I have a web application which tries to hit a https url. I have a set of 4 certificates which I import in one common file using keytool
keytool -import -v -alias a_base64 -trustcacerts -file a_Base64.cer -keystore testcacerts
keytool -import -v -alias b_base64 -trustcacerts -file b_base64.cer -keystore testcacerts
keytool -import -v -alias c_base64 -trustcacerts -file c_Base64.cer -keystore testcacerts
keytool -import -v -alias d_base64 -trustcacerts -file d_base64.cer -keystore testcacerts
The file testcacerts is generated fine. In my eclipse IDE, I have a java program that will hit the https url. While running the program, I gave the following in the VM arguments
-Djavax.net.ssl.keyStore=c://testcacerts
The java program ran fine. Now I am deploying the war of the project in tomcat server 7. When my application tries to access https url, it gives the following exception
sun.security.validator.ValidatorException: PKIX path building failed: sun.security.provider.certpath.SunCertPathBuilderException: unable to find valid certification path to requested target.
I set the environment variables CATALINA_OPTS and JAVA_OPTS to point to that testcacerts location
JAVA_OPTS=-Djavax.net.ssl.trustStore=/temp/testcacerts
After I re start my tomcat, when my application hits the https url, am getting the same exception.
I even tried to change the configuration in server.xml in tomcat conf as given below
<Connector port="8443" maxHttpHeaderSize="8192" maxThreads="150" minSpareThreads="25"
maxSpareThreads="75" enableLookups="false" disableUploadTimeout="true" acceptCount="100"
scheme="https" secure="true" SSLEnabled="true" clientAuth="false" sslProtocol="TLS"
keystoreFile="/temp/testcacerts" keystorePass="samplePassword" />
The password in keystorePass is the one that I gave while generating the keystore.
Even after the above changes, I was getting the same exception.
I am currently running the application in Unix environment and the tomcat is present in Unix server as well. I don't have access to the java installation directory and because of which I am not able to place this certificate file in the jre\lib\security folder.
Am I missing anything here. Please guide me.
In case it is valid self-signed certificates you should select one certificate for the SSL connector. Please add keyAlias with the selected certificate (e.g. a_base64) to your connector configuration
<Connector port="8443" ... keyAlias="a_base64" />
Usefull links:
http://tomcat.apache.org/tomcat-7.0-doc/ssl-howto.html
http://tomcat.apache.org/tomcat-7.0-doc/config/http.html
You may remove your -Djavax settings.
Related
I have a Spring Boot application, deployed as WAR file in a Tomcat in Godaddy.Now, I do need to enable HTTPS on it.I had installed SSL on our domain and https is working on it.DNS and SSL certificates are managed by GoDaddy. I have already downloaded the certificate for tomcat which contains files as 'randomhex.crt','randomhex.pem','gd_bundle-g2-g1.crt','gdig2.crt.pem' and then I generated 'keystore.jks'&'keystore.p12' using these file following the below commands.
Step 1:
"keytool -import -trustcacerts -alias intermediate -file gd_bundle-g2-g1.crt -keystore keystore.jks" using password as 'password1'
Step 2:
"keytool -import -trustcacerts -alias 'alias1' -file e1......7.crt -keystore keystore.jks" using password as 'password1'
Step 3:
"keytool -importkeystore -srckeystore keystore.jks -destkeystore keystore.p12 -srcstoretype JKS -deststoretype PKCS12 -deststorepass 'password2' -srcalias 'alias1' -destalias 'alias2'" using password as 'password1'
I know now I need to add this 'keystore.p12' file to my springboot project 'resource' folder and set below ssl properties,but I am not sure about what value to set based on the above mentioned commands.Please help me to set the values for below,
server:
ssl:
key-store: classpath:keystore.p12
key-store-password: ?
key-store-type: ?
key-alias: ?
key-password: ?
enabled: true
port: ?
Also do I need to make anything on my TOMCAT server to make https work for this spring boot project???
Try this for Spring Boot:
server:
ssl:
key-store: classpath:keystore.p12
key-store-password: password2
key-store-type: PKCS12
key-alias: alias2
enabled: true
port: 443
It does not look like a key-password is set. Try leaving it out & try 'changeit' (the default for jks).
For TOMCAT it needs to be set in $TOMCAT_HOME/conf/server.xml - one of the connectors:
<Connector
protocol="org.apache.coyote.http11.Http11NioProtocol"
port="443" maxThreads="200"
scheme="https" secure="true" SSLEnabled="true"
keystoreFile="path/to/keystore.p12" keystorePass="password2" keyAlias="alias2"
clientAuth="false" sslProtocol="TLS"/>
Finally I found the solution.No need to configure SSL on spring boot.Just configure https on tomcat then https will work on your project.To configure https on tomcat you need to generate a keystore file(normally in .jks or .p12 format) by using sslcert.crt(randomhex.crt),sslkey.key,sslCA.crt(gd_bundle-g2-g1.crt) files as shown below:
goto '/opt/apache-tomcat/conf/' on your server and put above/below mentioned files there
openssl pkcs12 -export -in mycert.crt -inkey mykey.key -out mycert.p12 -name tomcat -CAfile myCA.crt -caname root -chain
Here
'mycert.crt' -> your randomhex.crt file,
'mykey.key' -> SSL key file from godaddy,
'myCA.crt' -> gd_bundle-g2-g1.crt ,
'mycert.p12' -> Name of the keystore file you want to generate.
