on 08-16-2016 4:47 PM
Hello All,
I configured Tomcat HTTPS on BOBJ 4.2; it works as expected except for the certificate trust warning when opening it in the browser. I have a valid wildcard certificate for the domain. I imported it using keytool. However, when I open the link, the browser still warns, and when I check the certificate it is still using the private key certificate, not the trusted wildcard.
Steps followed
1) Generated keystore as per note 1648573 - when asked for first name and last name, I used ABC (name changed)
2) changed server.xml file
HTTPS started working, with the warning.
Wildcard import process
1) Got the wildcard.crt certificate (wildcard entry name: 123.com, issued by CA) (names changed)
2) Imported the certificate using keytool (keytool -import -file wildcard.crt -alias wildcard -keystore -keystore). The certificate imported, but HTTPS still uses the same old private key entry certificate (i.e. ABC, not 123.com)
3) Keytool list shows two entries: 1) privatekey 2) trustedentry
When I tried to import the wildcard certificate to the same alias generated in step 1, it complains that public keys in reply don't match keystore.
Can someone please share the process followed in importing wildcards?
Thanks
Karthik
Hi Karthik,
In a similar scenario, we were given a PKCS#12 wildcard certificate (*.pfx file format). In order to use it with Tomcat we followed the steps below:
<Connector
    port="8443"
    protocol="org.apache.coyote.http11.Http11Protocol"
    URIEncoding="UTF-8"
    SSLEnabled="true"
    maxThreads="900"
    scheme="https"
    secure="true"
    clientAuth="false"
    sslEnabledProtocols="TLSv1, TLSv1.1, TLSv1.2"
    keystoreFile="<CERTIFICATE_PATH>/wildcard_certificate.pfx"
    keystorePass="CERTIFICATE_PASSWORD"
    keystoreType="PKCS12"
    ciphers="TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA256, TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA,TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA384, TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA,TLS_ECDHE_RSA_WITH_RC4_128_SHA, TLS_RSA_WITH_AES_128_CBC_SHA256,TLS_RSA_WITH_AES_128_CBC_SHA,TLS_RSA_WITH_AES_256_CBC_SHA256, TLS_RSA_WITH_AES_256_CBC_SHA,SSL_RSA_WITH_RC4_128_SHA"
/>
Notes
Finally, you may find the following resources useful:
Title: Create a .pfx/.p12 certificate file using OpenSSL
URL: https://www.ssl.com/how-to/create-a-pfx-p12-certificate-file-using-openssl/
Title: Passwords - Why are plain text passwords in the config files?
URL: http://wiki.apache.org/tomcat/FAQ/Password
Thanks,
ilias
Hi Ilias
Thanks a lot, this is exactly what I was looking for.
No matter how many ways I import the .crt wildcard, Tomcat is still using the self-signed certificate it created at the time of keystore generation.
After converting to PKCS12 format and pointing Tomcat to use this keystore, it worked (I converted the crt to PKCS12 using openssl).
Thanks a lot again
Thanks
Karthik
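Added example, not from any poster in this thread: a POSIX shell script that shows why the .crt import above did not help. A certificate imported with keytool -import under its own alias becomes a trustedCertEntry with no private key, so Tomcat keeps serving the PrivateKeyEntry, and a CA reply can only be installed over the alias whose private key produced the CSR. The script compares SubjectPublicKeyInfo fingerprints to reproduce that "public keys in reply don't match" check, then bundles the matching key and certificate into a PKCS12 file for keystoreType="PKCS12". The file names, the password changeit and the self-signed stand-in certificate are constructed assumptions; openssl must be installed.

```shell
#!/bin/sh
# Added example (not from the thread). Assumes openssl on PATH; all file names
# and the keystore password "changeit" are placeholders.
set -eu
WORK="${WORK:-$(mktemp -d)}"

# Constructed test material: a self-signed cert stands in for the CA-issued
# wildcard cert, wildcard.key for the key behind its CSR, other.key for the
# unrelated key a fresh keytool-generated ("ABC") keystore would hold.
make_test_material() {
  openssl req -x509 -newkey rsa:2048 -nodes -days 1 \
    -keyout "$WORK/wildcard.key" -out "$WORK/wildcard.crt" \
    -subj "/CN=*.example.com" -addext "subjectAltName=DNS:*.example.com" \
    >/dev/null 2>&1
  openssl genrsa -out "$WORK/other.key" 2048 >/dev/null 2>&1
}

# SHA-256 of the DER SubjectPublicKeyInfo, from a private key ("key") or a
# certificate ("cert"); equal fingerprints mean the same key pair.
spki_fingerprint() {
  if [ "$1" = key ]; then
    openssl pkey -in "$2" -pubout -outform DER
  else
    openssl x509 -in "$2" -noout -pubkey | openssl pkey -pubin -outform DER
  fi | openssl dgst -sha256 | awk '{print $NF}'
}

# "match" when the private key is the one the certificate was issued for.
# keytool does this check before accepting a CA reply into a key alias.
key_matches_cert() {
  if [ "$(spki_fingerprint key "$1")" = "$(spki_fingerprint cert "$2")" ]; then
    echo match
  else
    echo mismatch
  fi
}

# Bundle key + cert into a single PKCS12 entry that Tomcat can load directly
# with keystoreType="PKCS12"; add -certfile chain.pem when a CA chain is needed.
build_pfx() {
  openssl pkcs12 -export -inkey "$1" -in "$2" -name tomcat \
    -out "$3" -passout pass:changeit
}

# Fingerprint of the end-entity certificate stored in the .pfx, for verification.
pfx_cert_fingerprint() {
  openssl pkcs12 -in "$1" -passin pass:changeit -nokeys -clcerts 2>/dev/null \
    | openssl x509 -noout -pubkey | openssl pkey -pubin -outform DER \
    | openssl dgst -sha256 | awk '{print $NF}'
}
```

If an older JVM cannot open the resulting file, rebuild it with openssl pkcs12 -export -legacy, which emits the older PBE algorithms those releases understand.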
This has nothing to do with BOE/SAP products; it's the browser and your certificate. You should google the browser warning and see how to resolve it.
You're not importing the certificate into BOBJ, you're using it in Tomcat to enable HTTPS.
The HTTPS handshake is between Tomcat and the browser (server/client), and it happens before any part of BOE is involved.
The part where the browser thinks the certificate is not valid or not secure needs to be addressed via Tomcat/browser settings.
From the BOE side, BOE mobile apps are not supported with wildcard certificates:
2215428 - Unable to connect to SAP BI Mobile App on Android O/S while using HTTPS connection