I can't make my weblogic 11g to work on https. The problem is with identity keystore. How should I create identity keystore? I have private key, web server certificate and intermediate certificate in pem format. I import private key and certificates like this:
keytool -import -keystore myIdentity.jks -storepass mypass -storetype JKS -alias myPrivateKey -file mykey.pem -keypass mypass
keytool -import -keystore myIdentity.jks -storepass mypass -storetype JKS -alias mycert -trustcacerts -file certificate.pem -keypass mypass
I am dummy at this and don't know what is wrong
Generate the IdentityStore :
keytool -genkey -keystore myIdentityStore.jks -storepass welcome1 -alias dummy -dname CN="dummy,C=FR" -keypass welcome1
Import certificates in the TrustStore
keytool -import -v -noprompt -trustcacerts -alias myCertificateAliasName -file myCertificateLocation -keystore myTrustStore.jks -storepass welcome1
Configure your weblogic Server :
Environment -> Servers – AdminServer -> Keystores, then
Change Demo Identity and Demo Trust to Custom Identity and Custom Trust.
Also, change those values for Identity
Custom Identity Keystore : $OSB_HOME/vesiKeyStore/vesiIdentityStore.jks,
Custom Identity Keystore Type : JKS,
Confirm Custom Identity Keystore Passphrase :welcome1.
Do the same for Trust.
restart the server.
Found very useful:
This link
I generated keystore with IBM Keyman and solved my problems.
Related
I have installed ActiveMQ Artemis in Linux and configured broker.xml. I am using a certificate, but ActiveMQ Artemis uses keystore and truststore. How to create those and how to enable SSL for MQTT protocol?
Below shows configuration broker.xml
<acceptor name="mqtt">tcp://0.0.0.0:1883?tcpSendBufferSize=1048576;tcpReceiveBufferSize=1048576;protocols=MQTT;useEpoll=true
sslEnabled=true;
keyStorePath=home/certs/server-ks/server1.p12;keyStorePassword=abc#1234;
trustStorePath=home/certs/server-ks/server1.p12;
trustStorePassword=abc#1234;needClientAuth=true
</acceptor>
I have converted a certificate (.pem) to keystore and truststore
keytool -import -alias rootCA -trustcacerts -file certs/ca.pem -keystore certs/activeMQ-truststore.jks
openssl pkcs12 -inkey certs/server-cert/server1.pem -in certs/server-cert/server1.pem -name server1 -export -out certs/server-ks/server1.p12
keytool -importkeystore -deststorepass abc#1234 -destkeystore certs/server-ks/server-keystore1.jks -srckeystore certs/server-ks/server1.p12 -srcstoretype PKCS12
As above same I have created/converted for client keystore.
I need to connect broker using MQTT.FX client with self signed client keystore.
How to achieve this I am getting confused. Please help me if any one have idea.
In a self-signed configuration typically you'll create a certificate for both the broker and the client, export each, and then import the broker's cert into the client's truststore and import the client's cert into the broker's truststore. You can do all this using Java's keytool command.
Take a look at the example that ships with ActiveMQ Artemis in the examples/features/standard/ssl-enabled-dual-authentication directory. It demonstrates how to do this, e.g.:
keytool -genkey -keystore server-side-keystore.jks -storepass secureexample -keypass secureexample -dname "CN=ActiveMQ Artemis Server, OU=Artemis, O=ActiveMQ, L=AMQ, S=AMQ, C=AMQ" -keyalg RSA
keytool -export -keystore server-side-keystore.jks -file server-side-cert.cer -storepass secureexample
keytool -import -keystore client-side-truststore.jks -file server-side-cert.cer -storepass secureexample -keypass secureexample -noprompt
keytool -genkey -keystore client-side-keystore.jks -storepass secureexample -keypass secureexample -dname "CN=ActiveMQ Artemis Client, OU=Artemis, O=ActiveMQ, L=AMQ, S=AMQ, C=AMQ" -keyalg RSA
keytool -export -keystore client-side-keystore.jks -file client-side-cert.cer -storepass secureexample
keytool -import -keystore server-side-truststore.jks -file client-side-cert.cer -storepass secureexample -keypass secureexample -noprompt
Your acceptor will need both sslEnabled=true and needClientAuth=true.
I am trying to establish a secure connection for my application using jetty http server version 8.1.8.v20121106 with self signed certificate.
I am generating self signed certificate with the following command,
keytool -genkey -alias mykey -keyalg RSA -keysize 2048 -sigalg SHA256withRSA -validity 365 -keypass password -keystore keystore.jks -storepass password
keytool -export -alias mykey -file server.cer -keystore keystore.jks -storepass password
keytool -import -alias mykey -file server.cer -keystore truststore.jks -storepass password
So, totally 3 files generate (keystore.jks,server.cer,truststore.jks)
After the server gets started, I got the following error in my browser. There are issues with the site's certificate chain (net::ERR_CERT_AUTHORITY_INVALID).
Could anyone help me to generate a trusted self signed certificate using keytool.
Thanks in advance.
