SEC_ERROR_CA_CERT_INVALID

807567 (Jan 7 2009, edited Sep 18 2009)
As per the steps mentioned, I tried the following:

1. Created a self-signed certificate
2. Created an HTTP listener with the APP SERVER name and PORT
3. Enabled SSL
4. Deployed the origin server
5. Modified https-hostname.com.conf
6. Changed the certificate flags to 'CTu,u,u'
7. APP SERVER listener enabled with SSL and the nickname s1as in SUNWappserver 9.1

But I got this error:
Gateway Timeout
Processing of this request was delegated to a server that is not functioning properly.

I have noticed the following errors in the web server's log.

for host xxx.xx.x.xxx trying to GET /xyz/, service-http reports: HTTP7758: error sending request (SEC_ERROR_CA_CERT_INVALID: Issuer certificate is invalid.)

Please help me to test using a self-signed certificate between the web server and the app server.

Comments

800484
Can you send the certutil output from the origin server (the app server in your case, I think) and from the reverse proxy Web Server instance configuration directory where cert*.db is located?
$certutil -L -d .

You need to check out the trust flags as per
http://archive.netbsd.se/?ml=mozilla-crypto&a=2007-06&t=4354970

Wondering if your App. Server has cert*.db? Then you could import this Web Server certificate into your App. Server as a trusted CA certificate and the App. Server's cert. into the Web Server as a trusted CA.
807567
Would you please clarify the following?

1. Generate a self-signed certificate (web server), let's say with the nickname abc-cert (changing flags to 'CTu,u,u' for trusted CA)
2. Configure the web server with an HTTP listener pointing to, let's say, https://abc.com:443
3. Generate a self-signed certificate (app server side), let's say def-cert, generated using keytool (changing flags to 'CTu,u,u')
4. Configure the AppServer listener on 8181 with the SSL nickname def-cert
5. Import the certificates into the servers:
   1. def-cert into Web Server
   2. abc-cert into App Server
6. Is it required to associate one with the other, I mean keystore and truststore?

Please help me on this.
807567
I am still getting the same error. Moreover, I could not open the exported certificate after applying the command
/pk12util -o /tmp/exported.crt -n My-CA-Cert -d .

The error is alerted when I try to open the certificate:

This file is invalid for use as the following: Security Certificate

I don't know what is wrong in the steps.

The web server and app server are running on different machines.
wadm>create-selfsigned-cert config=test.sun.com server-name=test.sun.com --nickname=My-CA-Cert

wadm>create-http-listener listener-port=8888 config=test.sun.com server-name=test.sun.com default-virtual-server-name=test.sun.com mylistener

Could you please tell me how I should specify it if my server host name is different?
My web server is named abc.com and the app server is named def.com.
800484
receivables wrote:
1. Generate a self-signed certificate (Web Server), let's say with the nickname abc-cert (changing flags to 'CTu,u,u' for trusted CA)
2. Configure the web server with an HTTP listener pointing to, let's say, https://abc.com:443
3. Generate a self-signed certificate (AppServer side), let's say def-cert, generated using keytool (changing flags to 'CTu,u,u')
4. Configure the AppServer listener on 8181 with the SSL nickname def-cert
5. Import the certificates into the servers:
   1. def-cert into Web Server
Is required. In the SSL handshake, when the Web Server connects to the App. Server as a client, the App. Server has to send back its certificate (def-cert in this case) to the Web Server. As the App. Server's server certificate is a self-signed certificate and is not signed by a trusted CA, you need to add this App. Server's server certificate into the Web Server's NSS database with trusted CA flags. For more info about trust flags: http://www.mozilla.org/en/projects/security/pki/nss/tools/certutil.html
   2. abc-cert into App Server
This is required only if client auth is enabled on the Application Server, which most probably is not.
6. Is it required to associate one with the other, I mean keystore and truststore?
800484
receivables wrote:
I am still getting the same error. Moreover, I could not open the exported certificate after applying the command
/pk12util -o /tmp/exported.crt -n My-CA-Cert -d .

The error is alerted when I try to open the certificate:

This file is invalid for use as the following: Security Certificate
To export the server certificate from the App. Server you can try keytool or the migrate-jks-keystore Admin. CLI
http://blogs.sun.com/meena/entry/migrating_jks_keystore_entries_to
http://docs.sun.com/app/docs/doc/820-4842/migrate-jks-keycert-1?a=view
Assuming that the Web Server certificate nickname is different from the AppServer certificate's. Otherwise it will conflict with the Web Server's server certificate.
You will have to manually run certutil on the Web Server NSS database to modify the trust flags of this App. Server certificate after importing it.
800484
Or an easier way is to connect to the App. Server via a browser with ssltap
http://www.mozilla.org/projects/security/pki/nss/tools/ssltap.html in between. It will save the App. Server server certificate as cert.001. You can import that app. server certificate using certutil.
807567
I would like to thank you for all your inputs. Finally, I have achieved it by using the keytool UI to import the certificate into the web server. Now it is working.
807567
The communication between the web server and the app server is happening via SSL after successful configuration of the certificates; however, I am noticing the below error in the web server's errors.log. I don't know what is wrong.
HTTP3068: Error receiving request from xxx.xx.xx.xx (SSL_ERROR_CERTIFICATE_UNKNOWN_ALERT: Client had some unspecified issue with the certificate it received.)

Could you please throw a pitch on it?
800484
Maybe you need to tweak the trust flags.

Try "CTu,CTu,CTu". http://www-archive.mozilla.org/projects/security/pki/nss/ref/ssl/gtstd.html says
"The trust flag settings "CTu,CTu,CTu" indicate that the certificate is a CA certificate that is trusted to issue both client (C) and server (T) SSL certificates as well as email and object-signing certificates. The u flag indicates that the CA certificate can itself be used for signing or authentication operations.

NOTE: The u flag should not be set in a root CA certificate intended for deployment in a real (as opposed to a test) PKI for chaining purposes. Only the authorized CA should be able to sign anything or authenticate itself with a CA certificate. "

Can you attach ssltap (http://www.mozilla.org/projects/security/pki/nss/tools/ssltap.html) and see what's happening?

You can also use truss to see which function was called and is returning this error:
$truss -o truss.out -fall -u "*" <webservd-largest-pid>
807567
I could not open the certificate which I generated from Sun Java Web Server 7, but when I try to print it using certutil it shows the details. The problem here is that after exporting it using pk12util -o /local/temp/certs/test.crt -n aliasname -d . I could not open it from the file. It throws the message that it is invalid for use as the following: Security Certificate. It means for security reasons. Can't we open it?
800484
Are you trying to export server certificate from Web Server? If your Application Server does NOT have client authentication enabled you can skip this step.

Which tool are you using to open the certificate (which is giving this error message)?

I found 2 related links in a Google search:
https://knowledge.verisign.com/support/eca-support/index?page=content&id=SO4410&actp=LIST
https://support.comodo.com/index.php?_m=knowledgebase&_a=viewarticle&kbarticleid=1163

MS Windows decides what to do with a file based on the "file name extension"
(the letters after the last "dot" in the name). Some common file name
extensions related to certificates are:

.cer  .crt  .der  - a file with a single certificate in PEM or binary DER

.p7b              - a PKCS#7 signedData object, containing a signature
                    and certificates, also called a "certificate package".

.pfx .p12         - a PKCS#12 file containing a private key and one
                    or more certificates.

Since you do not intend to copy the private key, but only want to copy the certificate, pk12util was the wrong tool. In that case, use certutil to create a .crt file, e.g.
  $certutil -L -o /tmp/exported.crt -n My-CA-Cert -d .
807567
The self-signed certificate is working fine as per the steps given by you. I have tried with a third-party certificate from VeriSign in another environment.

This is what I get after loading the certificate on web server
mycertificate u,u,u
VeriSign, Inc. - VeriSign, Inc. CT,,

I exported and imported this certificate into App. Server using pk12util; In App. Server, this is what I get
mycertificate u,u,u
Verisign Class 3 Public Primary Certification Authority c,c,c
VeriSign, Inc. - VeriSign, Inc. CT,,

After restarting both servers, we got the error
Gateway Timeout

And in the web server's log the error is
error sending request (SEC_ERROR_CA_CERT_INVALID: Issuer certificate is invalid.)


Could you provide me a pitch on this issue?
807567
1. Do the server certificate name and the instance name need to be exactly the same or not? In the above scenario the instance name and the subject name of the certificate are different.

Let's say an example:
my certificate URL name is 'uat.mycertificate.com' and my instance name is 'uatweb.mycompany.com'

If the answer to question 1 is yes, i.e. the certificate URL and the instance name must be exactly the same, then how do we create another instance using the certificate URL name as the instance name? We already have one instance and we don't want to disturb the existing one.

In that case, please mention the steps for creating another instance.
800484
receivables wrote:
1. Do the server certificate name and the instance name need to be exactly the same or not? In the above scenario the instance name and the subject name of the certificate are different.
Let's say an example:
my certificate URL name is 'uat.mycertificate.com' and my instance name is 'uatweb.mycompany.com'
Do you get any error at the time of start up of the instance like:
http://forums.sun.com/thread.jspa?threadID=5272256
warning ( 3256): CORE1251: On HTTP listener http-listener-1, server name SSL does not match subject "www.ourdomain.com" of certificate Server-Cert.
800484
receivables wrote:
This is what I get after loading the certificate on web server
mycertificate u,u,u
VeriSign, Inc. - VeriSign, Inc. CT,,

In App. Server, this is what I get
mycertificate u,u,u
Verisign Class 3 Public Primary Certification Authority c,c,c
VeriSign, Inc. - VeriSign, Inc. CT,,
These trust flags look ok. For server certificates u,u,u is ok. For CA certificates, trust flags should be CT.

You can try modifying trust flag of this "Verisign Class 3 Public Primary Certification Authority" to "CTu,CTu,CTu"

You can use certutil to modify these flags.
$certutil -M              Modify trust attributes of certificate
   -n cert-name      The nickname of the cert to modify
   -t trustargs      Set the certificate trust attributes:
                         p      valid peer
                         P      trusted peer (implies p)
                         c      valid CA
                         T      trusted CA to issue client certs (implies c)
                         C      trusted CA to issue server certs (implies c)
                         u      user cert
                         w      send warning
   -d certdir        Cert database directory
   -P dbprefix       Cert & Key database prefix
In my Admin Server instance, I see certificates with these flags:
$certutil -L -d .
Admin-Server-Cert    u,u,u
Admin-Client-Cert      u,u,u
Admin-CA-Cert         CTu,u,u
clientcacert               CT,,
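The trust-flag triples above are easy to misread when a nickname contains spaces. The following added example (mine, not from this thread or from Sun Web Server) decodes a constructed `certutil -L -d .` listing modelled on the ones posted here, reports per slot what each flag grants, and tells you whether a given certificate can serve as the issuer the Web Server needs in the SSL slot when it connects to the origin server; the `certutil -M` command it prints mirrors the usage shown in the post above.

```python
"""Decode NSS trust flags from a certutil -L listing (added example)."""
import re

# Meaning of each attribute letter, per the certutil -M help quoted above.
FLAG_MEANING = {
    "p": "valid peer",
    "P": "trusted peer (implies p)",
    "c": "valid CA",
    "T": "trusted CA to issue client certs (implies c)",
    "C": "trusted CA to issue server certs (implies c)",
    "u": "user cert (private key present in this db)",
    "w": "send warning",
}
SLOTS = ("ssl", "email", "object_signing")  # order of the three slots

# Constructed listing, modelled on the ones posted in this thread.
SAMPLE_LISTING = """\
Certificate Nickname                                         Trust Attributes
                                                             SSL,S/MIME,JAR/XPI

mycertificate                                                u,u,u
Verisign Class 3 Public Primary Certification Authority      c,c,c
VeriSign, Inc. - VeriSign, Inc.                              CT,,
Admin-CA-Cert                                                CTu,u,u
"""

# Nicknames may contain spaces, so anchor on the trust triple at line end.
TRUST_RE = re.compile(
    r"^(?P<nick>\S.*?)\s+(?P<flags>[pPcTCuw]*,[pPcTCuw]*,[pPcTCuw]*)\s*$")


def parse_trust(triple):
    """'CTu,u,u' -> {'ssl': {'C','T','u'}, 'email': {'u'}, 'object_signing': {'u'}}."""
    parts = triple.split(",")
    if len(parts) != 3:
        raise ValueError(f"expected three trust slots, got {triple!r}")
    return {slot: set(part) for slot, part in zip(SLOTS, parts)}


def parse_listing(text):
    """Return {nickname: trust dict} for every certificate line in a listing."""
    certs = {}
    for line in text.splitlines():
        m = TRUST_RE.match(line)
        if m:
            certs[m.group("nick")] = parse_trust(m.group("flags"))
    return certs


def describe(trust):
    """Spell out what each slot grants, e.g. for a support ticket."""
    return {slot: sorted(FLAG_MEANING[f] for f in flags)
            for slot, flags in trust.items()}


def can_issue_server_certs(trust):
    """The Web Server (TLS client) needs 'C' in the SSL slot of the issuer."""
    return "C" in trust["ssl"]


def diagnose_issuer(trust):
    """Why a chain ending at this certificate would or would not verify."""
    ssl = trust["ssl"]
    if "C" in ssl:
        return "ok: trusted in the SSL slot to issue server certs"
    if ssl & {"c", "T"}:
        return "valid CA but not trusted for server certs in the SSL slot"
    if "u" in ssl:
        return "user certificate only: not usable as an issuer for chain verification"
    return "no SSL trust at all"


def certutil_fix(nick, dbdir="."):
    """The certutil -M invocation from this thread, with the nickname quoted."""
    return f'certutil -M -n "{nick}" -t "CT,," -d {dbdir}'


def audit_listing(text):
    """Map every nickname in a listing to its diagnosis."""
    return {nick: diagnose_issuer(t) for nick, t in parse_listing(text).items()}


if __name__ == "__main__":
    for nick, verdict in audit_listing(SAMPLE_LISTING).items():
        print(f"{nick!r}: {verdict}")
```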
800484
receivables wrote:
And in the web server's log the error is error sending request (SEC_ERROR_CA_CERT_INVALID: Issuer certificate is invalid.)
I checked the NSS code; it has something to do with issuer privilege (I do not know what it is) or the Basic Constraints isCA of the server certificate.
/security/nss/lib/certhigh/certvfy.c located @ http://mxr.mozilla.org/security/source/security/nss/lib/certhigh/certvfy.c
445     switch (last_type) {
446       case cbd_User:
...
451         /* now check for issuer privilege */
452         if ((rv != SECSuccess) || ((priv & 0x10) == 0)) {
...
454             PORT_SetError (SEC_ERROR_CA_CERT_INVALID);
...
458       case cbd_CA:
459         if ((priv & 0x20) == 0) {
...
461             PORT_SetError (SEC_ERROR_CA_CERT_INVALID);
...
691             if ( basicConstraint.isCA == PR_FALSE ) {
692                 PORT_SetError (SEC_ERROR_CA_CERT_INVALID);
...
790             if (  !isca  ) {
791                 PORT_SetError(SEC_ERROR_CA_CERT_INVALID);
...
968         if ( basicConstraint.isCA == PR_FALSE ) {
969             PORT_SetError (SEC_ERROR_CA_CERT_INVALID);
...
1031         if (!isca) {
1032             PORT_SetError(SEC_ERROR_CA_CERT_INVALID);
...
For my Admin Server CA certificate, I see Basic Constraints is CA.
$certutil -L -d . -n Admin-CA-Cert
...
        Signed Extensions:
            Name: Certificate Basic Constraints
            Critical: True
            Data: Is a CA with a maximum path length of -2.
...
$certutil -L -d . -n clientcacert
...
        Signed Extensions:
            Name: Certificate Type
            Data: <SSL CA,S/MIME CA,ObjectSigning CA>
            Name: Certificate Basic Constraints
            Critical: True
            Data: Is a CA with a maximum path length of 10.
...
807807
1. do we need to have server certificate and instance name should exactly the same or not?
No. It is only necessary that the CN value in the certificate's subject DN has the same name as that of the host value in the URL used to access the instance.
For example, if you had to access your instance as foo.bar.com then the CN value of the certificate's subject DN should be foo.bar.com even if your instance name is uatweb.mycompany.com.
Please mention the steps for creating an another instance.
Only 1 instance can be created per configuration in any given m/c (host).
In other words, if you want another instance in the same m/c for the same configuration then it's not allowed/supported/possible.
One way could be to clone the configuration (with a different name) and then create an instance for the new configuration on the same m/c. You can use the administrative interfaces to clone a configuration.

HTH.
807567
I got the exception like

'webserver host appserver does not match the name of the certificate'
800484
Can you send the exact line you are seeing in error logs so I can search in code base? (replace confidential machine names with abc or def)
807567
Even though we try to change the attributes to CTu,CTu,CTu as you said, it is still showing CT,C,C

In the error log it shows

CORE1251: On HTTP listener http-listener-1, server name web.uat.webservname.com does not match subject uat.mycerticate.com of certificate uat.mycerticate.com.
[21/Jan/2009:12:42:32] warning (19122): CORE1250: In secure virtual server web.uat.webservname.com , host app.uat.appservername.com does not match subject uat.mycerticate.com of certificate uat.mycerticate.com.

Above:
mycertificate.com is nothing but the certificate URL name
webservername: web.uat.webservname.com
Appservername: app.uat.appservername.com

Could you please let me know what is wrong?

Thanks and appreciate your help.
807567
Would you please throw a light on this?
800484
receivables wrote:
Even though we try to change the attributes to CTu,CTu,CTu as you said, it is still showing CT,C,C
Yeah, it will show 'u' only if the key is also in the db. It's ok, ignore it.
800484
mv wrote:
receivables wrote:
This is what I get after loading the certificate on web server
mycertificate u,u,u
VeriSign, Inc. - VeriSign, Inc. CT,,
One more thing, can you check
$certutil -L -d . -n mycertificate
and
$certutil -L -d . -n "VeriSign, Inc. - VeriSign, Inc."
If they have basic constraints does it have CA somewhere?
807567
Here is the output:

../../../lib/certutil -L -d . -n "VeriSign, Inc. - VeriSign, Inc."
Certificate:
    Data:
        Version: 3 (0x2)

        Signed Extensions:
            Name: Certificate Basic Constraints
            Data: Is a CA with a maximum path length of 0.

            Name: Certificate Policies
            Data:
                Policy Name: Verisign User Notices
                Policy Qualifier Name: PKIX CPS Pointer Qualifier
                Policy Qualifier Data: "https://www.verisign.com/CPS"

            Name: Extended Key Usage
                TLS Web Server Authentication Certificate
                TLS Web Client Authentication Certificate
                Strong Crypto Export Approved
                OID...

            Name: Certificate Key Usage
            Usages: Certificate Signing
                    CRL Signing

            Name: Certificate Type
            Data: <SSL CA,S/MIME CA>

            Name: CRL Distribution Points
                URI: "http://crl.verisign.com..

    Certificate Trust Flags:
        SSL Flags:
            Valid CA
            Trusted CA
            Trusted Client CA
        Email Flags:
        Object Signing Flags:

and here is our certificate:

../../bin/certutil -L -d . -n uat.mywebservercertifcate.com
Certificate:
        Subject: "CN=uat.mywebservercertifcate.com,OU=testing,O=myCompany,L=I,ST=G,C=US"

        Signed Extensions:
            Name: Certificate Subject Alt Name
                DNS name: "uat.mywebservercertifcate.com"

            Name: Certificate Basic Constraints
            Data: Is not a CA.

            Name: Certificate Key Usage
            Usages: Digital Signature
                    Key Encipherment

            Name: CRL Distribution Points
                URI: "http://crl.verisign.com/..

            Name: Certificate Policies
            Data:
                Policy Name: Verisign Class 3 Certificate Policy
                Policy Qualifier Name: PKIX CPS Pointer Qualifier
                Policy Qualifier Data: "https://www.verisign.com.."

            Name: Extended Key Usage
                Strong Crypto Export Approved
                TLS Web Server Authentication Certificate
                TLS Web Client Authentication Certificate

            Name: Authority Information Access
                Method: PKIX Online Certificate Status Protocol
                Location:
                    URI: "http://ocsp.verisign.com..

    Certificate Trust Flags:
        SSL Flags:
            User
        Email Flags:
            User
        Object Signing Flags:
            User

Would you please help us to resolve this issue?
Tell me what I should do in order to move further.
800484
One more question: is the App. Server server certificate "VeriSign, Inc. - VeriSign, Inc." or "Verisign Class 3 Public Primary Certification Authority"?

I see you have 2 certificates in App. Server :
"Verisign Class 3 Public Primary Certification Authority" c,c,c
VeriSign, Inc. - VeriSign, Inc. CT,,

As far as I remember you said the App. Server certificate was self-signed. What does the App. Server return when you connect to it via ssltap? Refer to http://blogs.sun.com/jyrivirkki/entry/observing_ssl_requests . Do you get 2 certificates or 1? (You will see cert.001 and cert.002 etc. getting created.)
807567
It is required to import web server certificates into application server.

I have created self-signed certificate from app.server and then exported into web server. The web server certificate is imported into app. server.

This is how we configured it.
807567
Yes. We have two VeriSign certificates which come along with our certificate.
807567
Given that you have configured the web server as a reverse proxy, you will find an entry similar to the following in <instance-name>-obj.conf.
<Object name="reverse-proxy-/">
Route fn="set-origin-server" server="http://abc.com:<port_number>"
</Object>
The value of the server parameter (i.e. http://abc.com:<port_number>) is the application server hostname, and you have to make sure that the subject name of the certificate on the application server is EXACTLY the same as what is specified here.

Hope this helps!!
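The CORE1250 warning quoted earlier in the thread is exactly this comparison: the host in the set-origin-server URL against the origin certificate's names. The following added example (mine, not the product's code) pulls the origin host out of a constructed obj.conf fragment modelled on the one above and applies the usual host-name rule, SAN dNSName entries when present and otherwise the subject CN, with a wildcard allowed only in the leftmost label; the function names and the fragment are my own.

```python
"""Check a reverse-proxy origin host against the origin certificate's names."""
import re
from urllib.parse import urlsplit

# Matches the Route line shown in the thread; only the URL is captured.
ROUTE_RE = re.compile(r'Route\s+fn="set-origin-server"\s+server="(?P<url>[^"]+)"')

# Constructed obj.conf fragment, modelled on the reverse-proxy-/ object above.
OBJ_CONF = '''
<Object name="reverse-proxy-/">
Route fn="set-origin-server" server="https://app.uat.appservername.com:8181"
</Object>
'''


def origin_hosts(obj_conf):
    """Host names of every set-origin-server Route in an obj.conf text."""
    return [urlsplit(m.group("url")).hostname for m in ROUTE_RE.finditer(obj_conf)]


def _name_matches(pattern, host):
    """Case-insensitive exact match, or '*.example.com' style wildcard
    covering exactly one leftmost label (no partial-label wildcards)."""
    pattern, host = pattern.lower(), host.lower()
    if pattern == host:
        return True
    if pattern.startswith("*."):
        first, _, rest = host.partition(".")
        return bool(first) and rest == pattern[2:]
    return False


def cert_matches_host(subject_cn, san_dns, host):
    """SAN dNSNames take precedence; the CN is consulted only when there are none."""
    candidates = list(san_dns) if san_dns else [subject_cn]
    return any(_name_matches(name, host) for name in candidates)


def check_reverse_proxy(obj_conf, subject_cn, san_dns):
    """Map each origin host to None (match) or a CORE1250-style warning text."""
    report = {}
    for host in origin_hosts(obj_conf):
        if cert_matches_host(subject_cn, san_dns, host):
            report[host] = None
        else:
            report[host] = (f"host {host} does not match subject {subject_cn} "
                            f"of certificate")
    return report


if __name__ == "__main__":
    # The mismatch from the thread: certificate issued for the web server name.
    for host, warning in check_reverse_proxy(
            OBJ_CONF, "uat.mycertificate.com", ["uat.mycertificate.com"]).items():
        print(host, "->", warning or "ok")
```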
807567
Thanks for all your inputs. I really appreciate.

I did all the steps but I got the same exception.

I have a valid VeriSign CA certificate along with my certificate, which is installed on the web server. On the application server side we have generated a self-signed certificate with the application server hostname as the subject name. Is that correct?

I have configured the reverse proxy too, pointing to the application server host name. I have tested SSL on a local machine by generating self-signed certificates on both the web and app server. But when I do the steps with the real certificate in the UAT environment, it causes the exception.

Could you please throw some light on this?
807567
I have a valid CA certificate from VeriSign. I want to set up a production-like environment for testing.

Would you please clarify the following:
1. I installed the certificate into the web server. Let's say uat.webserver.com
2. Is it required to export this (web server) certificate into the app server or not? If so, should I change the flag attributes?
3. I don't have a certificate on the app server. Should I generate a self-signed certificate? If so, the host name would be uat.appserver.com. Do I need to change flags?
4. If step 3 is required, should I export this certificate into the web server?
807567
receivables wrote:
I have a valid CA certificate from VeriSign. I want to set up a production-like environment for testing.

Would you please clarify the following:
1. I installed the certificate into the web server. Let's say uat.webserver.com
2. Is it required to export this (web server) certificate into the app server or not? If so, should I change the flag attributes?
No, you don't need to touch the web server certificate UNLESS you have configured client auth on the application server, which I guess is not the case.
3. I don't have a certificate on the app server. Should I generate a self-signed certificate? If so, the host name would be uat.appserver.com. Do I need to change flags?
Yes, install a self-signed certificate on the application server.
4. If step 3 is required, should I export this certificate into the web server?
Yes, install the application server certificate into the web server NSS db with the right trust flags and restart the web server.
807567
I resolved it yesterday itself. I did exactly what you mentioned here.

I really appreciate all your support and patience.
807567
1. I have received a certificate from our client. I have added an entry into keystore.jks and then imported it into the web server using the web admin command wadm>migrate-jks-keycert. Is that the right approach, or should I place this entry into the application server too? We have sent our certificate to the client. We have written a Java client to test the handshake between our server and the client machine. Could you please advise on this?

2. In order to test the VeriSign payment gateway through our UAT environment, what steps are required? Should I take the certificates from production along with verisign.jar? Please throw some light on this.
807567
Unfortunately my server was down because of this error that appeared in the errors log.

failure (24446): for host x.x.x.x trying to GET /../respective page, service-http reports: HTTP7758: error sending request (IO timeout error)

Please throw some light on this.
800484
Do you get this error in the reverse proxy server error logs? Why is it timing out? Is the origin server down? Are all requests to /../respective page supposed to be served by the origin server?
800484
Here is a link to a blog about enabling client authentication in the reverse proxy and origin server in Sun Web Server 7.0: http://blogs.sun.com/meena/entry/enabling_client_certificate_authentication_in . It's easy.

And a blog about trust flags: http://blogs.sun.com/meena/entry/notes_about_trust_flags
Locked on Oct 16 2009
Added on Jan 7 2009