Symantec IGA

  • 1.  How to put IdM User Console 12.6.7 with HTTPS (cert signed by MS CA)?

    Posted Jul 04, 2017 04:33 PM

    Hi experts,

     

    we are dealing with an issue here, because our goal is to set up the IDM User Console over HTTPS. The app server is JBoss EAP 6.3.

     

    Following the JBoss documentation, we created a key and made the CSR request, and a CA from our client (Microsoft CA) signed the cert. The chain has an intermediate certificate, so in fact there are 3 (IdM server certificate, intermediate and root).

     

    Doing that, we cannot access the HTTPS site. In Wireshark, we see that the browser performs its Client Hello in the correct way, but the server responds with an SSL handshake failure (no details in the SSL record, nor in the JBoss log; we also set javax.net.debug=all, and no error regarding the handshake is seen in the JBoss server.log).

     

    On the other hand, we tried with a self-signed certificate (both the first scenario's certificate and the self-signed one were made in the same way, using the keytool command). Using a keystore with the self-signed certificate, the HTTPS connection works fine, but of course we need to do it with a certificate signed by a local CA here.

     

    In all cases, the alias is always "tomcat".

     

    Have any of you faced this issue with JBoss? I think that perhaps the MS Certificate Template with which the certificate is signed could be the cause; I am still investigating and doing more tests.

     

    Thanks a lot.



  • 2.  Re: How to put IdM User Console 12.6.7 with HTTPS (cert signed by MS CA)?
    Best Answer

    Broadcom Employee
    Posted Jul 05, 2017 10:06 AM

    Hi.

     

    Did you make sure the JVM (Java Virtual Machine) includes the correct cert for JBoss?

    I guess you did. If not, please give that a closer look. If you did try that, then I'll suggest you open a support case so that we can ask you for logs and screenshots and work more closely on this.

     

    It may be that a configuration file inside JBoss also needs to specify that SSL port, etc.

     

    Thanks,

    Sagi



  • 3.  Re: How to put IdM User Console 12.6.7 with HTTPS (cert signed by MS CA)?

    Posted Jul 06, 2017 09:40 AM

    Hi Sagi, thank you very much for your response.

     

    I will take this week to see if I can resolve this issue; if not, I will tell the client to open a case.

     

    It is weird: I do the same in my own lab and the same thing happens. Strangest of all is that if I import a self-signed certificate into a keystore, without changing any configuration on the JBoss side, HTTPS works perfectly. On the other hand, as in our client's environment, if I generate a key into a keystore, create a CSR request and sign it with a MS Certificate Authority, this issue happens just as it does in the client's environment. JBoss logs nothing at all about this. Using Wireshark, I see that the browser sends its Client Hello record OK, and the server returns an SSL alert record. Both certificates are generated with keytool in the same way; the only difference is that the working one is self-signed and the other one is signed by a MS CA (in my lab I have an AD 2k12 with the Certificate Server role). There is not much to do with the MS CA: I paste the CSR file and issue it (the only variable parameter is the mandatory template I have to choose, so that's why I am suspecting that this may be where the problem is). Now I will make some tests enabling handshake debugging on the JVM JBoss uses. JBoss is in fact an OOTB install, and the only file we configured is standalone-full.xml with these lines, which work fine for a self-signed cert but not for a MS CA issued one:

     

    <connector name="https" protocol="HTTP/1.1" scheme="https" socket-binding="https" secure="true">
        <ssl name="idmtest" certificate-key-file="C:\jboss-eap-6.3\standalone\configuration\idm5.keystore" password="Manager1" />
    </connector>
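    The two posts above describe the same symptom: Wireshark shows the browser's Client Hello going out correctly and the server answering with a single SSL alert record, while JBoss logs nothing. The alert byte itself says why the server gave up, so it is worth reading by name rather than just noting "handshake failure". The script below is an added example and not part of this thread or of any JBoss/IdM documentation: it decodes TLS record headers, lists the cipher suites a Client Hello offered, and names the alert the server sent back. The capture bytes are constructed for the example (a minimal TLS 1.2 Client Hello offering one suite, followed by a fatal handshake_failure alert), and the HINTS text is generic guidance, not a statement about the poster's keystore.

```python
# Added example, not from the thread: decode TLS records from a capture so the
# server's alert can be read by name. Sample bytes below are constructed.
import struct

CONTENT_TYPES = {20: "change_cipher_spec", 21: "alert", 22: "handshake", 23: "application_data"}
VERSIONS = {0x0300: "SSL 3.0", 0x0301: "TLS 1.0", 0x0302: "TLS 1.1", 0x0303: "TLS 1.2"}
HANDSHAKE_TYPES = {1: "client_hello", 2: "server_hello", 11: "certificate",
                   12: "server_key_exchange", 14: "server_hello_done"}
ALERT_LEVELS = {1: "warning", 2: "fatal"}
ALERT_DESCRIPTIONS = {  # RFC 5246 section 7.2
    0: "close_notify", 10: "unexpected_message", 20: "bad_record_mac",
    40: "handshake_failure", 42: "bad_certificate", 43: "unsupported_certificate",
    45: "certificate_expired", 46: "certificate_unknown", 47: "illegal_parameter",
    48: "unknown_ca", 50: "decode_error", 51: "decrypt_error", 70: "protocol_version",
    71: "insufficient_security", 80: "internal_error", 112: "unrecognized_name",
}
CIPHER_SUITES = {  # a few IANA-registered values, enough for the sample
    0x002F: "TLS_RSA_WITH_AES_128_CBC_SHA", 0x009C: "TLS_RSA_WITH_AES_128_GCM_SHA256",
    0xC02F: "TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256", 0xC030: "TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384",
}
# Generic defender-side reading of the alerts most relevant to a server keystore problem
HINTS = {
    "handshake_failure": "server rejected the ClientHello: it found no cipher suite it can serve "
                         "with its configured key and certificate; confirm the alias the connector "
                         "uses is a PrivateKeyEntry whose key type matches the offered suites",
    "unknown_ca": "peer could not build a trusted chain; the issuing intermediate and root CA "
                  "certificates are missing from the relevant truststore",
}


def parse_records(data: bytes):
    """Split a byte stream into (content_type, version, payload) TLS records."""
    records, offset = [], 0
    while offset + 5 <= len(data):
        ctype, version, length = struct.unpack("!BHH", data[offset:offset + 5])
        payload = data[offset + 5:offset + 5 + length]
        if len(payload) < length:
            raise ValueError("truncated TLS record at offset %d" % offset)
        records.append((ctype, version, payload))
        offset += 5 + length
    return records


def parse_client_hello(handshake: bytes) -> dict:
    """Pull the client version and offered cipher suites out of a ClientHello message."""
    if not handshake or handshake[0] != 1:
        raise ValueError("not a ClientHello")
    body_len = int.from_bytes(handshake[1:4], "big")
    body = handshake[4:4 + body_len]
    version = int.from_bytes(body[0:2], "big")
    pos = 2 + 32                      # skip client_version and the 32-byte random
    pos += 1 + body[pos]              # skip session_id
    cs_len = int.from_bytes(body[pos:pos + 2], "big")
    pos += 2
    suites = [int.from_bytes(body[i:i + 2], "big") for i in range(pos, pos + cs_len, 2)]
    return {"version": VERSIONS.get(version, hex(version)),
            "cipher_suites": suites,
            "cipher_suite_names": [CIPHER_SUITES.get(s, hex(s)) for s in suites]}


def describe_record(ctype: int, version: int, payload: bytes) -> str:
    """One human-readable line per record, naming alerts and handshake types."""
    ver = VERSIONS.get(version, hex(version))
    if ctype == 21 and len(payload) >= 2:
        level, desc = payload[0], payload[1]
        return "%s alert: %s %s (%d)" % (ver, ALERT_LEVELS.get(level, level),
                                         ALERT_DESCRIPTIONS.get(desc, desc), desc)
    if ctype == 22 and payload:
        return "%s handshake: %s" % (ver, HANDSHAKE_TYPES.get(payload[0], payload[0]))
    return "%s %s (%d bytes)" % (ver, CONTENT_TYPES.get(ctype, "unknown(%d)" % ctype), len(payload))


def diagnose(capture: bytes) -> dict:
    """Walk a captured exchange and summarise the ClientHello, any alert, and a hint."""
    summary = {"records": [], "client_hello": None, "alert": None, "hint": None}
    for ctype, version, payload in parse_records(capture):
        summary["records"].append(describe_record(ctype, version, payload))
        if ctype == 22 and payload and payload[0] == 1:
            summary["client_hello"] = parse_client_hello(payload)
        elif ctype == 21 and len(payload) >= 2:
            desc = ALERT_DESCRIPTIONS.get(payload[1], str(payload[1]))
            summary["alert"] = (ALERT_LEVELS.get(payload[0], str(payload[0])), desc)
            summary["hint"] = HINTS.get(desc)
    return summary


# Constructed sample: minimal TLS 1.2 ClientHello offering TLS_RSA_WITH_AES_128_CBC_SHA,
# then the server's fatal handshake_failure alert (content type 0x15, level 2, description 40).
_HELLO_BODY = b"\x03\x03" + bytes(32) + b"\x00" + b"\x00\x02\x00\x2f" + b"\x01\x00"
_HELLO_MSG = b"\x01" + len(_HELLO_BODY).to_bytes(3, "big") + _HELLO_BODY
SAMPLE_EXCHANGE = (b"\x16\x03\x01" + len(_HELLO_MSG).to_bytes(2, "big") + _HELLO_MSG
                   + b"\x15\x03\x03\x00\x02\x02\x28")

if __name__ == "__main__":
    for line in diagnose(SAMPLE_EXCHANGE)["records"]:
        print(line)
    print("hint:", diagnose(SAMPLE_EXCHANGE)["hint"])
```

To use it on a real capture, export the bytes of the TCP payload from Wireshark (Follow TCP Stream, raw) for the client and server directions and pass them through diagnose(). A fatal handshake_failure arriving immediately after the ClientHello, as both posters observed, is the server's own decision before any certificate is sent, which is why the browser shows nothing about the certificate and why the server-side key entry and its alias are the first things to check.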


  • 4.  Re: How to put IdM User Console 12.6.7 with HTTPS (cert signed by MS CA)?

    Posted Jul 11, 2017 03:42 AM

    Actually I opened a case for that before, but CA replied as below:

     

    >The certificate is not related to or dependent on CA products, e.g. Identity Manager. It is about SSL configuration on WildFly (a third-party product).

     

    >We will try to assist you as much as we can, but I would like to set the expectation that it is not covered under support's scope of work, as we don't have expertise on third-party products.

     

    So, I suggest you read online articles rather than opening a case. It doesn't help at all.



  • 5.  Re: How to put IdM User Console 12.6.7 with HTTPS (cert signed by MS CA)?

    Posted Jul 12, 2017 10:32 AM

    Hi LamCC, I see that it will be hard work. I am running out of clues now. This is my mail: julian.sosa@secwaze.com, please feel free to contact me, and if I find something I will let you know. Thanks for your reply.



  • 6.  Re: How to put IdM User Console 12.6.7 with HTTPS (cert signed by MS CA)?

    Posted Jul 12, 2017 09:55 PM

    See if the links below can help:

     

    SSL setup guide - WildFly 8 - Project Documentation Editor
    SSL with WildFly 8 and Undertow
    Configuring SSL in Wildfly 8/9/10 | Real Life Java
    Enable SSL on Wildfly 8.2.1
    SSL Certificate Installation - Java Based Web Servers
    SSL Certificate CSR Creation - Java Server

     

    I had to reference the above to enable HTTPS with IDM.

    Ironic that a security product isn't restricted to HTTPS by default. I could capture the password sent in plain text when resetting a password via IDM at the beginning, and CA just told me it is a third-party software issue and none of their business.



  • 7.  Re: How to put IdM User Console 12.6.7 with HTTPS (cert signed by MS CA)?

    Posted Sep 07, 2017 02:22 PM

    Hi LamCC, have you had any luck? As you said, I have had no luck with support. Still working with self-signed certificates but not with MS CA signed ones.



  • 8.  Re: How to put IdM User Console 12.6.7 with HTTPS (cert signed by MS CA)?

    Posted Jul 11, 2017 03:25 AM

    Here is what I performed in WildFly 8 with IDM 14:

    1. keytool -genkey -alias localhost -keyalg RSA -keystore C:\wildfly\standalone\configuration\keystore.jks -keysize 2048

    2. keytool -certreq -alias localhost -keyalg RSA -file name.csr -keystore C:\wildfly\standalone\configuration\keystore.jks

    3. keytool -import -trustcacerts -alias localhost -file name.p7b -keystore C:\wildfly\standalone\configuration\keystore.jks

     

    4. In standalone-full.xml:

       1. Add, after <security-realms>:

                <security-realm name="SslRealm">
                    <server-identities>
                        <ssl>
                            <keystore path="keystore.jks" relative-to="jboss.server.config.dir" keystore-password="[Password]"/>
                        </ssl>
                    </server-identities>
                </security-realm>

       2. Add, after <server name="default-server">:

                <https-listener name="default-ssl" socket-binding="https" security-realm="SslRealm"/>

     

     

    Then access it via port 8443.