Eclipse Liberty plugin keystore feature editor - websphere-liberty

This is a heads-up, not a question:
I am using Eclipse Neon with the latest WAS Liberty Plugin, and when I add a keystore to the server.xml using the built-in config editor for Liberty, the password is not designated as a mandatory field (see pic below - there is no "*" to indicate a mandatory field), yet when I skip it and start a server I get an error: [ERROR ] CWPKI0808E: A password of at least 6 characters is required to create the default keystore. The default keystore is not created.

There are some cases where a password is not required, hence it is optional. In your case the keyStore will be created with the personal certificate, which needs to be protected. We will try to clarify this more.

Related

Error: unable to verify the first certificate - Springboot

I have written a RESTful API project which is developed using Spring Boot, and I am using the embedded Tomcat and running a jar on a Linux server.
The APIs are live at:
https://api.arevogroup.com:8089/api/regions
and I can see the verified and correct SSL certificate in the given screenshot as well,
but I am getting this exception in Postman when I call these APIs.
These APIs are consumed by a Xamarin based app, which seems to work fine when consumed using iPhone but gives this same exception when the APIs are accessed via Android.
I guess the way I have generated the SSL certificate has some issues.
I have used a pfx file, and my SSL config in the properties file looks like this:
###SSL Key Info
security.require-ssl=true
server.ssl.key-store-password=PASSWORD
server.ssl.key-store=classpath:ssl_pfx.pfx
server.ssl.key-store-type=PKCS12
I have 2 questions: if I disable SSL verification, would the communication still be encrypted or not? (A man-in-the-middle attack is still possible, but the info will still be encrypted, right?)
If not, how can I fix this?
You can't disable the verification of the server certificate. No browser will allow you to do it, except on an exceptional basis (the user must confirm the exception). If the client disables the verification, then the communication will be encrypted (i.e. no passive attack will be possible).
The errors you see are caused by a misconfiguration of your server.
Your certificate chain contains just the certificate for your server and lacks the intermediate certificate CN=Go Daddy Secure Certificate Authority - G2. You need to download it from Go Daddy (it is the one named gdig2.crt.pem) and add it to your keystore.
Refer to this question on how to do it.
Some browsers cache intermediate certificates and are able to verify your site even if one certificate is missing. However you should not rely on it.
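To make the "missing intermediate" diagnosis above repeatable, here is an added example (not the poster's or Spring's code) that parses the chain section of `openssl s_client -showcerts` output and walks issuer links until it reaches a trust anchor or finds the certificate the server failed to send. The sample output is constructed, and the root CA name in TRUST_ANCHORS is an assumption.

```python
"""Diagnose an incomplete chain from `openssl s_client -showcerts` output.
Added example for this thread, not the poster's code; the sample output is
constructed and the root CA name is assumed, not taken from the real server."""
import re

# Constructed sample: the server sends only its leaf certificate, which is the
# misconfiguration behind "unable to verify the first certificate".
SAMPLE_S_CLIENT_OUTPUT = """\
Certificate chain
 0 s:CN = api.arevogroup.com
   i:C = US, O = GoDaddy.com, Inc., CN = Go Daddy Secure Certificate Authority - G2
-----BEGIN CERTIFICATE-----
-----END CERTIFICATE-----
Verify return code: 21 (unable to verify the first certificate)
"""

# Subject CNs of roots in the client's trust store (assumed name).
TRUST_ANCHORS = {"Go Daddy Root Certificate Authority - G2"}

SUBJECT_LINE = re.compile(r"^\s*\d+\s+s:(.*)$")
ISSUER_LINE = re.compile(r"^\s*i:(.*)$")

def cn(dn: str) -> str:
    """Return the CN attribute of a distinguished-name line, or the whole line."""
    m = re.search(r"CN\s*=\s*([^,]+)", dn)
    return m.group(1).strip() if m else dn.strip()

def parse_chain(text: str) -> list:
    """Extract (subject CN, issuer CN) pairs in the order the server sent them."""
    pairs, subject = [], None
    for line in text.splitlines():
        if m := SUBJECT_LINE.match(line):
            subject = cn(m.group(1))
        elif (m := ISSUER_LINE.match(line)) and subject is not None:
            pairs.append((subject, cn(m.group(1))))
            subject = None
    return pairs

def find_missing_link(pairs: list, anchors: set):
    """Walk from the leaf towards a trust anchor. Returns None for a complete
    chain, else the CN of the first issuer the server failed to send."""
    by_subject = dict(pairs)
    issuer, seen = pairs[0][1], set()
    while issuer not in anchors:
        if issuer not in by_subject or issuer in seen:
            return issuer  # this certificate must be added to the keystore chain
        seen.add(issuer)
        issuer = by_subject[issuer]
    return None
```

A self-signed leaf that is not in the anchor set is reported under its own CN, since from the client's point of view it is equally unverifiable.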
security.require-ssl=true
server.ssl.key-store-password=PASSWORD
server.ssl.key-store=keystore.jks
server.ssl.key-store-provider=SUN
server.ssl.key-store-type=JKS
Used the JKS file instead of PFX and it worked fine. Thought I'd share with others too.

Spring SAML2 IdP certificate update

Our IdP is updating the certificate in their IdP metadata.
They are offering a one month period in which both the old and new certificates will be valid, so that we can switch to the new certificate.
The issue is that any time they update the certificate, we have to redeploy the IdP metadata containing the new certificate, and that includes downtime (server restart) that we would like to avoid if possible.
My question is:
Is there the possibility to switch to a new IdP metadata file without a server restart (Java app running in Tomcat 7)?
Alternatively, is there the possibility to use 2 metadata files for the same IdP, one with the new and one with the old certificate, and to switch to the new one at runtime?
You can include both signature certificates in the same IDP metadata. Spring SAML will try to verify the signature on an incoming message using all available certificates, until it finds a match or fails. Two files for the same IdP won't work.
You can use the org.opensaml.saml2.metadata.provider.FilesystemMetadataProvider, which will automatically reload metadata when the file its configuration points to gets updated - without application restart.

Sonarqube settings encryption

I am attempting to set up a SonarQube instance with an HTTPS listener. I understand that SonarQube supports HTTPS out of the box in version 4.2. What I am having difficulty with is encrypting clear-text password settings in sonar.properties.
Looking at their wiki article about encryption support, it seems like it is possible to encrypt clear-text passwords. However, I am not having any luck with an encrypted value in the sonar.web.https.keystorePass property. Tested with clear text and it works fine. Also tested different store types (JKS/PKCS12) and a simpler passphrase; nothing seems to be working, and the keystore read fails when attempting to start the server with an encrypted keystore password.
Was anyone able to use the built-in encryption mechanism in SonarQube to run it with HTTPS?
Unfortunately the properties sonar.web.* can't be encrypted. This limitation is fixed in version 4.4: https://jira.codehaus.org/browse/SONAR-4781

Concerns on SSL config within Websphere Application Server

I'm kind of confused with the SSL settings within WebSphere Application Server.
As you can see from the attached picture, the Default SSL setting has been done in both cell and node scope. Below are my questions:
Is either inbound or outbound data through WebSphere transferred over SSL according to the setting?
Is the above SSL setting enabled by default? If not, then how do I enable it?
In regard to the KeyStore or TrustStore configuration, I can see it refers to a path like
${CONFIG_ROOT}/cells/localhostCell01/key.p12
However, I can not find this variable CONFIG_ROOT within WebSphere Variables through the Admin Console. Does it mean that SSL is disabled by default, so it's OK for this variable to have no value?
Thanks in advance
Please see the WebSphere Security Redbook chapter 4 for details - http://www.redbooks.ibm.com/redbooks/pdfs/sg246316.pdf
CONFIG_ROOT is a substitution variable, so you should be fine - http://publib.boulder.ibm.com/infocenter/iadthelp/v6r0/index.jsp?topic=/com.ibm.ws.ast.st.v6.doc/topics/tsubvarv6.html
You can test which certificates are enabled using openssl from the command line - http://www.cyberciti.biz/faq/test-ssl-certificates-diagnosis-ssl-certificate/

WebSphere 7 SSL error that never goes away no matter what I do?

I installed WebSphere 7.0 and RAD 7.5. Updated WAS to fix pack 11 and updated RAD to 7.5.5, latest updates, etc.
I create a server profile.
I start the server.
I turn on global security and use LDAP. (something I have done a billion times)
I don't even attempt to publish an application.
The server constantly debugs out this message every two minutes.
How do you make it stop? I have tried making new keys, which doesn't work; I blow away the profile and make a new one. Nothing works. Nothing. The server is running at 400 MB without an application installed. Is this supposed to be normal? 400 MB with no app published?
The server profile creation wizard forces this SSL nonsense into the config.
What's really going on here?
I would love to utilize the latest server technology IBM has to offer but it seems to be broken right out of the box, out of the gate. 5 fix packs later and it's still broken.
[8/25/10 8:12:44:896 CDT] 0000000b SSLHandshakeE E SSLC0008E: Unable to initialize SSL connection. Unauthorized access was denied or security settings have expired. Exception is javax.net.ssl.SSLException: Unrecognized SSL message, plaintext connection?
at com.ibm.jsse2.b.a(b.java:34)
at com.ibm.jsse2.pc.a(pc.java:155)
at com.ibm.jsse2.pc.unwrap(pc.java:104)
at javax.net.ssl.SSLEngine.unwrap(SSLEngine.java:17)
at com.ibm.ws.ssl.channel.impl.SSLConnectionLink.readyInbound(SSLConnectionLink.java:531)
at com.ibm.ws.ssl.channel.impl.SSLConnectionLink.ready(SSLConnectionLink.java:291)
at com.ibm.ws.tcp.channel.impl.NewConnectionInitialReadCallback.sendToDiscriminators(NewConnectionInitialReadCallback.java:214)
at com.ibm.ws.tcp.channel.impl.NewConnectionInitialReadCallback.complete(NewConnectionInitialReadCallback.java:113)
at com.ibm.ws.tcp.channel.impl.AioReadCompletionListener.futureCompleted(AioReadCompletionListener.java:165)
at com.ibm.io.async.AbstractAsyncFuture.invokeCallback(AbstractAsyncFuture.java:217)
at com.ibm.io.async.AsyncChannelFuture.fireCompletionActions(AsyncChannelFuture.java:161)
at com.ibm.io.async.AsyncFuture.completed(AsyncFuture.java:138)
at com.ibm.io.async.ResultHandler.complete(ResultHandler.java:204)
at com.ibm.io.async.ResultHandler.runEventProcessingLoop(ResultHandler.java:775)
at com.ibm.io.async.ResultHandler$2.run(ResultHandler.java:905)
at com.ibm.ws.util.ThreadPool$Worker.run(ThreadPool.java:1550)
I was wrong. Creating it from either way causes the issue. (running the pmt.bat or through the rad tool).
The real issue was not copying the global security stuff as a security domain. Basically you go to Security > Security Domains > then click the Copy from Global Security option.
This is just crazy. Why not simply have the goofy wizard ask if you would like this to happen also??? IBM infuriates me.
I solved this issue by enabling security in the server screen.
Open the Servers view, double click on the server, expand security, enable "Security is enabled in this server" and provide a user ID + password. After this the problem went away.
For some reason it was disabled even though I enabled it through the admin console.
It's too late, but maybe it helps others like me :)
Agree with Peter above, it's the IDE which checks status from the server.
You need to add the certificate 'X' i.e. exportedCertificate.cer to JRE keystore. To do this, run this command in a Windows CMD window:
keytool -import -file exportedCertificate.cer -storepass changeit -keystore %JAVA_HOME%/jre/lib/security/cacerts -alias myAlias
Certificate 'X' is the default certificate in your Websphere server. You can find and export it through IBM console. Alternative is to hit HTTPS url at browser and export it from browser in DER format.
I found that this solution worked best for me.
http://wiing.fr/websphere-application-server-ssl-error/
The way to fix it is to connect to the administration console, navigate to: Security > SSL certificate and key management > Key stores and certificates > NodeDefaultKeyStore > Personal certificates.
Select the default alias and click on renew. Restart WAS.
I recently got that error because the certificate's beginning date was set to a date in the future; could not understand what happened to my configuration...
Your app server is trying to establish an SSL connection on a port that is not SSL. An easy way to see it live is trying to access the admin console using http but using the SSL port.
If you use the standard ports you can try this:
http://localhost:9043/ibm/console/
This error may be caused by your IDE (let it be Rational Application Developer RAD, Rational Software Architect RSA or plain Eclipse), which is trying to update the server status in the "Servers View".
As somebody here already said, the IDE's call to WebSphere Application Server's console fails, because it's malformed:
Unrecognized SSL message, plaintext connection?
Since your IDE tries to update the status regularly, the server prints this error message as often.
What worked in my case, was to remove the server from the "Servers View" (Right click - delete) and add a new one (Right click - new).
In my case, my IDE is not run with IBM's JRE, since it's Eclipse, so I updated the eclipse.ini to include
-vm
E:/IBM/WebSphere/AppServer/java/bin/javaw
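To separate the periodic IDE status poll from a genuine handshake failure, here is an added example (not IBM's or any poster's code) that parses SystemOut.log lines in the format quoted above and flags an SSLC0008E reason that recurs on a fixed period. The sample lines are constructed, and the certificate_unknown reason and the 120-second period are assumptions.

```python
"""Triage repeated SSLC0008E entries from a WebSphere SystemOut.log.
Added example for this thread, not IBM tooling; the log lines below are
constructed in the format shown in the question."""
import re
from datetime import datetime
from statistics import median

# Constructed sample: four plaintext-on-SSL-port failures exactly two minutes
# apart (the IDE "Servers view" poll) plus one genuine trust failure.
SAMPLE_LOG = """\
[8/25/10 8:12:44:896 CDT] 0000000b SSLHandshakeE E SSLC0008E: Unable to initialize SSL connection. Unauthorized access was denied or security settings have expired. Exception is javax.net.ssl.SSLException: Unrecognized SSL message, plaintext connection?
[8/25/10 8:13:10:004 CDT] 0000001a SSLHandshakeE E SSLC0008E: Unable to initialize SSL connection. Unauthorized access was denied or security settings have expired. Exception is javax.net.ssl.SSLHandshakeException: Received fatal alert: certificate_unknown
[8/25/10 8:14:44:901 CDT] 0000000b SSLHandshakeE E SSLC0008E: Unable to initialize SSL connection. Unauthorized access was denied or security settings have expired. Exception is javax.net.ssl.SSLException: Unrecognized SSL message, plaintext connection?
[8/25/10 8:16:44:899 CDT] 0000000b SSLHandshakeE E SSLC0008E: Unable to initialize SSL connection. Unauthorized access was denied or security settings have expired. Exception is javax.net.ssl.SSLException: Unrecognized SSL message, plaintext connection?
[8/25/10 8:18:44:903 CDT] 0000000b SSLHandshakeE E SSLC0008E: Unable to initialize SSL connection. Unauthorized access was denied or security settings have expired. Exception is javax.net.ssl.SSLException: Unrecognized SSL message, plaintext connection?
"""

# [timestamp zone] threadId component level MSGID: text
LINE = re.compile(r"^\[(?P<ts>[^\]]+)\] (?P<thread>\w+) (?P<comp>\S+) (?P<lvl>\w) "
                  r"(?P<msgid>\w+): (?P<text>.*)$")

def parse_events(text: str, msgid: str = "SSLC0008E") -> list:
    """Return (timestamp, exception reason) for every line carrying msgid."""
    events = []
    for line in text.splitlines():
        m = LINE.match(line)
        if not m or m["msgid"] != msgid:
            continue
        stamp = m["ts"].rsplit(" ", 1)[0]  # drop the zone abbreviation
        ts = datetime.strptime(stamp, "%m/%d/%y %H:%M:%S:%f")
        reason = m["text"].split("Exception is ", 1)[-1].strip()
        events.append((ts, reason))
    return events

def triage(events: list, period_s: float = 120, tolerance_s: float = 5) -> dict:
    """Group failures by reason and flag a reason as a polling client when the
    median gap between hits sits within tolerance of the expected period."""
    by_reason = {}
    for ts, reason in events:
        by_reason.setdefault(reason, []).append(ts)
    report = {}
    for reason, stamps in by_reason.items():
        stamps.sort()
        gaps = [(b - a).total_seconds() for a, b in zip(stamps, stamps[1:])]
        periodic = len(gaps) >= 2 and abs(median(gaps) - period_s) <= tolerance_s
        report[reason] = {"count": len(stamps), "periodic": periodic}
    return report
```

A reason that is periodic and plaintext-related points at a misconfigured client (the IDE's poll hitting the SSL port), while a non-periodic alert such as certificate_unknown is a client genuinely rejecting the server certificate and deserves a look at key.p12 validity.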
In most cases, this is due to an expired SSL certificate. Go to:
C:\Program Files (x86)\IBM\WebSphere\AppServer\profiles\AppSrv01\config\cells\XXXXXXNode01Cell\nodes\XXXXXXXXNode01
and see the key.p12 and trust.p12 files. Check the created/modified date. It will typically be more than 1 year old. This means it's expired, as the above files are typically valid for 1 year only.
Solution
Delete the entire WebSphere server profile (which will delete everything under C:\Program Files (x86)\IBM\WebSphere\AppServer\profiles\AppSrv01) and create a new one. This will wipe out the key.p12 and trust.p12 files along with other files, and create new key.p12 and trust.p12 files when you create the new profile.
Copy key.p12 and trust.p12 from your colleague's machine whose key files (key.p12 and trust.p12) are not expired. You can also use the iKeyman tool to renew key.p12.
I also faced this issue and finally sorted it out. Below are the steps that may be helpful.
Delete the profiles which you have created earlier.
To view all profiles: IBM/AppServer/bin/manageprofiles.bat -listProfiles
To delete a profile: IBM/AppServer/bin/manageprofiles.bat -delete ProfileName
Windows --> Start --> Services: find any IBM WebSphere servers running in the background, try to stop them, and restart the server.
Modify your eclipse.ini to explicitly use the IBM JRE as follows:
-vm C:/Program Files (x86)/IBM/WebSphere/AppServer/java_1.7_64/jre/bin/javaw.exe
--launcher.appendVmargs
-vmargs
-Dosgi.requiredJavaVersion=1.7
-Xms512m
-Xmx6144m
Restart Eclipse and restart your IBM WebSphere Application Server to fix the issue.
