I'm trying to run spring-cloud-config-server with an encrypted property in application.yml.
---
server:
port: 8888
spring:
cloud:
config:
server:
git:
uri: file:/Users/gadams/git/cs-config
encrypt:
key-store:
location: classpath:/config-server.jks
password: password
alias: alias
secret: secret
security:
user:
password: '{cipher}encryptedPassword'
I get the following error on startup:
java.lang.IllegalStateException: Cannot decrypt: key=security.user.password
at org.springframework.cloud.bootstrap.encrypt.EnvironmentDecryptApplicationInitializer.decrypt(EnvironmentDecryptApplicationInitializer.java:201) ~[spring-cloud-context-1.1.6.RELEASE.jar:1.1.6.RELEASE]
at org.springframework.cloud.bootstrap.encrypt.EnvironmentDecryptApplicationInitializer.decrypt(EnvironmentDecryptApplicationInitializer.java:165) ~[spring-cloud-context-1.1.6.RELEASE.jar:1.1.6.RELEASE]
at org.springframework.cloud.bootstrap.encrypt.EnvironmentDecryptApplicationInitializer.initialize(EnvironmentDecryptApplicationInitializer.java:95) ~[spring-cloud-context-1.1.6.RELEASE.jar:1.1.6.RELEASE]
at org.springframework.cloud.bootstrap.BootstrapApplicationListener$DelegatingEnvironmentDecryptApplicationInitializer.initialize(BootstrapApplicationListener.java:333) ~[spring-cloud-context-1.1.6.RELEASE.jar:1.1.6.RELEASE]
at org.springframework.boot.SpringApplication.applyInitializers(SpringApplication.java:635) [spring-boot-1.4.2.RELEASE.jar:1.4.2.RELEASE]
at org.springframework.boot.SpringApplication.prepareContext(SpringApplication.java:349) [spring-boot-1.4.2.RELEASE.jar:1.4.2.RELEASE]
at org.springframework.boot.SpringApplication.run(SpringApplication.java:313) [spring-boot-1.4.2.RELEASE.jar:1.4.2.RELEASE]
at org.springframework.boot.SpringApplication.run(SpringApplication.java:1186) [spring-boot-1.4.2.RELEASE.jar:1.4.2.RELEASE]
at org.springframework.boot.SpringApplication.run(SpringApplication.java:1175) [spring-boot-1.4.2.RELEASE.jar:1.4.2.RELEASE]
at com.collegescheduler.ConfigServerApplication.main(ConfigServerApplication.java:12) [bin/:na]
Caused by: java.lang.UnsupportedOperationException: No decryption for FailsafeTextEncryptor. Did you configure the keystore correctly?
at org.springframework.cloud.bootstrap.encrypt.EncryptionBootstrapConfiguration$FailsafeTextEncryptor.decrypt(EncryptionBootstrapConfiguration.java:152) ~[spring-cloud-context-1.1.6.RELEASE.jar:1.1.6.RELEASE]
at org.springframework.cloud.bootstrap.encrypt.EnvironmentDecryptApplicationInitializer.decrypt(EnvironmentDecryptApplicationInitializer.java:193) ~[spring-cloud-context-1.1.6.RELEASE.jar:1.1.6.RELEASE]
... 9 common frames omitted
I'm using org.springframework.cloud:spring-cloud-dependencies:Camden.SR3. How should one go about encrypting the spring-security user password in the config server?
It's something wrong in your keystore configuration from log.
Use keytool to verify the pass/secret/alias of your key store firstly.
Did you respect the prerequisites?
Prerequisites: to use the encryption and decryption features you need
the full-strength JCE installed in your JVM (it’s not there by
default). You can download the "Java Cryptography Extension (JCE)
Unlimited Strength Jurisdiction Policy Files" from Oracle, and follow
instructions for installation (essentially replace the 2 policy files
in the JRE lib/security directory with the ones that you downloaded).
You should also have in your pom.xml:
<dependency>
<groupId>org.springframework.security</groupId>
<artifactId>spring-security-rsa</artifactId>
</dependency>
Related
Facing the below isssue.
