I have a standalone Tomcat application with CRaSH shell library embedded.
I can successfully connect to the application via telnet but I am struggling with ssh.
Here is my crash.properties config :
# Key authentication
crash.auth=key
crash.auth.key.path=/usr/share/tomcat8/conf/id_rsa.pem
# SSH configuration
crash.ssh.port=2000
I have generated a ssh keypair via ssh-keygen, then I created a pem file via openssl rsa -in id_rsa -outform pem -pubout > id_rsa.pem command.
Whatever the ssh key used, I have the error when I try to connect via ssh -i /usr/share/tomcat8/conf/id_rsa -p 2000 myserver.example.com command :
Permission denied (publickey).
I have tried the solution described here but without success. I have also tried to put the id_rsa.pem key in my war /WEB-INF/sshd folder. Same result.
Any clue ?
After debugging, I notice that org.crsh.auth.KeyAuthenticationPlugin was comparing the authorized key and the key given at login, and they were identical but the method authenticate was always returning false (bad authentication). After fixing the bug, I realized that it was already declared here and a pull request was available the same way.
Related
I read almost all resources, tried everything I could get my hands on which would seem to be duplicate on this website but have no luck to make it work.
The following works when running in IntelliJ on a windows machine but failed when running as a JAR compiled with Maven on Ubuntu. It would seem to me as if it cannot find the file.
8443 is free, there are no firewall.
I tried the long path as well but not working (server.ssl.keystore=file:/home/###/Documents/keystoref.p12
)
server.ssl.key-alias=tomcat
server.ssl.key-store-type=PKCS12
server.ssl.key-store-password=###
server.ssl.key-store=classpath:keystoref.p12
server.port=8443
server.ssl.enabled=true
***************************
APPLICATION FAILED TO START
***************************
Description:
The Tomcat connector configured to listen on port 8443 failed to start. The port may already be in use or the connector may be misconfigured.
Action:
Verify the connector's configuration, identify and stop any process that's listening on port 8443, or configure this application to listen on another port.
I am also unsure what private key to use. Should I use the private key which helps to generate the CSR which I had to convert into p12
Generating CSR
Or should I use the p12 generated from the mix of my private key and the 'certificate.crt' I received in email as per this previous answer. I would think the private key is linked to the certificate anyway so that should make no difference?
openssl pkcs12 -export -in <mycert.crt> -inkey <mykey.key> -out keystore.p12 -name <alias>
Similar issue
You mentioned that you tried
server.ssl.keystore=file:/home/###/Documents/keystoref.p12
Did you try using:
server.ssl.key-store=file:/home/###/Documents/keystoref.p12 ?
I was not able to locate the issue with this problem. I started a fresh project and built on it and never encountered this issue again, so on my end this issue is being closed. Also the first key used to generate the CSR works just fine.
Update
The issue came from the spring version on pom.xml for whatever reason, once changed from
<groupId>org.springframework.boot</groupId>
<artifactId>spring-boot-starter-parent</artifactId>
<version>2.1.9.RELEASE</version>
to version 2.3.1.RELEASE it worked fine.
I am new in JAVA, Consuming web service(.wsdl) in Web Service Client project. I import the client certificate in java cacerts store in jrd. My code is as follows:
System.setProperty("javax.net.ssl.trustStore","[PATH]/cacerts.jks");
System.setProperty("javax.net.ssl.trustStorePassword","changeit");
ServicesProxy service = new ServicesProxy();
ServiceRequest request = new ServiceRequest(1498);
ServiceResponse response = service.getDetails(request);
I'm failed to handshake, I am getting the following exception:
javax.net.ssl.SSLHandshakeException: sun.security.validator.ValidatorException:
PKIX path building failed:
sun.security.provider.certpath.SunCertPathBuilderException:
unable to find valid certification path to requested target
I have no clue why there is an exception. Any help will be appreciated.
You probably have to add the key chain in the certificate (PEM format).
CA Root -> Intermediate Cert -> Cert.
Or the certificate cannot be found in the keystore, do you use the correct alias etc.
And I do not recognize the SOAP JAX-WS implementation you use.
Not a solution to your problem, but maybe it helps to find it:
You can start your client with the VM parameter -Djavax.net.debug=all which will give you a lot of information about the SSL connection.
