I'm trying to authenticate through CAS+LDAP in a Jboss app. The config is like this:
Server 1: Jboss 6.10. Cas is deployed here.
Server 1: LDAP using OpenDS.
Server 2: Jboss whith the app to login into.
I've configured both jboss to use SSL correctly and the CAS succesfyuly reads and authenticates against the LDAP.
When I get to (through https) server1:8443/app/ i'm redirected to server2:8443/cas/ and the login screen is displayed. I login with a valid user on the LDAP but when the flow gets back to the app i'm always getting this:
javax.net.ssl.SSLHandshakeException: sun.security.validator.ValidatorException: No trusted certificate found
I've read its a certificate problem and, as it is a dev enviroment i'm trying the self-signed certificate. So I did this:
Gen the self signed in Server1 with
keytool -genkey -alias jbosskey -keypass password -keyalg RSA -keystore server.keystore
Get the certificate of the Server1 with:
keytool -export -alias jbosskey -keypass password -file server.crt -keystore server.keystore
Copy the server.crt to Server2 and import it to the truststore of Jboss.
keytool -import -alias server1 -file server.crt -keystore C:\dev\jboss-6.1.0.Final\server.truststore
This gets me the eception. So I also imported to the cacerts of the JVM.
keytool -import -alias server1 -file server.crt -keystore C:\dev\jdk160_18\jre\lib\security\cacerts
Not working, so I tried to add the certificate to the keystore of the Jboss at Server2.
keytool -import -alias server1 -file server.crt -keystore C:\dev\jboss-6.1.0.Final\keystore.jks
The Server1 Jboss server.xml
<Connector protocol="HTTP/1.1" SSLEnabled="true"
port="${jboss.web.https.port}" address="${jboss.bind.address}"
scheme="https" secure="true" clientAuth="false"
keystoreFile="${jboss.server.home.dir}/conf/server.keystore"
keystorePass="password" sslProtocol = "TLS"
/>
The Server2 Jboss server.xml
<Connector protocol="HTTP/1.1" SSLEnabled="true"
port="8443" address="${jboss.bind.address}"
scheme="https" secure="true" clientAuth="false"
keystoreFile="C:\dev\jboss-6.1.0.Final\keystore.jks"
keystorePass="password"
truststoreFile="C:\dev\jboss-6.1.0.Final\server.truststore"
truststorePass="password"
sslProtocol = "TLS" />
I've been stuck on this for a couple of days and don't know if i'm missing something. Did I missed something important with the keytool?
Thanks in advance.
Related
I'm configuring keycloak as an SP which is connecting to a PingFederate IDP.
I'd like to import the IDP's certificate file into keycloack so that the trust will succeed.
How do I import a crt file into keycloak?
This has been documented in the keycloak's site.
https://www.keycloak.org/docs/3.3/server_installation/topics/network/outgoing.html
keytool -import -alias HOSTDOMAIN -keystore truststore.jks -file host-certificate.cer
The truststore is configured within the standalone.xml, standalone-ha.xml, or domain.xml file in your distribution. The location of this file depends on your operating mode.
<spi name="truststore">
<provider name="file" enabled="true">
<properties>
<property name="file" value="path to your .jks file containing public certificates"/>
<property name="password" value="password"/>
<property name="hostname-verification-policy" value="WILDCARD"/>
<property name="disabled" value="false"/>
</properties>
</provider>
</spi>
New link: https://www.keycloak.org/server/outgoinghttp#_outgoing_https_request_truststore
Keycloak looks to be built on top of the WildFly app server, which is a Java server. Haven't tried it, but I expect you just need to use keytool and import the crt into the Java trust store:
keytool -v -import -file file.crt -alias idp -keystore <whatever keystore your Java process is using>
Keystore default location will depend on OS/java location, but once you do that and (perhaps) restart the Java process you should be good to go.
Navigate to the location of your keycloak.jks trust store (keycloak_install_dir/standalone/configuration)
Then import the .crt into that store using:
sudo keytool -v -importcert -file <your_cert>.crt -alias <whatever_alias_you_want> -keystore keycloak.jks -storepass <the_pw_for_keycloak.jks>
I have a keystore, which contains only 1 keypair (foo). From that keypair, I generated a csr, which was signed by a CA using the certificate bar (bar is the issuer of foo). The issue I have is that I'm unable to import back the certificate foo in my keystore with this command
keytool -importcert -alias foo -file foo.p7b keypass 123456 -keystore keystore.jks -storepass 123456
It failed with the error
Failed to establish chain from reply.
If add the public certificate bar in my keystore, then it is working fine.
