WSO2 API Manager - Expose Publisher & Store URLs to public - api

I'm using WSO2 API Manager for creating and managing a developer community. According to my knowledge API manager is driven on WSO2 Carbon Server which again runs on Apache Tomcat.
Up to now I'm able to run WSO2 API Manager without any issues. I could open up the Store and Publisher using the URLs below.
https://<MyHostName>:9443/publisher
https://<MyHostName>:9443/store
What I want to know is, how can I expose these two URLs to the public? I would like something like the URLs below (without ports).
https://<MyHostName>/publisher
https://<MyHostName>/store
or
https://publisher.<MyHostName>
https://store.<MyHostName>
Having these URLs available without https (just http) would be great, if possible.
In WSO2 API Manager, how can I expose the Publisher & Store URLs to the public?

You can do this by editing catalina-server.xml file located in <APIM>/repository/conf/tomcat folder. Change the port and redirectPort values specified in NIO Connectors.
<Connector protocol="org.apache.coyote.http11.Http11NioProtocol"
port="80"
redirectPort="443"
bindOnInit="false"
maxHttpHeaderSize="8192"
acceptorThreadCount="2"
maxThreads="250"
minSpareThreads="50"
disableUploadTimeout="false"
connectionUploadTimeout="120000"
maxKeepAliveRequests="200"
acceptCount="200"
server="WSO2 Carbon Server"
compression="on"
compressionMinSize="2048"
noCompressionUserAgents="gozilla, traviata"
compressableMimeType="text/html,text/javascript,application/x-javascript,application/javascript,application/xml,text/css,application/xslt+xml,text/xsl,image/gif,image/jpg,image/jpeg"
URIEncoding="UTF-8"/>
<Connector protocol="org.apache.coyote.http11.Http11NioProtocol"
port="443"
bindOnInit="false"
sslProtocol="TLS"
maxHttpHeaderSize="8192"
acceptorThreadCount="2"
maxThreads="250"
minSpareThreads="50"
disableUploadTimeout="false"
enableLookups="false"
connectionUploadTimeout="120000"
maxKeepAliveRequests="200"
acceptCount="200"
server="WSO2 Carbon Server"
clientAuth="false"
compression="on"
scheme="https"
secure="true"
SSLEnabled="true"
compressionMinSize="2048"
noCompressionUserAgents="gozilla, traviata"
compressableMimeType="text/html,text/javascript,application/x-javascript,application/javascript,application/xml,text/css,application/xslt+xml,text/xsl,image/gif,image/jpg,image/jpeg"
URIEncoding="UTF-8"/>

Related

tomcat ssl configuration in port 443

I am trying to configure SSL for my web app. I generated the .jks file from the .cer file using the Java keytool and configured it in server.xml.
But Tomcat refuses to start in port 443 or port 8443 after this configuration.
server.xml
<Connector port="443" protocol="org.apache.coyote.http11.Http11NioProtocol" connectionTimeout="20000" SSLEnabled="true" scheme="https" secure="true" sslProtocol="TLS" sslEnabledProtocols="TLSv1,TLSv1.1,TLSv1.2" keystoreFile="/home/file.jks" keystorePass="****" />
and
<Connector port="443" protocol="org.apache.coyote.http11.Http11NioProtocol" connectionTimeout="20000" SSLEnabled="true" scheme="https" secure="true" sslProtocol="TLS" sslEnabledProtocols="TLSv1,TLSv1.1,TLSv1.2" keystoreFile="/home/file.jks" keystorePass="****" />
URL used in browser:
https://10.111.77.66/MY-APP
and https://10.111.77.66:8443/MY-APP
Neither URL is working.
Error message in Browser:
This site can’t provide a secure connection
10.111.77.66 uses an unsupported protocol.
ERR_SSL_VERSION_OR_CIPHER_MISMATCH
Before SSL configuration, Application was running fine in port 8082. ( http://10.111.77.66:8082/MY-APP )
What is wrong here? Stuck up badly. Please help.
Server is Linux.
Tomcat Logs:
java.net.SocketException: Permission denied
at java.base/sun.nio.ch.Net.bind0(Native Method)
at java.base/sun.nio.ch.Net.bind(Net.java:455)
at java.base/sun.nio.ch.Net.bind(Net.java:447)
org.apache.catalina.core.StandardService.initInternal Failed to initialize connector [Connector[HTTP/1.1-443]]
org.apache.catalina.LifecycleException: Failed to initialize component [Connector[HTTP/1.1-443]]
at org.apache.catalina.util.LifecycleBase.init(LifecycleBase.java:107)
at org.apache.catalina.core.StandardService.initInternal(StandardService.java:568)
at org.apache.catalina.util.LifecycleBase.init(LifecycleBase.java:102)

ServletRequest.getAttribute("javax.servlet.request.X509Certificate") returns null

I've got a stop-ship problem that is driving me crazy. I hope that one of you experts out there can help.
I'm running the latest release version of TomEE+ (1.6.0.2) and the latest version of Java 8 (build 1.8.0_05-b13). No matter what I try, the following line of code in my HttpServlet always returns null.
X509Certificate certs[] = (X509Certificate[])request.getAttribute("javax.servlet.request.X509Certificate");
I initially assumed that I had specified the attribute name incorrectly, so to diagnose the problem, I decided to take a look at the full list of attributes using the following:
Enumeration<String> enums = request.getAttributeNames();
However, that showed me only two attributes: one for the cipher suite and the other for the key strength.
I read the other articles and verified that my connector was correct and that it had the clientAuth attribute set properly. Here's the connector:
<Connector port="4449" protocol="org.apache.coyote.http11.Http11AprProtocol"
maxThreads="150" SSLEnabled="true" scheme="https" secure="true"
clientAuth="true" sslProtocol="TLSv1.2"
SSLCertificateFile="/etc/unipagos/certs/pay.crt"
SSLCertificateKeyFile="/etc/unipagos/certs/pay.key"
SSLVerifyClient="required"
SSLHonorCipherOrder="true"
ciphers="TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384"/>
The connection seems to work, however using openssl s_client with -msg shows that the server isn't asking for the client certificate.
Why is the server not asking for a client certificate? What am I doing wrong?
I have a working connector configuration for TomEE and the server is requesting the client cert.
You can try:
<Connector port="7443" protocol="org.apache.coyote.http11.Http11AprProtocol"
maxThreads="150" SSLEnabled="true" scheme="https" secure="true"
SSLProtocol="TLSv1.2"
SSLVerifyClient="require"
SSLCertificateFile="/opt/_cdrom_apache/certs/ec-dev-apr.pem"
SSLCertificateKeyFile="/opt/_cdrom_apache/certs/ec-dev.key"
SSLCACertificateFile="/opt/_cdrom_apache/certs/CA.pem"
/>

How can I get client certificate authentication working in JBoss 5.1.0.GA when I'm using APR, and not all web deployments use CLIENT-CERT auth?

Note: I will be answering my own question... just wanted to add this tidbit to the collective wisdom of The Internets.
I've successfully configured certificate authentication on my JBoss 5.1.0.GA server, largely with the help of the information on this page: http://docs.jboss.org/jbossas/jboss4guide/r1/html/ch8.chapter.html
I have one context (let's call it /openContext) that doesn't require any authentication, and another context (let's call it /securedContext) that requires client certificate authentication (i.e., it's configured to use CLIENT-CERT in web.xml). When using JBoss's default web connector, this works splendidly. I can hit http://myhost/openContext and I'm not prompted for a certificate, but when I hit http://myhost/securedContext, I'm prompted for a client certificate as I'd expect.
However, when I install JBossWeb Native and use APR as my web connector, I'm no longer prompted for a certificate when I hit http://myhost/securedContext.
My APR connector config in server.xml looks like:
<Connector protocol="HTTP/1.1" SSLEnabled="true"
port="8443" address="${jboss.bind.address}"
scheme="https" secure="true" clientAuth="false"
SSLProtocol="SSLv3+TLSv1"
SSLCipherSuite="ALL:!ADH:!SSLv2:!EXPORT40:!EXP:!LOW"
SSLRandomSeed="/dev/urandom"
SSLCertificateFile="/etc/pki/tls/certs/mycert.crt"
SSLCertificateKeyFile="/etc/pki/tls/private/mycert.key"
SSLPassword="mypasswordwhichiassureyouisbetterthanthisone"
SSLCACertificateFile="/etc/pki/tls/certs/clientCAs.crt"
/>
I've also tried adding the SSLVerifyClient parameter to that configuration and setting it to optional, but that prompts for a certificate in both /openContext and /securedContext, which isn't the behavior I want.
How can I get JBoss with APR to require certificate authentication for one web context, but not another web context?
What worked for me was to just add a whole new web connector, and have clients use that alternate port for the secured web context. My connectors config now looks like:
<Connector protocol="HTTP/1.1" SSLEnabled="true"
port="8443" address="${jboss.bind.address}"
scheme="https" secure="true" clientAuth="false"
SSLProtocol="SSLv3+TLSv1"
SSLCipherSuite="ALL:!ADH:!SSLv2:!EXPORT40:!EXP:!LOW"
SSLRandomSeed="/dev/urandom"
SSLCertificateFile="/etc/pki/tls/certs/mycert.crt"
SSLCertificateKeyFile="/etc/pki/tls/private/mycert.key"
SSLPassword="mypasswordwhichiassureyouisbetterthanthisone"
/>
<Connector protocol="HTTP/1.1" SSLEnabled="true"
port="8543" address="${jboss.bind.address}"
scheme="https" secure="true" clientAuth="true"
SSLProtocol="SSLv3+TLSv1"
SSLCipherSuite="ALL:!ADH:!SSLv2:!EXPORT40:!EXP:!LOW"
SSLRandomSeed="/dev/urandom"
SSLCertificateFile="/etc/pki/tls/certs/mycert.crt"
SSLCertificateKeyFile="/etc/pki/tls/private/mycert.key"
SSLPassword="mypasswordwhichiassureyouisbetterthanthisone"
SSLCACertificateFile="/etc/pki/tls/certs/clientCAs.crt"
SSLVerifyClient="require"
/>
Now, if I hit http://myhost:8443/openContext, I'm not prompted for a certificate, but when I hit http://myhost:8543/securedContext, I am prompted for a certificate. Of course, I can still access either web app with the "wrong" port, but the consequences are negligible for my purposes. If a client hits http://myhost:8443/securedContext, they simply get an HTTP authentication error. If a client hits http://myhost:8543/openContext, they're prompted for a client certificate. If they provide one, great (though I don't care who you are), and if they don't provide one or provide an invalid one, they get an HTTP auth error (they should have used the correct port in the first place).
I'm pretty sure there's an alternative way to get this working without requiring a second connector by putting httpd in front of JBoss and doing some clever configuration there, but this worked well enough for my purposes.

Using multiple SSL certificates in Tomcat 7

I've been using a wildcard SSL certificate in Apache Tomcat 7. But now that I have to renew, I see there are these EV (extended verification) SSL certificates where browsers show a nice green bar so users feel better. That would be important for my site, so I want it! But I have multiple subdomains and apparently EV SSL certificates are NOT wildcard by nature. So ok, I have a set number of subdomains, I can just buy a bunch (I definitely need at least 2) EV SSL certificates for each subdomain.
Can I set this up in Tomcat 7 so that there are multiple SSL certificates on 1 web application? It's not a problem for me to assign multiple IP addresses to this machine.
Without Server Name Indication (SNI), which is not supported in Java (6), you need one certificate per IP address.
You can configure Tomcat to use multiple connectors, with different IP addresses and certificates, using the address attribute.
For example:
<Connector
port="8443" maxThreads="200" address="10.0.0.1"
scheme="https" secure="true" SSLEnabled="true"
keystoreFile="keystore1.jks" keystorePass="..."
clientAuth="false" sslProtocol="TLS"/>
<Connector
port="8443" maxThreads="200" address="10.0.0.2"
scheme="https" secure="true" SSLEnabled="true"
keystoreFile="keystore2.jks" keystorePass="..."
clientAuth="false" sslProtocol="TLS"/>
You may also be able to use the same keystore, if you need, and use the keyAlias attribute (in Connector) to tell the connector which key/certificate to use (based on the alias name in the keystore).
I am not sure here if "SNI" is really relevant.
But in your case, the typical solution would be so-called SSL offloading or SSL termination:
i.e. put your Tomcat behind an Apache which is configured to use multiple vhosts / domain names on the same IP. You could configure each vhost in Apache to use its own SSL certificate.
There is a step by step guide for this topic here:
http://milestonenext.blogspot.de/2012/09/ssl-offloading-with-modjk-part-1.html
I am using Tomcat 8.5 and now it is possible to configure Tomcat with multiple SSL certificates / multiple domains. Here is my config.
<Connector port="443" protocol="org.apache.coyote.http11.Http11AprProtocol"
maxThreads="150" SSLEnabled="true" scheme="https" secure="true"
defaultSSLHostConfigName="localhost" >
<UpgradeProtocol className="org.apache.coyote.http2.Http2Protocol" />
<SSLHostConfig hostName="localhost">
<Certificate certificateKeyFile="/$path/privkey.pem"
certificateFile="/$path/certificate.pem"
certificateChainFile="/$path/chain.pem"
type="RSA" />
</SSLHostConfig>
<SSLHostConfig hostName="domainname.com">
<Certificate certificateKeyFile="/$path/privkey.pem"
certificateFile="/$path/certificate.pem"
certificateChainFile="/$path/chain.pem"
type="RSA" />
</SSLHostConfig>
</Connector>
I have just got this to work on a server with multiple SSL certificates and IPs.
Added IPs this way:
http://www.loadtestingtool.com/help/how-setup-ip.shtml
Added code to make the server use maximum possible security with the "ciphers" (when having a 2048bit key).
Tested first that this will work with self-signed keys this way:
http://community.jboss.org/wiki/GeneratingSelfSignedCertificateWithKeytool
Note that the test in this page has erroneous characters in the beginning of the "-keystore" text (on multiple places).
Here is the code:
<Connector protocol="org.apache.coyote.http11.Http11Protocol" address="###.###.###.##1" port="443" minSpareThreads="5"
enableLookups="true" acceptCount="100" maxThreads="200"
scheme="https" secure="true" SSLEnabled="true" keystoreFile="key1.key"
keystorePass="password1" clientAuth="false" sslProtocol="TLS"
ciphers="SSL_RSA_WITH_RC4_128_MD5, SSL_RSA_WITH_RC4_128_SHA, TLS_RSA_WITH_AES_128_CBC_SHA, TLS_DHE_RSA_WITH_AES_128_CBC_SHA, TLS_DHE_DSS_WITH_AES_128_CBC_SHA, SSL_RSA_WITH_3DES_EDE_CBC_SHA, SSL_DHE_RSA_WITH_3DES_EDE_CBC_SHA, SSL_DHE_DSS_WITH_3DES_EDE_CBC_SHA"/>
<Connector protocol="org.apache.coyote.http11.Http11Protocol" address="###.###.###.##2" port="443" minSpareThreads="5"
enableLookups="true" acceptCount="100" maxThreads="200"
scheme="https" secure="true" SSLEnabled="true" keystoreFile="key2.key"
keystorePass="password2" clientAuth="false" sslProtocol="TLS"
ciphers="SSL_RSA_WITH_RC4_128_MD5, SSL_RSA_WITH_RC4_128_SHA, TLS_RSA_WITH_AES_128_CBC_SHA, TLS_DHE_RSA_WITH_AES_128_CBC_SHA, TLS_DHE_DSS_WITH_AES_128_CBC_SHA, SSL_RSA_WITH_3DES_EDE_CBC_SHA, SSL_DHE_RSA_WITH_3DES_EDE_CBC_SHA, SSL_DHE_DSS_WITH_3DES_EDE_CBC_SHA"/>
You could just make life easier and get an EV SAN (also known as UCC) and add each domain as an entry in the subject alternative name field. And if you want to use several IP addresses, just export the certificate and reimport it onto each IP address (http://www.ssltools.com/manager is great for that if you are running Windows). A good example of an EV SAN certificate is the certificate found at https://www.ssl.com, just examine it.

Error while configuring SSL in jboss 4.2?

I've tried to set up .keystore on JBoss 4.2 according to this documentation from the JBoss community:
http://community.jboss.org/wiki/sslsetup
but the JBoss console generates this error:
LifecycleException: service.getName(): "jboss.web"; Protocol handler start failed:
java.io.FileNotFoundException: C:\Documents and Settings\mebada\.keystore (The system cannot find the file specified)
even though I specify the location of the keystore in server.xml:
<Connector className = "org.apache.coyote.tomcat4.CoyoteConnector"
address="${jboss.bind.address}" port = "8443" protocol="HTTP/1.1" SSLEnabled="true" scheme = "https"
secure = "true">
<Factory className = "org.apache.coyote.tomcat4.CoyoteServerSocketFactory"
keystoreFile="D:/Projects/Demo/jboss-4.2.3.GA/jboss-4.2.3.GA/server/default/conf/server.keystore"
keystorePass="tc-ssl"
protocol = "TLS"></Factory>
</Connector>
Any help?
Thanks in advance
The above tag was invalid.
I used this tag:
<Connector port="8443" protocol="HTTP/1.1" SSLEnabled="true" maxThreads="150"
scheme="https" secure="false" strategy="ms" address="${jboss.bind.address}"
keystoreFile="${jboss.server.home.dir}/conf/server.keystore"
keystorePass="tc-ssl" sslProtocol="TLS"
truststorePass="tc-ssl"
acceptAnyCert="true" clientAuth="want" />
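The connector snippets across these posts differ in small attributes that change the security behaviour (the port 443 bind that fails with "Permission denied", SSLVerifyClient="required" on a TomEE APR connector, secure="false" on an SSLEnabled connector, SSLv3 and RC4/3DES suites). As an added example, not code from any of the posts, here is a Python audit that parses a server.xml and reports those issues; the sample server.xml is constructed, and the SSLVerifyClient value set is the one Tomcat 7's APR connector documents.

```python
import xml.etree.ElementTree as ET

# SSLVerifyClient values documented for Tomcat 7's APR/native connector.
APR_VERIFY_VALUES = {"none", "optional", "require", "optionalNoCA"}

def audit_connector(attrs):
    """Return a list of findings for one <Connector>'s attribute dict."""
    findings = []
    port = int(attrs.get("port", "0"))
    ssl_on = attrs.get("SSLEnabled", "false").lower() == "true"
    if 0 < port < 1024:
        # On Linux bind() on these ports fails with "Permission denied" unless
        # the JVM runs as root or holds CAP_NET_BIND_SERVICE.
        findings.append(f"port {port} is privileged (needs root or CAP_NET_BIND_SERVICE)")
    if ssl_on and attrs.get("secure", "false").lower() != "true":
        findings.append('SSLEnabled but secure="true" missing: request.isSecure() is false')
    verify = attrs.get("SSLVerifyClient")
    if verify is not None and verify not in APR_VERIFY_VALUES:
        findings.append(f'SSLVerifyClient="{verify}" is not a documented value {sorted(APR_VERIFY_VALUES)}')
    if verify in ("optional", "require") and "SSLCACertificateFile" not in attrs:
        findings.append("client certs requested but no SSLCACertificateFile to validate them against")
    protos = attrs.get("SSLProtocol", "") + attrs.get("sslProtocol", "") + attrs.get("sslEnabledProtocols", "")
    if "SSLv2" in protos or "SSLv3" in protos:
        findings.append("SSLv2/SSLv3 enabled: both are broken and should be disabled")
    suites = attrs.get("ciphers", "").replace(" ", "").split(",")
    weak = [s for s in suites if "RC4" in s or "3DES" in s or s.endswith("_MD5")]
    if weak:
        findings.append(f"weak cipher suites configured: {', '.join(weak)}")
    return findings

def audit_server_xml(xml_text):
    """Map 'address:port' of every <Connector> in a server.xml to its findings."""
    root = ET.fromstring(xml_text)
    return {f"{c.get('address', '*')}:{c.get('port')}": audit_connector(c.attrib)
            for c in root.iter("Connector")}

# Constructed server.xml fragment modelled on the connectors quoted above.
SAMPLE_SERVER_XML = """<Server><Service name="Catalina">
  <Connector port="443" protocol="org.apache.coyote.http11.Http11AprProtocol"
             SSLEnabled="true" scheme="https" secure="false"
             SSLProtocol="SSLv3+TLSv1" SSLVerifyClient="required"
             SSLCertificateFile="/etc/pki/tls/certs/mycert.crt"
             ciphers="SSL_RSA_WITH_RC4_128_MD5, TLS_RSA_WITH_AES_128_CBC_SHA"/>
  <Connector port="8443" protocol="org.apache.coyote.http11.Http11NioProtocol"
             SSLEnabled="true" scheme="https" secure="true" sslProtocol="TLS"
             keystoreFile="conf/server.keystore" keystorePass="changeit"/>
</Service></Server>"""

if __name__ == "__main__":
    for name, findings in audit_server_xml(SAMPLE_SERVER_XML).items():
        print(name, "OK" if not findings else "\n  - " + "\n  - ".join(findings))
```

Point it at a real file with `audit_server_xml(open("server.xml").read())`; connectors with an empty findings list pass all checks.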