We are using ActiveMQ v5.16.2 and it comes coupled with jetty server.
I have seen many links which point to use MD5 Hash like MD5:xxxxxx in the jetty-realm.properties file.
We need to upgrade this so that the user authentication uses RSA algorithm.
The jetty-realm.properties has entries that are understood by the Jetty org.eclipse.jetty.util.security.Credential implementations.
Jetty ships with support for CRYPT:, MD5:, OBF:, and plain text.
Jetty supports pluggable Credential implementations via the standard java.util.ServiceLoader for any implementation of org.eclipse.jetty.util.security.CredentialProvider.
ActiveMQ does not have an implementation of CredentialProvider.
If you want RSA: support, you'll have to write your own RSA implementation of org.eclipse.jetty.util.security.CredentialProvider to accomplish that.
Related
I am trying to set up MTLS on a Jetty Server. From the documentation I have seen typically the server certificate is set up such as this
SslContextFactory.Server sslContextFactory = new SslContextFactory.Server();
sslContextFactory.setKeyStorePath("/Users/name/Downloads/server.jks");
sslContextFactory.setKeyStorePassword("changeit");
sslContextFactory.setTrustStorePath("/Users/name/Downloads/server_truststore.jks");
sslContextFactory.setTrustStorePassword("changeit");
sslContextFactory.setNeedClientAuth(true);
However, I want to have different server certificates to validate against depending on which device sent the client certificate? What settings do i need to change, or classes can I override to dynamically validate certificates?
You'll have to download it and then configure your SslContextFactory.Server to use the local copy.
This is a Java SSL engine limitation.
Use the prior answer on how to download a file from Amazon S3 ...
https://stackoverflow.com/a/28569038/775715
For mTLS, just set the SslContextFactory.Server features you want to use for your set of features.
SslContextFactory.Server.setNeedClientAuth(boolean)
This is the javax.net.ssl.SSLParameters.setNeedClientAuth(boolean) feature in the Java JVM.
SslContextFactory.Server.setWantClientAuth(boolean)
This is the javax.net.ssl.SSLParameters.setWantClientAuth(boolean) feature in the Java JVM.
The behavior is standard Java JVM behavior, Jetty does very little here (Jetty only configures the JVM SSLEngine and SSLParameters objects, and handles host/alias matching if using SNI), all of the mTLS behaviors are baked into the JVM.
Everything from this point forward is standard Java behaviors of Client Auth, and Server Keystore/Truststore, there is nothing unique or special about Jetty. It's all a matter of configuring your Keystore/Truststore and issuing valid client certificates from those stores.
If you want multiple server certificates, go for, that's supported by the keystore / truststore.
If you want the client to validate against different server certificates, then the client needs to use the appropriate combination of server hostname and SNI information (this is an extremely common TLS extension).
I have a client written by C, it uses libcurl to send json to a restful api service(say it server). The server was written by java, the restful api was implemented by jersey, one of JAX-RS( It's very simple and can switch to another JAX-RS implementation). Now I want to do some security work between the C client access to the java restful api server. I searched on the Internet that seems I should use kerberos or spnego for the HTTP access. I met some problem.
I want to use kerberos/spnego authentication. But I look through the security part of jersey doc (https://jersey.java.net/documentation/latest/security.html) and I didn't found any kerberos related doc. Do you know whether jersey support kerberos ?
If I switch to Apache CXF,is it easy to switch ? I checked the doc about CXF kerberos support. Looks like it's too simple, do you have any detail doc or simple example to support kerberos authentication when using Apache CXF ?
If there is anything wrong, please correct me. Thanks.
This is achievable with Jersey. Jersey Client uses ClosableHttpClient in its implementation.
If you want to use SPNEGO authentication scheme for Kerberos, you may have to write a custom Connector and ConnectorProvider [ I haven't found a way to set AuthenticationScheme with ApacheConnector].
