wso2-am https API - https

Good day! I created an API and want to use https access to it, for example: https://localhost:8243/ssl/1.0. Tell me, where is the certificate for this API?
And the second question is, can I replace it with my own certificate?
Thanks!

You can create a new keystore using a cert you have. Please check - https://apim.docs.wso2.com/en/latest/install-and-setup/setup/security/configuring-keystores/keystore-basics/creating-new-keystores/#creating-new-keystores
openssl pkcs12 -export -in <certificate file>.crt -inkey <private>.key -name wso2carbon -certfile <additional certificate file> -out wso2.pfx
keytool -importkeystore -srckeystore wso2.pfx -srcstoretype pkcs12 -destkeystore wso2carbon.jks -deststoretype JKS
Then you can replace the existing wso2carbon.jks in repository/resources/security location.

Related

Kafka Failed SSL Handshake with Springboot

I have successfully set up SSL on the Kafka broker; it's listening on port 9093. I'm using consumers built in Spring Boot, and when I attempt to bring up the client consumer, I'm getting the following error:
....
Caused by: org.apache.kafka.common.errors.SslAuthenticationException:
SSL handshake failed Caused by: javax.net.ssl.SSLException:
Unrecognized SSL message, plaintext connection? ...
Below is the configuration on the broker: (server.properties)
listeners=PLAINTEXT://0.0.0.0:9092,SSL://0.0.0.0:9093
advertised.listeners=PLAINTEXT://192.168.xx.xx:9092,SSL://192.168.xx.xx:9093
ssl.keystore.location=/home/kafka/kafka/ssl/kafka.server.keystore.jks
ssl.keystore.password=password
ssl.truststore.location=/home/kafka/kafka/ssl/kafka.server.truststore.jks
ssl.truststore.password=password
ssl.key.password=password
ssl.client.auth=required
This is the configuration on the consumer (Springboot application.properties)
spring.kafka.bootstrap-servers=192.168.xx.xx:9093
spring.kafka.security.protocol=SSL
spring.kafka.ssl.trust-store-location=file:/var/ssl/kafka.client.truststore.jks
spring.kafka.ssl.trust-store-password=password
spring.kafka.ssl.key-store-location=file:/var/ssl/kafka.client.keystore.jks
spring.kafka.ssl.key-store-password=password
spring.kafka.ssl.key-password=password
This is how the keystore/truststore have been created:
CA certificate (root.crt) has signed server.crt and client.crt
kafka.server.keystore.jks contains root.crt, server.crt
kafka.server.truststore.jks contains root.crt
kafka.client.keystore.jks contains root.crt, client.crt
kafka.client.truststore.jks contains root.crt
What could I be missing? Anyone can help?
I have discovered 2 possible causes for this:
1. Server host name verification: this is likely to fail, so it's best to disable it by setting ssl.endpoint.identification.algorithm to an empty string in application.properties, i.e.
ssl.endpoint.identification.algorithm=
2. Keystore generation: this is how I was initially doing it:
i. Generated a self-signed cert and key (output: ca.key, ca-cert.crt)
ii. Generated a server key and server cert, signed by root.crt (output: server.key, server.crt)
iii. Created the keystore by running this command:
keytool -keystore kafka.server.keystore.p12 -storetype PKCS12 -alias CARoot -import -file ca-cert.crt -storepass password -keypass password -noprompt
iv. Imported server.crt into kafka.server.keystore.p12
This will NOT work. This is the right way to do it:
i. Similar to step i above, generate a self-signed ca-cert
ii. Generate a keystore that contains server.csr (command in the bash script below)
iii. 'Extract' server.csr from the keystore generated in step ii, and sign it with ca-cert (output: server.crt)
iv. Import ca-cert, and then server.crt, into the keystore
I decided to do all this in a bash file, so I can do it all in one command. I also preferred the PKCS12 format, since JKS is proprietary; however, in the configuration you may need to specify key-store-type as PKCS12 [key-store-type=PKCS12].
Here it is:
#!/bin/bash
##
#
# This script generates the following
# server.keystore.p12
# server.truststore.p12
# client.keystore.p12
# client.truststore.p12
# They are self signed, and so CA certificate is created first (ca.key, ca-cert.crt)
#
##
set -e
# One password for every store and key below (replace before use)
PASS=changeit
# Server Keystore and Truststore
#====================================
# 1. Generate CA key
openssl genrsa -out ca.key 2048
# 2. Generate CA cert (valid 10 years; without -days it would expire after 30)
openssl req -new -x509 -key ca.key -days 3650 -out ca-cert.crt -subj "/C=KE/ST=Kenya/L=Nairobi/O=John Doe Ltd/CN=*.mydomain.com"
# 3. Generate server keystore with a fresh key pair (the CSR is exported from it in step 4)
keytool -keystore kafka.server.keystore.p12 -alias serverkey -validity 3650 \
-genkey -keyalg RSA -keysize 2048 -ext SAN=DNS:*.mydomain.com -storetype PKCS12 -dname "CN=*.mydomain.com, OU=ICT, O=John Doe Ltd, L=Nairobi, ST=Kenya, C=KE" -storepass "$PASS" -keypass "$PASS" -noprompt
# 4. Export server CSR generated in step 3
keytool -keystore kafka.server.keystore.p12 -alias serverkey -certreq -file server.csr -storepass "$PASS" -noprompt
# 5. Sign the server CSR generated in step 4 with the CA key - output is server.crt.
#    openssl x509 -req drops the extensions carried in the CSR, so the SAN is supplied again via -extfile
openssl x509 -req -CA ca-cert.crt -CAkey ca.key -in server.csr -out server.crt -days 3650 -CAcreateserial \
-extfile <(printf 'subjectAltName=DNS:*.mydomain.com\n')
# 6. Import CA cert into the server keystore
keytool -keystore kafka.server.keystore.p12 -alias CARoot -import -file ca-cert.crt -storepass "$PASS" -noprompt
# 7. Import the server cert [generated in step 5] into the keystore
keytool -keystore kafka.server.keystore.p12 -alias serverkey -import -file server.crt -storepass "$PASS" -noprompt
# 8. Generate server truststore and import CA cert
keytool -keystore kafka.server.truststore.p12 -storetype PKCS12 -alias CARoot -import -file ca-cert.crt -storepass "$PASS" -noprompt
# Client Keystore and Truststore
#====================================
# 9. Generate client keystore with a fresh key pair (the CSR is exported from it in step 10)
keytool -keystore kafka.client.keystore.p12 -alias clientkey -validity 3650 \
-genkey -keyalg RSA -keysize 2048 -ext SAN=DNS:*.mydomain.com -storetype PKCS12 -dname "CN=*.mydomain.com, OU=ICT, O=ABC Bank Ltd, L=Nairobi, ST=Kenya, C=KE" -storepass "$PASS" -keypass "$PASS" -noprompt
# 10. Export client CSR generated in step 9
keytool -keystore kafka.client.keystore.p12 -alias clientkey -certreq -file client.csr -storepass "$PASS" -noprompt
# 11. Sign the client CSR generated in step 10 with the CA key - output is client.crt (a client cert needs no SAN)
openssl x509 -req -CA ca-cert.crt -CAkey ca.key -in client.csr -out client.crt -days 3650 -CAcreateserial
# 12. Import CA cert into the client keystore
keytool -keystore kafka.client.keystore.p12 -alias CARoot -import -file ca-cert.crt -storepass "$PASS" -noprompt
# 13. Import the client cert [generated in step 11] into the keystore
keytool -keystore kafka.client.keystore.p12 -alias clientkey -import -file client.crt -storepass "$PASS" -noprompt
# 14. Generate client truststore and import CA cert
keytool -keystore kafka.client.truststore.p12 -storetype PKCS12 -alias CARoot -import -file ca-cert.crt -storepass "$PASS" -noprompt
This worked perfectly for me. Any comments and corrections are welcome.
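The same CA / broker / client build, rewritten as an added example with openssl alone (this is not the answer's script and not Kafka project code). It differs in two practical ways: the broker certificate carries the DNS name and the IP address that clients actually dial in its SAN, so hostname verification can stay switched on instead of being disabled, and the client certificate is marked clientAuth-only. Key, certificate and CA are then packed into PKCS12 keystores the same way the WSO2 answer at the top of the page does, and everything is verified offline (chain, hostname, IP, purpose) before a broker ever sees it. The broker name broker1.mydomain.com, the IP 192.0.2.10, the client name consumer1 and the password changeit are placeholders of this example, not values from the post.

```shell
#!/bin/sh
# Added example: openssl-only mutual-TLS material for Kafka, with offline verification.
# Placeholders: broker1.mydomain.com, 192.0.2.10, consumer1, password "changeit".
set -eu

# Build CA, broker keystore and client keystore under $1.
# $1=output dir  $2=broker DNS name  $3=broker IP  $4=client name  $5=store password
build_mtls_pki() {
    dir=$1; host=$2; ip=$3; client=$4; pass=$5
    mkdir -p "$dir"
    # Private openssl config: the CA gets CA:TRUE/keyCertSign regardless of the system
    # openssl.cnf, and `req` works even on a box that has no openssl.cnf at all.
    cat > "$dir/ca.cnf" <<'EOF'
[req]
distinguished_name = dn
prompt = no
x509_extensions = ca_ext
[dn]
O = Example Ltd
CN = Example Kafka CA
[ca_ext]
basicConstraints = critical,CA:TRUE
keyUsage = critical,keyCertSign,cRLSign
subjectKeyIdentifier = hash
EOF
    # 1. CA key and self-signed CA certificate.
    openssl genrsa -out "$dir/ca.key" 2048 2>/dev/null
    openssl req -config "$dir/ca.cnf" -new -x509 -key "$dir/ca.key" -days 3650 -out "$dir/ca-cert.crt"
    # 2. Broker: key + CSR, then a CA-signed cert whose SAN carries the name AND the IP
    #    that clients dial, so ssl.endpoint.identification.algorithm=https can stay on.
    openssl req -config "$dir/ca.cnf" -new -newkey rsa:2048 -nodes -subj "/O=Example Ltd/CN=$host" \
        -keyout "$dir/server.key" -out "$dir/server.csr" 2>/dev/null
    cat > "$dir/server.ext" <<EOF
subjectAltName=DNS:$host,IP:$ip
extendedKeyUsage=serverAuth
keyUsage=critical,digitalSignature,keyEncipherment
basicConstraints=CA:FALSE
EOF
    openssl x509 -req -in "$dir/server.csr" -CA "$dir/ca-cert.crt" -CAkey "$dir/ca.key" -CAcreateserial \
        -days 825 -extfile "$dir/server.ext" -out "$dir/server.crt" 2>/dev/null
    # 3. Client: same flow, but usable for client authentication only
    #    (this is what ssl.client.auth=required on the broker checks).
    openssl req -config "$dir/ca.cnf" -new -newkey rsa:2048 -nodes -subj "/O=Example Ltd/CN=$client" \
        -keyout "$dir/client.key" -out "$dir/client.csr" 2>/dev/null
    printf 'extendedKeyUsage=clientAuth\nkeyUsage=critical,digitalSignature\nbasicConstraints=CA:FALSE\n' \
        > "$dir/client.ext"
    openssl x509 -req -in "$dir/client.csr" -CA "$dir/ca-cert.crt" -CAkey "$dir/ca.key" -CAcreateserial \
        -days 825 -extfile "$dir/client.ext" -out "$dir/client.crt" 2>/dev/null
    # 4. Keystores: key + leaf + CA in one PKCS12 each (ssl.keystore.type=PKCS12 in Kafka).
    openssl pkcs12 -export -name serverkey -in "$dir/server.crt" -inkey "$dir/server.key" \
        -certfile "$dir/ca-cert.crt" -out "$dir/kafka.server.keystore.p12" -passout "pass:$pass"
    openssl pkcs12 -export -name clientkey -in "$dir/client.crt" -inkey "$dir/client.key" \
        -certfile "$dir/ca-cert.crt" -out "$dir/kafka.client.keystore.p12" -passout "pass:$pass"
    # 5. Truststores. Java ignores PKCS12 cert bags that lack Oracle's trustedKeyUsage
    #    attribute, so build these with keytool when available; without it keep
    #    ca-cert.crt and use ssl.truststore.type=PEM (Kafka 2.7+).
    if command -v keytool >/dev/null 2>&1; then
        for side in server client; do
            keytool -importcert -noprompt -alias CARoot -file "$dir/ca-cert.crt" \
                -keystore "$dir/kafka.$side.truststore.p12" -storetype PKCS12 -storepass "$pass"
        done
    fi
}

# Offline checks that a client or broker would otherwise only hit at handshake time.
# Returns 0 only if every certificate chains to the CA and fits its role.
verify_mtls_pki() {
    dir=$1; host=$2; ip=$3; pass=$4
    openssl verify -CAfile "$dir/ca-cert.crt" -purpose sslserver -verify_hostname "$host" \
        "$dir/server.crt" >/dev/null 2>&1 || return 1
    openssl verify -CAfile "$dir/ca-cert.crt" -verify_ip "$ip" "$dir/server.crt" >/dev/null 2>&1 || return 1
    openssl verify -CAfile "$dir/ca-cert.crt" -purpose sslclient "$dir/client.crt" >/dev/null 2>&1 || return 1
    # Each keystore must open with the password and hold leaf + CA (two certificates).
    for side in server client; do
        n=$(openssl pkcs12 -in "$dir/kafka.$side.keystore.p12" -passin "pass:$pass" -nokeys 2>/dev/null \
            | grep -c 'BEGIN CERTIFICATE' || true)
        [ "$n" -eq 2 ] || return 1
    done
    return 0
}

# Stand-alone run: build into a scratch directory and report the result.
OUT=$(mktemp -d)
build_mtls_pki "$OUT" broker1.mydomain.com 192.0.2.10 consumer1 changeit
verify_mtls_pki "$OUT" broker1.mydomain.com 192.0.2.10 changeit && echo "PKI in $OUT verified OK"
```

Point ssl.keystore.location at kafka.server.keystore.p12 with ssl.keystore.type=PKCS12 (and the client keystore on the consumer side); for the truststore use the keytool-built file or ca-cert.crt with ssl.truststore.type=PEM. If an older JDK refuses to open the PKCS12 produced by OpenSSL 3 (which defaults to AES/PBKDF2), regenerate it with OpenSSL 3's -legacy option. The failing checks in verify_mtls_pki map directly onto handshake errors: a hostname or IP mismatch is what endpoint identification rejects, and a client certificate that fails -purpose sslclient is what ssl.client.auth=required rejects.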

How to make a self-signed certificate trusted from a remote connection

I created a self-signed certificate using these commands
sudo keytool -genkeypair -alias <MyAlias> -keyalg RSA -keysize 2048 -storetype PKCS12 -keystore <MyCert>.p12 -validity 3650
sudo keytool -genkeypair -alias <MyAlias> -keyalg RSA -keysize 2048 -keystore <MyCert>.jks -validity 3650
sudo keytool -importkeystore -srckeystore <MyCert>.jks -destkeystore <MyCert>.p12 -deststoretype pkcs12
which created a P12 file and a jks file.
If I log in to my server remotely, the connection is blocked and an error is shown that indicates your connection is not private, because the certificate is not trusted.
How can I fix this issue?
Maybe I should chain the certificate to another certificate? (example: using Let's Encrypt)?
Create a Certificate Authority
You can create a Certificate Authority certificate and then sign a certificate with your own CA and then add your CA to the system keychain.
More on that at https://gist.github.com/Soarez/9688998
Use a Let's Encrypt client
... however, it's probably much easier to use a Let's Encrypt client.
I'm the author so you can take my opinion with a grain of salt, but Greenlock is about the easiest suite of Let's Encrypt / ACME tools available.
Browser-based client
https://greenlock.domains
If you use the DNS challenge you can easily get certs for private domains with internal IP addresses as well.
CLI Clients
If you want it automatic you could use something like Greenlock CLI or Greenlock Express (for node.js)
There's also certbot, but it can be more difficult to install due to its size, various dependencies, and RAM usage. Greenlock is only about 100kb and has no external dependencies, so it works fine on home servers and memory constrained IoT devices (which is exactly the problem I had when I first wrote it).

How do I generate X.509 certificate from key generated by openssl

I've a web server running on an ec2-instance which internally calls a REST server that is built using Spring Boot. Now, I am trying to get this REST server running under SSL. Here's what I've done so far:
1) Created a CSR & a key file using this command
openssl req -newkey rsa:2048 -nodes -keyout mydomain.key -out mydomain.csr
2) Copied 'csr' to get SSL certificate from GoDaddy.
3) Successfully installed the certificate under Nginx on my ec2-instance.
4) When I hit the home page under https, it works. I no longer get 'Not secure' message from the browser.
5) Login fails because it makes a REST call but REST server is not running under SSL so I am trying to get it running under SSL.
6) Ran following commands:
keytool -import -alias mydomain -keystore tomcat.keystore -trustcacerts -file mydomain.com.chained.crt
keytool -import -alias mydomain-key -keystore tomcat.keystore -trustcacerts -file mydomain.key
The previous command gives me an error message:
"keytool error: java.lang.Exception: Input not an X.509 certificate"
But this was the one created in step 1 above & the same file works under Nginx. What am I missing (other than the fact that I know very little about setting up SSLs!)? I need the second command to specify the value of 'server.ssl.keyAlias' in application.properties, I believe.
Not really an answer but overflowed comment.
You don't need to 'generate' an X.509 cert; you already got that from GoDaddy. If (and only if) the SpringBoot server is accessed by the same name(s) as (external) nginx -- which is unclear to me -- you need to convert the pair of private key AND certificate CHAIN from PEM format to a format Java uses. See:
How to import an existing x509 certificate and private key in Java keystore to use in SSL?
How can I set up a letsencrypt SSL certificate and use it in a Spring Boot application?
How to use .key and .crt file in java that generated by openssl?
Importing the private-key/public-certificate pair in the Java KeyStore
maybe Import key and SSL Certificate into java keystore
Thanks @Dave_thompson_085. The following 2 commands did the trick!
openssl pkcs12 -export -in mydomain.com.chained.crt -inkey mydomain.key -out keystore.p12 -name my-alias -caname root
keytool -importkeystore -deststorepass mypassword -destkeypass mypassword -destkeystore keystore.jks -srckeystore keystore.p12 -srcstoretype PKCS12 -srcstorepass mypassword -alias my-alias
and then in the application.properties I specified following properties:
server.port=8443
server.ssl.enabled=true
security.require-ssl=true
server.ssl.key-store=/etc/nginx/ssl/keystore.jks
server.ssl.key-store-password=mypassword
server.ssl.keyStoreType=JKS
server.ssl.keyAlias=my-alias

SAML HTTPS connection with kennisnet staging environment

I took the sample webapp from https://github.com/vdenotaris/spring-boot-security-saml-sample and it is working fine. Later, I tried to connect to the kennisnet staging environment.
Kennisnet details here
https://developers.wiki.kennisnet.nl/index.php?title=KNF:Hoofdpagina/en
I updated metadata which is downloadable from this url https://hub-s.entree.kennisnet.nl/openaselect/profiles/saml2/
I generated samlKeyStore.jks using the commands below
keytool -genkey -alias tomcat -keyalg RSA -keystore samlKeyStore.jks
keytool -importkeystore -srckeystore samlKeyStore.jks -destkeystore samlKeyStore.jks -deststoretype pkcs12
I followed all the Spring SAML https threads on Stack Overflow and am not able to figure out this issue.
LOGS:
Add the certificate to your JDK so that your application can get the metadata from URL https://aselect-s.entree.kennisnet.nl/openaselect/profiles/saml2.
These are the steps you need to follow:
Download the certificate for aselect-s.entree.kennisnet.nl
Import the certificate to your JDK/JRE using this command:
keytool -keystore #path to java_home#/lib/security/cacerts -importcert -alias #anything relevent# -file #path to certificate#
Make sure your server is using same java_home where you are importing the certificate, also verify the subjectname in the certificate before importing, it must be "CN = *.entree.kennisnet.nl"
Restart the server.

How to generate SSL Certificate (CRT), Private Key (KEY), Certificate Authority Bundle (CABUNDLE) from domain.pfx file?

I have two files with me. One is domain.pfx and another one is domain.cer. To convert my website from http to https through cPanel, I need Certificate (CRT), Private Key (KEY), Certificate Authority Bundle: (CABUNDLE). How to generate these files from the two files that I have?
PFX content: your domain.pfx should contain everything (certificate, private key, CA chain); you can check with:
openssl pkcs12 -info -in domain.pfx
Key file:
openssl pkcs12 -in domain.pfx -nocerts -out domain.key
Certificate:
openssl pkcs12 -in domain.pfx -clcerts -nokeys -out domain.crt
CA bundle:
openssl pkcs12 -in domain.pfx -cacerts -nokeys -out cabundle.pem
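An added example (not part of the answer above) that runs the extraction end to end and checks the result: it constructs a throwaway domain.pfx (a demo CA plus a leaf for www.example.com, password changeit; all placeholders), pulls the key out with -nodes so it is unencrypted as the cPanel "Private Key" box expects, strips the "Bag Attributes" preamble openssl prepends to each file, and then confirms that the key matches the certificate and that the certificate chains through the extracted bundle. To use it on a real file, call split_pfx on your domain.pfx and skip make_demo_pfx.

```shell
#!/bin/sh
# Added example: split a PFX into CRT / KEY / CABUNDLE and verify they belong together.
# The PFX itself is constructed here; www.example.com and "changeit" are placeholders.
set -eu

# Constructed input only: a two-level chain (CA -> leaf) packed the way a CA or a
# Windows "export with all certificates in the path" would deliver it.
make_demo_pfx() {
    dir=$1; pass=$2
    cat > "$dir/ca.cnf" <<'EOF'
[req]
distinguished_name = dn
prompt = no
x509_extensions = ca_ext
[dn]
CN = Demo Issuing CA
[ca_ext]
basicConstraints = critical,CA:TRUE
keyUsage = critical,keyCertSign,cRLSign
subjectKeyIdentifier = hash
EOF
    openssl req -config "$dir/ca.cnf" -x509 -newkey rsa:2048 -nodes -days 365 \
        -keyout "$dir/ca.key" -out "$dir/ca.crt" 2>/dev/null
    openssl req -config "$dir/ca.cnf" -new -newkey rsa:2048 -nodes -subj "/CN=www.example.com" \
        -keyout "$dir/leaf.key" -out "$dir/leaf.csr" 2>/dev/null
    openssl x509 -req -in "$dir/leaf.csr" -CA "$dir/ca.crt" -CAkey "$dir/ca.key" -CAcreateserial \
        -days 365 -out "$dir/leaf.crt" 2>/dev/null
    openssl pkcs12 -export -name domain -in "$dir/leaf.crt" -inkey "$dir/leaf.key" \
        -certfile "$dir/ca.crt" -out "$dir/domain.pfx" -passout "pass:$pass"
}

# Split PFX $1 (password $2) into $3/domain.key, $3/domain.crt and $3/cabundle.pem.
split_pfx() {
    pfx=$1; pass=$2; out=$3
    # Check the password (PKCS12 MAC) first so a typo does not leave half-written files behind.
    openssl pkcs12 -in "$pfx" -passin "pass:$pass" -noout 2>/dev/null || return 1
    umask 077   # the key is written unencrypted: keep it owner-readable only
    # -nodes = unencrypted key, which is what cPanel expects; piping through
    # `openssl pkey` rewrites it as clean PEM without the "Bag Attributes" preamble.
    openssl pkcs12 -in "$pfx" -passin "pass:$pass" -nocerts -nodes 2>/dev/null \
        | openssl pkey -out "$out/domain.key" || return 1
    # -clcerts = the end-entity certificate only, cleaned the same way.
    openssl pkcs12 -in "$pfx" -passin "pass:$pass" -clcerts -nokeys 2>/dev/null \
        | openssl x509 -out "$out/domain.crt" || return 1
    # -cacerts may yield several certificates; keep just the PEM blocks, in order.
    openssl pkcs12 -in "$pfx" -passin "pass:$pass" -cacerts -nokeys 2>/dev/null \
        | awk '/-----BEGIN CERTIFICATE-----/,/-----END CERTIFICATE-----/' > "$out/cabundle.pem" || return 1
}

# Returns 0 only if the key matches the certificate and the certificate chains through
# the bundle. A public CA's bundle usually holds intermediates only, so the bundle is
# also offered as -untrusted and the system trust store may supply the root.
check_split() {
    out=$1
    kpub=$(openssl pkey -in "$out/domain.key" -pubout -outform DER | openssl sha256)
    cpub=$(openssl x509 -in "$out/domain.crt" -noout -pubkey | openssl pkey -pubin -pubout -outform DER | openssl sha256)
    [ -n "$kpub" ] && [ "$kpub" = "$cpub" ] || return 1
    openssl verify -CAfile "$out/cabundle.pem" -untrusted "$out/cabundle.pem" \
        "$out/domain.crt" >/dev/null 2>&1 || return 1
    return 0
}

# How many CA certificates the PFX actually carried. 0 means the export had no chain and
# the CABUNDLE box must be filled from the issuing CA's published intermediate bundle.
ca_cert_count() { grep -c 'BEGIN CERTIFICATE' "$1/cabundle.pem" || true; }

# Stand-alone run against the constructed PFX.
OUT=$(mktemp -d)
make_demo_pfx "$OUT" changeit
split_pfx "$OUT/domain.pfx" changeit "$OUT"
check_split "$OUT" && echo "key, certificate and $(ca_cert_count "$OUT")-cert CA bundle in $OUT are consistent"
```

The password pre-check matters because `openssl pkey -out` opens the output file before it reads the key, so a wrong password would otherwise truncate an existing domain.key. Delete the extracted domain.key once it has been pasted into cPanel; it is unencrypted by design.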