Error performing command: --- Command ---
git ls-remote http://gbs05291:******#git...pro/scm/fbkpla/gocd-mobileapp.git refs/heads/InvestmentApp_GoCDTest
--- Environment ---
{}
--- INPUT ----
--- EXIT CODE (128) ---
--- STANDARD OUT ---
--- STANDARD ERR ---
STDERR: fatal: unable to access 'http://*********repoIP**/scm/fbkpla/gocd-mobileapp.git/': SSL certificate problem: self signed certificate in certificate chain
1.Tried adding the certificate to keystore in gocd server with the below command..
keytool -importcert -file "C:\Users\Desktop\BitBucket.cer" -keystore "C:\Program Files (x86)\Go Server\config\keystore"
2.Tried git config --global http.sslVerify false
Please note :Able to clone the same repo from git bash.
Download the certificate, convert it into .pem file and add the .pem certificate to git config at either system level, global level or local level, depending on the requirement. This will resolve SSL self signed certificate problem.
Converting .crt to .pem file using OpenSSL:
x509 -outform der -in /certificate.crt -out /certificate.pem
add certificate to git config:
git config --system http.sslCAInfo /certificate.pem
Please go with this links. Hope your will find better solution of your problem.
Using your own SSL certificates on the Server
I am trying to configure WSO2 API Manager tooling in eclipse luna, as per https://apim.docs.wso2.com/en/latest/Learn/APIGateway/MessageMediation/pass-a-custom-authorization-token-to-the-backend/, however I keep getting javax.net.ssl.SSLHandshakeException when I try to connect to API manager instance. I have added the public certificate in the java trust store, also tried pointing eclipse to custom truststore where the public cert is added, still no luck. I have java 8 installed on Mojave. Not sure, if it is related to new version of the API manager. Here is the error message and stack trace.
Error Message
Getting WS Feature Available in Regisrty check failed Connection has been shutdown: javax.net.ssl.SSLHandshakeException: sun.security.validator.ValidatorException: PKIX path building failed: sun.security.provider.certpath.SunCertPathBuilderException: unable to find valid certification path to requested target
https://pastebin.com/5bSpKJ4x Stack trace link
This is a ssl Handshake error, which usually occurs if you don't have trusted certificates in your trust store. Do the following
Download the certificate from what ever back-end service you are trying to hit.
Add it to the client-truststore.jks file in < apim-home >/repository/resources/security using the following command in cmd.
Open cmd from \jdk\bin
keytool -keystore "< apim-home >\repository\resources\security\client-truststore.jks" -storepass wso2carbon -importcert -file "< certFile-loction >"
I've tried to install an instance on AWS using aws RDS as
my datasource through the mysql-connector-java-5.1.45-bin.jar
with jdbc url
jdbc:mysql://< instance>.< zone>.rds.amazonaws.com:3306/carbon_db
i've got an exception
com.mysql.jdbc.exceptions.jdbc4.CommunicationsException: Communications link failurecom.mysql.jdbc.exceptions.jdbc4.CommunicationsException: Communications link failure
The last packet successfully received from the server was 7 milliseconds ago. The last packet sent successfully to the server was 7 milliseconds ago.
at sun.reflect.NativeConstructorAccessorImpl.newInstance0(Native Method)
at sun.reflect.NativeConstructorAccessorImpl.newInstance(NativeConstructorAccessorImpl.java:62)
at sun.reflect.DelegatingConstructorAccessorImpl.newInstance(DelegatingConstructorAccessorImpl.java:45)
at java.lang.reflect.Constructor.newInstance(Constructor.java:423)
at com.mysql.jdbc.Util.handleNewInstance(Util.java:425)
.
.
.
Caused by: javax.net.ssl.SSLHandshakeException: Received fatal alert: unknown_ca
I've tried to run
keytool -importcert -keystore <keystore> -storepass <pass> -noprompt -file rds-combined-ca-bundle.pem
on cacerts.jks in JVM and client-trustore.jks inside WSO2 repository with no effect
This happens since the public certificate from your DB connection, is not trusted by the WSO2 Identity Server.
Since you have tried adding the certificate, verify whether this has been added properly.
Get the public certificate from your DB instance.
