Certificate chain
<Empty>
***
*** ClientKeyExchange, RSA PreMasterSecret, TLSv1.2
PassThroughMessageProcessor-2, WRITE: TLSv1.2 Handshake, length = 320
SESSION KEYGEN:
PreMaster Secret:
... no IV derived for this protocol
PassThroughMessageProcessor-2, WRITE: TLSv1.2 Change Cipher Spec, length = 64
*** Finished
verify_data: { 111, 185, 151, 74, 99, 156, 152, 185, 240, 222, 162, 116 }
***
PassThroughMessageProcessor-2, WRITE: TLSv1.2 Handshake, length = 80
PassThroughMessageProcessor-2, READ: TLSv1.2 Alert, length = 64
PassThroughMessageProcessor-2, RECV TLSv1.2 ALERT: fatal, handshake_failure
%% Invalidated: [Session-1, TLS_RSA_WITH_AES_256_CBC_SHA256]
%% Invalidated: [Session-2, TLS_RSA_WITH_AES_256_CBC_SHA256]
PassThroughMessageProcessor-2, called closeSocket()
PassThroughMessageProcessor-2, handling exception: javax.net.ssl.SSLHandshakeException: Received fatal alert: handshake_failure
PassThroughMessageProcessor-2, called close()
PassThroughMessageProcessor-2, called closeInternal(true)
I tried with SoapUI, referencing the previously created keystore, and the GET call returns the hello message (handshake succeeded).
I also tried with a small Java class that uses that keystore, and the SSL handshake goes fine.
import java.io.BufferedReader;
import java.io.InputStream;
import java.io.InputStreamReader;
import java.net.URL;
import javax.net.ssl.HttpsURLConnection;

public class KeystoreTest {
    public static void main(String[] args) throws Exception {
        String keystorePath = "<path-to-wso2carbon.jks>"; // placeholder
        String CERT_PASSWORD = "<keystore-password>";      // placeholder
        String endpoint = "<https-endpoint>";              // placeholder
        // Point the default SSLContext at the keystore holding the client certificate
        System.setProperty("javax.net.ssl.keyStore", keystorePath);
        System.setProperty("javax.net.ssl.keyStorePassword", CERT_PASSWORD);
        System.setProperty("javax.net.ssl.keyStoreType", "JKS");
        URL myUrl = new URL(endpoint);
        HttpsURLConnection conn = (HttpsURLConnection) myUrl.openConnection();
        // Opening the input stream triggers the TLS handshake, including the client certificate
        try (InputStream is = conn.getInputStream();
             BufferedReader br = new BufferedReader(new InputStreamReader(is))) {
            String inputLine;
            while ((inputLine = br.readLine()) != null) {
                System.out.println(inputLine);
            }
        }
    }
}
Cert Authorities:
<CN=Autorite Bureau RTE, O=RTE, L=Pacy, ST=Eure, C=FR>
<CN=Autorite Racine RTE, O=RTE, L=Pacy, ST=Eure, C=FR>
<CN=Autorite Bureau Machine RTE, DC=bureau, DC=si, DC=interne>
*** ServerHelloDone
matching alias: alias-cert
I appreciate any help.
Thanks.
Kind regards,
Rudy
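As an added diagnostic (not part of the post above or of WSO2's code), this Java class loads a JKS and reports, for every private-key entry, whether some certificate in its chain was issued by one of the CAs the server named in its CertificateRequest and whether the entry unlocks with the store password; a store in which no entry passes both checks is what produces "no suitable certificate found" in the trace. The keystore path and password are assumed defaults; the CA names are copied from the trace.

```java
import java.io.FileInputStream;
import java.security.KeyStore;
import java.security.cert.Certificate;
import java.security.cert.X509Certificate;
import java.util.Enumeration;
import javax.security.auth.x500.X500Principal;

public class ClientCertCheck {
    // The "Cert Authorities" the server listed in its CertificateRequest (copied from the trace above).
    static final String[] ACCEPTED_ISSUERS = {
        "CN=Autorite Bureau RTE, O=RTE, L=Pacy, ST=Eure, C=FR",
        "CN=Autorite Racine RTE, O=RTE, L=Pacy, ST=Eure, C=FR",
        "CN=Autorite Bureau Machine RTE, DC=bureau, DC=si, DC=interne"
    };
    // True when at least one private-key entry could answer the server's CertificateRequest.
    static boolean hasUsableClientCert(String path, char[] storePass) throws Exception {
        KeyStore ks = KeyStore.getInstance("JKS");
        try (FileInputStream in = new FileInputStream(path)) {
            ks.load(in, storePass);
        }
        boolean usable = false;
        for (Enumeration<String> e = ks.aliases(); e.hasMoreElements();) {
            String alias = e.nextElement();
            // Trusted-cert entries carry no private key and can never be offered as a client cert.
            if (!ks.isKeyEntry(alias) || ks.getCertificateChain(alias) == null) continue;
            Certificate[] chain = ks.getCertificateChain(alias);
            boolean issuerOk = false;
            for (Certificate c : chain) {
                X500Principal issuer = ((X509Certificate) c).getIssuerX500Principal();
                for (String ca : ACCEPTED_ISSUERS) {
                    if (issuer.equals(new X500Principal(ca))) issuerOk = true; // canonical DN comparison
                }
            }
            // The transport unlocks the key with the store password (step 4 of the question);
            // an entry whose key password differs is unusable even when the issuer matches.
            boolean keyOk;
            try { keyOk = ks.getKey(alias, storePass) != null; } catch (Exception ex) { keyOk = false; }
            System.out.printf("%s: subject=%s issuerMatches=%b keyUnlocks=%b%n", alias,
                ((X509Certificate) chain[0]).getSubjectX500Principal(), issuerOk, keyOk);
            usable |= issuerOk && keyOk;
        }
        return usable;
    }

    public static void main(String[] args) throws Exception {
        // Assumed defaults: the EI keystore file and its out-of-the-box password.
        boolean ok = hasUsableClientCert(args.length > 0 ? args[0] : "wso2carbon.jks",
            (args.length > 1 ? args[1] : "wso2carbon").toCharArray());
        System.out.println(ok ? "a usable client certificate exists" : "no suitable certificate: expect handshake_failure");
    }
}
```

Run it against the keystore the https transportSender actually references; an entry that matches here but is still not offered points at the transport reading a different store than the one you imported into.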
To solve this, review your configuration in the axis2.xml file: look at the transportSender element with name="https" and insert the customSSLProfiles configuration.
The how-to is in this documentation:
https://docs.wso2.com/display/EI660/HTTPS-NIO+Transport+
Although my site's certificate is fine ("openssl verify mysite.com.cer" resulted in OK) and my site is SSL-certified, including the green lock in the URL bar, my site generates a fatal alert: bad_certificate whenever a subscriber in my WSO2 app executes an API.
[2018-06-08 10:54:47,167] ERROR - SourceHandler I/O error: Received fatal alert: bad_certificate
javax.net.ssl.SSLException: Received fatal alert: bad_certificate
at sun.security.ssl.Alerts.getSSLException(Alerts.java:208)
at sun.security.ssl.SSLEngineImpl.fatal(SSLEngineImpl.java:1666)
at sun.security.ssl.SSLEngineImpl.fatal(SSLEngineImpl.java:1634)
at sun.security.ssl.SSLEngineImpl.recvAlert(SSLEngineImpl.java:1800)
at sun.security.ssl.SSLEngineImpl.readRecord(SSLEngineImpl.java:1083)
at sun.security.ssl.SSLEngineImpl.readNetRecord(SSLEngineImpl.java:907)
at sun.security.ssl.SSLEngineImpl.unwrap(SSLEngineImpl.java:781)
at javax.net.ssl.SSLEngine.unwrap(SSLEngine.java:624)
at org.apache.http.nio.reactor.ssl.SSLIOSession.doUnwrap(SSLIOSession.java:245)
at org.apache.http.nio.reactor.ssl.SSLIOSession.decryptData(SSLIOSession.java:378)
at org.apache.http.nio.reactor.ssl.SSLIOSession.isAppInputReady(SSLIOSession.java:413)
at org.apache.http.impl.nio.reactor.AbstractIODispatch.inputReady(AbstractIODispatch.java:119)
at org.apache.http.impl.nio.reactor.BaseIOReactor.validate(BaseIOReactor.java:218)
at org.apache.http.impl.nio.reactor.AbstractIOReactor.execute(AbstractIOReactor.java:281)
at org.apache.http.impl.nio.reactor.BaseIOReactor.execute(BaseIOReactor.java:105)
at org.apache.http.impl.nio.reactor.AbstractMultiworkerIOReactor$Worker.run(AbstractMultiworkerIOReactor.java:586)
at java.lang.Thread.run(Thread.java:748)
I browsed through several stackoverflow-questions about 'bad_certificate' but found no solution.
To import my certificate I followed WSO2's docs:
openssl pkcs12 -export -in SSL_certificate_www_mysite_com.crt -inkey www.mysite.com.key -name "mykeys" -certfile mysite.com.cer -out mykeys.pfx
keytool -importkeystore -srckeystore mykeys.pfx -srcstoretype pkcs12 -destkeystore mykeys.jks -deststoretype JKS
keytool -export -alias "mykeys" -keystore mykeys.jks -file mykeys.pem
copied mykeys.pem and mykeys.jks to /usr/local/opt/wso2am-2.2.0/repository/resources/security/
keytool -import -alias "mykeys" -file mykeys.pem -keystore client-truststore.jks -storepass wso2carbon and answered yes to include the certificate
Then I had to change several configuration files to use mykeys instead of wso2carbon. So I did.
Then I restarted wso2-carbon, logged in and checked that mykeys.JKS showed up in the list of keystores, it does.
My site is correctly SSL-certified, green lock showing in the URL bar. All works fine, up to the point where, logged in as Subscriber, I try to Execute an API, which results in the response "ERROR - SourceHandler I/O error: Received fatal alert: bad_certificate" and the above-mentioned log coming from SourceHandler.
This error is logged in repository/logs/wso2-apigw-errors.log and wso2carbon.log, but only this message, nothing else.
Where to look next to find why my certificate is not getting validated correctly?
The problem is the self-signed certificate.
Assume your service is published at this endpoint:
https://192.168.99.3:8243/first/1.0.0
Then you have to open a new browser window at
https://192.168.99.3:8243/
and set the browser to always accept the HTTPS certificate.
After this the call in the API console should work.
If you have separate Store and gateway instances, open the gateway:9443/carbon in browser and accept the self signed certificate. That should work.
I'm trying to use JMeter to test my app by sniffing the packets and then replaying them.
I followed JMeter's instructions by creating an HTTP(S) Test Script Recorder, configuring the proxy on my phone and installing the certificate generated by Apache, but I still get this exception:
2018-02-27 11:16:50,564 INFO o.a.j.p.h.p.ProxyControl: [62991] Creating entry xxx.111-xxx.ch in C:\xxx\apache-jmeter-4.0\bin\proxyserver.jks
2018-02-27 11:16:50,564 ERROR o.a.j.p.h.p.Proxy: [63017] Problem with keystore
java.io.IOException: >> erreur keytool : java.lang.RuntimeException: java.io.IOException: DNSName components must begin with a letter <<
Command failed, code: 1
'keytool -genkeypair -alias xxx.111-xxx.ch -dname "cn=xxx.111-xxx.ch, o=JMeter Proxy (TEMPORARY TRUST ONLY)" -keyalg RSA -keystore proxyserver.jks -storepass {redacted} -keypass {redacted} -validity 7 -ext san=dns:xxx.111-xxx.ch'
at org.apache.jorphan.exec.KeyToolUtils.genkeypair(KeyToolUtils.java:171) ~[jorphan.jar:4.0 r1823414]
at org.apache.jorphan.exec.KeyToolUtils.generateSignedCert(KeyToolUtils.java:285) ~[jorphan.jar:4.0 r1823414]
at org.apache.jorphan.exec.KeyToolUtils.generateHostCert(KeyToolUtils.java:276) ~[jorphan.jar:4.0 r1823414]
at org.apache.jmeter.protocol.http.proxy.ProxyControl.updateKeyStore(ProxyControl.java:1563) ~[ApacheJMeter_http.jar:4.0 r1823414]
at org.apache.jmeter.protocol.http.proxy.Proxy.getSSLSocketFactory(Proxy.java:324) [ApacheJMeter_http.jar:4.0 r1823414]
at org.apache.jmeter.protocol.http.proxy.Proxy.startSSL(Proxy.java:429) [ApacheJMeter_http.jar:4.0 r1823414]
at org.apache.jmeter.protocol.http.proxy.Proxy.run(Proxy.java:194) [ApacheJMeter_http.jar:4.0 r1823414]
2018-02-27 11:16:50,564 WARN o.a.j.p.h.p.Proxy: [63017] Unable to negotiate SSL transaction, no keystore?
2018-02-27 11:16:50,564 ERROR o.a.j.p.h.p.Proxy: [63017] Exception when processing sample
Can anyone help?
My company has jabber server with certificate
I added this certificate to my keystore like this:
# </dev/null closes the TLS session so s_client exits; 2>/dev/null hides the connection chatter;
# sed keeps only the PEM block of the server certificate (one pipeline, so sed actually receives the s_client output)
openssl s_client -connect ${HOST}:${PORT} </dev/null 2>/dev/null | sed -ne '/-BEGIN CERTIFICATE-/,/-END CERTIFICATE-/p' > host.crt
keytool -import -trustcacerts -alias ${HOST} -file host.crt -keystore $JAVA_HOME/lib/security/cacerts
and still I can't get notifications via Jabber in Jenkins:
Jabber notifier plugin: Sending notification to: lana#jabber_host.com
Jabber notifier plugin: [ERROR] not connected. Cannot send message to 'lana#jabber_host.com'
Can anyone help?
Logs:
INFO: Trying to connect to XMPP on jabber_host:5223/jabber_host
java.io.EOFException: input contained no data
at org.xmlpull.mxp1.MXParser.fillBuf(MXParser.java:3003)
at org.xmlpull.mxp1.MXParser.more(MXParser.java:3046)
at org.xmlpull.mxp1.MXParser.parseProlog(MXParser.java:1410)
at org.xmlpull.mxp1.MXParser.nextImpl(MXParser.java:1395)
at org.xmlpull.mxp1.MXParser.next(MXParser.java:1093)
at org.jivesoftware.smack.PacketReader.parsePackets(PacketReader.java:325)
at org.jivesoftware.smack.PacketReader.access$000(PacketReader.java:43)
at org.jivesoftware.smack.PacketReader$1.run(PacketReader.java:70)
PM hudson.plugins.jabber.im.transport.JabberIMConnection connect
WARNING: service-unavailable(503)
at org.jivesoftware.smack.NonSASLAuthentication.authenticate(NonSASLAuthentication.java:77)
at org.jivesoftware.smack.XMPPConnection.login(XMPPConnection.java:212)
at hudson.plugins.jabber.im.transport.JabberIMConnection.createConnection(JabberIMConnection.java:319)
at hudson.plugins.jabber.im.transport.JabberIMConnection.connect(JabberIMConnection.java:162)
at hudson.plugins.jabber.im.transport.JabberIMConnectionProvider.createConnection(JabberIMConnectionProvider.java:42)
at hudson.plugins.im.IMConnectionProvider.create(IMConnectionProvider.java:65)
at hudson.plugins.im.IMConnectionProvider.access$600(IMConnectionProvider.java:22)
at hudson.plugins.im.IMConnectionProvider$ConnectorRunnable.run(IMConnectionProvider.java:183)
at java.lang.Thread.run(Thread.java:662)
org.apache.axis2.AxisFault: Connection has been shutdown: javax.net.ssl.SSLHandshakeException: sun.security.validator.ValidatorException: PKIX path validation failed: java.security.cert.CertPathValidatorException: basic constraints check failed: this is not a CA certificate
Are you trying to use your webapp as a client to a service based on HTTPS? If so, your webapp should be able to trust that service. If the service is created with a self-signed certificate, you need to add that cert's CA root certificate to your cacerts as trusted. That can be done with keytool, which comes with the JRE/JDK.
keytool.exe -import -alias AliasForYourTrustedCert -file File.cer -trustcacerts -keystore %JAVA_HOME%\lib\security\cacerts