Using tomcat Trust-store in jetty for SSL - apache

I am planning to secure my jetty by SSL implementation. But I want to use my tomcat certificates, rather than the default jetty certificates. My jetty version is 8.x. I did a search on web regarding the ssl configuration on jetty. and i found this. Please suggest is it possible for me to use tomcat trustore instead of default jetty?

A java keystore is a keystore unless you are using some specific Tomcat implementation of a keystore. Jetty uses the default keystore bits that java itself provides, it should be a simple matter of configuring Jetty to look for the correct file, provide the necessary authentication bits to open it and any alias you may need to specify which key in the keystore to use. That documentation is for Jetty 9/9.1 and may be a bit different than the specifics for 8. You can get to the 8 documentation through the hub:
http://www.eclipse.org/jetty/documentation/

Related

Tomcat is not picking up the keystore

I am setting up the tomcat server which communicate with external system through SOAP web services(I am using the external system stubs and apache Axis2 library for that).
The external system is secured with ssl client/server authentication. The system provides me keystore file in .pfx format which contains two certificates.
Things I have tried:
I have extract those two certificates and added in my keystore. I added below entry in my tomcat/bin/catalina.bat file
set JAVA_OPTS = %JAVA_OPTS% -Djavax.net.ssl.trustStore=/pathtomykeystore/cacerts -Djavax.net.ssl.keyStore=/pathtomykeystore/cacerts -Djavax.net.ssl.keyStorePassword=changeit -Djavax.net.ssl.trustStorePassword=changeit
With above configuration my request fails with No X.509 client certificate HTTP header found in request.
I have enable ssl logs then I found that serverHelloDone is printed and after that it says
"No suitable client certificate could be found - continuing without
client authentication"
The same thing I have tried from SOAPUI Tool where I directly configure .pfx file as keystore and it is working fine there
The diff between Tomcat and SOPAUI logs is
SOAPUI can successfully competing Client authentication where tomcat is not.
also below lines are missing from tomcat ssl logs
keystore is:
keystoreType is: jks
keystore provider is
Update1:
I remove the keystore configuration from SOAPUI->project view-> WS Security Configuration -> keystore (This is working configuration) and added above mentioned JAVA_OPTS entries in soapui.bat file and now SOAPUI also giving a same error.
Anyone helps arround how soap ui pick and send the certificates from keystore configured in project view->keystore

Using Lets-Encrypt SSL cert with Jetty

Has anyone been successful with using Letsencrypt SSL with a default jetty install? I can't seem to get it right.
More info:
OS: Ubuntu 16.04
Jetty Path: /opt/jetty
Only thing adjusted is enabling http on port 80 in start.ini.
Problems I have run into:
When I input --module-ssl into the start ini, I get the error
No default protocol for ServerConnector#48aca48b{null,[]}{0.0.0.0:8443}`
starting jetty and it fails.
I have tried inputting the SSL info into the ini, as well as editing the .xml files with the info.
I know this is an older question, but in-case people stumble across it on Google with a similar issue:
The SSL module in Jetty is just the base cryptographic functionality. You need to do something with it - i.e. also enable the https or http2 modules.
In other words, for standard https you actually need:
java -jar start.jar --add-to-startd=ssl,https
So it's not the best of error messages, but:
No default protocol for ServerConnector
Means just that - it didn't previously have a protocol (implementation) to use the ssl module with, because the https (or http2) modules hadn't been loaded.

Setting Up "Outbound SSL" in JBoss and/or underlying JRE

Looking to port Outbound SSL configuration from Websphere to JBoss. In my case, JBoss is the client. It wants to pass a client cert to a remote machine as part of a 2-way SSL communication.
In Websphere, you explicitly specify...
keystore / keystore password (where are the certs?)
certificate alias (which client cert to apply?)
matching outbound url pattern (when do i apply the client cert?)
You may have many of these configurations. Between these 3 pieces of info, the container can selectively choose when/which client certificate to include when making outbound SSL calls.
What is the JBoss way of doing the same thing as I described above ?
Can this be done by simply configuring your JRE ?
Are there parts of this that cannot be done in JBoss and/or java?
Thanks,
Wade.

OpenShift SSL cipher preferences configuration

I have a question regarding the configuration of SSL preferences on OpenShift.
As far I know, the SSL termination in OpenShift is executed on the HAproxy, which serves as reverse proxy to route to user gears.
Is there a possibility, to configure the SSL preferences, to use user specific order of prefered ciphers, and also to turn off some versions of SSL/TLS as it is possible for instance in tomcat, or is the SSL cipher and versions configuration platform specific and can't be changed by user?

Putting X509 Certificate in HTTP Request

I'm using Spring Security for X.509 preauthentication.
To make sure the client sends its certificate per HTTP request, is it necessary to:
Modify pom.xml to set <wantClientAuth> and <needClientAuth> to true
Set Apache's SSLVerifyClient to require reference
Based on reading, the web server must tell the client-side to sends its certificate in order for the client to actually send it. I'm confused if Spring Security AND Apache configuration is required to achieve this.
Spring Security configuration has nothing to do with whether the client sends a certificate or not. That's decided at the SSL protocol level and hence by the negotiation between the client and the server. Your question is a bit unclear in that it refers to a maven pom and an Apache configuration without explaining how your system is set up. Are you running the maven Jetty plugin with an Apache server in front?
Spring Security's X.509 authentication won't work if the SSL connection doesn't terminate at the servlet container. So if you have HTTPS between the client and Apache, and a non-SSL connection from Apache to the servlet container, then the client certificate won't normally be available.
If you are using an AJP connector, then you can configure Apache to pass the certificate on to the back end using the ExportCertData option. If you aren't, you can still take the exported certificate and pass it as a request header (you'll find examples of this elsewhere on SO). You would also need to customize the Spring Security X.509 code to extract the certificate from the header, rather than the standard java property name which it uses by default.