Certificates does not work on WM9 while working on WM7

Hi All,

I have an issue integrating some web service from WM7 to WM9. The web service consumer requires the certificate file while sending the request.

WM7 Configuration
IS - define path of Trusted Certificates in IS–>Security–>Edit Certificates Settings --> CA Certificate Directory=config\security\cert\cas\

On Developer - in consumer we added a flow service before calling soap client

  • pub.security.setKeyAndChain which we could locate privateKey (privatekey.der) and certFiles (cer1.der,cer2.der). Note that the certificates in full path.
  • pub.client.soapClient which just send request out and it’s working fine

However, in WM9 the service pub.security.setKeyAndChain is deprecated and we are recommended to use pub.security.keystore.setKeyAndChain. So we made a few configuration on IS
IS - define KeyStore by going to IS–>Security --> Create Keystore Alias and Create Truststore Alias named “myKeyStore” for both Keystore alias and Truststore alias.

On Developer - in the same service of WSC we use

  • pub.security.setKeyAndChain which set KeystoreAlias=myKeyStore and keyalias=mykeystore (get it while creating keystore)
  • pub.client.soapClient which just send request out but we received the error…

org.apache.axis2.AxisFault: Error in obtaining a token

I’d like to know what configurations i missed setting. If you have any ideas, please help me out.

Thank you very much,
Note

Hi Note,

I am facing the same issue. I was advised to do the same. Could you tell me how you imported the private certificate to the key-store?
Could you explain in detail about the configuration you did to accommodate the changes?

If you have private key & signed certificate, you need to use open SSL tool (check command in documentation)to create keypair(pks12)

Now use portcele/keystore to create IS keystore & trust store

Key store should contain keypair & Trust store should contain all CA’s

Import them to IS and start creating SSL

Thanks
Sai.

Here are the steps. This creates a PKCS#12 format file. The resulting file (mykey.p12) can be used to create a keystore alias.

Convert binary format key/cert to PEM/text format:

$ openssl pkcs8 -in privatekey.der -inform DER -nocrypt -out privatekey.pem
$ openssl x509 -in cert.der -inform DER -out cert.pem
$ openssl x509 -in cacert.der -inform DER -out cacert.pem

Assemble into PKCS#12 file:

$ openssl pkcs12 -export -in cert.pem -inkey privatekey.pem
-CAfile cacert.pem -name “mykey” -out mykey.p12
Enter Export Password:
Verifying - Enter Export Password:

In webmethods 8.0.1
pub.security:setKeyAndChain
Input for the above service is “privKeyFile” and “certFiles”.

In webMethods 9.5
pub.security.keystore:setKeyAndChain
Input for the above service is “keyStoreAlias” and “keyAlias”

Since pub.security:setKeyAndChain is deprecated in 9.5, I am planning to use “pub.security.keystore:setKeyAndChain”

Thank you Sai and Tbond for the reply. its really appreciated.

./keytool -genkey -keyalg RSA -keysize 2048 -sigalg SHA1withRSA -dname “cn= XXXXXXX, o=Telenor, c=SE” -alias XXXXXXX -keystore keystoreDev -keypass XXXXXXX -storepass XXXXXXX -validity 2190

Used the about command to create KeyStore. Using the above command, I have created empty Keystore.

Now i have three files named privatekey.der, client.der and ca.der.

Need to convert these .der in to .pem format and import to keystore. this is my understanding. Could someone comment on the steps?

Hi Lance,

I have the same thing, privatekey.der, certificate.cer, and ca_certificate.der. I’ve done converted .der to .pem file and added them to the keystore. However, I still have the same error.

So, I was trying to check if my keystore does contain all of the key and certs convertion or not.

I used pub.securirty.keystore:getKeyAndChain. The output of this service is privateKey and certficates that used in pub.security:setKeyAndChain in WM7 but they are in byte array. After that I’ve tried to use pub.security:setKeyAndChainFromByes. It failed because the privateKey is java interface of java.io.Serializable
So, I am pretty confident that my keystore contains everything that needed.

