openssl pkcs12 -export -in ./carpago.crt -inkey ./my_private.key -out carpago_eu.p12
| Version | Date         | Summary                         |
|---------|--------------|---------------------------------|
| 0.1.0   | 31 July 2015 | Initial release of the document |
This document summarizes how to set up TLS with client-certificate authentication for SoapUI and for a Java (Spring Boot) client connecting to Carpago.
The Carpago Security Guide (see Confluence)
All of the detailed steps below are also described in that guide.
OpenSSL should be installed
Java keytool should be installed (it ships with the Java JDK)
The conversion examples assume that you have opened a command line and changed to the directory where the certificates and your private key are located. Please ensure that you have obtained the Carpago Root certificate (CarpagoCA.crt) from Carpago support before you proceed with this manual. The root certificate needs to be placed in the same folder you are using to generate your own certificate request. Note that the commands below import this file under the name project_ca.pem; use the file name you actually received, and verify its fingerprint with Carpago support before trusting it.
openssl pkcs12 -export -in ./carpago.crt -inkey ./my_private.key -out carpago_eu.p12
The openssl tool will ask for an export password and its confirmation. The examples use 'carpago2015' (without the quotes) — this is only an example: choose your own password, and never commit it to source control or paste it into documentation.
Create a Java keystore (JKS) from the PKCS#12 file:
keytool -importkeystore -deststorepass carpago2015 -destkeypass carpago2015 -destkeystore project-carpago-keystore.jks -srckeystore carpago_eu.p12 -srcstoretype PKCS12 -srcstorepass carpago2015 -alias 1
A Java Keystore can hold a complete SSL/TLS configuration: your certificate, your private key, your certificate chain, and also trusted CA certificates. Java Keystores are manipulated with the Java keytool. The JKS format is needed to configure SoapUI with SSL/TLS client authentication. If you have not done so yet, convert your certificate + certificate chain + private key into a PKCS#12 file (previous step) before following this chapter.
keytool -import -alias CarpagoCA -keystore project-carpago-keystore.jks -trustcacerts -file project_ca.pem
NB: remember the keystore password, and type yes only after checking that the issuer and the certificate fingerprint keytool prints at the top of the screen match the values you received from Carpago support.
Start SoapUI
Create a new SOAP project
Give it a name
choose the wsdl (src/main/resources/…)
Once the project has been created, right-click it and choose "Show Project View"
Tab to WS security Configurations
Tab keystores
Add the keystore created in the previous steps (project-carpago-keystore.jks)
Back in the project
Create a new request
Click the request
In the lower-left pane, click "SSL Keystore"
Select your keystore (project-carpago-keystore.jks)
To show the contents of a keystore
keytool -list -keystore project-carpago-keystore.jks
which should now show two entries: the private-key entry with alias 1 and the CarpagoCA trusted certificate
Change this in eRoamingAuthorization_V1.2_service-definition.wsdl (and analogously in your other WSDLs) — with the plain-HTTP address below the request goes over the wire unencrypted and without the client certificate:
<wsdlsoap:address location="http://10.8.209.62:8000/ibis/ws/eRoamingAuthorization_V1.2"/>
<wsdlsoap:address location="https://service-qa.project.com/ibis/ws/eRoamingAuthorization_V1.2"/>
Add the following to SSLSecurityHelper (create the methods if they do not exist yet):
public final class SSLSecurityHelper {
private static final String TRUST_STORE_TYPE = "JKS";
public static final String trustStoreLocation = "/home/rloman/wip/carpago/certs-from-dennis/project-ca-truststore.jks";
public static final String keyStoreLocation = "/home/rloman/wip/carpago/certs-from-dennis/project-carpago-keystore.jks";
/** Static helper only; never instantiated. */
private SSLSecurityHelper() {
    // intentionally empty
}
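/**
 * Builds an {@link SSLContext} for mutual TLS towards Carpago: the client
 * certificate and private key come from {@link #keyStoreLocation}, the
 * trusted CA certificates from {@link #trustStoreLocation}. Both stores are
 * JKS and are opened with the same password.
 *
 * @return an initialized SSLContext with key and trust material loaded
 * @throws GeneralSecurityException if a store cannot be loaded, the private
 *     key cannot be recovered with the password, or the context cannot be built
 */
public static SSLContext createSSLContextWithKeyStore() throws GeneralSecurityException {
    // SECURITY: the store password is hard-coded here (and duplicated in
    // setupTLS). Move it to configuration before this leaves a developer
    // machine; the commented-out property name shows the intended source.
    final String keyStorePassword = "carpago2015"; //this.environment.getProperty(PROPERTY_NAME_SECURITY_WHITELIST_KEYSTORE_PASSWORD);
    final KeyStore trustStore = loadKeyStore(trustStoreLocation, TRUST_STORE_TYPE, keyStorePassword);
    final KeyStore keyStore = loadKeyStore(keyStoreLocation, TRUST_STORE_TYPE, keyStorePassword);
    // A null TrustStrategy means the server chain must validate against the
    // CA(s) in the trust store. The previous TrustSelfSignedStrategy accepted
    // ANY self-signed server certificate regardless of the trust store, which
    // defeats the point of importing the Carpago CA. If the Carpago endpoint
    // really presents a self-signed certificate, import that exact certificate
    // into the trust store instead of re-enabling the strategy.
    // The multi-catch that only rethrew has been dropped: every caught type is
    // already a GeneralSecurityException declared by this method.
    return SSLContexts.custom()
            .loadKeyMaterial(keyStore, keyStorePassword.toCharArray())
            .loadTrustMaterial(trustStore, null)
            .build();
}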
/**
 * Spring bean for the eRoaming authorization SOAP port, with mutual TLS
 * configured on its CXF HTTP conduit via {@link #setupTLS}.
 *
 * NOTE(review): a {@code @Bean} method only takes effect inside a class Spring
 * can instantiate (a {@code @Configuration} class); SSLSecurityHelper is
 * declared final with a private constructor, so this belongs in the
 * application configuration class rather than here.
 *
 * @return the configured port proxy
 */
@Bean
public ERoamingAuthorizationPortType eRoamingAuthorizationPortType() {
    final ERoamingAuthorizationPortType port = new ERoamingAuthorizationV12().getERoamingAuthorizationV12Port();
    setupTLS(port);
    return port;
}
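/**
 * Installs mutual-TLS parameters on the CXF HTTP conduit behind the given
 * port proxy: the client key from {@link SSLSecurityHelper#keyStoreLocation}
 * and the trusted CAs from {@link SSLSecurityHelper#trustStoreLocation}.
 * Hostname verification is left at the CXF default (enabled).
 *
 * @param eRoamingAuthorizationPortType JAX-WS port proxy to configure
 * @throws IllegalStateException if a store cannot be loaded or the key/trust
 *     managers cannot be created. The original let the checked exceptions of
 *     getKeyManagers/getTrustManagers escape undeclared, which does not compile.
 */
private static void setupTLS(ERoamingAuthorizationPortType eRoamingAuthorizationPortType) {
    final Client client = ClientProxy.getClient(eRoamingAuthorizationPortType);
    final HTTPConduit httpConduit = (HTTPConduit) client.getConduit();
    final TLSClientParameters tlsCP = new TLSClientParameters();
    // SECURITY: same hard-coded password as createSSLContextWithKeyStore();
    // keep the two in sync until the value moves to configuration.
    final String storePassword = "carpago2015";
    try {
        final KeyStore keyStore = SSLSecurityHelper.loadKeyStore(SSLSecurityHelper.keyStoreLocation, "JKS", storePassword);
        tlsCP.setKeyManagers(getKeyManagers(keyStore, storePassword));
        final KeyStore trustStore = SSLSecurityHelper.loadKeyStore(SSLSecurityHelper.trustStoreLocation, "JKS", storePassword);
        tlsCP.setTrustManagers(getTrustManagers(trustStore));
    } catch (GeneralSecurityException | IOException e) {
        throw new IllegalStateException("Unable to configure TLS client material for the eRoaming port", e);
    }
    httpConduit.setTlsClientParameters(tlsCP);
}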
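/**
 * Creates trust managers backed by the given trust store.
 *
 * @param trustStore key store whose certificate entries are the trusted CAs
 * @return the trust managers produced by the default TrustManagerFactory
 * @throws NoSuchAlgorithmException if the default trust algorithm is unavailable
 * @throws KeyStoreException if the factory cannot be initialised from the store
 */
private static TrustManager[] getTrustManagers(KeyStore trustStore) throws NoSuchAlgorithmException, KeyStoreException {
    // Ask the TrustManagerFactory for its own default algorithm. The original
    // used KeyManagerFactory.getDefaultAlgorithm() here; that name happens to
    // be accepted by the reference JDK's TrustManagerFactory but is the
    // key-manager algorithm, and is not guaranteed to exist as a trust
    // algorithm on other providers.
    final TrustManagerFactory factory = TrustManagerFactory.getInstance(TrustManagerFactory.getDefaultAlgorithm());
    factory.init(trustStore);
    return factory.getTrustManagers();
}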
/**
 * Creates key managers for TLS client authentication from the given key store.
 *
 * @param keyStore store holding the client certificate and private key
 * @param keyPassword password protecting the private-key entry; may be null
 * @return the key managers produced by the default KeyManagerFactory
 * @throws GeneralSecurityException if the factory cannot be created or initialised
 * @throws IOException declared for compatibility with existing callers; not raised by this body
 */
private static KeyManager[] getKeyManagers(KeyStore keyStore, String keyPassword) throws GeneralSecurityException, IOException {
    final KeyManagerFactory factory = KeyManagerFactory.getInstance(KeyManagerFactory.getDefaultAlgorithm());
    char[] keyPass = null;
    if (keyPassword != null) {
        keyPass = keyPassword.toCharArray();
    }
    factory.init(keyStore, keyPass);
    return factory.getKeyManagers();
}
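#! /bin/bash
# Build the Java keystore/truststore used by SoapUI and the Spring Boot client
# for mutual TLS towards Carpago. Run from the directory that holds
# carpago.crt, my_private.key and the Carpago CA certificate (project_ca.pem).
set -euo pipefail

# Ask for the store password once instead of embedding it in the commands:
# values passed as -storepass arguments are visible in `ps` and end up in shell
# history. The original guide used 'carpago2015'; pick your own and keep it out
# of source control.
read -r -s -p "Keystore password: " STORE_PASS
echo
export STORE_PASS

# 1. Bundle the client certificate and private key into a PKCS#12 file.
#    Add "-certfile <intermediates.pem>" if your certificate has a chain.
openssl pkcs12 -export -in ./carpago.crt -inkey ./my_private.key -out carpago_eu.p12 -passout env:STORE_PASS

# 2. Convert the PKCS#12 file into a JKS keystore (alias "1" is what openssl assigns).
keytool -importkeystore -deststorepass:env STORE_PASS -destkeypass:env STORE_PASS \
  -destkeystore project-carpago-keystore.jks \
  -srckeystore carpago_eu.p12 -srcstoretype PKCS12 -srcstorepass:env STORE_PASS -alias 1

# 3. Add the Carpago CA certificate so the backend's server certificate validates.
#    Compare the fingerprint keytool prints with the one Carpago support gave you
#    before answering "yes".
keytool -import -alias CarpagoCA -keystore project-carpago-keystore.jks -storepass:env STORE_PASS -trustcacerts -file project_ca.pem

# 4. The Java SSLSecurityHelper loads a separate trust store
#    (project-ca-truststore.jks) that the original steps never created; build it
#    from the same CA certificate. Skip this if Carpago supplied a truststore.
keytool -import -alias CarpagoCA -keystore project-ca-truststore.jks -storepass:env STORE_PASS -trustcacerts -file project_ca.pem

# Now SoapUI can be configured using the steps in soapui-setup.txt.

# Optional: show the contents of the keystore. It should list two entries:
# the "1" private-key entry and the CarpagoCA trusted certificate.
keytool -list -keystore project-carpago-keystore.jks -storepass:env STORE_PASS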
Happy coding!
{author}
{e-mail}