I need to import ssl certificate into java local keystore(cacerts) in order to get access to the remote ldaps server.
I have run the following command:
keytool -keystore C:\Program Files\Java\jdk1.8.0_211\jre\lib\security\cacerts -import -alias myalias -file <PATH_TO_CERTIFICATE>/certificate.cer
The certificate successfully added to the keystore:
keytool -list -alias myalias -keystore C:\Program Files\Java\jdk1.8.0_211\jre\lib\security\cacerts
Enter keystore password:
myalias, 24.10.2019, trustedCertEntry
My application properties:
ssl:
key-alias: myalias
key-store-password: changeit
key-store: C:\Program Files\Java\jdk1.8.0_211\jre\lib\security\cacerts
When I run the app I have the following exception:
Caused by: java.lang.IllegalArgumentException: jsse.alias_no_key_entry
at org.apache.tomcat.util.net.AbstractJsseEndpoint.createSSLContext(AbstractJsseEndpoint.java:99)
at org.apache.tomcat.util.net.AbstractJsseEndpoint.initialiseSsl(AbstractJsseEndpoint.java:71)
at org.apache.tomcat.util.net.NioEndpoint.bind(NioEndpoint.java:218)
at org.apache.tomcat.util.net.AbstractEndpoint.bindWithCleanup(AbstractEndpoint.java:1124)
at org.apache.tomcat.util.net.AbstractEndpoint.start(AbstractEndpoint.java:1210)
at org.apache.coyote.AbstractProtocol.start(AbstractProtocol.java:586)
at org.apache.catalina.connector.Connector.startInternal(Connector.java:1005)
... 14 more
Caused by: java.io.IOException: jsse.alias_no_key_entry
at org.apache.tomcat.util.net.SSLUtilBase.getKeyManagers(SSLUtilBase.java:328)
at org.apache.tomcat.util.net.SSLUtilBase.createSSLContext(SSLUtilBase.java:247)
at org.apache.tomcat.util.net.AbstractJsseEndpoint.createSSLContext(AbstractJsseEndpoint.java:97)
... 20 more
I am using Spring boot 2.2.0
Who knows what is the problem?
What you are doing in your application.properties is, you are securing your springboot application. Which is different from what you are trying to do (call ldaps server).
When you added the ldap server certificate into your cacerts, you don't need to do anything else. You can just make the call.
If you get PKIX exception when you make the call, then you need to make sure the CA and SubCA(s) of the ldap server certificate are trusted as well.
you need to import private key to keystore.
Step1: You need to download openSSL and then move to C:\OpenSSL-win64\bin Next, type this command:
openssl pkcs12 -export -in C:\Keystore\certificate.crt -inkey C:\Keystore\name_key.key -out C:\Keystore\server.p12 -name [name_alias] -CAfile C:\Keystore\rootCA.crt -caname root
Note: if you use alias "tomcat" in server.xml
keyAlias="tomcat"
keystoreFile="C:\Keystore\server.jks"
keystorePass="your pass"
then [name_alias] = tomcat
Step 2: use cmd and move to C:\program files\java\jdk..\ bin and type this command to convert p12 file to jks file:
keytool -importkeystore -deststorepass mypass -destkeystore C:\Keystore\server.jks -srckeystore C:\Keystore\server.p12 -srcstoretype PKCS12
Restart your tomcat server
Related
I have a Spring Boot application, deployed as WAR file in a Tomcat in Godaddy.Now, I do need to enable HTTPS on it.I had installed SSL on our domain and https is working on it.DNS and SSL certificates are managed by GoDaddy. I have already downloaded the certificate for tomcat which contains files as 'randomhex.crt','randomhex.pem','gd_bundle-g2-g1.crt','gdig2.crt.pem' and then I generated 'keystore.jks'&'keystore.p12' using these file following the below commands.
Step 1:
"keytool -import -trustcacerts -alias intermediate -file gd_bundle-g2-g1.crt -keystore keystore.jks" using password as 'password1'
Step 2:
"keytool -import -trustcacerts -alias 'alias1' -file e1......7.crt -keystore keystore.jks" using password as 'password1'
Step 3:
"keytool -importkeystore -srckeystore keystore.jks -destkeystore keystore.p12 -srcstoretype JKS -deststoretype PKCS12 -deststorepass 'password2' -srcalias 'alias1' -destalias 'alias2'" using password as 'password1'
I know now I need to add this 'keystore.p12' file to my springboot project 'resource' folder and set below ssl properties,but I am not sure about what value to set based on the above mentioned commands.Please help me to set the values for below,
server:
ssl:
key-store: classpath:keystore.p12
key-store-password: ?
key-store-type: ?
key-alias: ?
key-password: ?
enabled: true
port: ?
