I am running Oracle Weblogic 11g (10.3.6) and attempting to configure two-way SSL (client certificate requested and enforced). The client certificate is on a smart card.
I have enabled "basic" ssl in the weblogic server, and used keytool to import the relevant root CA certificates into the DemoTruststore.jks file. I have set the Two-way client cert behavior to Client Certs Requested and Enforced for the server.
Unfortunately, attempting to access my application causes the following:
<Certificate chain received from 127.0.0.1 - 127.0.0.1 was incomplete.>
<NO_CERTIFICATE alert was received from 127.0.0.1 - 127.0.0.1. Verify the SSL configuration has a proper SSL certificate chain and private key specified.>
<Certificate chain received from 127.0.0.1 - 127.0.0.1 was incomplete.>
The ActivClient dialog never appears to select a certificate from the Smart Card, and a pin is never requested. Therefore, I think I misconfigured something.
Help would be greatly appreciated.
Jason
Had forgotten I asked this, so I couldn't prove an answer. Here are the steps I took to set this up:
Log into the weblogic console, http://whateveryourhostnameis.com:7001/console. You'll have to know your username and password (I won't know it)
Click on the Servers link, then the name of your actual server instance. (A dev box with weblogic will probably only have one)
On the general tab, click the "SSL Listen Port Enabled". Click save.
On the SSL tab, click the Advanced arrow to open up the advanced options.
Change the "Two Way Client Cert Behavior" to "Client Certs Requested and Enforced"
Check the box for "Use JSSE SSL"
Even though the server might say a restart is not required, keep in mind it's an Oracle product and thus inherently evil. I recommend a server restart.
Related
Pulling my hair out here. Yesterday I set up an SSL Certificate in IIS10. This is the process I followed:
In IIS, under Server Certificates complete Create Certificate Request (generated server.csr & server.key)
Go to sslforfree.com and start "create certificate" process.
Enter Static IP in Domain box
In Validity, choose paste Existing CSR (paste in contents of server.csr)
Select free 90 day certificate
Choose HTTP file upload and add auth file to virtual share in IIS.
Verified OK.
Download certificate
Back in IIS, select "Complete Certificate Request"
Browse to and select "certificate.crt" file.
Give it a friendly name etc, and save.
Browse to website under sites in IIS, and select Bindings. Choose the IP of the server, the incoming Port, and the newly imported SSL certificate.
Back in sslforfree, check the installation.
Everything all good
So everything was working beautifully, could see the certificate in the browser etc, job done.
Now come to today, and the server is actively refusing requests. Go back to check the installation of my SSL on sslforfree, and it's no longer found. Tried removing and re-adding, but nothing I do seems to get the SSL to be visible.
It's not that the certificate is refused, the browser doesn't even think it's there. Why would IIS suddenly stop sharing the certificate? I am totally stumped.
EDIT
As per the advice below, I set up a DNS name with CloudFlare and pointed it at my server.
I Set up the bindings in IIS to link to the new hostname and removed the old certificate (one for port 443 and this one for port 4443 which the API runs on):
Ports 80, 443 and 4443 are all port-forwarded on the router to my server:
I then downloaded Win-ACME and successfully created the Let's Encrypt certificate, and the renewal task created in Task Scheduler.
SSL Cert now shows in Bindings:
SSL Certificate appears to be all good:
...but when I go to the site, using the new domain name. Same problem... no certificate:
So I'm not sure what the problem is here...
This issue may happens when the imported cert does not have a private key associated. solution would be to import the .CER file to your system(from where certificate is requested) personel store and export it with private key. Then copy the .pfx file to required server and import it from server certificate option under IIS.
And you can refer to this link: The Whole Story of "Server Certificate Disappears in IIS 7/7.5/8/8.5/10.0 After Installing It! Why!".
Thanks to Lex Li, I was able to dig around with Jexus Manager, and IIS Crypto to work out what was wrong.
Seems having TLS 1.2 an TLS 1.3 enabled on my machine at the same time was causing issues. Discovered this using Postman and disabling certain TLS Protocols, eventually getting it to work.
For those of you who may experience similar issues, using this application and setting it to "Best Practices" after disabling TLS 1.3 in my Registry, I finally have it working, with a certificate.
I have my website https://www.MyWebSite.com running on port 433. But I also have a admin login that only are available from the office local network http://MyServer:9999/Login.aspx. Both addresses points to the same site but different bindings.
Is it possible to get the one on port 9999 to use https? I tried creating a self signed certificate in IIS but my browser still complained, even though I exported the certificate and stored it in my CA Trusted root.
So just to sum everything:
My regular site: https://MyWebSite.com <-- working fine
My admin login, only accessible via local network: http://MyServer:9999/Login.aspx works fine.
When adding a selfsigned certificate issued to "MyServer" (not MyWebSite) and add the new binding on port 9999 I though to the website but Chrome is giving me a warning NET::ERR_CERT_COMMON_NAME_INVALID, even though the cert is Issued To MyServer and are trusted
Is it possible to get the one on port 9999 to use https?
yes it is possible to setup another port with selfsigned
certificate.
