
My colleague set up a (Bluemix) Secure Gateway using mutual auth for our project to use. He tested it with Ruby and cURL and it works fine, but when configuring my Liberty server to use it, I am running into many issues.

I used the instructions found here.

Basically...

To create a key store for the client, enter the following command. In the following example, key.p.12 is created.

openssl pkcs12 -export -in "[client]_cert.pem" -inkey "[client]_key" -out "sg_key.p12" -name BmxCliCert -noiter -nomaciter -password pass:<password>

Which creates a PKCS12 store. (I use this in server.xml below)

I then added the certs into my keystore.

I then changed my server.xml to have a trust store as referenced in my

<ldapRegistry baseDN="o=ibm.com" host="bluepages.ibm.com" id="bluepages" ignoreCase="true" 
    ldapType="IBM Tivoli Directory Server" port="636" realm="w3" sslEnabled="true" sslRef="SSLSettings">

    <idsFilters groupFilter="(&amp;(cn=%v)(objectclass=groupOfUniqueNames))" groupIdMap="*:cn" groupMemberIdMap="groupOfUniqueNames:uniquemember" userFilter="(&amp;(emailAddress=%v)(objectclass=person))" userIdMap="*:emailAddress"/>

</ldapRegistry>

<ssl id="SSLSettings" keyStoreRef="defaultKeyStore" trustStoreRef="defaultTrustStore"/>

<keyStore id="defaultKeyStore" password="xxxxxx" 
    location="${server.output.dir}/resources/security/key.jks"/>

<keyStore id="defaultTrustStore"
    location="${server.output.dir}/resources/security/sg_key.p12"
    type="PKCS12" password="xxxxxx" />

Here's issue #1

When I add the trust store, I can no longer authenticate via my LDAP server. It just says invalid user or password. I remove the trust store, and I can authenticate again. So adding the trust store has some type of effect.

Issue #2. When I remove my LDAP server and just use the basic user registry, I can log in, but when I try to use the secure gateway, I get:

[err] javax.net.ssl.SSLHandshakeException: Received fatal alert: handshake_failure

I have imported the certificate from the secure gateway so not sure why I get this?

So two issues: using a trust store, I can no longer auth via LDAP; and second, I cannot connect to the secure gateway even after importing all certs.

Anyone had success using Bluemix with a Secure Gateway (Mutual Auth) from Java?

Requested info (edited)

Enter Import Password:
MAC Iteration 2048
MAC verified OK
PKCS7 Encrypted data: pbeWithSHA1And40BitRC2-CBC, Iteration 2048
Certificate bag
Bag Attributes
    friendlyName: portal
    localKeyID: 5F A0 D5 5D 68 C5 39 65 7D 24 D7 78 9B CD 7D 01 FB 1B 00 6D 
subject=/ST=NC/C=US/L=RTP/O=IBM Corporation/OU=SWG/CN=*.integration.ibmcloud.com
issuer=/ST=NC/C=US/L=RTP/O=IBM Corporation/OU=SWG/CN=*.integration.ibmcloud.com
-----BEGIN CERTIFICATE-----
INFO
4Q==
-----END CERTIFICATE-----
PKCS7 Data
Shrouded Keybag: pbeWithSHA1And3-KeyTripleDES-CBC, Iteration 2048
Bag Attributes
    friendlyName: portal
    localKeyID: 5F A0 D5 5D 68 C5 39 65 7D 24 D7 78 9B CD 7D 01 FB 1B 00 6D 
Key Attributes: <No Attributes>
Enter PEM pass phrase:
Verifying - Enter PEM pass phrase:
-----BEGIN ENCRYPTED PRIVATE KEY-----
INFO
-----END ENCRYPTED PRIVATE KEY-----
  • Can you please use ikeyman or command line tool to display signer certificates added correctly to sg_key.p12? It seems like some with your trust store file. – M. Tamboli Apr 11 '16 at 17:42
  • Hi, Thanks.. Added info above. Extracted via openSSL – James Apr 11 '16 at 18:06
  • You've replaced your truststore. You may want to keep it and add/import the new certificate in it (to the default jks keystore) – gusto2 Apr 11 '16 at 18:18
  • Tx Gabriel... Not sure I follow... I have a keystore and a trust store. The PKCS12 one being what was created from openSSL.. The keystore -- my original. I must be missing something? tx! – James Apr 11 '16 at 19:10
  • Looks like I had my key and trust stores mixed up... I can now login using my LDAP server again.. Now I am stuck at the handshake failure. Does this not mean that the servers can not agree on a CIPHER to use? – James Apr 11 '16 at 19:46
  • Glad that #1 connection to LDAP is resolved. So you have the correct signer certificate for Bluemix (secure gateway) in your correct trust file? Please check logs and ffdc to see if it indicates anything about not finding common Cipher Suites. – M. Tamboli Apr 11 '16 at 20:58
  • Yes.. the trust file has the DigicertCA2 certification. Something interesting though? From the trace log... Cipher Suites: [TLS_DHE_RSA_WITH_AES_128_CBC_SHA, etc.etc] When I look at the server via openssl.. it is using.. SSL-Session: Protocol : TLSv1.2 Cipher : ECDHE-RSA-AES256-GCM-SHA384 And that CIPHER is not in the list above... – James Apr 11 '16 at 22:00
  • I know that CIPHER is supported by JAVA and I have used the unrestricted policy files too.. – James Apr 11 '16 at 22:02
  • Please make sure that all the steps are completed on the Bluemix side to enable mutual SSL. You are probably already aware of this doc https://console.ng.bluemix.net/docs/services/SecureGateway/sg_023.html#sg_023. – M. Tamboli Apr 12 '16 at 15:12
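The comment trail above ends with the key and trust stores having been "mixed up". In Liberty the ssl element's trustStoreRef defaults to the key store named by keyStoreRef, so before sg_key.p12 was added, key.jks was doing double duty and held the LDAP server's signer. Pointing trustStoreRef at the PKCS12 (which holds the client's private key and certificate, not signers) replaced that trust set, which is why LDAP auth broke. The fragment below is an added example, not from the original post or from IBM: it sets the posted wiring beside a split-by-role wiring. The store name trust.jks, the ids sgClientKeyStore and sgSSL, and the passwords are placeholders.

```xml
<!-- Added example. trust.jks, sgClientKeyStore, sgSSL and the passwords are placeholders. -->

<!-- As posted: the PKCS12 that holds the client's private key is wired in as the trust
     store, so the signers that lived in key.jks are no longer consulted. -->
<ssl id="SSLSettings" keyStoreRef="defaultKeyStore" trustStoreRef="defaultTrustStore"/>
<keyStore id="defaultKeyStore" password="xxxxxx"
    location="${server.output.dir}/resources/security/key.jks"/>
<keyStore id="defaultTrustStore" type="PKCS12" password="xxxxxx"
    location="${server.output.dir}/resources/security/sg_key.p12"/>

<!-- Split by role:
     defaultKeyStore   Liberty's own identity (server key and certificate)
     sgClientKeyStore  the client key + certificate built with openssl, offered only on the
                       Secure Gateway connection
     defaultTrustStore signer certificates only: the LDAP server's signer and the gateway's
                       CA chain (the DigiCert signer mentioned in the comments) -->
<keyStore id="defaultKeyStore" password="xxxxxx"
    location="${server.output.dir}/resources/security/key.jks"/>
<keyStore id="sgClientKeyStore" type="PKCS12" password="xxxxxx"
    location="${server.output.dir}/resources/security/sg_key.p12"/>
<keyStore id="defaultTrustStore" password="xxxxxx"
    location="${server.output.dir}/resources/security/trust.jks"/>

<!-- Inbound and LDAP: server identity from key.jks, trust from the signer store.
     The ldapRegistry keeps sslRef="SSLSettings" as posted. -->
<ssl id="SSLSettings" keyStoreRef="defaultKeyStore" trustStoreRef="defaultTrustStore"/>

<!-- Outbound to the Secure Gateway: client identity from the PKCS12, same trust store. -->
<ssl id="sgSSL" keyStoreRef="sgClientKeyStore" trustStoreRef="defaultTrustStore"/>
```

A quick check that the stores are what they should be: `keytool -list -v -keystore trust.jks` should show only `trustedCertEntry` entries, and `keytool -list -v -keystore sg_key.p12 -storetype PKCS12` should show one `PrivateKeyEntry` with the BmxCliCert alias. A trust store that lists a PrivateKeyEntry, or a key store that lists no private key, is the mix-up in the comments. Selecting sgSSL for the outbound call is a separate Liberty configuration step; the accepted answer on this page sidesteps it by building the SSLContext in application code.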

1 Answer


Finally got this to work.

previous code..

. . . .

connection = (HttpsURLConnection) url.openConnection();

Where url was the URL of the Secure Gateway.

Added before this...

import java.io.FileInputStream;
import java.security.KeyStore;
import java.security.SecureRandom;
import javax.net.ssl.HttpsURLConnection;
import javax.net.ssl.KeyManager;
import javax.net.ssl.KeyManagerFactory;
import javax.net.ssl.SSLContext;
import javax.net.ssl.TrustManager;
import javax.net.ssl.TrustManagerFactory;

// Client identity: the PKCS12 built with openssl (private key + client certificate)
KeyStore clientStore = KeyStore.getInstance("PKCS12");
clientStore.load(new FileInputStream(KEY_STORE_PATH), "xxxxxx".toCharArray());

KeyManagerFactory kmf = KeyManagerFactory.getInstance(KeyManagerFactory.getDefaultAlgorithm());
kmf.init(clientStore, "xxxxxx".toCharArray());
KeyManager[] kms = kmf.getKeyManagers();

// Trust: the JKS holding the Secure Gateway's signer (CA) certificate
KeyStore trustStore = KeyStore.getInstance("JKS");
trustStore.load(new FileInputStream(TRUST_STORE_PATH), "xxxxxx".toCharArray());

TrustManagerFactory tmf = TrustManagerFactory.getInstance(TrustManagerFactory.getDefaultAlgorithm());
tmf.init(trustStore);
TrustManager[] tms = tmf.getTrustManagers();

SSLContext sslContext = SSLContext.getInstance("TLS");
sslContext.init(kms, tms, new SecureRandom());

// This replaces the socket factory for every HttpsURLConnection in the JVM, not only this one;
// connection.setSSLSocketFactory(...) would scope it to a single connection.
HttpsURLConnection.setDefaultSSLSocketFactory(sslContext.getSocketFactory());

connection = (HttpsURLConnection) url.openConnection();

Now it works... tx

Some good info in this thread.. LINK

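The accepted answer gets the mutual-auth handshake working by building an SSLContext by hand, but it installs that context as the JVM-wide default and gives no way to see why an earlier attempt produced handshake_failure. The class below is an added example, written for this page rather than taken from the answer or from IBM: it builds the same kind of context from the PKCS12 client store and the JKS trust store, scopes it to one connection, and lists the cipher suites the client will offer so they can be compared with the suite `openssl s_client` reported for the gateway (ECDHE-RSA-AES256-GCM-SHA384, which JSSE names TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384). The class name, the command-line arguments and the store paths are assumptions.

```java
import java.io.FileInputStream;
import java.io.IOException;
import java.io.InputStream;
import java.net.URL;
import java.security.GeneralSecurityException;
import java.security.KeyStore;
import java.security.SecureRandom;
import java.util.Arrays;
import java.util.List;
import javax.net.ssl.HttpsURLConnection;
import javax.net.ssl.KeyManagerFactory;
import javax.net.ssl.SSLContext;
import javax.net.ssl.TrustManagerFactory;

/** Added example for this page; not the answer's code. Paths and arguments are placeholders. */
public class MutualTlsClient {

    /** Builds an SSLContext from a PKCS12 client key store and a JKS trust store. */
    public static SSLContext buildContext(String keyStorePath, char[] keyStorePassword,
                                          String trustStorePath, char[] trustStorePassword)
            throws IOException, GeneralSecurityException {
        // Client identity: private key + certificate, as produced by openssl pkcs12 -export
        KeyStore clientStore = KeyStore.getInstance("PKCS12");
        try (InputStream in = new FileInputStream(keyStorePath)) {
            clientStore.load(in, keyStorePassword);
        }
        KeyManagerFactory kmf = KeyManagerFactory.getInstance(KeyManagerFactory.getDefaultAlgorithm());
        kmf.init(clientStore, keyStorePassword);

        // Trust: signer certificates only (the gateway's CA chain), never the client's own key
        KeyStore trustStore = KeyStore.getInstance("JKS");
        try (InputStream in = new FileInputStream(trustStorePath)) {
            trustStore.load(in, trustStorePassword);
        }
        TrustManagerFactory tmf = TrustManagerFactory.getInstance(TrustManagerFactory.getDefaultAlgorithm());
        tmf.init(trustStore);

        // Pin the protocol rather than taking whatever "TLS" resolves to on this JDK
        SSLContext ctx = SSLContext.getInstance("TLSv1.2");
        ctx.init(kmf.getKeyManagers(), tmf.getTrustManagers(), new SecureRandom());
        return ctx;
    }

    /** The cipher suites this context will offer in its ClientHello. */
    public static List<String> enabledCipherSuites(SSLContext ctx) {
        return Arrays.asList(ctx.getDefaultSSLParameters().getCipherSuites());
    }

    /** Opens one connection with this context; the JVM's default socket factory is left alone. */
    public static HttpsURLConnection open(SSLContext ctx, URL url) throws IOException {
        HttpsURLConnection conn = (HttpsURLConnection) url.openConnection();
        conn.setSSLSocketFactory(ctx.getSocketFactory());
        // The default hostname verifier stays in place; do not replace it with an allow-all one.
        return conn;
    }

    // Usage (assumed arguments): java MutualTlsClient https://gateway.example/ sg_key.p12 trust.jks
    public static void main(String[] args) throws Exception {
        char[] keyPass = System.console().readPassword("PKCS12 password: ");
        char[] trustPass = System.console().readPassword("trust store password: ");
        SSLContext ctx = buildContext(args[1], keyPass, args[2], trustPass);
        Arrays.fill(keyPass, '\0');
        Arrays.fill(trustPass, '\0');

        // The suite openssl s_client reported for the gateway, in JSSE naming
        String wanted = "TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384";
        List<String> offered = enabledCipherSuites(ctx);
        if (!offered.contains(wanted)) {
            System.err.println("client will not offer " + wanted
                    + "; expect handshake_failure if the server accepts nothing else. Offered: " + offered);
        }

        HttpsURLConnection conn = open(ctx, new URL(args[0]));
        System.out.println("HTTP " + conn.getResponseCode());
        // Only valid once the handshake has completed
        System.out.println("negotiated " + conn.getCipherSuite());
    }
}
```

If `wanted` is missing from the offered list, the fix is on the client side: on older JDKs AES-256 suites need the unlimited-strength policy files the questioner mentions installing, and the ECDHE suites need the provider in use to support them; if it is present and the server still replies with handshake_failure, look at whether the server actually received a client certificate it trusts, since a rejected client certificate is reported with the same alert.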