Thursday, 14 January 2016

WebSphere Liberty Profile - Tinkering with SSL TLS

I went through this process last evening, and thought that sharing it MIGHT be of interest :-)

Check What's Installed

/opt/IBM/InstallationManager/eclipse/tools/imcl listInstalledPackages

com.ibm.cic.agent_1.8.2000.20150303_1526
com.ibm.websphere.liberty.v85_8.5.5000.20130514_1313

Create a WLP Server

/opt/IBM/WebSphere/Liberty/bin/server create davehay

Server davehay created.

Create an SSL Keystore and Self-Signed Certificate

/opt/IBM/WebSphere/Liberty/bin/securityUtility createSSLCertificate --server=davehay --password=passw0rd --validity=365

Creating keystore /opt/IBM/WebSphere/Liberty/usr/servers/davehay/resources/security/key.jks

Created SSL certificate for server davehay

Add the following lines to the server.xml to enable SSL:

    <featureManager>
        <feature>ssl-1.0</feature>
    </featureManager>
    <keyStore id="defaultKeyStore" password="{xor}Lz4sLChvLTs=" />

Add SSL support to Server Configuration

vi /opt/IBM/WebSphere/Liberty/usr/servers/davehay/server.xml 

Append: -

    <featureManager>
        <feature>ssl-1.0</feature>
    </featureManager>
    <keyStore id="defaultKeyStore" password="{xor}Lz4sLChvLTs=" />

Update Server Configuration to reflect hostname

vi /opt/IBM/WebSphere/Liberty/usr/servers/davehay/server.xml 

Change: -

    <httpEndpoint id="defaultHttpEndpoint"
                  host="localhost"
                  httpPort="9080"
                  httpsPort="9443" />

to: -

    <httpEndpoint id="defaultHttpEndpoint"
                  host="mta2015a.uk.ibm.com"
                  httpPort="9080"
                  httpsPort="9443" />

Start WLP Server

/opt/IBM/WebSphere/Liberty/bin/server start davehay

Starting server davehay.
Server davehay started with process ID 3962.

Test Connectivity ( via HTTP )

From Linux

wget http://mta2015a.uk.ibm.com:9080/

--2016-01-13 19:22:37--  http://mta2015a.uk.ibm.com:9080/
Resolving mta2015a.uk.ibm.com... 192.168.153.128
Connecting to mta2015a.uk.ibm.com|192.168.153.128|:9080... connected.
HTTP request sent, awaiting response... 200 OK
Length: 4725 (4.6K)
Saving to: `index.html'

100%[==================================================================================================================================================================>] 4,725       --.-K/s   in 0s      

2016-01-13 19:22:37 (625 MB/s) - `index.html' saved [4725/4725]

wget --no-check-certificate https://mta2015a.uk.ibm.com:9443/

--2016-01-13 19:24:54--  https://mta2015a.uk.ibm.com:9443/
Resolving mta2015a.uk.ibm.com... 192.168.153.128
Connecting to mta2015a.uk.ibm.com|192.168.153.128|:9443... connected.
WARNING: cannot verify mta2015a.uk.ibm.com's certificate, issued by `/C=us/O=ibm/OU=davehay/CN=localhost':
  Self-signed certificate encountered.
    WARNING: certificate common name `localhost' doesn't match requested host name `mta2015a.uk.ibm.com'.
HTTP request sent, awaiting response... 200 OK
Length: 4725 (4.6K)
Saving to: `index.html.2'

100%[==================================================================================================================================================================>] 4,725       --.-K/s   in 0s      

2016-01-13 19:24:54 (1.01 GB/s) - `index.html.2' saved [4725/4725]

List Content of Keystore

keytool -list -v -keystore /opt/IBM/WebSphere/Liberty/usr/servers/davehay/resources/security/key.jks -storepass passw0rd

Keystore type: JKS
Keystore provider: SUN

Your keystore contains 1 entry

Alias name: default
Creation date: 13-Jan-2016
Entry type: PrivateKeyEntry
Certificate chain length: 1
Certificate[1]:
Owner: CN=localhost, OU=davehay, O=ibm, C=us
Issuer: CN=localhost, OU=davehay, O=ibm, C=us
Serial number: 3559914d
Valid from: Wed Jan 13 19:06:46 GMT 2016 until: Thu Jan 12 19:06:46 GMT 2017
Certificate fingerprints:
MD5:  6D:26:90:BA:50:1C:3B:8B:28:73:C0:68:F0:16:AA:13
SHA1: 41:75:D6:93:20:BA:10:EB:F3:FE:B9:20:91:48:45:BC:8D:50:3E:FA
SHA256: FA:94:A3:3A:55:99:2F:80:98:85:A1:09:C8:F8:6F:BC:C1:5A:7D:C2:53:03:C4:4F:9D:A1:2E:D9:6B:3D:36:2D
Signature algorithm name: SHA1withRSA
Version: 3

Create New Self-Signed Certificate

/opt/IBM/WebSphere/AppServer/java/jre/bin/keytool -genkey -alias selfsigned -keystore /opt/IBM/WebSphere/Liberty/usr/servers/davehay/resources/security/key.jks -storepass passw0rd -validity 360 -keysize 2048 -dname CN=mta2015a.uk.ibm.com,DC=UK,DC=IBM,DC=COM -sigAlg SHA256withRSA -keyAlg RSA

List Content of Keystore

keytool -list -v -keystore /opt/IBM/WebSphere/Liberty/usr/servers/davehay/resources/security/key.jks -storepass passw0rd

Keystore type: JKS
Keystore provider: SUN

Your keystore contains 2 entries

Alias name: default
Creation date: 13-Jan-2016
Entry type: PrivateKeyEntry
Certificate chain length: 1
Certificate[1]:
Owner: CN=localhost, OU=davehay, O=ibm, C=us
Issuer: CN=localhost, OU=davehay, O=ibm, C=us
Serial number: 3559914d
Valid from: Wed Jan 13 19:06:46 GMT 2016 until: Thu Jan 12 19:06:46 GMT 2017
Certificate fingerprints:
MD5:  6D:26:90:BA:50:1C:3B:8B:28:73:C0:68:F0:16:AA:13
SHA1: 41:75:D6:93:20:BA:10:EB:F3:FE:B9:20:91:48:45:BC:8D:50:3E:FA
SHA256: FA:94:A3:3A:55:99:2F:80:98:85:A1:09:C8:F8:6F:BC:C1:5A:7D:C2:53:03:C4:4F:9D:A1:2E:D9:6B:3D:36:2D
Signature algorithm name: SHA1withRSA
Version: 3
Alias name: selfsigned
Creation date: 13-Jan-2016
Entry type: PrivateKeyEntry
Certificate chain length: 1
Certificate[1]:
Owner: CN=mta2015a.uk.ibm.com, DC=UK, DC=IBM, DC=COM
Issuer: CN=mta2015a.uk.ibm.com, DC=UK, DC=IBM, DC=COM
Serial number: 5696bab3
Valid from: Wed Jan 13 20:59:31 GMT 2016 until: Sat Jan 07 20:59:31 GMT 2017
Certificate fingerprints:
MD5:  B4:9C:EC:1F:D3:82:88:5F:33:CB:26:63:A8:7F:65:4E
SHA1: 7C:21:43:87:32:3F:66:FE:E4:CA:06:7D:50:C6:F5:91:A4:41:02:40
SHA256: C5:0B:93:B1:64:F1:13:C2:A6:D7:9E:95:88:FE:80:7F:1F:8F:F5:3A:10:BE:93:0F:9C:9C:21:05:D0:06:70:FA
Signature algorithm name: SHA256withRSA
Version: 3

/opt/IBM/WebSphere/AppServer/java/jre/bin/ikeycmd -cert -list -db /opt/IBM/WebSphere/Liberty/usr/servers/davehay/resources/security/key.jks -pw passw0rd

Certificates in database /opt/IBM/WebSphere/Liberty/usr/servers/davehay/resources/security/key.jks:
   default
   selfsigned
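
The two keystore entries differ in exactly the ways that matter to a TLS client: subject CN versus the endpoint host name, and signature algorithm. The script below is an added example (not part of the original post) that reads a trimmed copy of the keytool listing above and reports those differences per alias; the function names and issue labels are invented for this illustration.

```python
import re

# Trimmed from the keytool -list -v output shown above (fingerprints omitted).
LISTING = """\
Alias name: default
Owner: CN=localhost, OU=davehay, O=ibm, C=us
Issuer: CN=localhost, OU=davehay, O=ibm, C=us
Signature algorithm name: SHA1withRSA
Alias name: selfsigned
Owner: CN=mta2015a.uk.ibm.com, DC=UK, DC=IBM, DC=COM
Issuer: CN=mta2015a.uk.ibm.com, DC=UK, DC=IBM, DC=COM
Signature algorithm name: SHA256withRSA
"""

FIELDS = {"Alias name": "alias", "Owner": "owner",
          "Issuer": "issuer", "Signature algorithm name": "sigalg"}

def parse_listing(text):
    """Split keytool -list -v output into one dict per alias."""
    entries = []
    for line in text.splitlines():
        key, sep, value = line.partition(": ")
        field = FIELDS.get(key.strip())
        if not sep or field is None:
            continue  # fingerprints, validity dates and other lines are skipped
        if field == "alias":
            entries.append({})
        if entries:
            entries[-1][field] = value.strip()
    return entries

def issues(entry, host):
    """List what a TLS client connecting to `host` would object to."""
    found = []
    cn = re.search(r"CN=([^,]+)", entry.get("owner", ""))
    if not cn or cn.group(1).strip().lower() != host.lower():
        found.append("cn-mismatch")
    if entry.get("sigalg", "").upper().startswith(("SHA1", "MD5")):
        found.append("weak-signature")
    if entry.get("owner") == entry.get("issuer"):
        found.append("self-signed")
    return found

def report(text, host):
    """Map each alias in the listing to its list of issues for `host`."""
    return {e["alias"]: issues(e, host) for e in parse_listing(text)}

if __name__ == "__main__":
    print(report(LISTING, "mta2015a.uk.ibm.com"))
```

The check compares the CN only, which is what wget reports in the output above. Clients that match solely on subjectAltName will reject a certificate that carries the host name only in the CN.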

Update Server Configuration to reflect new certificate

vi /opt/IBM/WebSphere/Liberty/usr/servers/davehay/server.xml 

Add/amend: -

    <sslDefault sslRef="defaultSSLSettings" />
    <ssl id="defaultSSLSettings"
         keyStoreRef="defaultKeyStore"
         serverKeyAlias="selfsigned" />
    <keyStore id="defaultKeyStore"
         location="key.jks"
         type="jks"
         password="passw0rd" />
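
Both keyStore forms used on this page, the {xor} value printed by securityUtility and the plain password in the final server.xml, can be read by anyone who can read the file, because {xor} is a keyless encoding rather than encryption. The audit script below is an added example, not part of the original post; the element ids, the {aes} placeholder value and the function names are constructed for illustration.

```python
import base64
import xml.etree.ElementTree as ET

# Constructed sample: the two keyStore forms shown on this page, plus an
# {aes} entry whose value is a made-up placeholder, not real ciphertext.
SAMPLE_SERVER_XML = """<server>
    <keyStore id="xorStore" password="{xor}Lz4sLChvLTs=" />
    <keyStore id="plainStore" location="key.jks" type="jks" password="passw0rd" />
    <keyStore id="aesStore" password="{aes}PLACEHOLDER" />
</server>"""

XOR_KEY = 0x5F  # ASCII '_', the fixed byte behind the {xor} encoding


def xor_encode(plain):
    """Reproduce the keyless {xor} form: XOR each byte with '_', then base64."""
    raw = bytes(b ^ XOR_KEY for b in plain.encode("utf-8"))
    return "{xor}" + base64.b64encode(raw).decode("ascii")


def classify(value):
    """Label a password attribute value by how it is stored."""
    if value.startswith("{aes}"):
        return "aes"
    if value.startswith("{xor}"):
        return "xor-obfuscated"
    return "plaintext"


def audit_passwords(xml_text):
    """Return (id or tag, classification) for every password attribute."""
    findings = []
    for elem in ET.fromstring(xml_text).iter():
        for attr, value in elem.attrib.items():
            if "password" in attr.lower():
                findings.append((elem.get("id", elem.tag), classify(value)))
    return findings


def needs_attention(xml_text):
    """Ids whose password is stored in plaintext or in the keyless encoding."""
    return [i for i, kind in audit_passwords(xml_text)
            if kind in ("plaintext", "xor-obfuscated")]


if __name__ == "__main__":
    for ident, kind in audit_passwords(SAMPLE_SERVER_XML):
        print(f"{ident}: {kind}")
    print(xor_encode("passw0rd"))  # same string securityUtility printed above
```

Whatever the encoding, file permissions on server.xml and key.jks remain the control that actually protects the private key.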

Stop WLP Server

/opt/IBM/WebSphere/Liberty/bin/server stop davehay

Stopping server davehay.
Server davehay stopped.

Start WLP Server

/opt/IBM/WebSphere/Liberty/bin/server start davehay

Starting server davehay.
Server davehay started with process ID 16945.

Test Connectivity ( via HTTPS )

From Linux

wget --no-check-certificate https://mta2015a.uk.ibm.com:9443/

--2016-01-13 20:51:53--  https://mta2015a.uk.ibm.com:9443/
Resolving mta2015a.uk.ibm.com... 192.168.153.128
Connecting to mta2015a.uk.ibm.com|192.168.153.128|:9443... connected.
WARNING: cannot verify mta2015a.uk.ibm.com's certificate, issued by `/DC=COM/DC=IBM/DC=UK/CN=mta2015a.uk.ibm.com':
  Self-signed certificate encountered.
HTTP request sent, awaiting response... 200 OK
Length: 4725 (4.6K)
Saving to: `index.html.5'

100%[==================================================================================================================================================================>] 4,725       --.-K/s   in 0s      

2016-01-13 20:51:53 (416 MB/s) - `index.html.5' saved [4725/4725]

Inspect Self-Signed Certificate

openssl s_client -showcerts -connect mta2015a.uk.ibm.com:9443 </dev/null

Server certificate
subject=/DC=COM/DC=IBM/DC=UK/CN=mta2015a.uk.ibm.com
issuer=/DC=COM/DC=IBM/DC=UK/CN=mta2015a.uk.ibm.com
---
No client certificate CA names sent
Server Temp Key: DH, 768 bits
---
SSL handshake has read 1573 bytes and written 447 bytes
---
New, TLSv1/SSLv3, Cipher is DHE-RSA-AES128-SHA256
Server public key is 2048 bit
Secure Renegotiation IS supported
Compression: NONE
Expansion: NONE
SSL-Session:
    Protocol  : TLSv1.2
    Cipher    : DHE-RSA-AES128-SHA256
    Session-ID: 5696BB3015905180F9175410E9B677F5F5F4B7BC7C7A4C0B3BA986AD0D48BD23
    Session-ID-ctx: 
    Master-Key: 06A29B8AAFC260B798511B29AAA52D3E876E75B897444E146DFA3DC5E50F4D29382E5E26E4EC8E5221E31084DA2B2F03
    Key-Arg   : None
    Krb5 Principal: None
    PSK identity: None
    PSK identity hint: None
    Start Time: 1452718896
    Timeout   : 300 (sec)
    Verify return code: 18 (self signed certificate)
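
The handshake output above contains two details worth checking automatically: the 768-bit ephemeral DH key and the non-zero verify return code. The script below is an added example (not from the original post) that applies a small policy to a trimmed copy of that output; the policy floors and function names are assumptions made for this illustration.

```python
import re

# Trimmed from the openssl s_client output shown above.
S_CLIENT = """\
Server Temp Key: DH, 768 bits
Server public key is 2048 bit
    Protocol  : TLSv1.2
    Cipher    : DHE-RSA-AES128-SHA256
    Verify return code: 18 (self signed certificate)
"""

# Assumed policy floors for this example; set them from your own standard.
MIN_DH_BITS = 2048
MIN_RSA_BITS = 2048
ALLOWED_PROTOCOLS = {"TLSv1.2", "TLSv1.3"}

PATTERNS = {
    "temp_key": r"Server Temp Key: (\w+), (\d+) bits",  # finite-field DH form
    "key_bits": r"Server public key is (\d+) bit",
    "protocol": r"Protocol\s*: (\S+)",
    "verify": r"Verify return code: (\d+) \((.*)\)",
}

def parse_handshake(text):
    """Pull the negotiated parameters out of s_client output."""
    facts = {}
    for name, pattern in PATTERNS.items():
        match = re.search(pattern, text)
        if match:
            facts[name] = match.groups()
    return facts

def findings(text):
    """Return policy violations; an empty list means the handshake passed."""
    facts, out = parse_handshake(text), []
    if "temp_key" in facts:
        kind, bits = facts["temp_key"]
        if kind == "DH" and int(bits) < MIN_DH_BITS:
            out.append(f"weak-dh:{bits}")
    if "key_bits" in facts and int(facts["key_bits"][0]) < MIN_RSA_BITS:
        out.append(f"weak-server-key:{facts['key_bits'][0]}")
    if "protocol" in facts and facts["protocol"][0] not in ALLOWED_PROTOCOLS:
        out.append(f"protocol:{facts['protocol'][0]}")
    if "verify" in facts and facts["verify"][0] != "0":
        out.append("verify:{}:{}".format(*facts["verify"]))
    return out

if __name__ == "__main__":
    print(findings(S_CLIENT))
```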
