We Keep Coding

Why is hostname verification done even though verifyHostname is false?

In trying to get secure rest services to work on Open Liberty in a container, I get the following error:
CWPKI0824E: SSL HANDSHAKE FAILURE: Host name verification error while connecting to host [hostname]. The host name used to access the server does not match the server certificate's SubjectDN or Subject Alternative Name information. The extended error message from the SSL handshake exception is: [No name matching hostname found].
Relevant portion of the server.xml:
<featureManager>
<feature>appSecurity-3.0</feature>
<feature>jca-1.7</feature>
<feature>jdbc-4.1</feature>
<feature>jndi-1.0</feature>
<feature>localConnector-1.0</feature>
<feature>mpConfig-1.3</feature>
<feature>passwordUtilities-1.0</feature>
<feature>ssl-1.0</feature>
<feature>transportSecurity-1.0</feature>
</featureManager>
<sslDefault sslRef="DefaultSSLConfig" httpHostNameVerification="false"/>
<ssl id="DefaultSSLConfig" keyStoreRef="DefaultKeyStore" trustStoreRef="DefaultTrustStore" trustDefaultCerts="true" verifyHostname="false"/>
<keyStore id="DefaultKeyStore" location="liberty-default-key.p12" type="PKCS12" password="password"/>
<keyStore id="DefaultTrustStore" location="liberty-default-trust.p12" type="PKCS12" password="password"/>
<ldapRegistry id="ldapRegistry" realm="Standalone LDAP Registry" ldapType="IBM Tivoli Directory Server"
host="server" port="123"
baseDN="baseDN" bindDN="bindDN" bindPassword="password"
recursiveSearch="true"
sslEnabled="true" sslRef="DefaultSSLConfig">
<idsFilters>
...
</idsFilters>
</ldapRegistry>
As you can see verifyHostname has the value 'false', but the check is done anyway.
What am I missing?

The JDK has handles LDAP separately and hostname verification is enabled by default by the JDK. To disable LDAP hostname verification you need to set the system property com.sun.jndi.ldap.object.disableEndpointIdentification to true. So in the jvm.options in your server directory add -Dcom.sun.jndi.ldap.object.disableEndpointIdentification=true to disable hostname verification on an LDAP connention.

Tomcat 9.x.x Client Authentication using X.509 Certificates

I’m using Tomcat 9.0.19 and trying to enable X.509 cert.-based client authentication (AKA I&A) for a particular Web application.
In summary, the Tomcat works for an application that has basic I&A enabled over one-way TLS. When accessing the Web application that has certificate-based I&A, Tomcat does not seem to request a client certificate as part of the Server Hello message, prior to sending Server Hello Done and it later fails the authentication check:
02-Jan-2020 13:00:40.371 FINE [https-jsse-nio-443-exec-10] org.apache.catalina.authenticator.SSLAuthenticator.doAuthenticate Looking up certificates
02-Jan-2020 13:00:40.830 FINE [https-jsse-nio-443-exec-10] org.apache.catalina.authenticator.SSLAuthenticator.doAuthenticate No certificates included with this request
Traced the TLS flow in Wireshark and saw the TLS 1.2 handshake. Shortly after encrypted data is exchanged, the Tomcat sends an “Encrypted Alert” message and the socket is closed. Trying to contact the Tomcat from the browser, doing a GET. The browser does not prompt me to select a certificate, which also seems to point to Tomcat not requesting it from the browser.
Any help will be greatly appreciated!
More Details:
We have a set of certificates for the Tomcat and the client, issued by an Intermediate CA, which is signed (issued) by a Root CA. The trust stores have been setup on both sides (client and server) as well as key stores with the right certs/keys in them. The Web application is setup to require certificate I&A (web.xml):
<security-constraint>
<web-resource-collection>
<web-resource-name>All by default</web-resource-name>
<url-pattern>/*</url-pattern>
<http-method>GET</http-method>
<http-method>POST</http-method>
</web-resource-collection>
<auth-constraint>
<role-name>OTService</role-name>
</auth-constraint>
<user-data-constraint>
<transport-guarantee>CONFIDENTIAL</transport-guarantee>
</user-data-constraint>
</security-constraint>
<login-config>
<auth-method>CLIENT-CERT</auth-method>
<realm-name>certificate</realm-name>
</login-config>
The OTService role is setup in the Tomcat-Users.xml, along with a single user account:
Now, the Connector in server.xml is configured as follows:
<Connector port="443" protocol="org.apache.coyote.http11.Http11NioProtocol"
maxThreads="100" SSLEnabled="true" scheme="https" secure="true">
<SSLHostConfig>
<Certificate certificateKeystoreFile="/apache-tomcat-9.0.19/conf/km/keyStore.jks"
certificateKeystorePassword="PASSWORD"
certificateKeyAlias="tomcat"
type="RSA" />
truststoreFile="/apache-tomcat-9.0.19/conf/km/trust_store.jks"
truststorePass="PASSWORD"
truststoreType="JKS"
certificateVerification="required"
clientAuth="true"
protocols="TLSv1.2"
</SSLHostConfig>
</Connector>
Any ideas why Tomcat would not request a client certificate?

