I have an application on a Glassfish server instance. I need to do a two way authentication with certificates. I have a closed group of users, so installing the self signed certificate is not a problem.
The question is, how do you go about doing this entire process? I am using the java based Keystore Explorer instead of the command line tool keytool.
Before shooting me down, could you please give me a chance to explain my situation better, I know right now the question is a bit hazy, but as the comments come in, I will be able to clarify a bit better!
If you refer to mutual authentication, please read the following Oracle resource first.
http://docs.oracle.com/javaee/6/tutorial/doc/glien.html#bnbyi
If you still have problems, please provide more details and where you are stuck.
Related
I'm working on creating a local image registry for an OKD installation by following along with this Medium article which assumes the creation of
the self-sign CA, server certificate with both the short and fully
qualified hostname of this VM
It calls for
the CA cert, server cert, server key saved as myca.pem,
registry.pem, registry-key.pem
I'm pretty new to certs so I was following the guidance of this article and using cfssl (as recommended by the former article) for generating those. I've gotten through generating and signing the "Intermediate CA". I'm a little unclear on where and how to generate the specific certs the former article requires. I'd really appreciate some clarifications or guidance, if possible, on the following issues.
I believe the ca.pem generated in the first "CA Authority" process in the
latter article is the equivalent of the myca.pem file mentioned in
the former article, but with a different name. Is this the case?
I am unclear where exactly the registry.pem and registry-key.pem
files are generated. Are these just certificates generated using the
"server" profile and assigned the name "registry"? Are they a
completely separate profile I should be adding to the
cfssl.json file? Are they neither?
In whichever case, are there any additional usages I need in the
cfssl.json file or additional config files I need to create in order for it to be suitable for an image registry? Do I
still need to create the additional "host certificate config file" mentioned in
the latter article?
I have tried absorbing as much information about ssl certificates as I could but so far I am unfortunately not finding anything that clears up the specific questions I have. I am sure this is probably simpler than I realize, so any help clarifying what's needed here would be profoundly appreciated. Thanks very much.
I was able to figure this all out. Here are the answers to my three questions:
This was the correct assumption.
These are generated using the "server" profile and given whichever name I choose.
I had to create the additional host certificate config file and point the CN in that file to my local fully qualified domain name. This config file was then used as an argument for generating the certificates.
as described in the header, I can't create a new SSL certificate with Let's Encrypt on my Synology NAS.
I tried everything, reboot, turn off the firewall, (..) but yet I always get the same failure "The Operation failed. please login again and retry."
Does someone know where the problem could be?
The domain works, I can access it from the internet but it always uses the standard certificate of synology and thats valid..
Thank you for your help and ideas!
I ran into the same problem some months ago. For Let's Encrypt you must provide proper data. If you have multiple alternative names (like www.website.com;website.com;mail.website.com) they must all be valid and provided similar to this list.
I've just started my linux security classes and my task is to set up an apache2 server (nginx is allowed aswell but chose the first one) with configuration listed below:
There is one domain (localhost) with different subfolders:
/ssl (any user can access, force redirect to https)
/ssl/user_1 (access with certificate "user_1")
/ssl/user_2 (access with certificate "user_2")
/ssl/any (access with any certificate (user_1, user_2))
/no_ssl (access without certificate)
I don't have much experience with apache2 but succesfully managed to set it up and configured basic ssl. However, I managed to set just one certificate for all folders/subfolders - I've been digging through whole Google (I have three pages of results marked already as visited..) but could not find a proper solution, tutorial or docs how to set up few different certificates, each for a different folder. I found few but it's often the case that the code was written few years ago and does not work anymore in the new version.
I'm not asking for a full solution but I'd appreciate if someone could point me in the right direction or provide some good tutorials/docs about the matter. Some configuration snippets would be awesome aswell of course!
Thank you so much in advance,
F.
I don't think I'm giving too much away when I say you are misunderstanding that part of the question. You are assuming that user_1 and user_2 are server certificates.
This is about client certificates - otherwise options 1 and 4 are the same. Also I think this is implied with the certs being user_1 and user_2 rather than server_1 and server_2. So go read up about client certificates.
Saying that I still don't know how to do this simply for options 2 and 3 so it's still a tricky question. Let us know how this is done after the assignment is finished for my own curiosity and good luck figuring it out yourself!
I am trying to monitor a https URL using VirtualUser Generator, I have the pfx certificate of the user which is used to login as a user on the portal. I used the Openssl utility with Loadrunner to convert the same to PEM and used web_set_certificate_ex on my script but still I see the script demands user certificate for the user. Please help...
I am trying to monitor
I don't know exactly what you mean by trying to "monitor" the URL using vugen but the latter part of your question sounds like you're trying to record a script and play it back. Since this is generally the function of vugen I'll answer this question. I'm also going to assume you're recording in the web/http protocol and not something like truClient.
Here's the thing - vugen will generally take care of the certificate exchange for you. The primary exception to this is mobile testing. I also actually made the same mistake I think you're making when I first started perf testing. I spent quite a bit of time futzing with certificates, but that is generally unnecessary.
You should make an attempt to record a very simple script, like login, and play it back. If it works, you're set. If you happen to be testing a middleware application you should consider recording in clear text and adding an 's' to your http:// URI.
Very simple advice, but if I understand the nature of your inquiry, it should work.
Try recording without certificate and see weather you can see the request bodies, if not, then you can think of placing client certificates also make sure you are using the right socket, SSL version and cipers to record the application.
I have two "Web Sites" running under IIS6 (Windows Server 2003R2 Standard), each bound to a separate IP address (one is the base address of the server).
I used SelfSSL to generate and install an SSL certificate for development purposes on one of these sites and it works great. I then run SelfSSL to generate a certificate for the second site and the second site works, but now the first site is broken over SSL.
I run SSL Diagnostics and it tells me:
WARNING: You have a private key that corresponds to this certificate but CryptAcquireCertificatePrivateKey failed
If I re-run SelfSSL on the first site (to fix it), the first site works but then the second site is broken.
It seems like SelfSSL is doing something in a way that is designed to work with only one Website, but I can't seem to put my finger on exactly what it's doing and figure out how to suppress it. I would manually configure SSL but I don't have a certificate server handy, but maybe there is a way to get SelfSSL to just gen the cert and let me install it?
FWIW I have also followed the guidance of several posts that indicate changes to the permissions of the RSA directory are in order, etc. but to no avail. I don't work with SSL everyday so I may be overlooking something that someone with more experience might notice, or perhaps there is a diagnostic process that I could follow to get to the bottom of the issue?
We had a similar problem today. Our IT guy said he solved it by basically using ssldiag instead of selfssl to generate the certs.
See the reply from jayb123 at this URL: http://social.msdn.microsoft.com/forums/en-US/netfxnetcom/thread/15d22105-f432-4d8f-a57a-40941e0879e7
I have to admit I don't fully understand what happened, but I'm on the programming side rather than the network admin side.