$ openssl s_client -connect deimos.lab.evolveum.com:3636
CONNECTED(00000003)
depth=1 OU = Organizational CA, O = EXAMPLE-TREE
verify error:num=19:self signed certificate in certificate chain
verify return:0
---
Certificate chain
0 s:/O=EXAMPLE-TREE/CN=deimos
i:/OU=Organizational CA/O=EXAMPLE-TREE
1 s:/OU=Organizational CA/O=EXAMPLE-TREE
i:/OU=Organizational CA/O=EXAMPLE-TREE
---
Server certificate
-----BEGIN CERTIFICATE-----
MIIFLTCCBBWgAwIBAgIkAhwR/6b9fHPRsgM0dS4h3nlIxIQoUQDjdnEzC8MrAgJC
C3WvMA0GCSqGSIb3DQEBBQUAMDMxGjAYBgNVBAsTEU9yZ2FuaXphdGlvbmFsIENB
MRUwEwYDVQQKEwxFWEFNUExFLVRSRUUwHhcNMTQwNjA1MTEyNjQ3WhcNMTYwNjA0
MTEyNjQ3WjAoMRUwEwYDVQQKEwxFWEFNUExFLVRSRUUxDzANBgNVBAMTBmRlaW1v
czCCASIwDQYJKoZIhvcNAQEBBQADggEPADCCAQoCggEBAJO+X5vjQ/0WNWBOTvGw
+amQCQ22dVM9zfWXa5fhtBAuq5oYrnImmqnU0Xl2k0TfZjDgWcDrlh620ByNr/JV
mEGUoAqIsZijbIYsb3/4C97Y9AKL8KWA5/HOxAZw7My65ydy2Wg0sgYb2wX2EHm3
E4gkcNtw9Lf1eLxCwnRmbGjUrAjXlc2e8HbP9lfRjAysGVqfEsk/JRtXmLPOqW0Y
THjSp+j87OTDbFPwWPlWh/atx2/3Q/xN+kJOLx4M1PMCAp/kDzdVA0bVWm1m/RZx
lpRpF2lRtdJgwP897jFurJfpubSwE7IgqKUXdkSdESpnaL62xtFnFbtEKbcsv1iR
Zb0CAwEAAaOCAjIwggIuMB0GA1UdDgQWBBR9W+sIkHjmchbjgIcED+3VPBshHzAf
BgNVHSMEGDAWgBScoCWoSW3ygoqk23J+4DXdx6xWGTAPBgNVHREECDAGhwQKAgEP
MAsGA1UdDwQEAwIFoDCCAcwGC2CGSAGG+DcBCQQBBIIBuzCCAbcEAgEAAQH/Ex1O
b3ZlbGwgU2VjdXJpdHkgQXR0cmlidXRlKHRtKRZDaHR0cDovL2RldmVsb3Blci5u
b3ZlbGwuY29tL3JlcG9zaXRvcnkvYXR0cmlidXRlcy9jZXJ0YXR0cnNfdjEwLmh0
bTCCAUigGgEBADAIMAYCAQECAUYwCDAGAgEBAgEKAgFpoRoBAQAwCDAGAgEBAgEA
MAgwBgIBAQIBAAIBAKIGAgEXAQH/o4IBBKBYAgECAgIA/wIBAAMNAIAAAAAAAAAA
AAAAAAMJAIAAAAAAAAAAMBgwEAIBAAIIf/////////8BAQACBAbw30gwGDAQAgEA
Agh//////////wEBAAIEBvDfSKFYAgECAgIA/wIBAAMNAEAAAAAAAAAAAAAAAAMJ
AEAAAAAAAAAAMBgwEAIBAAIIf/////////8BAQACBBH/pv0wGDAQAgEAAgh/////
/////wEBAAIEEf+m/aJOMEwCAQICAQACAgD/Aw0AgAAAAAAAAAAAAAAAAwkAgAAA
AAAAAAAwEjAQAgEAAgh//////////wEBADASMBACAQACCH//////////AQEAMA0G
CSqGSIb3DQEBBQUAA4IBAQAF/LlSJUz6I4UuzYivJyhcG8S4inWCB/4AkTP2rvOj
iU7oZDKLUoLMZGP2mxgGYPp+nPNmN0NbFyuNoZiRmCBxvdVmABwKHHEZKCl8f+sn
pw2wXPKrrZWY2PtbpJ2V815T8pAuraS1Ko08N/MZlIiZOZZpcyjq6EOTrELuaX+q
tDFsCNZSfNKjqYMyrPEaYSSNIcBbWx2Ip170AA6rNqaOR5oo/N6Cw/f7GAhaon8V
3j/pLivirDLbHBmsRLjzTcaSFtdhYzWR5Xr0hGh0oVA9OaL9EZF+wtKd4yMwL0Jn
g9cH8n3kIjW+d4uFbCYY/K0YX1n7l8zMiSRuRzUz5a+w
-----END CERTIFICATE-----
subject=/O=EXAMPLE-TREE/CN=deimos
issuer=/OU=Organizational CA/O=EXAMPLE-TREE
---
No client certificate CA names sent
---
SSL handshake has read 2831 bytes and written 551 bytes
---
New, TLSv1/SSLv3, Cipher is AES256-SHA
Server public key is 2048 bit
Secure Renegotiation IS NOT supported
Compression: NONE