Check this post too for reference if it solves your usecase Can JCIFS be used with Jersey? :)
I need to encrypt my soap message with my private key before sending it to server
How do I configure Spring Ws with private key encryption.If any links or code please update
You can always go with some Apache project like suggested depending on the level of abstraction you want. You can use a lower level library like Apache Santuario, or the balanced Apache WSS4J, or CXF WSS4J. But to me it seems like you want to use Spring. Spring has it's own WSS4J wrapper which I think they call 'Spring-WS', and signing xml (the soap envelope) is possible with it within Spring. http://docs.spring.io/spring-ws/site/reference/html/security.html <- Chapter 7 of the Spring Docs
You're going to need to create 1 or 2 keystores. One keystore to contain your private keys for signing and the other for your public keys (certs) to see who the service trusts. You can use java keytool or openssl to create these. The following link shows you how to create them. http://cxf.apache.org/docs/ws-security.html#WS-Security-UsingX.509Certificates
You may also want to refer to: Sign SOAP request on client-side with Spring for context
-mario
I have been provided with a SOAP 1.1 WSDL and a Password protected P12 X509 certificate to connect to a web service to periodically transmit records. I have also been provided with a how to guide to sign the message using the X509. The example provided illustrates how to sign the message and provide appropriate security message headers. The sample code is in Java, and includes functions for signing the message which interact with the SOAP message directly.
The application I'm writing is a c# console app with entity framework elements to retrieve the data.
My question is related to the best approach for tackling this problem:
Use WCF with static configuration where possible.
Use WCF with programmatic configuration (e.g. using custom
MessageHeaders).
Use WebRequest/WebResponse and craft the messages manually.
Use WSE 3.0 and convert the WSDL to a proxy class using the older command line tools.
I've been investigating the WCF routes - WCF is ideal if you control both sides of the equation - but the articles are thinning out for my specific use case.
I'm a bit confused about using OpenSSL in my Delphi webservice in relation to the available ciphers for a HTTPS connection.
Setup:
My webservice runs on a client's server. OpenSSL is installed there. The webservice uses Indy (a TIdHTTPWebBrokerBridge) and the OpenSSL DLLs (with TIdServerIOHandlerSSLOpenSSL) to load the client's certificate
Our Android/iOS apps connect to this webservice over HTTPS
The client has configured a domain and IP that the app users can connect to and reach my webservice. If we test that domain using e.g. the SSLLabs server test we get an overview of the supported ciphers and protocols (SSLLabs even mimics handshakes from devices and browsers and shows what ciphers were negotiated).
Question: Is there anything my webservice (in combination with OpenSSL) has to do/can do to influence the available ciphers for the TLS handshake between app and webservice? Is there anything additional that needs to be setup with OpenSSL?
I thought the answer is 'no', i.e. that it is just the server setup that (in the handshake with the app through Android/iOS) determines which cipher to use from the available server ones. Is this a correct assumption? Or do I miss something?
(As a matter of fact, I am not actually interested in limiting or expanding the available ciphers, but the client insists that something "should be done" in/with the webservice/OpenSSL to have it communicate "safely" with the apps. The SSLLabs test shows that their domain only supports TLS 1.0 and ciphers with the RSA key exchange mechanism, so e.g. no Perfect Forward Secrecy. To me, that looks like something that needs to be fixed anyway).
Notes:
This SO question suggests I may have to do something, but it has no answers.
I posted an earlier somewhat related question, but that has no answers.
This SO post states OpenSSL honors the client's cipher preference, not the server's, during the SSL handshake, which again suggest there are things I can do?
I had some doubts whether this question is in the proper place here (also because Why we are not customer support), but since this may be relevant to more programmers I decided to put it on SO.
You can specify available ciphers via TIdServerIOHandlerSSLOpenSSL.SSLOptions.CipherList (as well as SSL/TLS versions via TIdServerIOHandlerSSLOpenSSL.SSLOptions.SSLVersions).
If you want Perfect Forward Secrecy, you has to create DHParam keys using openssl.exe (fill TIdServerIOHandlerSSLOpenSSL.SSLOptions.DHParamsFile by result file name). If you want not only DHE, but ECDHE ciphers you need to call some additional openssl api, see a Support for Perfect Forward Secrecy in SSL with indy 10 for example.