Go to the <IS_HOME>/repository/resources/security folder. Import the public certificate to the client-truststore.jks file. Use the command below.
keytool -importcert -file certificate.cer -keystore client-truststore.jks -alias "Alias"
Restart the wso2 IS instance and check if the issue still persists.
According to the MySQL connector documentation in [1], following JDBC URL parameters should be included into the JDBC url to enable the SSL communication between MySQL server and the wso2 server.
useSSL=true
requireSSL=true
clientCertificateKeyStoreUrl
clientCertificateKeyStorePassword
I was able to successfully create the secure connection between MySQL server and the wso2 server with the below JDBC URL.
jdbc:mysql://<HOST_NAME>:<PORT>/apimgtdb?useSSL=true&requireSSL=true&clientCertificateKeyStoreUrl=file:<WSO2_HOME>/repository/resources/security/client-truststore.jks&clientCertificateKeyStorePassword=wso2carbon
While connecting to Amazon RedShift, I getting the below error:
2016-04-14 13:49:30 ERROR SQL Exception when connecting [Amazon](500150) Error setting/closing connection: General SSLEngine problem.
java.sql.SQLException: [Amazon](500150) Error setting/closing connection: General SSLEngine problem.
at workbench.db.DbDriver.connect(DbDriver.java:546)
at workbench.db.ConnectionMgr.connect(ConnectionMgr.java:244)
at workbench.db.ConnectionMgr.getConnection(ConnectionMgr.java:172)
at workbench.gui.components.ConnectionSelector.doConnect(ConnectionSelector.java:227)
at workbench.gui.components.ConnectionSelector$1.run(ConnectionSelector.java:131)
Caused by: java.sql.SQLException: [Amazon](500150) Error setting/closing connection: General SSLEngine problem.
at com.amazon.redshift.client.PGClient.<init>(Unknown Source)
at com.amazon.redshift.core.PGJDBCConnection.connect(Unknown Source)
at com.amazon.jdbc.common.BaseConnectionFactory.doConnect(Unknown Source)
at com.amazon.jdbc.common.AbstractDriver.connect(Unknown Source)
at workbench.db.DbDriver.connect(DbDriver.java:513)
at workbench.db.ConnectionMgr.connect(ConnectionMgr.java:244)
at workbench.db.ConnectionMgr.getConnection(ConnectionMgr.java:172)
at workbench.gui.components.ConnectionSelector.doConnect(ConnectionSelector.java:227)
I am using SQL Workbench J to connect to the database system. The strangeness here it that the connection was working fine two days ago. This problem appeared from nowhere. Any idea??
We are following the exact steps written in the setup guide to add certificates to Java.
https://community.boomi.com/docs/DOC-2381
Am I missing anything here?
UPDATE
My Redshift database is SSL configured. We use SQL Workbench J (http://www.sql-workbench.net/) client to connect to that database. The issue now is that everytime we try to connect, we are getting the error I mentioned.
Below is our URL format:
jdbc:redshift://hostname:5439/dbname?ssl=true&sslmode=verify-full
It worked for me when I followed the solution given by cfregly on databricks forum. Please follow below URL for this solution:
https://forums.databricks.com/questions/867/ssl-connection-issues-with-redshift.html
Please try appending sslfactory value in the Connection URL string like below - it might work.
ssl=true&sslfactory=org.postgresql.ssl.NonValidatingFactory
Please add the following without the server certificate
ssl=true&sslfactory=com.amazon.redshift.ssl.NonValidatingFactory
The following would be the possible values for sslfactory
com.amazon.redshift.ssl.NonValidatingFactory
org.postgresql.ssl.NonValidatingFactory
Please see http://docs.aws.amazon.com/redshift/latest/mgmt/configure-jdbc-options.html
Try the following.
Run the keystore keytool based on the Java install for the environment variable JAVA_HOME (you may have multiple java installs so just use the default). Use the default cacerts keystore that comes with the JRE which will have a password of "changeit". You need to download the Redshift Certificate.