It is the problem with java jdk. I have verified using java 1.8 and jdk1.7.0_79 it is working fyn for me. Change your java jdk version and verify. For further clarification, Please refer this link.
https://bugs.eclipse.org/bugs/show_bug.cgi?id=398644
We have IBM liberty server (8.5.5.0) running in CICS (v5.1) region. I am getting error message listed below when we tried to activate ssl. I deleted default ssl keystore key.jks and key store recreated automatically but keep getting the same message.
I was able to view certificate in same keystore on my pc with keytool.
We also tried converting the file into IBM-1047 and IBM-037 code pages but no luck.
Error Message:
[11/9/15 15:47:15:572 EST] 0000001d com.ibm.ws.ssl.config.WSKeyStore E CWPKI0033E: The keystore located at /xxx/resources/security/key.jks id not load because of the following error: Invalid keystore format.
We are using default ssl provided by IBM
<!-- SSL Feature -->
<featureManager>
<feature>ssl-1.0</feature>
</featureManager>
<!-- Disable SSLv3 -->
<ssl id="defaultSSLConfig"
keyStoreRef="defaultKeyStore"
sslProtocol="TLS" />
<!-- Generate a default keystore -->
<keyStore id="defaultKeyStore" password="defaultPassword" />
Anybody had similar issue ? Could you please help ?
I had a similar problem where the keystore was empty, so I had to create it myself with Verisign CA certs. Here are my notes:
On a mac, see java home via: /usr/libexec/java_home
keytool -list -v -keystore $JAVA_HOME/jre/lib/security/cacerts
Verisign Class 3 and Class 3 G3 & G5
Aliases:
verisignclass3ca
verisignclass3g5ca
verisignclass3g3ca
keytool -export -alias verisignclass3ca -file verisign_c3.crt -keystore $JAVA_HOME/jre/lib/security/cacerts -storepass changeit
keytool -export -alias verisignclass3g3ca -file verisign_c3g3.crt -keystore $JAVA_HOME/jre/lib/security/cacerts -storepass changeit
keytool -export -alias verisignclass3g5ca -file verisign_c3g5.crt -keystore $JAVA_HOME/jre/lib/security/cacerts -storepass changeit
keytool -import -trustcacerts -file verisign_c3.crt -alias verisign_c3ca -keystore key.jks -storepass worklight
Enter keystore password:
Certificate already exists in system-wide CA keystore under alias
Do you still want to add it to your own keystore? [no]:Y
keytool -import -trustcacerts -file verisign_c3g3.crt -alias verisign_c3g3ca -keystore key.jks -storepass worklight
keytool -import -trustcacerts -file verisign_c3g5.crt -alias verisign_c3g5ca -keystore key.jks -storepass worklight
[EDIT]
I used those two commands to generate the csr:
keytool -genkey -alias tomcat -keyalg RSA -keystore XY.key
keytool -certreq -keyalg RSA -alias tomcat -file certreq.csr -keystore XY.key
gd_bundle-g2-g1.crt has 3 blocks in it, the other two have only 1.
[/EDIT]
I want to install the certificates. I want to use:
keytool -import -alias [AB] -keystore [CD.key] -trustcacerts -file [EF.crt]
I know CD; that's the keystore I generated, but what alias (AB) is correct for which certificate (EF)? The three certificates I get are:
b715e55ecaeeba39.crt
gd_bundle-g2-g1.crt
gdig2.crt
And after I did that correctly, am I right by using the:
keytool -import -alias tomcat -keystore <your_keystore_filename> -file certreq.csr
The file with which I requested the Certificate?
Thank you for your help.
You can use any alias you want as long as you specify it in the server.xml file (parameter keyAlias, case sensitive).
tomcat seems to be the default alias : https://docs.jboss.org/jbossweb/7.0.x/ssl-howto.html
I've been working on a client API using QuickFIX and I'm planning to use SSL and certificate based authentication. I generated self signed certificates for acceptor and initiator the following way:
1) Generate and export server/acceptor certificate:
keytool -genkeypair -keyalg RSA -keysize 2048 -alias server -keystore server.jks
keytool -export -alias server -file server.cer -keystore server.jks
2) Generate and export client/initiator certificate:
keytool -genkeypair -keyalg RSA -keysize 2048 -alias client -keystore client.jks
keytool -export -alias client -file client.cer -keystore client.jks
3) Import server/acceptor certificate to client keystore:
keytool -import -v -trustcacerts -alias server -file server.cer -keystore client.jks
4) Import client/initiator certificate to server/acceptor keystore:
keytool -import -v -trustcacerts -alias client -file client.cer -keystore server.jks
Acceptor config:
SocketUseSSL=Y
SocketKeyStore=server.jks
SocketKeyStorePassword=password
Initiator config:
SocketUseSSL=Y
SocketKeyStore=client.jks
SocketKeyStorePassword=password
Everything seems to work fine and data is getting encrypted. However, if I remove the initiator's client.jks keystore file, I will get a QuickFIX log entry saying "client.jks: keystore not found, using empty keystore". Strange thing, the initiator is still able to connect and establish a valid FIX session. I would expected the connection to be dropped immediately since no valid certificate is provided. Am I missing something?
The client certificate is not required by default, you must set this:
NeedClientAuth=Y