The first issue that I discovered was that Tomcat ignored the Connector->SSLHostConfig settings for the trust store and used the JRE default trust store anyway. The way I discovered it was to have a browser save the negotiated TLS session key to a file (Google SSLKEYLOGFILE), then configured the Wireshark to use that file, captured the browser-Tomcat session and then was able to see every message in plaintext.
Next, I discovered that Tomcat was actually asking for a client cert., but the list of accepted Root CAs it was sending was from the default JRE cacerts file, not from the file specified by the truststoreFile attribute. Can have Tomcat use a different file across the board by adding a setenv.sh file to the Tomcat bin directory with Java properties to override default trust store location.
Now, I was in business, the browser was able to complete the TLS handshake, but then the authentication and authorization steps were failing. I finally determinate that the proper way to provide the cert. subject field in tomcat_users.xml file was not "CN=OU Client, OU=Control Systems, O=IoTOY, L=Scottsdale, S=AZ, C=US", but "CN=OU Client, OU=Control Systems, O=IoTOY, L=Scottsdale, ST=AZ, C=US". Finally, I had 2-way TLS working.
One thing to keep in mind is if anything running on the Tomcat attempts to connect over TLS to another system that uses commercial CA certs, it will fail because the truststore you're using now does not have commercial Root CAs' certs. One way to remediate it is to make a copy of the default JRE cacerts file and add your system-specific CA cert(s) to it and point to it from the setenv.sh file noted above.

When you have:
<Connector ...>
<SSLHostConfig>
<Certificate A=1 B=2 C=3 />
D=4 E=5 F=6
</SSLHostConfig>
</Connector>
then A,B,C are attributes of the Certificate object but D,E,F are NOT attributes of the SSLHostConfig object -- they are XML content which is different. Attributes need to be put IN THE TAG:
<Connector ... >
<SSLHostConfig certificateVerification="required" truststoreFile=... >
<Certificate ...keystore... />
</SSLHostConfig>
</Connector>
and that does cert-request on the initial handshake as desired (for me, tested on tomcat 9.0.14).

