I want to run some tests against an internal (with an internally minted cert) web service using SoapUI. I am not sure I fully grasp the SSL handshake stuff. But I exported the cert for the endpoint to a .cer file, then fired up java keytool with this command:
keytool -import -alias ca -file myservice.cer -keystore cacerts –storepass changeit
Which I got from another SO question. Then I added this truststore file (cacerts) to the project properties in SoapUI. But when I try to add a WSDL to the project, I still get the same error as before:
Error loading [https://myservice?wsdl]: org.apache.xmlbeans.XmlException: javax.net.ssl.SSLHandshakeException: sun.security.validator.ValidatorException: PKIX path building failed: sun.security.provider.certpath.SunCertPathBuilderException: unable to find valid certification path to requested target
Am I completely off base? Do I add all the certs in the chain to the truststore? I wasn't able to do that, it told me that the alias was already in use? Or should I just get a cert minted from an outside trusted authority?
The SOAP UI raise the exception because your certificate not properly installed in SOAP UI trust store.
To resolve the above exception follow the below steps.
Export the certificate from the key store or browser (which contain the public key)
Go to the SOAPUI installed directory and locate following directory \SmartBear\soapUI- 4.0.1\jre\lib\security
Import the certificate in to cacerts trust store (Which is the default trust store)
Restart the SOAP UI and load the WSDL...
To understand more about SSL ... follow the below link ...JSSE documentation
Related
I have a package that I signed with my own certificate, issued by my own CA.
I signed a nuget package with the certificate.
When I add the root CA in the trust store of the machine, I can verify the signature successfully with nuget, using
nuget verify test.nupkg -Signatures
But, if I remove the root from the trust store, and instead, I add the thumbprint of my certificate as a trusted signers, in nuget, setting allowUntrustedRoot to true, I cannot verify the signature, for some reason.
> nuget trusted-signers
Registered trusted signers:
1. MyCert [author]
Certificate fingerprint(s):
[U] SHA256 - 39544DEE346D61EB2FF5CF4A35EF4B42DE5B4641E1B9AAA098A2A5291F683631
But
> nuget verify test.nupkg -Signatures
Verifying Test
C:\test.nupkg
Signature Hash Algorithm: SHA256
WARNING: NU3027: The signature should be timestamped to enable long-term signature validity after the certificate has expired.
Signature type: Author
Verifying the author primary signature with certificate:
Subject Name: CN=Test Certificate, OU=Test, C=BE
SHA1 hash: 679B1E503720C69D981B9CC4F0199D5D8593375A
SHA256 hash: 39544DEE346D61EB2FF5CF4A35EF4B42DE5B4641E1B9AAA098A2A5291F683631
Issued by: CN=Test Root, OU=Test, O=Test, C=BE
Valid from: 10/31/2019 10:29:54 AM to 9/24/2023 11:37:39 AM
NU3018: The author primary signature found a chain building issue: A certificate chain processed, but terminated in a root certificate which is not trusted by the trust provider.
WARNING: NU3018: The author primary signature found a chain building issue: The revocation function was unable to check revocation because the revocation server could not be reached. For more information, visit https://aka.ms/certificateRevocationMode.
WARNING: NU3018: The author primary signature found a chain building issue: The revocation function was unable to check revocation for the certificate.
Finished with 1 errors and 3 warnings.
Package signature validation failed.
What's the point of adding a trusted signer and setting allowUntrustedRoot to true if the signature is not verify. I mean, it's apparently enough to add the root certificate to the trust store for the signature to be verified, without doing anything with the configuration.
I would like, if possible, to be able to not import the root CA in the trust store, and only use the configuration of Nuget to verify successfully the signature.
Thanks.
Our belief is that if you tried to use that package in a project with those trust policy settings appropriately in nuget.configs, restore will succeed.
Please confirm that.
Next, nuget verify has a -config switch -- please try passing in the path to your nuget.config.
