IBM webMethods Hybrid Integration

Error in creating keystore for wM 8.2 IS using Portecle

  • 1.  Error in creating keystore for wM 8.2 IS using Portecle

    Posted Thu January 02, 2014 12:58 PM

    Dear All,

    I am trying to configure a 2 way SSL handshake between IS and an external partner. We will be using web services to send and receive the XML files. I have created a .der encoded private key certificate, raised the CSR and got a .crt certificate from the CA. The CRT certificate received looks like
    -----BEGIN PKCS7-----

    XYZwefwefwe

    -----END PKCS7-----

    Now, the admin guide suggested creating a keystore using tools like Portecle and OpenSSL. I am using Portecle and was able to create a keystore of type PKCS#12 and saved it [after giving a password]. Then, when I tried to import the .crt public certificate, it showed an error stating that

    “Only one certificate can be imported as a trusted certificate. The certificate file contained more than one certificate. The import cannot proceed”.

    I am assuming that the certificate provided to me by the CA contains the public certificate along with the CA root and intermediate certificates.

    I am new to this SSL configuration and as per my understanding we need to create a keystore having the public key and private key stored as a pair, which I can’t proceed to as I am unable to import my certificate itself. I understand I am doing something wrong here and it would be great if someone could guide me accordingly.

    Requesting expert opinion on how to tackle this situation in the best way so that I can create my keystore and go ahead with the keystore alias configuration.

    Thanks and cordial regards,
    Kushal


    #Integration-Server-and-ESB
    #webMethods
    #B2B-Integration


  • 2.  RE: Error in creating keystore for wM 8.2 IS using Portecle

    Posted Thu January 02, 2014 02:44 PM

    Have you also tried selecting this type when you are configuring keystore?

    Type JKS
    Provider SUN

    HTH,
    RMG




  • 3.  RE: Error in creating keystore for wM 8.2 IS using Portecle

    Posted Thu January 02, 2014 03:43 PM

    Hi RMG,

    Thanks for replying. Firstly wishing you a very Happy New Year.

    Actually, I have not reached the stage where I can set the keystore alias. I understand that I need to create the keystore file and place my public and private key pair in the keystore. Then I need to place the keystore file in my IS folder and record the path. This path needs to be provided while configuring the keystore alias in IS>Security>keystore [Kindly correct me if I am wrong].

    I am stuck with the keystore file creation itself because I am unable to import my public certificate using Portecle due to the multiple certificate chain [public key + CA Root + CA intermediate]. Please let me know if I should provide you more details which might help you to further understand my issue.

    Thanks and cordial regards,
    Kushal




  • 4.  RE: Error in creating keystore for wM 8.2 IS using Portecle

    Posted Thu January 02, 2014 03:49 PM

    Also, if you meant using the JKS option in Portecle while creating the keystore, then I have tried that as well. When I try to import the certificate, I still get the same error for multiple certificates.

    Thanks and regards,
    Kushal




  • 5.  RE: Error in creating keystore for wM 8.2 IS using Portecle

    Posted Fri January 03, 2014 10:10 AM

    Are you sure your CA cert chain is valid and no issues with your public/private key combination?

    HTH,
    RMG




  • 6.  RE: Error in creating keystore for wM 8.2 IS using Portecle

    Posted Mon January 06, 2014 11:23 AM

    Hi RMG,

    I have checked the certificate chain. It is a valid one but the only reason why the import is failing seems to be due to 3 certificates in the same file.

    The .CRT certificate when opened in textpad looks like below:-

    -----BEGIN PKCS7-----

    some random text

    -----END PKCS7-----

    Do I need to split the file to extract all the 3 certificates? I just need to make a keypair using this crt file with the public key and the .der file with my private key.

    Kindly suggest.

    Thanks and regards,
    Kushal Bangabash




  • 7.  RE: Error in creating keystore for wM 8.2 IS using Portecle

    Posted Mon January 06, 2014 12:17 PM

    Yes you don’t all 3 files in the same file which you have in .p7b format and trying?

    HTH,
    RMG




  • 8.  RE: Error in creating keystore for wM 8.2 IS using Portecle

    Posted Mon January 06, 2014 01:21 PM

    Sure… let me try that and get back to you.

    Thanks and regards,
    Kushal




  • 9.  RE: Error in creating keystore for wM 8.2 IS using Portecle

    Posted Mon January 06, 2014 04:25 PM


  • 10.  RE: Error in creating keystore for wM 8.2 IS using Portecle

    Posted Fri January 10, 2014 08:32 AM

    Hi RMG,

    I am able to import my certificates in the keystore now. When I split the certificate file I got from my CA, I found the below certificates:
    - Root CA
    - Intermediate CA
    - public certificate

    I have imported these 3 certificates in the order Root, intermediate and public as of now.

    Next, I need to import the private certificate in the keystore to complete the JKS keystore. My private certificate is in .der format and Portecle is not able to import it in the present format. Do I need to convert it to a PKCS#12 file (*.p12 or *.pfx)? If so, then how do I do that?

    Requesting your help for the same.

    Thanks and regards,
    Kushal


    #Integration-Server-and-ESB
    #B2B-Integration
    #webMethods


  • 11.  RE: Error in creating keystore for wM 8.2 IS using Portecle

    Posted Fri January 10, 2014 11:51 AM

    You may try this site also to convert.




  • 12.  RE: Error in creating keystore for wM 8.2 IS using Portecle

    Posted Mon January 13, 2014 12:17 PM

    Thanks RMG.

    Saw the site. It’s very useful and quick, but will it be safe to convert my private key using an external site? Not accusing anyone, but from a safety point of view, if anyone stores my private key, our transactions can be at risk.

    Kindly let me know your views on this.

    Thanks and regards,
    Kushal Bangabash




  • 13.  RE: Error in creating keystore for wM 8.2 IS using Portecle

    Posted Mon January 13, 2014 12:33 PM

    Yes, there is an added risk sharing a private key online :frowning: but a few used it already and whatever works for them:




  • 14.  RE: Error in creating keystore for wM 8.2 IS using Portecle

    Posted Tue January 14, 2014 04:55 AM

    Yes, thought so…

    Thanks for double confirming as I don’t want to take this risk. I’ll better work on installing OpenSSL and try converting the private key manually there :slight_smile:

    Will be back with updates…

    Thanks and regards,
    Kushal




  • 15.  RE: Error in creating keystore for wM 8.2 IS using Portecle

    Posted Wed February 12, 2014 09:03 AM

    Hi RMG,

    I have now created the keystore and truststore using Portecle. I had to re-request the certificates again as the private key was corrupted.

    Now, since our IS will be both producing and consuming web services, I have set up the keystore and truststore aliases in the IS admin console. Next, the admin guide speaks of creating an HTTPS port for incoming requests.

    I need to ask if I require the CA certificates as well from our external partner to be placed in the truststore, or only the public certificate of the partner will do?

    Thanks and regards,
    Kushal




  • 16.  RE: Error in creating keystore for wM 8.2 IS using Portecle

    Posted Wed February 12, 2014 09:25 AM

    @KB:

    You need to import the complete CA certificate chain. You need to keep [pub key + CA Certificates] in trust store.

    HTH.

    Thanks,
    Rankesh




  • 17.  RE: Error in creating keystore for wM 8.2 IS using Portecle

    Posted Wed February 12, 2014 11:09 AM

    Also, when I try to enable my HTTPS port, I am getting the below error

    Failed to start HTTPSListener@443: Permission denied (errno:13)

    I have set up the port as 443 and listener specific credentials… when I check the server log, I get the message

    [7]2014-02-12 10:03:01 EST [ISC.0006.0008I] Listener loaded certificate authorities from location trustStore_XYZ_root
    [6]2014-02-12 09:59:35 EST [ISC.0006.0008I] Listener loaded certificate authorities from location trustStore_XYZ_root
    [5]2014-02-12 09:57:39 EST [ISC.0006.0008I] Listener loaded certificate authorities from location trustStore_XYZ_root

    Please help in understanding what I am missing here.

    Thanks and regards,
    Kushal




  • 18.  RE: Error in creating keystore for wM 8.2 IS using Portecle

    Posted Wed February 12, 2014 11:16 AM

    Thanks Rankesh.

    You mean the same truststore in which I have kept my CA root certificate?

    Also, just clarifying that I have actually placed the client’s public certificate in the Security > Certificates > Configure Client Certificates section by specifying the certificate IS location, mapped to a user and set usage as ‘SSL authentication’. If I am getting this right, then I need to get the CA certificates of my client and add them to the truststore I am maintaining to keep my CA root certificate?

    Thanking in advance,
    Kushal




  • 19.  RE: Error in creating keystore for wM 8.2 IS using Portecle

    Posted Wed February 12, 2014 01:39 PM

    @KB,

    For HTTPS port, did you define the keystore alias, truststore alias [if you want client authentication on the port] and key alias?

    Yes, you are correct.

    Thanks,
    Rankesh




  • 20.  RE: Error in creating keystore for wM 8.2 IS using Portecle

    Posted Fri February 14, 2014 11:55 AM

    Yes, I had set the listener specific details, i.e. keystore, key alias and the truststore. But the issue is resolved by changing the port number to a four digit number.

    Earlier, I was using the default 443 but it was throwing the access denied error. When I tried playing with a different number, it enabled the listener port.

    Not sure why it was failing for 443 only though…?

    Thanks and regards,
    Kushal




  • 21.  RE: Error in creating keystore for wM 8.2 IS using Portecle

    Posted Fri February 14, 2014 12:04 PM

    @Kushal,

    If you are running your IS on Unix/Linux, you need to be root to operate on a port less than 1024.

    Ref: Privileged Ports

    HTH.

    Thanks,
    Rankesh




  • 22.  RE: Error in creating keystore for wM 8.2 IS using Portecle

    Posted Fri February 14, 2014 12:12 PM

    Thanks Rankesh…this was useful information :slight_smile:

    Regards,
    Kushal




  • 23.  RE: Error in creating keystore for wM 8.2 IS using Portecle

    Posted Fri February 14, 2014 04:00 PM

    Rankesh,

    Thanks for the note…it seems a useful point.




  • 24.  RE: Error in creating keystore for wM 8.2 IS using Portecle

    Posted Wed February 26, 2014 12:39 PM

    Hi Rankesh and RMG,

    While I am trying to send an outbound transaction to our external partners, I am getting this error:

    iaik.security.ssl.SSLException: Server certificate rejected by ChainVerifier

    Currently, I believe that the external partner is rejecting my server’s certificate that it receives at the beginning of the 2 way SSL handshake. Is it because my partner’s system is unable to trust our server certificate?

    Thanking in advance,
    Kushal




  • 25.  RE: Error in creating keystore for wM 8.2 IS using Portecle

    Posted Wed February 26, 2014 12:47 PM

    Yes… and also make sure the partner was given the new cert chain and has it configured in their system as well; that way the 2-way SSL handshake works…

    This error is almost always caused by a misconfiguration on either the SSL client or SSL server side.

    Make sure to install the CA from both sites into the Integration Server’s Trusted Root directory, so that Integration Server can trust the certificate chain presented by SSL Server.

    HTH,
    RMG




  • 26.  RE: Error in creating keystore for wM 8.2 IS using Portecle

    Posted Wed February 26, 2014 04:23 PM

    Not only the CA root; the CA intermediate cert also needs to be loaded in the Trust Store.
    You don’t need to load the server cert to the trust store though.
    Also, make sure the server returned the cert chain that they claimed to have. You can use openssl to get the cert chain (sometimes the browser will automatically fix the chain for you, which behaves differently from WM IS).
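
The local OpenSSL route discussed in the posts above, as an added example that is not part of the thread and not webMethods or Portecle documentation: it splits a PKCS#7 reply into single certificates, picks the one that matches the private key, builds a PKCS#12 keystore without the key leaving the machine, and shows a root-only trust store rejecting a certificate issued by an intermediate. The test PKI, the file names, the `serverkey` alias and the `changeit` password are constructed placeholders, and the `openssl` command-line tool is assumed to be installed.

```shell
#!/bin/sh
# Added example. The PKI is constructed test data; file names, alias and password are placeholders.
set -eu

make_test_pki() {  # throwaway root -> intermediate -> server chain, bundled like the CA's reply
  printf '[req]\ndistinguished_name=dn\n[dn]\n[ca]\nbasicConstraints=critical,CA:TRUE\n' > pki.cnf
  openssl req -config pki.cnf -x509 -extensions ca -newkey rsa:2048 -nodes -days 30 \
    -subj "/CN=Test Root CA" -keyout root.key -out root.pem 2>/dev/null
  for who in inter server; do
    openssl req -config pki.cnf -new -newkey rsa:2048 -nodes -subj "/CN=test-$who" \
      -keyout "$who.key" -out "$who.csr" 2>/dev/null
  done
  openssl x509 -req -in inter.csr -CA root.pem -CAkey root.key -CAcreateserial \
    -extfile pki.cnf -extensions ca -days 30 -out inter.pem 2>/dev/null
  openssl x509 -req -in server.csr -CA inter.pem -CAkey inter.key -CAcreateserial \
    -days 30 -out server.pem 2>/dev/null
  openssl pkey -in server.key -outform DER -out server-key.der   # DER key, as in the thread
  openssl crl2pkcs7 -nocrl -certfile root.pem -certfile inter.pem -certfile server.pem -out reply.p7b
}
split_p7b() {  # write cert-1.pem, cert-2.pem, ... and print how many certificates were found
  openssl pkcs7 -in "$1" -print_certs |
    awk '/-BEGIN CERTIFICATE-/{n++; on=1} on{print > ("cert-" n ".pem")} /-END CERTIFICATE-/{on=0}'
  ls cert-*.pem | wc -l
}
leaf_for_key() {  # bundle order is not guaranteed: pick the cert whose public key matches the key
  want=$(openssl pkey -in "$1" -pubout)
  for c in cert-*.pem; do
    [ "$(openssl x509 -in "$c" -noout -pubkey)" = "$want" ] && { echo "$c"; return 0; }
  done
  return 1
}
build_p12() {  # DER key + matching cert + CA certs -> keystore.p12; prints the cert count inside
  openssl pkey -inform DER -in "$1" -out key.pem
  leaf=$(leaf_for_key key.pem)
  cat $(ls cert-*.pem | grep -vx "$leaf") > cas.pem
  openssl pkcs12 -export -inkey key.pem -in "$leaf" -certfile cas.pem -name serverkey \
    -passout pass:changeit -out keystore.p12  # placeholder; omit -passout to be prompted
  openssl pkcs12 -in keystore.p12 -passin pass:changeit -nokeys 2>/dev/null | grep -c 'BEGIN CERTIFICATE'
}
trusts_server() {  # would a trust store holding only these CA certs accept a bare server cert?
  cat "$@" > trust.pem
  openssl verify -CAfile trust.pem server.pem >/dev/null 2>&1
}

cd "$(mktemp -d)"
make_test_pki
echo "certificates in reply.p7b: $(split_p7b reply.p7b)"
echo "certificates in keystore.p12: $(build_p12 server-key.der)"
trusts_server root.pem || echo "root only: rejected"
trusts_server root.pem inter.pem && echo "root + intermediate: accepted"
```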




  • 27.  RE: Error in creating keystore for wM 8.2 IS using Portecle

    Posted Wed February 26, 2014 06:17 PM

    Also, on what OS are you trying to configure this keystore, Windows or Unix (that IS is hosted on)? Depending on that, you need to select the provider (a small note).

    HTH,
    RMG




  • 28.  RE: Error in creating keystore for wM 8.2 IS using Portecle

    Posted Thu February 27, 2014 06:18 AM

    Thank you all.

    I have already placed my CA root and intermediate in our IS truststore. Working to get the CA and intermediate of partner as well in truststore.

    @RMG - our IS is on Unix box. Does this require any special way to create the provider WSDL ?

    Thanks in advance,
    Kushal




  • 29.  RE: Error in creating keystore for wM 8.2 IS using Portecle

    Posted Fri February 28, 2014 12:32 AM

    After getting the certificates and before installing them, cross-verify that the certificates you are going to use and the ones the other party is using are the same by checking the validity and Serial Number; once everything is in sync, install the certificate and do a test. Kindly let us know the updates.




  • 30.  RE: Error in creating keystore for wM 8.2 IS using Portecle

    Posted Mon March 03, 2014 12:18 PM

    I was talking about Provider on the Keystore Properties screen. What did you set there, SUN or something else?

    HTH,
    RMG




  • 31.  RE: Error in creating keystore for wM 8.2 IS using Portecle

    Posted Fri March 07, 2014 12:11 PM

    Hi RMG,

    Apologies for the late reply. The provider is set to SUN and the keystore type is JKS.

    Thanks and regards,
    Kushal




  • 32.  RE: Error in creating keystore for wM 8.2 IS using Portecle

    Posted Fri March 07, 2014 01:54 PM


  • 33.  RE: Error in creating keystore for wM 8.2 IS using Portecle

    Posted Fri April 11, 2014 04:20 AM

    Both Public and CA certs can be shared with the other partner, and the same applies to the partner.




  • 34.  RE: Error in creating keystore for wM 8.2 IS using Portecle

    Posted Fri January 29, 2021 04:47 AM

    Just a real late reply but the configuration had worked out. Completely forgot to update and thank everyone.