Also do I need to make anything on my TOMCAT server to make https work for this spring boot project???
Try this for Spring Boot:
server:
ssl:
key-store: classpath:keystore.p12
key-store-password: password2
key-store-type: PKCS12
key-alias: alias2
enabled: true
port: 443
It does not look like a key-password is set. Try leaving it out & try 'changeit' (the default for jks).
For TOMCAT it needs to be set in $TOMCAT_HOME/conf/server.xml - one of the connectors:
<Connector
protocol="org.apache.coyote.http11.Http11NioProtocol"
port="443" maxThreads="200"
scheme="https" secure="true" SSLEnabled="true"
keystoreFile="path/to/keystore.p12" keystorePass="password2" keyAlias="alias2"
clientAuth="false" sslProtocol="TLS"/>
Finally I found the solution.No need to configure SSL on spring boot.Just configure https on tomcat then https will work on your project.To configure https on tomcat you need to generate a keystore file(normally in .jks or .p12 format) by using sslcert.crt(randomhex.crt),sslkey.key,sslCA.crt(gd_bundle-g2-g1.crt) files as shown below:
goto '/opt/apache-tomcat/conf/' on your server and put above/below mentioned files there
openssl pkcs12 -export -in mycert.crt -inkey mykey.key -out mycert.p12 -name tomcat -CAfile myCA.crt -caname root -chain
Here
'mycert.crt' -> your randomhex.crt file,
'mykey.key' -> SSL key file from godaddy,
'myCA.crt' -> gd_bundle-g2-g1.crt ,
'mycert.p12' -> Name of the keystore file you want to generate.
You should asked a password when running above command and remember that password to configure tomcat server.xml file.
Now open server.xml o tomcat conf folder in edit mode and add below connector there,after that exit and save changes and restart tomcat then https will start working on your project.
<Connector port="8443" protocol="org.apache.coyote.http11.Http11NioProtocol"
maxThreads="150" SSLEnabled="true" compression="on" scheme="https" secure="true" keystoreFile="conf/mycert.p12"
keystorePass="password" SSLVerifyClient="none" SSLProtocol="TLSv1.2" />
Don't forget to add port 8443 on your spring boot 'application.yml'
server:
port: 8443
I'm trying to connect to a SSL enabled MQ channel in order to place a message using JMS(within Spring boot app) . below are the connection factory properties set before sending the message. I'm getting the
following error when jms trying to put the message.
Caused by: com.ibm.mq.MQException: JMSCMQ0001: IBM MQ call failed with compcode '2' ('MQCC_FAILED') reason '2397' ('MQRC_JSSE_ERROR')....
.....
at com.ibm.msg.client.wmq.common.internal.Reason.createException(Reason.java:203)
Caused by: sun.security.validator.ValidatorException: PKIX path building failed: sun.security.provider.certpath.SunCertPathBuilderException: unable to find valid certification path to requested target
at java.base/sun.security.validator.PKIXValidator.doBuild(PKIXValidator.java:439)
at java.base/sun.security.validator.PKIXValidator.engineValidate(PKIXValidator.java:306)
at java.base/sun.security.validator.Validator.validate(Validator.java:264)
at java.base/sun.security.ssl.X509TrustManagerImpl.checkTrusted(X509TrustManagerImpl.java:231)
at java.base/sun.security.ssl.X509TrustManagerImpl.checkServerTrusted(X509TrustManagerImpl.java:132)
at java.base/sun.security.ssl.CertificateMessage$T12CertificateConsumer.checkServerCerts(CertificateMessage.java:638)
... 81 more
Caused by: sun.security.provider.certpath.SunCertPathBuilderException: unable to find valid certification path to requested target
at java.base/sun.security.provider.certpath.SunCertPathBuilder.build(SunCertPathBuilder.java:141)
at java.base/sun.security.provider.certpath.SunCertPathBuilder.engineBuild(SunCertPathBuilder.java:126)
at java.base/java.security.cert.CertPathBuilder.build(CertPathBuilder.java:297)
at java.base/sun.security.validator.PKIXValidator.doBuild(PKIXValidator.java:434)
** certificates are already installed at QM level. it seems jms client is not picking the root certificate from the specified location. the CA root certificate(myCAcertfile.cer) (self signed) was generated using runmqckm tool in IBM mq.