Then install the certificate for example:
C:\Program Files\Java\jdk1.8.0_25\jre\bin>keytool.exe -keystore "C:\Program Files\Java\jdk1.8.0_25\jre\lib\security\cacerts" -import -alias redshift -file redshift-ssl-ca-cert.pem
It will prompt you for the password ("changeit") and then should say the key has been added. If it fails its probably because you are not an admin user, so if in linux use sudo or in windows open the command window as administrator.
Start MYSQL Workbench using the cacerts keystore and the password entered above eg:
C:\apps\SQL-Workbench-Build118>java -Djavax.net.ssl.trustStore="C:\Program Files\Java\jdk1.8.0_25\jre\lib\security\cacerts" -Djavax.net.ssl.trustStorePassword=changeit -jar sqlworkbench.jar
You should be able to use the URL above and it should now work.
I'm having a major pain getting my new SSL certificate to work with GlassFish 3.1.2.2. My current SSL certificate is due to expire soon, so I ordered a renewal at GlobalSign.
With my current SSL certificate I get following response (this is done through SoapUI for testing purposes):
HTTP/1.1 200 OK
X-Powered-By: Servlet/3.0 JSP/2.2 (Oracle GlassFish Server 3.1.2.2 Java/Oracle Corporation/1.7)
Server: Oracle GlassFish Server 3.1.2.2
Pragma: No-cache
Cache-Control: no-cache
Expires: Thu, 01 Jan 1970 01:00:00 CET
Content-Type: application/xml
Transfer-Encoding: chunked
Date: Mon, 11 Jan 2016 13:38:32 GMT
<?xml version="1.0" encoding="UTF-8" standalone="yes"?>..(xmlresponse)..</xml>
However, with the new SSL certificate active, I get following message:
SoapUI:
Error getting response; javax.net.ssl.SSLHandshakeException: Remote host closed connection during handshake.
Browser:
This page can’t be displayed
Turn on TLS 1.0, TLS 1.1, and TLS 1.2 in Advanced settings and try connecting to again. If this error persists, contact your site administrator.
The only thing I changed in the config of glassfish is the following:
Configurations > server-config > HTTP Service > Http Listeners > http-listener-2 > SSL tab
The Certificate NickName field from my old alias (mydomain) to my new alias (mydomain.net), which matches the alias of my private key in the keystore
The Key Store field value (file name) from the old keystore (server.keystore) to my new keystore (ssl_mydomain_net.jks)
Both new and old keystores are inside the C:\glassfish3\glassfish\domains\mydomain\config folder.
Old SSL settings:
New SSL settings:
I already had contact with GlobalSign support and we verified that the keystore is correctly generated.
When I run keytool -list -keystore ssl_mydomain_net.jks I get following output which should be correct:
Keystore type: JKS
Keystore provider: SUN
Your keystore contains 3 entries
root, Jan 8, 2016, trustedCertEntry,
Certificate fingerprint (SHA1): <...>
intermediate, Jan 8, 2016, trustedCertEntry,
Certificate fingerprint (SHA1): <...>
<mydomain>.net, Jan 8, 2016, PrivateKeyEntry,
Certificate fingerprint (SHA1): <...>
As far as I concluded, it has something to do with Glassfish. Does anyone have any idea because I'm out of options here...
Update January 13th, 2016
I upgraded from Glassfish 3.1.2.2 to Payara 4.1 (which is basicly Glassfish 4.1). I created a new fresh domain and noticed that by default the following jks files were in the mydomain/config folder:
cacerts.jks
keystore.jks
I added my own jks (ssl_mydomain_net.jks) to this folder and adjusted the settings for the http-listener-2 as above in the new SSL image. This gave me the same result as mentioned at the start of this post.
What am I missing? Do I have to adjust something to the default jks files? Do I have to create a csr from the keystore.jks instead of my own made keystore?
What do I need?
A GlobalSign SSL Certificate
Windows server with IIS installed
Payara instance
Getting your certificate from GlobalSign
Order or renew your SSL certificate at the GlobalSign website. During the process, choose the option Order with AutoCSR. The password of the new certificate will exist out of a password that you have to give during the creating process added by an extra string created by GlobalSign. Please remember this password as you will need it in the next phases.
Once your order is complete, you should be receive a PFX file. Copy this file to the Windows server where IIS is running.
