Domino outbound as client - client

Having some trouble with Domino server as client to a Web Service
Hope someone can answer a pretty easy question, but the easy question dont have a answer some I can find.
There is lots of Root Certificates in NAB
and there is also some common Root Certificates in every *.kyr file you create in certsrv.nsf for your seerver certificates.
I get an error from SSL_DEBUG that says
[108C:005C-0D8C] 2015-12-15 19:07:19,34 SSLCheckCertChain> Invalid certificate chain received
[108C:005C-0D8C] Cert Chain Evaluation Status: err: 3659, Cannot establish trust in a certificate or CRL.
It is pretty obvious what is the problem, I need to include a missing Certificate.
But I like to know if Domino is using the *.kyr file or if it is using the Certificates in the NAB when establishing the connection to the remote server.
Anyone know how Domino acts here ?
/Stefan

You have to find out the TLS certificate chain and add all public TLS certificates as trusted internet certificates to you domino directory.
Find out Certificate Chain
Use on of this Tools:
For internal and external server SSLyze
sslyze.exe <servername>:443 --certinfo=basic
Take a look at Certificate Chain Received:
For external server SSL Labs
Go to the section "Certification Paths"
Download public certificates from CA-Webpage or get from your internal CA responsible person.
Step-by-Step Domino Configuration
Import Certificates
Importing an Internet certifier into the Domino Directory
Cross Certificate Certificates
Server: Choose your Admin Server or server where the Domino CA (not SSL CA) is hosted.
Certifier: Choose your certifier ID or your Domino CA
Creating an Internet cross-certificate in the Domino Directory from a certifier document
Java/LotusScript Side
The Java or LotusScript Consumer has to be told to accept CA security (stub.setSSLOptions(PortTypeBase.NOTES_SSL_ACCEPT_SITE_CERTS);)
Examples based on Creating your first Web Service provider and consumer in LotusScript and Java.
Java
HwProvider stub = new HwProviderServiceLocator().getDomino();
stub.setSSLOptions(PortTypeBase.NOTES_SSL_ACCEPT_SITE_CERTS);
String answer = "" + stub.HELLO("world");
System.out.println("The answer is : " + answer);
LotusScript
Dim stub As New HwProvider()
stub.setSSLOptions(NOTES_SSL_ACCEPT_SITE_CERTS)
MessageBox stub.Hello("world")
Further Information
Question "Create cross certificate for Domino Java agent?" is similar but not a duplicate. It shows further aspects.

Thanks for your input, but that did not solve the problem.
I got solved trough
- downloading KYRtool
- install in /Domino folder
- include the Root certificate(SHA2) from Web Service domain into existing .kyr file
- restart http task
So conclusion is that it is the the .kyr file that is handling all stuff in outgoing connections

Related

MQ client key repository questions

I am currently developing an MQ application client-side, that is meant to establish connection between a machine and a distant server, and I need to implement SSL connection between them. The server was already configured with a given certificate that I was sent. The problem is : I can't understand what exactly needs to be done with the key repository part.
It looks like the MQCONNX call is expecting not only a certificate name (label), but also a key database (kdb) file, which I don't have. Thus I have several question, because it seems like I don't understand every aspect of the certificate part:
How can I get the kdb file linked to the certificate? Is it supposed to be generated by the person who made the certificate?
Where is it supposed to be stored? Can I use any folder/name?
A little background : I am working on Windows and developping with C MQ libraries. Before the SSL requirement was added, everything was working properly : I could connect to the queue manager and post messages into a given queue. Now I get error 2381 MQRC_KEY_REPOSITORY_ERROR, which will probably be gone after this key repository part is solved.
Thanks a lot for all your answers.
Cheers,
I think between them the comments to your question provide the answer. In essence your client application (or the underlying MQ C layer) needs to trust the certificate that the server is sending.
If the certificate you have was signed by a trusted certificate authority,
then your app needs to be told to trust the public key of the certificate authority. If it is self-signed, then your app needs to be told to trust the public certificate.
Either way, you will need a keystore. The keystore holds all the public keys and public keys of certificate signers that you trust.
To create the keystore, follow the "Create a client keystore" section of https://developer.ibm.com/tutorials/mq-secure-msgs-tls/
These steps will create a keystore containing the certificate that you have been sent.
You then tell your application where to find the trusted keys keystore by setting the environment variable MQSSLKEYR
// MQSSLKEYR is need so that the MQ client knows what keystore to use..
// note it is the full path, including the base file name but not the .kdb extension
// my keystore file is user.kdb in the C:\tmp subdirectory..
set MQSSLKEYR=C:\tmp\user
see - https://www.ibm.com/docs/en/ibm-mq/9.0?topic=wsulw-specifying-key-repository-location-mq-mqi-client-unix-linux-windows
and
https://www.ibm.com/support/pages/how-do-i-configure-mq-client-c-based-application-amqsputc-amqsgetc-connect-mq-server-ssl

