I have a customer who wants to implement SAML2 SSO, the customer will be the Identity Provider (IDP) and my web application will effectively be the Service Provider (SP).
But my customer only gives me the certificate file (.crt) and the metadata XML file, and I checked the OpenSAML code, which needs SPKeystore.jks to initialize the KeyStore object.
So how do I implement the service provider without the .jks file?
Is the .jks file necessary?
Does anyone know? Thanks a lot!
You create the keystore (.jks) yourself and add the certificate to it. In a Java environment, you use keytool to do so.
You can use keytool to import the certificate file into SPKeystore.jks:
keytool -import -alias <alias> -trustcacerts -file <xx.crt> -keystore SPKeystore.jks -storepass <SPKeystorePassPhrase>
I am using SAP Commerce Cloud (Public Cloud), and I am trying to insert a .cer file to make REST calls to an API Gateway.
I read about importing it into the keystore in Java using the command line.
But I don't know how to do it in SAP Commerce Cloud.
To install a certificate in a keystore, please follow these steps:
Create the keystore (if not already created) using the command below:
keytool -importkeystore -srckeystore /<path_to_the_pfx>/<pfx_name>.pfx -srcstoretype pkcs12 -destkeystore /<path_to_the_keystore_to_be_created>/<name_of_the_keystore>.jks -deststoretype JKS
You can control the keystore credentials as below:
a) sso.keystore.location - The path to the keystore (in this way the keystore can be repo managed)
b) sso.keystore.password - keystore password (default is changeit)
c) sso.keystore.privatekey.alias - Alias of the private key
Import the certificate using the command below:
keytool -importcert -alias <alias_of_the_certificate> -file /<path_of_the_cert>/<name_of_the_cert>.cer -keystore /<path_to_the_keystore_to_be_created>/<name_of_the_keystore>.jks
To remind you again, the keystore (with the installed certificate) can be repository-controlled as well using sso.keystore.location.
Alternatively, if your question is about enabling REST calls from the Commerce Cloud environment, please follow the steps mentioned here.
Hope this helps.
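Both answers above (the SAML SP one and the Commerce Cloud one) come down to the same operation: keytool -importcert creates a keystore that holds a trusted-certificate entry. The program below is an added example, not code from either answer or from OpenSAML or SAP, that does the same thing with the java.security.KeyStore API and prints the certificate's SHA-256 fingerprint so it can be compared with the value the partner communicated out of band before anything trusts it. File paths, alias and password are command-line arguments chosen for this example. If the service provider must also sign AuthnRequests or decrypt assertions it additionally needs its own key pair (the keytool -genkeypair step that sso.keystore.privatekey.alias refers to); this example only builds the trust side.

```java
import java.io.FileInputStream;
import java.io.FileOutputStream;
import java.io.InputStream;
import java.io.OutputStream;
import java.security.KeyStore;
import java.security.MessageDigest;
import java.security.cert.CertificateFactory;
import java.security.cert.X509Certificate;

// Added example: builds the truststore that "keytool -importcert" would create,
// starting from nothing but the partner's .crt/.cer file. Paths, alias and
// password are command-line arguments (assumptions of this example).
public class BuildTrustStore {

    public static void main(String[] args) throws Exception {
        if (args.length != 4) {
            System.err.println("usage: BuildTrustStore <cert.crt> <alias> <out.jks> <storepass>");
            System.exit(2);
        }
        String certPath = args[0], alias = args[1], outPath = args[2];
        char[] storePass = args[3].toCharArray();

        // CertificateFactory accepts both PEM ("-----BEGIN CERTIFICATE-----") and raw DER.
        X509Certificate cert;
        try (InputStream in = new FileInputStream(certPath)) {
            cert = (X509Certificate) CertificateFactory.getInstance("X.509").generateCertificate(in);
        }

        // Before trusting a partner certificate, compare its fingerprint with the value
        // the partner sent through a second channel (ticket, signed mail, phone).
        System.out.println("Subject:   " + cert.getSubjectX500Principal());
        System.out.println("Not after: " + cert.getNotAfter());
        System.out.println("SHA-256:   " + fingerprint(cert));
        cert.checkValidity(); // throws if the certificate is expired or not yet valid

        // "JKS" matches the file name the question's code expects; "PKCS12" is the modern default.
        KeyStore ks = KeyStore.getInstance("JKS");
        ks.load(null, null);                 // start from an empty in-memory store
        ks.setCertificateEntry(alias, cert); // a trusted-certificate entry: no private key
        try (OutputStream out = new FileOutputStream(outPath)) {
            ks.store(out, storePass);
        }
        System.out.println("wrote " + outPath + " with " + ks.size() + " entry");
    }

    /** Colon-separated SHA-256 fingerprint of the DER-encoded certificate, as keytool prints it. */
    static String fingerprint(X509Certificate cert) throws Exception {
        byte[] digest = MessageDigest.getInstance("SHA-256").digest(cert.getEncoded());
        StringBuilder sb = new StringBuilder();
        for (int i = 0; i < digest.length; i++) {
            if (i > 0) sb.append(':');
            sb.append(String.format("%02X", digest[i]));
        }
        return sb.toString();
    }
}
```

Run it as `java BuildTrustStore idp.crt idp SPKeystore.jks <storepass>`; the resulting file is what `keytool -list -v -keystore SPKeystore.jks` shows as a single trustedCertEntry.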
I'm currently creating an Android app, which is supposed to send a POST request to a server. Unfortunately, the server is using self-signed certificate. So I have to create a PKCS12 keystore, which will include the CA Certificate, and make my App use that keystore.
To create such a keystore, I'm currently using the command below:
keytool -import -trustcacerts -alias my-alias -file cacert.pem -keystore mykeystorefile -storetype PKCS12
Unfortunately the keystore doesn't work (the request fails on the SSL handshake).
When I inspected the keystore using this command:
keytool -list -v -keystore mykeystorefile
I noticed a strange line at the very end of this list.
#8: ObjectId: 2.5.29.18 Criticality=false
Unparseable IssuerAlternativeName extension due to
java.io.IOException: No data available in passed DER encoded value.
0000: 30 00 0.
*******************************************
*******************************************
Keytool failed to parse an extension that is part of the CA certificate.
I tried the same with Let's Encrypt's CA certificates and it worked just fine.
I'd be glad for any pointers on how to approach and solve this problem.
Thanks.
Edit: The keytool I'm currently using is part of java-8-openjdk.
Edit 2: After inspecting the CA certificate, the Issuer Alternative Name extension doesn't have any value. I'm wondering if there is a way to skip that extension?
There is no way to skip anything that's on a certificate.
If the Issuer Alternative Name is blank, whoever generated that certificate has generated it wrong. If it is a self-signed certificate, the Issuer Alternative Name and the Subject Alternative Name are the same value. If it is signed by any CA, the CA's Subject Alternative Name is put in the end user's Issuer Alternative Name.
You might need to ask them for the right CA certificate.
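The hex dump keytool printed (30 00) is an empty ASN.1 SEQUENCE. RFC 5280 defines IssuerAltName as GeneralNames, which is SEQUENCE SIZE (1..MAX) OF GeneralName, so an empty sequence is an invalid encoding; the extension is optional and should simply have been left out. The following added example (not part of the question or the answer) loads a certificate and inspects the raw DER of OID 2.5.29.18, which OpenJDK's X509Certificate implementation still returns from getExtensionValue() even when its own parser rejected the extension. The certificate path is a command-line argument, an assumption of this example.

```java
import java.io.FileInputStream;
import java.io.InputStream;
import java.security.cert.CertificateFactory;
import java.security.cert.X509Certificate;
import java.util.Arrays;

// Added example: reports whether the IssuerAlternativeName extension is absent,
// present, or present-but-empty (DER "30 00"), the case keytool could not parse.
// getExtensionValue() wraps the value in an OCTET STRING, so that is stripped first.
public class CheckIssuerAltName {

    static final String ISSUER_ALT_NAME_OID = "2.5.29.18";

    public static void main(String[] args) throws Exception {
        try (InputStream in = new FileInputStream(args[0])) { // path is an assumption
            X509Certificate cert = (X509Certificate)
                CertificateFactory.getInstance("X.509").generateCertificate(in);
            System.out.println(describe(cert));
        }
    }

    static String describe(X509Certificate cert) {
        byte[] wrapped = cert.getExtensionValue(ISSUER_ALT_NAME_OID);
        if (wrapped == null) {
            return "no IssuerAlternativeName extension (fine: it is optional)";
        }
        byte[] inner = unwrapOctetString(wrapped);
        if (inner.length >= 2 && inner[0] == 0x30 && derLength(inner, 1)[0] == 0) {
            return "IssuerAlternativeName present but EMPTY (DER " + hex(inner)
                 + "); violates RFC 5280 GeneralNames SIZE (1..MAX), ask the issuer to reissue";
        }
        return "IssuerAlternativeName present, " + inner.length + " bytes: " + hex(inner);
    }

    /** Strips the outer OCTET STRING (tag 0x04) that getExtensionValue() adds. */
    static byte[] unwrapOctetString(byte[] der) {
        if (der.length < 2 || der[0] != 0x04) {
            throw new IllegalArgumentException("expected OCTET STRING, got " + hex(der));
        }
        int[] lenAndOffset = derLength(der, 1);
        return Arrays.copyOfRange(der, lenAndOffset[1], lenAndOffset[1] + lenAndOffset[0]);
    }

    /** Decodes a DER length starting at pos; returns {length, offset of first content byte}. */
    static int[] derLength(byte[] der, int pos) {
        int first = der[pos] & 0xFF;
        if (first < 0x80) {                       // short form: one byte
            return new int[] { first, pos + 1 };
        }
        int numBytes = first & 0x7F;              // long form: next numBytes bytes hold the length
        int len = 0;
        for (int i = 0; i < numBytes; i++) {
            len = (len << 8) | (der[pos + 1 + i] & 0xFF);
        }
        return new int[] { len, pos + 1 + numBytes };
    }

    static String hex(byte[] b) {
        StringBuilder sb = new StringBuilder();
        for (byte x : b) sb.append(String.format("%02x ", x));
        return sb.toString().trim();
    }
}
```

For the certificate in the question the output is the "present but EMPTY" line; a correctly issued certificate yields either the "no extension" line or a non-empty GeneralNames.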
My need is to accept the SSL certificate enabled on a REST web service URL (https://dctm-rest) from a standalone Java application (which will be bundled as a JAR).
To my knowledge the best way is to create a KeyStore/TrustStore using keytool, download the certificate from the browser/openssl and add it to the TrustStore. With this we are creating a dependency, and someone has to keep updating the certificate for every renewal.
Can someone guide me to get this implemented by removing the manual dependency?
You have to include the server certificate at https://dctm-rest in the whitelist of your JRE (the truststore).
Options
1) Include the server certificate in the JRE truststore (jre/lib/security/cacerts) (not recommended)
To download the server certificate, open the site in a browser, right-click on the green lock, select 'view certificate' and download.
The simplest way to explore cacerts and import a trusted certificate is to use a GUI tool like Portecle (http://portecle.sourceforge.net/). You can also use keytool:
keytool -import -trustcacerts -keystore /opt/java/jre/lib/security/cacerts -alias mycert -noprompt -storepass changeit -file /tmp/examplecert.crt
See: How to properly import a self-signed certificate into a Java keystore that is available to all Java applications by default?
2) Use your own truststore and include the server certificate (recommended)
System.setProperty("javax.net.ssl.trustStore", path_to_your_truststore_jks_file);
System.setProperty("javax.net.ssl.trustStorePassword", "password");
You can also create an SSLSocketFactory and set it on your connection before connecting, or apply it to all connections using the static method:
HttpsURLConnection.setDefaultSSLSocketFactory(sslFactory);
This is an example of creating the socket factory:
import java.io.FileInputStream;
import java.io.InputStream;
import java.security.KeyStore;
import javax.net.ssl.*;
// Load the JKS truststore holding the server certificate or its root CA (truststorePath/truststorePassword are your values)
KeyStore keyStore = KeyStore.getInstance("JKS");
try (InputStream in = new FileInputStream(truststorePath)) {
    keyStore.load(in, truststorePassword);
}
TrustManagerFactory tmf = TrustManagerFactory.getInstance(TrustManagerFactory.getDefaultAlgorithm());
tmf.init(keyStore);
SSLContext ctx = SSLContext.getInstance("TLS");
ctx.init(null, tmf.getTrustManagers(), null);
SSLSocketFactory sslFactory = ctx.getSocketFactory();
3) Do not use a truststore at all (not recommended at all)
See: Disable SSLHandshakeException for a single connection (I will not copy the solution).
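Two points worth adding to option 2. First, the javax.net.ssl.trustStore property replaces the JRE's cacerts for the whole JVM, so once it is set, connections from the same process to any endpoint with a public CA certificate fail unless those roots are also copied into the custom store. Second, the renewal dependency from the question disappears if the truststore holds the certificate of the CA that issues the server certificate rather than the leaf itself; only a self-signed leaf that is regenerated with a new key forces a re-import. The added example below (mine, not the answer's code) builds an X509TrustManager that accepts a chain if either the default cacerts or the private truststore accepts it, and uses it for a single HttpsURLConnection with hostname verification left at its default. Truststore path, password and URL are command-line arguments chosen for the example.

```java
import java.io.FileInputStream;
import java.io.InputStream;
import java.net.URL;
import java.security.KeyStore;
import java.security.cert.CertificateException;
import java.security.cert.X509Certificate;
import java.util.ArrayList;
import java.util.List;
import javax.net.ssl.HttpsURLConnection;
import javax.net.ssl.SSLContext;
import javax.net.ssl.TrustManager;
import javax.net.ssl.TrustManagerFactory;
import javax.net.ssl.X509TrustManager;

// Added example: trust a server chain if EITHER the JRE's cacerts OR a private
// truststore accepts it. Nothing is disabled: chain validation runs in each
// delegate and hostname verification stays at its default.
public class CompositeTrust {

    /** Builds an X509TrustManager from a KeyStore, or from cacerts when ks is null. */
    static X509TrustManager trustManagerFor(KeyStore ks) throws Exception {
        TrustManagerFactory tmf = TrustManagerFactory.getInstance(TrustManagerFactory.getDefaultAlgorithm());
        tmf.init(ks); // null means "use the JRE default truststore"
        for (TrustManager tm : tmf.getTrustManagers()) {
            if (tm instanceof X509TrustManager) return (X509TrustManager) tm;
        }
        throw new IllegalStateException("no X509TrustManager available");
    }

    /** Accepts a chain as soon as one delegate accepts it; rethrows the last failure otherwise. */
    static X509TrustManager composite(final X509TrustManager... managers) {
        return new X509TrustManager() {
            @Override public void checkClientTrusted(X509Certificate[] chain, String authType) throws CertificateException {
                check(chain, authType, true);
            }
            @Override public void checkServerTrusted(X509Certificate[] chain, String authType) throws CertificateException {
                check(chain, authType, false);
            }
            private void check(X509Certificate[] chain, String authType, boolean client) throws CertificateException {
                CertificateException last = null;
                for (X509TrustManager tm : managers) {
                    try {
                        if (client) tm.checkClientTrusted(chain, authType);
                        else tm.checkServerTrusted(chain, authType);
                        return; // one delegate validated the chain
                    } catch (CertificateException e) {
                        last = e;
                    }
                }
                throw last != null ? last : new CertificateException("no trust managers configured");
            }
            @Override public X509Certificate[] getAcceptedIssuers() {
                List<X509Certificate> all = new ArrayList<>();
                for (X509TrustManager tm : managers) {
                    for (X509Certificate c : tm.getAcceptedIssuers()) all.add(c);
                }
                return all.toArray(new X509Certificate[0]);
            }
        };
    }

    public static void main(String[] args) throws Exception {
        String trustStorePath = args[0];               // assumption: private truststore file
        char[] trustStorePass = args[1].toCharArray(); // assumption: its password
        URL url = new URL(args[2]);                    // assumption: the https URL to call

        // Private truststore: holds the internal issuing CA, so leaf renewals need no change.
        KeyStore privateStore = KeyStore.getInstance(KeyStore.getDefaultType());
        try (InputStream in = new FileInputStream(trustStorePath)) {
            privateStore.load(in, trustStorePass);
        }

        X509TrustManager combined = composite(trustManagerFor(null), trustManagerFor(privateStore));
        SSLContext ctx = SSLContext.getInstance("TLS");
        ctx.init(null, new TrustManager[] { combined }, null);

        HttpsURLConnection conn = (HttpsURLConnection) url.openConnection();
        conn.setSSLSocketFactory(ctx.getSocketFactory()); // this connection only; or setDefaultSSLSocketFactory
        System.out.println("HTTP " + conn.getResponseCode() + " from " + url.getHost());
    }
}
```

Import the internal CA into the private store with the same keytool -import command shown in option 1, just pointed at your own file instead of cacerts.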
I don't have much knowledge in this area, but I have still tried to do things by googling. Here is the problem I am facing.
Case 1 (works):
I have a CA-signed certificate and I would like to use it in my web application. I first created a keystore. I see that it creates an entry of type "keyEntry" in the keystore. Then I import the CA-signed certificate into the keystore I created.
Here are the steps:
keytool -genkeypair -keystore keystore.jks
I see an entry in the keystore of type "keyEntry" with alias "mykey".
Now I import the certificate:
keytool -importcert -alias abc -file cert.crt -keystore keystore.jks
Now I see another entry of type "trustedCertEntry".
With this keystore I am able to access my web application when I upload it.
Case 2 (doesn't work):
I create the keystore on the fly while importing the certificate.
keytool -importcert -alias abc -file cert.crt -keystore keystore2.jks
Here I see only one entry type, which is "trustedCertEntry".
With this keystore I am not able to access my web application.
Question:
What are the entry types "keyEntry" and "trustedCertEntry", and why does my keystore work only when I have the "keyEntry" entry type?
My understanding of keytool is tenuous at best but I think the trick is that with Case 2, by omitting the -genkeypair, you're not generating the necessary private key.
In Case 1, the steps you're using are: create a private key pair (public key and private key), and then import a certificate into the trusted certificates for the keystore. Presumably you have another certificate in the keystore that's joining with the private key though it's possible the trusted cert is acting as the cert or your application isn't using a joined keypair/cert in the same file.
I can say that a 'trustedCertEntry' is a certificate which is trusted by the keystore. This is essential for allowing certificate chains (ex: Root-CA signs Intermediate-CA1 which signs End-Cert1. Without having both Root-CA and Intermediate-CA1 as trustedCertEntry, the keystore doesn't trust the end cert). TrustedCertEntries do not have private keys associated with them, only the public key the certificate contains.
A keyEntry (I think!) is a public/private key pair without the certificate.
A privateKeyEntry is a public/private key pair with an associated CA-signed or self-signed certificate.
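In KeyStore API terms, "keyEntry" (older keytool output) and "PrivateKeyEntry" (newer output) are the same thing: a KeyStore.PrivateKeyEntry holding a private key together with its certificate chain. "trustedCertEntry" is a KeyStore.TrustedCertificateEntry holding a certificate and nothing else. A TLS server needs a private key to complete the handshake, so a keystore containing only trusted certificates can serve as a truststore but never as a server keystore, which is why Case 2 fails. One more detail on Case 1: keytool -importcert only replaces the self-signed certificate of the generated key pair when the CA reply is imported under the same alias (mykey); importing it under a different alias (abc) adds a separate trusted entry, and the server keeps presenting the self-signed certificate. The program below is an added example, not code from the question or the answer, that lists the entry type of every alias and then asks the key manager which alias it would serve. Path and password are command-line arguments, and the key password is assumed to equal the store password (keytool's default when none is given).

```java
import java.io.FileInputStream;
import java.io.InputStream;
import java.security.KeyStore;
import java.security.cert.Certificate;
import java.util.Collections;
import javax.net.ssl.KeyManager;
import javax.net.ssl.KeyManagerFactory;
import javax.net.ssl.X509KeyManager;

// Added example: prints the entry type behind each alias and checks whether the
// JDK key manager could serve a TLS server from this keystore. With nothing but
// trustedCertEntry items, chooseServerAlias() returns null (the Case 2 failure).
public class InspectKeyStore {

    public static void main(String[] args) throws Exception {
        KeyStore ks = KeyStore.getInstance(KeyStore.getDefaultType());
        char[] pass = args[1].toCharArray();             // assumption: store password == key password
        try (InputStream in = new FileInputStream(args[0])) { // assumption: keystore path
            ks.load(in, pass);
        }
        for (String alias : Collections.list(ks.aliases())) {
            if (ks.isKeyEntry(alias)) {
                // keytool shows this as "keyEntry" (older) or "PrivateKeyEntry" (newer):
                // a private key plus its certificate chain.
                Certificate[] chain = ks.getCertificateChain(alias);
                System.out.println(alias + ": private key entry, chain length "
                    + (chain == null ? 0 : chain.length));
            } else if (ks.isCertificateEntry(alias)) {
                // keytool shows this as "trustedCertEntry": a certificate only, no private key.
                System.out.println(alias + ": trusted certificate entry");
            }
        }
        String serverAlias = serverAlias(ks, pass);
        System.out.println(serverAlias == null
            ? "no private key entry: usable as a truststore, NOT as a server keystore"
            : "a TLS server would present the certificate under alias '" + serverAlias + "'");
    }

    /** Returns the alias a TLS server would pick, or null when no private key entry exists. */
    static String serverAlias(KeyStore ks, char[] keyPass) throws Exception {
        KeyManagerFactory kmf = KeyManagerFactory.getInstance(KeyManagerFactory.getDefaultAlgorithm());
        kmf.init(ks, keyPass);
        for (KeyManager km : kmf.getKeyManagers()) {
            if (km instanceof X509KeyManager) {
                X509KeyManager x = (X509KeyManager) km;
                for (String keyType : new String[] { "RSA", "EC", "DSA" }) {
                    String alias = x.chooseServerAlias(keyType, null, null);
                    if (alias != null) return alias;
                }
            }
        }
        return null;
    }
}
```

Run it against keystore.jks and keystore2.jks from the question: the first reports a private key entry under mykey plus a trusted entry under abc, the second only the trusted entry and the "NOT as a server keystore" line.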
I have a .Net SAML implementation that verifies assertions' signatures against a PKCS 7 certificate in a .p7b file.
I have a customer who has a Java-based identity provider. They can only provide their certificate in a Java keystore .jks file.
I can verify the assertions that their identity provider sends, but I can't check that those assertions were signed by a trusted provider without verifying them against the certificates in the Java key store.
I can find lots online on how to add a .p7b certificate to a .jks file, but nothing on how to reverse the process.
How do I get a .p7b certificate (that .Net and Windows can open) from a supplied .jks file?
Alternatively I'm loading the .p7b into .Net using the native X509Chain implementation. If I can't convert the .jks is there any way to load it in .Net in a way that lets me check the assertions' signatures?
It turns out that there is a command line utility in Java that does what I need. In the Java runtime directory (C:\Program Files (x86)\Java\jre7\bin on my machine) there is a utility called keytool (my newlines for readability):
>keytool -importkeystore
-srckeystore clientStore.jks -srcstoretype JKS
-destkeystore outputStore.p12 -deststoretype PKCS12
This produces an output store called outputStore.p12 that I can load in .Net with X509Certificate2Collection.Import()
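keytool -importkeystore copies every entry into the .p12, including any private key that happens to be in the .jks, while verifying assertion signatures needs only the public certificates. The added example below, not code from the question or the answer, extracts just the certificates (trusted entries and the chains of key entries) and writes them as a PKCS#7 degenerate SignedData, the structure Windows and .NET read as .p7b, using the JDK's CertPath "PKCS7" encoding. Paths and the store password are command-line arguments chosen for the example.

```java
import java.io.FileInputStream;
import java.io.FileOutputStream;
import java.io.InputStream;
import java.io.OutputStream;
import java.security.KeyStore;
import java.security.cert.CertPath;
import java.security.cert.Certificate;
import java.security.cert.CertificateFactory;
import java.util.ArrayList;
import java.util.Collections;
import java.util.List;

// Added example: .jks -> .p7b with public certificates only. No private key
// material is read from the key entries, only their certificate chains.
public class JksToP7b {

    public static void main(String[] args) throws Exception {
        String jksPath = args[0], p7bPath = args[2];   // assumptions: input and output paths
        char[] storePass = args[1].toCharArray();       // assumption: store password

        KeyStore ks = KeyStore.getInstance("JKS");
        try (InputStream in = new FileInputStream(jksPath)) {
            ks.load(in, storePass);
        }

        List<Certificate> certs = new ArrayList<>();
        for (String alias : Collections.list(ks.aliases())) {
            if (ks.isCertificateEntry(alias)) {
                certs.add(ks.getCertificate(alias));                  // trustedCertEntry
            } else if (ks.isKeyEntry(alias)) {
                Certificate[] chain = ks.getCertificateChain(alias);  // chain only, never the key
                if (chain != null) Collections.addAll(certs, chain);
            }
        }
        if (certs.isEmpty()) throw new IllegalStateException("no certificates in " + jksPath);

        // A CertPath encoded as "PKCS7" is a SignedData with certificates and no signers,
        // which is exactly the content of a .p7b file.
        CertPath path = CertificateFactory.getInstance("X.509").generateCertPath(certs);
        try (OutputStream out = new FileOutputStream(p7bPath)) {
            out.write(path.getEncoded("PKCS7"));
        }
        System.out.println("wrote " + certs.size() + " certificate(s) to " + p7bPath);
    }
}
```

The resulting file opens with the same X509Certificate2Collection.Import() call on the .NET side, and it can be committed or shipped without worrying about a private key travelling along with it.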