
Creating a keystore and truststore for a web service

23 replies [Last post]
waynetg
Offline
Joined: 2007-06-04

Hi all

I have found plenty information regarding configuring webservices to use keystores but not much on creating your own. I have used the following commands to create my keystore truststore pair.

keytool -genkeypair -alias xws-security-server -keysize 1024 -keyalg RSA -keystore server.jks
keytool -genkeypair -alias xws-security-client -keysize 1024 -keyalg RSA -keystore clientstore.jks
keytool -exportcert -alias xws-security-server -keystore server.jks -file server.crt
keytool -importcert -alias xws-security-server -file server.crt -keystore clientstore.jks

When I implement it I get the following error.

Added addressing feature "javax.xml.ws.soap.AddressingFeature@72fc1f0e" to port "com.sun.xml.ws.model.wsdl.WSDLPortImpl@19f8b008"
JMAC: In PrivateKeyCallback Processor
WSS1913: Key used to decrypt EncryptedKey cannot be null
WSS1927: Error occured while decrypting EncryptedKey
WSITPVD0035: Error in Verifying Security in Inbound Message.
com.sun.xml.wss.impl.WssSoapFaultException: WSS1927: Error occured while decrypting EncryptedKey

Any ideas what I'm doing wrong?

mpachis
Offline
Joined: 2003-07-14

HI,

I have discovered you do not need to use OpenSSL if you make sure your keystore password matches the Glassfish password.

I have attached a script that uses only keytool to create a keystore, import it into the Glassfish keystore, and create a client certificate, which you can hand off to a third party to access your service. In my case I have a vendor using .net and my generated certificate to access my secure Java web service.

Aleksandras Novikovas

Hi,

Problem with your script is that keytool is not able to create
certificate v3 extensions needed to use with WSIT (web services
security).

-
Aleksandras Novikovas

E-mail: an@systemtier.com


---------------------------------------------------------------------
To unsubscribe, e-mail: users-unsubscribe@glassfish.dev.java.net
For additional commands, e-mail: users-help@glassfish.dev.java.net

kumarjayanti
Offline
Joined: 2003-12-10

Using JDK 6 Keytool would create V3 certs. Also note that you do not need certs with KeyIdentifier Extension in general. You can modify the X509Token policy in your WSDL to have an child assertion and then you no longer need the KeyIdentifier extension.

If you are using NB 6.5 it automatically generates the above child assertion.

mpachis
Offline
Joined: 2003-07-14

> I have to import the service key into the server's keystore to get this to work. <

I just noticed this statement. Do I have to do this first with the copyv3 zip file first?

waynetg
Offline
Joined: 2007-06-04

No idea. I did do it first but I don't know if it is necessary when you're putting your own key in the keystore.

Aleksandras Novikovas

Hi All,

If you want to use secure web services - you have to create your own
certificates. (copyv3.zip is provided only for testing purposes)

You have to install OpenSSL.

Untar-gzip ca.tgz file into your home directory - it is where your CA
will be stored. Now it is empty structure - does not even contain CA
private/public keys. It contains openssl.cnf - CA configuration which
will be used for creating and signing keys.

Edit script gen.sh - change passwords, d-names (note that d-name for CA
and for java key stores are in different forms because CA keys are
generated by OpenSSL and java keys are generated by keytool), number of
days how long certificates will be valid.

Run script ./gen.sh

In your home directory it will create directory keystore.

keystore/server/ - contains files which you will have to copy into
$AS_HOME/domains/domain1/config/ (make copy of original files - just in
case ;) )
You will have to restart application server.

keystore/client/ - contains files which will be used by web service
clients - copy these files into client's META-INF directory.

After you create Web Service (in NetBeans) (and set default security
values) - you have to open wsit-* XML file (found in WEB-INF directory),
find policy responsible for security and change it to (do not change
policy name - copy only inner part ()) - remember to
change value of storepass parameter:

wspp:visibility="private"
alias="xws-security-server"
storepass="changeit_WS_server"
type="JKS"
location="keystore.jks"
/>
wspp:visibility="private"
peeralias="xws-security-client"
storepass="changeit_WS_server"
type="JKS"
location="cacerts.jks"
/>


After you generate web service client (and set default security values)
you have to open wsit client file (found in META-INF directory), find
policy responsible for security and change it with (do not change policy
name - copy only inner part ()) - remember to change
value of storepass parameter:

wspp:visibility="private"
peeralias="xws-security-server"
storepass="changeit_WS_client"
type="JKS"
location="cacerts.jks"
/>
wspp:visibility="private"
alias="xws-security-client"
storepass="changeit_WS_client"
type="JKS"
location="keystore.jks"
/>

Now you are using your own server and client certificates ;)

-
Aleksandras Novikovas

E-mail: an@systemtier.com

[ca.tgz]
[gen.sh]

waynetg
Offline
Joined: 2007-06-04

Thanks Aleksandras

That's a good script. I hope it will go live somewhere useful.
So as far as I can tell the expected behaviour is to use your glassfish server keystore as the server keystore. That explains my problem and should be stated more clearly in the docs/blogs that address this issue. I'm not sure it completely makes sense in the context of multiple services running on one server; I would've thought having separate server keystores would be ideal.

kumarjayanti
Offline
Joined: 2003-12-10

Hi Again,

Full stack trace please....

From what i see, you have generated self-signed certs. In this case one step that is missing is that the client.crt should also be imported into server.jks

But what is likely happening in the scenario you are trying is that the client/server has encrypted the message using the public-key of the other party. But when the message needs to be decrypted by the recipient of the message, somehow the keystore of the recipient only has a TrustedCertEntry and not a KeyEntry (private key is required for decryption).
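As an added example (not a script posted in this thread), here is the keytool-only sequence kumarjayanti describes, with the client cert imported into server.jks as well, followed by a check of which entry type each store holds for each alias. It assumes keytool on PATH, the aliases used in the thread, placeholder passwords, and constructed distinguished names.

```shell
#!/bin/sh
# Added example, not from the thread: build the server/client keystore pair with
# keytool only, including the cross-import kumarjayanti points out (client cert
# into server.jks), then report the entry type each store holds per alias.
# Assumptions: keytool on PATH; passwords are placeholders (the server store
# password must match the GlassFish keystore password, as noted later on).
set -eu

WORK="${WORK:-$(mktemp -d)}"
SERVER_PASS="changeit"   # placeholder
CLIENT_PASS="changeit"   # placeholder

# Generate a self-signed RSA key pair (a PrivateKeyEntry) in its own JKS store.
gen_pair() {  # alias keystore password dname
  keytool -genkeypair -storetype JKS -alias "$1" -keyalg RSA -keysize 2048 \
    -validity 365 -keystore "$2" -storepass "$3" -keypass "$3" -dname "$4" \
    >/dev/null 2>&1
}

# Export a certificate and import it into the peer's store as a trustedCertEntry.
trust_peer() {  # alias src_keystore src_pass dst_keystore dst_pass
  keytool -exportcert -storetype JKS -alias "$1" -keystore "$2" -storepass "$3" \
    -file "$WORK/$1.crt" >/dev/null 2>&1
  keytool -importcert -storetype JKS -noprompt -alias "$1" -file "$WORK/$1.crt" \
    -keystore "$4" -storepass "$5" >/dev/null 2>&1
}

# Report the entry type keytool lists for an alias. Only a PrivateKeyEntry can
# decrypt an EncryptedKey; a recipient store holding just a trustedCertEntry for
# its own alias is the situation behind WSS1913 in the first post.
entry_type() {  # alias keystore password
  keytool -list -storetype JKS -keystore "$2" -storepass "$3" -alias "$1" 2>/dev/null \
    | grep -oE 'PrivateKeyEntry|trustedCertEntry|keyEntry' | head -n 1
}

build_stores() {
  gen_pair xws-security-server "$WORK/server.jks" "$SERVER_PASS" "CN=xws-security-server,OU=test,O=test,C=US"
  gen_pair xws-security-client "$WORK/client.jks" "$CLIENT_PASS" "CN=xws-security-client,OU=test,O=test,C=US"
  # Each side trusts the other's cert; the second call is the step the first post skipped.
  trust_peer xws-security-server "$WORK/server.jks" "$SERVER_PASS" "$WORK/client.jks" "$CLIENT_PASS"
  trust_peer xws-security-client "$WORK/client.jks" "$CLIENT_PASS" "$WORK/server.jks" "$SERVER_PASS"
}

if command -v keytool >/dev/null 2>&1; then
  build_stores
  echo "server.jks: server=$(entry_type xws-security-server "$WORK/server.jks" "$SERVER_PASS")" \
       "client=$(entry_type xws-security-client "$WORK/server.jks" "$SERVER_PASS")"
else
  echo "keytool not found; nothing generated" >&2
fi
```

JDK 6 keytool prints keyEntry where later JDKs print PrivateKeyEntry; both mean the private key is present.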

waynetg
Offline
Joined: 2007-06-04

I thought I sent this hours ago. woops!

Thanks, again...

I've added the server log. I was hoping this was going to be incredibly simple.

I've been fiddling around with the default stuff and it seems I have been going about this the wrong way. This seems to be all that is needed for symmetric key authentication. Only problem is it still doesn't work; maybe I need to sign something somewhere. My keys do look a bit different to the default ones.

keytool -genkeypair -alias xws-security-server -keysize 1024 -keyalg RSA -keystore server.jks -storepass changeit -dname "CN=xws-security-server, OU=test, O=test, L=test, S=test, C=test"
keytool -exportcert -alias xws-security-server -keystore server.jks -file server.crt
keytool -importcert -alias xws-security-server -file server.crt -keystore client.jks

kumarjayanti
Offline
Joined: 2003-12-10

Can't see server.log

Can you make sure you have assertion under the X509Token assertion.

This is because the certs you generated most likely do not have the KeyIdentifier Extension in them.

waynetg
Offline
Joined: 2007-06-04

It's there:

Yes, the KeyIdentifier Extension seems to be missing. I can't seem to see a way to get keytool to make it. Do I have to use a 3rd party app?

kumarjayanti
Offline
Joined: 2003-12-10

use openssl.

But the KeyIdentifier is not a requirement in your case since you have RequireIssuerSerial. There must be some other problem.

waynetg
Offline
Joined: 2007-06-04

Trying again with the server.log

I've messed around a bit with openssl to do this. I have no idea.

waynetg
Offline
Joined: 2007-06-04

Ok, I've established that the problem lies in the server keystore creation. I used the default keystore, exported the cert the same way as mentioned above and created the truststore also as above. I pointed my client at the new truststore and it works. As such the problem must lie in this statement.

keytool -genkeypair -alias xws-security-server -keysize 1024 -keyalg RSA -keystore server.jks -storepass changeit -dname "CN=xws-security-server, OU=test, O=test, L=test, S=test, C=test"

I'm upgrading my jdk to 1.6.12 as soon as gentoo lets me but I'm not sure that'll fix the problem. Any more ideas?

waynetg
Offline
Joined: 2007-06-04

Bump

Maybe I should post a bug. I can't be the only person having this problem.

mpachis
Offline
Joined: 2003-07-14

Hi,

Did you ever resolve this issue? I'm trying to do the same thing in NetBeans and getting the same error you did.

waynetg
Offline
Joined: 2007-06-04

No, but I'm STILL working on it. This is a good guide for creating compliant keys using openssl ->
http://www.jroller.com/gmazza/date/20080805

My next thought, since I can't squeeze a FileNotFoundException out of the server, is that it isn't getting that far. I'm going to drop the key size down to 128bit and see if that works. Then I'm going to poke around the source code and find out where the errors are coming from. I'm attaching the full error and stack trace for interest.

waynetg
Offline
Joined: 2007-06-04

Quick question.

Do the keys generated for the custom key store have to be registered or signed by a key in the server's main keystore?

waynetg
Offline
Joined: 2007-06-04

SUCCESS!!!!

Well, partial success at least.... I can now make my own certs and the certs work 100%, I just don't like the way I had to make it work.

I have to import the service key into the server's keystore to get this to work. The idea came from the fact that you need to import the v3 certs into glassfish to get the whole system to work.

This causes 2 problems:
1) I have to restart the server every time I add a key.
2) the key password has to be changeit/(the servers keystore password) or the server won't start.

I have attached the script I use to do this. Anyone keen on having a look to validate my findings and maybe help with a workaround?

thanhtien501
Offline
Joined: 2011-01-20

Dear waynetg
Now I get stuck in this problem.
I can not create a keystore or add a record in the existing keystore (the default keystore in Glassfish). I pay attention that there is no extension section, and I use openssl in order to create a keystore with extension section, but I still meet the problem: the keystore does not work as I expected.
You said that "I have attached the script I use to do this", so where is your script? Please help me.
Thank you so much

mpachis
Offline
Joined: 2003-07-14

Great, you are persistent.

However, when I imported service.p12 successfully into keystore.jks, Glassfish will not start, getting this error "java.security.UnrecoverableKeyException: Cannot recover key". If I remove the key it starts normally.

Did you experience this?

waynetg
Offline
Joined: 2007-06-04

Yes, you need the key password to match the keystore password for keystore.jks.

mpachis
Offline
Joined: 2003-07-14

Duh on me. That is what you said in your post.

I used your script to accomplish the same thing in Windows and it is now working.

You are correct that there is a limitation that the keystore and key passwords must be the same or Glassfish will fail to start. Here is a blog that explains the situation and how to change the password.

http://weblogs.java.net/blog/kumarjayanti/archive/2007/11/ssl_and_crl_ch...