Release notes

Version   Date           Summary
0.1.0     31 July 2015   Initial release of the document

Introduction

This document summarizes how to set up SSL for SoapUI and Java (Spring Boot) connections to Carpago.

References

Some useful documents
  • The Carpago Security Guide (see Confluence)

    • In fact, all the detailed steps below are also described in that document

Requirements

  • OpenSSL should be installed

  • Java keytool should be installed

    • Part of the Java SDK (JDK)

Installation of the received crt / pem and key files

PEM to PKCS12 Conversion

The conversion examples assume that you have opened a command line and changed to the directory where the certificates and your private key are located. Make sure you have obtained the Carpago Root certificate (CarpagoCA.crt) from Carpago support before you proceed with this manual; the root certificate must be placed in the same folder you use to generate your own certificate request.

openssl pkcs12 -export -in ./carpago.crt -inkey ./my_private.key -out carpago_eu.p12

The openssl tool will ask for a password and a confirmation (I used 'carpago2015', of course without the quotes).
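The following script is an added example and not part of the Carpago manual. It assumes only that openssl is on the PATH. Because the real CarpagoCA.crt, carpago.crt and my_private.key cannot be shipped with a manual, it first generates a constructed test CA and client key pair as stand-ins, then runs the same PEM to PKCS12 conversion as above. It goes one step further than the manual's command: it checks that the certificate chains to the root and belongs to the private key before anything is exported, includes the root with -certfile so the chain travels with the key pair, uses -name 1 so the alias matches the keytool step that follows, and counts the certificates in the resulting .p12 file.

```shell
#!/bin/sh
# Added example, not part of the Carpago manual: generate throw-away test
# material, then run the manual's PEM -> PKCS12 step and verify the result.
set -eu

# Working directory and export password (the manual uses carpago2015)
WORK="${WORK:-$(mktemp -d)}"
P12_PASS="${P12_PASS:-carpago2015}"

# Constructed stand-ins for the files you receive from Carpago support:
# CarpagoCA.crt (root), carpago.crt (your certificate), my_private.key (your key)
make_test_material() {
  openssl req -x509 -newkey rsa:2048 -nodes -days 365 \
    -keyout "$WORK/ca.key" -out "$WORK/CarpagoCA.crt" \
    -subj "/CN=Test Carpago CA" >/dev/null 2>&1
  openssl req -newkey rsa:2048 -nodes \
    -keyout "$WORK/my_private.key" -out "$WORK/client.csr" \
    -subj "/CN=test-client" >/dev/null 2>&1
  openssl x509 -req -days 365 -in "$WORK/client.csr" \
    -CA "$WORK/CarpagoCA.crt" -CAkey "$WORK/ca.key" -CAcreateserial \
    -out "$WORK/carpago.crt" >/dev/null 2>&1
}

# Check that the received certificate really chains to the root you were given,
# before either of them is trusted in a keystore
verify_chain() {
  openssl verify -CAfile "$WORK/CarpagoCA.crt" "$WORK/carpago.crt" >/dev/null
}

# Check that the certificate belongs to the private key; a mismatch otherwise
# only shows up later as a failed TLS handshake
leaf_matches_key() {
  openssl x509 -in "$WORK/carpago.crt" -noout -pubkey > "$WORK/cert.pub"
  openssl pkey -in "$WORK/my_private.key" -pubout > "$WORK/key.pub"
  cmp -s "$WORK/cert.pub" "$WORK/key.pub"
}

# The manual's conversion, plus -certfile so the root travels with the key pair,
# -name 1 to match the alias keytool expects, and -passout to avoid the prompt
pem_to_pkcs12() {
  openssl pkcs12 -export \
    -in "$WORK/carpago.crt" -inkey "$WORK/my_private.key" \
    -certfile "$WORK/CarpagoCA.crt" -name 1 \
    -out "$WORK/carpago_eu.p12" -passout "pass:$P12_PASS"
}

# Number of certificates inside the PKCS12 file: expect 2 (leaf + root)
count_p12_certs() {
  openssl pkcs12 -in "$WORK/carpago_eu.p12" -nokeys -passin "pass:$P12_PASS" 2>/dev/null \
    | grep -c 'BEGIN CERTIFICATE'
}

main() {
  make_test_material
  verify_chain
  echo "certificate chains to CarpagoCA.crt"
  leaf_matches_key
  echo "certificate matches my_private.key"
  pem_to_pkcs12
  echo "certificates in carpago_eu.p12: $(count_p12_certs)"
}

if [ "${1:-}" = "--run" ]; then
  main
fi
```

Run it with `sh convert-check.sh --run`; the generated files end up in a temporary directory (override with WORK=/some/dir). With OpenSSL 3 the .p12 file is encrypted with AES and PBKDF2 by default; if an older keytool refuses to read it, add -legacy to the export command.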

PKCS12 to JKS Conversion

Create a keystore:

keytool -importkeystore -deststorepass carpago2015 -destkeypass carpago2015 -destkeystore project-carpago-keystore.jks -srckeystore carpago_eu.p12 -srcstoretype PKCS12 -srcstorepass carpago2015 -alias 1

A Java keystore can hold a complete SSL/TLS configuration: your certificate, your private key, your certificate chain, and also trusted CA certificates. Java keystores are manipulated with the Java keytool. The JKS format is needed to configure SoapUI with SSL/TLS client authentication. If you have not done so yet, convert your certificate + certificate chain + private key into a PKCS12 file before following this chapter.

Importing the trusted CA for backend certificate validation:
keytool -import -alias CarpagoCA -keystore project-carpago-keystore.jks -trustcacerts -file project_ca.pem

NB: remember the password (carpago2015) and type yes when you trust the certificate. The issuer of the certificate is shown at the top of the screen, so check it before you answer yes.

Installing the SSL stuff in SoapUI

Steps
  • Start SoapUI

  • Create a new SOAP project

    • Give it a name

    • Choose the WSDL (src/main/resources/…​)

  • When the project has been created

    • Right-click the project / Show Project View

    • Go to the tab WS-Security Configurations

    • Go to the tab Keystores

    • Add the keystore created in the previous steps

  • Back in the project

    • Create a new request

    • Click the request

    • At the bottom left, click "SSL Keystore"

    • Select your keystore (project-carpago-keystore.jks)

Optional additional steps

  1. To show the contents of a keystore

keytool -list -keystore project-carpago-keystore.jks

which should now show two entries: your key pair (alias 1) and the trusted CA certificate (alias CarpagoCA)

Implement the SSL certificates in Java

Change WSDL’s since they contain an invalid endpoint url


Change this in eRoamingAuthorization_V1.2_service-definition.wsdl (and analogously in your other WSDLs):

<wsdlsoap:address location="http://10.8.209.62:8000/ibis/ws/eRoamingAuthorization_V1.2"/>

to this:

<wsdlsoap:address location="https://service-qa.project.com/ibis/ws/eRoamingAuthorization_V1.2"/>

Implement an SSLSecurityHelper class

Implement an SSLSecurityHelper class which helps in creating a client factory with a truststore and a keystore.

Add this to a (newly) created method in SSLSecurityHelper:

import java.io.FileInputStream;
import java.io.IOException;
import java.io.InputStream;
import java.security.GeneralSecurityException;
import java.security.KeyManagementException;
import java.security.KeyStore;
import java.security.NoSuchAlgorithmException;
import java.security.UnrecoverableKeyException;

import javax.net.ssl.SSLContext;

import org.apache.http.conn.ssl.TrustSelfSignedStrategy;
import org.apache.http.ssl.SSLContexts;

public final class SSLSecurityHelper {

	private static final String TRUST_STORE_TYPE = "JKS";

	// Hard-coded for this manual; in a real deployment read the locations (and the password) from configuration
	public static final String trustStoreLocation = "/home/rloman/wip/carpago/certs-from-dennis/project-ca-truststore.jks";
	public static final String keyStoreLocation = "/home/rloman/wip/carpago/certs-from-dennis/project-carpago-keystore.jks";

	private SSLSecurityHelper() {
	}

	public static SSLContext createSSLContextWithKeyStore() throws GeneralSecurityException, IOException {

		// same password used for the truststore password in this trivial case
		final String keyStorePassword = "carpago2015"; //this.environment.getProperty(PROPERTY_NAME_SECURITY_WHITELIST_KEYSTORE_PASSWORD);

		KeyStore trustStore = loadKeyStore(trustStoreLocation, TRUST_STORE_TYPE, keyStorePassword);

		KeyStore keyStore = loadKeyStore(keyStoreLocation, TRUST_STORE_TYPE, keyStorePassword);

		try {
			// NB: TrustSelfSignedStrategy accepts any self-signed certificate a server presents, not only the
			// ones in the truststore. Once the backend uses a CA-signed certificate, call loadTrustMaterial(trustStore)
			// without a strategy so that only the truststore decides what is trusted.
			return SSLContexts.custom().loadKeyMaterial(keyStore, keyStorePassword.toCharArray()).loadTrustMaterial(trustStore, new TrustSelfSignedStrategy()).build();
		} catch (KeyManagementException | UnrecoverableKeyException | NoSuchAlgorithmException e) {
			// log some errors
			throw e;
		}
	}

	// Loads a keystore of the given type from disk; used for both the truststore and the client keystore
	public static KeyStore loadKeyStore(String location, String type, String password) throws GeneralSecurityException, IOException {
		KeyStore keyStore = KeyStore.getInstance(type);
		try (InputStream in = new FileInputStream(location)) {
			keyStore.load(in, password.toCharArray());
		}
		return keyStore;
	}
}

Adapt the portType (eRoamingAuthorize)

Adapt the portType (eRoamingAuthorize) to use the previously created SSL connection settings, and add this to a Spring Boot configuration class (in our case CarpagoConfiguration):
import java.io.IOException;
import java.security.GeneralSecurityException;
import java.security.KeyStore;
import java.security.KeyStoreException;
import java.security.NoSuchAlgorithmException;

import javax.net.ssl.KeyManager;
import javax.net.ssl.KeyManagerFactory;
import javax.net.ssl.TrustManager;
import javax.net.ssl.TrustManagerFactory;

import org.apache.cxf.configuration.jsse.TLSClientParameters;
import org.apache.cxf.endpoint.Client;
import org.apache.cxf.frontend.ClientProxy;
import org.apache.cxf.transport.http.HTTPConduit;
import org.springframework.context.annotation.Bean;
import org.springframework.context.annotation.Configuration;

// ERoamingAuthorizationPortType and ERoamingAuthorizationV12 are the classes generated from the WSDL
@Configuration
public class CarpagoConfiguration {

	@Bean
	public ERoamingAuthorizationPortType eRoamingAuthorizationPortType() throws GeneralSecurityException, IOException {

		ERoamingAuthorizationPortType eRoamingAuthorizationService = new ERoamingAuthorizationV12().getERoamingAuthorizationV12Port();

		setupTLS(eRoamingAuthorizationService);

		return eRoamingAuthorizationService;
	}

	// Attaches the client keystore (client authentication) and the truststore (backend validation) to the CXF HTTP conduit
	private static void setupTLS(ERoamingAuthorizationPortType eRoamingAuthorizationPortType) throws GeneralSecurityException, IOException {
		Client client = ClientProxy.getClient(eRoamingAuthorizationPortType);
		HTTPConduit httpConduit = (HTTPConduit) client.getConduit();

		TLSClientParameters tlsCP = new TLSClientParameters();
		KeyManager[] myKeyManagers = getKeyManagers(SSLSecurityHelper.loadKeyStore(SSLSecurityHelper.keyStoreLocation, "JKS", "carpago2015"), "carpago2015");
		tlsCP.setKeyManagers(myKeyManagers);

		TrustManager[] myTrustManagers = getTrustManagers(SSLSecurityHelper.loadKeyStore(SSLSecurityHelper.trustStoreLocation, "JKS", "carpago2015"));
		tlsCP.setTrustManagers(myTrustManagers);

		httpConduit.setTlsClientParameters(tlsCP);
	}

	private static TrustManager[] getTrustManagers(KeyStore trustStore) throws NoSuchAlgorithmException, KeyStoreException {
		// use the TrustManagerFactory default algorithm (PKIX), not the KeyManagerFactory one
		String alg = TrustManagerFactory.getDefaultAlgorithm();
		TrustManagerFactory fac = TrustManagerFactory.getInstance(alg);
		fac.init(trustStore);
		return fac.getTrustManagers();
	}

	private static KeyManager[] getKeyManagers(KeyStore keyStore, String keyPassword) throws GeneralSecurityException {
		String alg = KeyManagerFactory.getDefaultAlgorithm();
		char[] keyPass = keyPassword != null ? keyPassword.toCharArray() : null;
		KeyManagerFactory fac = KeyManagerFactory.getInstance(alg);
		fac.init(keyStore, keyPass);
		return fac.getKeyManagers();
	}
}

Resources

convert.sh - invokes all steps regarding crts (openssl and keytool)

#! /bin/bash
set -e

openssl pkcs12 -export -in ./carpago.crt -inkey ./my_private.key -out carpago_eu.p12

# will ask for a password and confirmation (I used 'carpago2015', of course without the quotes)
# create a keystore
keytool -importkeystore -deststorepass carpago2015 -destkeypass carpago2015 -destkeystore project-carpago-keystore.jks -srckeystore carpago_eu.p12 -srcstoretype PKCS12 -srcstorepass carpago2015 -alias 1


# add the CA certificate to the keystore for backend validation
# remember the password (carpago2015) and type yes when you trust the cert (check the issuer shown above the prompt)
keytool -import -alias CarpagoCA -keystore project-carpago-keystore.jks -trustcacerts -file project_ca.pem

# now we are able to run SoapUI using the steps in soapui-setup.txt


# Optional:
# to show the contents of a keystore
keytool -list -keystore project-carpago-keystore.jks
# which should now show two entries

Happy coding!