Normally Selfsigned certificate will have fully qualified machine name
e.g. machinename.subdomain.domain so you have to browse using https://machinename.subdomain.domain:9999/
Please double check what error you are running into ,In chrome
Your connection is not private
Attackers might be trying to steal your information from in08706523d (for example, passwords, messages, or credit cards). NET::ERR_CERT_COMMON_NAME_INVALID
in IE,you may get
There is a problem with this website’s security certificate.
The security certificate presented by this website was issued for a different website's address.
Security certificate problems may indicate an attempt to fool you or intercept any data you send to the server.
In that case,assuming you have given hostname as * in IIS binding, and also installed the selfsigned certificate installed your "Root Certification Authorities " You should be able to browse to
https://machinename.subdomain.domain:9999/ without any issues
I am working on WebSphere clustering. Everything was working fine. But for SSL, I accidentally change protocol from SSL_TLS to TLSV1.2.
I have changed it here
Security - - SSL certificate and key management - - SSL configuration - - CellDefultsetting - QOP - protocol
And now my administrator console is not opening.
Error in logs :
CWPKI0028E: SSL handshake protocol "SSLv2" is not valid. This protocol is specified in the SSL configuration alias "CellDefaultSSLSettings" loaded from SSL configuration file "security.xml".
The extended error message is: "no such algorithm: SSLv2 for provider IBMJSSE2".
I checked security.xml in cell, but the value f SSL protocol is still SSL_TLS.
Where do I need to revert the changes done in console? Console is no more opening.
First make sure that your browser supports TLSv1.2 and is enabled. If not, try to open admin console from a different browser which supports TLSv1.2.
If you really need to disable admin security so that you can change back the SSL settings, here is a document:
http://www-01.ibm.com/support/docview.wss?uid=swg21405302
Hello I would like some pointers for enabling ssl on bitnami joomla that works with xampp I have read many tutorials nothing seems to work.I have tried to forse ssl from joomla adminstrator it says that the connection is not safe where might the problem be i see that the cert is not trusted i accepted it as trusted but still doesn't work .if someone knows the answer please share!
Bitnami developer here,
I have created a new auto-signed certificate using our guide at https://wiki.bitnami.com/Components/Apache#How_to_create_a_SSL_certificate.3f and modified file installdir/etc/extras/httpd-ssl.conf to use the new certificate files and after that restarted Apache server with sudo installdir/ctlscript.sh restart apache. It worked for me. The lines I modified in httpd-ssl.conf are:
...
SSLCertificateFile "/opt/lampp/etc/ssl.crt/server.crt"
...
SSLCertificateKeyFile "/opt/lampp/etc/ssl.key/server.key"
...
Then, I browsed my server using HTTPS and it showed an error page with error code NET::ERR_CERT_AUTHORITY_INVALID.
That means that the certificate is invalid because of the Certificate Authority is not a trusted one. It is completely normal because I have auto-signed the certificate. To skip this, click the "Advanced options" button and then click the link "Proceed to ...". You should see your website.
Also in the navigation bar you will see text "https" in red. If you click in the lock close to it, it will prompt a window with text:
The identity of this website has not been verified.
• Server's certificate is not trusted.
Your connection to your_domain.com is encrypted with modern cryptography.
The connection uses TLS 1.2.
The connection is encrypted and authenticated using AES_128_GCM and uses ECDHE_RSA as the key exchange mechanism.
Regards,
Gonzalo
I have installed a renewed SSL certificate on my web server running IIS7.
After installation, I applied website binding to port 443.
My application uses client certificates too, so I have changed the SSL setting to Require 'client certificate'.
Both client and SSL server certificates are valid but still I am not able to access my application. The error I get is:
403 - Forbidden: Access is denied.
I have enabled client certificate mapping in IIS role settings also but still not getting rid of this 403 error.
I guess client certificate is not able to handshake with server certificate. Please help!
In certificate Store verified all server certificate and client cert with its authority hierarchy are available.
also cross check below settings
Application Authentication: Anonymous
Application SSL Setting: Require SSL/ Accept
ApplicationHost.config: enabled OnetoOneMapping under iisClientCertificateMappingAuthentication also added base64 certificate mapped with service accounts
Also based on my past experience we need to ensure we have SChannel registry setting as mentioned in below post.
https://support.microsoft.com/en-us/kb/2464556
Simplest workaround just discovered this today. In IIS for your application, Go to Edit Bindings and change your port number. 443 to 4431 or 44301. Any variation you want. In your client computer, type in the new URL using new port number and you will establish a fresh connection to application. Make sure you SSL Settings for IIS Application is set to "Accept" instead of "Require". This means you can click "Cancel" when the pop up asks you to select a certificate you can simply hit "Cancel" and still hit the site. No 403 Error.
Do not spend hours trying to mess with your certificate store, just simply change the port on IIS Server and you'll be fine.