Check here for details about the output:
https://docs.oracle.com/javase/7/docs/technotes/guides/security/jsse/ReadDebug.html
Use -Djavax.net.ssl.trustStore property directly instead.
One more thing the server you use in that also u need to place the jks for handshake.
For example server is JBoss then bin
I guess your cacert is not correct or the path is unaccessible. I followed the instructions given here
Use SSL Poke to verify connectivity
Download SSLPoke.class
Execute the class as follows, changing the URL and port:
$JAVA_HOME/bin/java SSLPoke yoururl 443
A successful connection would look like this:
$JAVA_HOME/bin/java SSLPoke yoururl 443
Successfully connected
Try to use a different truststore to connect
$JAVA_HOME/bin/java -Djavax.net.ssl.trustStore=[PATH]/cacerts.jks SSLPoke yoururl 443
If it fails the truststore does not contain the proper certificates.
How to solve it
The solution is extracted from here
Fetch the certificate again from the server:
openssl s_client -connect yoururl:443
You need openssl. Save the output to a file called public.crt. This is how your file should look like:
-----BEGIN CERTIFICATE-----
< Bunch of lines of your certificate >
-----END CERTIFICATE-----
Import the certificate:
$JAVA_HOME/bin/keytool -import -alias -keystore $JAVA_HOME/jre/lib/security/cacerts -file public.crt
Enter the password if prompted (the default is changeit)
Recommendation
In the same post it is not recommended to use a configured trustStore different than the JVM cacert because then java could not access other root certificates.
This is a quite common error while dealing with soap services over SSL, I've had it a few times.
Your certificate may not be correctly installed in your truststore.
You can use openssl to check and install the correct certificate in the truststore, as explained here
Hi Looks like certificates are not imported correctly or path used in code not pointing to correct keystore.
I hope following steps in below article will help you.
http://magicmonster.com/kb/prg/java/ssl/pkix_path_building_failed.html
I have a Spring Boot application (version 2.1.1) using Postgresql 9.6 as database.
I have to connect to the db via SSL with sslmode=verify-ca.
What I have done till now is to set in the Application.properties file the property
spring.datasource.url=jdbc:postgresql://`url`:`port`/`db`?
ssl=true&
sslmode=verify-ca&
sslcert=`path_to_client_cert`&
sslkey=`path_to_client_key`&
sslrootcert=`path_to_ca_cert`
Is there a way to specify the ssl properties in some others spring properties and not in the connection url?
Also, there is the possibility to specify relative paths for the certificates instead of using the absolute paths?
I used a relative path for a certificate I placed in src/main/resources and that worked just fine:
jdbc:postgresql://db_host:db_port/db_name?
sslmode=require&
sslrootcert=`my_root_certificate.crt`
It appears the URL is the only place to specify these parameters. You could do interpolation with environment variables as well.
I was not able to get it working with org.postgresql.ssl.NonValidatingFactory
I appended ?sslmode=verify-full to the end of the connection string.
By default it will use org.postgresql.ssl.LibPQFactory
By default it will look for certificates under $HOME/.postgresql/ as follows:
org.postgresql.PGProperty.SSL_ROOT_CERT; root.crt
org.postgresql.PGProperty.SSL_CERT; postgresql.crt
org.postgresql.PGProperty.SSL_KEY; postgresql.pk8
To convert your private key to pk8 format:
openssl pkcs8 -topk8 -inform PEM -outform DER -in postgresql.key -out postgresql.pk8 -nocrypt
If you are using GCP, Please follow the below process to connect cloudsql-postgres with spring boot.
I was able to solve it.
Create the DB in cloud and create client certifcates.
Allow SSL connections only" should be configured in the GCP DB.
