0 votes

My colleague set up a (Bluemix) secure gateway using mutual auth for our project to use. He tested it with Ruby and CURL and it works fine. but when configuring my Liberty server to use it, I am running in to many issues.

I used the instructions found here.

Basically...

To create a key store for the client, enter the following command. In the following example, sg_key.p12 is created.

openssl pkcs12 -export -in "[client]_cert.pem" -inkey "[client]_key" -out "sg_key.p12" -name BmxCliCert -noiter -nomaciter -password pass:<password>

Which creates a PKCS12 store. (I use this in server.xml below)

I then added the certs into my keystore.

I then changed my server.xml to have a trust store as referenced in my

<ldapRegistry baseDN="o=ibm.com" host="bluepages.ibm.com" id="bluepages" ignoreCase="true" 
    ldapType="IBM Tivoli Directory Server" port="636" realm="w3" sslEnabled="true" sslRef="SSLSettings">

    <idsFilters groupFilter="(&amp;(cn=%v)(objectclass=groupOfUniqueNames))" groupIdMap="*:cn" groupMemberIdMap="groupOfUniqueNames:uniquemember" userFilter="(&amp;(emailAddress=%v)(objectclass=person))" userIdMap="*:emailAddress"/>

</ldapRegistry>

<ssl id="SSLSettings" keyStoreRef="defaultKeyStore" trustStoreRef="defaultTrustStore"/>     

<keyStore id="defaultKeyStore" password="xxxxxx" 
    location="${server.output.dir}/resources/security/key.jks"/>

<keyStore id="defaultTrustStore"
    location="${server.output.dir}/resources/security/sg_key.p12"
    type="PKCS12" password="xxxxxx" />

Here's issue #1

When I add the trust store, I can no longer authenticate via my LDAP server. It just says invalid user or password. I remove the trust store.. and I can authenticate again. So adding the truststore has some type of effect.

Issue #2. When I remove my LDAP server and just use basic user registry... I can log in.. but when I try and use the secure gateway, I get..

[err] javax.net.ssl.SSLHandshakeException: Received fatal alert: handshake_failure

I have imported the certificate from the secure gateway so not sure why I get this?

So two issues.. Using a truststore.. I can no longer auth via LDAP... and second.. cannot connect to the secure gateway even after importing all certs...

Anyone had success using Bluemix with a Secure Gateway (Mutual Auth) from Java?

Requested info (edited)

Enter Import Password:
MAC Iteration 2048
MAC verified OK
PKCS7 Encrypted data: pbeWithSHA1And40BitRC2-CBC, Iteration 2048
Certificate bag
Bag Attributes
    friendlyName: portal
    localKeyID: 5F A0 D5 5D 68 C5 39 65 7D 24 D7 78 9B CD 7D 01 FB 1B 00 6D 
subject=/ST=NC/C=US/L=RTP/O=IBM Corporation/OU=SWG/CN=*.integration.ibmcloud.com
issuer=/ST=NC/C=US/L=RTP/O=IBM Corporation/OU=SWG/CN=*.integration.ibmcloud.com
-----BEGIN CERTIFICATE-----
INFO
4Q==
-----END CERTIFICATE-----
PKCS7 Data
Shrouded Keybag: pbeWithSHA1And3-KeyTripleDES-CBC, Iteration 2048
Bag Attributes
    friendlyName: portal
    localKeyID: 5F A0 D5 5D 68 C5 39 65 7D 24 D7 78 9B CD 7D 01 FB 1B 00 6D 
Key Attributes: <No Attributes>
Enter PEM pass phrase:
Verifying - Enter PEM pass phrase:
-----BEGIN ENCRYPTED PRIVATE KEY-----
INFO
-----END ENCRYPTED PRIVATE KEY-----
Can you please use ikeyman or a command line tool to display the signer certificates added correctly to sg_key.p12? It seems like something is wrong with your trust store file. - M. Tamboli
Hi, Thanks.. Added info above. Extracted via openSSL - James
You've replaced your truststore. You may want to keep it and add/import the new certificate in it (to the default jks keystore) - gusto2
Tx Gabriel... Not sure I follow... I have a keystore and a trust store. The PKCS12 one being what was created from openSSL.. The keystore -- my original. I must be missing something? tx! - James
Looks like I had my key and trust stores mixed up... I can now login using my LDAP server again.. Now I am stuck at the handshake failure. Does this not mean that the servers cannot agree on a CIPHER to use? - James

1 Answer

0 votes

Finally got this to work.

previous code..

. . . .

connection = (HttpsURLConnection) url.openConnection();

Where url was the URL of the Secure Gateway.

Added before this...

import java.io.FileInputStream;
import java.security.KeyStore;
import java.security.SecureRandom;
import javax.net.ssl.HttpsURLConnection;
import javax.net.ssl.KeyManager;
import javax.net.ssl.KeyManagerFactory;
import javax.net.ssl.SSLContext;
import javax.net.ssl.TrustManager;
import javax.net.ssl.TrustManagerFactory;

// Client key store: the PKCS12 file built with openssl, holding the client cert and its private key.
// KEY_STORE_PATH is the path of that file.
KeyStore clientStore = KeyStore.getInstance("PKCS12");
clientStore.load(new FileInputStream(KEY_STORE_PATH), "xxxxxx".toCharArray());
KeyManagerFactory kmf = KeyManagerFactory.getInstance(KeyManagerFactory.getDefaultAlgorithm());
kmf.init(clientStore, "xxxxxx".toCharArray());
KeyManager[] kms = kmf.getKeyManagers();

// Trust store: a JKS file holding the Secure Gateway's signer certificate(s).
// TRUST_STORE_PATH is the path of that file.
KeyStore trustStore = KeyStore.getInstance("JKS");
trustStore.load(new FileInputStream(TRUST_STORE_PATH), "xxxxxx".toCharArray());
TrustManagerFactory tmf = TrustManagerFactory.getInstance(TrustManagerFactory.getDefaultAlgorithm());
tmf.init(trustStore);
TrustManager[] tms = tmf.getTrustManagers();

// SSLContext that presents the client certificate and verifies the gateway's certificate.
SSLContext sslContext = SSLContext.getInstance("TLS");
sslContext.init(kms, tms, new SecureRandom());
HttpsURLConnection.setDefaultSSLSocketFactory(sslContext.getSocketFactory());

connection = (HttpsURLConnection) url.openConnection();

Now it works... tx

Some good info in this thread.. LINK
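Both problems in this thread come down to which store plays which role: the PKCS12 file built with openssl carries the private key and must be the key store, while the trust store only needs the gateway's signer certificates. The following is an added example, not code from the question, the answer or IBM's documentation. It inspects both stores before building the SSLContext, so a store that is in the wrong role (no private key on the client side, no signer certificates on the trust side) fails with a clear message instead of a bare handshake_failure, and it applies the socket factory to one connection rather than changing the JVM-wide default. The file names sg_key.p12 and sg_trust.jks, the password "xxxxxx" and the gateway URL are assumed placeholders.

```java
import java.io.FileInputStream;
import java.io.IOException;
import java.io.InputStream;
import java.net.URL;
import java.security.GeneralSecurityException;
import java.security.KeyStore;
import java.security.SecureRandom;
import java.util.Collections;
import javax.net.ssl.HttpsURLConnection;
import javax.net.ssl.KeyManagerFactory;
import javax.net.ssl.SSLContext;
import javax.net.ssl.TrustManagerFactory;

/** Added example: mutual TLS client that verifies the roles of its key store and trust store first. */
public class MutualTlsClient {

    /** What a store contains; a key store needs private keys, a trust store needs trusted certs. */
    public static final class StoreSummary {
        public final int privateKeyEntries;   // key entries that also carry a certificate chain
        public final int trustedCertEntries;  // signer / trusted certificate entries
        StoreSummary(int keys, int certs) { privateKeyEntries = keys; trustedCertEntries = certs; }
    }

    /** Loads a store of the given type ("PKCS12" or "JKS") from disk. */
    public static KeyStore load(String path, String type, char[] password)
            throws GeneralSecurityException, IOException {
        KeyStore ks = KeyStore.getInstance(type);
        try (InputStream in = new FileInputStream(path)) {
            ks.load(in, password);
        }
        return ks;
    }

    /** Counts usable private-key entries and trusted-certificate entries in a store. */
    public static StoreSummary summarize(KeyStore ks) throws GeneralSecurityException {
        int keys = 0, certs = 0;
        for (String alias : Collections.list(ks.aliases())) {
            if (ks.isKeyEntry(alias) && ks.getCertificateChain(alias) != null) {
                keys++;   // a private key with its chain: can be presented as a client cert
            } else if (ks.isCertificateEntry(alias)) {
                certs++;  // a trusted signer: can verify the peer's certificate
            }
        }
        return new StoreSummary(keys, certs);
    }

    /** Builds the SSLContext, refusing stores that are in the wrong role. */
    public static SSLContext buildContext(KeyStore clientStore, char[] keyPassword, KeyStore trustStore)
            throws GeneralSecurityException {
        StoreSummary client = summarize(clientStore);
        if (client.privateKeyEntries == 0) {
            // Without a private key no client certificate is sent, and a server that
            // requires mutual auth answers with a handshake_failure alert.
            throw new IllegalStateException("client store holds no private key; is it really the trust store?");
        }
        StoreSummary trust = summarize(trustStore);
        if (trust.trustedCertEntries == 0) {
            throw new IllegalStateException("trust store holds no signer certificates; the gateway cannot be verified");
        }
        KeyManagerFactory kmf = KeyManagerFactory.getInstance(KeyManagerFactory.getDefaultAlgorithm());
        kmf.init(clientStore, keyPassword);
        TrustManagerFactory tmf = TrustManagerFactory.getInstance(TrustManagerFactory.getDefaultAlgorithm());
        tmf.init(trustStore);
        SSLContext ctx = SSLContext.getInstance("TLS");
        ctx.init(kmf.getKeyManagers(), tmf.getTrustManagers(), new SecureRandom());
        return ctx;
    }

    public static void main(String[] args) throws Exception {
        char[] pw = "xxxxxx".toCharArray();                       // assumed password
        KeyStore clientStore = load("sg_key.p12", "PKCS12", pw);   // openssl-built client store (assumed name)
        KeyStore trustStore = load("sg_trust.jks", "JKS", pw);     // gateway signer certs (assumed name)
        SSLContext ctx = buildContext(clientStore, pw, trustStore);

        URL url = new URL("https://GATEWAY_HOST:GATEWAY_PORT/");  // placeholder for the Secure Gateway URL
        HttpsURLConnection connection = (HttpsURLConnection) url.openConnection();
        // Per-connection factory: other HTTPS clients in the same JVM keep their own trust settings.
        connection.setSSLSocketFactory(ctx.getSocketFactory());
        System.out.println("HTTP " + connection.getResponseCode());
    }
}
```

Running summarize() on the question's server.xml stores shows the mix-up directly: the PKCS12 file reports private key entries and no trusted certs, which is why it belongs under keyStoreRef rather than trustStoreRef, and a trust store that reports no trusted certs explains both the LDAP login failure and the gateway handshake failure.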