Is there a way to identify which application is using a particular certificate? Especially one issued by GTE CyberTrust.
We have different certs used by our application in making outgoing connection to other applications. I was wondering if this can be displayed in Weblogic Server Admin Console? If not can they be displayed via other methods?
I think what makes this tricky is there are many ways to "use" a certificate.
To start with a certificate can be stored in an individual keystore, or inside jre/lib/security/cacerts, on weblogic admin console configuration, or passed using java system property -Djavax.net.ssl.trustStore. It can be used by classes such as SSLSocket, or any arbitrary library that uses this class, or configured via Spring xml.
Typically an application would "use" a certificate if it made a HTTPS connection into a domain with matching CN. I would begin by searching the source code for this (eg: search for SSLSocket / HTTPS / the CN name)
Related
I am testing and debugging a system where application A submits a POST request to a URL when some event occurs. One of my programs, application B, must react to this event.
Application A requires that the URL uses HTTPS. I don't want to use a self-signed certificate because it may cause problems (curl complains about the self-signed certificate when I test it locally).
Letsencrypt can create a SSL certificate for free, but requires a domain. This is a problem for me because application B runs on a virtual machine. Whenever the machine is restarted, it gets a different IP address. Currently, there is no domain associated with that machine (i. e. you can only access it via a URL like http://aaa.bbb.ccc.ddd/).
Is there a way to use a non-self-signed certificate for an application without domain (i. e. one that runs on a URL like http://aaa.bbb.ccc.ddd/)? If not, what is the easiest way to make a Spring boot application (application B) support a non-self-signed SSL certificate?
There is one answer suggesting to create one's own certificate authority and installing it on all machines that access the URL. This is not an option for me because I have no control over application A.
Update 1: Application B runs on an EC2 instance in AWS.
Letsencrypt can create a SSL certificate for free, but requires a domain. This is a problem for me because application B runs on a virtual machine. Whenever the machine is restarted, it gets a different IP address.
It does not matter if the IP changes since all what is checked is the domain name. Thus, if the machine gets a new IP address you need to update the DNS to point to this new domain name.
In general the client will check if the subject/SAN of the certificate matches the domain in the URL. It is not possible to get a certificate which is generic enough to cover all the IP addresses you could get. Thus, having your own fixed domain name with a dynamic IP address behind it is the way to go if you want to use normal clients to access the site.
I am trying to create multiple on-demand secure connections with different As400 instances. I made jdbc connections which depends on user input.
Now The problem is the certificates of those instances are also different.
I know to create a secure connection we set our certificates and password in System properties like - javax.net.ssl.trustStore and javax.net.ssl.trustStorePassword. But this happens at startup only. We cannot change it again during lifetime of the application.
Is there any possible way to change the trusted certificates at runtime?
So i have my site on hosting company, and this company support let encrypt certificate, so i generated it and now the site is running with https protocol.My server side(spring boot application web service oriented started on VPS) for this site is on another company. My questions are:
How can i use this generated certificate on my server side part,
is it possible, what should i do?
What i need to provide to the server, and all things that are needed the server to work?
When i was without the certificate everything worked perfect, but right now on the server side i get
java.lang.IllegalArgumentException: Invalid character found in method name. HTTP method names must be tokens
and in the browser i get
net::ERR_SSL_PROTOCOL_ERROR,
when I`m trying the get resources from server.
From the hosting company i can get everything connected to the certificate
It seems that you are passing HTTPs traffic to web server which "talks" in plain HTTP.
Normally SSL termination is done on software like Apache HTTPD or Nginx.
Then you configure it to act as reverse proxy to your actual Spring boot application running in JVM.
You can also configure your JVM webserver (Jetty,Tomcat .. whatever you have) to use your Let's encrypt certificate, but I have doubt that certbot will be able to easily renew them.
In HTTPS technology, an SSL certificate is required for a secure connection. This certificate must be acquired through self-generation, or through a certificate authority (CA).