MQ channel information
CHANNEL(KAU.CONN) CHLTYPE(SVRCONN)
ALTDATE(2014-02-28) ALTTIME(17.28.55)
CERTLABL( ) COMPHDR(NONE)
COMPMSG(NONE)
DESCR(Server-connection to windows host)
DISCINT(0) HBINT(300)
KAINT(AUTO) MAXINST(999999999)
MAXINSTC(999999999) MAXMSGL(4194304)
MCAUSER( ) MONCHL(QMGR)
RCVDATA( ) RCVEXIT( )
SCYDATA( ) SCYEXIT( )
SENDDATA( ) SENDEXIT( )
SHARECNV(10) SSLCAUTH(REQUIRED)
SSLCIPH(TLS_RSA_WITH_AES_128_CBC_SHA256)
SSLPEER( ) TRPTYPE(TCP)
JMS connection factory properties
// Create a connection factory
JmsFactoryFactory ff = JmsFactoryFactory.getInstance(WMQConstants.WMQ_PROVIDER);
JmsConnectionFactory cf = ff.createConnectionFactory();
// Set the properties
cf.setStringProperty(WMQConstants.WMQ_HOST_NAME, HOST);
cf.setIntProperty(WMQConstants.WMQ_PORT, PORT);
cf.setStringProperty(WMQConstants.WMQ_CHANNEL, CHANNEL);
cf.setIntProperty(WMQConstants.WMQ_CONNECTION_MODE, WMQConstants.WMQ_CM_CLIENT);
cf.setStringProperty(WMQConstants.WMQ_QUEUE_MANAGER, QMGR);
cf.setStringProperty(WMQConstants.WMQ_APPLICATIONNAME, "Manual message publihser");
cf.setBooleanProperty(WMQConstants.USER_AUTHENTICATION_MQCSP, true);
cf.setStringProperty(WMQConstants.USERID, "");
cf.setStringProperty(WMQConstants.PASSWORD, "");
System.setProperty("com.ibm.mq.cfg.useIBMCipherMappings", "false" );
cf.setStringProperty("Djavax.net.ssl.trustStore", "D:\\mq-message-handler-1.0\\ssl\\myCAcertfile.cer");
cf.setStringProperty(WMQConstants.WMQ_SSL_CIPHER_SUITE, "TLS_RSA_WITH_AES_128_CBC_SHA256");
Commands used to create CA's certificate
runmqckm -keydb -create -db myCA.kdb -type cms -pw mycakeypassword -stash
runmqckm -cert -create -db myCA.kdb -type cms -label "myCAcertificate" -dn "CN=demmoCA,O=DemmoOrg,OU=DemmoDepartment,L=DemmoLocation,C=UK" -expire 1000 -size 1024
runmqckm -cert -extract -db myCA.kdb -type cms -label "myCAcertificate" -target myCAcertfile.cer -format ascii -stashed
then created the keystore for the client using above certificate using key tool
keytool -keystore kautstclient.jks -genkey -alias winclientcert -storepass clientpassword
keytool -import -keystore kautstclient.jks -file myCAcertfile.cer -alias theCARoot
30/02/2022 update > I have now added the certificates to the client side using below commands.
generating client side's CA to self sign the client's certificate
================================================================
openssl req -x509 -newkey rsa:4096 -keyout key.pem -out cert.pem -days 365
creating certificate request from the jks in order to signed by the above CA.
===========================================================================
keytool -certreq -v -alias winclientcert -file kauclient.csr -keypass clientpassword -storepass clientpassword -keystore kautstclient.jks
signing the certificate requst(csr file) using the generated CA key
==================================================
openssl x509 -req -in kauclient.csr -CA cert.pem -CAkey key.pem -CAcreateserial -out kauclientown.crt
Import the the signed and then provided certificate certificate into your keystore using the following command:
========================================================================================
keytool -import -v -alias kauclientowncert -file kauclientown.crt -keystore kautstclient.jks -keypass clientpassword -storepass clientpassword
adding the client's key signed root CA in to queue manager's key.db
=================================================================
runmqckm -cert -add -db myqmgr.kdb -file cert.pem -label kauclientsignercertificate
Djavax.net.ssl.trustStore is not a connection factory property. You need to pass it as a Java system property. The value of the property needs to be either a JKS or PKCS12 file.