You should asked a password when running above command and remember that password to configure tomcat server.xml file.
Now open server.xml o tomcat conf folder in edit mode and add below connector there,after that exit and save changes and restart tomcat then https will start working on your project.
<Connector port="8443" protocol="org.apache.coyote.http11.Http11NioProtocol"
maxThreads="150" SSLEnabled="true" compression="on" scheme="https" secure="true" keystoreFile="conf/mycert.p12"
keystorePass="password" SSLVerifyClient="none" SSLProtocol="TLSv1.2" />
Don't forget to add port 8443 on your spring boot 'application.yml'
server:
port: 8443
In our Project, we use Netty as webserver, In spring boot project.
we would like to enable HTTPS and SSL in the project.
we added the certificate to the truststore by keytool.
keytool -keystore truststore.jks -import -noprompt -trustcacerts -alias "try" -file "test.cer" -keypass pass -storepass pass
Than added the keypath and keystore information in project yaml file as :
server:
ssl:
enabled: true
key-store: 'truststore.jks'
key-store-password: "pass"
key-store-type: JKS
key-alias: "try"
but eveytime we try to send request to https://127.0.0.1:8080
we get below exception :
io.netty.handler.codec.DecoderException: javax.net.ssl.SSLHandshakeException: error:100000ae:SSL routines:OPENSSL_internal:NO_CERTIFICATE_SET
Caused by: javax.net.ssl.SSLHandshakeException: error:100000ae:SSL routines:OPENSSL_internal:NO_CERTIFICATE_SET
There are two types of key store in java,
Truststore
Keystore
Truststore: stores all public keys that need to be added to communicate with the third-party systems.
Keystore: contains the private key.
I was putting the public key in Keystore and was the problem.
I've encountered a problem with setting tls on my queue manager.
Here are the commands that I've used on my windows 10 to create and setup queue manager aswell as channel and keystores.
"C:\Program Files\IBM\MQ\bin64\crtmqm.exe" QMTLS
"C:\Program Files\IBM\MQ\bin64\strmqm.exe" QMTLS
"C:\Program Files\IBM\MQ\bin64\runmqsc.exe" QMTLS
DEF LISTENER(TCP.1416) TRPTYPE(TCP) CONTROL(QMGR) PORT(1416) REPLACE
START LISTENER(TCP.1416)
DEF CHL(CONNECTION.TLS) CHLTYPE(SVRCONN) TRPTYPE(TCP) SSLCIPH('TLS_RSA_WITH_AES_128_CBC_SHA256') SSLCAUTH(REQUIRED) DESCR('Channel with tls support')
DEFINE CHANNEL (CONNECTION.TLS) CHLTYPE (CLNTCONN) TRPTYPE (TCP) CONNAME (127.0.0.1) QMNAME (QMTLS) SSLCIPH('TLS_RSA_WITH_AES_128_CBC_SHA256') MAXMSGL (104857600) DESCR ('Client connection to Server')
exit
cd C:\ProgramData\IBM\MQ\qmgrs\QMTLS\ssl
"C:\Program Files\IBM\MQ\bin64\runmqakm.exe" -keydb -create -db key.kdb -pw passw0rd -stash
"C:\Program Files\IBM\MQ\bin64\runmqakm.exe" -cert -create -db key.kdb -label ibmwebspheremqqmtls -stashed -size 2048 -sigalg SHA256WithRSA -dn CN=QMTLS -fips -ca false
"C:\Program Files\IBM\MQ\bin64\runmqakm.exe" -cert -extract -db key.kdb -label ibmwebspheremqqmtls -target qmtls.arm -stashed
mkdir jks
cd jks
"C:\Program Files\IBM\MQ\java\jre\bin\keytool.exe" -genkey -alias ibmwebspheremquser -keyalg RSA -sigalg SHA256withRSA -dname "cn=user#example.com,C=US" -keystore userkey.jks -storetype jks -storepass passw0rd -keypass passw0rd -validity 365 -keysize 2048
"C:\Program Files\IBM\MQ\java\jre\bin\keytool.exe" -export -keystore userkey.jks -alias ibmwebspheremquser -storepass passw0rd -file userkey.arm -rfc
cd ..
copy jks\userkey.arm userkey.arm
"C:\Program Files\IBM\MQ\bin64\runmqakm.exe" -cert -add -db key.kdb -stashed -file userkey.arm -label userkey -trust enable -fips
copy qmtls.arm jks\qmtls.arm
cd jks
"C:\Program Files\IBM\MQ\java\jre\bin\keytool.exe" -import -alias QMTLS -file qmtls.arm -storepass passw0rd -keystore userkey.jks
"C:\Program Files\IBM\MQ\bin64\runmqsc.exe" QMTLS
SET CHLAUTH('CONNECTION.TLS') TYPE(BLOCKUSER) USERLIST('*NOACCESS') DESCR('allow access to tls') WARN(NO) ACTION(ADD)
refresh security type(ssl)
exit
When I try to connect directly to queue manager with channel CONNECTION.TLS and userkey.jks keystore I get an error AMQ4199 with message:
Queue manager QMTLS is not available for client connection due to an SSL configuration error. (AMQ4199)
Queue manager QMTLS is not available for client connection due to an SSL configuration error. (AMQ4199)
Severity: 30 (Severe Error)
Explanation: The user is trying to connect to a remote queue manager using a secure connection.
