IBM Worklight 6.1. Adapters. SSL working with worklight.properties but not with Liberty SSL configuration - ibm-mobilefirst

I have read the posts that are about this subject but I have not found any one that helps me.
I have an adapter that invokes a service using HTTPS.
It works if I do the SSL configuration using the server/conf/worklight.properties file with the properties: (after importing the backend server certificate in the default.keystore)
ssl.keystore.path=conf/default.keystore
ssl.keystore.type=jks
ssl.keystore.password=worklight
But if I comment those properties and edit the server.xml with this configuration:
<feature>ssl-1.0</feature>
<keyStore id="worklight" location="${server.config.dir}/default.keystore" password="worklight"/>
The adapter does not work and fails with the error:
Http request failed: javax.net.ssl.SSLPeerUnverifiedException: peer not authenticated
The "${server.config.dir}/default.keystore" file and "conf/default.keystore" file are the same file.
Is it possible to invoke https services from adapters in the Worklight Studio Liberty Profile Server without using the worklight.properties file and making the SSL configuration directly in the server.xml?

Worklight is not seeking SSL certificates in the Liberty keystore. If the certificate is self-signed, it should be added to the keystore defined in worklight.properties or to the default OS/JVM keystore.

Related

Tomcat is not picking up the keystore

I am setting up a Tomcat server which communicates with an external system through SOAP web services (I am using the external system stubs and the Apache Axis2 library for that).
The external system is secured with SSL client/server authentication. The system provides me a keystore file in .pfx format which contains two certificates.
Things I have tried:
I have extracted those two certificates and added them to my keystore. I added the entry below to my tomcat/bin/catalina.bat file:
set JAVA_OPTS = %JAVA_OPTS% -Djavax.net.ssl.trustStore=/pathtomykeystore/cacerts -Djavax.net.ssl.keyStore=/pathtomykeystore/cacerts -Djavax.net.ssl.keyStorePassword=changeit -Djavax.net.ssl.trustStorePassword=changeit
With the above configuration, my request fails with "No X.509 client certificate HTTP header found in request".
I have enabled SSL logs and found that serverHelloDone is printed, and after that it says
"No suitable client certificate could be found - continuing without client authentication"
I have tried the same thing from the SoapUI tool, where I directly configure the .pfx file as the keystore, and it works fine there.
The difference between the Tomcat and SoapUI logs is that
SoapUI can successfully complete client authentication whereas Tomcat cannot.
Also, the lines below are missing from the Tomcat SSL logs:
keystore is:
keystoreType is: jks
keystore provider is
Update1:
I removed the keystore configuration from SOAPUI->project view-> WS Security Configuration -> keystore (this is the working configuration) and added the above-mentioned JAVA_OPTS entries to the soapui.bat file, and now SoapUI is also giving the same error.
Can anyone help with how SoapUI picks and sends the certificates from the keystore configured in project view->keystore?
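
JSSE can only answer a server's certificate request from a keystore entry that holds a private key together with its certificate chain; a certificate imported on its own becomes a trusted-certificate entry. The following is an added example, not part of the original post: a small checker that lists each entry of a keystore and reports whether any can serve as a client identity. The class name and the command-line arguments are assumptions made for illustration.

```java
import java.io.FileInputStream;
import java.io.InputStream;
import java.security.KeyStore;
import java.security.cert.Certificate;
import java.security.cert.X509Certificate;
import java.util.Collections;

/** Lists keystore entries and flags which can serve as a TLS client identity. */
public class ClientIdentityCheck {

    /** Returns the number of entries that hold a private key plus a certificate chain. */
    static int report(KeyStore ks) throws Exception {
        int identities = 0;
        for (String alias : Collections.list(ks.aliases())) {
            Certificate cert = ks.getCertificate(alias);
            String subject = (cert instanceof X509Certificate)
                    ? ((X509Certificate) cert).getSubjectX500Principal().getName()
                    : "(no X.509 certificate)";
            // Secret-key entries are key entries too, but they carry no chain.
            if (ks.isKeyEntry(alias) && ks.getCertificateChain(alias) != null) {
                identities++;
                System.out.println("KEY   " + alias + "  " + subject);
            } else {
                System.out.println("CERT  " + alias + "  " + subject + "  (no private key)");
            }
        }
        return identities;
    }

    public static void main(String[] args) throws Exception {
        if (args.length < 3) {
            System.err.println("usage: ClientIdentityCheck <file> <JKS|PKCS12> <password>");
            System.exit(2);
        }
        KeyStore ks = KeyStore.getInstance(args[1]);
        try (InputStream in = new FileInputStream(args[0])) {
            ks.load(in, args[2].toCharArray());
        }
        int n = report(ks);
        System.out.println(n == 0
                ? "No private-key entry: nothing to present for client authentication."
                : n + " client identity candidate(s) found.");
        System.exit(n == 0 ? 1 : 0);
    }
}
```

Run it once against the original .pfx with type PKCS12 and once against the store named in -Djavax.net.ssl.keyStore with type JKS, then compare which of the two contains a KEY line.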

coverity commit defects errors out with SSL solicitation failed: Server's SSL preference is "preferred"

Coverity instance details:
SA Version: 8.6
Connect: 8.7
While trying to upload defects to coverity instance, the following error is seen
Connecting to server xxx.xxx.com:9090
[ERROR] SSL solicitation failed: Server's SSL preference is "preferred" but SSL is not configured on the server.
Though we haven't configured https (ldap ssl) in our instance, cov commit defects fails with SSL error.
Is this something introduced newly in coverity connect 8.7? Or an environment settings issue?
You may have configured Coverity Connect to use SSL.
Please check SSL settings in cim.properties
grep commit.encryption <coverity-connect-install-path>/config/cim.properties
commit.encryption should not be present or set to none if you do not intend to use SSL. Alternatively, open server.xml to check if SSL is enabled. The Connector section is commented out when SSL is disabled.
$ grep -A2 'Enable this connector to add SSL' <coverity-connect-install-path>/server/base/conf/server.xml
<!-- Enable this connector to add SSL support. -->
<!--
<Connector port="****"

WebSphere ssl configuration for secure ( ssl ) communication with LDAP

We have Web Service deployed on WebSphere 8.5 that needs to communicate with LDAP over ssl. The ssl communication works only when the ldap certificates are imported in JRE cacerts store.
For other services we use, the certificate can be imported in CellDefaultTrustStore from the console, however the LDAP communication does not work by simply importing the certs on console in CellDefaultTrustStore.
Is there a specific configuration required to avoid using cacerts ? Appreciate any help in this regard.
Here is the code snippet making LDAP connection [ variable names updated ]
import java.util.Hashtable;
import javax.naming.Context;
import javax.naming.directory.DirContext;
import javax.naming.directory.InitialDirContext;

Hashtable<String, Object> env = new Hashtable<>();
env.put(DirContext.SECURITY_AUTHENTICATION, "simple");
env.put(DirContext.INITIAL_CONTEXT_FACTORY, "com.sun.jndi.ldap.LdapCtxFactory");
env.put(Context.SECURITY_PRINCIPAL, bindUserName);
env.put(Context.SECURITY_CREDENTIALS, bindPassword);
// this is the url with ldaps://hostname
env.put(Context.PROVIDER_URL, url);
DirContext dirContext = new InitialDirContext(env);
Unfortunately I do not know the details about how your LDAP connection is being made. If it's going to the cacerts file, it suggests the JSSE default SSL Configuration is being used. So something about the call is making it go to the JSSE default and not use the WebSphere socket factories.
You probably want to leverage dynamic outbound SSL configurations.
1. Configure a trust store with your LDAP's cert. (You probably have this already.)
2. Create an SSL Configuration for communicating with LDAP using the trust store from step 1.
3. Create a dynamic outbound endpoint configuration using the host/port info of your LDAP. Reference the SSL configuration from step 2.

How to get the client certificate in jboss

I am using JBoss as the server and my Java program as the client. I have modified the server.xml file in JBoss to send the certificate from the server to the client. This happens automatically when the requesting client has the same domain as the domain in the server keystore.
But I want the jboss server to validate the client certificate also. How can I send the client certificate to jboss and receive it in jboss?
You are trying to achieve two-way SSL, so look up "jboss two way ssl".
The steps would be similar to setting up SSL on the server; the only difference would be that you would need to import the client cert into the server truststore (assuming the client cert is self-signed).

How to Configure the Virtual Directory to Require SSL?

I am using IIS V5.1
I have a WCF service application for which I am using security mode = Transport and wsHttpBinding.
How can I configure the virtual directory to require SSL?
You need to install a server certificate for your web site to enable SSL for a virtual Directory.
See Microsoft for details about setting up ssl.
You will need to get a server certificate from somewhere; you can create a self-signed certificate by following these instructions.