You can do this in two ways:
As a -D command line option:
-Djavax.net.ssl.trustStore=D:\mq-message-handler-1.0\ssl\myCAcertfile.jks
Using System.setProperty:
System.setProperty(javax.net.ssl.trustStore, "D:\mq-message-handler-1.0\ssl\myCAcertfile.jks");
In our Project, we use Netty as webserver, In spring boot project.
we would like to enable HTTPS and SSL in the project.
we added the certificate to the truststore by keytool.
keytool -keystore truststore.jks -import -noprompt -trustcacerts -alias "try" -file "test.cer" -keypass pass -storepass pass
Than added the keypath and keystore information in project yaml file as :
server:
ssl:
enabled: true
key-store: 'truststore.jks'
key-store-password: "pass"
key-store-type: JKS
key-alias: "try"
but eveytime we try to send request to https://127.0.0.1:8080
we get below exception :
io.netty.handler.codec.DecoderException: javax.net.ssl.SSLHandshakeException: error:100000ae:SSL routines:OPENSSL_internal:NO_CERTIFICATE_SET
Caused by: javax.net.ssl.SSLHandshakeException: error:100000ae:SSL routines:OPENSSL_internal:NO_CERTIFICATE_SET
There are two types of key store in java,
Truststore
Keystore
Truststore: stores all public keys that need to be added to communicate with the third-party systems.
Keystore: contains the private key.
I was putting the public key in Keystore and was the problem.
I am looking for a detailed guide to configure SSl in JBOSS 7. I am not using any front end server but only JBOSS. Can anybody guide me through the steps of generating a key from an authorised certificate and configuring the connector under jboss?
Use the following procedure for self-signed certificate
1.Generate key + keystore
$JAVA_HOME/bin/keytool -genkey -alias your_alias_here -keyalg RSA -keypass PASSWORD -storepass PASSWORD -keystore ENTER_KEYSTORE_NAME
2.Configure jboss for SSL ( file server.xml )
<Connector port="8443" address="${jboss.bind.address}"
maxThreads="100" minSpareThreads="5" maxSpareThreads="15"
scheme="https" secure="true" clientAuth="false"
keystoreFile="PATH_TO_KEYSTORE"
keystorePass="PASSWORD" sslProtocol = "TLS" />
2.Import certs
$JAVA_HOME/bin/keytool -import -v -alias your_alias_here -file FILE_YOU_RECEIVED_FROM_CA -keystore ENTER_KEYSTORE_NAME -storepass PASSWORD -keypass PASSWORD
I have a web application which tries to hit a https url. I have a set of 4 certificates which I import in one common file using keytool
keytool -import -v -alias a_base64 -trustcacerts -file a_Base64.cer -keystore testcacerts
keytool -import -v -alias b_base64 -trustcacerts -file b_base64.cer -keystore testcacerts
keytool -import -v -alias c_base64 -trustcacerts -file c_Base64.cer -keystore testcacerts
keytool -import -v -alias d_base64 -trustcacerts -file d_base64.cer -keystore testcacerts
The file testcacerts is generated fine. In my eclipse IDE, I have a java program that will hit the https url. While running the program, I gave the following in the VM arguments
-Djavax.net.ssl.keyStore=c://testcacerts
The java program ran fine. Now I am deploying the war of the project in tomcat server 7. When my application tries to access https url, it gives the following exception
sun.security.validator.ValidatorException: PKIX path building failed: sun.security.provider.certpath.SunCertPathBuilderException: unable to find valid certification path to requested target.
I set the environment variables CATALINA_OPTS and JAVA_OPTS to point to that testcacerts location
JAVA_OPTS=-Djavax.net.ssl.trustStore=/temp/testcacerts
After I re start my tomcat, when my application hits the https url, am getting the same exception.
I even tried to change the configuration in server.xml in tomcat conf as given below
<Connector port="8443" maxHttpHeaderSize="8192" maxThreads="150" minSpareThreads="25"
maxSpareThreads="75" enableLookups="false" disableUploadTimeout="true" acceptCount="100"
scheme="https" secure="true" SSLEnabled="true" clientAuth="false" sslProtocol="TLS"
keystoreFile="/temp/testcacerts" keystorePass="samplePassword" />
The password in keystorePass is the one that I gave while generating the keystore.
Even after the above changes, I was getting the same exception.
I am currently running the application in Unix environment and the tomcat is present in Unix server as well. I don't have access to the java installation directory and because of which I am not able to place this certificate file in the jre\lib\security folder.
Am I missing anything here. Please guide me.
In case it is valid self-signed certificates you should select one certificate for the SSL connector. Please add keyAlias with the selected certificate (e.g. a_base64) to your connector configuration
<Connector port="8443" ... keyAlias="a_base64" />
Usefull links:
http://tomcat.apache.org/tomcat-7.0-doc/ssl-howto.html
http://tomcat.apache.org/tomcat-7.0-doc/config/http.html
You may remove your -Djavax settings.