SSL Configuration for HTTPS BC

SSL Configuration for HTTPS BC

Akshay
This post has NOT been accepted by the mailing list yet.
Hello Friends,

I would like to make Open ESB listen on HTTPS port 443 when it is accessed from the outside world. My web service will be accessed by an external party to send data to our integration server. I need to know how to install an SSL certificate so that HTTPS works on port 443. Open ESB uses 9081 as the default HTTPS port for its HTTP binding, but I need to change that port from 9081 to 443. Changing the port is not the big task, but how should I configure the SSL certificate in Open ESB so that secure communication can be achieved?

Any help would be highly appreciated.

Regards,
Akshay

RE: SSL Configuration for HTTPS BC

vishnu.piskala

Hi

You need to install your certificate in your keystore and set the javax.net.ssl.keyStore and javax.net.ssl.keyStorePassword in Java system properties.

Go through this thread: http://openesb-community-forum.794670.n2.nabble.com/How-to-install-SSL-Certificates-on-OpenESB-SE-td7581287.html#a7581292

Regards

Vishnu

www.logicoy.com

From: Akshay [via OpenESB Community Forum] [mailto:[hidden email]]
Sent: Wednesday, December 7, 2016 7:03 PM
To: vishnu.piskala <[hidden email]>
Subject: SSL Configuration for HTTPS BC

If you reply to this email, your message will be added to the discussion below:

http://openesb-community-forum.794670.n2.nabble.com/SSL-Configuration-for-HTTPS-BC-tp7581344.html


RE: SSL Configuration for HTTPS BC

Akshay
This post has NOT been accepted by the mailing list yet.
Hello Vishnu,

Thanks for the input, but this is not what I am stating here.

The thread you shared is about calling an outside HTTPS URL from Open ESB, and to do this we need to import their certificate into our Open ESB server to communicate.

But in my case I need it the reverse way: an external application will call my URL (HTTPS of Open ESB), a simple web service, to send data to my integration server. For this I need to make my service available on HTTPS:443 with SSL in Open ESB.

Any inputs on this?

Regards,
Akshay

RE: SSL Configuration for HTTPS BC

vishnu.piskala

Hi Akshay

Ok. Here is what we do.

1. Bundle the server certificate, private key, and CA certificates into a PKCS12 file. You can use openssl to do this.

2. Convert the PKCS12 file into a JKS file. Use the keytool command to do this. This will be your keystore.

3. Chain the CA certificates. You can use Notepad. Import this into your truststore. This link will help you: https://www.digicert.com/ssl-support/pem-ssl-creation.htm

4. Add these properties as Java system properties: -Djavax.net.ssl.keyStore=pathtojks.jks -Djavax.net.ssl.keyStorePassword=jkspasswd -Djavax.net.ssl.trustStore=pathtojks.jks -Djavax.net.ssl.trustStorePassword=jkspasswd

Hope this helps.

Regards

Vishnu

From: Akshay [via OpenESB Community Forum] [mailto:[hidden email]]
Sent: Wednesday, December 7, 2016 7:26 PM
To: vishnu.piskala <[hidden email]>
Subject: RE: SSL Configuration for HTTPS BC

RE: SSL Configuration for HTTPS BC

Akshay
This post has NOT been accepted by the mailing list yet.
Ok Vishnu,

Thanks for guidance, I will try these steps right away and update you.

Just one question: do we need to enable the "(SSL) Client authentication enabled" check box on the sun-http-binding binding component?

Regards,
Akshay

RE: SSL Configuration for HTTPS BC

Akshay
This post has NOT been accepted by the mailing list yet.
In reply to this post by vishnu.piskala
Hello Vishnu,

I performed the following steps to generate the *.jks file and then set up the VM arguments in the openesb.bat file used to start the Open ESB server.

1. Created private key
openssl genrsa -des3 -out otmesb-test.key 1024

2. Created CSR file
openssl req -new -key otmesb-test.key -out otmesb-test.csr

3. Created Self signed SSL
openssl x509 -req -days 365 -in otmesb-test.csr -signkey otmesb-test.key -out otmesb-test.crt

4. Created PKCS12 format file
openssl pkcs12 -export -out otmesb-test.pfx -inkey otmesb-test.key -in otmesb-test.crt

5. Using keytool created *.jks file
keytool -importkeystore -srckeystore otmesb-test.pfx -srcstoretype pkcs12 -srcalias 1 -destkeystore otmesb-test.jks  -deststoretype jks -deststorepass AKSHAY -destalias 1

6. Set up the below arguments in the openesb.bat file:
"%JAVA_HOME%\bin\java" "-Dcom.atomikos.icatch.file=%OPENESB_HOME%/tm/jta.properties" "-Djava.util.logging.config.file=%OPENESB_HOME%/config/logger.properties" -Djava.util.logging.manager=net.openesb.standalone.logging.LogManager -cp "%filename%;%OPENESB_HOME%/lib/ext/jansi-1.11.jar" "-Djavax.net.ssl.keyStore=E:\InstalledSW\Open-ESB-3.0.5\OE-Instance\otmesb-test.jks" "-Djavax.net.ssl.trustStore=E:\InstalledSW\Open-ESB-3.0.5\OE-Instance\otmesb-test.jks" -Djavax.net.ssl.keyStorePassword=AKSHAY -Djavax.net.ssl.trustStorePassword=AKSHAY -Djmx.invoke.getters=true "-Dopenesb.home=%OPENESB_HOME%" net.openesb.standalone.startup.Bootstrap %*

7. Restarted the server and deployed a simple HTTP application, but when accessing it from the browser I am getting "Secure Connection Failed" and the WSDL is not opening.
URL : https://otmesb-test:443/newWSDLService/newWSDLPort?wsdl

Error while accessing link in Mozilla :
Secure Connection Failed
The connection to otmesb-test was interrupted while the page was loading.
    The page you are trying to view cannot be shown because the authenticity of the received data could not be verified.
    Please contact the website owners to inform them of this problem.

Any thoughts on this? Is it happening because I am using a self-signed SSL certificate instead of a CA-signed one?
Can you provide some guidance on this? It would be very helpful.

Regards,
Akshay


RE: SSL Configuration for HTTPS BC

vishnu.piskala

Yes. It could be because of the self-signed certificate. Ignore the error or trust the certificate to view the page.

Regards

Vishnu

From: Akshay [via OpenESB Community Forum] [mailto:[hidden email]]
Sent: Wednesday, December 7, 2016 9:25 PM
To: vishnu.piskala <[hidden email]>
Subject: RE: SSL Configuration for HTTPS BC

RE: SSL Configuration for HTTPS BC

Akshay
This post has NOT been accepted by the mailing list yet.
Hello Vishnu,

I am not getting any option to trust the certificate and view the page while accessing the link.

Would you please confirm whether the steps I performed here are correct or not?

Regards,
Akshay

RE: SSL Configuration for HTTPS BC

Akshay
This post has NOT been accepted by the mailing list yet.
Hello Vishnu,

Any further inputs on this subject? I would really appreciate your help.

Regards,
Akshay

On Dec 8, 2016 1:17 PM, "Akshay [via OpenESB Community Forum]" <[hidden email]> wrote:

RE: SSL Configuration for HTTPS BC

Akshay
This post has NOT been accepted by the mailing list yet.
Hello Friends,

Can anyone help me on this ?

Akshay

RE: SSL Configuration for HTTPS BC

vishnu.piskala

Hello Akshay

I can see a few issues:

The PKCS file does not contain the CA certificate chained in it. This link will help: http://jackstromberg.com/2013/01/generating-a-pkcs12-file-with-openssl/

And I see you have not generated a CA certificate. You create a new CA certificate and sign your own certificate using the CA certificate. This will help: https://datacenteroverlords.com/2012/03/01/creating-your-own-ssl-certificate-authority/

So you have to follow these steps:

1. Create a new CA certificate:

2. Create your own certificate:

3. Sign your certificate using CA's certificate

4. Create a PKCS12 keystore with server’s certificate and CA certificate chained

5. Convert PKCS12 keystore to JKS

Regards

Vishnu

From: Akshay [via OpenESB Community Forum] [mailto:[hidden email]]
Sent: Tuesday, December 13, 2016 9:47 AM
To: vishnu.piskala <[hidden email]>
Subject: RE: SSL Configuration for HTTPS BC
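
The five steps listed in the reply above, written out as openssl and keytool commands. This is an added example, not commands posted by anyone in the thread; the file names, the CA subject "Example Test CA", the function names and the password argument are assumptions, and the keys are left unencrypted so the script runs unattended in a scratch directory.

```shell
#!/bin/sh
# Added example. Names, subjects and the password are constructed placeholders.

# Steps 1-4: CA, server certificate, signing, PKCS12 with the chain.
build_p12() {   # usage: build_p12 <dir> <hostname> <password>
    (
    cd "$1" || exit 1
    host=$2 pass=$3
    cat > openssl.cnf <<EOF
[req]
distinguished_name = dn
prompt = no
[dn]
CN = placeholder
[v3_ca]
basicConstraints = critical,CA:TRUE
keyUsage = critical,keyCertSign,cRLSign
[v3_server]
basicConstraints = CA:FALSE
subjectAltName = DNS:$host
EOF
    # 1. Create a new CA certificate (self-signed, marked CA:TRUE).
    openssl req -x509 -config openssl.cnf -extensions v3_ca -newkey rsa:2048 \
        -nodes -sha256 -days 365 -subj "/CN=Example Test CA" \
        -keyout ca.key -out ca.crt 2>/dev/null || exit 1
    # 2. Create your own (server) key and certificate request.
    openssl req -new -config openssl.cnf -newkey rsa:2048 -nodes -sha256 \
        -subj "/CN=$host" -keyout server.key -out server.csr 2>/dev/null || exit 1
    # 3. Sign the request with the CA; the SAN carries the host name clients check.
    openssl x509 -req -in server.csr -CA ca.crt -CAkey ca.key -CAcreateserial \
        -sha256 -days 365 -extfile openssl.cnf -extensions v3_server \
        -out server.crt 2>/dev/null || exit 1
    # 4. PKCS12 keystore: server key + server certificate + CA certificate.
    openssl pkcs12 -export -inkey server.key -in server.crt -certfile ca.crt \
        -name "$host" -passout "pass:$pass" -out server.p12 || exit 1
    )
}

# Number of certificates stored in the PKCS12 file (2 when the CA is chained in).
p12_cert_count() {   # usage: p12_cert_count <dir> <password>
    openssl pkcs12 -in "$1/server.p12" -passin "pass:$2" -nokeys 2>/dev/null |
        grep -c 'BEGIN CERTIFICATE'
}

# 5. Convert the PKCS12 keystore to JKS (needs a JDK's keytool on PATH;
#    keytool requires a store password of at least 6 characters).
p12_to_jks() {   # usage: p12_to_jks <dir> <password>
    keytool -importkeystore -noprompt \
        -srckeystore "$1/server.p12" -srcstoretype PKCS12 -srcstorepass "$2" \
        -destkeystore "$1/server.jks" -deststoretype JKS -deststorepass "$2"
}
```

A count of 1 from p12_cert_count means the PKCS12 file holds only the server certificate, which is the first issue pointed out in the reply.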


RE: SSL Configuration for HTTPS BC

Akshay
This post has NOT been accepted by the mailing list yet.
Hello Vishnu,

Thanks for your valuable inputs. I tried all the steps as per your new comments but I am still struggling with the problem.
Below is the error I get while accessing my localhost Open ESB HTTPS application link:

Error :

Secure Connection Failed

An error occurred during a connection to 192.168.1.226. SSL received a record that exceeded the maximum permissible length. Error code: SSL_ERROR_RX_RECORD_TOO_LONG

I really do not understand whether it is happening because of the self-signed SSL certificate or whether it is something else.
Any thoughts on this ?

Regards,
Akshay

RE: SSL Configuration for HTTPS BC

vishnu.piskala

Hello Akshay

Did you try this: http://stackoverflow.com/questions/119336/ssl-error-rx-record-too-long-and-apache-ssl ?

Regards

Vishnu

From: Akshay [via OpenESB Community Forum] [mailto:[hidden email]]
Sent: Wednesday, December 14, 2016 1:26 PM
To: vishnu.piskala <[hidden email]>
Subject: RE: SSL Configuration for HTTPS BC

RE: SSL Configuration for HTTPS BC

Akshay
This post has NOT been accepted by the mailing list yet.
Hello Vishnu,

I checked this post but it did not help me.
My Open ESB is running on a Windows machine. Also, I am able to telnet to my localhost on port 443. I am still not sure of the exact cause of this issue.

Regards,
Akshay

RE: SSL Configuration for HTTPS BC

Akshay
This post has NOT been accepted by the mailing list yet.
Hello Vishnu,

I have validated my SOA project and I made a mistake while configuring the WSDL for the HTTP binding. I was using plain HTTP in the WSDL; now I have changed it to HTTPS. After deployment, I could see the certificate chain getting loaded, but when I try to access my application URL in the browser nothing comes up. In the console log the lines below appear:

Using SSLEngineImpl.
Ignoring unavailable cipher suite: TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA
Ignoring unavailable cipher suite: TLS_DHE_RSA_WITH_AES_256_CBC_SHA
Ignoring unavailable cipher suite: TLS_ECDH_RSA_WITH_AES_256_CBC_SHA
Ignoring unavailable cipher suite: TLS_DHE_DSS_WITH_AES_256_CBC_SHA256
Ignoring unavailable cipher suite: TLS_DHE_RSA_WITH_AES_256_CBC_SHA256
Ignoring unavailable cipher suite: TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA384
Ignoring unavailable cipher suite: TLS_ECDH_ECDSA_WITH_AES_256_CBC_SHA384
Ignoring unavailable cipher suite: TLS_RSA_WITH_AES_256_CBC_SHA256
Ignoring unavailable cipher suite: TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA
Ignoring unavailable cipher suite: TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA384
Ignoring unavailable cipher suite: TLS_DHE_DSS_WITH_AES_256_CBC_SHA
Ignoring unavailable cipher suite: TLS_ECDH_RSA_WITH_AES_256_CBC_SHA384
Ignoring unavailable cipher suite: TLS_ECDH_ECDSA_WITH_AES_256_CBC_SHA
Ignoring unavailable cipher suite: TLS_RSA_WITH_AES_256_CBC_SHA

Any thoughts on this?

Many thanks for your help so far.

Regards,
Akshay

RE: SSL Configuration for HTTPS BC

Akshay
This post has NOT been accepted by the mailing list yet.
Hello Friends,

Anyone can help me out with this issue ?

Akshay

RE: SSL Configuration for HTTPS BC

Akshay
This post has NOT been accepted by the mailing list yet.
Hello Vishnu,

Thanks for your help. I did manage to configure the SSL process on Open ESB.

Regards,
Akshay

RE: SSL Configuration for HTTPS BC

vishnu.piskala

Hi Akshay

That’s great. Yes, I saw you documented the process. Thanks a lot.

-Vishnu

From: Akshay [via OpenESB Community Forum] [mailto:[hidden email]]
Sent: Monday, January 2, 2017 5:57 PM
To: vishnu.piskala <[hidden email]>
Subject: RE: SSL Configuration for HTTPS BC