Setting/Changing the master password for Payara
The password of the certificate which will contain your private and public key will have to match the master password of Payara (This can be freely chosen, this is NOT the password of your certification request at GlobalSign). You can change the master password by running following command:
asadmin change-master-password –savemasterpassword=true mydomain
Installing the certificate
Right click the PFX file and choose Install PFX
At the welcome screen, click Next
At the File to import screen, click Next as the PFX file location should be in there by default.
Enter the password. Remember, this is the password you gave up at the certificate creation extended by the string GlobalSign created.
Select the Mark this key as exportable. option.
Select the Include all extended properties. option.
Click Next
In the Certificate Store window, choose the Place all certificates in the following store option.
Click the Browse button.
Choose the Personal store.
Click OK
Click Next
Click Finish
Export the public and private key
Open the Microsoft Management Console (Start > Run > mmc > OK)
Click File > Add/Remove Snap-ins
Choose Certificates under the Available snap-ins list
Click the Add button
In the next window, choose the My user account option
Click Finish
Click OK
In the management console, expand Certificates - Current User > Personal > Certificates. If all want correct, you should see 3 certificates: GlobalSign Domain Validation CA, GlobalSign Root CA and mydomain.net.
Right click the mydomain.net entry
Choose All Tasks > Export...
In the welcome screen, press Next
Choose Yes, export the private key option
Click Next
In the Export File Format window, Choose Personal Information Exchange - PKCS # 12 (.PFX) and select the Include all certificates in the certification path if possible and Export all extended properties options.
Click Next
In the Password window, enter your Payara master password (this has to match!)
Click Next
Select the location were you want to put the export PFX file (e.g. mydomain.pfx) and click Next.
Click Finish
Getting the alias name
Run the following command to find out the generated alias name:
keytool -list -storetype pkcs12 -keystore mydomain.pfx
You will have to enter your keystore password, which should be the same as your Payara master password (see step 29).
When this command runs succesful, you should see your alias on the first line of the export. This looks like a long string of text (e.g. {fa2ebfd3-z11b-492d-2c73-f5z199732p2k}) followed by the date. Copy this string of text as we will need it later.
Adding the certificate to Payara
These are the two important steps that I was missing. We have to add the certificate to the cacerts.jks and keystore.jks who is located in the payara_install_folder/glassfish/domains/mydomain/config. This can be done by following two commands:
keytool -importkeystore -deststorepass <payara masterpassword> \
-destkeypass <payara masterpassword> -destkeystore cacerts.jks \
-srckeystore mydomain.pfx -srcstoretype PKCS12 \
-srcstorepass <payara masterpassword> \
-alias mydomain_alias_name //in our example this would be {fa2ebfd3-z11b-492d-2c73-f5z199732p2k}
keytool -importkeystore -deststorepass <payara masterpassword> \
-destkeypass <payara masterpassword> -destkeystore keystore.jks \
-srckeystore mydomain.pfx -srcstoretype PKCS12 \
-srcstorepass <payara masterpassword> \
-alias mydomain_alias_name //in our example this would be {fa2ebfd3-z11b-492d-2c73-f5z199732p2k}
Setting http-listener in Payara
Open your Payara admin console (normally this would be http://localhost:4848)
Go to Configurations > server-config > HTTP Service > HTTP Listeners > http-listener-2
Enable Security on the General tab
On the SSL tab, Enable SSL3 and TLS
In the Certificate NickName enter mydomain_alias_name (in our case {fa2ebfd3-z11b-492d-2c73-f5z199732p2k})
In the Key Store field, enter keystore.jks
Press the Save button
Restart your domain
Test if it works! :)
Thanks a lot to GlobalSign support and Max Lam who created a guide How To Install Comodo SSL Certificate Chain On Payara / Glassfish 4.x. Combining all this knowledge made me come up with the solution.
There is probably a way to replace the Installing the certificate and Export the public and private key part by running keytool commands. But as I'm not a 100% familiar with certificates, I left those out. If someone can tell me the right commands, let me know and I'll update the answer.
Add your new certificate to the truststore of the JVM that your server is using. If you take a look to your output when list the certificates of your keystore, you could see that your new certificate is not a trustedCertEntry.