I'm a novice to SSL certifications. I created a web service with Java on a cloud WebSphere Liberty server. I also created certificates by adding the following tags to server.xml
<featureManager>
<feature>webProfile-7.0</feature>
<feature>localConnector-1.0</feature>
<feature>ssl-1.0</feature>
</featureManager>
<keyStore id="defaultKeyStore" location="squery.keystore" type="JCEKS" password="forget1t"/>
However, when my application which is hosted on a different server makes a request to the websphere server, it gets an error Failed to load resource: net::ERR_INSECURE_RESPONSE
I also tried to open the websphere server by Google Chrome, and it responded with NET::ERR_CERT_AUTHORITY_INVALID. What was I missing with the configuration? I really could not find any documents about that. Thanks
Related
I am trying to setup SSO using Azure AD. Our aplication is a spring boot application deployed on Amazon ECS.
For this I have refered https://dummybot.medium.com/saml-integration-with-spring-boot-spring-security-microsoft-azure-ad-b9610bdb78b9, which uses Spring Security SAML2 with Spring Boot.
In our case the application exposes the port 8080 from docker container and doesn't have its own SSL configuration. We are using Amazon ELB as load balancer in which the SSL is configured and through the load balancer we can access the application https://our-domain.com
When testing application locally I am able to login successfully when https://localhost:8443/saml/sso is added as a reply Url in Azure AD.
When I add only the https://our-domain.com/saml/sso as reply URL and try logging in while executing application locally, I get this error:
correct http protocol and port in AD request
which is expected as we dont have https://localhost:8080/.. as white listed reply URL in Azure AD now.
But what I noticed here in the error message is https://localhost:8080/... doesn't match the reply URL, which is correct, but there is no change in HTTP protocol or port 8080 which I am trying to access.
But, When I try to access the application deployed on AWS ECS using https://our-domain.com, I am successfully redirected to login page, but there I get this error.
incorrect http protocol and port in AD request
Where I can see HTTP protocol has been changed from https to http and the port is passed in the request as 8443.
I could see only in our AWS ELB which has configuration for SSL certificate and has a HTTPS listener 8443, and I am suspecting it is due to this the incorrect reply URL is passed by the Spring Security in the Azure AD Authentication request.
Amazon ELB configuration
I have tried to find solution for this and found an issue reported in Spring-Security-Saml project at https://github.com/spring-projects/spring-security-saml/issues/447, which talks about SAMLContextProviderLB as the context provider bean.
More details in Spring-Security SAML Extension documentation: https://docs.spring.io/spring-security-saml/docs/1.0.x/reference/htmlsingle/#configuration-load-balancing
Although it is mentioned in the documentation for latest version of Spring-Security SAML Extension, I cant find this class, but it is available in older 1.0.x version of extension. Hence I am not able to use it.
Can someone please provide any pointers to fix this issue..
Thanks
I am trying to do a https rest API call with a SSL certificate(PFX file) which have a password. I tested the connection from my desktop with SOAP UI and it is working fine.
I have a web application which is running on tomcat and I need my tomcat to send this certificate for all the http/https call which it will make.
I am not a tomcat person so i am stuck with this now.
I can find in online about how to set up a keystore & server.xml so that my web app can use Client Authentication against things connecting to it, not for when it needs to connect out to some other server(outgoing call).
my tomcat version is : 9.0.22
connector settings on my server.xml file
I've been trying to install LetsEncrypt on my server. My server is running on GlassFish and I've been getting a whole bunch of challenge errors from all of the letsencrypt services, any help would be appreciated!
System Info:
CentOS 7
Webservice: GlassFish
Here are some images of the error codes:
The problem is not in your GlassFish configuration but because LetsEncrypt services are not able to find the letsencrypt file under the url displayed in the error (starting with https://mdjdreview.com/index.php/.well-known/acme-challenge/...).
This is because your GlassFish does not serve the file, but redirects the URL to EdgeMAX application, which just returns a 404 page - not found.
I recommend to follow the steps in the letsencrypt guide here: https://certbot.eff.org/#centosrhel7-other, and use the certonly option with --standalone. You would need to stop GlassFish (or a proxy server listening on port 80) for a while, as this option needs to run a standalone HTTP server and it would collide with GlassFish.
Letsencrypt requires your server to serve the letsencrypt file from the specified URL, and with your current configuration, it is not possible to do it with GlassFish.
I'm consuming a web service in a java class standalone and it works fine.
I deployed that class as a part of a web-app in tomcat apache and it works fine.
Then, I deployed it in a glassfish server and I get this error:
WSS1601: Transport binding configured in policy but incoming message was not SSL enabled
I have several weeks stuck here. Seems like some glassfish setting doesn't accepts that my web-app uses a web service that works through HTTP (this is, and has to be the case).
The webservice client was made with the web service client wizard tool of netbeans (it uses wsimport-JAX-WS). More details on the error trace from the server:
com.sun.xml.wss.impl.XWSSecurityRuntimeException: WSS1601: Transport binding configured in policy but incoming message was not SSL enabled
at com.sun.xml.wss.impl.policy.verifier.MessagePolicyVerifier.verifyPolicy(MessagePolicyVerifier.java:125)
Has anybody else faced this issue?
Any help or ideas appreciated.
EDIT: I tried generating the stubs using the axis2 tool and it works great, so i'm sensing some kind of error in jax-ws when used in glassfish.
I guess you are trying to access the service enables with SSL. Try invoking the service with https also you have to install the valid SSL certificate in the client JDK.
The following link explain how to obtain and install a signed certificate :
https://docs.oracle.com/cd/E19798-01/821-1794/aeogl/index.html
Good luck :)
I built a web-service application using Jdeveloper 11.1.1.7 and deployed on weblogic 10.3.6 on physical server let us call it back-end server.
I do not want to give client direct access to back-end server so I make use of Apache 2.2 to be in the middle of client and back-end server. Apache 2.2 is configured on different physical server let us call it middle server.
I defined application's context root (which deployed in back-end server) on middle server in Apache httpd.conf file.
I shared WSDL file location to client ( WSDL URL which referring to the middle server domain name). The external client can access the URL thorug browser where he/she can see the WSDL content
But when the client trying send requests to middle server URL it get rejected with the following error:
[error] [client -clinet public IP goes here-] ap_proxy: trying POST /[application context root goes
here] at backend host '[back-end server local IP]/[port goes here]; got exception 'CONNECTION_REFUSED
[os error=0, line 1602 of URL.cpp]: apr_socket_connect call failed with error=730061, host=[back-end
server local IP], port=[port goes here]'
This error from middle server Apache error log file. No logs from back-end server
What is done so far:
I check the if I can access the middle server as external user using the telnet command. telnet IP port. It is working and the middle server is listening.
I also checked for all ports. between external client and middle server, between middle server and back-end server also using telnet. All ports working.
In this answer : ssl - Apache 2 with Weblogic Plug-in Redirection, original location still requested to backend - Server Fault
they are suggestion to increase the Accept Backlog value from weblogic server tuning . I did that in back-end server but still the issue is not resolved.
Problem resolved
I need to enable (WebLogic Plug-In Enabled) option from weblogic server where the application is deployed
from Domain Structure (Left Panel in admin console) - > Environment - > Servers -> (select the server where you deploy your application on it) - > General tab (from server setting)-> Advance - > (tic the option) WebLogic Plug-In Enabled
Then restarted the server.
By this your are telling the server you will get indirect request through proxy server or load balancer for example
You can do this on many level like cluster or server based on your needs check this site for more information
Understanding the use of “WebLogic Plugin Enabled”