GCP provides you with 3 things client-cert.pem client-key.pem server-ca.pem
The client key must be converted to pk8 with the following command:
sudo openssl pkcs8 -topk8 -inform PEM -outform DER -in client-key.pem -out client-key.pk8 -nocrypt
These files must be saved somewhere in the server that is running TB, the folder I used was /root/pgcerts/ since I was already using it for something else (This folder was created by me)
Privileges must be given:
chmod o+r /root/pgcerts/client-key.pk8
In the POSTGRESQL section in the file application.properties the following information must be used.
database=postgresql
spring.jpa.properties.hibernate.dialect = org.hibernate.dialect.PostgreSQLDialect
spring.jpa.database-platform= org.hibernate.dialect.PostgreSQLDialect
spring.jpa.hibernate.show-sql= true
spring.datasource.username= <username>
spring.datasource.password= <password>
spring.sql.init.mode=always
spring.datasource.url= jdbc:postgresql://DATABASEIP:5432/postgres?sslmode=require&sslrootcert=/root/pgcerts/server-ca.pem&sslcert=/root/pgcerts/client-cert.pem&sslkey=/root/pgcerts/client-key.pk8
I followed a guide to enable https in Spring Boot. The application was beforehand working on https://localhost:8080
I've created a keystore.jks which is in the same directory as my application.properties, which now looks like:
# Define a custom port instead of the default 8080
server.port = 8444
# Tell Spring Security (if used) to require requests over HTTPS
security.require-ssl=true
# The format used for the keystore
server.ssl.key-store-type:PKCS12
# The path to the keystore containing the certificate
server.ssl.key-store=keystore.p12
# The password used to generate the certificate
server.ssl.key-store-password=<somepassword>
# The alias mapped to the certificate
server.ssl.key-alias=tomcat
Now, if I run the main method to start the spring boot app, it throws:
Description:
The Tomcat connector configured to listen on port 8444 failed to start. The port may already be in use or the connector may be misconfigured.
Action:
Verify the connector's configuration, identify and stop any process that's listening on port 8444, or configure this application to listen on another port.
The port isn't in use, so it must be misconfiguration?
I'm unsure of what to change. It's a simple SPA app, Spring just serves an index.html and has a single REST endpoint. How should tomcat/spring be configured to accept https in this case, and start up without errors?
I too had the same problem and was able to fix it. My problem was generating the keystore.p12 file.
If you have a certificate file and private key file, you can generatekeystore.p12 file using following command.
openssl pkcs12 -export -in <mycert.crt> -inkey <mykey.key> -out keystore.p12 -name <alias>
You will be prompted for a password,there you can enter a password you like.
Once the keystore file is generated copy it to the directory where your .jar file exist.
Following is a working example configuration.
server.port=8443
security.require-ssl=true
server.ssl.key-store-type=PKCS12
server.ssl.key-store=file:keystore.p12
server.ssl.key-store-password=<password>
server.ssl.key-alias=<alias>
Note the key store file path file:keystore.p12 if it is going to reside in the same directory as the executable .jar file.
I solved the same issue by using the following configuration
# Define a custom port instead of the default 8080
server.port=8443
# Tell Spring Security (if used) to require requests over HTTPS
security.require-ssl=true
# The format used for the keystore
server.ssl.key-store-type=PKCS12
# The path to the keystore containing the certificate
server.ssl.key-store=src/main/resources/keystore.p12
# The password used to generate the certificate
server.ssl.key-store-password=root0
I removed alias name and it worked perfectly.
"You probably won't need a key alias, since there will only be one key entry" referred from
TOMCAT SSL Error: Alias name does not identify a key entry
From Spring Boot 2.0 and higher, you can ignore this property.
security.require-ssl=true
To enable SSL, use the below configuration in your application.properties
The format used for the keystore
server.ssl.key-store-type=JKS
The path to the keystore containing the certificate
server.ssl.key-store=classpath:somecert.jks
The password used to generate the certificate
server.ssl.key-store-password=password
The alias mapped to the certificate
server.ssl.key-alias=alias_name
Note : server.ssl.key-store refers to the keystore location. Use
classpath prefix, if it is present in src/main/resources. Otherwise use,
file:/some/location.
I had the same issue as well but in my case the file path (in application.properties) for keystore file was incorrect on Linux and causing this error message.
I had same problem. for me server.ssl.key-alias was set to a wrong key. So, it sounds that some server mis-configurations in application.properties can cause this error message to appear.
I am having difficulty connecting to mongo v2.6 using x509 certificates for authentication from Java/Groovy. I have built mongo with ssl and feel I have it configured correctly.