In Java, an SSLSocket to SSLSocket connection promises the same security as an HTTPS connection (No man-in-the-middle, encryption, etc).
When connecting two SSLSockets instantiated in two separate, stand-alone Java programs (One client, one server), is it necessary to supply Java (The server) with a valid certificate?
What are the methods used to specify which certificate to use? The documentation doesn't seem to have anything to say about this.
I'm talking about pure Java here. I'm not talking about using Java to connect to a web service via HTTPS.
The purpose of these sockets is to send user names and passwords from one Java application (The client) to another (The server) for identity verification purposes, so it is imperative that they are as secure as possible.
When connecting two SSLSockets instantiated in two separate, stand-alone Java programs (One client, one server), is it necessary to supply Java (The server) with a valid certificate?
In normal usage the server (the end with the SSLServerSocket) needs a certificate that is trusted by the peer.
The client only needs a certificate if the server is configured to require it, which is not the default.
What are the methods used to specify which certificate to use? The documentation doesn't seem to have anything to say about this.
See the JSSE Reference Guide. You can do this via system properties. You can also write a foot or so of code, but it isn't necessary.
If you want to have a secure encryption you need to have either a pre-shared key only known to both parties or you have to do some kind of key exchange to compute the encryption key. Key Exchange requires proper identification, otherwise a man-in-the-middle attack would be possible and you would not have secure end-to-end encryption anymore.
For use of pre-shared key look out for TLS-PSK. When googling for it it looks like that there are some hits for Android implementations but mostly it is people asking if it is possible. It might be possible to do this with the alternative SSL implementation BouncyCastle.
If not using PSK you might try to use anonymous ciphers (ADH). I don't know if they are supported by Java but in any case you would still need to have some kind of identification to make sure you are talking to the expected server.
And then there are of course certificates. You might use self-signed certificates together with public key pinning if you don't want to use public certificates for your application.
In HTTPS technology, an SSL certificate is required for a secure
connection. This certificate must be acquired through self-generation,
or through a certificate authority (CA). In Java, an SSLSocket to
SSLSocket connection promises the same security as an HTTPS connection
(No man-in-the-middle, encryption, etc).
No : HTTPS = HTTP traffic going through an SSL socket.
When connecting two SSLSockets instantiated in two separate,
stand-alone Java programs (One client, one server), is it necessary to
supply Java (The server) with a valid certificate?
Yes - Certificate and private key. If you want two way SSL, client would also need its own set of key/cert
What are the methods used to specify which certificate to use? The
documentation doesn't seem to have anything to say about this.
There's a lot of ground to cover. I'm not sure how much you already know, the things that you need to read up on include keytool, KeyStore, SSLContext, SSLServerSocketFactory, KeyManager.
Or you could directly go to examples like this
I have my J2EE application deployed into a JBossAS. My Application has to respond to two different hostnames (https://foo.com/myApp and https://bar.com/myApp). It is the same instance of the app serving those two hostnames.
But I don't know how to configure the keystores. I need different keystores for each hostname. Is there a way to tie a virtual host in JBoss' server.xml to a specific connector?
Or do I have to use two different IP-addresses and create a connector for each?
A solution that does not require a second IP-address would be greatly appreciated.
With SSL you have to use two different I.P. addresses if you wish to use different SSL certificates. This isn't a shortcoming in Tomcat/JBoss, it is just the reality of the protocol.
I can't remember the technical reason off the top of my head (Google knows), but it comes down to the server not being able to read the domain name until it has decoded the incoming SSL request.
To use two different keystores you will need to define two different connectors (using different I.P. addresses or ports) in the jbossweb-tomcat55.sar/server.xml file. This will get your SSL certificates working, but if you only have one I.P. your second certificate will need to be setup on a non-standard port.
two apps can share one keystore which holds two certificates. The certificate is issued for a given domain. Define the second domain as a virtual host with different domain and do not touch the server.xml. It should work this way.