How to Get Self Signed Certificate in Ec2

I am working in Ec2 instance. I have connected my php files like http://13.57.220.172/phpinsert.php. But it is not secured site. So i want to convert http into https://13.57.220.172.
I have cloudflare ssl. When i try to add ssl certificate. It shows
com.amazonaws.pki.acm.exceptions.external.ValidationException: Provided certificate is not a valid self signed. Please provide either a valid self-signed certificate or certificate chain. Choose Previous button below and fix it.
i have enclose the image with it.
So how can i get the self signed certificate. is there any online tool available.
I think the error message your seeing has to do with this sentence:
If your certificate is signed by a CA, you must include the
certificate chain when you import your certificate.
from https://docs.aws.amazon.com/acm/latest/userguide/import-certificate-prerequisites.html.
Since it sounds like you're not yet in "production" mode, I'm guessing you're not particularly attached to your existing certificate, but just want a certificate to be able to do HTTPS on your web server (and don't really care if it's self-signed).
If you want to use AWS Certificate Manager, I think it would be easier to just let them (AWS) issue you a certificate instead of trying to import one from somewhere else. AWS doesn't charge anything for certificates. https://docs.aws.amazon.com/acm/latest/userguide/acm-billing.html
Even if you get the certificate setup in AWS Certificate Manager, that's not going to be installed directly on your EC2 instance, but rather (most likely) on a load balancer in front of your web server, which will add a little complexity to your setup. https://docs.aws.amazon.com/acm/latest/userguide/acm-services.html
If all you want to do is use HTTPS on your web server, Let's Encrypt (also free) is probably a simpler option. If you are using AWS Linux 2, there are instructions for getting a certificate here - https://docs.aws.amazon.com/AWSEC2/latest/UserGuide/SSL-on-amazon-linux-2.html
Well, add to the points which #jefftrotman has already mentioned.
If your expectation is to just secure your IP address using HTTPS you can achieve that using the below approaches:
A SELF SIGNED certificate that you can create using OpenSSL.
You can also get an SSL certificate from a trust signing authority like (GoDaddy or VeriSign) or Let's encrypt.
The only requirement in the second point is that for getting a certificate from a valid signing authority you need to have a domain name like "myphpapp.com" and then use this domain to get the SSL certificate.
The below details are in case you want to use AWS ACM(Amazon Certificate Manager)
If you prefer ACM, you can get the free Public SSL certificate which you can map to the IP address and your web application will be secured.
If your requirement is to add SSL certificates (like PEM files) to a web server like
NGINX or Apache then you first need to create a Private CA using in ACM and then you using this CA you will be able to create Private SSL certificates. After creating those you can export the files and add those files to the configuration file. (try to use Amazon Linux 2) ec2 image for ease.

From self managed Let's Encrypt to AWS Certificate Manager

I have been managing Let's Encrypt's SSL certificates for a domain.
Now I am moving to Amazon API gateway. I will be using the AWS Certificate Manager to generate HTTPS certificates for the root domain and a bunch of subdomains.
If I make the transfer, what happens to my current HTTPS certificate which is associated with my domain. If browsers suddenly start seeing a new HTTPS certificate for a domain, for which they had been getting a different HTTPS certificate until now, would this be a problem?
Also, once I make the shift, what do I do with my current (manually managed) Let's Encrypt certificate? Is there a way to permanently void it?
Szabolcs Dombi says
You can have multiple valid certificates for the same domain at the
same time. Moving from one certificate issuer to another should not
cause a problem.
Toby Osbourn says
SSL certificates don’t last forever, most of them need to be renewed
on a yearly cycle and occasionally you will want to change the type of
the SSL certificate mid-cycle.
Since you are replacing certificates, I suggest you to back up the ones you have.
Once you have backed up the old certificates, just overwrite the .crt and .key files with your new ones. Then, reload your web server so it knows to look at these new certificates, and you should be good to go.
If it's within your interest to know more about how to Generate SSL certificate using Amazon Certificate Manager (ACM), I suggest Barguzar, A. (July 2018). Building Serverless Python Web Services with Zappa. where one can read a good step by step guide. See an excerpt of it below:
ACM is a service that manages and creates SSL/TSL certificates for
AWS-based services and applications. An ACM certificate works with
multiple domain names and subdomains. You can also use ACM to create a
wildcard SSL.
ACM is strictly linked with AWS Certificate Manager Private
Certificate Authority (ACM PCA). ACM PCA is responsible for validating
the domain authority and issuing the certificate.
You can have multiple valid certificates for the same domain at the same time. Moving from one certificate issuer to another should not cause a problem.
This also means that if you create a new certificate the old one still can be used unless it already expired.

Why use SSL for the NuGet repository?