Our project has two applications that connect to Mongo - one written in NodeJS and one written in Java/Groovy. The NodeJS project is successfully able to authenticate using an X509 Certificate and query. Additionally, I am able to shell into mongo by specifying ssl and providing the PEM file on the command line. However, I am unable to connect to mongo using the Java Mongo Driver. I would greatly appreciate some assistance and here are the steps I have taken thus far:
Building MongoDB 2.6 to run with ssl using SCONS:
I have downloaded the 2.6 release of MongoDB from the mongodb github page
Then, built it with scons to include ssl
scons --64 --dd --ssl all
scons --ssl --prefix=/opt/mongo install
Generating Keys for Mongo::
I generated the following keys/certs
openssl req -new -newkey rsa:1024 -nodes -out myMongo.req -keyout myMongo.key -subj "/C=US/ST=myState/CN=myMongo/OU=myUnit/L=myLocation" -days 36500
openssl x509 -CA myCA.pem -CAkey myCa.key -CAserial myCa.srl -req -in myMongo.req -out myMongo.pem -days 36500
This gives me the following files:
myMongo.key ( Containing a private key )
myMongo.pem ( Containing a certificate )
myMongo.req ( Containing a certificate request ) (I'm not sure if I need this one, and haven't used it yet )
In compliance with the mongo instructions, I concatenated the key and certificate together into 1 file
cat myMongo.key myMongo.pem > combined.pem
Following the mongo instructions for x509 configuration:
http://docs.mongodb.org/manual/tutorial/configure-x509/
openssl x509 -in combined.pem -inform PEM -subject -nameopt RFC2253
which gives me the subject: "C=US,ST=myState,CN=myMongo,OU=myUnit,L=myLocation"
I then add that subject to the users on the database
db.getSiblingDB("$external").runCommand(
{
createUser: "C=US,ST=myState,CN=myMongo,OU=myUnit,L=myLocation",
roles: [
{ role: 'readWrite', db: 'mydbName' },
{ role: 'userAdminAnyDatabase', db: 'admin' }
],
writeConcern: { w: "majority" , wtimeout: 5000 }
}
)
In my mongod.conf file, I specify the following options:
sslMode = requireSSL
sslPEMKeyFile = /path/to/my/combined.pem
sslCAFile = /path/to/myCA.pem
At this point, I can launch
mongod --config /path/to/my/mongod.conf
after launching, I can only access the shell by specifying
mongo --ssl -- sslPEMKeyFile /path/to/my/combined.pem
Connecting to MongoDB from Java-Mongo-Driver version 2.12.0
I'm trying to follow the example given on the java-mongo-driver github page:
"https://github.com/mongodb/mongo-java-driver/blob/master/src/examples/example/X509CredentialsExample.java"
The code fails with an exception which we will offer up below, but it seems pretty strange that you would attempt to connect by just providing the DN in string format rather than actually attaching a certificate to the request. Doesn't that defeat the entire purpose of X509 to begin with? We looked at the Ruby example and they attach a pem file. My team understands java keystores and truststores, and will happily send that pem file along its merry way if that's what we're supposed to be doing. Additionally, when using the node driver we're absolutely specifying the location of the PEM file.
The final result is this. We can instantiate the MongoClient just fine, and we can even get a collection using the db object. When we attempt to query any collection in any way, we get back an exception whose message is "Unable to connect to any server."
It seems logical that the MongoClientOptions.Builder would allow us to add this information as that seems to be how it's done elsewhere. But we did an introspection of the class just in case it was missing from the documentation, and there's nothing in there that relates to x509 as far as we can tell.
I appreciate your help.
In the example that you linked to, note that it's just using SSLSocketFactory.getDefault(), which relies on the JDK-defined system properties for specifying keystores and truststores, e.g
javax.net.ssl.keyStoreType=pkcs12
javax.net.ssl.keyStore=/path/to/pkc
javax.net.ssl.keyStorePassword=
javax.net.ssl.trustStoreType=jks
javax.net.ssl.trustStore=/path/to/truststore
javax.net.ssl.trustStorePassword=
You have to add your client certificate to the keystore and the signing authority's certificate for the MongoDB server to the truststore.