I am trying to configure Jetty (via the jetty-maven-plugin) to use client certificates. I have it working (somewhat) without the client certificate, but with the set to yes, absolutely nothing happens.
What I need to know is how to configure Jetty to log its startup and operation to try to figure out the issue. Can anyone assist?
Never mind. The answer is to run maven with the -X parameter:
maven -X jetty:run
Related
I basically follow the steps in this question to create SSL certificates for ActiveMQ. Now with some help, I can connect my C# application to ActiveMQ. However when I tried to connect my Angular application to it, I got ERR_CERT_COMMON_NAME_INVALID error.
I actually have an ActiveMQ instance running in AmazonMQ and it works fine with my Angular application. So I think this is the issue of the certificate when I try to run the ActiveMQ in my own docker image.
For some details, I am using a domain name dev.com pointing to 127.0.0.1, which is set in host file. I am using dev.com to access both C# application and Angular application so I plan to use wss://dev.com:61619 to access ActiveMQ from my Angular application. When I generate keystore, I specify dev.com as the CN. In addition, I have another self-signed certificate generated with OpenSSL for Angular and C# application, not sure if there will be any conflict between them.
Can anyone please help to see what could be wrong?
Thank you
I am trying to connect Jenkins(version 2.121.2) running on AWS to an on-premise Atlassian Crowd Server (version 3.1.2) using Jenkin's crowd 2 Plugin. The Crowd server requires two-way SSL authentication.
Steps followed:
Import the Certificate chain of the Crowd server in to Java Trust store located at $JAVA_HOME/jre/lib/security/cacerts, so Jenkins trusts Crowd Server.
Create a keystore(JKS) with the private key and certificate for Client authentication in jenkins.
Modify jenkins startup parameters (/etc/default/jenkins) to use the Trust store and Keystore. I have tried both the variations as below.
Variation 1:
JAVA_ARGS="-Djavax.net.debug=ssl -Djava.awt.headless=true
-Djavax.net.ssl.trustStore=/usr/lib/jvm/java-1.8.0-openjdk-amd64/jre/lib/security/cacerts
-Djavax.net.ssl.trustStorePassword=changeit
-Djavax.net.ssl.keyStore=/var/lib/jenkins/identity.jks
-Djavax.net.ssl.keyStorePassword=changeit"
Variation 2:
# JVM Arguments
JAVA_ARGS="-Djavax.net.debug=ssl -Djava.awt.headless=true
-Djavax.net.ssl.trustStore=/usr/lib/jvm/java-1.8.0-openjdk-amd64/jre/lib/security/cacerts
-Djavax.net.ssl.trustStorePassword=changeit"
# Jenkins arguments
JENKINS_ARGS="--webroot=/var/cache/$NAME/war
--httpPort=$HTTPS_PORT
--httpsKeyStore=/var/lib/jenkins/identity.jks
--httpsKeyStorePassword=changeit"
After filling up the details in the plugin configuration section in jenkins and trying to establish a connection, I receive a hand_shake failure in jenkins log. Information from the log,
The Server Hello passes, and provides a list of CA's that it trusts which shows the Atlassian crowd server. During jenkins startup, I can also see that it adds the certificate as trusted.
But when jenkins is responding to the verification from Crowd, it is not sending the client key/certificate from keystore. An excerpt of the log can be seen below.
CN=cloud.company.com, OU=OUnit, O=Org, L=City, ST=State, C=Country
ServerHelloDone
Warning: no suitable certificate found - continuing
without client authentication
Certificate chain <Empty>
I am not sure if this is possible using the Crowd2 Plugin or If I am doing something wrong. I had a look at this issue , but there is no definitive answer if this is possible or not.
Any help/direction is greatly appreciated.
So, The problem was due to Crowd 2 Jenkins Plugin. Version 2 of the plugin was recently released 3 months ago and I was using this. But, after downgrading the plugin to version 1.8, I was able to authenticate with the Crowd Server.
Good day.
I'm trying to realize integration Jenkis/Bitbucket Server/Jira Server.
All servers are working under SSL (Private PKI) with Peer authentication enabled.
So first step is to connect to BitBucket and it was successfull.
Everything i've done is added JVM_ARGS to jenkins
-Djavax.net.ssl.keyStoreType=pkcs12
-Djavax.net.ssl.keyStore=/ssl/jenkins.p12
-Djavax.net.ssl.trustStore=/ssl/cacerts
-Djavax.net.ssl.keyStorePassword=JenkinsPassword1
-Djavax.net.ssl.trustStorePassword=changeit
So Jenkins authenticated on BitBucket.
After that i tried to connect Jenkins to JIRA. And without a success.
Caused by: javax.net.ssl.SSLException: Received fatal alert: bad_certificate
All servers have certificates deployed under same CA chain.
All servers have that chain in trust store.
So i wonder what i'm doing wrong?
I've enbled SSL debug (javax.net.debug=ssl).
And saw follwing strings during jira site configuration validation:
Found trusted certificate: //So there is no problem with truststore.
....
....
Warning: no suitable certificate found - continuing without client authentication // WHY??
*** Certificate chain
<Empty>
***
But with bitbucket server it picks right certificate.
Double cheked everything, moreover, bitbucket server is working good.
Some dig in code i found that JIRA Plugins uses Attlasians Library, which is uses Apache HTTP Client. And i could not understand why HTTP Client not initializing keystore for JIRA Connection.
May be someone faced same problem? Any solution without rfactoring Plugin or libraries?
Any suggestions are welcome.
I'm using Jenkins 2.89.2 with Jira Plugin 2.5 /Bitbucket Server 5.3/ Jira 7.63
Jenkins running in docker.
PS: Skip Certificate Verification Plugin not an option. Peer authentication is mandatory.
I'm using gradle scripts with dependency management.
I have a Sonatype Nexus repository sitting on a server that requires me to authenticate via apache before I can view the page.
I think this is stopping me from running my gradle script. My error is peer not authenticated.
It is on an SSL server.
Can someone help me with which step I may be missing?
Try creating a certificate and importing it into the Java keystore with keytool. See here for how.
When one develops a self-hosted WCF http server,
one of the steps needed is to bind an SSL certificate to a port number:
httpcfg set ssl -i 0.0.0.0:8012 -h 0000000000003ed9cd0c315bbb6dc1c08da5e6
as stated in:
http://msdn.microsoft.com/en-us/library/ms733791.aspx
However,
It is hardly expected that in my deployment environment one would be able to do it.
(I don't even know if the httpcfg.exe is redistributable)
Moreover, if the user changed the port after he installed the product then he will need to run the command again....
how can this step be automated pro grammatically?
preferably in C# but if it can only be done in C++ (direct access to the Http Server API)
then I will manage :)
Have a look here: an open source C# UI for configuring HTTP.SYS that directly drives the API. This should get you an idea of the code necessary for configuring the certs.
For those tuning in a couple of years later:
This article from Mike Bouck's RAM has a clean C# wrapper for the http.sys api.
Таке а look on https://github.com/segor/SslCertBinding.Net
It also has nuget available
Install-Package SslCertBinding.Net
and does what you need perfectly. Thanks to the author.