Original Message:
Sent: Mon January 13, 2025 08:51 AM
From: Doug Breaux
Subject: KEYSTORE AND JAVA IBM J9 VM (build 2.9, JRE 1.8.0 OS/400 ppc64-64-Bit vs JAVA ORACLE
Glad you got it working!
I want to explicitly note that, in addition to adding the alias property, you're also using a separate Properties object rather than System.properties. Again, I suspect this was also part of the earlier problems.
------------------------------
Doug Breaux
Software Engineer
Kyndryl
Original Message:
Sent: Sun January 12, 2025 04:03 AM
From: Jose Luis Nebril
Subject: KEYSTORE AND JAVA IBM J9 VM (build 2.9, JRE 1.8.0 OS/400 ppc64-64-Bit vs JAVA ORACLE
Sorry, Doug, for responding on a Sunday.
Wow, it works fine.
The link you sent me has solved the problem.
I'm attaching the code that was needed to make it work, because a property was missing: "com.ibm.ssl.alias"
    import com.ibm.websphere.ssl.JSSEHelper;
    import java.util.Properties;
    ....
    JSSEHelper jsseHelper = JSSEHelper.getInstance();
    try {
        System.out.println("Set SSLProps like JAVA.");
        // Separate Properties object, applied to this thread only (not System properties)
        Properties sslProps = new Properties();
        sslProps.setProperty("com.ibm.ssl.trustStore", CaCertsFileName);
        sslProps.setProperty("com.ibm.ssl.trustStorePassword", "password");
        sslProps.setProperty("com.ibm.ssl.trustStoreType", "JKS");
        sslProps.setProperty("com.ibm.ssl.keyStore", PfxFileName);
        sslProps.setProperty("com.ibm.ssl.keyStoreType", "PKCS12");
        sslProps.setProperty("com.ibm.ssl.keyStorePassword", PfxPwd);
        // The property that was missing: the alias of the certificate to use
        sslProps.setProperty("com.ibm.ssl.alias", Empresa.toLowerCase());
        jsseHelper.setSSLPropertiesOnThread(sslProps);
        System.out.println("Set SSLProps to JSSHelper.");
        // PrintProperties is the poster's own helper (not shown)
        PrintProperties(Empresa, sslProps);
    }
    catch (Exception e) {
        e.printStackTrace();
    }
You're very welcome, Doug! If I can help you with these topics at any time, count on me.
JL
------------------------------
Jose Luis Nebril
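
An added example, not part of the original thread or of IBM's documentation: one way to apply the JSSEHelper properties from the post above for a single outbound call and then restore the thread's previous SSL properties, since properties set with setSSLPropertiesOnThread stay on that thread until they are replaced or cleared. The names PerCallClientCert, sslProps, withSslProps and sendSoapRequest are hypothetical, and the code assumes it runs inside WebSphere Application Server with com.ibm.websphere.ssl.JSSEHelper available.

```java
import com.ibm.websphere.ssl.JSSEHelper;
import java.util.Properties;
import java.util.concurrent.Callable;

/** Added example (hypothetical class): per-call client certificate selection. */
public final class PerCallClientCert {

    private PerCallClientCert() {}

    /** Builds the same property set as the post above; passwords are passed in, not hard-coded. */
    static Properties sslProps(String trustStore, String trustStorePwd,
                               String pfxFile, String pfxPwd, String alias) {
        Properties p = new Properties();   // separate object, not System properties
        p.setProperty("com.ibm.ssl.trustStore", trustStore);
        p.setProperty("com.ibm.ssl.trustStorePassword", trustStorePwd);
        p.setProperty("com.ibm.ssl.trustStoreType", "JKS");
        p.setProperty("com.ibm.ssl.keyStore", pfxFile);
        p.setProperty("com.ibm.ssl.keyStoreType", "PKCS12");
        p.setProperty("com.ibm.ssl.keyStorePassword", pfxPwd);
        p.setProperty("com.ibm.ssl.alias", alias);   // which certificate in the keystore to present
        return p;
    }

    /**
     * Puts props on the current thread only while call runs, then restores
     * whatever was on the thread before, even if call throws. Without the
     * restore, a later request served by the same pooled thread would keep
     * using this caller's keystore and alias.
     */
    static <T> T withSslProps(Properties props, Callable<T> call) throws Exception {
        JSSEHelper helper = JSSEHelper.getInstance();
        Properties previous = helper.getSSLPropertiesOnThread();
        helper.setSSLPropertiesOnThread(props);
        try {
            return call.call();
        } finally {
            helper.setSSLPropertiesOnThread(previous);
        }
    }

    // Usage sketch (sendSoapRequest is a hypothetical application method):
    //   String reply = withSslProps(
    //       sslProps(caCerts, caPwd, pfxFile, pfxPwd, empresa.toLowerCase()),
    //       () -> sendSoapRequest(payload));
}
```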
Original Message:
Sent: Fri January 10, 2025 02:25 PM
From: Doug Breaux
Subject: KEYSTORE AND JAVA IBM J9 VM (build 2.9, JRE 1.8.0 OS/400 ppc64-64-Bit vs JAVA ORACLE
I'm not surprised that trying to set it JVM-wide, which is what System property is doing, doesn't work. Instead, look down this path:
https://www.ibm.com/docs/en/was/8.5.5?topic=ascdoprse-programmatically-specifying-outbound-ssl-configuration-using-jssehelper-api-2
------------------------------
Doug Breaux
Software Engineer
Kyndryl
Original Message:
Sent: Fri January 10, 2025 01:56 PM
From: Jose Luis Nebril
Subject: KEYSTORE AND JAVA IBM J9 VM (build 2.9, JRE 1.8.0 OS/400 ppc64-64-Bit vs JAVA ORACLE
Thanks Doug
That's exactly what I'm trying to do.
I have tried creating different SSL configurations through the WebSphere console using SSL Certificate and Key Management > SSL Configurations.
In each configuration, I specify a keystore and a truststore that I previously created.
Then, to try to use each of them, I used the system property com.ibm.ssl.context, but it doesn't seem to work because it keeps using NodeDefaultSSLSettings.
Any suggestions?
------------------------------
Jose Luis Nebril
Original Message:
Sent: Thu January 09, 2025 01:37 PM
From: Doug Breaux
Subject: KEYSTORE AND JAVA IBM J9 VM (build 2.9, JRE 1.8.0 OS/400 ppc64-64-Bit vs JAVA ORACLE
Hmmm, I see @Brian S Paskin was sending you down the same path in https://community.ibm.com/community/user/wasdevops/discussion/java-developement-ssl-with-client-certificate-pfxp12
It looks like your complication is wanting to use multiple different client certs to the same server?
If so, I wonder if defining multiple SSL configurations and referencing them by name in your code would work. I admit this is something I've not done before, though.
------------------------------
Doug Breaux
Software Engineer
Kyndryl
Original Message:
Sent: Thu January 02, 2025 09:09 AM
From: Doug Breaux
Subject: KEYSTORE AND JAVA IBM J9 VM (build 2.9, JRE 1.8.0 OS/400 ppc64-64-Bit vs JAVA ORACLE
First, let's be clear that NodeDefaultKeyStore is not an external certificate file, it's a single keystore file that can contain multiple certificates in it. Perhaps you both imported these certificates into that file and have them still in external files to try to reference, but those are duplicates.
Also, I only recognize the term "NodeDefaultKeyStore" in the context of WebSphere Application Server. Which your URL seems to confirm, but I want to be sure.
Next, then, you have a few approaches you could use. Note that using System properties is setting things for the entire JVM, which is probably not what you want unless each execution of this call is from a separate JVM instance. That is, a new run of a standalone Java application, not, say, multiple requests within a web application. And might well not work at all if you're trying to change it for a middleware product globally (like a WebSphere server).
If this is indeed a WebSphere application, the simplest and cleanest approach, IMO, is to use "Dynamic outbound endpoint SSL configurations", under "Security" > "SSL certificate and key management". Here, you can specify particular certificates (aliases) from a key store to use for particular hosts.
If this isn't for WebSphere, we can discuss other approaches.
------------------------------
Doug Breaux
Software Engineer
Kyndryl
Original Message:
Sent: Fri December 27, 2024 08:00 AM
From: Jose Luis Nebril
Subject: KEYSTORE AND JAVA IBM J9 VM (build 2.9, JRE 1.8.0 OS/400 ppc64-64-Bit vs JAVA ORACLE
Hi Doug
I'm sorry, but I cannot find a solution to this problem.
We need to be able to select a specific certificate among the three certificates loaded in the nodedefaultkeystore.
We execute the SOAP connection to https://www.agenciatributaria.com three times, but in each connection we need to use a different client pfx certificate.
Could you help us?
JL
------------------------------
Jose Luis Nebril
Original Message:
Sent: Mon December 16, 2024 09:14 AM
From: Doug Breaux
Subject: KEYSTORE AND JAVA IBM J9 VM (build 2.9, JRE 1.8.0 OS/400 ppc64-64-Bit vs JAVA ORACLE
Those properties are specifying a file, not a certificate within a file. So, you're wanting to use an external file, not the NodeDefaultKeyStore, correct?
------------------------------
Doug Breaux
Software Engineer
Kyndryl
Original Message:
Sent: Mon December 16, 2024 08:11 AM
From: Jose Luis Nebril
Subject: KEYSTORE AND JAVA IBM J9 VM (build 2.9, JRE 1.8.0 OS/400 ppc64-64-Bit vs JAVA ORACLE
I have four personal certificates uploaded into NodeDefaultKeyStore.
When I establish a connection with a web service, in Oracle Java, the following properties are used to specify which certificate I want to use.
System.setProperty("javax.net.ssl.keyStore", "file.pfx");
System.setProperty("javax.net.ssl.keyStoreType", "PKCS12");
System.setProperty("javax.net.ssl.keyStorePassword", "password");
However, in IBM Java, these properties are ignored, and it directly uses the NodeDefaultKeyStore, always utilizing the first loaded certificate, but I want to select one of them.
I tried to use the properties
System.setProperty("com.ibm.ssl.keyStore", "file.pfx");
System.setProperty("com.ibm.ssl.keyStoreType", "PKCS12" );
System.setProperty("com.ibm.ssl.keyStorePassword", "password" );
Any idea about this issue?
Best regards
------------------------------
Jose Luis Nebril
------------------------------