6 Replies Latest reply on Jul 2, 2010 11:19 AM by mspbrst2

    Using pkcs12 certificates for SSL Security Configuration

    mspbrst2

      Hi Jopr Community,

       

      I would like to use PKCS12 certificates for securing JOPR communication, is it possible to change these entries to allow this?  I'm not sure if it's any different in other versions, but I'm using version 2.3.1 and here are the entries that I'm hoping to change:

       

      # Server-side SSL Security Configuration for HTTPS thru Tomcat
      # These are used for browser https: access and for incoming messages from agents over sslservlet transport
      # [you cannot use ${x} variables - see https://jira.jboss.org/jira/browse/JBWEB-74]
      rhq.server.tomcat.security.client-auth-mode=false
      rhq.server.tomcat.security.secure-socket-protocol=TLS
      rhq.server.tomcat.security.algorithm=IbmX509
      rhq.server.tomcat.security.keystore.alias=RHQ
      rhq.server.tomcat.security.keystore.file=conf/rhq.keystore
      rhq.server.tomcat.security.keystore.password=RHQManagement
      rhq.server.tomcat.security.keystore.type=JKS
      rhq.server.tomcat.security.truststore.file=conf/rhq.truststore
      rhq.server.tomcat.security.truststore.password=RHQManagement
      rhq.server.tomcat.security.truststore.type=JKS

       

      # Server-side SSL Security Configuration (for incoming messages from agents)
      # These are used when secure transports other than sslservlet are used
      rhq.communications.connector.security.secure-socket-protocol=TLS
      rhq.communications.connector.security.keystore.file=${jboss.server.home.dir}/conf/rhq.keystore
      rhq.communications.connector.security.keystore.algorithm=IbmX509
      rhq.communications.connector.security.keystore.type=JKS
      rhq.communications.connector.security.keystore.password=RHQManagement
      rhq.communications.connector.security.keystore.key-password=RHQManagement
      rhq.communications.connector.security.keystore.alias=RHQ
      rhq.communications.connector.security.truststore.file=${jboss.server.home.dir}/conf/rhq.truststore
      rhq.communications.connector.security.truststore.algorithm=IbmX509
      rhq.communications.connector.security.truststore.type=JKS
      rhq.communications.connector.security.truststore.password=RHQManagement
      rhq.communications.connector.security.client-auth-mode=none

       

      # Client-side SSL Security Configuration (for outgoing messages to agents)
      rhq.server.client.security.secure-socket-protocol=TLS
      rhq.server.client.security.keystore.file=${jboss.server.home.dir}/conf/rhq.keystore
      rhq.server.client.security.keystore.algorithm=IbmX509
      rhq.server.client.security.keystore.type=JKS
      rhq.server.client.security.keystore.password=RHQManagement
      rhq.server.client.security.keystore.key-password=RHQManagement
      rhq.server.client.security.keystore.alias=RHQ
      rhq.server.client.security.truststore.file=${jboss.server.home.dir}/conf/rhq.truststore
      rhq.server.client.security.truststore.algorithm=IbmX509
      rhq.server.client.security.truststore.type=JKS
      rhq.server.client.security.truststore.password=RHQManagement
      rhq.server.client.security.server-auth-mode-enabled=false

       

      Thanks in advance!

       

      Regards,

      Steven

        • 1. Re: Using pkcs12 certificates for SSL Security Configuration
          mazz

          You should be able to do this.

           

          Please read the following for more information on securing communications:

           

          http://rhq-project.org/display/JOPR2/Securing+Communications

           

          You are going to want to read and understand the information on that page. If, after reading that, you have any questions or can't get something to work, just post here and we'll try to answer.

          • 2. Re: Using pkcs12 certificates for SSL Security Configuration
            mspbrst2

            Well, I'm struggling with what to put for the rhq.server.tomcat.security.algorithm.  I tried using PBEwithMD5andDES like it shows in JaasSecurityDomain.java, but I got an error telling me that "PBEwithMD5andDES KeyManagerFactory was not found" when I tried to start up Jopr.

             

The reason I thought it might be PBEwithMD5andDES is because I'm doing something similar to http://community.jboss.org/wiki/EncryptKeystorePasswordIntomcatConnector as a made-up example shown below:

             

             <mbean code="org.jboss.security.plugins.JaasSecurityDomain"
                  name="jboss.security:service=PBESecurityDomain">
                  <constructor>
                     <arg type="java.lang.String" value="encrypt-keystore-password"></arg>
                  </constructor>
                  <attribute name="KeyStoreType">pkcs12</attribute>
                  <attribute name="KeyStoreURL">file:///path/to/certificate.p12</attribute>
                  <attribute name="KeyStorePass">{CLASS}this.is.my.class.password</attribute>
               </mbean>

             

            I'm trying to use the same certificate, so I was assuming that the encryption algorithm would be the same, but maybe not?

             

EDIT: actually the error was "java.io.IOException: ${rhq.server.tomcat.security.algorithm} KeyManagerFactory not available" and I've also tried IbmX509.
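The error quoted above comes from the name that the `*.security.algorithm` property is handed to `KeyManagerFactory.getInstance()`. The following probe is an added example written for this thread (it is not code from the post, from RHQ/Jopr or from Tomcat); it lists which of several candidate names the running JVM accepts as a key-manager algorithm and, when given a path and password, loads a PKCS12 file with one of them. The candidate list, the class name and the command-line arguments are assumptions of the example.

```java
import java.io.FileInputStream;
import java.io.InputStream;
import java.security.KeyStore;
import java.security.NoSuchAlgorithmException;
import java.util.ArrayList;
import java.util.Arrays;
import java.util.List;
import javax.net.ssl.KeyManagerFactory;

/**
 * Probes which names this JVM accepts as a KeyManagerFactory algorithm
 * (the value behind rhq.*.security.*.algorithm) and, optionally, loads a
 * PKCS12 keystore with one of them.  Added illustration, not RHQ/Jopr code.
 */
public class KeyManagerAlgorithmProbe {

    /** Returns the candidates that KeyManagerFactory.getInstance() accepts on this JVM. */
    static List<String> availableKeyManagerAlgorithms(String... candidates) {
        List<String> accepted = new ArrayList<String>();
        for (String name : candidates) {
            try {
                KeyManagerFactory.getInstance(name);
                accepted.add(name);
            } catch (NoSuchAlgorithmException e) {
                // Same condition Tomcat reports as "<name> KeyManagerFactory not available".
            }
        }
        return accepted;
    }

    /**
     * Loads a PKCS12 file and initialises a KeyManagerFactory from it, which is what
     * Tomcat does with keystore.file / keystore.type / keystore.password / algorithm.
     * Store and key password are passed separately; older JDKs require them to be
     * identical for PKCS12, so passing the store password for both is the safe default.
     */
    static KeyManagerFactory keyManagersFromPkcs12(String path, char[] storePass,
                                                   char[] keyPass, String algorithm) throws Exception {
        KeyStore ks = KeyStore.getInstance("PKCS12");
        InputStream in = new FileInputStream(path);
        try {
            ks.load(in, storePass);
        } finally {
            in.close();
        }
        KeyManagerFactory kmf = KeyManagerFactory.getInstance(algorithm);
        kmf.init(ks, keyPass);
        return kmf;
    }

    public static void main(String[] args) throws Exception {
        String[] candidates = {
            KeyManagerFactory.getDefaultAlgorithm(), // SunX509 on Oracle/OpenJDK, IbmX509 on IBM JDKs
            "SunX509", "IbmX509", "PKIX",
            "PBEwithMD5andDES"                       // a PBE cipher name; never a KeyManagerFactory algorithm
        };
        System.out.println("Candidates: " + Arrays.toString(candidates));
        System.out.println("Accepted:   " + availableKeyManagerAlgorithms(candidates));

        // Optional: java KeyManagerAlgorithmProbe /path/to/certificate.p12 <password> [algorithm]
        if (args.length >= 2) {
            String algorithm = args.length > 2 ? args[2] : KeyManagerFactory.getDefaultAlgorithm();
            char[] password = args[1].toCharArray();
            KeyManagerFactory kmf = keyManagersFromPkcs12(args[0], password, password, algorithm);
            System.out.println("Loaded " + kmf.getKeyManagers().length
                    + " key manager(s) using " + algorithm);
        }
    }
}
```

The point the probe makes: `PBEwithMD5andDES` is the password-based cipher that the JaasSecurityDomain MBean uses to protect a stored keystore password, so it is never a valid key-manager algorithm. The keystore format (`keystore.type=PKCS12`) and the key-manager algorithm are independent settings, and `KeyManagerFactory.getDefaultAlgorithm()` resolves to the vendor's name (`IbmX509` on an IBM JDK, `SunX509` elsewhere), which is why `IbmX509` is the one that works in this thread.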

            • 3. Re: Using pkcs12 certificates for SSL Security Configuration
              mspbrst2

              I solved my problem.  I did in fact need to use IbmX509 as the algorithm.  I had some of the truststore stuff commented out and that was causing my errors.

               

              While I'm on the topic though, why does jopr require the truststore information to exist?

              • 4. Re: Using pkcs12 certificates for SSL Security Configuration
                mazz

                You only need the truststores if you require authentication. If you only care about encryption, you do not need them. This is talked about here: http://rhq-project.org/display/JOPR2/Securing+Communications#SecuringCommunications-Authentication

                That's what these settings are all about:

                 

                ...client-auth-mode
                ...server-auth-mode-enabled

                 

                "Client auth mode" set to true means incoming requests from a remote endpoint (i.e. a "client") will only be allowed if that client has a valid SSL certificate that is authenticated in your truststore.

                 

                "Server auth mode enabled" set to true means outgoing messages will only be sent to the remote endpoint (i.e. the "server") if that server has a valid SSL certificate that is authenticated in your truststore.

                 

You should not need truststores if both of those are false because you aren't asking to authenticate the remote endpoints' SSL certificates. You always need a keystore when using secure SSL comm because it's the keystore that has the data necessary to encrypt/decrypt the traffic - i.e. without a keystore and its enclosing certificate, you can't even do encryption.

                 

                That said, I'm not sure what Tomcat does if you don't provide some sort of truststore. You could just use a copy of your keystore as your truststore just to make Tomcat happy (even if you aren't using ssl auth, it might still want to be given a valid truststore, I'm not sure).

                • 5. Re: Using pkcs12 certificates for SSL Security Configuration
                  mazz

sorry - I misspoke about client-auth-mode. The valid values are "none", "want", "need".


"need" means you require the remote endpoint to have a valid SSL cert in your truststore. "want" means "if the remote endpoint has a cert, make sure it's authenticated; if the user is anonymous, allow the user". "none" means no authentication is required.

                  • 6. Re: Using pkcs12 certificates for SSL Security Configuration
                    mspbrst2

                    John Mazzitelli wrote:

                     

                    You only need the truststores if you require authentication. If you only care about encryption, you do not need them. This is talked about here: http://rhq-project.org/display/JOPR2/Securing+Communications#SecuringCommunications-Authentication

                    That's what these settings are all about:

                     

                    ...client-auth-mode
                    ...server-auth-mode-enabled

                     

                    "Client auth mode" set to true means incoming requests from a remote endpoint (i.e. a "client") will only be allowed if that client has a valid SSL certificate that is authenticated in your truststore.

                     

                    "Server auth mode enabled" set to true means outgoing messages will only be sent to the remote endpoint (i.e. the "server") if that server has a valid SSL certificate that is authenticated in your truststore.

                     

You should not need truststores if both of those are false because you aren't asking to authenticate the remote endpoints' SSL certificates. You always need a keystore when using secure SSL comm because it's the keystore that has the data necessary to encrypt/decrypt the traffic - i.e. without a keystore and its enclosing certificate, you can't even do encryption.

                     

                    That said, I'm not sure what Tomcat does if you don't provide some sort of truststore. You could just use a copy of your keystore as your truststore just to make Tomcat happy (even if you aren't using ssl auth, it might still want to be given a valid truststore, I'm not sure).

Well, just to add to what you have said, I think Tomcat does require some sort of truststore.  I have the client-auth-mode and server-auth-mode-enabled set as follows:

                    rhq.server.tomcat.security.client-auth-mode=false

                    rhq.communications.connector.security.client-auth-mode=none

                    rhq.server.client.security.server-auth-mode-enabled=false

                     

When I remove the truststore information for the non-Tomcat sections, everything seems to work fine, but when I remove the truststore information for Server-side SSL for HTTPS through Tomcat, it complains and gives me the following error:

                    java.io.IOException:  Exception trying to load keystore  ${rhq.server.tomcat.security.truststore file}: KeyStore  ${rhq.server.tomcat.security.truststore.type} implementation not found.

                     

                    My fix was to create an empty truststore and provide it that information.

                     

                    Anyway, thanks John, you've been a big help.

                     

                    Regards,

                    Steven
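The two things settled in replies 5 and 6, what "none", "want" and "need" mean and the empty-truststore workaround, map directly onto JSSE. The class below is an added example written for this thread (not code from the posts, from RHQ/Jopr or from Tomcat): it writes an empty truststore of a chosen type and shows which server-socket flags each client-auth-mode value sets. The class name, the temp-file location and the `changeit` password are assumptions of the example; the socket is bound to a free port only to read the flags back, no handshake takes place, so no keystore is needed to run it.

```java
import java.io.File;
import java.io.FileOutputStream;
import java.io.OutputStream;
import java.security.KeyStore;
import javax.net.ssl.SSLServerSocket;
import javax.net.ssl.SSLServerSocketFactory;

/**
 * Shows what the three client-auth-mode values mean at the JSSE level and how to
 * produce the empty truststore described in the thread.  Added illustration, not RHQ/Jopr code.
 */
public class ClientAuthModeDemo {

    /** Writes an empty truststore of the given type (JKS or PKCS12) so a server has a file to load. */
    static KeyStore writeEmptyTrustStore(File file, String type, char[] password) throws Exception {
        KeyStore ts = KeyStore.getInstance(type);
        ts.load(null, null);                       // null stream: start with an empty store
        OutputStream out = new FileOutputStream(file);
        try {
            ts.store(out, password);
        } finally {
            out.close();
        }
        return ts;                                 // ts.size() == 0: nothing is trusted yet
    }

    /** Maps none / want / need onto the two JSSE flags. */
    static void applyClientAuthMode(SSLServerSocket socket, String mode) {
        if ("need".equalsIgnoreCase(mode)) {
            // Handshake fails unless the client presents a cert that chains to the truststore.
            socket.setNeedClientAuth(true);
        } else if ("want".equalsIgnoreCase(mode)) {
            // Cert is requested; if one is presented it must verify, otherwise the client stays anonymous.
            socket.setWantClientAuth(true);
        } else if ("none".equalsIgnoreCase(mode)) {
            // Clears both flags (setNeedClientAuth overrides any earlier setWantClientAuth).
            socket.setNeedClientAuth(false);
        } else {
            throw new IllegalArgumentException("unknown client-auth-mode: " + mode);
        }
    }

    public static void main(String[] args) throws Exception {
        File trustFile = File.createTempFile("empty", ".truststore");
        KeyStore ts = writeEmptyTrustStore(trustFile, "JKS", "changeit".toCharArray()); // constructed password
        System.out.println(trustFile + " written, entries: " + ts.size());

        // Port 0 = any free port; no handshake happens, so no key material is needed here.
        SSLServerSocket socket =
                (SSLServerSocket) SSLServerSocketFactory.getDefault().createServerSocket(0);
        try {
            for (String mode : new String[] {"none", "want", "need"}) {
                applyClientAuthMode(socket, mode);
                System.out.printf("%-4s -> needClientAuth=%b wantClientAuth=%b%n",
                        mode, socket.getNeedClientAuth(), socket.getWantClientAuth());
            }
        } finally {
            socket.close();
        }
        trustFile.delete();
    }
}
```

Two practical consequences follow from the mapping. An empty truststore is exactly equivalent to "none" for client authentication, since no certificate can chain to it, so it is a safe way to satisfy Tomcat's requirement for a loadable file; if the mode is later changed to "want" or "need", the agent CA certificate has to be imported into that file or every client handshake will fail. And `server-auth-mode-enabled=false` on the client side means the server never checks the agent's certificate: the traffic is encrypted, but the peer is unauthenticated, so switching to "need" plus a populated truststore on both sides is what turns the link from encrypted into mutually authenticated.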