Re: Jetty over HTTPS

2017-08-21 Thread Carl Wilson
Hi Dustin,

When you obtain a signed certificate, there is an associated CSR that is 
generated, against which the authority provides the certificate.  These are 
tied to public/private keys, so the certificate needs to be imported back to 
where the keys are and where the CSR was generated from, to complete the 
signing chain (using the same alias that you created the CSR against).

You then need to either use this keystore or convert it to a Java-based 
keystore.

Without the keys and full chain, Java (Jetty) will not present the 
certificate, so you need to export the full cert chain and keys or, if you 
have these, convert them to a Java keystore.

--

Kind Regards,

Carl Wilson


From: Action Request System discussion list(ARSList) 
[mailto:arslist@ARSLIST.ORG] On Behalf Of Fawver, Dustin
Sent: 21 August 2017 16:57
To: arslist@ARSLIST.ORG
Subject: Re: Jetty over HTTPS

Carl,

I still am not doing something correctly.  I deleted the keystore and used the 
import command to import each of the three .crt files into a new one.  After 
restarting the AR System service, I can see that it’s listening on the port.  I 
still get the message that the server unexpectedly closed the connection.  Do 
you have any idea what part I may have left out?

Thanks!

Dustin Fawver
Sr. Help Desk Technician
Information Technology Services
P: 423-439-4648
itsh...@etsu.edu
<http://www.etsu.edu/helpdesk>



From: Action Request System discussion list(ARSList) 
[mailto:arslist@ARSLIST.ORG] On Behalf Of Carl Wilson
Sent: Monday, August 21, 2017 3:44 AM
To: arslist@ARSLIST.ORG
Subject: Re: Jetty over HTTPS

*** EXTERNAL EMAIL *** This email does NOT originate from an ETSU person or 
service. Please exercise caution when handling e-mails from external sources. 
If this e-mail is unsolicited and requires you to take immediate action, 
appears to be forged or is PHISHING for information, please contact the ITS 
Help Desk at, 423-439-4648. ETSU internal and official messages never include a 
disclaimer.

Hi Justin,

Jetty requires that you have the full cert chain installed in the keystore(s) 
that you are using, or it will not start correctly and present the certificate 
(as it uses Java, which requires all elements of the certificates to be 
present).

So, you need to install the full certificate chain (root, intermediate, server) 
as a single chained file (p7b or similar), or convert the certificate chain and 
keys to a keystore file if, say, they are in a p12 format.

BMC instructions are not the best for actually stating this, and are geared 
more towards a single self-signed certificate (not an authority-chained cert).

Here is a section from a configuration document I wrote for Service Broker, but 
the concept is the same:

1.1 Configuring Jetty (Service Broker)

To implement SSL configuration on Service Broker, you need to update the 
“jetty-http.xml” file on the Remedy Service Broker system, located in 
…/jetty/etc/jetty-http.xml.

https://docs.bmc.com/docs/display/myitsb33/Configuring+access+to+the+MyIT+Service+Broker+server+over+SSL

Point to the location of the keystore that contains the Signed Certificate and 
keys (public/private).  You can generate a new keystore / keys / certificate 
for a Self Signed Certificate, or convert an existing file to a Java “.jks” 
keystore.

You may receive a file in the “.pfx” format (Windows, containing certificate(s) 
and keys) which you can convert to a Java “.jks” keystore using keytool or 
another program.   You may also wish to change the alias and store passwords 
for use with your application to standardise.

You can also choose to update the port that Service Broker uses for SSL to a 
standard port e.g. 443 or 8443.

Note:  If Jetty cannot find all required parts associated with the certificate 
(keys, certificate – including all certificates in the chain), the application 
will not start.

Sample: jetty-http.xml

C:/keystore/keystore
OBF:1v2j1uum1xtv1zej1zer1xtn1uvk1v1v
OBF:1v2j1uum1xtv1zej1zer1xtn1uvk1v1v
C:/truststore/cacerts
OBF:1v2j1uum1xtv1zej1zer1xtn1uvk1v1v

TLS_DHE_RSA.*
TLS_ECDHE.*

SSL_RSA_WITH_DES_CBC_SHA
SSL_DHE_RSA_WITH_DES_CBC_SHA
SSL_DHE_DSS_WITH_DES_CBC_SHA
SSL_RSA_EXPORT_WITH_RC4_40_MD5
SSL_RSA_EXPORT_WITH_DES40_CBC_SHA
SSL_DHE_RSA_EXPORT_WITH_DES40_CBC_SHA
SSL_DHE_DSS_EXPORT_WITH_DES40_CBC_SHA
.*NULL.*
.*RC4.*
.*MD5.*
.*DES.*
.*DSS.*
.*_DHE_RSA_.*

SSL
SSLv2
SSLv2Hello

Re: Jetty over HTTPS

2017-08-21 Thread Fawver, Dustin
Carl,

I still am not doing something correctly.  I deleted the keystore and used the 
import command to import each of the three .crt files into a new one.  After 
restarting the AR System service, I can see that it’s listening on the port.  I 
still get the message that the server unexpectedly closed the connection.  Do 
you have any idea what part I may have left out?
Thanks!
Dustin Fawver
Sr. Help Desk Technician
Information Technology Services

P: 423-439-4648
itsh...@etsu.edu
<http://www.etsu.edu/helpdesk>

From: Action Request System discussion list(ARSList) 
[mailto:arslist@ARSLIST.ORG] On Behalf Of Carl Wilson
Sent: Monday, August 21, 2017 3:44 AM
To: arslist@ARSLIST.ORG
Subject: Re: Jetty over HTTPS


Hi Justin,
Jetty requires that you have the full cert chain installed in the keystore(s) 
that you are using, or it will not start correctly and present the certificate 
(as it uses Java, which requires all elements of the certificates to be 
present).
So, you need to install the full certificate chain (root, intermediate, server) 
as a single chained file (p7b or similar), or convert the certificate chain and 
keys to a keystore file if, say, they are in a p12 format.
BMC instructions are not the best for actually stating this, and are geared 
more towards a single self-signed certificate (not an authority-chained cert).

Here is a section from a configuration document I wrote for Service Broker, but 
the concept is the same:
1.1 Configuring Jetty (Service Broker)

To implement SSL configuration on Service Broker, you need to update the 
“jetty-http.xml” file on the Remedy Service Broker system, located in 
…/jetty/etc/jetty-http.xml.

https://docs.bmc.com/docs/display/myitsb33/Configuring+access+to+the+MyIT+Service+Broker+server+over+SSL

Point to the location of the keystore that contains the Signed Certificate and 
keys (public/private).  You can generate a new keystore / keys / certificate 
for a Self Signed Certificate, or convert an existing file to a Java “.jks” 
keystore.

You may receive a file in the “.pfx” format (Windows, containing certificate(s) 
and keys) which you can convert to a Java “.jks” keystore using keytool or 
another program.   You may also wish to change the alias and store passwords 
for use with your application to standardise.

You can also choose to update the port that Service Broker uses for SSL to a 
standard port e.g. 443 or 8443.

Note:  If Jetty cannot find all required parts associated with the certificate 
(keys, certificate – including all certificates in the chain), the application 
will not start.

Sample: jetty-http.xml

C:/keystore/keystore
OBF:1v2j1uum1xtv1zej1zer1xtn1uvk1v1v
OBF:1v2j1uum1xtv1zej1zer1xtn1uvk1v1v
C:/truststore/cacerts
OBF:1v2j1uum1xtv1zej1zer1xtn1uvk1v1v

TLS_DHE_RSA.*
TLS_ECDHE.*

SSL_RSA_WITH_DES_CBC_SHA
SSL_DHE_RSA_WITH_DES_CBC_SHA
SSL_DHE_DSS_WITH_DES_CBC_SHA
SSL_RSA_EXPORT_WITH_RC4_40_MD5
SSL_RSA_EXPORT_WITH_DES40_CBC_SHA
SSL_DHE_RSA_EXPORT_WITH_DES40_CBC_SHA
SSL_DHE_DSS_EXPORT_WITH_DES40_CBC_SHA
.*NULL.*
.*RC4.*
.*MD5.*
.*DES.*
.*DSS.*
.*_DHE_RSA_.*

SSL
SSLv2
SSLv2Hello
SSLv3

http/1.1

8443

--

Kind Regards,

Carl Wilson


From: Action Request System discussion list(ARSList) 
[mailto:arslist@ARSLIST.ORG] On Behalf Of Fawver, Dustin
Sent: 21 August 2017 03:54
To: arslist@ARSLIST.ORG
Subject: Jetty over HTTPS

Greetings, Listers!

I’ve been working on getting Jetty to run on my dev environment so that I can 
start working on REST calls.  I have ARS 9.1.02 installed.  In short, I can get 
it to run over HTTP if I make the proper mods in the jetty selector file.  When 
I configure it to run using HTTPS on port 9443 (or even the default 8443), I 
get a message that the server unexpectedly closed the connection.  Running 
“netstat –a” shows that the server is listening on the designated port.

I’ve been trying different things with the keytool prog

Re: Jetty over HTTPS

2017-08-21 Thread Carl Wilson
Hi Justin,

Jetty requires that you have the full cert chain installed in the keystore(s) 
that you are using, or it will not start correctly and present the certificate 
(as it uses Java, which requires all elements of the certificates to be 
present).

So, you need to install the full certificate chain (root, intermediate, server) 
as a single chained file (p7b or similar), or convert the certificate chain and 
keys to a keystore file if, say, they are in a p12 format.

BMC instructions are not the best for actually stating this, and are geared 
more towards a single self-signed certificate (not an authority-chained cert).

Here is a section from a configuration document I wrote for Service Broker, but 
the concept is the same:

1.1 Configuring Jetty (Service Broker)

To implement SSL configuration on Service Broker, you need to update the 
“jetty-http.xml” file on the Remedy Service Broker system, located in 
…/jetty/etc/jetty-http.xml.

https://docs.bmc.com/docs/display/myitsb33/Configuring+access+to+the+MyIT+Service+Broker+server+over+SSL

Point to the location of the keystore that contains the Signed Certificate and 
keys (public/private).  You can generate a new keystore / keys / certificate 
for a Self Signed Certificate, or convert an existing file to a Java “.jks” 
keystore.

You may receive a file in the “.pfx” format (Windows, containing certificate(s) 
and keys) which you can convert to a Java “.jks” keystore using keytool or 
another program.   You may also wish to change the alias and store passwords 
for use with your application to standardise.

You can also choose to update the port that Service Broker uses for SSL to a 
standard port e.g. 443 or 8443.

Note:  If Jetty cannot find all required parts associated with the certificate 
(keys, certificate – including all certificates in the chain), the application 
will not start.

Sample: jetty-http.xml

C:/keystore/keystore
OBF:1v2j1uum1xtv1zej1zer1xtn1uvk1v1v
OBF:1v2j1uum1xtv1zej1zer1xtn1uvk1v1v
C:/truststore/cacerts
OBF:1v2j1uum1xtv1zej1zer1xtn1uvk1v1v

TLS_DHE_RSA.*
TLS_ECDHE.*

SSL_RSA_WITH_DES_CBC_SHA
SSL_DHE_RSA_WITH_DES_CBC_SHA
SSL_DHE_DSS_WITH_DES_CBC_SHA
SSL_RSA_EXPORT_WITH_RC4_40_MD5
SSL_RSA_EXPORT_WITH_DES40_CBC_SHA
SSL_DHE_RSA_EXPORT_WITH_DES40_CBC_SHA
SSL_DHE_DSS_EXPORT_WITH_DES40_CBC_SHA
.*NULL.*
.*RC4.*
.*MD5.*
.*DES.*
.*DSS.*
.*_DHE_RSA_.*

SSL
SSLv2
SSLv2Hello
SSLv3

http/1.1

8443

--

Kind Regards,

Carl Wilson


From: Action Request System discussion list(ARSList) 
[mailto:arslist@ARSLIST.ORG] On Behalf Of Fawver, Dustin
Sent: 21 August 2017 03:54
To: arslist@ARSLIST.ORG
Subject: Jetty over HTTPS

Greetings, Listers!

I’ve been working on getting Jetty to run on my dev environment so that I can 
start working on REST calls.  I have ARS 9.1.02 installed.  In short, I can get 
it to run over HTTP if I make the proper mods in the jetty selector file.  When 
I configure it to run using HTTPS on port 9443 (or even the default 8443), I 
get a message that the server unexpectedly closed the connection.  Running 
“netstat -a” shows that the server is listening on the designated port.

I’ve been trying different things with the keytool program.  I have a GeoTrust 
signed cert available for me to use.  I used the following command as outlined 
at https://docs.bmc.com/docs/ars91/configuring-the-rest-api-609071434.html

C:\Program Files\BMC Software\ARSystem\jetty\etc>"\Program Files\Java\jre1.8.0_73\bin\keytool.exe" -import -trustcacerts -alias etsu.edu -file etsu.edu.crt -keystore keystore

All of the required services (ARS, email, flashboards, Mid-Tier, Tomcat, etc) 
run on the same box.  I hope this is not causing a conflict.  Any help would be 
much appreciated.

Thanks!

Dustin Fawver
Sr. Help Desk Technician
Information Technology Services
P: 423-439-4648
itsh...@etsu.edu
<http://www.etsu.edu/helpdesk>

_ARSlist: "Where the Answers Are" and have been for 20 years_




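Carl's steps above (key pair and CSR under one alias, the CA reply imported back onto that alias, or a .pfx converted to .jks) set against Dustin's single -import -trustcacerts command, as an added shell example that is not code from the thread or from BMC; it also gives a keytool -list check that tells a store holding only trusted certificates from one Jetty can actually serve. Assumed names: root.crt, intermediate.crt and the geotrust-* aliases; keytool must be on PATH.

```shell
#!/bin/sh
# Added example, not code from the thread or from BMC: why a keystore built only with
# "keytool -import -trustcacerts" leaves Jetty nothing to present, and the keytool order
# that works. Assumes keytool on PATH; alias "etsu.edu", etsu.edu.crt and the store name
# "keystore" follow Dustin's post; root.crt, intermediate.crt and their aliases are assumed.
set -eu
# Constructed "keytool -list -keystore keystore" output (fingerprints made up) for a
# store filled only with -import -trustcacerts: three trustedCertEntry items, i.e.
# public certificates with no private key. Jetty's SslContextFactory can only serve
# from a PrivateKeyEntry (key + server cert + chain under one alias), so the TLS
# handshake aborts and the browser reports that the server closed the connection.
BROKEN_LISTING='Your keystore contains 3 entries

etsu.edu, Aug 21, 2017, trustedCertEntry,
Certificate fingerprint (SHA1): 00:11:22:33:44:55:66:77:88:99:AA:BB:CC:DD:EE:FF:00:11:22:33
geotrust-intermediate, Aug 21, 2017, trustedCertEntry,
Certificate fingerprint (SHA1): 10:11:22:33:44:55:66:77:88:99:AA:BB:CC:DD:EE:FF:00:11:22:33
geotrust-root, Aug 21, 2017, trustedCertEntry,
Certificate fingerprint (SHA1): 20:11:22:33:44:55:66:77:88:99:AA:BB:CC:DD:EE:FF:00:11:22:33'

# Same store after build_serving_keystore (fingerprint lines omitted): the CA reply
# now sits on the alias that owns the private key, so its entry type changes.
FIXED_LISTING='etsu.edu, Aug 21, 2017, PrivateKeyEntry,
geotrust-intermediate, Aug 21, 2017, trustedCertEntry,
geotrust-root, Aug 21, 2017, trustedCertEntry,'

# Print the aliases Jetty could serve from ("keyEntry" is the older keytool wording).
# Against a real store: serving_aliases "$(keytool -list -keystore keystore)"
serving_aliases() {
  printf '%s\n' "$1" | awk '/PrivateKeyEntry|keyEntry/ { sub(/,.*$/, ""); print }'
}

# Key pair and CSR live under one alias; the CA reply goes back onto that same alias
# after the chain is in the store (otherwise keytool stops with "Failed to establish
# chain from reply"). -keyalg RSA matters: Java 8 keytool defaults to DSA, which the
# sample jetty-http.xml excludes with .*DSS.*.
build_serving_keystore() {
  keytool -genkeypair -alias etsu.edu -keyalg RSA -keysize 2048 -keystore keystore \
    -dname "CN=etsu.edu"
  keytool -certreq -alias etsu.edu -keystore keystore -file etsu.edu.csr  # send to the CA
  keytool -importcert -trustcacerts -alias geotrust-root -file root.crt -keystore keystore
  keytool -importcert -trustcacerts -alias geotrust-intermediate -file intermediate.crt \
    -keystore keystore
  keytool -importcert -trustcacerts -alias etsu.edu -file etsu.edu.crt -keystore keystore
}

# When key and chain arrive as a Windows .pfx instead: convert the store, do not re-import.
convert_pfx_to_jks() {
  keytool -importkeystore -srckeystore "$1" -srcstoretype PKCS12 -destkeystore keystore -deststoretype JKS
}
```

The OBF: strings in Carl's sample are Jetty's reversible password obfuscation, not encryption, so jetty-http.xml needs the same filesystem protection as the keystore itself.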
Jetty over HTTPS

2017-08-20 Thread Fawver, Dustin
Greetings, Listers!

I’ve been working on getting Jetty to run on my dev environment so that I can 
start working on REST calls.  I have ARS 9.1.02 installed.  In short, I can get 
it to run over HTTP if I make the proper mods in the jetty selector file.  When 
I configure it to run using HTTPS on port 9443 (or even the default 8443), I 
get a message that the server unexpectedly closed the connection.  Running 
“netstat -a” shows that the server is listening on the designated port.

I’ve been trying different things with the keytool program.  I have a GeoTrust 
signed cert available for me to use.  I used the following command as outlined 
at https://docs.bmc.com/docs/ars91/configuring-the-rest-api-609071434.html

C:\Program Files\BMC Software\ARSystem\jetty\etc>"\Program Files\Java\jre1.8.0_73\bin\keytool.exe" -import -trustcacerts -alias etsu.edu -file etsu.edu.crt -keystore keystore

All of the required services (ARS, email, flashboards, Mid-Tier, Tomcat, etc) 
run on the same box.  I hope this is not causing a conflict.  Any help would be 
much appreciated.
Thanks!
Dustin Fawver
Sr. Help Desk Technician
Information Technology Services

P: 423-439-4648
itsh...@etsu.edu


___
UNSUBSCRIBE or access ARSlist Archives at www.arslist.org
"Where the Answers Are, and have been for 20 years"