SSL Certificate and Keys problem in Webmethods

URGENT help is much appreciated…

OurCompany created a private key for raising a CSR and sent it to PartnerCompany. PartnerCompany came back to us with a p12 certificate, pfx file. Now, we used openssl to extract the private key and the certificate from the p12 keystore and placed these two files in some folder to be used by WebMethods.

At the same time, we installed these certificates in our IE browser and tried to connect to PartnerCompany via an HTTPS request. We received an OK status back. In addition, we looked at the certificate provided by them during the SSL handshake and saved a copy of the certificate with us.

We checked the certificate chain from their certificate and since it was signed by Verisign, we exported the corresponding root CA certificates from our IE and placed them safely in the $IS-ROOT/config/certs/cas folder.

The certificate chain in their certificate and ours is different, but that's obvious and makes sense anyway.

On the webMethods Admin console, under the Security > Certificates link, the “CA Certificate Directory” for the “Trusted Certificates” was set to $IS-ROOT/config/certs/cas.

Created a test service just trying to connect to PartnerCompany via the public.client:http service. Before the invocation of this service, we used public.security:setKeyAndChain so that we could provide our certificates during the SSL handshake. Running this service produced a “Server certificate reject by chain verifier” exception.
FAILED

Although we had PartnerCompany’s chain certificates in our trusted keystore and set, we still thought it was worth a try placing our certificate’s chain (PartnerCompany being the CA for our certificates) in the same folder. Same error.
FAILED

On the admin console, we set
Server’s Signed Certificate (under Outbound SSL Certificates) = path to our signed certificate
Signing CA’s Certificate = PartnerCompany’s Root CA Certificate
Server’s Private Key = Our private key in DER format.
we got SSLException while handshaking: Peer sent alert: Alert Fatal: bad certificate
We tried setting PartnerCompany’s intermediate CA certificate in Signing CA’s Certificate, but no luck.
We used the Certificate Toolkit to convert the chain certificates to DER format and placed them correctly.

We’ve tried various combinations of setting our extended field settings but currently we have:
watt.net.ssl.client.handshake.minVersion=sslv3
watt.net.ssl.client.handshake.maxVersion=sslv3
watt.security.ssl.ignoreExpiredChains=true
watt.security.ssl.cacheClientSessions=false
watt.security.cert.wmChainVerifier.trustByDefault=true
watt.ssl.iaik.debug=true
watt.net.ssl.debug=true
watt.security.ssl.client.ignoreEmptyAuthoritiesList=true

However, we don’t see the SSL logging in any of our log files.

This morning, we reverted everything back to how it was and, from the p12 certificate, exported the certificate and key in PEM format using the openssl command. Then we converted PEM to DER format using the same openssl tool.

To convert a private key from PEM to DER format:
openssl rsa -in userkey.pem -out userkey.der -outform DER

To convert a certificate from PEM to DER format:
openssl x509 -in cert.pem -out cert.der -outform DER

All the chain certificates (ours and PartnerCompany’s) were converted to DER format using the Certificate Toolkit and placed in the $IS-ROOT/config/certs/cas folder. Tried running the service with/without the setKeyAndChain step. Either the service goes into an infinite wait resulting in “read timed out”, or we get “Peer Sent Alert: bad certificate”.

Configuration on our system:
Product webMethods Integration Server
Version 6.1
Updates TNS_6-1_Fix15
TNS_6-1_Fix10
TNS_6-1_Fix5
TNS_6-1_Fix12
TNS_6-1_Fix18
TNS_6-1_Fix2
IS_6-1_SP2_Audit_Fix1
IS_6-1_SP2_Flow_Fix1
IS_6-1_SP2_Core_Fix6
IS_6-1_SP2_XA_Fix2
IS_6-1_SP2
IS_6-1_SP1_Fix116
IS_6-1_SP1_Fix85
IS_6-1_SP1_Fix106

Build Number 132
SSL Strong (128-bit)
Java Version 1.4.2.05 (48.0)
OS HP-UX
OS Platform PA_RISC2.0
OS Version B.11.11

Let me know if I haven’t provided any info that I should have…
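Added example, not from the thread: the same two steps the post struggles with, done with plain openssl (1.1 or newer) so they can be checked offline before touching the IS console. It splits a .p12/.pfx into key, certificate and chain and writes the DER copies, and it verifies a certificate against a directory of DER CA files the way the IS chain verifier must for config/certs/cas. All file names, the password and the throwaway test CA are constructed here.

```shell
# Added example, not from the thread: redo with plain openssl the two steps that
# went wrong above, so a "reject by chain verifier" can be diagnosed offline.
# Assumes openssl 1.1 or newer; every file name and password here is constructed.
set -eu

# Split a PKCS#12 (.p12/.pfx) into a clean PEM key, client cert and CA chain, then
# write the DER copies of the key and signed cert that the IS admin console takes.
split_p12() {  # $1=p12 file  $2=password  $3=output dir
    mkdir -p "$3"
    openssl pkcs12 -in "$1" -passin "pass:$2" -nocerts -nodes | openssl rsa -out "$3/key.pem"
    openssl pkcs12 -in "$1" -passin "pass:$2" -clcerts -nokeys | openssl x509 -out "$3/cert.pem"
    openssl pkcs12 -in "$1" -passin "pass:$2" -cacerts -nokeys -out "$3/chain.pem"
    # OpenSSL 3 writes PKCS#8 here; add -traditional for the PKCS#1 layout older OpenSSL wrote.
    openssl rsa  -in "$3/key.pem"  -outform DER -out "$3/key.der"
    openssl x509 -in "$3/cert.pem" -outform DER -out "$3/cert.der"
}

# Check that a PEM certificate chains to one of the DER CA certs in a directory,
# which is what the IS chain verifier must do with config/certs/cas. Prints OK or FAIL.
verify_against_cadir() {  # $1=cert.pem  $2=directory of DER CA certificates
    bundle=$(mktemp)
    for f in "$2"/*; do
        [ -f "$f" ] || continue
        openssl x509 -inform DER -in "$f" >>"$bundle" 2>/dev/null \
            || echo "skipping $f: not a DER certificate" >&2
    done
    if openssl verify -no-CApath -CAfile "$bundle" "$1" >/dev/null 2>&1; then
        echo OK
    else
        echo FAIL
    fi
    rm -f "$bundle"
}

# Throwaway test material: a CA, a leaf cert it signed, a .p12 holding leaf key,
# leaf cert and CA (like the partner's pfx), and a cas directory with the CA as DER.
make_test_material() {  # $1=work dir
    mkdir -p "$1/cas" && (
        cd "$1"
        openssl req -x509 -newkey rsa:2048 -nodes -days 1 -subj "/CN=Test CA" \
            -keyout ca.key -out ca.pem 2>/dev/null
        openssl req -newkey rsa:2048 -nodes -subj "/CN=OurCompany" \
            -keyout leaf.key -out leaf.csr 2>/dev/null
        openssl x509 -req -in leaf.csr -CA ca.pem -CAkey ca.key -CAcreateserial \
            -days 1 -out leaf.pem 2>/dev/null
        openssl pkcs12 -export -inkey leaf.key -in leaf.pem -certfile ca.pem \
            -passout pass:secret -out leaf.p12
        openssl x509 -in ca.pem -outform DER -out cas/ca.der
    )
}
```

Run verify_against_cadir against the partner's saved server certificate and your cas directory: a FAIL there means the issuer of some link in their chain is missing from the directory, which is exactly what the chain verifier rejects.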

When extracting from the p17 file, did you use the certificate toolkit and convert their public key to DER format?

Actually the file we have is a pfx file - p12 format.

Also, we converted all the chain CA certificates from CER to DER using certificate tool kit.
But the extraction of (certificate and key) from the p12 file was done using openssl commands. Certificate tool kit does not have that option.

Enable SSL debugging and repeat your test to see if the more detailed logging sheds light on the issue.

See this post for details.

UPDATE: Ah, I see now that SSL debugging was introduced in IS 6.5. Can you use OpenSSL’s https client to test the cert chain?

Mark

Thanks Mark,

We did try those extended fields, but we got to know that 6.1 does not support the SSL debug log. In addition, we received a debug patch from webMethods but that didn't help either... because of course, 6.1!!

Tried openssl s_client -connect remoteServer:443 -verify …
but somehow the connection was refused with error code 239. We tried connecting to our server; it was the same case.

Probably we need to ask the Network Security team why we can’t use openssl to connect!! In my first post you can find the extended fields listed.

Actually, our network guy who created the key used 2048-bit keys to request a certificate, while every other certificate, say our client and chain CA certificates, is 1024-bit encrypted. Any idea if this could be a problem?

Thanks,

Hey Guys,

We did solve our problem after nearly 2 weeks of struggle, even when support from webMethods was not able to understand what was causing this to not work. I thought of sharing our solution with everyone just so no one else has to scratch their heads off with nails.

Solution: Basically we installed 6.5 on a fresh machine and added extended settings like we did earlier on.

This time, we added the complete path (from root) to the certificates and the directory on the admin console for: Outbound SSL Certificates and Trusted Certificates.

Also this time, we did not use WmPublic/pub.security:setKeyAndChain service. It was just a simple WmPublic/pub.client:http call.

Since this one was 6.5 and with the SSL Debug patch updated, we could see the logs when we started wm server on the unix console - ./server.sh. The logs were seen when we ran our sample test service.

And there we found out the service does hang, but the handshake is done successfully. Earlier we had exactly the same thing in 6.1 but there was no way of knowing what was going on backstage; it was just a hung screen and then “read timed out”. It was hanging because of some issue with our partner, and we did solve that one too. Finally we have everything in place. Thanks for your inputs. :wink:

Hi All,

We used Java Key Store to create a private key (.jks file) and a csr file. We sent it to Verisign and they sent the digital certificates in an email.

From reading the docs and forum, I can understand that I have to use wM toolkit (6.5) to generate the .DER files and then configure in wMAdmin page, etc…

But my question is :

  1. Should I convert this .jks file also to a .der file, as it is my private key? Or is this something different?
  2. If no, then what is the ‘private key’ mentioned in the document? I believe I need this file in the IS filesystem or the TN profile configuration for the SSL handshake.

Please advise. Thanks. Sue

Please could someone help with the previous post regarding the private key.

Meanwhile I did these

  1. I used the toolkit to create cert.der from the Verisign email and placed it in the ./IS/config folder. Then went to Security → Certificates → Outbound SSL → Server Signed Certificate → gave it as config/cert.der. Plus I sent this to my trading partner.
    → Is this correct, did I miss something??
    → And do I need to do this in my RI also, or is only in TN enough??

  2. Now what about cacert.der? The toolkit did not prompt for it. So according to the pdf, I imported it from the IS certificate… it says "double click your converted certificate file, Select the Certification Path tab. If the CA certificate is available, it will appear above your certificate in the path. Double click this file and copy the CA certificate to a file with the der extension" BUT when I tried to copy to a file it gave options for only .CER and .P7B.
    → Shall I first do cacert.cer and then use the toolkit for cacert.der?
    → Should I send this also to my trading partner?

  3. My trading partner sent me his cert.cer. I converted it to cert.der and placed it in .IS\config\certs\ca. Then went to Security → Certificates → Trusted Certificate → gave it as config/certs/ca
    → Is this correct, or is this folder meant for my CA certs?

Apologies for asking someone to check each of my steps as above. But I do not want to end up in some silly mistakes as this is my first SSL test. Quick help will be much appreciated.

Thanks

Hi ,
Can anyone help me with how we encrypt the XML and digitally sign it? We have to use client certification. I want to use the pub.client:http service. Is it possible to use that one service if we have to use client certification and encryption…

The wm version is 6.5

Thanks in advance

Hi Abishek - I’d suggest you first read up on SSL / TLS protocol. You can find a good overview at: http://en.wikipedia.org/wiki/Transport_Layer_Security. I’m sure wM has tons of documentation on how to secure your IS for incoming and outbound SSL traffic as well.

Once you have some background, you can ask a more direct question / request to this forum. The way you posted your question is really generic.

One thing I’ll offer up is that SSL communication is more about configurations on both the client and server; and not too much about a specific wM built-in service.