If the first test works, and the second test doesn't, nuget may have a bug in the verify command. If so, please file an issue at https://github.com/nuget/home/issues/
-Rob Relyea (NuGet Client Team)
I'm using the JavaLite implementation and everything works fine when requesting HTTP services but when trying to get data from the HTTPS version of the service I get the HttpException "Failed URL".
Here's my code:
Get get = Http.get(url + "/eds/api/v1/certificados");
get.header("Authorization", "Basic " + Credentials);
get.header("APIKey", APIKey);
get.header("Accept", "application/json");
System.out.println(get.text());
Also tried with
String test = Http.get(url + "/eds/api/v1/certificados").header("Authorization", "Basic " + Credentials).header("APIKey", APIKey).header("Accept", "application/json").text();
Both of them behave the same way, if the URL is HTTP I can get the data, if the URL is HTTPS catch "Failed URL". I've tested the REST service with SOAPui and the HTTPS server works fine.
Any suggestion what I'm missing when trying to send a GET on HTTPS with headers?
I was going to suggest that the site's digital certificate was not signed by a Certificate Authority that is contained in the Java JRE certificate store.
Here is what you can do:
Use the browser and explore the certificate of the site, including a certificate chain, all the way to the root Certificate Authority
Explore what CA certs are installed locally.
The file for Java is:
$JAVA_HOME/jre/lib/security/cacerts
you need to run this command:
keytool -list -keystore cacerts
When prompted for password, just press Enter.
If you do not see a certificate of a CA that was used to sign a certificate of your site, than you will have this error.
How to fix:
Use a well known CA to get a certificate for your site and ensure it is already present in your Java cert database.
or:
Get the certificate from the site using a browser, and import it into your local Java database with command:
keytool -importcert ...
For more information on the keytool program:
keytool --help
I am trying to send a SOAP request(signed) using HTTP Request Sampler along with SOAP Message Signer plugin. Request works fine with SOAPUI. It seems to fail through JMeter if i use same parameters(for SOAP Message Signer).
As a part of SOAP Request, Header needs to be signed. I am getting the below error while Signing. Could anyone please let me know the reason for failure?
n.c.b.j.m.AbstractWSSecurityPreProcessor: Building WSS header
o.a.w.d.m.WSSecSignature: Beginning signing... ERROR
n.c.b.j.m.AbstractWSSecurityPreProcessor:
org.apache.wss4j.common.ext.WSSecurityException: No certificates for
user "cert_alias" were found for signature
Did you add in jmeter keystore the certificate under alias cert_alias?
That's what message is saying:
No certificates for user "cert_alias" were found for signature
Keystore is located in jmeter/bin folder
You may want to try this plugin:
https://github.com/tilln/jmeter-wssecurity/blob/master/README.md
Finally i was able to send a successful request using the plugin.
I was using the Signed Header as a part of SOAP request.
Plugin Config:
Keystore File : Path to .jks file
Keystore Password : password
Cert Alias - cert_alias
Cert Password - cert password
After removing the Signed Header from the SOAP request, it worked. Thanks you.
If your SOAP endpoint expects the message to be encrypted with a client-side certificate you can configure JMeter to use it by adding the next lines to system.properties file:
javax.net.ssl.keyStoreType=pkcs12 or jks
javax.net.ssl.keyStore=/path/to/your/jsk keystore or .p12 certificate
javax.net.ssl.keyStorePassword=your certificate or keystore password
JMeter restart will be required to pick the properties up.
You can also pass them via -D command line argument like:
jmeter -Djavax.net.ssl.keyStoreType=pkcs12 -Djavax.net.ssl.keyStore=your-certificate.p12 -Djavax.net.ssl.keyStorePassword=secret
More information:
Customizing the Default Key and Trust Stores, Store Types, and Store Passwords
How to Set Your JMeter Load Test to Use Client Side Certificates
We are getting an error "Unable to connect to GitHub API: org.kohsuke.github.HttpException: Server returned HTTP response code: -1, message: 'null' for URL: https://github.xxx.com/api/v3/user" when trying to use github pull request builder in jenkins
You may need to add your Certificate Authority cert to the java keytool.
