I'm using the JBoss application server. I wanted to secure the management interface, so I did the following.
Creating a keystore with the keytool:
keytool -genkeypair -alias serverkey -keyalg RSA -keysize 2048 -validity 7360 -keystore server.keystore -keypass mypassword -storepass mypassword -dname "cn=Server Administrator,o=Acme,c=GB"
In standalone.xml:
<security-realm name="ManagementRealm">
    ....
    <server-identities>
        <ssl>
            <keystore path="server.keystore" relative-to="jboss.server.config.dir" keystore-password="mypassword" alias="serverkey"/>
        </ssl>
    </server-identities>
</security-realm>
Also:
<management-interfaces>
    <http-interface security-realm="ManagementRealm" http-upgrade-enabled="true">
        <socket-binding https="management-https"/>
    </http-interface>
</management-interfaces>
And:
<socket-binding name="management-https" interface="management" port="${jboss.management.https.port:9993}"/>
Now I have to type https://ip#:9993 to access the management interface. So how can I have an automatic redirect from HTTP to HTTPS (without adding https to the ip#)?
Thanks!
You can just access IP:9443. It will automatically redirect to https.
My setup: an HTTPS load balancer with HTTP WildFly nodes running in domain mode.
Entry to the application is through the HTTPS load balancer to the application nodes: 443 to 8080 & 8180. Application forwarding works, and all functions of the application are usable.
The problem appears only for the SOAP webservice.
The WSDL is accessible under https://loadbalancerurl:443/.. and the problem comes when accessing the webservice methods.
The problem seems to be the forwarding from 443 to the confidential port 8443. The error message when the client accesses the SOAP webservice is:
UT010053: No confidential port is available to redirect the current request.
I know that this comes from Undertow Servlet, from here:
protected URI getRedirectURI(HttpServerExchange exchange) throws URISyntaxException {
    int port = portManager.getConfidentialPort(exchange);
    if (port < 0) {
        throw MESSAGES.noConfidentialPortAvailable();
    }
    return super.getRedirectURI(exchange, port);
}
So port is < 0.
So the question is how to configure Undertow so that the confidential port is delivered, i.e. what is the right configuration?
My domain.xml contains:
<server name="default-server">
    <ajp-listener name="ajp" socket-binding="ajp"/>
    <http-listener name="default" socket-binding="http" certificate-forwarding="true" proxy-address-forwarding="true" />
</server>
<socket-binding-group name="pze4-sockets" default-interface="public">
    <socket-binding name="ajp" port="${jboss.ajp.port:8009}"/>
    <socket-binding name="http" port="${jboss.http.port:8080}"/>
    <socket-binding name="https" port="${jboss.https.port:8443}"/>
    <socket-binding name="iiop" interface="unsecure" port="3528"/>
    <socket-binding name="iiop-ssl" interface="unsecure" port="3529"/>
    <socket-binding name="txn-recovery-environment" port="4712"/>
    <socket-binding name="txn-status-manager" port="4713"/>
    <outbound-socket-binding name="mail-smtp">
        <remote-destination host="localhost" port="25"/>
    </outbound-socket-binding>
</socket-binding-group>
In the application's jboss-webservices.xml, CONFIDENTIAL is configured:
<?xml version="1.0" encoding="UTF-8" ?>
<webservices xmlns="http://www.jboss.com/xml/ns/javaee">
    <port-component>
        <ejb-name>MyWebservice</ejb-name>
        <transport-guarantee>CONFIDENTIAL</transport-guarantee>
    </port-component>
</webservices>
The same setup of load balancer and WildFly nodes had worked with WildFly 8 for the SOAP webservice.
What I have tried so far:
Adding the https-listener did not help:
<https-listener name="https" socket-binding="https" security-realm="ApplicationRealm"/>
The hint from here did not work either:
https://developer.jboss.org/thread/270026
Adding the SSL certificate to Java on the nodes did not help either.
Any ideas?
Thanks in advance
You are missing the redirect-socket attribute in http-listener; it solved my problem.
See here: https://access.redhat.com/documentation/en-us/red_hat_jboss_enterprise_application_platform/7.0/html/configuration_guide/configuring_the_web_server_undertow
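As an added example (not from either post, and not WildFly's or Undertow's own code), the following Python script models the lookup that the answer's redirect-socket attribute fixes: the confidential port comes from the http-listener's redirect-socket, which names a socket-binding whose port expression (${jboss.https.port:8443}) is expanded; with no such attribute the port is -1, which is the port < 0 branch quoted from Undertow above. The configuration strings are constructed from the question's own fragments, with the socket-binding-group placed under one root only so the sample is self-contained (in a real domain.xml the group is referenced by the server-group, not nested in the subsystem). The lint function is this example's own pre-deployment check, not a WildFly tool.

```python
import re
import xml.etree.ElementTree as ET

# Constructed sample: the http-listener exactly as in the question (no redirect-socket)
# plus the socket-binding-group it runs under. domain.xml uses per-subsystem namespaces,
# so elements are matched by local name below.
BROKEN_CONFIG = """<host xmlns="urn:example:sample">
  <subsystem xmlns="urn:jboss:domain:undertow:3.1">
    <server name="default-server">
      <ajp-listener name="ajp" socket-binding="ajp"/>
      <http-listener name="default" socket-binding="http"
                     certificate-forwarding="true" proxy-address-forwarding="true"/>
    </server>
  </subsystem>
  <socket-binding-group name="pze4-sockets" default-interface="public">
    <socket-binding name="ajp" port="${jboss.ajp.port:8009}"/>
    <socket-binding name="http" port="${jboss.http.port:8080}"/>
    <socket-binding name="https" port="${jboss.https.port:8443}"/>
  </socket-binding-group>
</host>
"""

# The same listener with the attribute the answer adds.
FIXED_CONFIG = BROKEN_CONFIG.replace(
    '<http-listener name="default" socket-binding="http"',
    '<http-listener name="default" socket-binding="http" redirect-socket="https"')

# The deployment descriptor from the question.
WS_DESCRIPTOR = """<webservices xmlns="http://www.jboss.com/xml/ns/javaee">
  <port-component>
    <ejb-name>MyWebservice</ejb-name>
    <transport-guarantee>CONFIDENTIAL</transport-guarantee>
  </port-component>
</webservices>
"""

_EXPR = re.compile(r"\$\{([^:}]+)(?::([^}]*))?\}")


def resolve(value, props=None):
    """Expand ${name:default} expressions: the system property if set, else the default."""
    def sub(m):
        name, default = m.group(1), m.group(2)
        if props and name in props:
            return props[name]
        if default is None:
            raise ValueError("no value for %s" % name)
        return default
    return _EXPR.sub(sub, value)


def _local(tag):
    return tag.rsplit("}", 1)[-1]


def confidential_ports(config_xml, props=None):
    """Port each http-listener would redirect CONFIDENTIAL requests to, or -1 when it has no
    redirect-socket or the name matches no socket-binding (the UT010053 case)."""
    root = ET.fromstring(config_xml)
    bindings = {el.get("name"): el for el in root.iter() if _local(el.tag) == "socket-binding"}
    ports = {}
    for el in root.iter():
        if _local(el.tag) != "http-listener":
            continue
        target = el.get("redirect-socket")
        if target is None or target not in bindings:
            ports[el.get("name")] = -1
        else:
            ports[el.get("name")] = int(resolve(bindings[target].get("port"), props))
    return ports


def confidential_components(ws_xml):
    """EJB names whose port-component demands transport-guarantee CONFIDENTIAL."""
    root = ET.fromstring(ws_xml)
    names = []
    for pc in root.iter():
        if _local(pc.tag) != "port-component":
            continue
        fields = {_local(c.tag): (c.text or "").strip() for c in pc}
        if fields.get("transport-guarantee") == "CONFIDENTIAL":
            names.append(fields.get("ejb-name", "?"))
    return names


def lint(config_xml, ws_xml, props=None):
    """Findings that predict UT010053: a CONFIDENTIAL endpoint with no listener able to redirect."""
    ports = confidential_ports(config_xml, props)
    needs = confidential_components(ws_xml)
    if needs and all(p < 0 for p in ports.values()):
        return ["endpoints %s require CONFIDENTIAL but no http-listener has a usable "
                "redirect-socket (listeners: %s)" % (needs, sorted(ports))]
    return []


if __name__ == "__main__":
    print("broken:", confidential_ports(BROKEN_CONFIG), lint(BROKEN_CONFIG, WS_DESCRIPTOR))
    print("fixed: ", confidential_ports(FIXED_CONFIG), lint(FIXED_CONFIG, WS_DESCRIPTOR))
    print("fixed, -Djboss.https.port=9443:",
          confidential_ports(FIXED_CONFIG, {"jboss.https.port": "9443"}))
```

To run it against a real deployment, replace the constants with the contents of domain.xml and the deployment's jboss-webservices.xml, and pass the node's -D overrides as props. One thing worth checking once the attribute is in place: the redirect URI is built from the node's own https socket-binding (8443 here), so a client that only reaches the load balancer on 443 needs that port to be reachable or proxied as well.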
I'm configuring Keycloak as an SP which is connecting to a PingFederate IdP.
I'd like to import the IdP's certificate file into Keycloak so that the trust will succeed.
How do I import a crt file into Keycloak?
This is documented on Keycloak's site:
https://www.keycloak.org/docs/3.3/server_installation/topics/network/outgoing.html
keytool -import -alias HOSTDOMAIN -keystore truststore.jks -file host-certificate.cer
The truststore is configured within the standalone.xml, standalone-ha.xml, or domain.xml file in your distribution. The location of this file depends on your operating mode.
<spi name="truststore">
    <provider name="file" enabled="true">
        <properties>
            <property name="file" value="path to your .jks file containing public certificates"/>
            <property name="password" value="password"/>
            <property name="hostname-verification-policy" value="WILDCARD"/>
            <property name="disabled" value="false"/>
        </properties>
    </provider>
</spi>
New link: https://www.keycloak.org/server/outgoinghttp#_outgoing_https_request_truststore
Keycloak looks to be built on top of the WildFly app server, which is a Java server. Haven't tried it, but I expect you just need to use keytool and import the crt into the Java trust store:
keytool -v -import -file file.crt -alias idp -keystore <whatever keystore your Java process is using>
Keystore default location will depend on OS/java location, but once you do that and (perhaps) restart the Java process you should be good to go.
Navigate to the location of your keycloak.jks trust store (keycloak_install_dir/standalone/configuration)
Then import the .crt into that store using:
sudo keytool -v -importcert -file <your_cert>.crt -alias <whatever_alias_you_want> -keystore keycloak.jks -storepass <the_pw_for_keycloak.jks>
I configured Tomcat 7 for SSL. I generated the keystore like this:
keytool -genkey -alias tomcat -keyalg RSA
In server.xml, I have:
<Connector port="8443" protocol="org.apache.coyote.http11.Http11Protocol"
           maxThreads="150" SSLEnabled="true" scheme="https" secure="true"
           clientAuth="false" sslProtocol="TLS" keyAlias="tomcat" keystoreFile="/Users/xxxxx/.keystore" keystorePass="changeit" />
If I run Tomcat directly with $TOMCAT_HOME/bin/startup.sh and access https://localhost:8443 from Chrome, I at least get the untrusted certificate warning, etc.
However, if I start Tomcat from Eclipse, it keeps giving this error:
localhost uses an unsupported protocol.
ERR_SSL_VERSION_OR_CIPHER_MISMATCH
I even added the ciphers to the Connector, but still the same error:
<Connector port="8443" protocol="org.apache.coyote.http11.Http11Protocol"
           maxThreads="150" SSLEnabled="true" scheme="https" secure="true"
           clientAuth="false" sslProtocol="TLS" keyAlias="tim" keystoreFile="/Users/z0029mb/.keystore" keystorePass="changeit"
           ciphers="TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA256,TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA,
           TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA384,TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA,TLS_ECDHE_RSA_WITH_RC4_128_SHA,
           TLS_RSA_WITH_AES_128_CBC_SHA256,TLS_RSA_WITH_AES_128_CBC_SHA,TLS_RSA_WITH_AES_256_CBC_SHA256,
           TLS_RSA_WITH_AES_256_CBC_SHA,SSL_RSA_WITH_RC4_128_SHA"/>
JAVA_HOME is jdk1.8.0_101 for both Eclipse and Tomcat, running on OS X. So why does the Eclipse Tomcat plugin interfere with Tomcat starting up, making Tomcat behave differently?
If you use the SHA-1 hash function, you might have to re-key the certificate from your Certificate Authority (CA) to use SHA-2. This is because SHA-1 is potentially insecure.
1) Generate a CSR (Certificate Signing Request)
2) Submit CSR to your CA
3) After your CA issues the certificate files, download and install them based on your server type and CA's instructions.
I want my app to use some third-party APIs with SSL.
Step 1: I created a key in my home directory:
keytool -genkey -alias tomcat -keypass mypassword -keystore TestKeyStore.keystore -storepass mypassword -keyalg RSA -validity 360 -keysize 2048
Step 2: I added a connector in server.xml from Eclipse:
<Connector port="8443" SSLEnabled="true" maxThreads="150"
           minSpareThreads="25" maxSpareThreads="75" enableLookups="true"
           disableUploadTimeout="true" acceptCount="100" debug="0" scheme="https"
           secure="true" clientAuth="false" sslProtocol="TLS"
           keystoreFile="/media/prashant/important/.metadata/.plugins/org.eclipse.wst.server.core/tmp0/conf/TestKeyStore.keystore"
           keystorePass="mypassword" />
When I restart the project, Tomcat takes too long to start and shows nothing at the end. I also tried increasing the startup time, but that did not help. Any idea what I am missing?
Please give more information. But I would check whether you have allowed port 8443 in your firewall. To check it's allowed (if it's a Linux machine), run telnet 8443. You will connect, meaning it's allowed. Otherwise, details from the logs will help further.
I'm trying to authenticate through CAS+LDAP in a JBoss app. The config is like this:
Server 1: JBoss 6.1.0. CAS is deployed here.
Server 1: LDAP using OpenDS.
Server 2: JBoss with the app to log in to.
I've configured both JBoss instances to use SSL correctly, and CAS successfully reads and authenticates against the LDAP.
When I get to (through https) server1:8443/app/ I'm redirected to server2:8443/cas/ and the login screen is displayed. I log in with a valid user on the LDAP, but when the flow gets back to the app I'm always getting this:
javax.net.ssl.SSLHandshakeException: sun.security.validator.ValidatorException: No trusted certificate found
I've read it's a certificate problem and, as it is a dev environment, I'm trying a self-signed certificate. So I did this:
Generate the self-signed certificate on Server1 with:
keytool -genkey -alias jbosskey -keypass password -keyalg RSA -keystore server.keystore
Get the certificate of Server1 with:
keytool -export -alias jbosskey -keypass password -file server.crt -keystore server.keystore
Copy the server.crt to Server2 and import it into the JBoss truststore:
keytool -import -alias server1 -file server.crt -keystore C:\dev\jboss-6.1.0.Final\server.truststore
This still gives me the exception. So I also imported it into the JVM's cacerts:
keytool -import -alias server1 -file server.crt -keystore C:\dev\jdk160_18\jre\lib\security\cacerts
Not working, so I tried adding the certificate to the JBoss keystore on Server2:
keytool -import -alias server1 -file server.crt -keystore C:\dev\jboss-6.1.0.Final\keystore.jks
The Server1 JBoss server.xml:
<Connector protocol="HTTP/1.1" SSLEnabled="true"
           port="${jboss.web.https.port}" address="${jboss.bind.address}"
           scheme="https" secure="true" clientAuth="false"
           keystoreFile="${jboss.server.home.dir}/conf/server.keystore"
           keystorePass="password" sslProtocol="TLS"
/>
The Server2 JBoss server.xml:
<Connector protocol="HTTP/1.1" SSLEnabled="true"
           port="8443" address="${jboss.bind.address}"
           scheme="https" secure="true" clientAuth="false"
           keystoreFile="C:\dev\jboss-6.1.0.Final\keystore.jks"
           keystorePass="password"
           truststoreFile="C:\dev\jboss-6.1.0.Final\server.truststore"
           truststorePass="password"
           sslProtocol="TLS" />
I've been stuck on this for a couple of days and don't know if I'm missing something. Did I miss something important with keytool?
Thanks in advance.
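Both the Keycloak thread (keytool -import into truststore.jks / keycloak.jks) and this one (the same certificate imported into three different stores) come down to the same check: is the exported DER certificate actually present, under which alias, in the store the JVM is really reading? The following Python script is an added example, not code from any of the posts, Keycloak or JBoss. It reads the JKS format that keytool writes (the layout of sun.security.provider.JavaKeyStore: magic 0xFEEDFEED, version, entry count, entries, then a SHA-1 integrity digest keyed on the store password and the string "Mighty Aphrodite"), lists every entry with the same SHA-256 fingerprint that keytool -list -v prints, and verifies the digest when a password is given. Trusted certificates are stored in the clear, so listing needs no password. SAMPLE_DER is a constructed byte string standing in for a certificate, not real X.509 data, and build_jks exists only to construct the sample store offline; PKCS12 stores (the keytool default for new stores on newer JDKs) are not handled.

```python
import hashlib
import io
import struct

JKS_MAGIC = 0xFEEDFEED
PRIVATE_KEY_ENTRY, TRUSTED_CERT_ENTRY = 1, 2

# Constructed stand-in for a DER certificate (a few ASN.1 bytes, not a real X.509 cert):
# this reader only hashes the blob, exactly as keytool -list does for its fingerprint.
SAMPLE_DER = b"\x30\x03\x02\x01\x05"


def fingerprint(der):
    """SHA-256 fingerprint in the colon form keytool -list -v prints."""
    h = hashlib.sha256(der).hexdigest().upper()
    return ":".join(h[i:i + 2] for i in range(0, len(h), 2))


def _prekeyed_sha1(password):
    # JavaKeyStore integrity hash: SHA-1 over the password as UTF-16BE chars,
    # the literal "Mighty Aphrodite", then the whole store body.
    h = hashlib.sha1()
    h.update(password.encode("utf-16-be"))
    h.update(b"Mighty Aphrodite")
    return h


def _put_utf(buf, s):
    data = s.encode("utf-8")  # identical to Java modified UTF-8 for ASCII aliases
    buf.write(struct.pack(">H", len(data)))
    buf.write(data)


def _get_utf(data, pos):
    (n,) = struct.unpack_from(">H", data, pos)
    return data[pos + 2:pos + 2 + n].decode("utf-8"), pos + 2 + n


def build_jks(password, trusted_certs, timestamp_ms=0):
    """Serialise {alias: der} as a version-2 JKS holding only trustedCertEntry records,
    which is what keytool -import of a .crt produces. Sample generator for this example."""
    buf = io.BytesIO()
    buf.write(struct.pack(">III", JKS_MAGIC, 2, len(trusted_certs)))
    for alias, der in trusted_certs.items():
        buf.write(struct.pack(">I", TRUSTED_CERT_ENTRY))
        _put_utf(buf, alias.lower())  # keytool lower-cases aliases
        buf.write(struct.pack(">q", timestamp_ms))
        _put_utf(buf, "X.509")
        buf.write(struct.pack(">I", len(der)))
        buf.write(der)
    body = buf.getvalue()
    h = _prekeyed_sha1(password)
    h.update(body)
    return body + h.digest()


def _get_cert(data, pos, version):
    if version == 2:
        _, pos = _get_utf(data, pos)  # certificate type ("X.509"); absent in version 1
    (n,) = struct.unpack_from(">I", data, pos)
    return data[pos + 4:pos + 4 + n], pos + 4 + n


def read_jks(data, password=None):
    """{alias: {"type": ..., "sha256"/"chain": ...}} for every entry. With a password the
    trailing digest is verified, so a wrong password or a tampered store raises ValueError."""
    magic, version, count = struct.unpack_from(">III", data, 0)
    if magic != JKS_MAGIC:
        raise ValueError("not a JKS store (magic 0x%08X); PKCS12 is not handled here" % magic)
    if version not in (1, 2):
        raise ValueError("unsupported JKS version %d" % version)
    pos, entries = 12, {}
    for _ in range(count):
        (tag,) = struct.unpack_from(">I", data, pos)
        alias, pos = _get_utf(data, pos + 4)
        pos += 8  # creation timestamp, ignored
        if tag == PRIVATE_KEY_ENTRY:
            (klen,) = struct.unpack_from(">I", data, pos)
            pos += 4 + klen  # encrypted private key blob, skipped
            (nchain,) = struct.unpack_from(">I", data, pos)
            pos += 4
            chain = []
            for _ in range(nchain):
                cert, pos = _get_cert(data, pos, version)
                chain.append(fingerprint(cert))
            entries[alias] = {"type": "PrivateKeyEntry", "chain": chain}
        elif tag == TRUSTED_CERT_ENTRY:
            cert, pos = _get_cert(data, pos, version)
            entries[alias] = {"type": "trustedCertEntry", "sha256": fingerprint(cert)}
        else:
            raise ValueError("unknown entry tag %d at offset %d" % (tag, pos - 4))
    if password is not None:
        h = _prekeyed_sha1(password)
        h.update(data[:pos])
        if h.digest() != data[pos:pos + 20]:
            raise ValueError("integrity check failed: wrong store password or corrupted store")
    return entries


def alias_of(store, der):
    """Alias under which this DER certificate is trusted, or None if it was never imported."""
    want = fingerprint(der)
    for alias, entry in read_jks(store).items():
        if entry.get("sha256") == want:
            return alias
    return None


if __name__ == "__main__":
    import sys
    if len(sys.argv) > 1:  # real use: python jkslist.py server.truststore [storepass]
        with open(sys.argv[1], "rb") as f:
            store = f.read()
        pw = sys.argv[2] if len(sys.argv) > 2 else None
    else:  # offline demo on the constructed store
        store, pw = build_jks("changeit", {"server1": SAMPLE_DER}), "changeit"
    for alias, entry in read_jks(store, pw).items():
        print(alias, entry)
```

keytool -export without -rfc writes DER, so alias_of(open("server.truststore", "rb").read(), open("server.crt", "rb").read()) answers directly whether the file that was imported is the one the store holds, and running read_jks over each candidate store (the JBoss truststore, the JVM's cacerts, and any keystore a connector's truststoreFile points at) shows which of them the import actually reached; the fingerprint can then be compared with what the peer presents.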