HTTP Secure Connection with WSO2 WSAS
At the UA.PT Bioinformatics research group we were required to implement a secure web services provider for the eu-ADR project.
For the service provider module we picked the WSO2 WSAS framework, which implements various methods of security, including WS-Security over HTTPS (what we wanted in the beginning).
Being part of a public institution, we had to request the certificate from our university's computing centre. After creating the keystore and the certificate request we sent the details to them, and they dealt with VeriSign to obtain our certificate. And this is where the problems started…
VeriSign only provided us with a .PEM file containing our private key and two more files (the root key and the educational authority key), all of them .PEM files.
Following the majority of the Java tutorials available online, we simply needed to add the root to the keystore and then add our certificate reply to the keystore. Obviously, this method alone did not work.
The certificate was read correctly; however, when it was added to the keystore, some modifications occurred without any warning. The issuer changed, the serial number changed and even the validity dates changed! The result: we had a secure HTTP connection, but it wasn't provided by a trusted authority. It was as if the certificate was being self-signed when it was imported into the keystore!
After many, many hours dealing with WSO2 WSAS, Java and Tomcat configurations, we still couldn't manage to provide a trusted secure connection. Every single method ran with no errors, but the outcome was an untrusted certificate.
The solution? A GUI. Yes, I know; I prefer command-line tools as well. But only by using Keytool IUI was I able to view the keystore contents and import the certificate provided by VeriSign, which resulted in an error. A straightforward error: the private key alone was not enough, the .PEM file was not enough, a .P7B file was required. A good sign!
Next, I just searched for an online .PEM to .P7B converter and found one. During the conversion it asked for all the chain certificates, so I added the root and the educational certificates to the package. Converted.
Final step. I downloaded the file and used Keytool IUI to import the certificate into the keystore, replacing the original alias. Then I just needed to reconfigure the WSO2 server, restart it and… voilà!
HTTPS trusted connection online!
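A check for the failure described above, added here as an example (it is not from the original post, nor WSO2 or Keytool IUI code): it opens the keystore, walks the chain stored behind the private-key alias and fails on exactly the symptom seen earlier, a chain of length one or a leaf whose issuer is itself, so you can confirm the .P7B import actually fixed the entry before restarting the server. The keystore path, alias and store password are assumed to be passed on the command line.

```java
import java.io.FileInputStream;
import java.security.KeyStore;
import java.security.cert.Certificate;
import java.security.cert.X509Certificate;

// Usage: java KeystoreChainCheck <keystore.jks> <alias> <storepass>
public class KeystoreChainCheck {
    /** True only when the chain behind the alias links leaf -> intermediate(s) -> root and every signature verifies. */
    static boolean chainIsTrusted(Certificate[] chain) throws Exception {
        if (chain == null || chain.length < 2) {
            System.out.println("FAIL: only " + (chain == null ? 0 : chain.length) + " certificate(s) behind the alias; the CA chain was never imported");
            return false;
        }
        for (int i = 0; i < chain.length; i++) {
            X509Certificate cert = (X509Certificate) chain[i];
            cert.checkValidity();                   // throws if expired or not yet valid
            System.out.printf("[%d] subject=%s%n    issuer =%s%n", i,
                    cert.getSubjectX500Principal(), cert.getIssuerX500Principal());
            boolean selfSigned = cert.getSubjectX500Principal().equals(cert.getIssuerX500Principal());
            if (i == 0 && selfSigned) {
                System.out.println("FAIL: the leaf is self-signed, the symptom described above");
                return false;
            }
            if (i + 1 < chain.length) {
                // Each certificate must name, and be signed by, the next one up the chain.
                X509Certificate signer = (X509Certificate) chain[i + 1];
                if (!cert.getIssuerX500Principal().equals(signer.getSubjectX500Principal())) {
                    System.out.println("FAIL: [" + i + "] was not issued by [" + (i + 1) + "]");
                    return false;
                }
                cert.verify(signer.getPublicKey());  // throws SignatureException on a broken link
            } else if (selfSigned) {
                cert.verify(cert.getPublicKey());    // root: must verify under its own key
            }
        }
        return true;
    }

    public static void main(String[] args) throws Exception {
        KeyStore ks = KeyStore.getInstance("JKS");
        try (FileInputStream in = new FileInputStream(args[0])) {
            ks.load(in, args[2].toCharArray());     // store password, taken from the command line
        }
        if (!ks.isKeyEntry(args[1])) {
            System.out.println("FAIL: " + args[1] + " is a trusted-cert entry, not a private-key entry");
            System.exit(1);
        }
        System.exit(chainIsTrusted(ks.getCertificateChain(args[1])) ? 0 : 1);
    }
}
```

A non-zero exit code means the keystore entry still looks like the untrusted one above; a clean run prints the full subject/issuer ladder you would otherwise have to read out of the GUI.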
What I have learned: GUI tools are always better than command-line tools, individual .PEM certificates are a bunch of crap and, above all, never give up on solving a problem, no matter how difficult and complex it looks.