If you look in your jenkins log and find something like this:
org.kohsuke.github.HttpException: Server returned HTTP response code: -1, message: 'null' for URL: https://github.xxx.com/api/v3/user
Scroll down and see if there is a line like this:
Caused by: javax.net.ssl.SSLHandshakeException: sun.security.validator.ValidatorException: PKIX path building failed: sun.security.provider.certpath.SunCertPathBuilderException: unable to find valid certification path to requested target
This error is saying that the SSL handshake failed with something about the PKIX path/certpath. Try adding your CA Cert to the keytool and restarting Jenkins to see if that helps.
Here's the post that helped me modify the java certs with the keytool. (the default keytool password is "changeit")
You can also try installing the skip certificate check plugin, in plugin manager.
it seems your java cacerts is not having correct certificate for your git URL. you may try following steps.
Step 1 : Get root certificate of https://www.google.com
Open https://www.google.com in a chrome browser.
Select Inspect from context menu(right clicking on page) and navigate to security tab
Click on view certificates
Click on top most certificate on hierarchy and confirm it is tailed with Root CA phrase.
drag and drop that image which you saw written certificate on desktop.
Thats it! you got your root certificate!
Step 2 : install certificate to your java cacerts
please verify you have system variable JAVA_HOME declared and you will perform these steps on that jre cacerts only!
Navigate to cacerts by JAVA_HOME/jre/lib/security/cacerts
Download and install keytool explorer it is available for all platforms
open cacerts in that tool and import cetificate by "import trusted certificate" button.
Save your changes (you may come across issue if it is mac and you do not have write access!)
Step 3 : Restart jenkins
You should not get ssl handshake problem now onwards.
My Need is to accept the SSL certificate enabled on REST Webservice URL ( https:/:/dctm-rest) from standalone Java application(which will be bundled as JAR).
To my knowledge best way is to create KeyStore/TrustStore using Keytool, download the certificate from browser/openssl and add it to TrustStore.With this we are creating a dependency and someone has to keep on updating the certificate for every renewal.
Can someone guide me to get this implemented by removing the manual dependency?
You have to include the server certificate at https://dctm-rest into the whitelist of your JRE (the truststore)
Options
1) Include the server certificate in JRE trustore (jre/lib/security/cacerts) (Not recommended)
To download the server certificate, open site with browser, right-click on green lock, select 'view certificate' and download
The simplest way to explore cacerts and import trusted certificate is to use a GUI tool like portecle (http://portecle.sourceforge.net/). You can also use keytool
keytool -import -trustcacerts -keystore /opt/java/jre/lib/security/cacerts -alias mycert -noprompt -storepass changeit -file /tmp/examplecert.crt
See How to properly import a selfsigned certificate into Java keystore that is available to all Java applications by default?
2) Use your own truststore and include the server certificate (recommended)
System.setProperty ("javax.net.ssl.trustStore", path_to_your_trustore_jks_file);
System.setProperty ("javax.net.ssl.trustStorePassword", "password");
You can also create an SSLSocketFactory and add to your connection before connecting or apply to all connections using the static method
HttpsURLConnection.setDefaultSSLSocketFactory(sslFactory);
This is an example to create the socket factory
//Load JKS keystore that includes the server certificate or the root
KeyStore keyStore = ...
TrustManagerFactory tmf = TrustManagerFactory.getInstance(TrustManagerFactory.getDefaultAlgorithm());
tmf.init(keyStore);
SSLContext ctx = SSLContext.getInstance("TLS");
ctx.init(null, tmf.getTrustManagers(), null);
sslFactory = ctx.getSocketFactory();
3) Do not use truststore at all (Not recommended at all)
See Disable SSLHandshakeException for a single connection (I will not copy the solution)