wso2is - Adding new keystore

I'm trying to set up a new keystore in wso2is, I follow the 2 guides :
https://docs.wso2.com/display/ADMIN446/Creating+New+Keystores
https://docs.wso2.com/display/Carbon443/Configuring+Keystores+in+WSO2+Products
In the https://docs.wso2.com/display/Carbon443/Configuring+Keystores+in+WSO2+Products it says to change keystore in sec.policy, but the file doesn't exist in IS 5.2.0
Although the guide don't talk about theses files, where the default keystore seem to be used :
conf/identity/EndpointConfig.properties
conf/security/secret-conf.properties
conf/security/cipher-text.properties
I have a webapp calling wso2is, the keystore has been added in the JVM using -Djavax.net.ssl.trustStore=/path/to/newkeystore.jks -Djavax.net.ssl.trustStorePassword=mypassword
When calling oauth2 endpoint (https://myinternaldomain:9443/oauth2/token) I got this error :
TID: [1] [] [2017-01-10 13:30:14,505] #tenant1.com [1] [IS] INFO
{org.wso2.carbon.core.deployment.DeploymentInterceptor} - Deploying
Axis2 service: wso2carbon-sts {tenant1.com[1]} TID: [1] [] [2017-01-10
13:30:14,536] admin#tenant1.com [1] [IS]ERROR
{org.wso2.carbon.core.deployment.DeploymentInterceptor} - Error while
updating wso2carbon-sts in STSDeploymentInterceptor
java.io.IOException: Keystore was tampered with, or password was
incorrect
at sun.security.provider.JavaKeyStore.engineLoad(JavaKeyStore.java:780)
at sun.security.provider.JavaKeyStore$JKS.engineLoad(JavaKeyStore.java:56)
at sun.security.provider.KeyStoreDelegator.engineLoad(KeyStoreDelegator.java:224)
at sun.security.provider.JavaKeyStore$DualFormatJKS.engineLoad(JavaKeyStore.java:70)
at java.security.KeyStore.load(KeyStore.java:1445)
at org.wso2.carbon.core.util.KeyStoreManager.getKeyStore(KeyStoreManager.java:146)
I did not change anything regarding keystore in the axis2.xml because all information regarding the keystore are commented.
All other endpoints (soap enpoints) are working fine with SSL, and everything works fine with localhost and default wso2carbon.jks
but I cannot make oauth2/token endpoint work with a new jks.
Thanks for your input, ideas.
Regards

I got it working by adding the public key in the java default keystore
keytool -import -v -alias certalias -file newkeystore.pem -keystore $JAVA_HOME/lib/security/cacerts -storepass changeit
and by doing the following configuration which should definitely be in the wso2is keystore configuration documentation !
http://xacmlinfo.org/2014/11/05/how-to-changing-the-primary-keystore-of-a-tenant-in-carbon-products/

Client authentication on JBoss server

I'm trying to configure client authentication for my application running on JBoss. Expected result is that application requests user for certificate and if trusted one is provided, he will be able to work with application.
I've generated certificate and added one into trustore (JBoss.keystore) and also configured standalone.xml file as follow:
<connector name="https" protocol="HTTP/1.1" scheme="https" socket-binding="https" enable-lookups="false" secure="true">
<ssl name="ssl" key-alias="ssl alias" password="password" certificate-key-file="..\standalone\configuration\JBoss.keystore" protocol="TLSv1.2" verify-client="true"/>
<virtual-server name="my-host" />
</connector>
I thought that setting secure property true will do the trick, but browser does not ask for user certificate, but immediately returns error ERR_BAD_SSL_CLIENT_AUTH_CERT. Browser is configured to ask for certificate each time, if required.
How to change server configuration into expected behavior?

I have found an answer. The solution was to import CA certificate that signed client certificate into truststore, instead of importing client certificate itself.
After importing CA certificate, each certificate that was signed by CA and imported into browser is displayed to be chosen from.

Installing SSL certificate on JBoss

I have a server that runs JBoss. When I type bad URL to that server it gives me version like this: JBossWeb/2.0.1.GA - what version of JBoss that would be? A SSL certificate will be bought and provided for me so that I could install it in JBoss. I would really appreciate any HOWTO or any information how to install ready SSL certificate on JBoss. Do I need to generate any files with openssl, when this SSL certificate will be bought from some other company that sells SSL certificates?
Thanks in advance for any help.