Therefore, one will simply think that I absolutely need to insert the public certificate bar in my keystore, but what is bugging me here is that if I use KeyStore Explorer to import the certificate foo in my keystore (which is only containing the keypair foo), then it is working fine. In other word, I able to import the certificate with KeyStore Explorer ("Import CA reply"), but not keytool.
Is anyone have an idea what I'm doing wrong ?
I'm using Jboss application server, i wanted to secure the management interface so i did the following
Creating a keystore with the keytool:
keytool -genkeypair -alias serverkey -keyalg RSA -keysize 2048 -validity 7360 -keystore server.keystore -keypass mypassword -storepass mypassword -dname "cn=Server Administrator,o=Acme,c=GB"
In standalone
<security-realm name="ManagementRealm">
....
<server-identities>
<ssl>
<keystore path="server.keystore" relative-to="jboss.server.config.dir" keystore-password="mypassword" alias="serverkey"/>
</ssl>
</server-identities>
</security-realm>
Also :
<management-interfaces>
<http-interface security-realm="ManagementRealm" http-upgrade-enabled="true">
<socket-binding https="management-https"/>
</http-interface>
</management-interfaces>
And :
<socket-binding name="management-https" interface="management" port="${jboss.management.https.port:9993}"/>
Now i have to to type https://ip#:9993 to access to the management interface so how can i have automatic redirect from http to https (without adding https to the ip#)
Thanks !
You can just access IP:9443. It will automatically redirect to https.
I configured Tomcat 7 for SSL. I generate the keystore like this
keytool -genkey -alias tomcat -keyalg RSA
in the server.xml, i have
<Connector port="8443" protocol="org.apache.coyote.http11.Http11Protocol"
maxThreads="150" SSLEnabled="true" scheme="https" secure="true"
clientAuth="false" sslProtocol="TLS" keyAlias="tomcat" keystoreFile="/Users/xxxxx/.keystore" keystorePass="changeit" />
If I run tomcat directly, $TOMCAT_HOME/bin/startup.sh, when I access https://localhost:8443 from Chrome, at least i got the warning of untrusted certificate, etc...
However, if I start Tomcat from Eclipse, it keep getting this error
localhost uses an unsupported protocol.
ERR_SSL_VERSION_OR_CIPHER_MISMATCH
I even added the ciphers to the Connector, but still same error
<Connector port="8443" protocol="org.apache.coyote.http11.Http11Protocol"
maxThreads="150" SSLEnabled="true" scheme="https" secure="true"
clientAuth="false" sslProtocol="TLS" keyAlias="tim" keystoreFile="/Users/z0029mb/.keystore" keystorePass="changeit"
ciphers="TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA256,TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA,
TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA384,TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA,TLS_ECDHE_RSA_WITH_RC4_128_SHA,
TLS_RSA_WITH_AES_128_CBC_SHA256,TLS_RSA_WITH_AES_128_CBC_SHA,TLS_RSA_WITH_AES_256_CBC_SHA256,
TLS_RSA_WITH_AES_256_CBC_SHA,SSL_RSA_WITH_RC4_128_SHA"/>
JAVA_HOME is jdk1.8.0_101, for both Eclipse and Tomcat, running on OS X. So why does Eclipse Tomcat plugin interfere anything with Tomcat starting up that make Tomcat behave differently?
If you use SHA-1 hash function, you might have to re-key the certificate from your Certificate Authority (CA) to use SHA-2. This is because SHA-1 is potentially unsecure.
1) Generate a CSR (Certificate Signing Request)
2) Submit CSR to your CA
3) After your CA issues the certificate files, download and install them based on your server type and CA's instructions.
I want that my app should use some third party APIs with ssl .
Step 1 : I created key at my home directory keytool -genkey -alias tomcat -keypass mypassword -keystore TestKeyStore.keystore -storepass mypassword -keyalg RSA -validity 360 -keysize 2048
Step 2 :I added connector in server.xml from eclipse
<Connector port="8443" SSLEnabled="true" maxThreads="150"
minSpareThreads="25" maxSpareThreads="75" enableLookups="true"
disableUploadTimeout="true" acceptCount="100" debug="0" scheme="https"
secure="true" clientAuth="false" sslProtocol="TLS"
keystoreFile="/media/prashant/important/.metadata/.plugins/org.eclipse.wst.server.core/tmp0/conf/TestKeyStore.keystore"
keystorePass="mypassword" />
When I restart project tomcat Is taking to long time to start and it show nothing at the end . I tried to increase startup time also still not help me. Any idea what I am missing?
Please give more information. But i would check if you have allowed port 8443 in your firewall. To check its allowed, (if its a Linux machine) run telnet 8443. You will connect, meaning its allowed. Otherwise, details from logs will help further