Loading Certificate Keystore provided by a Bank (Westpac)

Hi,
I’ve downloaded the certificates and Keystore from Westpac and I’m having trouble loading the Keystore into the Admin UI. Would anyone have experience with loading a Keystore from Westpac? The error that I’m getting is…

“Error: cannot load the keystore for alias 'wibs’. Details: attempt to initialize keystore using location(/u01/app/webMethods8_dev/IntegrationServer/config/security/keystore/********_WIBS-STP_Support_887585504.jks) failed.”

Any help is appreciated

Cheers,
David

Is it the first time you are configuring the keystore on 8.x servers?

What difference do you see loading it from Westpac?

Are you running keytool from the IS config?

HTH,
RMG

Hi,
The Bank offers 2 different certificates (.pem & .pfx) and a KeyStore (.jks). Initially, I converted the .pem certificate file to .der and created a new KeyStore using keytool, and that loaded into the Admin UI okay. I was subsequently told by the Bank’s Integration Team (Qvalent) to use the KeyStore file (.jks) provided by them to connect with their end-points. I haven’t converted anything in the KeyStore and I am unaware of what format the certificates within the KeyStore (.jks) are. Can the webMethods Admin tool load KeyStores containing certificates that are not in .der format?

It is this KeyStore that was provided by the Bank that is giving me grief while trying to load it into the Admin UI (Security/KeyStore/Create Keystore Alias). I realise that the installed patches here are somewhat behind, so that may have something to do with it as well, but I don't know.

Software
Product: webMethods Integration Server
Version: 8.0.1.0
Updates: IS_8.0_SP1_Core_Fix14
IS_8-0_SP1
TNS_8.0_SP1_Fix6

Build Number: 209
SSL: Strong (128-bit)

Any assistance is always gratefully appreciated.

Cheers,
David

Hi,
OK, after a bit of discussion with the Bank, they’ve provided the CA, PrivateKey & PublicKey in .DER encoded format. I can load the CA & Public Key into a KeyStore, but I can’t add the PrivateKey. So what do I do with the PrivateKey?

Any help is gratefully appreciated…

Cheers,
David

Hi David,

The IS server private key is placed in the keystore, and public keys, CA certs etc. are placed in the trust store.

The keystore & truststore can be created by using the keytool command or by using third-party GUI providers such as Portecle, OpenSSL etc.

Note: If the customer hasn’t given trusted CA certs, you need to import them into Designer also.

Thanks
Sai

Yes, I would say third-party GUI providers such as Portecle and OpenSSL are good tools to configure with:

Hi,
I’ve discovered that SSL Debugging had been on and the problem seems to be that it can’t find a client certificate to send to the Bank during the Handshake.

ssl_debug(13): Received server_hello_done handshake message.
ssl_debug(13): No client certificate available, sending empty certificate message.
ssl_debug(13): Sending client_key_exchange handshake message (2048 bit)…

I’ve confirmed with the bank that the Certs they had provided are to be loaded into the KeyStore and not the TrustStore, as the Certs have been self-signed or something.

Viewing the Keystore (which is loaded into the IS) in Portecle, I can see the Key, Cert & Root.

In Debug mode, the service “getKeyAndChain” completes successfully and finds the privateKey and certChain for the keyStoreAlias and keyAlias.

Question… How do the “privateKey” and “certChain” work when they are not passed into the subsequent SOAP call?

If I understand correctly, the bank provided you a full cert chain & private key for your system. So, this cert will be used as the “client system cert” for authentication.
The JKS file should contain the full cert chain & private key to serve this purpose.

If you have the DER file and the private key in PEM format, load them into a new JKS store with a tool like KeyStore Explorer.
Load this JKS on the Admin UI as a KeyStore.
Then, you can use it when you configure your WS endpoint.

Your latest error suggests you don’t have the private key loaded in your KeyStore.
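The two replies above (Sai’s keystore/truststore split and the PEM/DER-into-JKS advice) as a worked command sequence. This is an added example, not code from this thread, from Westpac/Qvalent or from webMethods: it assumes `openssl` and `keytool` are on PATH, the alias `wibs` is taken from the thread, and the file names, the `changeit` password and the self-signed test material are constructed placeholders. Because keytool cannot import a bare private key, the key and its chain are first wrapped in a PKCS#12 bundle and then migrated into a JKS. The last function checks that the alias is a PrivateKeyEntry rather than a trustedCertEntry, which is exactly the condition whose absence produces the “No client certificate available, sending empty certificate message” line in the ssl_debug output earlier in the thread.

```shell
#!/bin/sh
# Added example (not from the thread): build a JKS carrying the client
# private key plus its certificate chain, then verify the key entry exists.
# Assumptions: openssl and keytool on PATH; "wibs" alias from the thread;
# file names, password and test key pair are constructed placeholders.
set -e

WORK="${WORK:-$(mktemp -d)}"
STOREPASS="changeit"      # constructed placeholder, not a real password
ALIAS="wibs"

# Throwaway self-signed key pair so the example runs offline. In the real
# case the bank-supplied key and certificates replace these two files.
make_test_material() {
  openssl req -x509 -newkey rsa:2048 -nodes -days 1 \
    -subj "/CN=wibs-client-test" \
    -keyout "$WORK/client-key.pem" -out "$WORK/client-cert.pem" 2>/dev/null
}

# The bank sent DER; openssl and keytool are happiest with PEM, so convert.
# (A DER private key in PKCS#1 form would need "openssl rsa -inform DER".)
der_to_pem_cert() { openssl x509 -inform DER -in "$1" -out "$2"; }

# Sanity check before building anything: the private key must belong to the
# certificate, otherwise the handshake fails even with a PrivateKeyEntry.
key_matches_cert() {
  k=$(openssl pkey -in "$1" -pubout -outform DER 2>/dev/null | openssl sha256)
  c=$(openssl x509 -in "$2" -pubkey -noout | openssl pkey -pubin -outform DER 2>/dev/null | openssl sha256)
  [ -n "$k" ] && [ "$k" = "$c" ]
}

# build_jks KEY.pem CERT.pem OUT.jks [CHAIN.pem]
# Wrap key + cert (+ intermediates/root) into PKCS#12, then migrate to JKS.
build_jks() {
  key="$1"; cert="$2"; out="$3"; chain="${4:-}"
  extra=""
  [ -n "$chain" ] && extra="-certfile $chain"   # paths without spaces assumed
  openssl pkcs12 -export -inkey "$key" -in "$cert" $extra \
    -name "$ALIAS" -passout "pass:$STOREPASS" -out "$WORK/bundle.p12"
  rm -f "$out"
  keytool -importkeystore -noprompt \
    -srckeystore "$WORK/bundle.p12" -srcstoretype PKCS12 -srcstorepass "$STOREPASS" \
    -destkeystore "$out" -deststoretype JKS -deststorepass "$STOREPASS" 2>/dev/null
}

# True only if the alias holds a private key. A store with only
# trustedCertEntry items is a truststore and yields an empty client
# certificate message during the TLS handshake.
has_private_key_entry() {
  keytool -list -keystore "$1" -storepass "$STOREPASS" -alias "$ALIAS" 2>/dev/null \
    | grep -q "PrivateKeyEntry"
}

run_demo() {
  make_test_material
  openssl x509 -in "$WORK/client-cert.pem" -outform DER -out "$WORK/client-cert.der"
  der_to_pem_cert "$WORK/client-cert.der" "$WORK/client-cert-roundtrip.pem"
  key_matches_cert "$WORK/client-key.pem" "$WORK/client-cert-roundtrip.pem"
  build_jks "$WORK/client-key.pem" "$WORK/client-cert-roundtrip.pem" "$WORK/wibs.jks"
  has_private_key_entry "$WORK/wibs.jks" && echo "ok: $ALIAS is a PrivateKeyEntry in $WORK/wibs.jks"
}

# Run with "demo" as the first argument to exercise the functions end to end.
if [ "${1:-}" = "demo" ]; then run_demo; fi
```

For the real bank material, call `build_jks bank-key.pem bank-cert.pem wibs.jks bank-chain.pem` (after converting any DER certificates with `der_to_pem_cert`) and then load `wibs.jks` under Security/KeyStore/Create Keystore Alias; if `has_private_key_entry wibs.jks` is false, the Admin UI has nothing to present as a client certificate no matter how the endpoint is configured.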

Hi,
I’ve also noticed a discrepancy between the /auth input parms for the Consumer Web Service that was generated from the WSDL provided by the Bank and the /auth input parms for WmPublic/pub.client:soapClient…

Parms for /auth in Consumer WS “DownloadFiles_downloadFiles”

<?xml version="1.0"?>

Parms for /auth in WmPublic/pub.client:soapClient

<?xml version="1.0"?>

This is what I was referring to in my question above…

Hi David,

Could you please suggest to me how to enable SSL debugging on webMethods?
Or how did you do it? I would like to check that as well.

Thanks,
Note

Enable logging level @ IS Admin Settings > Logging

  1. Server
  2. Security