
I'm going crazy trying to get my CEP server working. I need to import a trusted certificate into CEP for HTTPS connections. I followed the steps at https://docs.wso2.com/display/CEP400/Setting+up+Keystores, but the procedures seem obsolete (the latter) or incomplete (the former). For example, the first one describes the configuration file modifications, but I am not able to find the secret-conf.properties file. Where can I find a rigorous step-by-step procedure to import a trusted certificate into CEP?

Just an update: I successfully imported the trusted certificate into the client-truststore.jks file, but the keystore I see on the key store management page is wso2carbon.jks, because:

  • wso2carbon.jks: This keystore contains a key pair and is used by default in your Carbon server for all of the purposes explained above.
  • client-truststore.jks: This is the default trust store, which contains the trusted certificates of the keystore used in SSL communication.

So it is not enough to modify the client-truststore.jks file; it is also necessary to update the wso2carbon.jks file with the new certificate. For this reason, the given solution is not complete.

It works, but... I did it and the certificate was added. Now I have to modify the carbon configuration because it is configured as localhost. How can I do that? Thanks

Another update: I found my mistake in following the procedure. Now I am at a point where I receive this error when I modify the carbon.xml file:

[Fatal Error] :1:250: Character reference "&#19" is an invalid XML character.
ERROR {org.wso2.carbon.ndatasource.core.DataSourceRepository} -  Error in loading RDBMS configuration: Error in building Document
org.wso2.carbon.ndatasource.common.DataSourceException: Error in loading RDBMS configuration: Error in building Document
    at org.wso2.carbon.ndatasource.rdbms.RDBMSDataSourceReader.loadConfig(RDBMSDataSourceReader.java:48)
    at org.wso2.carbon.ndatasource.rdbms.RDBMSDataSourceReader.createDataSource(RDBMSDataSourceReader.java:59)

I noticed the error appears when I write the private key into the XML file, so I think it is a character escaping problem.

I think I am very close to the solution. Just one small step.

Thanks

Michele

  • What were the modifications you did? AFAIK you only have to change the carbon configurations if you are changing the key store of the carbon server itself, but not when importing trusted certificates. – Sajith Eshan Mar 03 '16 at 16:50
  • I imported my certificate into the file you advised, but when I invoke the receiver from the browser via HTTPS, the localhost certificate is returned. I forgot to mention that my server is behind a router. There is a NAT rule between LAN and public IP, so I invoke the CEP service through the public IP and the request is redirected to the CEP server. – Michele de Rosa Mar 03 '16 at 18:13
  • This is because wso2carbon.jks is used as the carbon server certificate. What's shown in the browser is the certificate of the Server. If you wish to change the certificate of the carbon server you can follow this http://hasini-gunasinghe.blogspot.com/2011/12/installing-new-keystore-into-wso2.html – Sajith Eshan Mar 03 '16 at 18:58

1 Answer


All you need to do is import the certificate to the client-truststore.jks located in /repository/resources/security and restart the CEP server.

You can use the following command to import the certificate

keytool -import -file <Path to your cert> -keystore client-truststore.jks -storepass wso2carbon

All carbon servers, including WSO2 CEP, use client-truststore.jks (in the default setting) to store the trusted certificates.

You can refer to https://udaraliyanage.wordpress.com/2014/06/16/add-a-ca-certificate-to-wso2-truststore/ for more info.

It's NOT required to import the certificate to wso2carbon.jks; it's used by the carbon server for its encryption. When an SSL connection is made, the carbon server will only look at the client-truststore.jks for trusted certificates.

Sajith Eshan
  • Thanks a lot for your reply. And about the wso2carbon.jks? I imported my certificate into client-truststore.jks, but I think that it is necessary to import the CA certificate into wso2carbon.jks if there is a newer CA. Is that correct? Thanks again. – Michele de Rosa Mar 02 '16 at 14:08
  • It's not required to import it to the wso2carbon.jks. It's used by the Carbon server for its encryption and it's not for the purposes of storing trusted certificates. – Sajith Eshan Mar 02 '16 at 17:05
  • Doesn't work yet. Please see the addition to my question. – Michele de Rosa Mar 04 '16 at 12:42
  • Finally I solved the problem and the certificate is imported into CEP. I will post a guide useful for others, I hope. – Michele de Rosa Mar 10 '16 at 12:56
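
An added example (not from the answer or from the WSO2 documentation) of the distinction drawn in the answer and comments above: a CA certificate imported into the trust store appears as a trustedCertEntry, while the certificate a browser receives comes from the PrivateKeyEntry in the server key store. The alias, file paths, host, port and the STOREPASS environment variable are assumptions supplied by the caller, and the sample listing is constructed.

```shell
#!/bin/sh
# Added example, not from the original posts. Paths, aliases and the
# STOREPASS environment variable are assumptions.

# Reduce `keytool -list` output (stdin) to "alias<TAB>entry type" lines.
entry_types() {
    awk 'match($0, /trustedCertEntry|PrivateKeyEntry|SecretKeyEntry/) {
        type = substr($0, RSTART, RLENGTH)
        alias = $0; sub(/,.*/, "", alias)
        print alias "\t" type
    }'
}

# Succeed if the listing on stdin holds alias $1 with entry type $2.
has_entry() {
    entry_types | grep -qxF "$(printf '%s\t%s' "$1" "$2")"
}

# Import a CA certificate into the trust store. keytool shows the
# fingerprint and asks for confirmation; the password is read from the
# environment instead of appearing on the command line.
import_trusted_cert() {   # usage: import_trusted_cert CERT ALIAS TRUSTSTORE
    keytool -importcert -file "$1" -alias "$2" -keystore "$3" \
        -storepass:env STOREPASS
}

# Check that the import landed as a trusted certificate entry.
verify_trusted_cert() {   # usage: verify_trusted_cert ALIAS TRUSTSTORE
    keytool -list -keystore "$2" -storepass:env STOREPASS |
        has_entry "$1" trustedCertEntry
}

# Show subject and issuer of the certificate the server presents.
served_cert() {           # usage: served_cert HOST PORT
    openssl s_client -connect "$1:$2" -servername "$1" </dev/null 2>/dev/null |
        openssl x509 -noout -subject -issuer
}

# Constructed sample of `keytool -list` output, one entry of each kind.
sample_listing() {
    cat <<'EOF'
Keystore type: JKS
Your keystore contains 2 entries

myca, Mar 2, 2016, trustedCertEntry,
Certificate fingerprint (SHA1): <constructed>
wso2carbon, Mar 2, 2016, PrivateKeyEntry,
Certificate fingerprint (SHA1): <constructed>
EOF
}
```

If `served_cert` still reports the localhost certificate after a successful `verify_trusted_cert`, that matches the comments above: the trust store import does not change which certificate the server presents.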