Response: Check the SSL configuration of the target queue manager and the local SSL trust store.
I need to import ssl certificate into java local keystore(cacerts) in order to get access to the remote ldaps server.
I have run the following command:
keytool -keystore C:\Program Files\Java\jdk1.8.0_211\jre\lib\security\cacerts -import -alias myalias -file <PATH_TO_CERTIFICATE>/certificate.cer
The certificate successfully added to the keystore:
keytool -list -alias myalias -keystore C:\Program Files\Java\jdk1.8.0_211\jre\lib\security\cacerts
Enter keystore password:
myalias, 24.10.2019, trustedCertEntry
My application properties:
ssl:
key-alias: myalias
key-store-password: changeit
key-store: C:\Program Files\Java\jdk1.8.0_211\jre\lib\security\cacerts
When I run the app I have the following exception:
Caused by: java.lang.IllegalArgumentException: jsse.alias_no_key_entry
at org.apache.tomcat.util.net.AbstractJsseEndpoint.createSSLContext(AbstractJsseEndpoint.java:99)
at org.apache.tomcat.util.net.AbstractJsseEndpoint.initialiseSsl(AbstractJsseEndpoint.java:71)
at org.apache.tomcat.util.net.NioEndpoint.bind(NioEndpoint.java:218)
at org.apache.tomcat.util.net.AbstractEndpoint.bindWithCleanup(AbstractEndpoint.java:1124)
at org.apache.tomcat.util.net.AbstractEndpoint.start(AbstractEndpoint.java:1210)
at org.apache.coyote.AbstractProtocol.start(AbstractProtocol.java:586)
at org.apache.catalina.connector.Connector.startInternal(Connector.java:1005)
... 14 more
Caused by: java.io.IOException: jsse.alias_no_key_entry
at org.apache.tomcat.util.net.SSLUtilBase.getKeyManagers(SSLUtilBase.java:328)
at org.apache.tomcat.util.net.SSLUtilBase.createSSLContext(SSLUtilBase.java:247)
at org.apache.tomcat.util.net.AbstractJsseEndpoint.createSSLContext(AbstractJsseEndpoint.java:97)
... 20 more
I am using Spring boot 2.2.0
Who knows what is the problem?
What you are doing in your application.properties is, you are securing your springboot application. Which is different from what you are trying to do (call ldaps server).
When you added the ldap server certificate into your cacerts, you don't need to do anything else. You can just make the call.
If you get PKIX exception when you make the call, then you need to make sure the CA and SubCA(s) of the ldap server certificate are trusted as well.
you need to import private key to keystore.
Step1: You need to download openSSL and then move to C:\OpenSSL-win64\bin Next, type this command:
openssl pkcs12 -export -in C:\Keystore\certificate.crt -inkey C:\Keystore\name_key.key -out C:\Keystore\server.p12 -name [name_alias] -CAfile C:\Keystore\rootCA.crt -caname root
Note: if you use alias "tomcat" in server.xml
keyAlias="tomcat"
keystoreFile="C:\Keystore\server.jks"
keystorePass="your pass"
then [name_alias] = tomcat
Step 2: use cmd and move to C:\program files\java\jdk..\ bin and type this command to convert p12 file to jks file:
keytool -importkeystore -deststorepass mypass -destkeystore C:\Keystore\server.jks -srckeystore C:\Keystore\server.p12 -srcstoretype PKCS12
Restart your tomcat server
I am looking for a detailed guide to configure SSl in JBOSS 7. I am not using any front end server but only JBOSS. Can anybody guide me through the steps of generating a key from an authorised certificate and configuring the connector under jboss?
Use the following procedure for self-signed certificate
1.Generate key + keystore
$JAVA_HOME/bin/keytool -genkey -alias your_alias_here -keyalg RSA -keypass PASSWORD -storepass PASSWORD -keystore ENTER_KEYSTORE_NAME
2.Configure jboss for SSL ( file server.xml )
<Connector port="8443" address="${jboss.bind.address}"
maxThreads="100" minSpareThreads="5" maxSpareThreads="15"
scheme="https" secure="true" clientAuth="false"
keystoreFile="PATH_TO_KEYSTORE"
keystorePass="PASSWORD" sslProtocol = "TLS" />
2.Import certs
$JAVA_HOME/bin/keytool -import -v -alias your_alias_here -file FILE_YOU_RECEIVED_FROM_CA -keystore ENTER_KEYSTORE_NAME -storepass PASSWORD -keypass PASSWORD