
Good day,

My web application needs to connect to an IBM third party to get some response. Thus, IBM gave me a .p12 file which contains a client certificate.

At first I imported this .p12 file into my existing CellDefaultKeyStore, and it hit a certificate chain error.

com.ibm.jsse2.util.j: PKIX path building failed: java.security.cert.CertPathBuilderException: PKIXCertPathBuilderImpl could not build a valid CertPath.; internal cause is:
    java.security.cert.CertPathValidatorException: The certificate issued by xxx is not trusted; internal cause is: 
    java.security.cert.CertPathValidatorException: Certificate chaining error

Then I imported this .p12 file into NodeDefaultKeyStore, and surprisingly it works. My application is able to call the third party and get response code 200.

I do not understand how to explain this to my client.

As I understand it, the management scope of CellDefaultKeyStore is bigger because it is in the cell, and NodeDefaultKeyStore should be considered only part of the cell, so CellDefaultKeyStore should work.

Can anyone advise on this?

Panadol Chong
  • I'm not quite understanding why adding the cert to the Node keystore works. The error you're getting is for trust, which suggests the certificate needs to be added to the CellDefaultTrustStore. In an ND environment CellDefaultTrustStore is used by all nodes. – Alaine Apr 29 '19 at 13:35
  • The client certificate identifies *you*, and goes in your KeyStore. This error you're seeing is typically that you're not yet trusting the *server's* full server certificate chain. This you address in a TrustStore. Two different stores for two different purposes. Cell-scoped stores (Trust or Key) should work just as well as Node-scoped ones. – dbreaux Apr 29 '19 at 14:01
  • @Alaine, that is my question: in an ND environment, CellDefaultTrustStore is used by all nodes, but I do not understand why adding the cert to it does not work, while adding it to NodeDefaultKeyStore works. – Panadol Chong Apr 30 '19 at 03:07
  • I have no explanation for why adding a cert to the node keystore would suddenly establish trust in your scenario. The keystore, normally, would not get set up in the TrustManagers. That gets into needing to know configuration details and probably a trace. I'd suggest opening a case to dig into the issue. – Alaine Apr 30 '19 at 13:01
  • Hi @Alaine, I just found that my solution is not stable; it still causes the node status to become `unknown`. I have posted another question, can you help to have a look? https://stackoverflow.com/questions/55922440/p12-file-work-in-firefox-restclient-but-not-work-in-websphere – Panadol Chong Apr 30 '19 at 13:52

1 Answer


Just to briefly explain a few concepts:

  • CellDefaultTrustStore - is the store for signer certificates, so that the servers you connect to are trusted. It is shared by all nodes and servers by default.
  • NodeDefaultKeyStore - is the store for private certs, i.e. the certs that are used for client authentication. Each node by default has its own store and its own private cert to authenticate with.
  • CellDefaultKeyStore - is the store for private certs associated with the cell. It is used by the deployment manager, not by nodes serving apps. It is NOT used by federated nodes.
  • NodeDefaultSSLSettings - this manages the SSL config for the given node; you can check it. By default it uses NodeDefaultKeyStore (not CellDefaultKeyStore) and CellDefaultTrustStore.

But back to your question. If you need to connect to some service using client certificate authentication, what you should do is:

  • create a new keystore with the cert from the p12 file
  • create a new truststore with all signer certs required to connect to that service
  • create a new SSL Config that points to these stores
  • create Dynamic outbound endpoint SSL configuration settings pointing to your SSL config, select the correct client cert, and specify the connection info in the form protocol,host,port

This configuration will be picked up when you make an outbound SSL connection that matches the info you entered.

Gas
  • Hi @Gas, is it possible if I just do one thing, which is to just put it into NodeDefaultKeyStore? Because currently I found that it only works in Node1, but not in Node2, but I do not have any error when I put it into Node2. Just my app2 in Node2 is still hitting 403 forbidden. I tried to search for the root cause but still can't get it. – Panadol Chong May 03 '19 at 03:06
  • @PanadolChong You can try. Remember that each node has its own NodeDefaultKeyStore, so maybe it doesn't work because you didn't add it to the NodeDefaultKeyStore for the second node. – Gas May 04 '19 at 13:16
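The four steps in Gas's answer, written out as an added wsadmin Jython sketch that is not part of the question or the answer. The cell and node names, file paths, passwords, certificate aliases and the IBM host are constructed placeholders, and the AdminTask parameter names are quoted from memory, so confirm each with AdminTask.help('<command>') on your WebSphere version before running it.

```jython
# Added example: separate KeyStore (client identity) and TrustStore (signers of
# the remote service), tied together by an SSL config that a dynamic outbound
# endpoint rule selects. All names, paths and passwords below are placeholders.
cellName = AdminControl.getCell()
nodeName = 'Node1'                                       # assumed node name
scope    = '(cell):%s:(node):%s' % (cellName, nodeName)  # node-scoped config
p12Path  = '/opt/certs/ibm-client.p12'                   # assumed path to the .p12 IBM sent
p12Pwd   = 'CHANGE_ME'                                   # placeholder password

# 1. KeyStore: the .p12 holds *your* client certificate and private key. Pointing
#    -keyStoreLocation at the existing file registers it instead of creating a new one.
AdminTask.createKeyStore('[-keyStoreName IBMClientKeyStore -scopeName %s '
    '-keyStoreLocation %s -keyStorePassword %s -keyStorePasswordVerify %s '
    '-keyStoreType PKCS12 -keyStoreInitAtStartup true -keyStoreReadOnly false '
    '-keyStoreStashFile false -keyStoreUsage SSLKeys]' % (scope, p12Path, p12Pwd, p12Pwd))

# 2. TrustStore: only the CA (signer) certs of the service you call go here.
#    "Certificate chaining error" is a trust failure, so it is fixed in this step.
AdminTask.createKeyStore('[-keyStoreName IBMClientTrustStore -scopeName %s '
    '-keyStoreLocation /opt/certs/ibm-trust.p12 -keyStorePassword %s '
    '-keyStorePasswordVerify %s -keyStoreType PKCS12 -keyStoreInitAtStartup true '
    '-keyStoreReadOnly false -keyStoreStashFile false -keyStoreUsage SSLKeys]'
    % (scope, p12Pwd, p12Pwd))
# Repeat once per CA in the chain (root and every intermediate); PEM files assumed.
AdminTask.addSignerCertificate('[-keyStoreName IBMClientTrustStore -keyStoreScope %s '
    '-certificateAlias ibm_root_ca -certificateFilePath /opt/certs/ibm-root-ca.pem '
    '-base64Encoded true]' % scope)

# 3. SSL config pairing the two stores and naming the client cert alias to present.
#    The alias must match the friendly name inside the .p12 (assumed here).
AdminTask.createSSLConfig('[-alias IBMOutboundSSL -scopeName %s '
    '-keyStoreName IBMClientKeyStore -keyStoreScopeName %s '
    '-trustStoreName IBMClientTrustStore -trustStoreScopeName %s '
    '-clientKeyAlias client_cert_alias]' % (scope, scope, scope))

# 4. Dynamic outbound endpoint selection: protocol,host,port of the IBM service.
#    Only outbound connections matching this triple use IBMOutboundSSL; everything
#    else keeps NodeDefaultSSLSettings, so the default stores stay untouched.
AdminTask.createDynamicSSLConfigSelection('[-dynSSLConfigSelectionName IBMOutbound '
    '-dynSSLConfigSelectionDescription "client cert for IBM service" '
    '-dynSSLConfigSelectionInfo HTTP,api.ibm.example.com,443 '
    '-sslConfigName IBMOutboundSSL -certificateAlias client_cert_alias '
    '-scopeName %s]' % scope)

AdminConfig.save()   # then synchronise nodes (or repeat with nodeName = 'Node2')
```

Because the stores are created at node scope, the script has to be run once per node that hosts the calling application, which is the same per-node point Gas makes in the last comment.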