Implementation of com.ibm.wsspi.ssl.WSPKIClient for CA certificate on Websphere 7 - websphere

Our customer, using WebSphere 7, decided to no longer use self-signed certificates but from now on always use CA certificates.
I was browsing through the Security guide for the WebSphere environment and SSL settings, and found this information:
A CA client must be created to connect to the CA server before creating a CA certificate. You need to implement the com.ibm.wsspi.ssl.WSPKIClient interface to enable WebSphere Application Server security to communicate with a remote CA. The class name needs to be provided as part of the CA client when it is created.
I am not sure if I understand it correctly. But in the situation where I already have a CA certificate and just want to import it into our environment, do I need to implement this interface?
Does that mean that if I need to switch from self-signed certificates on WebSphere to CA certificates, our software needs an implementation change?
I would expect only importing new truststores, keystores, etc., but no Java implementation.
Does someone have knowledge about this change?

But in the situation where I already have a CA certificate and just want to import it into our environment, do I need to implement this interface?
No, you don't need to implement this interface; you can just import your certificates into your environment (trust and key stores).
This interface is required if you want automatic management with a remote CA, e.g. if a certificate expires, to allow WAS to automatically connect to the CA and request a new one.

Related

MQ client key repository questions

I am currently developing an MQ client-side application that is meant to establish a connection between a machine and a distant server, and I need to implement an SSL connection between them. The server was already configured with a given certificate that I was sent. The problem is: I can't understand what exactly needs to be done with the key repository part.
It looks like the MQCONNX call is expecting not only a certificate name (label) but also a key database (kdb) file, which I don't have. Thus I have several questions, because it seems I don't understand every aspect of the certificate part:
How can I get the kdb file linked to the certificate? Is it supposed to be generated by the person who made the certificate?
Where is it supposed to be stored? Can I use any folder/name?
A little background: I am working on Windows and developing with the C MQ libraries. Before the SSL requirement was added, everything was working properly: I could connect to the queue manager and post messages into a given queue. Now I get error 2381 MQRC_KEY_REPOSITORY_ERROR, which will probably be gone once this key repository part is solved.
Thanks a lot for all your answers.
Cheers,
I think, between them, the comments to your question provide the answer. In essence, your client application (or the underlying MQ C layer) needs to trust the certificate that the server is sending.
If the certificate you have was signed by a trusted certificate authority, then your app needs to be told to trust the public key of the certificate authority. If it is self-signed, then your app needs to be told to trust the public certificate.
Either way, you will need a keystore. The keystore holds all the public keys and public keys of certificate signers that you trust.
To create the keystore, follow the "Create a client keystore" section of https://developer.ibm.com/tutorials/mq-secure-msgs-tls/
These steps will create a keystore containing the certificate that you have been sent.
You then tell your application where to find the trusted keys keystore by setting the environment variable MQSSLKEYR:
rem MQSSLKEYR is needed so that the MQ client knows which key repository to use.
rem Note it is the full path, including the base file name but not the .kdb extension.
rem My keystore file is user.kdb in the C:\tmp directory.
set MQSSLKEYR=C:\tmp\user
See https://www.ibm.com/docs/en/ibm-mq/9.0?topic=wsulw-specifying-key-repository-location-mq-mqi-client-unix-linux-windows
and
https://www.ibm.com/support/pages/how-do-i-configure-mq-client-c-based-application-amqsputc-amqsgetc-connect-mq-server-ssl

How to configure Windows to allow Golang app to trust CA of self-signed cert

I have a third-party development tool that was written in Go. My company uses Netskope, which injects self-signed certificates into any SSL traffic from my machine so they can monitor all traffic for security purposes. The application is failing with the error "self signed certificate in certificate chain" when it tries to connect out to a site on the public internet, I assume because of these self-signed certificates in the chain.
I found some comments that say the logic for certificate verification on Windows can be found in https://go.dev/src/crypto/x509/root_windows.go, but I cannot find any documentation for Windows about this (only Linux). From looking at that code, my understanding is that I need to have the CA certificate set up in the local machine store as a Trusted Root CA, but that isn't working for me. The screenshot here shows the CA certificates in my Local Machine Trusted Root CA store. I deploy to Linux containers, in JVM or other applications, to allow them to trust these self-signed certificates.
Am I doing something wrong in setting up the CA certs in my certificate store? Is there any documentation on this? Is there another way I can configure, on Windows, any Go application running on my machine to trust the CA for these self-signed certificates? I see on Linux you can similarly add the CA to your store, or use the environment variables SSL_CERT_FILE and SSL_CERT_DIR, and I've been able to do this for other Go applications in Linux containers.
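The failure above is the chain-building step: the leaf chains up to an inspection CA that is not among the anchors Go verifies against. The program below is an added example (not code from the tool in the question or from Go's root_windows.go) that builds a throwaway CA and leaf in memory and shows the three outcomes a practitioner cares about: no anchor (unknown authority), the CA trusted as an anchor (chain builds), and a self-signed leaf trusted directly. The same issuer-equals-subject test is what separates a self-signed certificate from one that must be imported together with its chain (the ACM error in the EC2 question further down). Names such as inspection-ca.internal are constructed.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/x509"
	"crypto/x509/pkix"
	"math/big"
	"time"
)

// tmpl builds a minimal template; key usages are deliberately broad so one template serves CA and leaf, IsCA is what the chain builder keys on.
func tmpl(cn string, serial int64, isCA bool) *x509.Certificate {
	return &x509.Certificate{SerialNumber: big.NewInt(serial), Subject: pkix.Name{CommonName: cn},
		NotBefore: time.Now().Add(-time.Hour), NotAfter: time.Now().Add(24 * time.Hour),
		BasicConstraintsValid: true, IsCA: isCA, DNSNames: []string{cn},
		KeyUsage:    x509.KeyUsageCertSign | x509.KeyUsageDigitalSignature,
		ExtKeyUsage: []x509.ExtKeyUsage{x509.ExtKeyUsageServerAuth}}
}

// mint issues t under parent using signer; with signer == nil the fresh key signs its own certificate.
func mint(t, parent *x509.Certificate, signer *ecdsa.PrivateKey) (*x509.Certificate, *ecdsa.PrivateKey) {
	key, _ := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if signer == nil {
		parent, signer = t, key // self-signed: issuer == subject, signed with its own key
	}
	der, err := x509.CreateCertificate(rand.Reader, t, parent, &key.PublicKey, signer)
	if err != nil {
		panic(err)
	}
	cert, _ := x509.ParseCertificate(der)
	return cert, key
}

// IsSelfSigned: issuer equals subject and the signature verifies under the certificate's own key.
func IsSelfSigned(c *x509.Certificate) bool {
	return c.Issuer.String() == c.Subject.String() && c.CheckSignature(c.SignatureAlgorithm, c.RawTBSCertificate, c.Signature) == nil
}

// VerifyWith runs Go's chain builder for leaf against exactly the given anchors (system store ignored).
func VerifyWith(leaf *x509.Certificate, anchors ...*x509.Certificate) error {
	pool := x509.NewCertPool()
	for _, a := range anchors {
		pool.AddCert(a)
	}
	_, err := leaf.Verify(x509.VerifyOptions{Roots: pool, DNSName: leaf.DNSNames[0]})
	return err
}
```

Go consults the Windows certificate store only when a program leaves Roots nil (the path root_windows.go implements); a tool that builds its own pool, as VerifyWith does here, never sees certificates added to the Trusted Root CA store.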

How to Get Self Signed Certificate in Ec2

I am working on an EC2 instance. I have connected my PHP files like http://13.57.220.172/phpinsert.php. But it is not a secured site. So I want to convert http into https://13.57.220.172.
I have Cloudflare SSL. When I try to add the SSL certificate, it shows:
com.amazonaws.pki.acm.exceptions.external.ValidationException: Provided certificate is not a valid self signed. Please provide either a valid self-signed certificate or certificate chain. Choose Previous button below and fix it.
I have enclosed the image with it.
So how can I get the self-signed certificate? Is there any online tool available?
I think the error message you're seeing has to do with this sentence:
If your certificate is signed by a CA, you must include the certificate chain when you import your certificate.
from https://docs.aws.amazon.com/acm/latest/userguide/import-certificate-prerequisites.html.
Since it sounds like you're not yet in "production" mode, I'm guessing you're not particularly attached to your existing certificate, but just want a certificate to be able to do HTTPS on your web server (and don't really care if it's self-signed).
If you want to use AWS Certificate Manager, I think it would be easier to just let them (AWS) issue you a certificate instead of trying to import one from somewhere else. AWS doesn't charge anything for certificates. https://docs.aws.amazon.com/acm/latest/userguide/acm-billing.html
Even if you get the certificate setup in AWS Certificate Manager, that's not going to be installed directly on your EC2 instance, but rather (most likely) on a load balancer in front of your web server, which will add a little complexity to your setup. https://docs.aws.amazon.com/acm/latest/userguide/acm-services.html
If all you want to do is use HTTPS on your web server, Let's Encrypt (also free) is probably a simpler option. If you are using AWS Linux 2, there are instructions for getting a certificate here - https://docs.aws.amazon.com/AWSEC2/latest/UserGuide/SSL-on-amazon-linux-2.html
Well, to add to the points which #jefftrotman has already mentioned.
If your expectation is just to secure your IP address using HTTPS, you can achieve that using the approaches below:
A self-signed certificate that you can create using OpenSSL.
You can also get an SSL certificate from a trusted signing authority (like GoDaddy or VeriSign) or Let's Encrypt.
The only requirement for the second point is that, to get a certificate from a valid signing authority, you need to have a domain name like "myphpapp.com" and then use this domain to get the SSL certificate.
The details below are in case you want to use AWS ACM (Amazon Certificate Manager).
If you prefer ACM, you can get the free public SSL certificate, which you can map to the IP address, and your web application will be secured.
If your requirement is to add SSL certificates (like PEM files) to a web server like NGINX or Apache, then you first need to create a Private CA in ACM, and then using this CA you will be able to create private SSL certificates. After creating those, you can export the files and add them to the configuration file. (Try to use the Amazon Linux 2 EC2 image for ease.)

From self managed Let's Encrypt to AWS Certificate Manager

I have been managing Let's Encrypt SSL certificates for a domain.
Now I am moving to Amazon API Gateway. I will be using AWS Certificate Manager to generate HTTPS certificates for the root domain and a bunch of subdomains.
If I make the transfer, what happens to my current HTTPS certificate, which is associated with my domain? If browsers suddenly start seeing a new HTTPS certificate for a domain for which they had been getting a different HTTPS certificate until now, would this be a problem?
Also, once I make the shift, what do I do with my current (manually managed) Let's Encrypt certificate? Is there a way to permanently void it?
Szabolcs Dombi says
You can have multiple valid certificates for the same domain at the same time. Moving from one certificate issuer to another should not cause a problem.
Toby Osbourn says
SSL certificates don't last forever; most of them need to be renewed on a yearly cycle, and occasionally you will want to change the type of the SSL certificate mid-cycle.
Since you are replacing certificates, I suggest you back up the ones you have.
Once you have backed up the old certificates, just overwrite the .crt and .key files with your new ones. Then reload your web server so it knows to look at these new certificates, and you should be good to go.
If it's within your interest to know more about how to generate an SSL certificate using Amazon Certificate Manager (ACM), I suggest Barguzar, A. (July 2018), Building Serverless Python Web Services with Zappa, where one can read a good step-by-step guide. See an excerpt of it below:
ACM is a service that manages and creates SSL/TLS certificates for AWS-based services and applications. An ACM certificate works with multiple domain names and subdomains. You can also use ACM to create a wildcard SSL.
ACM is strictly linked with AWS Certificate Manager Private Certificate Authority (ACM PCA). ACM PCA is responsible for validating the domain authority and issuing the certificate.
You can have multiple valid certificates for the same domain at the same time. Moving from one certificate issuer to another should not cause a problem.
This also means that if you create a new certificate, the old one can still be used unless it has already expired.

configuring CA certificates in WSO2 API Manager

I have WSO2 API Manager deployed in an AWS EC2 instance.
I have purchased an SSL certificate via sslforfree.com. I tried to import it via the keytool command, but it's not working and throws an error. It gives me:
KrbException: Cannot locate default realm
How can I associate this certificate with the API Manager? I don't have a domain name for WSO2 and I access it via IP address.
Is it possible to have a CA-signed certificate in this case?
In case I want a domain name for this EC2, how can I get one?
You can import the certificate inside Carbon. Log into <your_server>:9443/carbon as admin. After that, go to Main -> Manage -> Keystores -> List.
If you're still using the default settings, you'll have the wso2carbon.jks entry here. Click on Import cert, choose your cert file and click on Import. Your certificate should be working after this.
There are several topics in this question:
I tried to import it via the keytool command. But it's not working and throwing an error. It gives me KrbException: Cannot locate default realm
The keytool gives you this exception? It would be useful to provide the keytool command you've used. There's no reason for that exception.
Please note that the certificate CN must be the same as the FQDN (domain name) of the server (how your browser accesses it).
How can I associate this certificate with the API Manager?
There are two options.
Import the keypair (private key and certificate chain) into a keystore and configure the APIM to use the keystore (in repository/conf/tomcat/catalina-server.xml).
Have a reverse proxy server (Apache HTTP, NGINX) and configure SSL on that proxy server. This is my favorite approach.
See: https://docs.wso2.com/display/AM210/Adding+a+Reverse+Proxy+Server
Then you have control over who can access the Carbon console, store and publisher, and from where.
I don't have a domain name for WSO2 and I access it via IP address. Is it possible to have a CA-signed certificate in this case?
Certificate authorities don't provide IP-based certificates, as they can validate ownership/control of a domain name, but not of an IP address.
You can create (and make trusted) your own CA and certificate (good for PoC, DEV environments, ...), but in the long run you'll need a trusted certificate on a hostname.
In case I want a domain name for this EC2, how can I get one?
You can always buy one :D For a start, when having an EC2 instance with a dynamic IP address, you may use some dynamic DNS service (e.g. https://ydns.io/; just search for more if you wish).