My question to webMethods expert here is the same as this post. http://tech.forums.softwareag.com/techjforum/posts/list/51861.page
I’ve tried to set it in the message layer, it doesn’t work
I’ve tried to set it in the transportation layer, it doesn’t work
I’ve tried to set it in pub.security.keystore:setKeyAndChain, it doesn’t work.
They is always the error “Error in obtaining token”

As a web service consumer, I’ve also tried to create a truststore, but I don’t know how to use it.
Give me some advises, please.

Many thanks.
Note

Why do you need .pem format ie in text?

HTH,
RMG

I used these commands in 9.0 and it should work for all 9.x
You need openssl

Generate a Private Key:
openssl genrsa -des3 -out ./certificates/wm9/private_server.key 1024

Generate a Signing Request:
openssl req -new -key ./certificates/wm9/private_server.key -out ./certificates/wm9/signingrequest.csr

Remove the Passphrase from the Private Key:
cp ./certificates/wm9/private_server.key ./certificates/wm9/private_server.key.orig
openssl rsa -in ./certificates/wm9/private_server.key.orig -out ./certificates/wm9/private_server.key

Generate a Self-signed Certificate:
openssl x509 -req -days 365 -in ./certificates/wm9/signingrequest.csr -signkey ./certificates/wm9/private_server.key -out ./certificates/wm9/server.pem

Import the Certificate into a Java Keystore:
keytool -import -file ./certificates/wm9/server.pem -keystore ./certificates/wm9/server.jks -alias wmkey -trustcacerts

Package the PEM certificate and Private Key as PKCS#12 (PFX):
openssl pkcs12 -export -out ./certificates/wm9/certificate.pfx -inkey ./certificates/wm9/private_server.key -in ./certificates/wm9/server.pem

Import the Private Key and Public Certificate into the Java keystore:
set CLASSPATH=C:\SoftwareAG\MWS\lib\ext\jetty-util.jar;C:\SoftwareAG\MWS\lib\ext\jetty.jar
java org.mortbay.jetty.security.PKCS12Import ./certificates/wm9/certificate.pfx ./certificates/wm9/certificate.jks

Suresh Palanisamy

Hi All,

Thank you very much for sharing your knowledge with me and everyone.
I finally found the solution for this issue.

First, we need to have a Keystore file. I built a java program to test my keystore if we could actually send out the request via SSL.

Second, once we have keystore that it’s working. Here the configuration that I’ve made.

  • Put keystore on the WM IS and configure it on WM IS console -->Security --> Create Keystore Alias
  • Create WS Alias on WM IS console go to --> Settings --> Web Services --> Create Web Service Endpoint Alias
  • Fill in WS Alias details in
    - Web Service Endpoint Alias Properties:
    Transportation Type: HTTPS
    - HTTPS Transport Properties (optional)
    Proxy (https): You need to configure it on Security --> Proxy first
    Keystore: select your keystore
    KeystoreAlias: type the alias name

Third, go to WM Designer and to your WSDC. Select the tab “Binder” and set “Port Alias” from the 2nd step. If you do not see it, refresh the package first.

Forth, if you still have the same error “Error in obtaining token”, on the WSDC, set the properties “Pre-8.2 compatibility mode” to “True”. That made my consumer works. :smiley:

Hope this could be helpful to everyone.

Remark: I think you can also use keystore on auth->transportation->keystore/keystore alias if you don’t want to set up all those 2 and 3 but at least setting up the keystore alias on WM IS console. (I haven’t tried it, but i think it would work).

Or even change the SOAP version from 1.2 to 1.1 or vice versa would help.

Cheers,
Note

Hi Suresh,

I see you have used jetty-util.jar and jetty.jar files at last, when i check in our webmethods server i didn't find them, can you please help me where would i find these files, do they get shipped with default webmethods installation.

Regards
Sreeni