jvn
Hi all,
I'm trying to configure Transport Security (SSL) as the security mechanism, but I'm having problems. First of all, the keystore and truststore configuration buttons are disabled. I read that this wasn't necessary in order to implement this security type. So, what I do is:

- I import some certificates into keystore.jks, using either keytool or keytool IUI.
- I enable "Secure Service" and "Transport Security (SSL)" as the security mechanism from the CASA editor, then deploy the application.
- I try to connect to the service using soapUI, but I get the following error: "Security Requirements not met - No Security header in message", and it shows me that the certificate the server is using, in this case, is one of the four defined in keystore.jks (for example xwssecurityclient among s1as, wssip, xws-security-client and xws-security-server). That's normal because at this point I haven't defined any alias for the connection in soapUI.
- Then, I configure (in soapUI) the alias the server shows (xwssecurityclient in this case). I don't know how the server chooses among all the certificates keystore.jks contains, so the only solution I see is to configure only the certificate I want the server to work with.
- After all that, I keep getting the same error from soapUI.

So, my questions are:

1. How can I choose among all of the certificates included in keystore.jks? Must it be configured with only one alias?
2. How does the server use a particular certificate?
3. Am I missing any important step?
4. How do I configure in soapUI the right certificate I want to use?

Any help will be appreciated.

Thanks in advance,
Javier.
Jakub Grabowski

Hi Javier,

Could you provide more details? What exactly do you want to achieve?

* Is GlassFish a server or a client in this case?
* Do you want to use mutual SSL?

You can use multiple certificates in GlassFish on the SSL server side (just configure the alias on the HTTP listener). With GlassFish acting as an SSL client you can only use one outbound certificate, specified by the -Dcom.sun.enterprise.security.httpsOutboundKeyAlias=YOUR_ALIAS JVM option.

Hope it helps.

Regards,
Jakub Grabowski
Perfectsource <http://www.perfectsource.pl>
jvn
Hi Jakub, and thanks for replying.

GlassFish is the server where my composite applications are. I don't want to use mutual SSL. I've configured port 19005 to allocate these CASAs, so I don't need to specify the alias on the server explicitly, because 19005 is not configured as an HTTPS listener (I solved the rest of the conflicts with the listeners on GF). I have to specify only one alias in the keystore so the server is able to show the certificate I want. Furthermore, I have to disable the WSIT configuration in the CASA project and use https as my application's endpoint. This way, the server uses the only certificate it has defined (the s1as alias by default). But if I want to replace the s1as alias and its certificate with my own certificate, it doesn't work. That's because when I import a certificate into keystore.jks, a certificate is imported, but GF only starts if it's a "certificate chain" (like s1as is). So, my point now is to import my own certificate as a "certificate chain". Does anybody know something about this?

Thanks a lot,
Javier.
Michael.Czapski
Assuming that you need to do this on the HTTP BC, the discussion in "GlassFish ESB, v2.1 - Exploring Effects of Security Policies, Rev.0.2, More SSL and EJB-based projects", at http://blogs.sun.com/javacapsfieldtech/entry/glassfish_esb_v2_1_exploring1, provides details and examples.

Regards
Michael
Michael.Czapski
Hello, Javier.

The assumption is that the server has a single private key and a single certificate. By default the alias is s1as. The server (app server) can be configured to use a keystore and a truststore which are different from the defaults. See http://java.sun.com/j2se/1.5.0/docs/guide/security/jsse/JSSERefGuide.html, section Customisation, for system properties that can change that and examples of their use. There is more to all this stuff than meets the eye, so cookbook recipes are not enough to ensure infrastructure security.

Regards
Michael
jvn
Thank you for answering, Michael. I've finally configured GF correctly by using a single private key and a single certificate. For anyone interested in how I did it, these are the steps I followed using keytool:

0. I deleted the default alias s1as.
1. I generated a new key pair with any alias (I will use myalias for this example).
2. I generated a CSR (Certificate Signing Request) for the myalias key pair.
3. I submitted this CSR to a CA (Certificate Authority) in order to receive an authenticated certificate or certificate chain (I asked for a certificate chain that contains the root CA needed).
4. I imported this certificate chain into the myalias key pair.

From this point, the authenticated certificate for this server is done. I hope this is helpful for someone in a similar situation.

Regards,
Javier.

2009/10/9 Michael.Czapski (via Nabble) <[hidden email]>
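The keytool sequence Javier lists, as an added example that is not from the thread: it runs steps 0 to 4 against a throwaway local CA (standing in for the external CA) so the result can be reproduced offline, then checks what the server actually needs, a PrivateKeyEntry under myalias whose certificate chain is complete. The keystore paths, aliases, distinguished names and the changeit password are constructed for the demo, and keytool from a JDK is assumed to be on PATH.

```shell
#!/bin/sh
# Added example, not from the thread. Assumes keytool (JDK) on PATH; every
# path, alias, DN and password below is constructed for this demo.
set -eu
command -v keytool >/dev/null 2>&1 || { echo "keytool not found, skipping"; exit 0; }

WORK=$(mktemp -d); trap 'rm -rf "$WORK"' EXIT
KS="$WORK/keystore.jks"   # stands in for the GlassFish domain keystore.jks
CAKS="$WORK/ca.jks"       # throwaway CA, plays the role of the external CA
PW=changeit               # GlassFish's default keystore password

# Start from a keystore that, like the default one, only holds s1as.
keytool -genkeypair -keystore "$KS" -storetype JKS -storepass "$PW" -keypass "$PW" \
  -alias s1as -keyalg RSA -keysize 2048 -dname "CN=localhost" -validity 1 2>/dev/null

# Step 0: delete the default alias.
keytool -delete -keystore "$KS" -storepass "$PW" -alias s1as

# Step 1: new key pair under the alias the server will present.
keytool -genkeypair -keystore "$KS" -storepass "$PW" -keypass "$PW" \
  -alias myalias -keyalg RSA -keysize 2048 -dname "CN=localhost" -validity 365 2>/dev/null

# Step 2: CSR for myalias.
keytool -certreq -keystore "$KS" -storepass "$PW" -alias myalias -file "$WORK/myalias.csr"

# Step 3: the CA signs the CSR. Here it is a local CA key with the CA basic
# constraint; in the thread an external CA returned a chain including its root.
keytool -genkeypair -keystore "$CAKS" -storetype JKS -storepass "$PW" -keypass "$PW" \
  -alias testca -keyalg RSA -keysize 2048 -dname "CN=Demo Root CA" -validity 365 -ext bc:c 2>/dev/null
keytool -gencert -keystore "$CAKS" -storepass "$PW" -alias testca -rfc -validity 365 \
  -infile "$WORK/myalias.csr" -outfile "$WORK/myalias.crt"
keytool -exportcert -keystore "$CAKS" -storepass "$PW" -alias testca -rfc -file "$WORK/ca.crt"

# Step 4: the root must be trusted in this keystore so the reply can be chained;
# then the CA reply is imported into the SAME alias that holds the private key.
keytool -importcert -keystore "$KS" -storepass "$PW" -alias democa -file "$WORK/ca.crt" -noprompt
keytool -importcert -keystore "$KS" -storepass "$PW" -alias myalias -file "$WORK/myalias.crt" -noprompt

# What the server needs at startup: a PrivateKeyEntry with a complete chain.
# Importing just a certificate on its own, as in the earlier attempt, never
# produces a private key plus chain, which is why GF would not start.
entry_type()   { keytool -list -v -keystore "$KS" -storepass "$PW" -alias myalias | sed -n 's/^Entry type: *//p'; }
chain_length() { keytool -list -v -keystore "$KS" -storepass "$PW" -alias myalias | sed -n 's/^Certificate chain length: *//p'; }

echo "myalias: $(entry_type), chain length $(chain_length)"
```

Point the domain's HTTPS listener at myalias (or keep s1as as the alias name when regenerating) and the server presents the CA-issued chain instead of the self-signed default.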