Expansion: NONE
SSL-Session:
Protocol : TLSv1
Cipher : AES256-SHA
Session-ID: 3D1D82E86E3F87CF4F5C61DF1A1C5061973B371C75EE089C1ED38FF5FAFC58F9
Session-ID-ctx:
Master-Key: A58639B7067B0169C626DB8B45BD50AAF12A50A2F09BA4FC5D0112CE40E74F5CA6BD941A0F86D744AA12AA1592F450A3
Key-Arg : None
PSK identity: None
PSK identity hint: None
SRP username: None
Start Time: 1401979683
Timeout : 300 (sec)
Verify return code: 19 (self signed certificate in certificate chain)
---
TLS Connections (Client Side)
Connectors, notification plugins and other parts of midPoint connect to external systems. Some of the connections are secured using SSL/TLS. In SSL/TLS connections the server side provides a certificate that needs to be validated on the client side. This means that midPoint needs to have a way how to check validity of the certificate provided by SSL/TLS server. MidPoint is using standard Java libraries to validate the certificate. Java security modules are using a truststore mechanism which is closely related to keystore. The truststore is a small database of trusted certificates. When a certificate needs to be validate Java libraries check if the certificate the authority that issues it is in the truststore.
The following procedure describes how to get server certificate into the trustore which makes it a trusted certificate.
Getting the Certificate
There are many tools to get a server certificate from SSL/TLS connection. We prefer to use opensource library OpenSSL (openssl library for windows can be downloaded here) . It has a nice s_client utility to do this:
The data between -----BEGIN CERTIFICATE-----
and -----END CERTIFICATE-----
is the server certificate.
Copy&paste the data into a separate file (including the boundary lines) and save it e.g. as servercert.pem
.
Import the certificate
Import the server certificate to a truststore using keytool utility:
keytool -keystore /opt/midpoint/var/keystore.jceks -storetype jceks -storepass changeit -import -alias servercert -trustcacerts -file servercert.pem
Restart midPoint and that’s it.
Notes
-
Make sure that the correct keystore/truststore is used. By default connectors use JVM keystore unless it is overriden by JVM options. See Keystore Configuration page for more details.
-
If an import of a .p7b formated certificate results in the following error: java.lang.Exception: Input not an X.509 certificate. You might try to convert the certificate to the .cer PEM format. This can be done using the following openssl command:
openssl pkcs7 -inform der -in mycert.p7b -out myconvertedcert.cer