You can generate your own SSL certificate:
First off you need to create a self-signed certificate. You do this using the keytools application that comes with Java. Open a command prompt and run the following command. You will need to change the path to your Jboss conf directory to reflect your install:
C:\>keytool -genkey -alias tomcat -keyalg RSA -keystore C:\jboss-2.0.1.GA\server\default\conf\localhost.keystore
When prompted use a password of changeit everywhere. It’s important that you answer localhost to the first question:
Enter keystore password: changeit
Re-enter new password: changeit
What is your first and last name?
[Unknown]: localhost
What is the name of your organizational unit?
[Unknown]:
What is the name of your organization?
[Unknown]:
What is the name of your City or Locality?
[Unknown]:
What is the name of your State or Province?
[Unknown]:
What is the two-letter country code for this unit?
[Unknown]: NZ
Is CN=localhost, OU=Unknown, O=Unknown, L=Unknown, ST=Unknown, C=NZ correct?
[no]: yes
Enter key password for
(RETURN if same as keystore password): changeit
Re-enter new password: changeit
Next up you need to configure tomcat to create a SSL connector.
Edit C:\jboss-2.0.1.GA\server\default\deploy\jboss-web.deployer\server.xml and find the commented out SSL connector example, uncomment it and tweak it as follows:
<Connector port="8443" protocol="HTTP/1.1" SSLEnabled="true"
maxThreads="150" scheme="https" secure="true"
clientAuth="false" sslProtocol="TLS"
keystoreFile="${jboss.server.home.dir}/conf/localhost.keystore"
keystorePass="changeit"
/>
Finally add two System properties to your Jboss startup command to get the javax.net.ssl library to use your new keystore. These are only needed if you need to make SSL calls back to yourself. I needed them because I had CAS and 3 apps authenticating with CAS all running in the same dev Jboss instance:
-Djavax.net.ssl.trustStore=C:\jboss-2.0.1.GA\server\default\conf\localhost.keystore
-Djavax.net.ssl.trustStorePassword=changeit
Ok now browse to http://localhost:8443/
Your browser will complain about a self-signed certificate. Just follow your browser’s instructions to add this certificate as a security exception so you won’t be prompted again and you are all done.

I know this post is quite old, bui i want to share the steps needed for a much more recent version of Wildfly (JBoss AS in early times).
First of all you need to create your self-signed certificate. If you already have a keystore, you can skip this steps.
Go to your Wildfly/ Jboss home folder and create a new directory called "keystore"
Download the KeyStore Explorer application.
Open it and choose "Create a new KeyStore"
In the dialog that appears, choose JKS. In most cases it is fine, but in other platform
for example on Android you need to use the BKS format type.
Now right click and choose 'Create new Key Pair'. You can safely accept the default.
(RSA/2048)
In the dialog that appears, customize it to your needs. Anyway i suggest to use the
Version 3 and SHA-256 with RSA.
Click on the 'Edit name' button in the bottom-right area of the dialog, that corresponds
to the Name field. Fill all fields and click ok.
Click ok on the other dialog.
Now it will be asked to insert a neme for an alias. Type jbossWildfly and click ok, and then
insert the password that will be used to unlock this alias. I highly suggest to
save this data somewhere in your computer.
Now you have successfully generated a key pair. Save it with the name keystore.jks in the keystore folder that we have created previously, then insert a new password that
will be used to unlock the keystore. You can use the same of the previously one if
you want.
Now open the standalone.xml file located in:
$WILDFLY_HOME$\standalone\configuration
And add a new Security Realm inside the <security-realms> tag:
<security-realm name="MyNewSecurityRealm">
<server-identities>
<ssl>
<keystore path="$WILDFLY_HOME$\keystore\keystore.jks" keystore-password="keystore_password" alias="jbossWildfly" key-password="alias_password"/>
</ssl>
</server-identities>
</security-realm>
Again change $WILDFLY_HOME$ with the real path to the home dir and change the password to what you've typed.
Now you need to assign your new Security realm to the HTTPS listener of the default-server:
<server name="default-server">
<http-listener name="default" socket-binding="http" redirect-socket="https" enable-http2="true"/>
<https-listener name="https" socket-binding="https" security-realm="MyNewSecurityRealm" enable-http2="true"/>
<host name="default-host" alias="localhost">
<location name="/" handler="welcome-content"/>
<http-invoker security-realm="MyNewSecurityRealm"/>
</host>
</server>
Remember that by default the HTTPS listener is binded to the 8443 port:
<socket-binding name="https" port="${jboss.https.port:8443}"/>
So your calls to the server would be something like this: (accessing on localhost)
https://localhost:8443/
Hope it can help! :)