Serving a keystore (p12) for spring cloud config server - spring-cloud

I would like to know if there is any way to serve a keystore file (p12) from config server and use it in "server.ssl" config entry.

Related

Quarkus - Use Postman to query resources which are secured by TLS/SSL

I followed the following example https://quarkus.io/blog/quarkus-mutual-tls/
In this example two quarkus applications are created, a "server" and a "client". Additionally two java keystores are created, each for one of them.
On the server the server.keystore is used to enable SSL. The resources are reachable via https on the set port.
Now I want to use Postman to query these resources. I know that I can add client certificates to Postman. For that I need a crt and key file or a pfx file, which is a container like Java keystores if I am right. I used KeyStore Explorer (GUI tool) to export the crt and key file from the server.keystore and added them as a client certificate in Postman.
But every request I do with postman fails with "Error: error:1e000065:Cipher functions:OPENSSL_internal:BAD_DECRYPT".
Any help or advice?

How can I access a signer certificate from a java app in Websphere in order to load TrustMaterial into an SSLContext?

I want to create an HttpClient with a TrustStore that includes our signer certificate from the WebSphere NodeDefaultTrustStore.
To do that I have to either:
get the certificate and create a TrustStore to load into a custom SSLContext using the TLSv1.2 protocol
get an SSLContext from WebSphere that already incorporates such a TrustStore and protocol.
I have not been able to find a way to achieve either.
I know the disk address of the certificate stored by WebSphere, but it is stored as a .p12 file, and if I create the SSLContext in java, I need a .jks file.
I can import the .cer file into a .jks file and load it from disk from within the java code, but we already have the certificate loaded in WebSphere and would prefer to use that one.
Wondering if JSSEHelper.getSSLContext() works...
https://www.ibm.com/support/knowledgecenter/SSCKBL_8.5.5/com.ibm.websphere.javadoc.doc/web/apidocs/com/ibm/websphere/ssl/JSSEHelper.html#getSSLContext(java.util.Map,%20java.util.Properties)

Setting up Spring Cloud Config Server with Git & Vault back-end for clients that don't send X-Config-Token header

I understand the setup for Spring Cloud Config Server with both Git & Vault backends. That is straightforward and works fine.
In our organization our Spring Cloud Config Server has clients that do not have anything stored in Vault. It seems though that Config Server still requires the X-Config-Token header from ALL clients, even if that client doesn't need anything from Vault.
Is there some option/setting somewhere where if Config Server doesn't see the X-Config-Token header then it just ignores the Vault backend for that request?

Mutual Auth in JBoss vs WebSphere

I'm working on JBoss 5 and WAS 7.
I was able to run my application via Mutual Authentication on JBoss following this doc:
https://community.jboss.org/wiki/SSLSetup/
Following the above doc I created server.keystore and server.truststore files that I injected into the JBoss server and everything works fine.
Now, I want to run the same application via Mutual Auth on WAS.
On WAS, the trust store and keystore are specified by navigating to
Security > SSL certificate and key management > SSL configurations > New > Key stores and certificates
But there I don't see any type related to .keystore and .truststore. (snap below)
My question - what is the equivalent of .keystore and .truststore that can be used in WAS OR what's the way to set up a Browser based Mutual Authentication on a WAS server.
I'm using WAS 7.0.0.21.
Keystores and truststores are the same format in WebSphere. You choose the file format, but any of those formats can be used for either store.
You then point a configuration at specific files.
Security > SSL certificate and key management > Manage endpoint security configurations
Alternatively, what has been simpler for us is to use the existing default stores WebSphere already has and add our certificates to those.
Security > SSL certificate and key management > Key stores and certificates > CellDefaultKeyStore
Or CellDefaultTrustStore or NodeDefaultKeyStore, etc.
The link helped me set up SSL on WAS. I just had to add a couple of steps to enable it for browser-based Mutual Authentication.
Since I had to do a POC, I'm using self-signed certificates.
In an ideal scenario, certificates will be signed by a Certificate Authority and the Certificate Authority's certificate will be imported into the trust store of the WAS server.
Here are the steps:
1. Change the password for Default KeyStore and Default TrustStore in WAS.
2. Create a Client Certificate in WAS.
3. Create a Server Certificate in WAS.
4. Export the Client Certificate in PKCS format, e.g. client.p12.
5. Export the Server Certificate in PKCS format, e.g. server.p12.
6. Import the Client Certificate to Default TrustStore.
7. Import the Server Certificate to Default TrustStore.
8. Enable SSL on WAS.
   i. Make sure to select the server certificate for both the Default server certificate alias and the Default client certificate alias.
   ii. In the Quality of protection (QoP) settings, set Client Authentication to Required.
9. Create a Web Container Transport Chain with a new SSL port, e.g. 9444.
10. Add the newly created SSL port to the virtual host.
11. Restart the server.
12. Import the Client Certificate created in Step 4 (client.p12) into the browser.
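As an added example that is not part of either post, the following Java client loads the exported client.p12 and a PKCS12 trust store directly into a TLSv1.2 SSLContext (no conversion to .jks is needed, which also answers the WebSphere trust-material question above) and calls the mutual-auth SSL port 9444 from the steps. File names, passwords and the URL are placeholders to replace with your own.

```java
import java.io.FileInputStream;
import java.io.InputStream;
import java.net.URL;
import java.security.KeyStore;
import javax.net.ssl.HttpsURLConnection;
import javax.net.ssl.KeyManagerFactory;
import javax.net.ssl.SSLContext;
import javax.net.ssl.TrustManagerFactory;

public class MutualTlsClient {

    // Reads a PKCS#12 container as-is; the JDK KeyStore API supports it without converting to JKS.
    static KeyStore loadPkcs12(String path, char[] password) throws Exception {
        KeyStore ks = KeyStore.getInstance("PKCS12");
        try (InputStream in = new FileInputStream(path)) {
            ks.load(in, password);
        }
        return ks;
    }

    // Builds a TLSv1.2 context that presents the client certificate from clientP12
    // and trusts only the certificates in trustP12 (the server cert exported from WAS, or its CA).
    static SSLContext buildContext(String clientP12, char[] clientPw,
                                   String trustP12, char[] trustPw) throws Exception {
        KeyManagerFactory kmf = KeyManagerFactory.getInstance(KeyManagerFactory.getDefaultAlgorithm());
        kmf.init(loadPkcs12(clientP12, clientPw), clientPw);

        TrustManagerFactory tmf = TrustManagerFactory.getInstance(TrustManagerFactory.getDefaultAlgorithm());
        tmf.init(loadPkcs12(trustP12, trustPw));

        SSLContext ctx = SSLContext.getInstance("TLSv1.2");
        ctx.init(kmf.getKeyManagers(), tmf.getTrustManagers(), null);
        return ctx;
    }

    public static void main(String[] args) throws Exception {
        // Placeholder file names and passwords (assumed): use the files exported in steps 4 and 7.
        SSLContext ctx = buildContext("client.p12", "changeit".toCharArray(),
                                      "truststore.p12", "changeit".toCharArray());
        // Placeholder host; 9444 is the mutual-auth port created in the transport chain step.
        URL url = new URL("https://localhost:9444/");
        HttpsURLConnection conn = (HttpsURLConnection) url.openConnection();
        conn.setSSLSocketFactory(ctx.getSocketFactory());
        // Default hostname verification stays enabled; the trust store decides which server is accepted.
        System.out.println("HTTP status: " + conn.getResponseCode());
        System.out.println("Negotiated cipher suite: " + conn.getCipherSuite());
    }
}
```

If the server has Client Authentication set to Required and the handshake fails, the usual causes are the client certificate (or its CA) missing from the WAS Default TrustStore, or the wrong alias selected for the default client certificate.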

How to load another's service certificate to my WebLogic truststore?

An online service provided me with their certificate (a pfx file) along with its password.
I am looking to load that into my WebLogic 8.1 truststore in Unix.
There is a truststore currently that exists in my WebLogic.
I am new to this so I was wondering what was the process to add that other party's certificate to my existing WebLogic keystore.
Do I need to convert the pfx file into a different format for Unix?
You could try the open-source GUI keytool replacement Portecle.
http://freshmeat.net/projects/portecle/
I did something similar: import a self-signed certificate into a custom keystore on 9.x.