An online service provided me with their certificate (a pfx file) along with its password.
I am looking to load that into my WebLogic 8.1 truststore in Unix.
There is a truststore currently that exists in my WebLogic.
I am new to this so I was wondering what was the process to add that other party's certificate to my existing WebLogic keystore.
Do I need to convert the pfx file into a different format for Unix?
You could try the opensource GUI keytool replacement Portecle.
http://freshmeat.net/projects/portecle/
I did something similar--import a self-signed certificate into custom keystore on 9.x.
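The same import done from the command line, as an added example that is not part of the thread above. It extracts only the certificate from the .pfx (the private key in the bundle has no business in a truststore), imports it with the old keytool verbs (-import, -export, -rfc, -storetype JKS, all present in the JDK 1.4 keytool behind WebLogic 8.1, so -importkeystore from JDK 6 is not needed), and then reads the entry back out to confirm by SHA-256 fingerprint that the truststore holds exactly the certificate the other party sent. File names, the alias and the passwords are assumptions for the example.

```shell
#!/bin/sh
# Added example (not from the original thread): certificate from a PKCS#12
# (.pfx) bundle into a JKS truststore, with a fingerprint round-trip check.
# Assumed names: partner.pfx / partner.pem / truststore.jks, alias "partner".
set -u

# 1. Pull the end-entity certificate out of the .pfx as a clean PEM file.
#    -clcerts -nokeys drops the private key; the second openssl x509 pass
#    strips the "Bag Attributes" preamble that pkcs12 prints before the PEM.
pfx_to_cert_pem() {
    pfx=$1; pfxpass=$2; out=$3
    openssl pkcs12 -in "$pfx" -passin "pass:$pfxpass" -clcerts -nokeys \
      | openssl x509 -out "$out"
}

# 2. Import the PEM certificate as a trusted entry. Creates the JKS file if
#    it does not exist yet, otherwise adds the entry to the existing store.
import_into_truststore() {
    pem=$1; ts=$2; tspass=$3; alias=$4
    keytool -import -noprompt -alias "$alias" -file "$pem" \
        -keystore "$ts" -storetype JKS -storepass "$tspass" >/dev/null
}

# SHA-256 fingerprint of a PEM certificate, read from file $1 or from stdin.
cert_fingerprint() {
    if [ $# -gt 0 ]; then
        openssl x509 -in "$1" -noout -fingerprint -sha256
    else
        openssl x509 -noout -fingerprint -sha256
    fi | sed 's/^.*=//'
}

# 3. Check: export the entry back out of the truststore in PEM form and
#    fingerprint it. openssl ignores any keytool warning text around the PEM.
truststore_entry_fingerprint() {
    ts=$1; tspass=$2; alias=$3
    keytool -export -rfc -alias "$alias" -keystore "$ts" -storepass "$tspass" \
      | cert_fingerprint
}

# 0 when the truststore entry is byte-for-byte the certificate from the .pfx.
verify_truststore_entry() {
    pem=$1; ts=$2; tspass=$3; alias=$4
    [ "$(cert_fingerprint "$pem")" = "$(truststore_entry_fingerprint "$ts" "$tspass" "$alias")" ]
}

# Whole flow (assumed file names):
#   pfx_to_cert_pem partner.pfx "$PFX_PASS" partner.pem
#   import_into_truststore partner.pem truststore.jks "$TS_PASS" partner
#   verify_truststore_entry partner.pem truststore.jks "$TS_PASS" partner && echo "truststore OK"
```

Two caveats: a .pfx encrypted with the old RC2-40 scheme that Windows tools still emit needs `-legacy` on the `openssl pkcs12` call under OpenSSL 3; and if the other party really intends you to present that key pair as your client identity, the whole .pfx belongs in the identity keystore, not the truststore, which is why this script copies only the certificate.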
I want to create an HttpClient with a TrustStore that includes our signer certificate from the WebSphere NodeDefaultTrustStore.
To do that I have to either:
get the certificate and create a TrustStore to load into a custom SSLContext using the TLSv1.2 protocol
get an SSLContext from WebSphere that already incorporates such a TrustStore and protocol.
I have not been able to find a way to achieve either.
I know the disk address of the certificate stored by WebSphere, but it is stored as a .p12 file, and if I create the SSLContext in java, I need a .jks file.
I can import the .cer file into a .jks file and load it from disk from within the java code, but we already have the certificate loaded in WebSphere and would prefer to use that one.
Wondering if JSSEHelper.getSSLContext() works...
https://www.ibm.com/support/knowledgecenter/SSCKBL_8.5.5/com.ibm.websphere.javadoc.doc/web/apidocs/com/ibm/websphere/ssl/JSSEHelper.html#getSSLContext(java.util.Map,%20java.util.Properties)
We are trying to install a third party CA cert on our WSO2 ESB server (Linux). We are unable to install the CA certificate; it always falls back to the default certificate.
While the WSO2 service is started, it shows that the new cert is being referenced and loaded, but the client browser gives an error and shows the default inbuilt cert.
Can someone guide us on where we need to look for errors?
We followed the instructions from
http://wso2.org/library/knowledge-base/2011/08/adding-ca-certificate-authority-signed-certificate-wso2-products
All steps were followed correctly.
Sreejith, the document you're following is correct. I've used the same to configure our servers.
You can get the certificate being used by your server by executing this from a consumer host (client):
echo -n | openssl s_client -connect esb.yourdomain.co.nz:8243 | sed -ne '/-BEGIN CERTIFICATE-/,/-END CERTIFICATE-/p' > certificate.cert
Then you can see if the certificate being used is the one you expect.
To replace the default certificate, you'll need to replace the $WSO2_HOME/repository/resources/security/wso2carbon.jks keystore and modify $WSO2_HOME/repository/conf/carbon.xml and $WSO2_HOME/repository/conf/axis2/axis2.xml with the new keystore (along with alias and passwords) wherever necessary.
According to my experience, the keystore needs to be replaced. You cannot simply add your certificate to the existing keystore; you need to force the WSO2 server to use your certificate by making it the only certificate in the keystore. Also, the certificate CN and alias must match your server hostname (as in the URL) for this to work.
Then add the certificate to the $WSO2_HOME/repository/resources/security/client-truststore.jks keystore.
And don't forget to restart the server after the changes.
Regards
I'm using OpenSSO 8 which I haven't configured myself. It's fully configured and without any problems. My problem is that I need to find the issuer certificate used to validate digital signatures on the SAML credentials. Can you tell me where should I look for it?
You usually get the certificate in the metadata. Here is a link on how to exchange the metadata from OpenSSO
The certificates are actually stored in opensso/opensso folder and can be exported using keytool
I'm working on Jboss 5 and WAS 7.
I was able to run my application via Mutual Authentication on Jboss following this doc,
https://community.jboss.org/wiki/SSLSetup/
Following the above doc I created server.keystore and server.truststore files that I injected into the Jboss server and everything works fine.
Now, I want to run the same application via Mutual Auth on WAS.
On WAS, the trust store and keystore are specified by navigating to
Security > SSL certificate and key management > SSL configurations > New > Key stores and certificates
But there I don't see any type related to .keystore and .truststore. (snap below)
My question - what is the equivalent of .keystore and .truststore that can be used in WAS, or what's the way to set up browser-based Mutual Authentication on a WAS server?
I'm using WAS 7.0.0.21.
Keystores and truststores are the same format in WebSphere. You choose the file format, but any of those formats can be used for either store.
You then point a configuration at specific files.
Security > SSL certificate and key management > Manage endpoint security configurations
Alternatively, what has been simpler for us is to use the existing default stores WebSphere already has and add our certificates to those.
Security > SSL certificate and key management > Key stores and certificates > CellDefaultKeyStore
Or CellDefaultTrustStore or NodeDefaultKeyStore, etc.
The link helped me set up SSL on WAS. I just had to add a couple of steps to enable it for browser-based Mutual Authentication.
Since I had to do a POC, I'm using self-signed certificates.
In an ideal scenario, certificates will be signed by a Certificate Authority and the certificate of the Certificate Authority will be imported into the Trust Store of the WAS server.
Here are the steps:
1. Change the password for Default KeyStore and Default TrustStore in WAS.
2. Create a Client Certificate in WAS.
3. Create a Server Certificate in WAS.
4. Export the Client Certificate in PKCS format, e.g. client.p12.
5. Export the Server Certificate in PKCS format, e.g. server.p12.
6. Import the Client Certificate to Default TrustStore.
7. Import the Server Certificate to Default TrustStore.
8. Enable SSL on WAS.
   i. Make sure to select the server certificate for both Default server certificate alias and Default client certificate alias.
   ii. In the Quality of protection (QoP) settings, choose Client Authentication as Required.
9. Create a Web Container Transport Chain with a new SSL port, e.g. 9444.
10. Add the newly created SSL port to the virtual host.
11. Restart the server.
12. Import the Client Certificate created in Step 4 (client.p12) to the browser.
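The CA-signed variant that the answer above calls the ideal scenario, as an added example built with openssl and keytool rather than the WAS console (it is not part of the answer). A small private CA issues one server and one client certificate; the truststore receives only the CA certificate, so every client whose certificate chains to that CA passes the "Client Authentication: Required" check without a per-client import; the client key and certificate are exported as client.p12 for the browser. It also shows the check WAS will perform for you: a certificate chains to the CA and carries the right extended key usage for its role. Host names, file names and passwords are assumptions for the example.

```shell
#!/bin/sh
# Added example (not from the original thread): private CA + server and
# client certificates for browser-based mutual TLS, verified with openssl.
# Assumed names: was.example.com (server), alice (client), changeit (store pw).
set -u

# Self-signed CA in directory $1. Signing a CSR with x509 -req -extfile keeps
# the CA extensions explicit and independent of the local openssl.cnf.
make_ca() {
    d=$1
    openssl req -newkey rsa:2048 -nodes -keyout "$d/ca.key" -out "$d/ca.csr" \
        -subj "/CN=Example Mutual TLS CA" >/dev/null 2>&1
    printf '%s\n' "basicConstraints=critical,CA:TRUE" \
                  "keyUsage=critical,keyCertSign,cRLSign" > "$d/ca.ext"
    openssl x509 -req -in "$d/ca.csr" -signkey "$d/ca.key" -days 3650 \
        -extfile "$d/ca.ext" -out "$d/ca.pem" >/dev/null 2>&1
}

# CA-signed certificate: $2 = file prefix, $3 = CN, $4 = server|client.
# The role sets extendedKeyUsage; server certificates also get the host name
# as subjectAltName, which is what browsers actually match against.
issue_cert() {
    d=$1; name=$2; cn=$3; role=$4
    if [ "$role" = server ]; then
        printf '%s\n' "extendedKeyUsage=serverAuth" "subjectAltName=DNS:$cn" > "$d/$name.ext"
    else
        printf '%s\n' "extendedKeyUsage=clientAuth" > "$d/$name.ext"
    fi
    openssl req -newkey rsa:2048 -nodes -keyout "$d/$name.key" \
        -out "$d/$name.csr" -subj "/CN=$cn" >/dev/null 2>&1
    openssl x509 -req -in "$d/$name.csr" -CA "$d/ca.pem" -CAkey "$d/ca.key" \
        -CAcreateserial -days 365 -extfile "$d/$name.ext" \
        -out "$d/$name.pem" >/dev/null 2>&1
}

# Chain + purpose check: does $2.pem chain to the CA and may it act as
# $3 (sslserver or sslclient)? A serverAuth-only certificate is rejected
# as a client identity, which is exactly what a TLS server would do.
verify_cert() {
    d=$1; name=$2; purpose=$3
    openssl verify -purpose "$purpose" -CAfile "$d/ca.pem" "$d/$name.pem" >/dev/null 2>&1
}

# Key + certificate + CA as PKCS#12: client.p12 goes into the browser,
# server.p12 is what the server loads as its own identity.
export_p12() {
    d=$1; name=$2; pass=$3
    openssl pkcs12 -export -inkey "$d/$name.key" -in "$d/$name.pem" \
        -certfile "$d/ca.pem" -name "$name" -out "$d/$name.p12" -passout "pass:$pass"
}

# Truststore: only the CA certificate, no client or server certificates.
build_truststore() {
    d=$1; pass=$2
    keytool -import -noprompt -trustcacerts -alias example-ca -file "$d/ca.pem" \
        -keystore "$d/truststore.jks" -storetype JKS -storepass "$pass" >/dev/null
}

# Number of trusted entries in a truststore (expected: exactly 1, the CA).
truststore_entry_count() {
    keytool -list -keystore "$1" -storepass "$2" | grep -c trustedCertEntry
}

# Whole flow (assumed names):
#   D=pki; mkdir -p "$D"; make_ca "$D"
#   issue_cert "$D" server was.example.com server
#   issue_cert "$D" client alice client
#   verify_cert "$D" client sslclient && export_p12 "$D" client "$CLIENT_P12_PASS"
#   export_p12 "$D" server "$SERVER_P12_PASS"; build_truststore "$D" changeit
```

Revoking one browser is then a matter of removing that client's certificate (or running a CRL), not of editing the truststore; with the self-signed per-client imports from the steps above, every new client means another truststore change and a server restart.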
We are using JBoss 5.1. We have deployed a web service and wish to add certificate functionality. We have created a CA and a certificate signed by that CA (we used openssl and the java keytool to create the .keystore file). We imported both the CA and the certificate in the .keystore file and pointed the connector (in server.xml) on that .keystore:
The common name used for the CA is aname.com while the common name for the certificate is hostname. The validity period of the certificate is almost one year while for the CA is a little more.
Trying to access the web service url (https://hostname:8443/path_to_webservice) with Internet Explorer we get the error that our certificate is not issued by a trusted certificate authority.
When we select to view the certificate in the browser, we get a certificate that is issued for hostname, issued by hostname and its validity period is only 3 months. Obviously, the certificate we get from Internet Explorer is very different than the one we created.
How can I solve this issue? Is it a certificate issue or do I need to make some changes in JBoss?
Is it a certificate issue or do I need to make some changes in JBoss?
While I'm not able to provide you a precise answer, I'll provide you some guiding questions that may help you solve the problem :-) Are you able to import this certificate (the pem file, which you used to create the keystore file) in a browser? What about the fingerprint, does it look the same as the one stored in JBoss? Does this bogus certificate remind you of any previous attempt?
I'd say that this is most certainly a problem with the certificate itself, as I don't believe JBoss is able to fake your certificate :-)
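Both the WSO2 thread (server keeps serving the built-in certificate) and this JBoss thread (browser shows a different, self-signed, 3-month certificate) come down to the same question: what is the port actually serving, and is it the certificate you installed? The script below is an added example, not part of either thread. It turns the openssl s_client one-liner from the WSO2 answer into a check (with SNI added, which older one-liners omit), compares the served certificate with the one you expect by SHA-256 fingerprint, reports whether it is self-signed, and tests whether its names cover the host in the URL. Host names and file names are assumptions.

```shell
#!/bin/sh
# Added example (not from the original threads): what is this TLS port really
# serving, and does it match the certificate I installed?
# Assumed inputs: a host:port to probe and expected.pem exported from the
# keystore (keytool -export -rfc).
set -u

# Certificate presented by host:port, as PEM on stdout (needs network access).
fetch_served_cert() {
    host=$1; port=$2
    openssl s_client -connect "$host:$port" -servername "$host" </dev/null 2>/dev/null \
      | openssl x509
}

# SHA-256 fingerprint of a PEM certificate, from file $1 or from stdin.
cert_fingerprint() {
    if [ $# -gt 0 ]; then
        openssl x509 -in "$1" -noout -fingerprint -sha256
    else
        openssl x509 -noout -fingerprint -sha256
    fi | sed 's/^.*=//'
}

# Subject CN and DNS subjectAltNames of the certificate in file $1.
cert_cn() {
    openssl x509 -in "$1" -noout -subject -nameopt RFC2253 \
      | sed -n 's/.*CN=\([^,]*\).*/\1/p'
}
cert_san_dns() {
    openssl x509 -in "$1" -noout -text \
      | grep -A1 'Subject Alternative Name' | grep -o 'DNS:[^,]*' | sed 's/^DNS://'
}

# Does the certificate name the host? SANs are authoritative; the CN is only
# consulted when there is no SAN at all (browsers no longer fall back to the
# CN). Exact match only, no wildcard handling.
cert_matches_host() {
    pem=$1; host=$2
    names=$(cert_san_dns "$pem")
    [ -n "$names" ] || names=$(cert_cn "$pem")
    printf '%s\n' "$names" | grep -qxF "$host"
}

# Subject equal to issuer: self-signed, i.e. a generated/default certificate
# or your own test CA, which no browser trusts without an explicit import.
cert_is_self_signed() {
    s=$(openssl x509 -in "$1" -noout -subject -nameopt RFC2253 | sed 's/^subject=//')
    i=$(openssl x509 -in "$1" -noout -issuer -nameopt RFC2253 | sed 's/^issuer=//')
    [ "$s" = "$i" ]
}

# One-screen summary of a certificate file: who, issued by whom, validity,
# fingerprint, self-signed or not.
cert_summary() {
    pem=$1
    openssl x509 -in "$pem" -noout -subject -issuer -dates -nameopt RFC2253
    printf 'fingerprint=%s\n' "$(cert_fingerprint "$pem")"
    if cert_is_self_signed "$pem"; then echo "self-signed=yes"; else echo "self-signed=no"; fi
}

# Main check: is host:port serving exactly the certificate in file $3?
# Returns 0 on match, 1 on mismatch, 2 if nothing could be fetched.
served_cert_is_expected() {
    host=$1; port=$2; expected=$3
    served=$(fetch_served_cert "$host" "$port") || return 2
    [ -n "$served" ] || return 2
    [ "$(printf '%s\n' "$served" | cert_fingerprint)" = "$(cert_fingerprint "$expected")" ]
}

# Typical use (assumed host and file):
#   fetch_served_cert esb.example.com 8243 > served.pem && cert_summary served.pem
#   served_cert_is_expected esb.example.com 8243 expected.pem || echo "port serves a different certificate"
```

A mismatch with a self-signed served certificate whose CN equals the host name is the signature of the server picking up its own default keystore: look at which keystore file, alias and password the connector or transport actually references and whether the process was restarted after the change, rather than at the certificate you generated.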