ACL setting of Broker 60

Hi,

We have a problem with ACL setting in 6.0

When I click on the ACL in the broker admin, I get the following error message:

Error: you are not identified to the broker in this session. Set your user name using the Broker Administrator’s Identity Settings and return here.

WE DIDN’T CONFIGURE FOR SSL.

I used the awcert tool to generate the CSR and private key and used the trial version of Verisign to generate the response(text file).

The certificate is generated but doesn’t open.

Do I have to convert to DER format? If so, how? Is it done using the Certificate Toolkit?

I tried doing that but it was of no use. Am I missing something?

Do I have to use OpenSSL? Is it free? Can anyone tell me the procedure?

I would really appreciate it if somebody would help me.

Thanks,

Raghu

I am not exactly sure what you did in an effort to create a server certificate but…

The webMethods Certificate Toolkit is all you need to request a signed server certificate from a certificate authority. I know this works with Verisign and Entrust and I assume it works with many other Certificate Authorities as well.

The basic steps are:

  1. Use the toolkit to generate a private key and generate a CSR file.
  2. Send the CSR to your favorite Certificate Authority. How to do this varies with each CA; the only constant seems to be that it is unclear how.
  3. Get back a signed server certificate from the Certificate Authority.
  4. Use the certificate toolkit to convert the returned file into DER format.

In the case of Verisign or Entrust (and probably many others) the returned file is in an ASCII format called PEM. It may have an extension of .cer. You can tell by editing the file with your favorite text editor. A file in the PEM format looks like:

-----BEGIN CERTIFICATE-----
(several lines of encoded text)
-----END CERTIFICATE-----

The certificate toolkit is able to convert PEM to DER format.

OpenSSL is free and is available at http://www.openssl.org
If you will be running OpenSSL in the Windows environment, a binary version for Windows is available via http://www.openssl.org/related/binaries.html

This is a worthwhile tool to have available. OpenSSL is a command line tool whose documentation is fairly dense, at least to someone like me who does not know a whole lot about the innards of certificates. But it does seem to be able to do just about anything with certificates, including, I think, generating self-signed ones for testing.

Hi John,
Thanks for the response,
I generated a CSR and converted it into DER format, but the certificate is not recognized, and the private key file which is generated, when clicked, says it is an invalid security file.

We didn’t configure for SSL. We are trying to set it up now, but the main issue is with the identity settings of the broker.

Firstly, do we need to configure SSL to set the ACL of the broker in 6.01, and

Secondly, can we use the same certificate (that is, the certificate generated for the IS) to set up the SSL for the broker?

Is it necessary that we use the awcert tool to generate the certificate for the broker?

I am looking for answers to these questions, but I am able to form only a vague idea.

I would greatly appreciate it if somebody would clarify these for me.

I am not familiar with webMethods 6, the Broker or the awcert utility. We are just starting down the webMethods 6 road ourselves. Therefore I have no answers w/regard to any wM6 questions.

However, with regard to the private key you generated: you say that when you double-click it you get an “invalid certificate” message. That is normal. At least that’s what I get, and I know my private key files are valid.

I am still a little confused on the CSR situation. What I am reading is that you are generating a CSR and then attempting to convert the CSR file into DER format. That will not work. The CSR is only useful when sent to a Certificate Authority when requesting a signed public key certificate. The CA will respond back with a file that is your signed public key certificate. It is that file that is then converted into the DER format (or whatever format your application requires). The CSR itself is not directly converted to anything. At least I have no idea how one would do that.

The Broker\doc\BrokerAdministratorsGuide.pdf does discuss this stuff, although it does seem to be confusing, at least on a quick read.

Raghu,

To configure security on the Broker you do need to use the awcert utility to both request and install your certificate to get things working. It sounds like you initially tried to do that but couldn’t get it to work.

Did you take the result from Verisign and use awcert to install the returned certificate? Basically, did the response file look like “---- BEGIN REQUEST — and — END REQUEST —” with encrypted data in between?

Also, did you install the Verisign ca root as a trusted root in the awcert file you are trying to use?

We use our own internal Certificate Management System to generate our certs for the Broker, so I’m not fully familiar with the 3rd party process, but it should work in a similar fashion.

Steve

Thank you Steve,

Yes, I used awcert to import the trusted root and finally certify, but the certificate file doesn’t come up with any extension even after I certify.

What internal certificate management system do you use? Is it OpenSSL?

We are interested in getting a certificate without using the 3rd party.

Can you help on how I can do this?

Do we have tools which generate certificates so that we can configure the broker for SSL (without going through a certificate authority like Verisign)?

It would be very helpful if you could suggest some ideas on how this can be done.

Thanks
Raghu

Raghu,

We are using an old version of Netscape Certificate Management System (4.1), it is now part of the Sun One Server suite of products, so I don’t know what it is called in its current incarnation.

I’m not sure if OpenSSL will work for you unless it can “sign” the certificate request you generate with awcert and deliver back a response for you. If OpenSSL has the tools to act like a CA (Certificate Authority) then you would do the following:

  1. create a CA root cert via OpenSSL
  2. import it into your awcert generated file
  3. use awcert “make-request” to request a cert
  4. use OpenSSL to sign the cert request (since it is acting as a CA)
  5. use awcert certify to certify the response from your OpenSSL CA
  6. use the certified request in the Broker SSL setup

If OpenSSL can’t play the role of a CA, then you will either have to use a 3rd-party CA or get Certificate Management System software to act in this fashion.

Steve

OpenSSL instructions (from a message board post by Andrew Smith. I’m not sure of the original source).

When I was working with this previously, I created a simple script to automate these tasks. I just had to supply the server name and it created the certs that I needed to deploy.

Useful Links:

OpenSSL Homepage:
http://www.openssl.org

OpenSSL Win32 Binary (Get this, only install the Toolkit Part):
http://www.opensa.org/download

Steps to Create a simple Root Certificate and Public Certificate

At a command prompt in a directory with openssl.exe in your PATH
and openssl.cfg in the same directory:

PART 1

  1. openssl md5 * > rand.dat
  2. openssl genrsa -rand rand.dat 1024 > cakey.pem
  3. openssl req -new -key cakey.pem -out cacsr.pem -config openssl.cfg
  4. openssl x509 -in cacsr.pem -out cacert.pem -req -signkey cakey.pem -days 365

At this point you have a key and certificate for a self-signed root CA.
Now you can use it to sign certificate requests.

(In the same directory as before)

  1. openssl genrsa -rand rand.dat 1024 > mykey.pem
  2. openssl req -new -key mykey.pem -out mycsr.pem -config openssl.cfg
  3. (option 1) openssl x509 -in mycsr.pem -CA cacert.pem -CAkey cakey.pem -CAcreateserial -req -out mycert.pem -days 365
     (option 2) openssl x509 -in mycsr.pem -CA cacert.pem -CAkey cakey.pem -CAserial serialfile.srl -req -out mycert.pem -days 365

Now you should be good to go. The following files can be used to configure an HTTPS listener for our software, Apache, IIS, or whatever. Note that conversion from PEM to DER may be required for certain software.

Main Files:

mykey.pem your public cert’s private key, PEM encoded
mycert.pem your public certificate, PEM encoded
cacert.pem your root certificate, PEM encoded

Leftover files:

mycsr.pem your certificate’s signing request
cacsr.pem your root certificate’s signing request
cakey.pem your root cert’s private key, needed for signing future certificates

Steps to Create a simple Self-Signed Certificate

At a command prompt in a directory with openssl.exe in your PATH
and openssl.cfg in the same directory:

  1. openssl md5 * > rand.dat
  • creates random seed
  2. openssl genrsa -rand rand.dat -des3 1024 > passwordkey.pem
  • generates private key (enter a passphrase)
  2a. openssl rsa -in passwordkey.pem -out nopasswordkey.pem
  • removes passphrase from key (optional)
  3. openssl req -new -key nopasswordkey.pem -out csr.pem -config openssl.cfg
  • creates signing request (enter information as prompted)
  4. openssl x509 -in csr.pem -out cert.pem -req -signkey nopasswordkey.pem -days 365
  • creates signed certificate
  5. openssl x509 -inform PEM -in cert.pem -outform DER -out cert.der
  • converts your certificate to DER format
  6. openssl rsa -inform PEM -in nopasswordkey.pem -outform DER -out nopasswordkey.der
  • converts your key to DER format

You now have a key and a certificate in DER format. The certificate is its own CA and can be used as the CA Certificate when configuring a B2B HTTPS listener.

Steps for Creating PKCS12 Objects from a Certificate & Key

Note: you need these three files
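The two-part procedure above (root CA, then a CA-signed server certificate, then DER conversion) as one script that only needs the server name, the kind of automation Andrew mentions. This is an added example, not Andrew's script or anything shipped with webMethods; it assumes RSA 2048 instead of 1024, `-subj` instead of the interactive prompts, and explicit extensions (CA:TRUE on the root, a DNS subjectAltName on the server certificate), which `openssl verify` and current TLS clients require. Run it with openssl in PATH from any POSIX shell.

```shell
#!/bin/sh
# Added example, not Andrew's script: his two-part procedure as a POSIX shell
# function that only needs the server name, as he describes.
# Assumptions not in the post: RSA 2048, -subj instead of interactive prompts,
# and explicit extensions (CA:TRUE on the root, a DNS SAN on the server cert),
# which "openssl verify" and current TLS clients require. openssl must be in PATH.
set -eu

make_certs() {                       # usage: make_certs <server-name> <outdir>
  name=$1; out=$2
  mkdir -p "$out"
  printf 'basicConstraints=critical,CA:TRUE\nkeyUsage=critical,keyCertSign,cRLSign\n' \
    > "$out/ca.ext"
  printf 'basicConstraints=CA:FALSE\nsubjectAltName=DNS:%s\n' "$name" > "$out/server.ext"

  # PART 1: key, CSR and self-signed certificate for the root CA
  openssl genrsa -out "$out/cakey.pem" 2048 2>/dev/null
  openssl req -new -key "$out/cakey.pem" -out "$out/cacsr.pem" -subj "/CN=Test Root CA"
  openssl x509 -req -in "$out/cacsr.pem" -signkey "$out/cakey.pem" -days 365 \
    -extfile "$out/ca.ext" -out "$out/cacert.pem" 2>/dev/null

  # PART 2: server key and CSR, signed by the root (option 1, -CAcreateserial)
  openssl genrsa -out "$out/mykey.pem" 2048 2>/dev/null
  openssl req -new -key "$out/mykey.pem" -out "$out/mycsr.pem" -subj "/CN=$name"
  openssl x509 -req -in "$out/mycsr.pem" -CA "$out/cacert.pem" -CAkey "$out/cakey.pem" \
    -CAcreateserial -days 365 -extfile "$out/server.ext" -out "$out/mycert.pem" 2>/dev/null

  # DER copies for software such as the Certificate Toolkit that will not take PEM
  openssl x509 -in "$out/mycert.pem" -outform DER -out "$out/mycert.der"
  openssl rsa -in "$out/mykey.pem" -outform DER -out "$out/mykey.der" 2>/dev/null
}

# Exit 0 only if the DER cert chains to our root and carries the requested name.
check_certs() {                      # usage: check_certs <server-name> <outdir>
  openssl x509 -in "$2/mycert.der" -inform DER -out "$2/check.pem" 2>/dev/null || return 1
  openssl verify -CAfile "$2/cacert.pem" "$2/check.pem" >/dev/null 2>&1 || return 1
  openssl x509 -in "$2/check.pem" -noout -text | grep -q "DNS:$1"
}

make_certs broker.example.test certs && check_certs broker.example.test certs \
  && echo "ok: key and certificate written to certs/"
```

The root's private key (cakey.pem) is what signs every future certificate, so keep it out of the directory you hand to the Broker.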

I have tried loading self-signed certificates and am getting this error:

The password to certificate file ‘C:\webMethods\CertToolkit\mycert.der’ is incorrect, or the file is a certificate file at a higher level of security than is supported.

No Permission (109-1381): The password to certificate file ‘C:\webMethods\CertToolkit\mycert.der’ is incorrect, or the file is a certificate file at a higher level of security than is supported. (BrokerServerClient.getDNsFromCertFile-8337)

Has anyone used self-signed certificates? Please send me the procedure.
Thanks

We used Microsoft Certificate Server and they worked fine. We generated a der. 1024 certificate and all was well.

Note: Keep all the certs and request in a common place so that you can find them easier and KEEP THEM SAFE from others.

Our process was:

  1. Download the cert. server (Microsoft in this case) cert and save the .cer file to the webm server

  2. Generate a cert. request with awcert and paste it in the web-based cert server tool.

  3. Save the generated .cer file on the webm server (Microsoft Cert. Server admin must approve it for you first)

  4. We issued the awcert import-trust <webm> <passwd> -f <cert>

  5. Then we issued the awcert certify <webm> <passwd> -f <cert>

  6. Repeat Process for all certs (i.e. admin user cert, adapter cert, etc…)

Hope this helps.

Hi Eric,

The following link will give you a detailed procedure on how to do it. I followed the same procedure and got a self-signed certificate.

http://www.iona.com/support/docs/e2a/asp/5.0/corba/ssl/html/OpenSSL9.html#305154

Raghu

Hi Team,

Having problems with renewing the expired Broker Certificate.

I sent the Original (CSR)request to CA, got the new reply.

When I try to update the keystore file using “awcert certify”, the feedback says 'Receiving Certificates … Successfully received 1 certificates from “reply.txt” ’

But when I list the certificates using “awcert list”, it still shows the old expired certificate.

'…
Issuer DN = ‘OU=For VeriSign authorized testing only. No assurances (C)V
S1997,OU=www.verisign.com/repository/TestCPS Incorp. By Ref. Liab. LTD.,O=“VeriSign, Inc”’
Status = EXPIRED

Has someone seen this before? How to solve this problem?

Regards,
Siva.

Thought someone might find this useful…

OpenSSL commands to get the modulus for the private and public key in order to verify that they are the same pair:

//Private Key
C:> openssl pkcs8 -in <privatekeyname.der> -inform der -nocrypt | openssl rsa -modulus -noout

//Public Key
C:> openssl x509 -in <publickeyname.der> -inform der -modulus -noout
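The same modulus comparison wrapped as a check that can run before a key and certificate are handed to awcert. This is an added example, not from the post; file names are assumed, openssl must be in PATH, and it reads the DER key with `openssl rsa` directly, which accepts both PKCS#1 and PKCS#8 DER, so the pkcs8 pipe above is not needed.

```shell
#!/bin/sh
# Added example (not from the post): returns 0 when a DER private key and a
# DER certificate are the same RSA pair, 1 on a mismatch, 2 if a file cannot be
# read. Assumes openssl in PATH; file names are whatever the caller passes.
set -eu

key_modulus()  { openssl rsa  -in "$1" -inform DER -noout -modulus 2>/dev/null; }
cert_modulus() { openssl x509 -in "$1" -inform DER -noout -modulus 2>/dev/null; }

# usage: keypair_matches <privatekey.der> <certificate.der>
keypair_matches() {
  k=$(key_modulus "$1")  || { echo "cannot read private key: $1" >&2; return 2; }
  c=$(cert_modulus "$2") || { echo "cannot read certificate: $2" >&2; return 2; }
  if [ "$k" = "$c" ]; then echo "MATCH: $1 belongs to $2"; return 0; fi
  echo "MISMATCH: $1 is not the key for $2" >&2
  return 1
}
```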