Worklight Adapter Unable to find certificate chain - ssl-certificate

I have a Worklight project with an adapter that connects to a SOAP service through HTTPS. This service requires a certificate. I received the cert from the server in a p12 file, and I've added this cert to my default.keystore in Worklight. I added the sslCertificateAlias in the adapter.xml. When I go to run the adapter I get an error saying it was unable to locate the certificate chain.
The Error
{
  "errors": [
    "Runtime: FWLSE0152E: Unable to find certificate chain with alias: 'MyAlias' [project OhPleaseWork]"
  ],
  "info": [],
  "isSuccessful": false,
  "warnings": []
}
The Adapter.xml
<sslCertificateAlias>MyAlias</sslCertificateAlias>
<sslCertificatePassword>changeit</sslCertificatePassword>
The keystore is located in server/conf along with the properties file. I ran keytool -list on the keystore and the alias was listed. The server file is specific to each application; is there something I am missing about adding this to the "Worklight Development Server"? Thank you for your help!

You need to define sslCertificateAlias only in the case of a mutual SSL connection. In your scenario you have only a one-way SSL connection, so you needn't define sslCertificateAlias for your adapter; just remove it or comment it out in the adapter XML.
Moreover, make sure that you received your backend SOAP server certificate using an SSL tool like OpenSSL, not a browser like Mozilla Firefox, etc.

Related

How to create a self-signed cert for a local hosted wss:// server

I am attempting to create a Windows service that opens a secure WebSocket and listens for connections on a certain port (wss://localhost:1234). The sample code includes referencing a certificate for the server to use:
var serverCertificate = new X509Certificate2(certificatePath, "mypassword");
This works fine.
The issue happens when a client attempts to connect:
using (SslStream n = new SslStream(client.TcpClientInstance.GetStream()))
{
    n.AuthenticateAsServer(serverCertificate, clientCertificateRequired: false,
        enabledSslProtocols: System.Security.Authentication.SslProtocols.Tls12,
        checkCertificateRevocation: false);
    // ...
}
This line errors out with a generic "A call to SSPI failed, see inner exception", "InnerException = {"An unknown error occurred while processing the certificate"}":
This occurs with a self-signed cert registered in the Trusted Root Certificate Authorities.
Interestingly enough if I use the generic localhost cert generated by Visual Studio it works.
Any thoughts welcome.
TIA
Might solve your issue.
Create a sub-domain like sub-domain.domain.com ( using your actual domain )
With an A record to 127.0.0.1
Request an SSL certificate for sub-domain.domain.com
When you open a connection to sub-domain.domain.com it will be valid and should resolve to 127.0.0.1, which is where your "server" is listening.

How to configure Mosca for mqtts without the client having a certificate?

I have a Mosca MQTT broker running on a Node instance and I would like to encrypt all the incoming communications with SSL/TLS (MQTTS protocol), but without the client having to link any certificate to the connection (I guess it has to do with self-signed certificates), just as https works. I want all my clients to connect just with credentials, specifying the MQTTS protocol, and the communication can be encrypted. I was using Amazon MQ just before and that's how it works, so I want the same.
I can't figure out how to configure Mosca properly to do so; I don't know what kind of certificate I must use.
I added the secure field in the configuration as shown here
For the certificate I tried to create a self signed certificate as shown here
I also tried with certbot certificates (Let's Encrypt) registered for my domain name: mq.xxx.com.
I'm running everything on an EC2 instance (Ubuntu 18) and my network and firewall are open for 1883 and 8883. My key and cert are at the root of my project where the daemon is running, with good rights and ownership. I know my instance accesses them correctly.
const mosca = require('mosca');

new mosca.Server({
    port: 1883,                  // plain MQTT
    secure: {                    // MQTT over TLS; PEM key and certificate files
        keyPath: "./privkey.pem",
        certPath: "./cert.pem"
    },
    backend: {
        type: 'redis',
        redis: require('redis'),
        host: "localhost",
        port: 6379,
        db: 0,
        return_buffers: true,
    },
    persistence: {
        factory: mosca.persistence.Redis
    }
});
My server is running and working with simple MQTT on port 1883, but when I try to connect with SSL/TLS with a client on port 8883, specifying that the server uses self-signed certificates (I tried with MQTT.fx), it fails saying: "unable to find valid certification path to requested target".
I can't wrap my head around this issue; I think somehow the client cannot "accept" or "verify" the certificate provided. Maybe I'm providing the wrong key or certificate to Mosca, but there is only one of each resulting from openssl or certbot. Maybe I created them wrong, but I followed many tutorials on the very same subject such as this one.
What kind of certificate do I need to create?
Is there something more to do with them?
Thank you.
If you are using a self-created certificate then the client will need a copy of the certificate that signed the broker's certificate. This certificate will be added to the list of trusted sources so it can prove the broker is who it claims to be.
If you do not want to / cannot distribute a certificate then you will need to use a certificate for your broker that is issued by a CA (Certificate Authority) whose signing certificate you already have (bundled into the OS/client that you are using).
The Let's Encrypt signing certificates should be bundled into most OSes by now, but they are also cross-signed by IdenTrust, whose certs again should be bundled with most OSes. If you are having problems with the Let's Encrypt certs then I suggest you ask a new question with the exact details of how you configured Mosca with those certs and more details of how you are configuring MQTT.fx and the errors you receive.
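Both the MQTT.fx failure above ("unable to find valid certification path") and the Worklight answer earlier on this page (fetch the backend's certificate with OpenSSL, not a browser, and put it in the keystore) reduce to one question: can the client build a chain from the server's certificate to a CA certificate it holds a copy of? The script below is an added example, not code from either thread, Mosca or Worklight. It builds a throwaway private CA with the openssl CLI, issues a broker certificate for the assumed hostname mq.example.com (standing in for mq.xxx.com), validates it with and without a copy of the CA and with the wrong hostname, and splits a multi-certificate dump of the kind `openssl s_client -showcerts` prints into one PEM file per certificate, ready for `keytool -importcert`. The s_client output is constructed offline here because the real command needs the network; every file name is an assumption.

```shell
#!/bin/sh
# Added example, not code from the thread, Mosca or Worklight.
# Requires the openssl CLI (1.1.1 or newer). All names below are assumptions.
set -eu

WORK=$(mktemp -d)
BROKER_HOST=mq.example.com   # stands in for the poster's mq.xxx.com

# 1. A throwaway private CA. Its certificate (never its key) is the "copy of the
#    certificate that signed the broker's certificate" every client must hold.
make_ca() {
  openssl req -x509 -newkey rsa:2048 -nodes -sha256 -days 1 \
    -subj "/CN=Example Private CA" -keyout "$1/ca.key" -out "$1/ca.crt" >/dev/null 2>&1
}

# 2. Broker key + CSR, signed by the CA, with a SAN matching the name clients connect
#    to. The resulting pair is what keyPath/certPath in the Mosca config point at.
make_broker_cert() {   # $1 = work dir, $2 = hostname
  openssl req -new -newkey rsa:2048 -nodes -sha256 -subj "/CN=$2" \
    -keyout "$1/privkey.pem" -out "$1/broker.csr" >/dev/null 2>&1
  printf 'basicConstraints=CA:FALSE\nsubjectAltName=DNS:%s\nextendedKeyUsage=serverAuth\n' "$2" \
    > "$1/broker.ext"
  openssl x509 -req -in "$1/broker.csr" -CA "$1/ca.crt" -CAkey "$1/ca.key" -CAcreateserial \
    -days 1 -sha256 -extfile "$1/broker.ext" -out "$1/cert.pem" >/dev/null 2>&1
}

# 3. The client side of the handshake reduced to its path-validation step. Prints
#    "ok" or "fail". An empty CA argument models a client whose trust store lacks
#    our CA; the machine's own trust store is ignored in both cases so the result
#    does not depend on where this runs.
verify_chain() {   # $1 = cert, $2 = CA file or "", $3 = hostname the client used
  if [ -n "$2" ]; then
    openssl verify -no-CApath -CAfile "$2" -verify_hostname "$3" "$1" >/dev/null 2>&1 && echo ok || echo fail
  else
    openssl verify -no-CApath -no-CAfile -verify_hostname "$3" "$1" >/dev/null 2>&1 && echo ok || echo fail
  fi
}

# 4. Split a multi-certificate dump (the format `openssl s_client -showcerts` prints)
#    into cert-0.pem, cert-1.pem, ... and print how many were written. cert-0 is the
#    leaf; the last file is the issuer to import into a Java truststore, e.g.
#    keytool -importcert -trustcacerts -alias MyAlias -file cert-1.pem -keystore default.keystore
split_pem_bundle() {   # $1 = dump file, $2 = output dir
  mkdir -p "$2"
  awk -v out="$2/cert-" '
    /-----BEGIN CERTIFICATE-----/ { f = out (n + 0) ".pem"; inside = 1 }
    inside { print > f }
    /-----END CERTIFICATE-----/ { close(f); inside = 0; n++ }
    END { print n + 0 }
  ' "$1"
}

make_ca "$WORK"
make_broker_cert "$WORK" "$BROKER_HOST"

echo "client holds ca.crt:        $(verify_chain "$WORK/cert.pem" "$WORK/ca.crt" "$BROKER_HOST")"  # ok
echo "client lacks ca.crt:        $(verify_chain "$WORK/cert.pem" "" "$BROKER_HOST")"            # fail
echo "right CA, wrong hostname:   $(verify_chain "$WORK/cert.pem" "$WORK/ca.crt" localhost)"     # fail

# Constructed stand-in for `openssl s_client -connect $BROKER_HOST:8883 -showcerts </dev/null`
# (needs the network, so it is not run here); only the PEM blocks matter to the splitter.
{
  echo "CONNECTED(00000003)"
  echo "---"
  echo "Certificate chain"
  echo " 0 s:CN = $BROKER_HOST"
  echo "   i:CN = Example Private CA"
  cat "$WORK/cert.pem"
  echo " 1 s:CN = Example Private CA"
  echo "   i:CN = Example Private CA"
  cat "$WORK/ca.crt"
  echo "---"
} > "$WORK/s_client.txt"

echo "certificates in dump:       $(split_pem_bundle "$WORK/s_client.txt" "$WORK/split")"  # 2
echo "split leaf vs split issuer: $(verify_chain "$WORK/split/cert-0.pem" "$WORK/split/cert-1.pem" "$BROKER_HOST")"  # ok
```

The "lacks ca.crt" line is the MQTT.fx error in miniature: nothing is wrong with the broker's key or certificate, the client simply has no anchor to chain it to. Distributing ca.crt (or using a publicly trusted issuer) fixes it; the broker's own private key is never distributed. The hostname case is why the certificate has to be issued for the name the clients actually type, not for whatever the instance calls itself.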

Tomcat is not picking up the keystore

I am setting up the Tomcat server which communicates with an external system through SOAP web services (I am using the external system's stubs and the Apache Axis2 library for that).
The external system is secured with SSL client/server authentication. The system provides me a keystore file in .pfx format which contains two certificates.
Things I have tried:
I have extracted those two certificates and added them to my keystore. I added the below entry in my tomcat/bin/catalina.bat file:
rem no spaces around "=": "set JAVA_OPTS = ..." would define a variable named "JAVA_OPTS " (with a trailing space) instead of JAVA_OPTS
set JAVA_OPTS=%JAVA_OPTS% -Djavax.net.ssl.trustStore=/pathtomykeystore/cacerts -Djavax.net.ssl.keyStore=/pathtomykeystore/cacerts -Djavax.net.ssl.keyStorePassword=changeit -Djavax.net.ssl.trustStorePassword=changeit
With above configuration my request fails with No X.509 client certificate HTTP header found in request.
I enabled SSL logs and found that ServerHelloDone is printed, and after that it says:
"No suitable client certificate could be found - continuing without client authentication"
I have tried the same thing from the SOAPUI tool, where I directly configure the .pfx file as the keystore, and it is working fine there.
The diff between the Tomcat and SOAPUI logs is that SOAPUI successfully completes client authentication where Tomcat does not.
Also, the lines below are missing from the Tomcat SSL logs:
keystore is:
keystoreType is: jks
keystore provider is
Update 1:
I removed the keystore configuration from SOAPUI -> project view -> WS Security Configuration -> keystore (this is the working configuration) and added the above-mentioned JAVA_OPTS entries in soapui.bat, and now SOAPUI also gives the same error.
Can anyone help with how SOAPUI picks and sends the certificates from the keystore configured in project view -> keystore?
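A check worth running first in a situation like this, as an added example rather than anything from the post: a Java keystore can only offer a client certificate during the handshake if it holds that certificate's private key, and a trust store built by importing certificates (cacerts) never does; that is exactly the difference between "keystore is: ..." appearing in the SSL log and "No suitable client certificate could be found". The script below (openssl CLI; file names and the password changeit are assumptions) packs a key and certificate into a .pfx the way an external system would deliver it, "extracts the certificates" from it the way the post describes, and counts what survives in each file.

```shell
#!/bin/sh
# Added example, not code from the post. Requires the openssl CLI.
# File names and the password "changeit" are assumptions.
set -eu
WORK=$(mktemp -d)

# Stand-in for the client identity the external system issued: key + certificate.
openssl req -x509 -newkey rsa:2048 -nodes -sha256 -days 1 -subj "/CN=tomcat-client" \
  -keyout "$WORK/client.key" -out "$WORK/client.crt" >/dev/null 2>&1

# Delivered as a .pfx (PKCS#12): private key and certificate(s) in one password-protected file.
openssl pkcs12 -export -inkey "$WORK/client.key" -in "$WORK/client.crt" -name client \
  -passout pass:changeit -out "$WORK/client.pfx"

# "Extract the certificates from the .pfx": only the public halves come out.
openssl pkcs12 -in "$WORK/client.pfx" -nokeys -passin pass:changeit \
  -out "$WORK/certs-only.pem" 2>/dev/null

# Count PEM objects of each kind in a file. grep -c prints 0 on no match but exits 1;
# `|| true` keeps that from stopping the script under set -e.
count_private_keys() { grep -c -- '-----BEGIN .*PRIVATE KEY-----' "$1" || true; }
count_certs()        { grep -c -- '-----BEGIN CERTIFICATE-----' "$1" || true; }

# The same question asked of a .pfx directly: does it carry a private key that the
# given password unlocks? Prints "yes" or "no".
pfx_has_private_key() {   # $1 = pfx file, $2 = password
  openssl pkcs12 -in "$1" -nocerts -nodes -passin "pass:$2" 2>/dev/null \
    | grep -q -- '-----BEGIN .*PRIVATE KEY-----' && echo yes || echo no
}

echo "private keys in certs-only.pem: $(count_private_keys "$WORK/certs-only.pem")"        # 0
echo "certificates in certs-only.pem: $(count_certs "$WORK/certs-only.pem")"               # 1
echo "private key in client.pfx:      $(pfx_has_private_key "$WORK/client.pfx" changeit)"  # yes
echo "private key, wrong password:    $(pfx_has_private_key "$WORK/client.pfx" wrong)"     # no

# Java reads a .pfx as a keystore as-is; the key store and the trust store are
# separate settings and only the former needs the private key:
#   -Djavax.net.ssl.keyStore=/path/client.pfx -Djavax.net.ssl.keyStoreType=PKCS12
#   -Djavax.net.ssl.keyStorePassword=changeit
#   -Djavax.net.ssl.trustStore=/path/cacerts -Djavax.net.ssl.trustStorePassword=changeit
```

Whatever the keystore format, the test is the same: if the file -Djavax.net.ssl.keyStore points at contains no private key, the JSSE client has nothing to sign the CertificateVerify message with and silently continues without client authentication, which is the log line in the question.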

IIS7 - Two Way SSL - 403.7

I'm having some issues with two-way SSL, hoping I can find some guidance. I've tried a lot of info I've found online, and while helpful I can't get past this issue.
First some background on what I have done and how I'm setup.
[Screenshots, not reproduced here: IIS server setup, SSL settings, auth settings, mapping config, mapped certs, bindings, server cert, server trusted root, cert path]
OK. So for starters I'm trying to get this to work on the server itself. I've imported the server cert into my personal store:
With the same root authority:
So... That should cover it, Right?!
Nope. I get this error in IE when I hit the site locally.
You seem to be using the same certificate for the server and the client. That's not how it works.
You need to have a client certificate in your personal store. IE can't find one, so it doesn't send one to the server. IIS then complains about it with a 403.7 because IE didn't send a client certificate.
So you need to get a client (sometimes known as S/MIME) certificate from your CA and install it into your personal store.
If you look at the details of your existing certificates it should show:
Enhanced Key Usage: Server Authentication (1.3.6.1.5.5.7.3.1)
what you need there is:
Enhanced Key Usage:
Client Authentication (1.3.6.1.5.5.7.3.2)
Secure Email (1.3.6.1.5.5.7.3.4)
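The certificate-details check in the answer above, done from the command line as an added example (not code from the thread): issue one certificate carrying only the Server Authentication purpose and one carrying Client Authentication plus Secure Email, then read the Extended Key Usage back. openssl prints the purposes by name rather than by OID; the mapping to the OIDs listed above is 1.3.6.1.5.5.7.3.1 = serverAuth, 1.3.6.1.5.5.7.3.2 = clientAuth, 1.3.6.1.5.5.7.3.4 = emailProtection. Certificate names are assumptions; the script needs openssl 1.1.1 or newer.

```shell
#!/bin/sh
# Added example, not code from the thread. Requires openssl 1.1.1+ (for -addext and -ext).
set -eu
WORK=$(mktemp -d)

# Self-signed certificate with the given Extended Key Usage list,
# e.g. "serverAuth" or "clientAuth,emailProtection".
issue_self_signed() {   # $1 = name (CN and file base name), $2 = EKU list
  openssl req -x509 -newkey rsa:2048 -nodes -sha256 -days 1 -subj "/CN=$1" \
    -addext "extendedKeyUsage=$2" -keyout "$WORK/$1.key" -out "$WORK/$1.crt" >/dev/null 2>&1
}

# Extended Key Usage as openssl renders it, on one line,
# e.g. "TLS Web Client Authentication, E-mail Protection".
eku_of() {   # $1 = cert file
  openssl x509 -in "$1" -noout -ext extendedKeyUsage 2>/dev/null \
    | sed -n '2s/^[[:space:]]*//p'
}

# Can this certificate be presented as a TLS client certificate, i.e. does it carry
# clientAuth (1.3.6.1.5.5.7.3.2)? Prints "yes" or "no". A certificate that only has
# serverAuth is the case the answer above describes: IE has nothing to send.
can_client_auth() {   # $1 = cert file
  case "$(eku_of "$1")" in
    *"TLS Web Client Authentication"*) echo yes ;;
    *) echo no ;;
  esac
}

issue_self_signed server serverAuth
issue_self_signed client clientAuth,emailProtection

echo "server.crt EKU: $(eku_of "$WORK/server.crt")"   # TLS Web Server Authentication
echo "client.crt EKU: $(eku_of "$WORK/client.crt")"   # TLS Web Client Authentication, E-mail Protection
echo "server.crt usable as client cert: $(can_client_auth "$WORK/server.crt")"   # no
echo "client.crt usable as client cert: $(can_client_auth "$WORK/client.crt")"   # yes
```

On the Windows side the same property is visible without a dialog: `(Get-ChildItem Cert:\CurrentUser\My).EnhancedKeyUsageList` lists the purposes of every certificate in the personal store, which is the quickest way to confirm that the store holds something with Client Authentication and not just a copy of the server certificate.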

Errors when running SSL with grunt server

I am working on a yeoman-based angular.js app.
We have set up the gruntfile to run over https.
It works fine on my workmates machine but not on mine.
In Chrome I get:
SSL connection error.
Unable to make a secure connection to the server.
This may be a problem with the server, or it may be requiring a client authentication certificate that you don't have.
In Firefox I get:
The connection was interrupted
The connection to localhost:9000 was interrupted while the page was loading.
The site could be temporarily unavailable or too busy. Try again in a few moments.
If you are unable to load any pages, check your computer's network connection.
If your computer or network is protected by a firewall or proxy, make sure that Firefox is permitted to access the Web.
I have double checked we have the same npm modules installed.
Relevant parts of the gruntfile are:
connect: {
    options: {
        port: 9000,
        hostname: 'localhost',
        protocol: 'https',
        key: grunt.file.read('server.key').toString(),
        cert: grunt.file.read('server.crt').toString(),
        ca: grunt.file.read('ca.crt').toString(),
        passphrase: 'grunt',
    },
    livereload: {
        options: {
            protocol: 'https',
            middleware: function (connect) {
                return [
                    modRewrite([
                        '^/api/(.*) /api/index.php?$1 [L]',
                        '!\\.html|\\.js|\\.php|\\.css|\\.png$ /index.html [L]'
                    ]),
                    lrSnippet,
                    phpGateway('app'),
                    mountFolder(connect, '.tmp'),
                    mountFolder(connect, yeomanConfig.app)
                ];
            }
        }
    },
My workmate generated the certificate files, but that shouldn't matter as I have exact copies of those files.
The strangest part is that I can still run the site over http, where on my workmate's machine it won't run over http at all, only https.
Is there anything else anyone can think of as to why this would be?
The error "This may be a problem with the server, or it may be requiring a client authentication certificate that you don't have" and the fact that it runs on your friend's computer but not yours lead me to believe that it's a problem with the SSL keys and certificate on your computer. You can generate your own using the tutorial here: http://www.akadia.com/services/ssh_test_certificate.html
key: grunt.file.read('server.key').toString(),
cert: grunt.file.read('server.crt').toString(),
ca: grunt.file.read('ca.crt').toString()
Make sure that the above files are in your base folder from which you are running grunt. The ca.crt file is also necessary for self-signing your own certificate using a certificate authority that you create using the tutorial above. Hope this helps!
I would first look for the log file and tail that as you're making the request. It might give you hints as to what is wrong.
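Before regenerating anything, two things about the server.key/server.crt pair the gruntfile loads are worth checking on the machine where https fails: that the configured passphrase ('grunt', taken from the gruntfile above) actually decrypts server.key, and that server.key is the key server.crt was issued for. The script below is an added example, not from the thread or the yeoman generator: it creates such a pair with openssl, adds a second, unrelated key to play the "wrong file got copied" case, and runs both checks. Everything except the passphrase value is an assumption.

```shell
#!/bin/sh
# Added example, not code from the thread. Requires openssl 1.1.1+ (for -addext).
set -eu
WORK=$(mktemp -d)

# A self-signed localhost certificate whose private key is encrypted with the
# passphrase the gruntfile carries ("grunt").
openssl req -x509 -newkey rsa:2048 -sha256 -days 1 -subj "/CN=localhost" \
  -addext "subjectAltName=DNS:localhost" -passout pass:grunt \
  -keyout "$WORK/server.key" -out "$WORK/server.crt" >/dev/null 2>&1

# An unrelated key protected with the same passphrase: the "wrong server.key" case.
openssl genrsa -aes256 -passout pass:grunt -out "$WORK/other.key" 2048 2>/dev/null

# Check 1: does this passphrase decrypt the key? Prints "yes" or "no".
key_unlocks() {   # $1 = key file, $2 = passphrase
  openssl pkey -in "$1" -passin "pass:$2" -noout >/dev/null 2>&1 && echo yes || echo no
}

# Check 2: is this private key the one behind the certificate? The public key
# derived from the private key must be byte-for-byte the one in the certificate.
key_matches_cert() {   # $1 = key file, $2 = passphrase, $3 = cert file
  k=$(openssl pkey -in "$1" -passin "pass:$2" -pubout 2>/dev/null || true)
  c=$(openssl x509 -in "$3" -noout -pubkey 2>/dev/null || true)
  if [ -n "$k" ] && [ "$k" = "$c" ]; then echo yes; else echo no; fi
}

echo "server.key + 'grunt':             $(key_unlocks "$WORK/server.key" grunt)"   # yes
echo "server.key + wrong passphrase:    $(key_unlocks "$WORK/server.key" wrong)"   # no
echo "server.key belongs to server.crt: $(key_matches_cert "$WORK/server.key" grunt "$WORK/server.crt")"  # yes
echo "other.key belongs to server.crt:  $(key_matches_cert "$WORK/other.key" grunt "$WORK/server.crt")"   # no
```

Either check failing means Node's TLS server never gets a usable key/certificate pair, and the browser sees the connection dropped during the handshake, which matches the "SSL connection error" / "connection was interrupted" messages quoted in the question rather than a certificate warning.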