X509 Common Name Invalid - x509

I have created server and client certificates for testing a web service on my local machine. For both the server and the client certificate I used localhost as the common name. When I tried to call the web service test method from Chrome, I got a "common name invalid" error and a forbidden error.
I used the following link to create the certificates:
https://blog.codeship.com/how-to-set-up-mutual-tls-authentication/


Not able to access AEM author using JcrUtils.getRepository with https

I am trying to access the repository from a standalone java application using JcrUtils.
**repository = JcrUtils.getRepository("http://localhost:4502/crx/server"); this works**
**repository = JcrUtils.getRepository("https://localhost:4502/crx/server"); this doesn't work**
```
Exception in thread "main" javax.jcr.RepositoryException: Unable to access a repository with the following settings:
    org.apache.jackrabbit.repository.uri: https://localhost:4502/crx/server
The following RepositoryFactory classes were consulted:
    org.apache.jackrabbit.commons.JndiRepositoryFactory: declined
    org.apache.jackrabbit.core.RepositoryFactoryImpl: declined
    org.apache.jackrabbit.jcr2dav.Jcr2davRepositoryFactory: declined
    org.apache.jackrabbit.jcr2spi.Jcr2spiRepositoryFactory: declined
Perhaps the repository you are trying to access is not available at the moment.
    at org.apache.jackrabbit.commons.JcrUtils.getRepository(JcrUtils.java:223)
    at org.apache.jackrabbit.commons.JcrUtils.getRepository(JcrUtils.java:263)
    at com.hero.jcr.util.CqHelper.getSession(CqHelper.java:20)
    at com.hero.jcr.commandline.CheckConnection.getDamAssets(CheckConnection.java:36)
    at com.hero.jcr.commandline.CheckConnection.main(CheckConnection.java:29)
```
Thanks in advance
The problem can have different causes.
HTTPS configured and on which port
It looks like you're trying to access http and https in the same situation on the same port. Http and Https don't run on the same port in parallel.
Please use the SSL Wizard as hinted by ronnyfm to check if SSL is activated and on which port it is used: https://docs.adobe.com/content/help/en/experience-manager-65/administering/security/ssl-by-default.html
For instance the default port for https in AEM is 8443, so try https://localhost:8443 to access it, if you have configured it there.
Untrusted Certificate
Also connecting to https might not work if you use an untrusted certificate, which you need to add to the Java security keystore first. In my case I got the same "Unable to access" message, because the original exception regarding the certificate got silently swallowed in the JCR library I was using.
Wrong certificate
When you have added the certificate to the keystore and it still doesn't work, check whether the certificate was created for the same host you request. If you created it for bla.host but try to access it via localhost, it also gives you the same exception, while the original message is silently swallowed.

p12 work in NodeDefaultKeyStore but not work in CellDefaultKeyStore in WebSphere

Good day,
My web application needs to connect to an IBM third party to get a response. IBM therefore gave me a .p12 file which contains the client certificate.
At first I imported this .p12 file into my existing CellDefaultKeyStore, and it hit a certificate chain error:
```
com.ibm.jsse2.util.j: PKIX path building failed: java.security.cert.CertPathBuilderException: PKIXCertPathBuilderImpl could not build a valid CertPath.; internal cause is:
java.security.cert.CertPathValidatorException: The certificate issued by xxx is not trusted; internal cause is:
java.security.cert.CertPathValidatorException: Certificate chaining error
```
Then I imported this .p12 file into NodeDefaultKeyStore, and surprisingly it works. My application is able to call the third party and gets response code 200.
I do not understand how to explain this to my client.
As I understand it, the management scope of CellDefaultKeyStore is bigger because it is in the cell, and NodeDefaultKeyStore should be considered part of the cell only, so CellDefaultKeyStore should work.
Can anyone advise on this?
Just to briefly explain a few concepts:
CellDefaultTrustStore - the store for signer certificates, so that the servers you connect to are trusted. It is shared by all nodes and servers by default.
NodeDefaultKeyStore - the store for private certs, i.e. the certs used for client authentication. Each node by default has its own store and private cert to authenticate with.
CellDefaultKeyStore - the store for private certs associated with the cell. It is used by the deployment manager, not by nodes serving apps. It is NOT used by federated nodes.
NodeDefaultSSLSettings - this manages the SSL config for the given node; you can check it. By default it uses NodeDefaultKeyStore (not CellDefaultKeyStore) and CellDefaultTrustStore.
But back to your question.
If you need to connect to some service using client certificate authentication, what you should do is:
1. create a new keystore with the cert from the p12 file
2. create a new truststore with all signer certs required to connect to that service
3. create a new SSL config that points to these stores
4. create a Dynamic outbound endpoint SSL configuration setting pointing to your SSL config, select the correct client cert, and specify the connection info in the form protocol,host,port
This configuration will be picked up when you make an outbound SSL connection that matches the info you entered.

Setting up clientCredentials Endpoint Behaviour on WCF-Custom Send Adapter

I am trying to wrap my head around how this should be set up correctly. I have two certificates, a client certificate and a service certificate. I've placed these in the MMC, on the service account for the host instance that handles the send port. So the client certificate is placed in the Personal folder and the service certificate is placed in the Trusted People folder.
I've tried using several "Find" methods to locate these certificates, such as thumbprint and serial number, but I always get a "Certificate not found" exception back.
My current settings on the adapter.
Client certificate:
Service certificate:
My settings for Authentication:
SSL Certificate Authentication settings:
What is the correct way to add the certificates to the different stores, so that they can be located by Biztalk? I've found the MSDN documentation on the topic, but it doesn't really provide any answers: https://learn.microsoft.com/en-us/dotnet/framework/configure-apps/file-schema/wcf/clientcertificate-of-clientcredentials-element
You have to be logged in as the BizTalk Service Account to manage Certificates. Run As doesn't typically work.
Other than that, the instructions should be correct.

REST Service - SSL Implementation (HTTP Error 403.7 - Forbidden)

In order to secure my REST services, I have enabled SSL in IIS, created a self-signed certificate and assigned it to the HTTPS binding in IIS. I exported the same as a pfx file and added it in IE as well, but when I try to access the services, I get the following error on Windows 7, Enterprise edition:
HTTP Error 403.7 - Forbidden
The page you are attempting to access requires your browser to have a Secure Sockets Layer (SSL) client certificate that the Web server recognizes.
And on Windows Server 2003, this is
HTTP Error 403.7 - Forbidden: SSL client certificate is required.
Internet Information Services (IIS)
I am not sure what I should do except adding the certificate in IE under "Personal" and "Trusted Root Certification Authorities". Could you please suggest some steps to make this work?
Note: I have tried with self-signed certificates as well as with certificates generated from Microsoft "Certificate Services".
Any help is greatly appreciated.
SSL is used to verify the identity of the server, not the identity of the client. The error suggests (http://support.microsoft.com/kb/199215, "This is used for authenticating you as a valid user of the resource. ") the server wants to identify the client. Which of the two are you trying to do?
Edit: SSL requires the public part of the SSL certificate to be available to the client. Adding it to the trusted root certificates seems to me to be the only way to make the public part of a self-signed certificate available to the browser.

CFHTTP How to ignore certificate name mismatch

I am trying to consume an HTTPS-based SOAP web service via ColdFusion, but it is returning "Connection Failure".
On dumping the result variable, it showed:
Error Detail: "I/O Exception: Name in certificate 'subdomain1.domain.com' does not match host name 'subdomain2.domain.com'"
I can ignore such a warning if I browse the HTTPS WSDL in a browser, but the question is: how can I bypass this warning using `<CFHTTP>`?
Thanks
A better solution is to have the host of the service get a proper SSL certificate for that subdomain, or a wildcard certificate that will allow them to have as many subdomains as needed with a single certificate.
I have been looking for a solution to this as well (a well-known payment gateway provider has an SSL issue on their server I have to work around). One solution I came up with was to put an entry into the server's hosts file and set it to the IP address of the hostname the SSL certificate was using. Fortunately their web server just accepts connections based on IP rather than hostname, so I was able to fool my server into thinking that I was connecting to the "proper" hostname published in the SSL cert and override the IP for that hostname in the public DNS. A way to tell Java that the name mismatch is "okay" would be nice though.
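The hostname check behind the three name errors on this page (Chrome's "common name invalid" for a CN-only localhost certificate, the swallowed wrong-host exception in the AEM answer, and CFHTTP's "Name in certificate ... does not match host name"), written out as an added Python example that is not part of any post above. The certificate dictionaries are constructed samples in the shape Python's `ssl` module returns from `getpeercert()`; `verify_hostname` and `_dns_match` are names chosen for this example.

```python
import ipaddress
from typing import Tuple

# Certificates are represented in the shape ssl.SSLSocket.getpeercert() returns.
# All four are constructed samples for this example, not real certificates.
CN_ONLY_LOCALHOST = {"subject": ((("commonName", "localhost"),),)}          # no SAN at all
LOCALHOST_SAN = {"subject": ((("commonName", "localhost"),),),
                 "subjectAltName": (("DNS", "localhost"), ("IP Address", "127.0.0.1"))}
SAN_SUBDOMAIN1 = {"subject": ((("commonName", "subdomain1.domain.com"),),),
                  "subjectAltName": (("DNS", "subdomain1.domain.com"),)}
WILDCARD = {"subject": ((("commonName", "*.domain.com"),),),
            "subjectAltName": (("DNS", "*.domain.com"),)}

def _dns_match(pattern: str, host: str) -> bool:
    """RFC 6125 style comparison: case-insensitive, one '*' allowed and only as the
    entire leftmost label, never spanning more than one label or a bare TLD."""
    pattern, host = pattern.lower().rstrip("."), host.lower().rstrip(".")
    if "*" not in pattern:
        return pattern == host
    p, h = pattern.split("."), host.split(".")
    if p[0] != "*" or len(p) < 3 or len(p) != len(h):
        return False
    return p[1:] == h[1:]

def _common_names(cert: dict):
    return [v for rdn in cert.get("subject", ()) for k, v in rdn if k == "commonName"]

def verify_hostname(cert: dict, hostname: str, allow_cn_fallback: bool = False) -> Tuple[bool, str]:
    """Return (matched, reason). The default follows current browsers: only subjectAltName
    is consulted, so a CN-only certificate never matches. allow_cn_fallback=True reproduces
    the legacy rule that consults commonName when (and only when) there is no SAN."""
    sans = cert.get("subjectAltName", ())
    dns_names = [v for k, v in sans if k == "DNS"]
    ip_names = [v for k, v in sans if k == "IP Address"]
    try:
        ip = ipaddress.ip_address(hostname)
    except ValueError:
        ip = None
    if ip is not None:   # IP literals must match an IP Address SAN, never a DNS name or CN
        if any(ipaddress.ip_address(v) == ip for v in ip_names):
            return True, f"{hostname} is listed as an IP Address subjectAltName"
        return False, f"{hostname} is not among the IP Address subjectAltNames {ip_names}"
    if any(_dns_match(p, hostname) for p in dns_names):
        return True, f"'{hostname}' matches a DNS subjectAltName"
    if not sans and allow_cn_fallback and any(_dns_match(p, hostname) for p in _common_names(cert)):
        return True, f"'{hostname}' matches commonName (legacy fallback, certificate has no SAN)"
    present = dns_names or _common_names(cert)
    return False, f"Name in certificate {present} does not match host name '{hostname}'"
```

Running `verify_hostname(CN_ONLY_LOCALHOST, "localhost")` fails while the same call with `allow_cn_fallback=True` succeeds, which is exactly the gap between a browser and an older client when a test certificate carries only a common name.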