Some technologies require a certificate in order to connect to the server, for example HTTPS, SSH, SFTP, FTPS or SMTP servers.

Java needs to have these certificates in its truststore before Stambia DI Runtime is able to connect.

CREATING A CERTIFICATE

If you need to configure Stambia to publish a service over SSL, you may need to create a certificate.

The usual recommendation is to get a certificate from a Certification Authority, especially when the service is publicly exposed and/or critical. Other use cases (such as SSL communication within the company local network, or test environments) can be satisfied with a self-signed certificate.

Here is how to create a self-signed certificate using Java keytool.

Creating the certificate and registering it in the Java installation:

D:\apps\java\jre1.8.0_151_64\bin>keytool.exe -genkey -keyalg RSA -alias MyCertificate -keystore keystore.jks -storepass changeit -validity 365 -keysize 2048
What is your first and last name?
[Unknown]: myserver.domain.com
What is the name of your organizational unit?
[Unknown]: companyName
What is the name of your organization?
[Unknown]: companyName
What is the name of your City or Locality?
[Unknown]: Somewhere
What is the name of your State or Province?
[Unknown]: Somewhere
What is the two-letter country code for this unit?
[Unknown]: FR
Is CN=myserver.domain.com, OU=companyName, O=companyName, L=Somewhere, ST=Somewhere, C=FR correct?
  [no]:  yes

Enter key password for <MyCertificate>
(RETURN if same as keystore password):
Re-enter new password:

Viewing the entries stored in the keystore file:

D:\apps\java\jre1.8.0_151_64\bin>keytool -list -v -keystore keystore.jks
Enter keystore password:
Keystore type: JKS
Keystore provider: SUN

Your keystore contains 1 entry

Alias name: mycertificate
Creation date: 12-Feb-2019
Entry type: PrivateKeyEntry
Certificate chain length: 1
Certificate[1]:
Owner: CN=myserver.domain.com, OU=companyName, O=companyName, L=Somewhere, ST=Somewhere, C=FR
Issuer: CN=myserver.domain.com, OU=companyName, O=companyName, L=Somewhere, ST=Somewhere, C=FR
Serial number: 2165da64
Valid from: Tue Feb 12 12:13:40 CET 2019 until: Wed Feb 12 12:13:40 CET 2020
Certificate fingerprints:
MD5: 31:DD:93:B9:51:CA:6F:64:08:57:0F:60:ED:F4:C5:7D
SHA1: E1:2F:94:67:4C:9D:39:03:82:9B:69:1E:2B:5D:8E:2E:6C:FB:BA:D5
SHA256: C7:AD:21:DD:0B:7D:0A:7D:A9:CB:FB:14:7B:54:EF:E4:19:FA:45:1D:27:B2:75:EE:AB:01:11:5A:02:DA:44:68
Signature algorithm name: SHA256withRSA
Subject Public Key Algorithm: 2048-bit RSA key
Version: 3

Extensions:

#1: ObjectId: 2.5.29.14 Criticality=false
SubjectKeyIdentifier [
KeyIdentifier [
0000: 2A 4A F3 6F 7C 70 E2 C4 41 5F 12 BC 24 D9 FB 7D *J.o.p..A_..$...
0010: 98 78 8D 73 .x.s
]
]

*******************************************
*******************************************

Generating a certificate signing request (CSR) for the key pair:

D:\apps\java\jre1.8.0_151_64\bin>keytool -certreq -alias MyCertificate -keystore keystore.jks -file MyCertificate.csr

Enter keystore password:

D:\apps\java\jre1.8.0_151_64\bin>dir MyCertificate.csr
Volume in drive D is Data
 Volume Serial Number is 2891-91F0

 Directory of D:\apps\java\jre1.8.0_151_64\bin

12/02/2019  12:25             1,128 MyCertificate.csr
               1 File(s)          1,128 bytes
               0 Dir(s)  91,272,257,536 bytes free

Viewing the CSR content:

D:\apps\java\jre1.8.0_151_64\bin>type MyCertificate.csr
-----BEGIN NEW CERTIFICATE REQUEST-----
[...]
-----END NEW CERTIFICATE REQUEST-----

GETTING AN EXISTING CERTIFICATE

You will need a certificate file (the extension is usually .cer, .crt or .csr). This is done outside Stambia DI.

The server administrator can generally provide this certificate.

Other ways to get the certificate are:

  • HTTPS servers: point a web browser at the URL and export the certificate (search the internet for "how to export certificate using your_browser_name")
  • Using the openssl command line:
    > openssl s_client -connect <host>:<port>
    CONNECTED(000001B0)
    [...]
    Server certificate
    -----BEGIN CERTIFICATE-----
    [...]
    -----END CERTIFICATE-----
    [...]
    
    
  • Copy the lines between "-----BEGIN CERTIFICATE-----" and "-----END CERTIFICATE-----", including these two lines
  • Save these lines to a temporary "certificate.crt" file
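The copy-and-save step above, done programmatically, as an added example that is not part of the original article: it extracts every PEM block from saved "openssl s_client" output, writes the server certificate to certificate.crt, and prints its fingerprint in the same colon-separated form keytool shows at the "Trust this certificate?" prompt, so the value can be compared with one obtained from the server administrator before the import is confirmed. The s_client output is a constructed sample whose PEM bodies are not real certificates; the function and file names are this example's own.

```python
import base64
import hashlib
import re
from typing import List

# Constructed sample of "openssl s_client -showcerts" output (not a real session).
# The first PEM body "YWJj" is base64 for the bytes b"abc", so its fingerprint can be
# checked against the well-known SHA-256 test vector rather than a real certificate.
SAMPLE_S_CLIENT_OUTPUT = """CONNECTED(000001B0)
Certificate chain
 0 s:CN = myserver.domain.com
-----BEGIN CERTIFICATE-----
YWJj
-----END CERTIFICATE-----
 1 s:CN = constructed-issuer
-----BEGIN CERTIFICATE-----
ZGVm
-----END CERTIFICATE-----
Server certificate
"""

PEM_BLOCK = re.compile(r"-----BEGIN CERTIFICATE-----\s*(.*?)\s*-----END CERTIFICATE-----", re.DOTALL)

def extract_pem_certificates(text: str) -> List[str]:
    """Return each PEM block found in s_client output, BEGIN/END lines included.
    With -showcerts the first block is the server (leaf) certificate, the rest its chain."""
    certs = []
    for match in PEM_BLOCK.finditer(text):
        body = "".join(match.group(1).split())       # drop line breaks and stray spaces
        base64.b64decode(body, validate=True)         # reject a corrupted copy-paste early
        wrapped = "\n".join(body[i:i + 64] for i in range(0, len(body), 64))
        certs.append(f"-----BEGIN CERTIFICATE-----\n{wrapped}\n-----END CERTIFICATE-----\n")
    return certs

def fingerprint(pem: str, algorithm: str = "sha256") -> str:
    """Hash the DER bytes and format the digest like keytool's 'Certificate fingerprints' lines."""
    body = "".join(PEM_BLOCK.search(pem).group(1).split())
    digest = hashlib.new(algorithm, base64.b64decode(body, validate=True)).hexdigest().upper()
    return ":".join(digest[i:i + 2] for i in range(0, len(digest), 2))

def save_certificate(pem: str, path: str = "certificate.crt") -> None:
    """Write one PEM block to the temporary file that keytool -import will read."""
    with open(path, "w", encoding="ascii", newline="\n") as fh:
        fh.write(pem)

if __name__ == "__main__":
    leaf = extract_pem_certificates(SAMPLE_S_CLIENT_OUTPUT)[0]
    print("SHA256:", fingerprint(leaf))
    save_certificate(leaf)
```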

IMPORTING THE CERTIFICATE INTO YOUR JAVA INSTALLATION

This is usually done with the keytool utility, included in your Java distribution.

Example 1: adding the certificate to the default truststore

<JAVA_HOME>/bin/keytool -import -alias <server_name> -keystore <JAVA_HOME>/jre/lib/security/cacerts -file certificate.crt

Example 2: creating a specific truststore

<JAVA_HOME>/bin/keytool -import -alias alias01 -file D:\data\certificate.crt -keystore d:\data\myKeyStore.jks
Enter new keyfile password :
Re-enter new password :
Owner : C=FR
Issuer : C=FR
Serial Number : 0
Valid from: Thu Sep 25 18:01:13 PDT 1997 until: Wed Dec 24 17:01:13 PDT 1997
Certificate Fingerprints:
         MD5:  C0:5B:B9:6F:63:1B:5E:70:4C:E3:A1:C6:0F:2B:58:68
         SHA1 : F8:44:F1:BC:9B:19:8A:FA:8A:58:D4:7C:AC:D3:16:B8:92:79:66:78
         SHA256 : F2:9D:89:02:55:4C:F5:77:E5:13:C7:5F:06:CF:0B:2C:F1:C6:04:4B:D5:1F:E4:E6:FD:9B:98:A1:F0:A3:F4:C7
Trust this certificate? [no] :  yes
Certificate added to keystore

Please consult your Java distribution's documentation for further details.

MAKING SURE THAT STAMBIA DI USES THE CERTIFICATE

When the certificate is installed in the default truststore of the Java installation, Stambia DI uses it automatically.

When the certificate is installed in a specific truststore, specify that truststore on the Action by adding the following properties:

KEY_STORE: d:\data\myKeyStore.jks
KEY_STORE_TYPE: JKS
KEY_STORE_PASSWORD: <encrypted password>

Note: the password can be encrypted using the Runtime's encrypt <password> command.