Set up SSL certificate security


Cert targets in RAFW

Oct 18, 2001

RAFW Engineer (rafw_engineer@atech.com) created two cert targets at the cell scope for RAFW...

Usage is as follows (using Cybersource as an example):

$RAFW -env $ENV -cell $CELL -t MyCo_was_70_configure_delete_signer_certificate -opt keystore_name=CellDefaultTrustStore -opt certificate_alias=cybersource

$RAFW -env $ENV -cell $CELL -t MyCo_was_70_configure_retrieve_trust_signer_from_host -opt trust_host=ics2wstest.ic3.com -opt trust_port=443 -opt certificate_alias=cybersource

The targets are rough, with limited error checking, and only support cell-level activities at this point, but he has completed initial functional testing.



Add PayPal certificate

Here is an example of how to add a PayPal cert to AD Stage. Note that this is the first iteration of this procedure. If you spot any errors or omissions, send an email to micheal_pareene@myco.com, and let me know what needs to be corrected.


  1. PayPal cert arrived attached to email in form of file stage2cp05_cert_key_pem.txt.
    -----BEGIN RSA PRIVATE KEY-----
    1111111111111111111111111111111111jjQOPW4hLkZR3c+ZOHFjxlnGs30Fiw
    69ZWtqu29Rij0IJhmvJwEImjV08dAkheTgWiXyyY+uOA32sJcQhhKc/dhQIDAQAB
    AoGAcbIlrJzHaYyQGq5B7CCrYJvf6L8mbDyVryDCdxNjGQ5ZLlcq+HY1eguDCKJv
    dAs6bZcyepvYXNbNZqUZs+xvobu2K3OcRzRNKLvEp053LbGpuqhEcKfqdcYywJe/
    rreFEmRKLoaMWX9DguECQQC5/CXx9v2xS+FLRrayAHOkbMUdnD4tSpc7sSec4k90
    1111111111111111111111111111111111jj1o+NPqTl
    -----END RSA PRIVATE KEY-----
    -----BEGIN CERTIFICATE-----
    1111111111111111111111111111111111jjAQEFBQAwgZ0xCzAJBgNVBAYTAlVT
    1111111111111111111111111111111111jjFOl5uC0x6eQNDyWYQ3HWph1fZV5c
    t41yH1O4E6DdInNxOSL9dOvWVrartvUYo9CCYZrycBCJo1dPHQJIXk4Fol8smPrj
    gN9rCXEIYSnP3YUCAwEAAaMNMAswCQYDVR0TBAIwADANBgkqhkiG9w0BAQUFAAOB
    1111111111111111111111111111111111jjOjJA9UnvOWGrnz0Fjn3k8QBxk5oL
    MDdjVRz1gOm4DAwtKg/Lh9jYTrgTQecyjD4lEBmyENBmjg==
    -----END CERTIFICATE-----
    

  2. Log on to dmgr as user wasadmin

  3. Copy the contents from BEGIN CERTIFICATE through END CERTIFICATE and paste into the file...

    /opt/WAS70/AppServer/profiles/Dmgr1/etc/paypal.pem

  4. Log on to deployment manager and go to...

    SSL certificate and key management | Key stores and certificates | NodeDefaultTrustStore | Signer certificates

    The truststore contains certificates from other parties that we expect to communicate with, or from Certificate Authorities that we trust to identify other parties.

  5. Click Add and set...

    Alias paypal1
    File name paypal.pem
    Data type Base64-encoded ASCII data

  6. Obtain keystore file...

    paypal_STAGE.pfx

    ...and scp to appserver...

    cfooad6a:/opt/paypal

    The keystore contains private keys, and the certificates with their corresponding public keys.

  7. Save changes to master repository

  8. Stop dmgr, appserver, and nodeagent

  9. Restart dmgr

  10. On appserver, run...

    syncNode.sh cfooad6d 8879

  11. Restart nodeagent and appserver
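Step 3 above is a copy-and-paste of one block out of a file that also holds the private key. The following added example (not the page's or PayPal's tooling) does that split mechanically: it parses a PEM bundle, checks each block's base64, writes only the CERTIFICATE blocks to the paypal.pem file used in step 5, and computes each block's SHA-1 fingerprint in the colon format the WAS console displays for signers. SAMPLE_BUNDLE is constructed from placeholder bytes and is not a real key or certificate; all function names are this example's own.

```python
"""Keep only the CERTIFICATE block(s) of a combined key+cert PEM file.

Added example for steps 1 and 3 of the PayPal procedure; it is not the page's
or IBM's tooling.  The file in step 1 carries an RSA PRIVATE KEY block and a
CERTIFICATE block; only the latter belongs in paypal.pem, which is imported
into a trust store.  The sample bundle below is constructed from placeholder
bytes and is not a real key or certificate.
"""
import base64
import hashlib
import re
from pathlib import Path

PEM_BLOCK = re.compile(
    r"-----BEGIN (?P<label>[A-Z0-9 ]+)-----\r?\n"
    r"(?P<body>[A-Za-z0-9+/=\r\n]+?)"
    r"-----END (?P=label)-----"
)
PRIVATE_KEY_LABELS = {
    "RSA PRIVATE KEY", "EC PRIVATE KEY", "DSA PRIVATE KEY",
    "PRIVATE KEY", "ENCRYPTED PRIVATE KEY",
}


def split_pem(text):
    """Return [(label, DER bytes)] for each well-formed block; raise on bad base64."""
    blocks = []
    for match in PEM_BLOCK.finditer(text):
        label = match.group("label")
        body = "".join(match.group("body").split())
        try:
            der = base64.b64decode(body, validate=True)
        except ValueError as exc:  # binascii.Error is a ValueError subclass
            raise ValueError(f"malformed base64 in {label} block") from exc
        blocks.append((label, der))
    return blocks


def contains_private_key(text):
    """True if any block in the text is key material (must never reach a trust store)."""
    return any(label in PRIVATE_KEY_LABELS for label, _ in split_pem(text))


def sha1_fingerprint(der):
    """Colon-separated SHA-1 digest, the format the console's CWPKI0308I lines show."""
    return ":".join(f"{b:02X}" for b in hashlib.sha1(der).digest())


def extract_certificates(text):
    """Re-emit only CERTIFICATE blocks, re-wrapped at 64 columns (RFC 7468 layout),
    which the console accepts as 'Base64-encoded ASCII data' (step 5)."""
    out = []
    for label, der in split_pem(text):
        if label != "CERTIFICATE":
            continue
        b64 = base64.b64encode(der).decode("ascii")
        lines = [b64[i:i + 64] for i in range(0, len(b64), 64)]
        out.append("-----BEGIN CERTIFICATE-----\n" + "\n".join(lines)
                   + "\n-----END CERTIFICATE-----\n")
    return "".join(out)


def write_truststore_pem(bundle_text, dest):
    """Write the certificate-only PEM to dest and return the certificate count.
    Refuses to produce an empty file and never writes key material."""
    pem = extract_certificates(bundle_text)
    count = pem.count("-----BEGIN CERTIFICATE-----")
    if count == 0:
        raise ValueError("no CERTIFICATE block found in input")
    assert "PRIVATE KEY" not in pem
    Path(dest).write_text(pem)
    return count


def _fake_block(label, payload):
    """Build a syntactically valid PEM block around constructed placeholder bytes."""
    b64 = base64.b64encode(payload).decode("ascii")
    lines = "\n".join(b64[i:i + 64] for i in range(0, len(b64), 64))
    return f"-----BEGIN {label}-----\n{lines}\n-----END {label}-----\n"


# Constructed stand-in for stage2cp05_cert_key_pem.txt (placeholder bytes only).
SAMPLE_BUNDLE = (_fake_block("RSA PRIVATE KEY", b"constructed placeholder key " * 4)
                 + _fake_block("CERTIFICATE", b"constructed placeholder cert " * 4))

if __name__ == "__main__":
    n = write_truststore_pem(SAMPLE_BUNDLE, "paypal.pem")
    for label, der in split_pem(SAMPLE_BUNDLE):
        print(label, sha1_fingerprint(der))
    print(f"wrote {n} certificate(s) to paypal.pem")
```

Running the script writes paypal.pem in the current directory; the fingerprint it prints for the CERTIFICATE block is what to compare against the digest the console shows after the Add in step 5.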



NodeDefaultSSLSettings

To configure SSL defaults, go to...

SSL certificate and key management | Manage endpoint security configurations | nodeagent | SSL configurations | NodeDefaultSSLSettings



Sep 30, 2011 - QT Delivery - SSL HANDSHAKE

QT Delivery troubleshoot -node increment

During appserver startup...

[10/3/11 12:01:26:355 EDT] 00000097 SystemOut O CWPKI0022E: SSL HANDSHAKE FAILURE: A signer with SubjectDN "SERIALNUMBER=2838921 + CN=ics2wstest.ic3.com, OU=Technical Operations, OID.2.5.4.15=Private Organization, O=Cybersource Corporation, OID.1.3.6.1.4.1.311.60.2.1.2=Delaware, OID.1.3.6.1.4.1.311.60.2.1.3=US, L=Mountain View, ST=California, C=US" was sent from target host:port "ics2wstest.ic3.com:443". The signer may need to be added to local trust store "/opt/WAS70/AppServer/profiles/MyCo/config/cells/MyCoCell/nodes/cfooqp8d/trust.p12" located in SSL configuration alias "NodeDefaultSSLSettings" loaded from SSL configuration file "security.xml". The extended error message from the SSL handshake exception is: "PKIX path building failed: java.security.cert.CertPathBuilderException: PKIXCertPathBuilderImpl could not build a valid CertPath.; internal cause is:
java.security.cert.CertPathValidatorException: The certificate issued by CN=Entrust.net Secure Server Certification Authority, OU=(c) 1999 Entrust.net Limited, OU=www.entrust.net/CPS incorp. by ref. (limits liab.), O=Entrust.net, C=US is not trusted; internal cause is:
java.security.cert.CertPathValidatorException: Certificate chaining error".

Troubled appservers: cfooqp8d, cfooqp8f, cfooqp8i

Debugging steps...

  1. Run retrieveSigners on cfooqp8d...

    ./retrieveSigners.sh CellDefaultTrustStore ClientDefaultTrustStore -host cfooqp7j 8879 -conntype SOAP -autoAcceptBootstrapSigner -username wcs7infra -password foo
    CWPKI0308I: Adding signer alias "default" to local keystore "ClientDefaultTrustStore" with the following SHA digest: 81:E7:85:8F:FD:B4:29:99:E1:02:B2:B0:9C:23:51:9F:E4:F1:B1:90
    CWPKI0308I: Adding signer alias "default_1" to local keystore "ClientDefaultTrustStore" with the following SHA digest: CF:E1:9F:19:23:41:EA:78:51:6B:6E:85:76:F3:D1:02:08:5B:36:44
    CWPKI0308I: Adding signer alias "default_2" to local keystore "ClientDefaultTrustStore" with the following SHA digest: 73:A6:38:BE:C4:EE:79:17:8F:3F:6F:D6:B6:21:A8:E8:67:62:53:5E
    CWPKI0308I: Adding signer alias "default_3" to local keystore "ClientDefaultTrustStore" with the following SHA digest: D6:25:FD:DF:49:23:B3:C3:AC:60:B1:4F:51:D9:B4:D6:20:7D:B6:9D

  2. Retrieve Signer Information

    • Log into the administrative console and go to...

      Security | SSL certificate and key management | Configuration settings | Manage endpoint security configurations | (cell):MyCoCell:(node):cfooqp8d management scope | Related Items | Key stores and certificates | NodeDefaultTrustStore | Additional Properties| Signer certificates |

    • Put a check next to...

      cybersource cert

      ...and select...

      Retrieve From Port

    • Enter ics2wstest.ic3.com in the Host field, 443 in the Port field, and ics2wstest.ic3.com_cert in the Alias field.

      Alternatively, enter the node agent host and port (cfooad6a, port 9401) in the Host and Port fields.

    • Click Retrieve Signer Information.

    • Verify that the certificate information is for a certificate that you can trust.

    • Click Apply and Save and then save changes to nodes

      System Administration | Save changes to master repository | Synchronize changes with Nodes

Step 2 seems to have fixed the problem. Exception is no longer appearing. So far, fix has been applied to cfooqp8d and cfooqp8f.
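The two log formats in the debugging steps above can be checked mechanically. The block below is an added example (not the page's or IBM's tooling) that parses CWPKI0022E handshake failures for the target host:port, trust store path and SSL configuration alias, lists the alias/SHA digest pairs that retrieveSigners reports via CWPKI0308I, and flags any signer whose digest is not on a previously recorded approved list, which is the "verify that the certificate information is for a certificate that you can trust" step in code. The sample log is the page's own text; the APPROVED_DIGESTS table and the function names are assumed.

```python
"""Parse the WAS SSL messages quoted above and check retrieved signers.

Added example, not the page's own tooling.  SAMPLE_LOG is the log text from
the page; APPROVED_DIGESTS is an assumed list an administrator recorded
earlier for this cell (three of the four digests, so one is flagged).
"""
import re
from dataclasses import dataclass

HANDSHAKE_FAILURE = re.compile(
    r'CWPKI0022E: SSL HANDSHAKE FAILURE: A signer with SubjectDN "(?P<subject>[^"]+)" '
    r'was sent from target host:port "(?P<host>[^":]+):(?P<port>\d+)"\. '
    r'The signer may need to be added to local trust store "(?P<truststore>[^"]+)" '
    r'located in SSL configuration alias "(?P<ssl_config>[^"]+)"'
)
UNTRUSTED_ISSUER = re.compile(r"The certificate issued by (?P<issuer>.+?) is not trusted")
SIGNER_ADDED = re.compile(
    r'CWPKI0308I: Adding signer alias "(?P<alias>[^"]+)" to local keystore '
    r'"(?P<keystore>[^"]+)" with the following SHA digest: '
    r"(?P<digest>(?:[0-9A-F]{2}:){19}[0-9A-F]{2})"
)


@dataclass
class HandshakeFailure:
    subject: str
    host: str
    port: int
    truststore: str
    ssl_config: str


@dataclass
class SignerAdded:
    alias: str
    keystore: str
    digest: str


def parse_handshake_failures(lines):
    """One HandshakeFailure per CWPKI0022E line in an iterable of log lines."""
    return [HandshakeFailure(m["subject"], m["host"], int(m["port"]),
                             m["truststore"], m["ssl_config"])
            for m in map(HANDSHAKE_FAILURE.search, lines) if m]


def untrusted_issuers(lines):
    """Issuer DNs the PKIX path builder reported as not trusted."""
    return [m["issuer"] for m in map(UNTRUSTED_ISSUER.search, lines) if m]


def parse_signer_additions(lines):
    """One SignerAdded per CWPKI0308I line (retrieveSigners / Retrieve from port)."""
    return [SignerAdded(m["alias"], m["keystore"], m["digest"])
            for m in map(SIGNER_ADDED.search, lines) if m]


def unexpected_signers(lines, approved):
    """Aliases whose digest is not in `approved` ({digest: description}).
    Mirrors the manual 'verify the certificate is one you trust' check
    before Apply and Save."""
    return [s.alias for s in parse_signer_additions(lines) if s.digest not in approved]


# Log text as quoted on the page (multi-line exception, then retrieveSigners output).
SAMPLE_LOG = """\
[10/3/11 12:01:26:355 EDT] 00000097 SystemOut O CWPKI0022E: SSL HANDSHAKE FAILURE: A signer with SubjectDN "SERIALNUMBER=2838921 + CN=ics2wstest.ic3.com, OU=Technical Operations, OID.2.5.4.15=Private Organization, O=Cybersource Corporation, OID.1.3.6.1.4.1.311.60.2.1.2=Delaware, OID.1.3.6.1.4.1.311.60.2.1.3=US, L=Mountain View, ST=California, C=US" was sent from target host:port "ics2wstest.ic3.com:443". The signer may need to be added to local trust store "/opt/WAS70/AppServer/profiles/MyCo/config/cells/MyCoCell/nodes/cfooqp8d/trust.p12" located in SSL configuration alias "NodeDefaultSSLSettings" loaded from SSL configuration file "security.xml". The extended error message from the SSL handshake exception is: "PKIX path building failed: java.security.cert.CertPathBuilderException: PKIXCertPathBuilderImpl could not build a valid CertPath.; internal cause is:
java.security.cert.CertPathValidatorException: The certificate issued by CN=Entrust.net Secure Server Certification Authority, OU=(c) 1999 Entrust.net Limited, OU=www.entrust.net/CPS incorp. by ref. (limits liab.), O=Entrust.net, C=US is not trusted; internal cause is:
java.security.cert.CertPathValidatorException: Certificate chaining error".
CWPKI0308I: Adding signer alias "default" to local keystore "ClientDefaultTrustStore" with the following SHA digest: 81:E7:85:8F:FD:B4:29:99:E1:02:B2:B0:9C:23:51:9F:E4:F1:B1:90
CWPKI0308I: Adding signer alias "default_1" to local keystore "ClientDefaultTrustStore" with the following SHA digest: CF:E1:9F:19:23:41:EA:78:51:6B:6E:85:76:F3:D1:02:08:5B:36:44
CWPKI0308I: Adding signer alias "default_2" to local keystore "ClientDefaultTrustStore" with the following SHA digest: 73:A6:38:BE:C4:EE:79:17:8F:3F:6F:D6:B6:21:A8:E8:67:62:53:5E
CWPKI0308I: Adding signer alias "default_3" to local keystore "ClientDefaultTrustStore" with the following SHA digest: D6:25:FD:DF:49:23:B3:C3:AC:60:B1:4F:51:D9:B4:D6:20:7D:B6:9D
"""

# Assumed: digests recorded for this cell on an earlier, verified run.
APPROVED_DIGESTS = {
    "81:E7:85:8F:FD:B4:29:99:E1:02:B2:B0:9C:23:51:9F:E4:F1:B1:90": "dmgr default signer",
    "CF:E1:9F:19:23:41:EA:78:51:6B:6E:85:76:F3:D1:02:08:5B:36:44": "node default signer",
    "73:A6:38:BE:C4:EE:79:17:8F:3F:6F:D6:B6:21:A8:E8:67:62:53:5E": "root signer",
}

if __name__ == "__main__":
    lines = SAMPLE_LOG.splitlines()
    for f in parse_handshake_failures(lines):
        print(f"{f.host}:{f.port} not trusted by {f.truststore} ({f.ssl_config})")
    for issuer in untrusted_issuers(lines):
        print("untrusted issuer:", issuer)
    print("signers needing review:", unexpected_signers(lines, APPROVED_DIGESTS))
```

Feeding SystemOut.log through `parse_handshake_failures` gives the exact trust store file and SSL configuration alias to fix for each troubled appserver, and running the retrieveSigners output through `unexpected_signers` turns the "verify the certificate information" step into a comparison against digests recorded on a run that was checked by hand.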


Global Header

Issue with Global Header and Footer emitting SSL Handshake Exceptions. To fix, the new Verisign certificate needed to be added at the load balancer as well as at the web server level.




SSL Settings


SSL certificate and key management | SSL configurations


SSL certificate and key management > SSL configurations > NodeDefaultSSLSettings

Name NodeDefaultSSLSettings
Trust store name NodeDefaultTrustStore ((cell):MyCoCell:(node):cfooqa8a)
Keystore name NodeDefaultKeyStore ((cell):MyCoCell:(node):cfooqa8a)
Default server certificate alias none
Default client certificate alias none
Management scope (cell):MyCoCell:(node):cfooqa8a


SSL certificate and key management | Dynamic outbound endpoint SSL configurations

Name Connection Information SSL Configuration Management Scope
crossref *,cptdnp13.myco.com,* XREF (cell):MyCoCell


SSL certificate and key management | Dynamic outbound endpoint SSL configurations | crossref

Name crossref
Management scope (cell):MyCoCell
Description crossref
Connection information *,cptdnp13.myco.com,*
SSL configuration XREF
Certificate alias ecom


SSL certificate and key management > Key stores and certificates

Name  Description  Management scope  (path on the following line)

CMSKeyStore  CMSKeyStore for web server webserver1.  (cell):MyCoCell:(node):cfooqa9c.myco.com-node:(server):webserver1
    ${CONFIG_ROOT}/cells/MyCoCell/nodes/cfooqa9c.myco.com-node/servers/webserver1/plugin-key.kdb
CMSKeyStore  CMSKeyStore for web server cfooqa9cWeb.  (cell):MyCoCell:(node):cfooqa9c.myco.com-node:(server):cfooqa9cWeb
    ${CONFIG_ROOT}/cells/MyCoCell/nodes/cfooqa9c.myco.com-node/servers/cfooqa9cWeb/plugin-key.kdb
CMSKeyStore  CMSKeyStore for web server cfooqa9c.  (cell):MyCoCell:(node):cfooqa9c:(server):cfooqa9c
    ${CONFIG_ROOT}/cells/MyCoCell/nodes/cfooqa9c/servers/cfooqa9c/plugin-key.kdb
CellDefaultKeyStore  Default key store for MyCoCell  (cell):MyCoCell
    ${CONFIG_ROOT}/cells/MyCoCell/key.p12
CellDefaultTrustStore  Default trust store for MyCoCell  (cell):MyCoCell
    ${CONFIG_ROOT}/cells/MyCoCell/trust.p12
NodeDefaultKeyStore  Default key store for cfooqa9a  (cell):MyCoCell:(node):cfooqa9a
    ${CONFIG_ROOT}/cells/MyCoCell/nodes/cfooqa9a/key.p12
NodeDefaultTrustStore  Default trust store for cfooqa9a  (cell):MyCoCell:(node):cfooqa9a
    ${CONFIG_ROOT}/cells/MyCoCell/nodes/cfooqa9a/trust.p12
XrefKeyStore  XrefKeyStore  (cell):MyCoCell
    ${CONFIG_ROOT}/cells/MyCoCell/crossref_key.p12
XrefTrustStore  XrefTrustStore  (cell):MyCoCell
    ${CONFIG_ROOT}/cells/MyCoCell/crossref_trust.p12
qakeystore  (no description)  (cell):MyCoCell:(node):cfooqa9a:(server):server1
    /opt/WAS70/AppServer/profiles/dmgr/etc/cer.sa.el-00077ecomQA.jck
qatruststore  (no description)  (cell):MyCoCell:(node):cfooqa9a:(server):server1
    /opt/WAS70/AppServer/profiles/dmgr/etc/cer.sa.el-00077ecomQA.jck


SSL certificate and key management > Key stores and certificates > CellDefaultKeyStore

Name CellDefaultKeyStore
Description Default key store for MyCoCell
Management scope (cell):MyCoCell
Path ${CONFIG_ROOT}/cells/MyCoCell/key.p12
Password
Type PKCS12
Remotely managed
Read only
Initialize at startup
Enable cryptographic operations on hardware device


SSL certificate and key management > Key stores and certificates > CellDefaultTrustStore

Name CellDefaultTrustStore
Description CellDefaultTrustStore
Management scope (cell):MyCoCell
Path ${CONFIG_ROOT}/cells/MyCoCell/trust.p12
Password
Type PKCS12
Remotely managed Host list
Read only
Initialize at startup
Enable cryptographic operations on hardware device


SSL certificate and key management > Key stores and certificates > CellDefaultKeyStore > Personal certificates

Alias default
  Issued to: CN=cfooqa9d.myco.com, OU=MyCoCell, OU=CommerceManager, O=IBM, C=US
  Issued by: CN=cfooqa9d.myco.com, OU=Root Certificate, OU=MyCoCell, OU=CommerceManager, O=IBM, C=US
  Serial number: 1304481868710621244
  Expiration: Valid from May 3, 2011 to May 2, 2012.

Chain certificate (no alias)
  Issued to: CN=cfooqa9d.myco.com, OU=Root Certificate, OU=MyCoCell, OU=CommerceManager, O=IBM, C=US
  Issued by: CN=cfooqa9d.myco.com, OU=Root Certificate, OU=MyCoCell, OU=CommerceManager, O=IBM, C=US
  Serial number: 1304481866175383792
  Expiration: Valid from May 3, 2011 to Apr 29, 2026.

Alias ecom
  Issued to: CN=CER.SA.EL-00077 HD.COM QA, OU=Applications, DC=myco, DC=com
  Issued by: CN=MyCo QA XREF Issuing CA v2, O=My Company, DC=myco, DC=com
  Serial number: 35186075532749654505599786761780227453
  Expiration: Valid from Aug 24, 2008 to Aug 24, 2011.

Chain certificate (no alias)
  Issued to: CN=MyCo QA XREF Issuing CA v2, O=My Company, DC=myco, DC=com
  Issued by: CN=MyCo QA Root CA v2, O=My Company, DC=myco, DC=com
  Serial number: 237805959845363788083959832446253356038
  Expiration: Valid from Dec 27, 2007 to Sep 19, 2027.

Chain certificate (no alias)
  Issued to: CN=MyCo QA Root CA v2, O=My Company, DC=myco, DC=com
  Issued by: CN=MyCo QA Root CA v2, O=My Company, DC=myco, DC=com
  Serial number: 171749322859236606049062357921192209291
  Expiration: Valid from Sep 21, 2007 to Sep 21, 2027.


SSL certificate and key management > Key stores and certificates > NodeDefaultKeyStore

Name NodeDefaultKeyStore
Description NodeDefaultKeyStore
Management scope (cell):MyCoCell:(node):cfoosa7b
Path ${CONFIG_ROOT}/cells/MyCoCell/nodes/cfoosa7b/key.p12
Password
Type PKCS12
Remotely managed Host list
Read only
Initialize at startup
Enable cryptographic operations on hardware device


SSL certificate and key management > Key stores and certificates > NodeDefaultTrustStore

Name NodeDefaultTrustStore
Description NodeDefaultTrustStore
Management scope (cell):MyCoCell:(node):cfoosa7b
Path ${CONFIG_ROOT}/cells/MyCoCell/nodes/cfoosa7b/trust.p12
Password
Type PKCS12
Remotely managed Host list
Read only
Initialize at startup
Enable cryptographic operations on hardware device


SSL certificate and key management > Key stores and certificates > XREFKeyStore

Name XREFKeystore
Description XREFKeystore
Management scope (cell):MyCoCell
Path ${CONFIG_ROOT}/cells/MyCoCell/crossref_key.p12
Password
Type PKCS12
Remotely managed Host list
Read only
Initialize at startup
Enable cryptographic operations on hardware device


SSL certificate and key management > Key stores and certificates > XREFTrustStore

Name XREFTrustStore
Description XREFTrustStore
Management scope (cell):MyCoCell
Path ${CONFIG_ROOT}/cells/MyCoCell/crossref_trust.p12
Password
Type PKCS12
Remotely managed Host list
Read only
Initialize at startup
Enable cryptographic operations on hardware device


SSL certificate and key management | Manage endpoint security configurations | Outbound | MyCoCell(CellDefaultSSLSettings) | nodes | nodename(NodeDefaultSSLSettings)

Name nodename
Direction Outbound
Inherited SSL configuration name CellDefaultSSLSettings
Inherited certificate alias null
Override inherited values checked
SSL configuration NodeDefaultSSLSettings
Certificate alias in key store (none)


SSL certificate and key management | Manage endpoint security configurations | Outbound | MyCoCell(CellDefaultSSLSettings) | nodes | nodename(NodeDefaultSSLSettings) | Manage certificates

Valid, alias default
  Issued to: CN=appserver.myco.com
  Issued by: CN=dmgr.myco.com, OU=Root Certificate, OU=MyCoCell, OU=CommerceManager, O=IBM, C=US
  Serial number: 1314158525314133039
  Expiration: Valid from Aug 23, 2011 to Aug 22, 2012.

Chained (no alias)
  Issued to: CN=dmgr.myco.com, OU=Root Certificate, OU=MyCoCell, OU=CommerceManager, O=IBM, C=US
  Issued by: CN=dmgr.myco.com, OU=Root Certificate, OU=MyCoCell, OU=CommerceManager, O=IBM, C=US
  Serial number: 1308783229174271246
  Expiration: Valid from Jun 21, 2011 to Jun 17, 2026.



Set up new environment

There are two ways one can set up certificates on a new non-production environment.

  1. Copy existing non-prod env key and trust store into the new set up.
  2. Set up key and trust store from scratch.


Approach 1: Leverage an existing non-prod env key and trust store

Currently we have AD71 and QA7 cell2 configured with all certificates. For any new environment going forward we can take the key and trust store files from these environments and use them directly in the new setup. Use key.p12 and trust.p12 from any of these servers.

Node-level key and trust stores can be found at...

$WC_PROFILE/config/cells/<Cell name>/nodes/<Node name>/key.p12
$WC_PROFILE/config/cells/<Cell name>/nodes/<Node name>/trust.p12

Back up the original key.p12 and trust.p12 files, then copy key.p12 and trust.p12 from an existing (working) non-production environment and use them directly in the new setup. The default password is WebAS.

After you have copied key.p12 and trust.p12 into the new setup, restart the appserver for the changes to take effect.
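Approach 1 as a script, added here as an example (not the page's or IBM's tooling): it locates the node-level key.p12 and trust.p12 using the $WC_PROFILE layout above, backs up the target files before touching them, copies the pair from the known-good environment, and verifies the copy with SHA-256. The node_store_dir, install_stores and demo names and the constructed store contents are this example's own; demo runs the whole flow on placeholder files in a temporary directory.

```python
"""Back up a node's key.p12 / trust.p12, copy the pair from a known-good
non-prod environment, and verify the copy byte for byte.

Added example; the directory layout follows the page, everything else is
assumed.  The stores are copied as opaque files and never opened.
"""
import hashlib
import shutil
import tempfile
from datetime import datetime
from pathlib import Path

STORE_FILES = ("key.p12", "trust.p12")


def node_store_dir(profile_root, cell, node):
    """$WC_PROFILE/config/cells/<Cell name>/nodes/<Node name>/ as given on the page."""
    return Path(profile_root) / "config" / "cells" / cell / "nodes" / node


def sha256_of(path):
    return hashlib.sha256(Path(path).read_bytes()).hexdigest()


def looks_like_pkcs12(path):
    """PKCS#12 files are DER; the outer PFX SEQUENCE starts with tag byte 0x30.
    A cheap check that catches copying an empty, truncated or text file."""
    data = Path(path).read_bytes()
    return len(data) > 2 and data[0] == 0x30


def backup_path(target):
    """key.p12.bak.<timestamp>[.n]; an existing backup is never overwritten."""
    stamp = datetime.now().strftime("%Y%m%d-%H%M%S")
    candidate = target.with_name(f"{target.name}.bak.{stamp}")
    n = 1
    while candidate.exists():
        candidate = target.with_name(f"{target.name}.bak.{stamp}.{n}")
        n += 1
    return candidate


def install_stores(src_dir, dst_dir):
    """Copy key.p12 and trust.p12 from src_dir into dst_dir, backing up first.
    Returns {file name: backup path or None}.  Raises before touching anything
    if the source files are missing or do not look like PKCS#12."""
    src_dir, dst_dir = Path(src_dir), Path(dst_dir)
    if not dst_dir.is_dir():
        raise FileNotFoundError(f"node directory {dst_dir} does not exist")
    for name in STORE_FILES:
        src = src_dir / name
        if not src.is_file():
            raise FileNotFoundError(src)
        if not looks_like_pkcs12(src):
            raise ValueError(f"{src} does not look like a PKCS#12 store")
    backups = {}
    for name in STORE_FILES:
        src, dst = src_dir / name, dst_dir / name
        backups[name] = None
        if dst.exists():
            bak = backup_path(dst)
            shutil.copy2(dst, bak)
            backups[name] = bak
        shutil.copy2(src, dst)
        if sha256_of(src) != sha256_of(dst):
            raise IOError(f"copy of {name} did not verify")
    return backups


def demo():
    """Run install_stores on constructed placeholder files in a temp directory
    (twice, then once against a non-PKCS#12 source) and report what happened."""
    root = Path(tempfile.mkdtemp())
    src = node_store_dir(root / "good_profile", "MyCoCell", "cfooqa9a")
    dst = node_store_dir(root / "new_profile", "MyCoCell", "newnode")
    bad = root / "bad"
    for d in (src, dst, bad):
        d.mkdir(parents=True)
    for name in STORE_FILES:
        # constructed bytes: a DER-looking header followed by a label, not real stores
        (src / name).write_bytes(b"\x30\x82\x01\x00" + name.encode() + b" constructed good store")
        (dst / name).write_bytes(b"\x30\x82\x00\x10" + name.encode() + b" constructed original store")
        (bad / name).write_text("-----BEGIN CERTIFICATE-----\n")  # PEM text, not PKCS#12
    first = install_stores(src, dst)
    second = install_stores(src, dst)
    try:
        install_stores(bad, dst)
        rejected = False
    except ValueError:
        rejected = True
    return {
        "matches_source": all(sha256_of(src / n) == sha256_of(dst / n) for n in STORE_FILES),
        "first_backup_kept_original": first["key.p12"].read_bytes().endswith(b"constructed original store"),
        "backup_count": len(list(dst.glob("key.p12.bak.*"))),
        "second_backup_distinct": second["key.p12"] != first["key.p12"],
        "rejects_non_pkcs12": rejected,
    }


if __name__ == "__main__":
    print(demo())
```

The script never opens the stores, so their password (WebAS by default, per the page) is unchanged, and the checks under the two Verification headings below are still done in the console or with keytool. Copying key.p12 also copies the ecom private key, so every environment set up this way shares that key.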


Verification - Key Store

Look for the personal certificate with alias ecom under Personal certificates. It is needed for the CrossRef services.


Verification - Trust Store

Look for certificates from cptdnp13.myco.com, ics2wstest.ic3.com and webapps-qa.myco.com


Approach 2: Set up key and trust store from scratch

Below are two key points one needs to understand before starting to set up certificates on a new environment.

Procedure...

  1. Log on to the WAS Admin Console

  2. Identify the default key and trust store for your application. Normally it is at node level. key.p12 can be found at...

    ${CONFIG_ROOT}/cells/MyCoCell/nodes/cfooqa9a/key.p12

    ...and the trust store can be found at...

    ${CONFIG_ROOT}/cells/MyCoCell/nodes/cfooqa9a/trust.p12

    If you are using cell level, the locations for key.p12 and trust.p12 respectively are...

    ${CONFIG_ROOT}/cells/MyCoCell/key.p12
    ${CONFIG_ROOT}/cells/MyCoCell/trust.p12

  3. Import private server certificate into default key store

    • Go to...

      SSL certificate and key management | Key stores and certificates | NodeDefaultKeyStore | Personal certificates | Import

      ...and select...

      Key store file option

      Provide the path to 00077ecomQA certificate for CrossRef.

    • Select appropriate key store type. For 00077ecomQA it is JCEKS.

    • Click on "Get Key File Aliases"

    • Select ecom from the list of certificates.

    • Enter a description if you want and click Apply.

    You are done importing the private certificate required by CrossRef. Your list of personal certificates should look something like this; pay attention to the ecom cert and its associated chain.

  4. Import signer certificates into default trust store

    • Identify the default trust store used by the application: normally it is at node level, and node level normally inherits from cell.

    • Navigate to default trust store i.e. SSL certificate and key management | Manage endpoint security configurations | MyCoCell | Key stores and certificates | CellDefaultTrustStore

      Navigate to Signer certificates.

      Click Retrieve from port

      Enter the following host names and ports, click Retrieve signer information, and then save.

      Description   Host                 Port
      XREF          cptdnp13.myco.com    9336
      Bopis         webapps-qa.myco.com  443
      Cybersource   ics2wstest.ic3.com   443

      After the signer certificates above are imported, your screen should look something like