RE: [solarisx86] Glassfish with in-house CA

  • Jeff Brower
    Message 1 of 8 , Jul 16, 2013
      Hi John,

      THANK YOU SO MUCH FOR RESPONDING!

      This is running on a highly controlled government server and openssl is not
      installed - but I can list the certificate with keytool and it looks normal
      - other than referring to an LDAP server rather than a normal CA.

      The self-signed certificate works perfectly.

      I don't really know how to respond to the format question.

      --

      Jeff

      From: solarisx86@yahoogroups.com [mailto:solarisx86@yahoogroups.com] On
      Behalf Of John D Groenveld
      Sent: Tuesday, July 16, 2013 1:38 PM
      To: solarisx86@yahoogroups.com
      Subject: Re: [solarisx86] Glassfish with in-house CA





      In message <0e2e01ce8239$1ea54f20$5befed60$@...>, "Jeff Brower" writes:
      >It appears to install correctly using keytool, but when I try to use it,
      >Glassfish stops responding (and I have to restart the server). The log is
      >silent.

      What format does their CA spew?

      Can you interrogate it with openssl(1)?
      <URL:http://www.modssl.org/docs/2.8/ssl_faq.html#ToC32>

      Does your Glassfish work with a dummy self-signed certificate?
      <URL:http://docs.oracle.com/cd/E26576_01/doc.312/e24940/system-security.htm>

      John
      groenveld@...





      [Non-text portions of this message have been removed]
    • John D Groenveld
      Message 2 of 8 , Jul 16, 2013
        In message <11d801ce825a$1a65cdb0$4f316910$@...>, "Jeff Brower" writes:
        >This is running on a highly controlled government server and openssl is not
        >installed - but I can list the certificate with keytool and it looks normal
        >- other than referring to an LDAP server rather than a normal CA.
        >
        >The self-signed certificate works perfectly.
        >
        >I don't really know how to respond to the format question.

        First install the client's CA software, Solaris and Glassfish
        on an uncontrolled developer system and debug there before men
        with machine guns escort you away from the console.


        Do you know that the signed certificate references a
        queer LDAP server from reading the ASCII preface to the signed
        cert?
        If so, perhaps try deleting the lines before and after
        BEGIN CERT / END CERT and try re-importing with keytool
        in case Tom Kurian and company's keytool is borked and
        can't parse it.
        <URL:http://en.wikipedia.org/wiki/X.509#Sample_X.509_certificates>

        You might also try exporting the working dummy cert,
        deleting it from the keystore, sanity checking the
        Glassfish's preferred cert and key format, and then
        re-importing.


        Glassfish is the kind of niche product that probably has a
        Communities.Oracle.COM or Java.NET support forum that
        Chuck Rozwat and company maybe staffs with more than 50 cent
        bloggers.

        Good luck,
        John
        groenveld@...
      • Jeff Brower
        Message 3 of 8 , Jul 16, 2013
          Thanks John, especially about the part about the official escort!

          Yes, that is where I got it, the cert has a chain in it that refers to the
          CA by URL and LDAP appears there. I know it is getting installed because I
          can see matching fingerprints and the dates of generation are right.

          I just came off of a conference call with admins out there and now he and I
          are scheduled to work on it together with a whole host of folks of varying
          technical backgrounds listening in and watching electronically while we both
          bang on the same command line on different coasts.

          Somebody shoot me please.

          --

          Jeff Brower

        • John D Groenveld
          Message 4 of 8 , Jul 16, 2013
            In message <132801ce8267$cb6cca70$62465f50$@...>, "Jeff Brower" writes:
            >Yes, that is where I got it, the cert has a chain in it that refers to the
            >CA by URL and LDAP appears there. I know it is getting installed because I
            >

            I don't grasp why Glassfish would fall over your signed cert's
            queer certification chain.
            The client should obviously care enough to validate that your
            Glassfish's cert is signed by a trusted third party but Glassfish
            should work merrily without care.

            However, are you authenticating with client certificates?
            If so, then Glassfish certainly does need to check the
            signature chain.

            John
            groenveld@...
          • Jeff Brower
            Message 5 of 8 , Jul 16, 2013
              That bothered me too. I expected it would simply throw an error that the
              certificate failed and the connection is not trusted and then just move on
              without SSL - but then I realized that I do force SSL. The opening screen
              is a login and no non-secure traffic is allowed. I am guessing that the SSL
              fails and since I force it to SSL, the server just gives up. That is all I
              could come up with. Still - why is the log silent?

              The authentication is done with login user id and password and not client
              certificates (as far as Glassfish is concerned).

              Working from memory here, I just create the key pair into its own keyfile
              with the CN and alias set to the expected URL and then create the CSR from
              it. I give them the CSR and they send me a single file in return which is
              supposed to have everything I need. I import that and then import the key
              pair from the first keyfile. Keytool finishes without throwing any errors
              and the list looks OK to my eyes. Everything has the same default password.
              I go into the administration panel and change the alias from s1as to the new
              alias and restart the server. After that, I can't get into the application.
              I do see a partial draw of the application login screen, but I think that it
              is an image that is not SSL protected.

              See anything obvious?

              --

              Jeff

            • Jeff Brower
              Message 6 of 8 , Jul 18, 2013
                Just wanted to complete the thread in case anyone searches for the same
                solution - using an internal CA on a Windows Server network on Glassfish
                SSL.

                Even though the answer has always been "everything you need is already in
                the certificate" when I asked for Root and Issuer (intermediate)
                certificates, the solution was in adding those to the keystore - and making
                sure they are added in the correct sequence one at a time. The LDAP thing
                was no issue whatsoever, worrying about that was grasping at straws.

                Note that it WILL install the private and public certificate without errors
                and it will look like it worked, but without the root and issuer
                certificates in the chain the reply is missing and it will fail. When you
                telnet into 443 or 80 you can tell you have the server listening, but it
                will not connect.

                SO. (1) Generate the keypair in keystore.jks and create the CSR with both
                the alias and the CN set to whatever you want to use in the URL. (2) Have
                it signed. (3) Import the root certificate with the alias set to root. (4)
                Import the intermediate (issuer) certificate WITHOUT AN ALIAS. (5) import
                the signed public key with the same alias as the CN and alias above. (6)
                Using the Glassfish Administration Panel change the SSL nickname to the
                alias/CN that you used in step 1.

                Bottom line, business as usual - just don't let them try to tell you that
                you don't need the root and intermediate certificates because they don't
                need them on any of their other machines. You need them, or it will not
                work.

                Thanks for talking it through with me John!

                --

                Jeff Brower

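The six-step procedure from the post above, scripted as an added example (not the poster's own commands): steps (3)-(5) as keytool calls, plus a check against `keytool -list -v` output that the CA reply actually chained instead of silently leaving the self-signed certificate in place. The keystore name, alias, password and certificate file names are placeholders, and the CA's single file is assumed to have been split into root, issuer and server certificates beforehand.

```shell
# Added example, not from the thread: steps (3)-(5) of the post as keytool
# commands, plus a check that the CA reply really replaced the dummy cert.
# Placeholders: keystore.jks, alias/CN app.example.gov, password changeit;
# the CA's single file is assumed split into root.cer/issuer.cer/server.cer.
set -eu

KEYSTORE=${KEYSTORE:-keystore.jks}
ALIAS=${ALIAS:-app.example.gov}   # must match the alias and CN from step (1)
STOREPASS=${STOREPASS:-changeit}

kt() { keytool "$@" -keystore "$KEYSTORE" -storepass "$STOREPASS"; }

# Order matters: keytool can only "establish chain from reply" when the
# issuers are already trusted entries. The post imported the intermediate
# with no alias, which keytool stores under its default alias "mykey".
import_chain() {
  kt -importcert -alias root   -file root.cer   -noprompt   # step (3)
  kt -importcert -alias issuer -file issuer.cer -noprompt   # step (4)
  kt -importcert -alias "$ALIAS" -file server.cer           # step (5)
}

# Judge `keytool -list -v -alias $ALIAS` output: a chain longer than one cert
# whose leaf is not its own issuer. Length 1 with Owner == Issuer is the
# "installs without errors but will not connect" state from the post.
chain_ok() {
  listing=$1
  len=$(printf '%s\n' "$listing" | sed -n 's/^Certificate chain length: *//p')
  owner=$(printf '%s\n' "$listing" | sed -n '/^Certificate\[1]:/,/^Serial/s/^Owner: //p')
  issuer=$(printf '%s\n' "$listing" | sed -n '/^Certificate\[1]:/,/^Serial/s/^Issuer: //p')
  if [ "${len:-0}" -ge 2 ] && [ -n "$owner" ] && [ "$owner" != "$issuer" ]; then
    return 0
  fi
  return 1
}

check_keystore() { chain_ok "$(kt -list -v -alias "$ALIAS")"; }

# Constructed listings in keytool -list -v format: a chained entry, and the
# failure mode from the post (the reply never replaced the self-signed cert).
GOOD_LISTING='Certificate chain length: 3
Certificate[1]:
Owner: CN=app.example.gov, O=Example Agency
Issuer: CN=Example Issuing CA, O=Example Agency
Serial number: 1a2b3c'
BAD_LISTING='Certificate chain length: 1
Certificate[1]:
Owner: CN=app.example.gov, O=Example Agency
Issuer: CN=app.example.gov, O=Example Agency
Serial number: 4d5e6f'
```

On the real host, source the script and run `import_chain && check_keystore` before changing the SSL nickname in the admin panel (step 6); `chain_ok` alone can be exercised offline against the two constructed listings.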