My problem in Java ,SSL,openssl

Ali Khosravi
Hello

I am studying Java EE and SSL, but I have encountered a problem in my practice.

First I describe my problem in summary, and then I state what I did in detail, step by step. Please advise me if you can. Thank you so much.



I used openssl to be my own CA (Certificate Authority)
and WebLogic as my application server.
I used these instructions for using and configuring openssl: http://www.g-loaded.eu/2005/11/10/be-your-own-ca/
Then I created my own certificate and signed it with openssl,
and then I configured WebLogic for SSL with my keystores and the certificate.
After that I imported the CA's certificate into my web browser (Firefox), and I expected that when I log in to the WebLogic
Admin Console (for example https://testserver:7002/console) the web browser wouldn't show me the "Untrusted Connection"
exception, but it shows me this error:



This Connection is Untrusted

You have asked Firefox to connect securely to testserver:7002, but we can't confirm that your connection is secure.

Normally, when you try to connect securely, sites will present trusted identification to prove that you are going to the right place. However, this site's identity can't be verified.

What Should I Do?

If you usually connect to this site without problems, this error could mean that someone is trying to impersonate the site, and you shouldn't continue.

Technical Details

testserver:7002 uses an invalid security certificate.

The certificate is not trusted because the issuer certificate is not trusted.
The certificate is only valid for https://testserver:7002/

(Error code: sec_error_untrusted_issuer)


Now I describe in detail what I did.

-----------------------------

1. I create the CA certificate and key with this command:

openssl req -config openssl.my.cnf -new -x509 -extensions v3_ca -keyout private/myca.key -out certs/myca.crt -days 1825

Generating a 1024 bit RSA private key
........................++++++
..........++++++
writing new private key to 'private/myca.key'
Enter PEM pass phrase:
Verifying - Enter PEM pass phrase:
-----
You are about to be asked to enter information that will be incorporated
into your certificate request.
What you are about to enter is what is called a Distinguished Name or a DN.
There are quite a few fields but you can leave some blank
For some fields there will be a default value,
If you enter '.', the field will be left blank.
-----
Country Name (2 letter code) [GB]:IR
State or Province Name (full name) [Berkshire]:Teh
Locality Name (eg, city) [Newbury]:TehCity
Organization Name (eg, company) [My Company Ltd]:TehBoo
Organizational Unit Name (eg, section) []:TehU
Common Name (eg, your name or your server's hostname) []:https://testserver:7002
Email Address []:ali@aol.com


2. I use keytool to create my private key and public key and put them in a keystore, like this:

keytool -genkeypair -keyalg rsa -keystore ali_keytool.jks -storepass ali120 -alias ali_alias

What is your first and last name?
[Unknown]: https://testserver:7002/
What is the name of your organizational unit?
[Unknown]: aliOrgU
What is the name of your organization?
[Unknown]: aliOrg
What is the name of your City or Locality?
[Unknown]: aliCity
What is the name of your State or Province?
[Unknown]: alistate
What is the two-letter country code for this unit?
[Unknown]: IR
Is CN=https://testserver:7002/, OU=aliOrgU, O=aliOrg, L=aliCity, ST=alistate, C=IR correct?
[no]: yes

Enter key password for <ali_alias>
(RETURN if same as keystore password):



3. I create my CSR (Certificate Request) with this command:


keytool -certreq -alias ali_alias -keystore ali_keytool.jks -storepass ali120 -file ali_keytool.csr



4. I sign ali_keytool.csr with openssl. I do it like this:

openssl x509 -req -in ali_keytool.csr -CA ../certs/myca.crt -CAkey ../private/myca.key -out ali_keytool.crt -days 365 -CAcreateserial -CAserial my_ca.seq

Signature ok
subject=/C=IR/ST=alistate/L=aliCity/O=aliOrg/OU=aliOrgU/CN=https://testserver:7002/
Getting CA Private Key
Enter pass phrase for ../private/myca.key:




5. Now I have a signed certificate (ali_keytool.crt) and my CA certificate (myca.crt),
and I import the CA certificate into my keystore:

keytool -import -alias Openssl_ca -file ../certs/myca.crt -keystore ali_keytool.jks -storepass ali120



Owner: EMAILADDRESS=ali@aol.com, CN=https://testserver:7002, OU=TehU, O=TehBoo, L=TehCity, ST=Teh, C=IR
Issuer: EMAILADDRESS=ali@aol.com, CN=https://testserver:7002, OU=TehU, O=TehBoo, L=TehCity, ST=Teh, C=IR
Serial number: a03d636cfaaad2bb
Valid from: Mon Jan 16 18:28:27 IRST 2012 until: Sat Jan 14 18:28:27 IRST 2017
Certificate fingerprints:
MD5: 34:A0:7C:28:CE:F3D:46:B0:1E9:A4:26:AB:81:89
SHA1: 70:8AE:BB:45:9C:7F:55:4D:F4:20:E8:3F:97:F6:91:BE:B9:24:3A
Signature algorithm name: SHA1withRSA
Version: 3

Extensions:

#1: ObjectId: 2.5.29.14 Criticality=false
SubjectKeyIdentifier [
KeyIdentifier [
0000: 2A 3D E3 AB 79 77 D2 7E 85 F3 12 6A D2 38 83 D7 *=..yw.....j.8..
0010: EA 45 B2 E6 .E..
]
]

#2: ObjectId: 2.5.29.19 Criticality=false
BasicConstraints:[
CA:true
PathLen:2147483647
]

#3: ObjectId: 2.5.29.35 Criticality=false
AuthorityKeyIdentifier [
KeyIdentifier [
0000: 2A 3D E3 AB 79 77 D2 7E 85 F3 12 6A D2 38 83 D7 *=..yw.....j.8..
0010: EA 45 B2 E6 .E..
]

[EMAILADDRESS=ali@aol.com, CN=https://testserver:7002, OU=TehU, O=TehBoo, L=TehCity, ST=Teh, C=IR]
SerialNumber: [ a03d636c faaad2bb]
]

Trust this certificate? [no]: yes
Certificate was added to keystore



6. I import the signed certificate into my keystore under the alias of the private key:

keytool -import -alias ali_alias -file ali_keytool.crt -keystore ali_keytool.jks -storepass ali120

Certificate reply was installed in keystore



7. I import the CA certificate again into a new keystore to create a truststore:

keytool -import -alias my_ca -file ../certs/myca.crt -keystore ali_keytool_trust.jks -storepass ali120


Owner: EMAILADDRESS=ali@aol.com, CN=https://testserver:7002, OU=TehU, O=TehBoo, L=TehCity, ST=Teh, C=IR
Issuer: EMAILADDRESS=ali@aol.com, CN=https://testserver:7002, OU=TehU, O=TehBoo, L=TehCity, ST=Teh, C=IR
Serial number: a03d636cfaaad2bb
Valid from: Mon Jan 16 18:28:27 IRST 2012 until: Sat Jan 14 18:28:27 IRST 2017
Certificate fingerprints:
MD5: 34:A0:7C:28:CE:F3D:46:B0:1E9:A4:26:AB:81:89
SHA1: 70:8AE:BB:45:9C:7F:55:4D:F4:20:E8:3F:97:F6:91:BE:B9:24:3A
Signature algorithm name: SHA1withRSA
Version: 3

Extensions:

#1: ObjectId: 2.5.29.14 Criticality=false
SubjectKeyIdentifier [
KeyIdentifier [
0000: 2A 3D E3 AB 79 77 D2 7E 85 F3 12 6A D2 38 83 D7 *=..yw.....j.8..
0010: EA 45 B2 E6 .E..
]
]

#2: ObjectId: 2.5.29.19 Criticality=false
BasicConstraints:[
CA:true
PathLen:2147483647
]

#3: ObjectId: 2.5.29.35 Criticality=false
AuthorityKeyIdentifier [
KeyIdentifier [
0000: 2A 3D E3 AB 79 77 D2 7E 85 F3 12 6A D2 38 83 D7 *=..yw.....j.8..
0010: EA 45 B2 E6 .E..
]

[EMAILADDRESS=ali@aol.com, CN=https://testserver:7002, OU=TehU, O=TehBoo, L=TehCity, ST=Teh, C=IR]
SerialNumber: [ a03d636c faaad2bb]
]

Trust this certificate? [no]: yes
Certificate was added to keystore




8. Now I want to test whether I configured the certificates, keystores and WebLogic correctly. I do it with this program:



And I run the program with this command:


J:\JDeveloperWLS\jdk160_18\bin\java.exe -classpath C:\JDeveloper\mywork\SSLApplication\.adf;C:\JDeveloper\mywork\SSLApplication\SSLProject\classes -Djavax.net.ssl.trustStore=H:\test3\ali_https_testserver7002\ali_keytool_trust.jks -Dsun.security.ssl.allowUnsafeRenegotiation=false sslproject.SslSocketClient

Socket class: class com.sun.net.ssl.internal.ssl.SSLSocketImpl
Remote address = testserver/172.17.33.139
Remote port = 7002
Local socket address = /172.17.33.59:10721
Local address = /172.17.33.59
Local port = 10721
Need client authentication = false
Cipher suite = SSL_RSA_WITH_RC4_128_MD5
Protocol = TLSv1

The program runs without error, and I conclude that my keystores and WebLogic configuration are OK.


9. I use Firefox as my web browser, so I configure my browser: I select Tools --> Options --> Advanced --> Encryption --> View Certificates --> Authorities tab
and I import the server certificate, which here is "myca.crt, the openssl certificate".
In the Downloading Certificate window I select:
"Trust this CA to identify web sites"
"Trust this CA to identify email users"
"Trust this CA to identify software developers"



When I try to log in to WebLogic like this, "https://testserver:7002/console", Firefox shows me the following exception, while I expect it not to.
I don't know what the problem is or why Firefox shows me this exception when I have imported the CA's certificate. Do you know? Please advise me. Thanks.


This Connection is Untrusted

You have asked Firefox to connect securely to testserver:7002, but we can't confirm that your connection is secure.

Normally, when you try to connect securely, sites will present trusted identification to prove that you are going to the right place. However, this site's identity can't be verified.

What Should I Do?

If you usually connect to this site without problems, this error could mean that someone is trying to impersonate the site, and you shouldn't continue.

Technical Details

testserver:7002 uses an invalid security certificate.

The certificate is not trusted because the issuer certificate is not trusted.
The certificate is only valid for https://testserver:7002/
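The steps above (private CA, server key and CSR, CA-signed server certificate, keystore import, then the browser trust check) as an added example; this is not code from the original post or from the WebLogic or openssl projects. It redoes the whole procedure with openssl alone so that each step can be verified from the command line, and it ends with the two checks a browser performs before accepting a site: the issuer must chain to a trusted CA, and the host in the URL must match the certificate's subjectAltName or CN. It assumes openssl 1.1.1 or newer on PATH. The host name "testserver", the alias "ali_alias" and the password "ali120" are taken from the post; the CA name and all file names are made up for the example.

```shell
#!/bin/sh
# Added example, not code from the original post. Builds a private CA and a
# CA-signed server certificate with openssl, bundles them for keytool, and
# then checks the chain and the host name the way a browser would.
# Assumes openssl >= 1.1.1. "testserver", "ali_alias" and "ali120" come from
# the post; the CA name and file names are invented here.

# build_test_pki DIR: writes ca.crt, server.key, server.crt and server.p12 into DIR
build_test_pki() {
    dir=$1
    mkdir -p "$dir"
    # One config file serves both "req" (-config) and "x509 -req" (-extfile).
    cat > "$dir/pki.cnf" <<'EOF'
[ req ]
distinguished_name = req_dn
x509_extensions    = ca_ext
prompt             = no

[ req_dn ]
CN = Example Private CA

[ ca_ext ]
# CA:TRUE is what lets a verifier accept this certificate as an issuer.
basicConstraints       = critical, CA:TRUE, pathlen:0
keyUsage               = critical, keyCertSign, cRLSign
subjectKeyIdentifier   = hash

[ server_ext ]
# Browsers match the URL host against subjectAltName, so it must carry the
# bare host name: no scheme, no port.
basicConstraints       = CA:FALSE
keyUsage               = critical, digitalSignature, keyEncipherment
extendedKeyUsage       = serverAuth
subjectAltName         = DNS:testserver
subjectKeyIdentifier   = hash
authorityKeyIdentifier = keyid
EOF
    # 1. Self-signed CA certificate and key (step 1 of the post).
    openssl req -config "$dir/pki.cnf" -new -x509 -newkey rsa:2048 -nodes \
        -sha256 -days 3650 -keyout "$dir/ca.key" -out "$dir/ca.crt" || return 1
    # 2. Server key and CSR (steps 2-3). The CN is the host name, not a URL.
    openssl req -config "$dir/pki.cnf" -new -newkey rsa:2048 -nodes -sha256 \
        -subj "/C=IR/O=aliOrg/CN=testserver" \
        -keyout "$dir/server.key" -out "$dir/server.csr" || return 1
    # 3. Sign the CSR with the CA, attaching the server extensions (step 4).
    openssl x509 -req -in "$dir/server.csr" -CA "$dir/ca.crt" -CAkey "$dir/ca.key" \
        -CAcreateserial -days 365 -sha256 \
        -extfile "$dir/pki.cnf" -extensions server_ext -out "$dir/server.crt" || return 1
    # 4. Key, certificate and issuer in one PKCS#12 bundle (replaces steps 5-6).
    #    keytool imports it with:
    #      keytool -importkeystore -srckeystore server.p12 -srcstoretype PKCS12 \
    #              -srcstorepass ali120 -destkeystore ali_keytool.jks -deststorepass ali120
    #    (OpenSSL 3 needs "-legacy" here for bundles read by old JDKs.)
    openssl pkcs12 -export -in "$dir/server.crt" -inkey "$dir/server.key" \
        -certfile "$dir/ca.crt" -name ali_alias -passout pass:ali120 \
        -out "$dir/server.p12" || return 1
}

# verify_server_cert DIR: prints "verified" when the chain and host name
# checks pass and the two expected failures really do fail.
verify_server_cert() {
    dir=$1
    # Chain check with the CA trusted: the command-line equivalent of
    # importing myca.crt under Firefox's Authorities tab (step 9).
    openssl verify -CAfile "$dir/ca.crt" "$dir/server.crt" >/dev/null || return 1
    # Host name check: the browser compares the URL host with SAN/CN.
    openssl verify -CAfile "$dir/ca.crt" -verify_hostname testserver \
        "$dir/server.crt" >/dev/null || return 1
    # Without the CA in the trust store the same chain must be rejected;
    # this is the condition behind sec_error_untrusted_issuer.
    if openssl verify -no-CAfile -no-CApath "$dir/server.crt" >/dev/null 2>&1; then
        return 1
    fi
    # A URL is never a valid host name, so a CN like the post's cannot match.
    if openssl verify -CAfile "$dir/ca.crt" -verify_hostname "https://testserver:7002" \
        "$dir/server.crt" >/dev/null 2>&1; then
        return 1
    fi
    echo verified
}

# Usage: build_test_pki ./pki && verify_server_cert ./pki
```

`openssl verify -CAfile ca.crt` only proves that the certificate file on disk chains to the CA; what the browser judges is what the server actually sends. `openssl s_client -connect testserver:7002 -CAfile ca.crt` prints the certificate chain presented by the server together with the verify result, so it shows directly whether the server is presenting the expected certificate and its issuer.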
 
 