certificate identity not verified

By: Nagarajan Viswanathan user 19 Mar 2015 at 11:21 a.m. CDT

7 Responses
Nagarajan Viswanathan gravatar
Dear Zico, This is with respect to your response below for my previous ticket regarding getting a CA signed certificate for gluu server community edition: I looked into the server.xml file that defines tomcat's port settings. It looks like below <Connector port="8443" address="localhost" protocol="org.apache.coyote.http11.Http11Protocol" scheme="https" secure="true" clientAuth="false" sslProtocol="TLS" SSLEnabled="true" keystoreFile="/etc/certs/shibIDP.jks" keystoreType="JKS" keystorePass="************" truststoreFile="/etc/certs/shibIDP.jks" truststorePass="ZMPlk1z5Tc9o" truststoreType="JKS" truststoreAlgorithm="DelegateToApplication" sslImplementationName="edu.internet2.middleware.security.tomcat7.DelegateToApplicationJSSEImplementation"/> Does not this mean the tomcat is passing on shibIDP,jks and corresponding certificate for TLS? If this is the case I should be getting shibIDP.csr signed by CA right? Please let me know. Thanks a lot Nagarajan ---------------------- Hi Nagarajan, Comments are inline below: 1) To avoid this error in the browser do I need to generate a csr that is similar to the existing one(shibIDP.csr) No. get this signed by a central CA and and import them into the corresponding key store? Yes. Do I need to replace files like shibIDP.csr, shibIDP.crt? No. What is the use of other keystore and crt files those are there in etc/certs? httpd.key and httpd.crt: these are for your Gluu Server's apache cert. shibIDP.key and shibIDP.crt: these are for your Gluu Server's SAML part. As you are getting complain from your browser so you need to apply CA-signed cert in httpd.key and httpd.crt. Feel free to check this wiki. Let us know how it is going there. Kind regards, Zico
None
closed

Answers

By Mohib Zico staff 23 Mar 2015 at 5:26 a.m. CDT

Copy
Mohib Zico gravatar
Hi, I am sorry but can't understand your question. Can you please let me know why you re-created the ticket/the reason which is confusing you? Kind regards, Zico

By Nagarajan Viswanathan user 23 Mar 2015 at 5:56 a.m. CDT

Copy
Nagarajan Viswanathan gravatar
Hi Zico, I am still not clear how to avoid the certificate error in the browser. I understand that I have to replace the certificates with CA signed certificate in tomcat. The certificate that is provided to browser over https is by tomcat and where the vertificates are kept is present in the server.xml file in tomcat under CATALINA_HOME/conf directory. So I went through the server.xml file inside gluu-server's tomcat folder and found the text below indicating that the keystore used for the certificate is shibIDP.jks rather than httpd.jks as mentioned in your previous ticket. Please correct me if I am wrong. Below text is from server.xml file showing that for the connection over 8443 port it uses the certificate and keys from shibIDP.jks: <Connector port="8443" address="localhost" protocol="org.apache.coyote.http11.Http11Protocol" scheme="https" secure="true" clientAuth="false" sslProtocol="TLS" SSLEnabled="true" keystoreFile="/etc/certs/shibIDP.jks" keystoreType="JKS" keystorePass="************" truststoreFile="/etc/certs/shibIDP.jks" truststorePass="ZMPlk1z5Tc9o" truststoreType="JKS" truststoreAlgorithm="DelegateToApplication" sslImplementationName="edu.internet2.middleware.security.tomcat7.DelegateToApplicationJSSEImplementation"/> Thanks Naga

By Mohib Zico staff 23 Mar 2015 at 6:04 a.m. CDT

Copy
Mohib Zico gravatar
Have you tried to update httpd.crt and httpd.key which is indicated in [this](http://www.gluu.org/docs/admin-guide/certificates/) doc?

By Nagarajan Viswanathan user 23 Mar 2015 at 6:14 a.m. CDT

Copy
Nagarajan Viswanathan gravatar
Thanks for the immediate response Zico. In the https section it talks about how to update certificates in the UI which is obsolete I guess.So we need to replace it manually. I just want to be sure before applying for the CA certificate. From that doc it is not clear which certificate is presented to browser over TLS (apache's (appserver's) or tomcat's (web server's) ?) and where is the configuration file for that? From the documentation from tomcat it looks like the server.xml file has configuration details for which certificate is presented to the browser over TLS https://tomcat.apache.org/tomcat-3.3-doc/tomcat-ssl-howto.html#s6 Sorry to trouble you, just trying to understand. Thanks Naga

By Mohib Zico staff 23 Mar 2015 at 10:25 a.m. CDT

Copy
Mohib Zico gravatar
>> In the https section it talks about how to update certificates in the UI which is obsolete I guess Yes, but check out the first section in this page... "If you're using the Gluu Server CE binaries".... >> From that doc it is not clear which certificate is presented.... Seems like we need to write a new page where it will describe all about certificates. Will do so. >> From the documentation from tomcat it looks like the server.xml file has configuration details for which certificate is presented to the browser over TLS... We have bunch of certificates here Gluu Server and our configurations are highly modified for one IDP system so generic documentation ( i.e. your provided tomcat one ) most probably won't help much. For now, here is what I can tell you: * asimba.crt, asimba.csr, asimba.key, asimba.key.orig, asimba.pkcs12 and asimbaIDP.jks: These are associated with Asimba Proxy Server. If you install SAML Proxy Server ( Asimba ) in your Gluu Server, you have to deal with these cert and key. * httpd.crt, httpd.csr, httpd.key, httpd.key.orig: These are SSL Apache related cert and key. Don't worry about CSR and .key.orig here if you want to update your Apache SSL cert. Just follow the doc which I provided you before. * opendj.crt: This cert is being used by Gluu Server's internal Gluu-LDAP. * oxauth-web-keys.json: This key is using by Gluu Server's OpenID Connect Server. * shibIDP.crt, shibIDP.csr, shibIDP.jks, shibIDP.key, shibIDP.key.orig, shibIDP.pkcs12: These are required if you use Gluu Server's Shibboleth SAML server for any kind of SAML transactions. >> Sorry to trouble you, just trying to understand. It's not trouble. In fact, feel free to throw question if you have anywhere; we would love to answer you. Have a great day!

By Nagarajan Viswanathan user 23 Mar 2015 at 10:37 a.m. CDT

Copy
Nagarajan Viswanathan gravatar
Thanks very much for the details answer Zico. Regards Naga

By Mohib Zico staff 26 Mar 2015 at 5:45 a.m. CDT

Copy
Mohib Zico gravatar
Hi Naga, I am closing this ticket for now. Please don't hesitate to open a new one if you any more question or confusion.

Post an answer