We had an issue with our automated build machine yesterday. We are using a TFS Build server, and when it tried to automatically download NuGet packages, we got the infamous "The underlying connection was closed: Could not establish trust relationship for the SSL/TLS secure channel" error.
There are a lot of threads around the 'net regarding why this happens. That isn't my question. It can be fixed easily enough by changing your NuGet repository from
https://nuget.org/api/v2/
to
http://nuget.org/api/v2/
or
http://packages.nuget.org/v1/FeedService.svc/
What I'd like to know is why the repository is using SSL in the first place? I assume it is there for a reason, but I can't figure out what. There is no login that would require security. I can't think of any information being sent that would need to be secure. I just want to make sure that by using an unsecured connection (which works just fine) we aren't somehow compromising our build machine.
Can anyone explain what is gained from connecting to NuGet using a secured connection?
I can't think of any information being sent that would need to be
secure.
It is not necessarily because the information you exchange with nuget.org contains anything secret and thus needs to be secure. By using using SSL you will be certain that it actually is nuget.org you're talking with. Without SSL, somebody might in theory be feeding you bogus packages, and that might be a security problem.
As for the issue you're experiencing with "Could not establish trust relationship for the SSL/TLS secure channel", we've had a similar problem when we started using a new build server:
If you look at the SSL certificate presented by https://nuget.org/, the certification path is: GeoTrust Global CA > RapidSSL CA > *.nuget.org
GeoTrust Global CA was missing as a trusted CA on our new build server, so the problem was easily solved by adding them to the build servers list of trusted root CAs (using the MMC console with the Certificates snap-in).
Update:
On a later service, I've experienced the same SSL issue, and adding GeoTrust as a trusted CA alone didn't solve the problem. In addition, the server was also missing to root CA for https://go.microsoft.com/, which is Baltimore CyberTrust Root (go to https://microsoft.com, and you'll be able to view and download the certificate). Adding this to the servers list of trusted root CAs solved the issue.

Creating a web service that requires client certificates

I am currently working on a project that has the following components (all .NET 2.0)
Client Application
Web Service Invocation API
Web Service
In summary the Client Application creates and instance of the API and this calls the Web Service. Nice and simple and this all works exactly as I want it to.
The next stage of the project was to secure the Web Service with SSL. So I have created a "Self Signed CA" and from this signed a server certificate for IIS. Again, nice and simple and this all works exactly as I want it to.
The next stage of the project is to secure the Web Service by requiring the invoker to supply a client certificate. So I have created a client certificate (via the Self Signed CA). I am then adding this to the Web Service invocation call in the API:
WSBridge.Processor processor = new WSBridge.Processor();
processor.Url = this.endpoint;
processor.ClientCertificates.AddRange(this.clientCertificates);
processor.Timeout = (int)Settings.Default["DefaultTimeout"];
In debug I can see that this.clientCertificates contains the certificate I created. So in theory it is being presented to the web server.
However, when I attempt to call the Web Service I get the following exception in the API:
The request failed with HTTP status 403: Forbidden.
Fairly self explantory, but I have no idea what is causing the problem.
Other relevant information:
In my dev environment Client, API & Web Service are all running on the same machine
If I attempt to access the Web Service Description in IIS I get the following error (I am not prompted to choose a client certificate):
HTTP Error 403.7 - Forbidden
The page you are attempting to access requires your browser to have a Secure Sockets Layer (SSL) client certificate that the Web server recognizes.
The client certificate is loaded into the Personal store for the current user, the CA root is in trusted root for the local machine and current user.
If I switch off "Require SSL" and put "Client Certificates" on accept in IIS I can make my request. However when I look at HttpContext.Current.Request.ClientCertificate.Count in the Web Service this comes back as 0.
I need to be able to run my development with client certificates as portions of the service code use the CN of the client certificate to perform various actions. I could hack it in but it would be nice to be able to do a real end to end.
All the certificates mention here were generated using OpenSSL. I am developing on Windows 7 so I do not have the facility to install Microsoft CA
So, does anybody have any ideas as to the cause of this problem?
As an aside (not worth creating a new question for this) - for some reason when I enable SSL for the Web Service Visual Studio is no longer able to debug the service.
EDIT : Some more information
The client certificate has an intended purpose of <All>
Although I am working on localhost the server certificate for the web server was issued to devserver.xyz.com so I have changed my hosts file to point that to localhost. As such I can now browse (with client certs switched off in IIS) to my service descriptor page without seeing any SSL certificate warnings.
Well I have solved the problem, in summary this was due to the format of the client certificate this should have been PKCS12.
More Detail
Although the MMC Certificate plugin was showing the client certificate in the personal store for the current userm I noticed that when viewing the same store via Internet Explorer (Tools -> Internet Options -> Content -> Certificates) the certificate was not present.
After a little Googling it seems that IE will only accepts PKCS12 format for client certificates, so I convert the certificate with the following OpenSSL command:
openssl pkcs12 -export -in client_alpha.cer -inkey client_alpha.key -out client_alpha.p12
I then imported the p12 file into IE which allowed me to browse to the Web Service description page with full client/server certificated TLS.
Once I had made this change, I then retried by client application and this now works aswell. This is due to the fact that IIS, like IE, will only accept client certificates in PKCS12 format.

Resources