Service Virtualization


Help on implementing one-way SSL

  • 1.  Help on implementing one-way SSL

    Posted Jul 11, 2017 04:39 AM

    One of our projects requested a virtual service which is SSL-enabled.
    Their front end (client) needs to talk SSL with the virtual service (server).

     

    Since we are not allowed to use the DevTest internal certificate (in webreckey.ks), we have received one from the company itself. It contains a certificate chain (in .crt format) together with the private key (.key).

     

    Reading through the DevTest documentation and from the community, this would require that I (server) need to provide the server certificate to the client, and that they need to add it in their truststore. (Please correct me if I'm wrong)

     

    But on my side, I'm not sure what to add and where:

    • Can I use the DevTest default keystore webreckey.ks to import my certificate?
    • If yes, what do I actually need to put in there? I tried to import the whole chain, but it isn't working. I have tried it with Portecle.
    • Does it only need the server certificate itself with the private key?
    • Do I need to add something in the truststore?
    • If yes, can I use the DevTest default truststore cacerts?
    • If I cannot add to the default keystore and truststore, are there any properties that I need to modify on the DevTest servers (Registry server, VSE server), or can I load this directly in the virtual service when creating it via the wizard?

     

    PS: I already checked the nice post https://communities.ca.com/docs/DOC-231172116-of-ssl-java-and-devtest, but I still require help on actually implementing it.



  • 2.  Re: Help on implementing one-way SSL

    Posted Jul 11, 2017 12:49 PM

    Not sure if I can offer the best answer, but if you only need 1-way SSL, supplying the JKS file in the Listen Step and enabling the Use SSL to Client should be sufficient. Optionally, you could roll the cert into the webreckeys, but I would do that after verifying that there are no issues with the keystore, and after taking a copy of webreckeys for recovery purposes.

     

    What technique did you use to convert the .crt file to a JKS?

    For example, via a utility like openssl to convert the .crt to a .p12, then use keytool to import the .p12 and create a .jks.

     

    What do you see when you CLICK the Verify option in the Listen step? Does your jks validate properly?

    Also, what happens when you point to the location of the JKS and try a call from the client application?

     

    If you are able to run the service in ITR mode, have the client send an HTTPS request after enabling debug so you can watch the handshake. Or, turn on SSL debugging via a vmoptions change.



  • 3.  Re: Help on implementing one-way SSL

    Posted Jul 11, 2017 12:57 PM

    Hello Davy,

     

    If my understanding is correct, you want to enable your VSM to use SSL. Is that correct?

    Which transport protocol is your virtual service using? HTTP?

    If it is HTTP, you will be able to enable "Use SSL to Client" in the HTTP Listener step.

    When you enable this option you will have the chance to select a keystore file and password (screenshot: HTTP Listener Step).

     

    Specify your keystore, password and select "Verify" to validate the password.

    Save the VSM and redeploy it.

    That will enable 1-way SSL authentication with the VSM.

     

    If you are facing more issues, please add more details regarding the error/exceptions you are facing.

     

    Hope it helps.

    Heloisa



  • 4.  Re: Help on implementing one-way SSL

    Posted Jul 12, 2017 02:47 AM

    Thank you both for your feedback, but I'm struggling with the setup of the keystore(s), so I'm not even close to the listen step yet.

     

    What I have is the certificate (.crt) and the private key (.key).

    The certificate file is actually a chain (root, intermediate and the server certificate).

     

    I would like to know where I have to put what:

     

    • Do I convert the whole chain to a .p12 and load it in the webreckey keystore (will that work?), or do I need to create my own keystore and import the whole chain there from a .p12?
    • Do I have to split up the certificate chain and load root and intermediate into the cacerts, or do I need to create a truststore for this, or ...?

     

    The more documentation I read about this, the more it confuses me to do it properly.

     

    Once I have the keystore in place, I can indeed enable it in the listen step.

     

    Thanks in advance.



  • 5.  Re: Help on implementing one-way SSL
    Best Answer

    Posted Jul 12, 2017 10:17 AM

    Hi Davy,

    Follow the steps below and see how it works for you:

    1. Using Portecle you can create a new keystore (JKS) - File/ New Keystore/ JKS.
    2. Then you can import the key - Tools/ Import Key Pair.
    3. Next import the root cert - Tools/ Import Trusted Certificate, and do the same for the intermediate and the server cert.
    4. Save the keystore file.

    After you create this JKS file, provide it in the VSM listener step and see how it works for you.

     

    Heloisa



  • 6.  Re: Help on implementing one-way SSL

    Posted Jul 14, 2017 02:53 AM

    Hello Heloisa,

     

    When I import the key into the keystore, it is asking for the password of the private key.

    After providing the password, it then asks for a PKCS#12 keystore password (which I don't have).

    When I enter the same password as for the private key (or when I leave it blank), I get a "could not read keypair..." error message.



  • 7.  Re: Help on implementing one-way SSL

    Posted Jul 26, 2017 05:50 PM

    Hello Davy,

    Not sure if you are still having this problem.

    Verify with the team that provided you the keys if they have the password.

     

    Heloisa



  • 8.  Re: Help on implementing one-way SSL

    Posted Aug 16, 2017 03:19 AM

    Hi Heloisa,

     

    Sorry for the late feedback (just returned from holiday).

    The issue has been resolved.

     

    Thanks all for the help.



  • 9.  Re: Help on implementing one-way SSL

    Posted Aug 16, 2017 03:51 AM

    Greetings Konfu,

     

    Hope you had a relaxing vacation.

     

    Could you please help me understand how the issue was finally resolved?

     

    High level steps would be very helpful and appreciated.

     

    We are also in a similar situation.

     

    Thanks in advance.



  • 10.  Re: Help on implementing one-way SSL

    Posted Aug 16, 2017 08:15 AM

    Hello Maddy,

     

    During the time of posting the question our requirement was changed from one-way SSL to two-way SSL. In order to set up the SSL-MA I have done the following (please note that I had to use my own certificate (certificate chain with root, intermediate and server certificate) instead of the default one provided by DevTest).

     

    Tools used: openssl and Portecle.

     

    Here are the steps I have done to achieve SSL-MA:

     

    1. Create a keypair with openssl (needed to create the keystore later on)
      Command: openssl pkcs12 -export -inkey your_private_key.key -in your_server_certificate.pem -name your_name -out your_keypair_name.p12
    2. Create a keystore with Portecle
      1. Open Portecle and create a new JKS keystore
      2. Import the root certificate (click yes for new trust)
      3. Import the intermediate certificate
      4. Import the keypair from step 1
    3. Add the server root and server intermediate certificates to cacerts with Portecle
    4. Add the client root, client intermediate and client certificates to the same cacerts with Portecle
    5. Copy your modified cacerts to your DevTest instance (...\CA\DevTest\jre\lib\security)
    6. Copy your keystore to your DevTest instance (wherever you want)
    7. In the listen step of your VSM enable SSL and provide the location and password of your keystore

     

     

    Hope it helps!
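The openssl part of the procedure above (step 1, which produces the PKCS#12 file that Portecle's Tools / Import Key Pair then reads in post 5), with the two passwords that caused the "could not read keypair" confusion in post 6 made explicit, as an added example that is not code from the thread or from CA/DevTest. The script generates its own constructed root / intermediate / server chain so it runs offline; the file names, the alias `vse-server` and the passwords `keypass` (the one set on the private key you were handed) and `p12pass` (the new one you choose for the .p12 and later type into Portecle) are all assumptions. It also runs the two checks worth doing before touching a keystore: that the key really belongs to the first certificate in the .crt chain, and that the chain validates up to its root.

```shell
#!/bin/sh
# Added example, not code from the thread or from CA/DevTest.
# Builds the PKCS#12 "keypair" from step 1 of the SSL-MA write-up and checks it
# before it goes into a JKS via Portecle. The chain, file names, alias and both
# passwords are constructed for the example; a real deployment substitutes the
# files received from the company PKI.
set -e
WORK="${WORK:-$(mktemp -d)}"
cd "$WORK"

# Minimal config so `openssl req` also works on hosts without an openssl.cnf.
printf '[req]\ndistinguished_name = dn\n[dn]\n' > req.cnf
# CA certificates must carry CA:TRUE or chain verification fails on them.
printf 'basicConstraints = critical, CA:TRUE\nkeyUsage = keyCertSign, cRLSign\n' > ca.ext
printf 'basicConstraints = CA:FALSE\nextendedKeyUsage = serverAuth\n' > srv.ext

# Constructed stand-in for what the company handed over: an encrypted private
# key (server_enc.key) and a single .crt containing the whole chain.
make_chain() {
  for n in root int server; do
    openssl genpkey -algorithm RSA -pkeyopt rsa_keygen_bits:2048 -out "$n.key" 2>/dev/null
  done
  openssl req -new -config req.cnf -key root.key -subj "/CN=Constructed Root CA" -out root.csr
  openssl x509 -req -in root.csr -signkey root.key -days 30 -extfile ca.ext -out root.crt 2>/dev/null
  openssl req -new -config req.cnf -key int.key -subj "/CN=Constructed Intermediate CA" -out int.csr
  openssl x509 -req -in int.csr -CA root.crt -CAkey root.key -CAcreateserial -days 30 \
    -extfile ca.ext -out int.crt 2>/dev/null
  openssl req -new -config req.cnf -key server.key -subj "/CN=vse.example.test" -out server.csr
  openssl x509 -req -in server.csr -CA int.crt -CAkey int.key -CAcreateserial -days 30 \
    -extfile srv.ext -out server.crt 2>/dev/null
  # The key arrives with a passphrase, the "password of the private key" of post 6.
  openssl pkey -in server.key -aes256 -passout pass:keypass -out server_enc.key
  # Chain file in leaf-first order: server, intermediate, root.
  cat server.crt int.crt root.crt > chain.crt
}

# Check 1: does the private key belong to the first (server) certificate in the
# chain? Compares the public key derived from each; exit status 0 means match.
key_matches_cert() {  # key keypass chain.crt
  k=$(openssl pkey -in "$1" -passin "pass:$2" -pubout 2>/dev/null | openssl md5)
  c=$(openssl x509 -in "$3" -pubkey -noout | openssl md5)
  [ "$k" = "$c" ]
}

# Check 2: does the chain validate, leaf via intermediate up to the root?
chain_verifies() {  # root.crt int.crt server.crt
  openssl verify -CAfile "$1" -untrusted "$2" "$3" >/dev/null 2>&1
}

# Step 1 of the write-up with both passwords spelled out:
#   -passin  unlocks the private key you were given (set by whoever created it)
#   -passout is the NEW PKCS#12 password you choose here; it is the value
#            Portecle's "PKCS#12 keystore password" prompt asks for later.
# With the whole chain passed via -in, openssl pairs the matching certificate
# with the key and carries the intermediate and root along as extra certs.
build_pkcs12() {  # key keypass chain.crt alias p12pass out.p12
  openssl pkcs12 -export -inkey "$1" -passin "pass:$2" -in "$3" \
    -name "$4" -passout "pass:$5" -out "$6"
}

# How many certificates are inside the .p12? Expect 3 for a full chain;
# a wrong password opens nothing and yields 0.
pkcs12_cert_count() {  # file.p12 p12pass
  openssl pkcs12 -in "$1" -passin "pass:$2" -nokeys 2>/dev/null | grep -c 'BEGIN CERTIFICATE'
}

make_chain
key_matches_cert server_enc.key keypass chain.crt
chain_verifies root.crt int.crt server.crt
build_pkcs12 server_enc.key keypass chain.crt vse-server p12pass keypair.p12
pkcs12_cert_count keypair.p12 p12pass
```

The resulting keypair.p12 is what Portecle's Import Key Pair expects in step 2.4 above; because the chain is inside it, the imported entry already carries the intermediate and root, and Portecle's separate trusted-certificate imports (steps 2.2 and 2.3) only add the same CAs as their own trust entries. If `key_matches_cert` fails on real input, the .key and .crt were not generated together and no keystore setting will fix that; if `chain_verifies` fails, the .crt is missing a CA certificate or has them in an unexpected order.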



  • 11.  Re: Help on implementing one-way SSL

    Posted Aug 16, 2017 08:24 AM

    Greetings Konfu,

     

    Thanks for the quick turnaround, much appreciated.

     

    The steps are detailed; I hope I do not come across any new issue, fingers crossed.

     

    If there are new challenges, I shall post back.

     

    Thanks again!!!