IBM Liberty SSL HANDSHAKE FAILURE - web-services

I am using Liberty 16.0.0.4
I am trying to call xxxx SOAP services, but I got the following errors
[ERROR ] CWPKI0022E: SSL HANDSHAKE FAILURE: A signer with SubjectDN CN=xxxx, was sent from the target host. The signer might need to be added to local trust store serverHome/resources/security/key.jks, located in SSL configuration alias defaultSSLConfig. The extended error message from the SSL handshake exception is: PKIX path building failed: sun.security.provider.certpath.SunCertPathBuilderException: unable to find valid certification path to requested target
I used the following command to generate the certificate
openssl s_client -connect xxxxURL:443 </dev/null | sed -ne '/-BEGIN CERTIFICATE-/,/-END CERTIFICATE-/p' > xxx.cert
Then I injected it into the Liberty default jks file with the following command
keytool -import -trustcacerts -alias xxxSigner -file xxx.cert -keystore pathToHomeServer/resources/security/key.jks -storepass Liberty -storetype jks
Also, these are the server.xml tags related to that
<featureManager>
    <feature>webProfile-7.0</feature>
    <feature>jaxb-2.2</feature>
    <feature>concurrent-1.0</feature>
    <feature>javaMail-1.5</feature>
    <feature>localConnector-1.0</feature>
    <feature>jaxws-2.2</feature>
    <feature>apiDiscovery-1.0</feature>
    <feature>ssl-1.0</feature>
</featureManager>
<keyStore id="defaultKeyStore" location="${server.config.dir}/resources/security/key.jks" password="{xor}EzY9Oi0rJg==" type="jks" />
<keyStore id="defaultTrustStore" location="${server.config.dir}/resources/security/key.jks" password="{xor}EzY9Oi0rJg==" type="jks" />
<sslDefault sslRef="defaultSSLConfig" />
<ssl id="defaultSSLConfig" keyStoreRef="defaultKeyStore" trustStoreRef="defaultTrustStore" sslProtocol="TLSv1.2"/>
<httpEndpoint id="defaultHttpEndpoint" httpPort="9080" httpsPort="9443">
    <sslOptions sslRef="defaultSSLConfig"></sslOptions>
</httpEndpoint>
So what is the problem my side which

Not sure why your approach is not working, but another way to go about it is to use a browser to retrieve the certificate and then keytool to add it, as described here (see the 8/5/2015 comment at the bottom of the article): developer.ibm.com/wasdev/docs/single-sign-google-liberty

Does it work if you explicitly add the signer itself, shown at the bottom of the stack of certs when you append -showcerts to your openssl command?
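The suggestion above is to import the certificate at the bottom of the `-showcerts` stack rather than the server certificate that the `sed` pipeline in the question captures. The script below is an added example, not code from the question or either answer: it splits saved `openssl s_client -showcerts` output into one PEM file per certificate and points at the last one, which is what the Liberty truststore needs. The sample output it parses is constructed here (placeholder base64, not real certificates), and the `xxxx` names, the `serverHome` path and the `Liberty` password are taken from the question.

```shell
#!/bin/sh
# Added example, not from the original question or answers: split the PEM
# stack that `openssl s_client -showcerts` prints into one file per
# certificate, so the last one (the signer at the bottom of the stack) can
# be imported with the keytool command from the question. The sample output
# below is constructed; the base64 bodies are placeholders, not real certs.

# split_chain INPUT OUTDIR: writes OUTDIR/cert-1.pem, cert-2.pem, ... in the
# order the server sent them and prints how many certificates were found.
split_chain() {
    in="$1"; out="$2"
    mkdir -p "$out"
    awk -v dir="$out" '
        /-----BEGIN CERTIFICATE-----/ { n++; f = dir "/cert-" n ".pem" }
        f != ""                       { print > f }
        /-----END CERTIFICATE-----/   { close(f); f = "" }
        END                           { print n + 0 }
    ' "$in"
}

# last_cert OUTDIR: path of the certificate at the bottom of the stack
last_cert() {
    n=$(ls "$1"/cert-*.pem | wc -l | tr -d ' ')
    echo "$1/cert-$n.pem"
}

# Constructed stand-in for: openssl s_client -connect xxxxURL:443 -showcerts </dev/null
SAMPLE_CHAIN=$(cat <<'EOF'
CONNECTED(00000003)
---
Certificate chain
 0 s:CN = xxxx
   i:CN = Example Issuing CA
-----BEGIN CERTIFICATE-----
LEAFCERTPLACEHOLDER0000000000000000000000000000==
-----END CERTIFICATE-----
 1 s:CN = Example Issuing CA
   i:CN = Example Root CA
-----BEGIN CERTIFICATE-----
ISSUINGCACERTPLACEHOLDER00000000000000000000000==
-----END CERTIFICATE-----
---
Server certificate
subject=CN = xxxx
issuer=CN = Example Issuing CA
---
EOF
)

WORK=$(mktemp -d)
printf '%s\n' "$SAMPLE_CHAIN" > "$WORK/showcerts.txt"
COUNT=$(split_chain "$WORK/showcerts.txt" "$WORK/chain")
SIGNER=$(last_cert "$WORK/chain")
echo "found $COUNT certificates; bottom of the stack is $SIGNER"
# Import step, not run here (needs keytool and the Liberty server directory):
#   keytool -importcert -noprompt -trustcacerts -alias xxxSigner -file "$SIGNER" \
#       -keystore serverHome/resources/security/key.jks -storepass Liberty
```

Against a live server, replace the constructed `SAMPLE_CHAIN` with the real `-showcerts` output (redirect stdin from `/dev/null` so `s_client` exits after the handshake). Note that servers normally send the chain without the root, so the bottom certificate is usually an intermediate; importing it as a trusted entry still lets PKIX path building terminate there.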

Related

JMeter issue with javax.net.ssl.SSLProtocolException: Received fatal alert: unexpected_message when testing GCP CloudRun

I am using JMeter to run some POST requests to CloudRun for my API. When I run the process, the POST returns the error:
javax.net.ssl|DEBUG|12|Single Insert 1-1|2022-04-22 17:39:28.479 BST|Alert.java:238|Received alert message (
"Alert": {
"level" : "fatal",
"description": "unexpected_message"
}
)
javax.net.ssl|ERROR|12|Single Insert 1-1|2022-04-22 17:39:28.479 BST|TransportContext.java:363|Fatal (UNEXPECTED_MESSAGE): Received fatal alert: unexpected_message (
"throwable" : {
javax.net.ssl.SSLProtocolException: Received fatal alert: unexpected_message
at java.base/sun.security.ssl.Alert.createSSLException(Alert.java:129)
...etc...
I have created a certificate with:
keytool -keystore clientkeystore -genkey -alias client -keyalg RSA
then copied the file clientkeystore under the bin folder and added in the system.properties file:
javax.net.ssl.keyStore=clientkeystore
javax.net.ssl.keyStorePassword=mypassword
but nothing changes when it runs against a GCP/CloudRun instance. Any idea?
If your application requires a client-side certificate, you need to get the appropriate one and not generate a new random one, so if this is the case you will need to import the relevant certificate into the keystore
keytool -import -alias your-certificate-alias -file /path/to/your/certificate.cer -keystore clientkeystore.p12 -storepass mypassword
and change the javax.net.ssl.keyStore to include the file extension:
javax.net.ssl.keyStore=clientkeystore.p12
More information: How to Set Your JMeter Load Test to Use Client Side Certificates
If your application can be accessed by anyone without having to provide the client-side certificate, just remove the properties as you don't need them.

SSL Configuration for WSO2

I'm working on the SSL Configuration for WSO2 and am currently following this article. Now I had a .pfx file which I converted to a .jks file using
keytool -importkeystore -srckeystore < pkcs12 file name >.pfx -srcstoretype pkcs12 -destkeystore < JKS name >.jks -deststoretype JKS
The next step was to extract a .csr (Certificate Request Signing) from the .jks using
keytool -certreq -alias certalias -file newcertreq.csr -keystore newkeystore.jks
After having the .csr file extracted, the article asked me to provide that .CSR file to the CA. For testing purposes, they preferred this to have a free SSL Certificate for 90 days.
The site asks for the content of the CSR file and gave me the following error
Your Domain Name may not contain a * Please purchase a Wildcard
Certificate if you wish to use a * in your Domain Name
Please note that my certificate is for the domain *.domain.com. It's pretty obvious that I'll have to purchase a wildcard certificate for this, but I'm currently trying to set up a TESTING ENVIRONMENT just to be sure before purchasing a particular domain certificate, AND for that I'm looking for alternatives to get the following files:
The Root certificate of the CA, i.e. AddTrustExternalCARoot.crt
Intermediate certificates, i.e. COMODORSAAddTrustCA.crt, COMODORSADomainValidationSecureServerCA.crt
SSL Certificate signed by the CA, i.e. test_sampleapp_org.crt
I tried this and it gave me a domain.cer file, which is not what I need. Any guesses? Thanks.
For development, you can export a self-signed certificate with this keytool command.
keytool -export -alias certalias -file test_sampleapp_org.crt -keystore newkeystore.jks
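The answer exports a single self-signed certificate, which gives a test environment no root or intermediate files to install. The script below is an added example, not code from the question, the answer or WSO2: it builds a throwaway root CA and intermediate with OpenSSL and signs a CSR for the wildcard name from the question, producing the same three kinds of files the question lists (root, intermediate, signed leaf). The CA names, the 30-day validity and the `test_sampleapp_org.crt` output name are choices made here; the CSR is generated with `openssl req` in place of the `keytool -certreq` step so the example runs on its own.

```shell
#!/bin/sh
# Added example (not from the original post): build a throwaway CA hierarchy
# with OpenSSL so a test environment has the three kinds of files the question
# lists (root CA cert, intermediate CA cert, CA-signed leaf cert). All names,
# paths and subjects here are made up for the example.

# make_test_ca DIR: creates a self-signed root and an intermediate signed by it.
make_test_ca() {
    dir="$1"
    mkdir -p "$dir"
    # CA certificates must carry basicConstraints CA:TRUE, otherwise path
    # validation refuses to treat the intermediate as an issuer.
    printf 'basicConstraints=critical,CA:TRUE\nkeyUsage=critical,keyCertSign,cRLSign\n' > "$dir/ca.ext"

    # Root: CSR self-signed with its own key (plays the role of AddTrustExternalCARoot.crt)
    openssl req -new -newkey rsa:2048 -nodes -subj "/CN=Test Root CA" \
        -keyout "$dir/root.key" -out "$dir/root.csr" 2>/dev/null
    openssl x509 -req -in "$dir/root.csr" -signkey "$dir/root.key" -days 30 \
        -extfile "$dir/ca.ext" -out "$dir/root.crt" 2>/dev/null

    # Intermediate: signed by the root (plays the role of the COMODO intermediates)
    openssl req -new -newkey rsa:2048 -nodes -subj "/CN=Test Intermediate CA" \
        -keyout "$dir/intermediate.key" -out "$dir/intermediate.csr" 2>/dev/null
    openssl x509 -req -in "$dir/intermediate.csr" -CA "$dir/root.crt" -CAkey "$dir/root.key" \
        -CAcreateserial -days 30 -extfile "$dir/ca.ext" -out "$dir/intermediate.crt" 2>/dev/null
}

# sign_with_test_ca DIR CSR DNSNAME OUT: signs a CSR (for example the one
# keytool -certreq produced) with the intermediate, adding a SAN for DNSNAME.
sign_with_test_ca() {
    dir="$1"; csr="$2"; name="$3"; out="$4"
    printf 'basicConstraints=CA:FALSE\nsubjectAltName=DNS:%s\n' "$name" > "$dir/leaf.ext"
    openssl x509 -req -in "$csr" -CA "$dir/intermediate.crt" -CAkey "$dir/intermediate.key" \
        -CAcreateserial -days 30 -extfile "$dir/leaf.ext" -out "$out" 2>/dev/null
}

# verify_chain DIR LEAF: succeeds only if LEAF chains to the root via the intermediate.
verify_chain() {
    openssl verify -CAfile "$1/root.crt" -untrusted "$1/intermediate.crt" "$2" >/dev/null 2>&1
}

# verify_without_intermediate DIR LEAF: the same check with the intermediate
# missing, which is what a client sees when only the root is trusted and the
# server does not send the intermediate.
verify_without_intermediate() {
    openssl verify -CAfile "$1/root.crt" "$2" >/dev/null 2>&1
}

# Demo: a CSR for the wildcard name from the question, generated here with
# openssl in place of keytool -certreq, then signed and checked.
CA=$(mktemp -d)
make_test_ca "$CA"
openssl req -new -newkey rsa:2048 -nodes -subj "/CN=*.domain.com" \
    -keyout "$CA/leaf.key" -out "$CA/newcertreq.csr" 2>/dev/null
sign_with_test_ca "$CA" "$CA/newcertreq.csr" "*.domain.com" "$CA/test_sampleapp_org.crt"
if verify_chain "$CA" "$CA/test_sampleapp_org.crt"; then
    echo "test_sampleapp_org.crt verifies against root.crt + intermediate.crt in $CA"
fi
```

With the real keytool-generated CSR, pass its path as the second argument of `sign_with_test_ca`; the resulting `root.crt`, `intermediate.crt` and signed leaf can then be imported into the JKS in the same order the article describes for the CA-issued files. Browsers and Java clients in the test environment must trust `root.crt` explicitly, since nothing else vouches for it.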

AWS Tomcat SSL browser errors - what have I missed?

I'm attempting to set up TLS (SSL) with my domain hosted on AWS Bitnami so that users can access it over HTTPS. It is running on Apache Tomcat standalone and is not fronted by a LB.
To generate the Certificate Signing Request (CSR) I have:
sudo openssl genrsa -out /opt/bitnami/apache-tomcat/conf/server.key 2048
And entered all the correct information i.e. hostname in www.hostname.com format, then:
sudo openssl req -new -key /opt/bitnami/apache-tomcat/conf/server.key -out /opt/bitnami/apache2/conf/cert.csr
Following that I have copied the .csr file contents to the CA (ssl.comodo.com) & saved the resulting files: the .ca-bundle and .crt file.
Following that I have uploaded the files to the Tomcat directory and loaded them into the Java keystore:
keytool -import -trustcacerts -alias root -file www_domainname_com.ca-bundle -keystore KeyStore.jks
and the .crt:
keytool -import -trustcacerts -alias tomcat -file www_domainname_com.crt -keystore KeyStore.jks
Tomcat is configured to use this keystore with the following config in server.xml:
<Connector port="443" protocol="org.apache.coyote.http11.Http11NioProtocol" maxThreads="150" SSLEnabled="true" scheme="https" secure="true" clientAuth="false" keystoreFile="/home/bitnami/KeyStore.jks" keystorePass="passwordhere" sslProtocol="TLS"/>
Then apache has been restarted. The browser errors that I receive are:
Chrome:
uses an unsupported protocol. ERR_SSL_VERSION_OR_CIPHER_MISMATCH
Firefox:
no common encryption algorithm(s). Error code: SSL_ERROR_NO_CYPHER_OVERLAP
My thoughts
Based on this Stack Overflow question here I think this may have something to do with RSA - when I generate a new keystore with the -keyalg RSA parameter:
$JAVA_HOME/bin/keytool -genkey -alias tomcat -keyalg RSA
and point the Tomcat server.xml SSL config to that, the site loads over HTTPS and I get warnings in the browser telling me that it is a self-signed certificate.
If you want to generate using OpenSSL, you must then convert the PRIVATE KEY AND certificate chain, not just the certificate(s) alone, to a Java-usable keystore, either PKCS12 or JKS.
If you want to generate using Java, you do use keytool -genkeypair -keyalg RSA (and before j7 add -keysize 2048), then you use Java keytool to generate the CSR which you give to the CA (Comodo), and you use Java keytool to import the new cert and its chain from the CA.
See the options at (my) https://stackoverflow.com/a/37423399/2868801 and several additional dupes linked there.
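The answer's first option, packaging the OpenSSL private key together with the certificate and the CA chain into a Java-usable keystore, is shown below as an added example; it is not code from the question or the answer. `keytool -import` of the `.crt` alone, as in the question, creates a trusted-certificate entry with no private key, so the connector has nothing to serve. The script builds a PKCS12 file from the three inputs and checks what ended up inside. Because it has to run offline, the CA-issued `.crt` and `.ca-bundle` are replaced by two self-signed stand-ins generated on the spot; the file names and the `passwordhere` password mirror the question, and `tomcat` is the alias chosen here.

```shell
#!/bin/sh
# Added example (not from the original post): take a private key generated
# with `openssl genrsa` plus the certificate and CA bundle returned by the CA,
# and package all three into one PKCS12 keystore that Tomcat (or keytool) can
# use. File names, alias and password are made up for the example.

# build_pkcs12 KEY CERT CHAIN OUT PASSWORD
build_pkcs12() {
    key="$1"; cert="$2"; chain="$3"; out="$4"; pw="$5"
    openssl pkcs12 -export -inkey "$key" -in "$cert" -certfile "$chain" \
        -name tomcat -out "$out" -passout "pass:$pw" 2>/dev/null
}

# count_certs P12 PASSWORD: number of certificates stored alongside the key
count_certs() {
    openssl pkcs12 -in "$1" -passin "pass:$2" -nokeys -nodes 2>/dev/null | grep -c 'BEGIN CERTIFICATE'
}

# has_private_key P12 PASSWORD: succeeds if a private key entry is present,
# which is exactly what importing only the .crt with keytool does not give you
has_private_key() {
    openssl pkcs12 -in "$1" -passin "pass:$2" -nocerts -nodes 2>/dev/null | grep -q 'PRIVATE KEY'
}

WORK=$(mktemp -d)
# Stand-ins for the files in the question: server.key as generated there, and
# two self-signed certificates in place of the CA-issued www_domainname_com.crt
# and www_domainname_com.ca-bundle (constructed so the example runs offline).
openssl genrsa -out "$WORK/server.key" 2048 2>/dev/null
openssl req -new -x509 -key "$WORK/server.key" -days 30 -subj "/CN=www.hostname.com" \
    -out "$WORK/www_domainname_com.crt" 2>/dev/null
openssl req -new -x509 -newkey rsa:2048 -nodes -keyout "$WORK/ca.key" -days 30 \
    -subj "/CN=Stand-in CA" -out "$WORK/www_domainname_com.ca-bundle" 2>/dev/null

build_pkcs12 "$WORK/server.key" "$WORK/www_domainname_com.crt" \
    "$WORK/www_domainname_com.ca-bundle" "$WORK/KeyStore.p12" passwordhere
CERTS=$(count_certs "$WORK/KeyStore.p12" passwordhere)
echo "KeyStore.p12 holds a private key and $CERTS certificates"
```

Point the connector at the result with `keystoreFile="/home/bitnami/KeyStore.p12" keystoreType="PKCS12" keystorePass="passwordhere"` in place of the JKS attributes from the question, or convert it with the `keytool -importkeystore -srcstoretype pkcs12 -deststoretype JKS` form that appears earlier on this page if a JKS file is required.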

WSO2 DAS: certificate didn't match

I installed the WSO2 DAS Server on my LAN network, but I can't create a new Dashboard because of this error:
javax.net.ssl.SSLException: hostname in certificate didn't match:
<192.168.3.27> != localhost
in log file here.
Please help and thanks
It happens because the certificate is for localhost, not for the domain that we run. For that we need to generate a new certificate with the specific domain and make configuration changes with the correct .jks file and correct password.
It will resolve the "certificate didn't match" error. We need to replace all the localhost entries in the portal folder. I have worked like this and fixed it with guidance. For more reference please visit
http://www.vitharana.org/2012/12/how-to-add-new-keystore-to-carbon-4_3.html
The above error log happens because the certificate is for localhost, not for the host (192.168.3.27). You can fix this by importing the KeyStore file into the truststore using the following commands in the terminal.
keytool -export -alias <HostName> -file mycert.crt -keystore myjks.jks -storepass <pwd>
keytool -import -alias <HostName> -file /usr/local/app/wso2/wso2das-3.0.0/repository/resources/security/mycert.crt -keystore cacerts -storepass changeit
Please refer to the following articles for more details [1]. On the other hand, for a quick test you can access the dashboard portal over http by using the following URL
http://localhost:9763/portal/
[1] https://medium.com/#dunithd/wso2-das-how-to-fix-javax-net-ssl-sslexception-160c13bc8fe7#.npua5d4nf

How to add certificate for https connection

Hi Everyone,
I have a certificate; can anyone tell me how to add and apply it to use an SSL connection with a Java class? I am facing a javax.net.ssl.SSLHandshakeException: java.security.cert.CertificateException: No name matching localhost found exception.
Hello everyone, I got the answer to my question after a long struggle.
1. For my first exception I used this link http://www.mkyong.com/webservices/jax-ws/java-security-cert-certificateexception-no-name-matching-localhost-found/
2. For my second exception, I had not imported my certificate into the keystore; for that this is the command
sudo /usr/lib/jvm/java-7-openjdk-amd64/jre/bin/keytool -import -file "give full path of certificate" -keystore "/usr/lib/jvm/java-7-openjdk-amd64/jre/lib/security/cacerts" -alias "certificate"
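Both the WSO2 DAS error ("hostname in certificate didn't match: <192.168.3.27> != localhost") and the "No name matching localhost found" exception in this last question are the client comparing the name it connected to with the names in the server certificate, as the DAS answers explain. The script below is an added example, not code from any of the posts: it issues a self-signed certificate whose subjectAltName covers both a DNS name and the IP address the server is reached on, then runs the same kind of name check with `openssl verify` to show which names pass and that `localhost` fails. The host name `das.example.internal` is made up; the IP address 192.168.3.27 is the one from the DAS question.

```shell
#!/bin/sh
# Added example (not from either post): the "hostname in certificate didn't
# match" / "No name matching localhost found" errors come from the client
# comparing the name it connected to against the certificate's names. This
# issues a self-signed cert whose SAN lists the address the server is reached
# on, then runs the equivalent name check with openssl verify. The DNS name
# is made up; the IP address is the one from the WSO2 DAS question.

# make_host_cert DIR DNSNAME IPADDR: self-signed cert naming both in the SAN
# (needs OpenSSL 1.1.1 or newer for -addext)
make_host_cert() {
    dir="$1"; mkdir -p "$dir"
    openssl req -x509 -newkey rsa:2048 -nodes -days 30 -subj "/CN=$2" \
        -addext "subjectAltName=DNS:$2,IP:$3" \
        -keyout "$dir/host.key" -out "$dir/host.crt" 2>/dev/null
}

# name_matches CERT NAME: succeeds if NAME (a DNS name or an IPv4 literal)
# is covered by CERT's names, the way a TLS client checks it
name_matches() {
    case "$2" in
        *[!0-9.]*) openssl verify -CAfile "$1" -verify_hostname "$2" "$1" >/dev/null 2>&1 ;;
        *)         openssl verify -CAfile "$1" -verify_ip "$2" "$1" >/dev/null 2>&1 ;;
    esac
}

WORK=$(mktemp -d)
make_host_cert "$WORK" das.example.internal 192.168.3.27
for name in das.example.internal 192.168.3.27 localhost; do
    if name_matches "$WORK/host.crt" "$name"; then
        echo "$name: matches the certificate"
    else
        echo "$name: hostname in certificate didn't match"
    fi
done
```

The same rule applies to the Java clients on this page, so whichever keystore tool is used, the certificate must carry the address clients actually type; with keytool that is the `-ext san=dns:das.example.internal,ip:192.168.3.27` option on `-genkeypair`. Importing a certificate that only names localhost into cacerts removes the "unable to find valid certification path" error but not the name mismatch.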