How do I configure Servoy SSL?


How do I configure Servoy SSL?

Postby Jan Blok » Tue May 27, 2008 11:26 am

Servoy supports 128 bit SSL (Secure Socket Layer) to secure all data traveling between Servoy Server and a Servoy Client. A Servoy Server SSL supports 2 types of certificates:
    1) Truststore Used to verify that a client is operating legitimately on behalf of a specified user.
    2) Keystore Used to provide clients with "proof" that a server is operating legitimately based on a specified domain.
Truststores and Keystores are stored on disk as encrypted files.

To use Servoy together with SSL, the basic steps are:
1: Create a keystore with a signed and trusted certificate
    - Create a keystore using the command line utility "Keytool".
    - Create a "Certificate Signing Request" (CSR)
    - Authenticate the CSR, for example with "instantSSL".
    - Import the signed certificate (+ any required intermediate certificate) into your keystore.
2: Add the signed and trusted keystore to Servoy Server.

Detailed description:
1) Create a keystore with a signed and trusted certificate.
a) First create a keystore using the command line utility "Keytool". Enter the command:
Code:
keytool -genkey -alias sslkey -keyalg RSA -keystore servoy.ks -validity 360
    NOTE: keytool is a commandline tool that ships with your Java SDK
    NOTE: you can make the alias (sslkey) whatever you want, but it's important to remember for later steps
    NOTE: you can call the keystore file (servoy.ks) whatever you want
    NOTE: you can make the validity (in days) whatever you want
b) Enter a keystore password (whatever you want, but remember it for later use)
c) Now keytool asks for your first and last name. Enter the Fully Qualified Domain Name of the host that Servoy Server is running on. For example: www.mycompany.com
d) Fill in something relevant for the rest of the fields.
e) Enter the password for this key. Use the same password as in step a. You can also just press return (the same password will be used automatically then).

f) Next create a "Certificate Signing Request" (CSR) using the following command:
Code:
keytool -certreq -alias sslkey -keyalg RSA -file servoy.csr -keystore servoy.ks

g) MAKE A BACKUP COPY OF THE KEYSTORE AND CSR FILES. IF YOU LOSE THEM OR ACCIDENTALLY DESTROY THEM YOU WILL HAVE PAID FOR NOTHING

Next step is to authenticate the CSR. This can be done with any third party you'd like. This example uses http://www.instantssl.com
h) Browse to http://www.instantssl.com
i1) Click Instant SSL button (top right, under Free SSL), or click Free SSL to test all this first before paying for it.
i2) If you chose Instant SSL select your duration (1, 2, or 3 years)
    NOTE: Make sure the validity is shorter than the validity you chose when creating the keystore, otherwise you are paying for more than you will get!!!
j) Copy the contents of the servoy.csr file into the form where it says to copy your CSR to.
k) Select OTHER for the software used to generate it.
l) Deselect all the checks of step 4 on the web page (newsletters and other stuff).
m) Fill in the rest and follow these instructions (corporate details, etc.).

After completing all the steps, you will receive an email from InstantSSL with all the required info to continue.

When you have received the information from your SSL supplier, you need to import the signed certificate (+ any required intermediate certificate) into your keystore.
n) Import the signed .crt file which you received from Instant SSL into your keystore, using the following code:
Code:
keytool -import -alias sslkey -keystore servoy.ks -trustcacerts -file servoy.crt

o) Type the correct password and trust the certificate.

After this command, keytool can sometimes throw an error message saying that a chain of trust could not be established for the given certificate reply. This error appears when the reply is in the form of a chain of certificates (PKCS#7 format). keytool needs to "read" this chain from the first parent of the certificate reply up to the CA root (which will be trusted or not, depending on the presence of this CA root in the cacerts file or the presence of the "-trustcacerts" argument). A fix that always works:

a) note all the "parents" of the response certificate in order (from the first parent to the CA root) - you can see them in Windows by opening the .crt file (e.g. servoy.crt) and looking at the certification path (a "tree" with all the "parents")
b) open the certificate in an editor - let's call it target certificate
c) for each parent in the parent's list (taken from the "first" parent up to the CA root)
* add its content into the target certificate's file at the _beginning_ of the file; the content is from "-----BEGIN CERTIFICATE-----" to "-----END CERTIFICATE-----" (new lines are allowed between certificates' contents)
d) run the command again: keytool -import -alias sslkey -keystore servoy.ks -trustcacerts -file servoy.crt

NOTE: each certificate is viewable as text encoded Base64
NOTE: this is needed in order to make the certificate file conformant to PKCS#7 format; this can also be done in other ways, by adding the CA root into the keystore with the keytool command, but it will not work all the time, and if it works, the result is the same as using the solution described above.

2) Add the signed and trusted keystore to Servoy Server.
Copy this keystore file (servoy.ks) to a location on the machine which runs Servoy Server. In the admin pages select Network Settings, and fill in the correct location for the SSLKeystorePath and the correct password for the SSLKeystorePassword.

Restart the server.

NOTE:

YOUR KEYSTORE CONTAINS VERY SENSITIVE INFORMATION!! IF THIS INFORMATION IS COMPROMISED PEOPLE CAN DO ALL KINDS OF NASTY STUFF SUCH AS LISTEN IN ON AND MODIFY YOUR SUPPOSEDLY ENCRYPTED INFORMATION. IF YOU EVEN FIND OUT THAT THIS HAS HAPPENED (WHICH IS A BEST CASE SCENARIO) YOU WILL HAVE TO REVOKE THE CERTIFICATE AND PURCHASE A NEW ONE.

IF YOU LOSE OR ACCIDENTALLY DESTROY YOUR KEYSTORE, YOU WILL ALSO HAVE TO PURCHASE A NEW CERTIFICATE. MAKE PROPER BACKUPS AT ALL TIMES AND MAKE SURE ONLY AUTHORIZED PERSONNEL HAVE ACCESS TO THESE BACKUPS!!
Jan Blok
Servoy

Re: How do I configure Servoy SSL?

Postby martinh » Thu Jul 29, 2010 11:23 am

The csr created by the commandline

keytool -genkey -alias sslkey -keyalg RSA -keystore servoy.ks -validity 360

is not accepted anymore by Thawte (probably due to the stronger algorithms they use now)
You must add the following argument now: -keysize 2048

So the new keytool command must be:

keytool -genkey -alias sslkey -keyalg RSA -keysize 2048 -keystore servoy.ks -validity 360

Please change also the wiki page(s)

Re: How do I configure Servoy SSL?

Postby Ruben79 » Fri Apr 12, 2013 5:16 pm

Can you please explain in detail how this works?
---------------
After this command, keytool can sometimes throw an error message saying that a chain of trust could not be established for the given certificate reply. This error appears when the reply is in the form of a chain of certificates (PKCS#7 format). keytool needs to "read" this chain from the first parent of the certificate reply up to the CA root (which will be trusted or not, depending on the presence of this CA root in the cacerts file or the presence of the "-trustcacerts" argument). A fix that always works:

a) note all the "parents" of the response certificate in order (from the first parent to the CA root) - you can see them in Windows by opening the .crt file (e.g. servoy.crt) and looking at the certification path (a "tree" with all the "parents")
b) open the certificate in an editor - let's call it target certificate
c) for each parent in the parent's list (taken from the "first" parent up to the CA root)
* add its content into the target certificate's file at the _beginning_ of the file; the content is from "-----BEGIN CERTIFICATE-----" to "-----END CERTIFICATE-----" (new lines are allowed between certificates' contents)
---------------
I tried this:

RapidSSL CA
GeoTrust Global CA
-----BEGIN CERTIFICATE-----
base64stuff

GeoTrust Global CA
RapidSSL CA
-----BEGIN CERTIFICATE-----
base64stuff

both give this error:
keytool error: java.security.cert.CertificateParsingException: invalid DER-encoded certificate data

Could you specify how this should look?

Re: How do I configure Servoy SSL?

Postby Ruben79 » Fri Apr 12, 2013 5:19 pm

Sorry I can't edit my post in this forum nor put images in.
This is a screenshot of the chain: http://screencast.com/t/Rc6mlSctL

Re: How do I configure Servoy SSL?

Postby Ruben79 » Fri Apr 12, 2013 5:45 pm

Sorry I figured out I had to export the certificates themselves, and not just the name.
So I got the keystore imported.
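As an added illustration of the chain-of-trust fix in Jan Blok's post and of the "invalid DER-encoded certificate data" error Ruben79 ran into, the following Python script is not part of the original thread or of Servoy. It takes a file of concatenated PEM certificates, rejects anything in it that is not a certificate block (the bare CA names Ruben79 had typed in, or a body that is not base64), and orders the certificates leaf, intermediate, root by matching each issuer Name to the next subject Name with a minimal DER walker from the standard library. The certificates it runs on are constructed stand-ins (the CA names are borrowed from Ruben79's chain; the layout is X.509 but keys and signatures are dummies), so it demonstrates the file-assembly step only, not signature verification. It writes the chain leaf-first; the post's prepend-the-parents recipe produces root-first, and keytool sorts a multi-certificate reply itself, so either order imports.

```python
# Added example: check and order a PEM certificate reply for keytool.
# Standard library only; sample certificates below are constructed stand-ins.
import base64
import re

PEM_BLOCK = re.compile(r"-----BEGIN CERTIFICATE-----(.*?)-----END CERTIFICATE-----", re.S)
OID_CN = bytes.fromhex("550403")                      # id-at-commonName, 2.5.4.3

def tlv(tag, content):
    """Encode one DER element (long-form length once content is >= 128 bytes)."""
    n = len(content)
    if n < 0x80:
        return bytes([tag, n]) + content
    body = n.to_bytes((n.bit_length() + 7) // 8, "big")
    return bytes([tag, 0x80 | len(body)]) + body + content

def read_tlv(buf, pos):
    """Decode the element at pos; return (tag, content, position after it)."""
    if pos + 2 > len(buf):
        raise ValueError("truncated DER")
    tag, length, pos = buf[pos], buf[pos + 1], pos + 2
    if length & 0x80:                                 # long form: n length bytes follow
        n = length & 0x7F
        length, pos = int.from_bytes(buf[pos:pos + n], "big"), pos + n
    if pos + length > len(buf):
        raise ValueError("truncated DER")
    return tag, buf[pos:pos + length], pos + length

def names(der):
    """(subject, issuer) as raw DER Name bytes of one certificate. TBSCertificate is
    SEQUENCE { [0] version OPTIONAL, serial, sigAlg, issuer, validity, subject, ... }"""
    tag, cert, end = read_tlv(der, 0)
    if tag != 0x30 or end != len(der):
        raise ValueError("not one DER SEQUENCE, so not a certificate")
    tag, tbs, _ = read_tlv(cert, 0)
    if tag != 0x30:
        raise ValueError("tbsCertificate is not a SEQUENCE")
    fields, pos = [], 0
    while pos < len(tbs) and len(fields) < 5:
        tag, content, pos = read_tlv(tbs, pos)
        if tag != 0xA0 or fields:                     # skip the EXPLICIT [0] version
            fields.append(tlv(tag, content))
    if len(fields) < 5:
        raise ValueError("tbsCertificate too short")
    return fields[4], fields[2]

def parse_pem_file(text):
    """DER certificates from a PEM file; text that is not a certificate block is an error."""
    certs, last = [], 0
    for m in PEM_BLOCK.finditer(text):
        if text[last:m.start()].strip():              # e.g. a CA name typed in as text
            raise ValueError("text outside a certificate block: %r" % text[last:m.start()].strip()[:40])
        der = base64.b64decode("".join(m.group(1).split()), validate=True)
        names(der)                                    # must parse as a certificate
        certs.append(der)
        last = m.end()
    if text[last:].strip() or not certs:
        raise ValueError("trailing text, or no certificate block at all")
    return certs

def order_chain(certs):
    """Order leaf -> root by matching issuer to subject; stops at a self-signed root
    or earlier if the next issuer is not in the input."""
    by_subject = {names(c)[0]: c for c in certs}
    issuers = {names(c)[1] for c in certs if names(c)[0] != names(c)[1]}
    leaves = [s for s in by_subject if s not in issuers]
    if len(leaves) != 1:
        raise ValueError("expected one leaf certificate, found %d" % len(leaves))
    chain, subject = [], leaves[0]
    while subject in by_subject and by_subject[subject] not in chain:
        chain.append(by_subject[subject])
        issuer = names(chain[-1])[1]
        if issuer == subject:                         # self-signed root reached
            break
        subject = issuer
    return chain

def to_pem(der):
    b64 = base64.b64encode(der).decode()
    body = "\n".join(b64[i:i + 64] for i in range(0, len(b64), 64))
    return "-----BEGIN CERTIFICATE-----\n%s\n-----END CERTIFICATE-----\n" % body

def fix_reply_file(text):
    """The whole fix in one call: check, order, re-emit as one PEM file, leaf first."""
    return "".join(to_pem(c) for c in order_chain(parse_pem_file(text)))

def fake_cert(subject_cn, issuer_cn):
    """Constructed stand-in certificate (test data): X.509 layout, dummy content."""
    def name(cn):                                     # Name ::= SEQUENCE OF SET OF { OID, value }
        return tlv(0x30, tlv(0x31, tlv(0x30, tlv(0x06, OID_CN) + tlv(0x0C, cn.encode()))))
    alg = tlv(0x30, tlv(0x06, bytes.fromhex("2a864886f70d01010b")))   # sha256WithRSA
    validity = tlv(0x30, tlv(0x17, b"080527000000Z") + tlv(0x17, b"090527000000Z"))
    tbs = tlv(0x30, tlv(0xA0, tlv(0x02, b"\x02")) + tlv(0x02, b"\x01") + alg
              + name(issuer_cn) + validity + name(subject_cn) + tlv(0x30, b""))
    return tlv(0x30, tbs + alg + tlv(0x03, b"\x00"))  # empty BIT STRING as "signature"

ROOT = fake_cert("GeoTrust Global CA", "GeoTrust Global CA")
INTERMEDIATE = fake_cert("RapidSSL CA", "GeoTrust Global CA")
LEAF = fake_cert("www.mycompany.com", "RapidSSL CA")
SHUFFLED_FILE = to_pem(ROOT) + to_pem(LEAF) + to_pem(INTERMEDIATE)
BROKEN_FILE = "RapidSSL CA\nGeoTrust Global CA\n" + to_pem(LEAF)   # names, not certificates
```

On a real reply, run fix_reply_file on the contents of servoy.crt and write the result back before the keytool -import step. If the returned chain does not end with a self-signed certificate, the root is missing from the file: it has to come from the CA's bundle, or from cacerts via -trustcacerts.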
