Hi Justin, Jetty requires that you have the full cert chain installed in the keystore(s) that you are using, or it will not start correctly and present the certificate (as it uses Java which requires all elements for the certificates to be present).
So, you need to install the full certificate chain (root, intermediate, server) as a single chained file (p7b or similar), or convert the certificate chain and keys to a keystore file if they are in, say, a p12 format. BMC instructions are not the best for actually stating this, and are geared more towards a single self-signed certificate (not an authority-chained cert).

Here is a section from a configuration document I wrote for Service Broker, but the concept is the same:

1.1 Configuring Jetty (Service Broker)

To implement SSL configuration on Service Broker, you need to update the “jetty-http.xml” file on the Remedy Service Broker system, located in …/jetty/etc/jetty-http.xml.
https://docs.bmc.com/docs/display/myitsb33/Configuring+access+to+the+MyIT+Service+Broker+server+over+SSL

Point to the location of the keystore that contains the Signed Certificate and keys (public/private). You can generate a new keystore / keys / certificate for a Self-Signed Certificate, or convert an existing file to a Java “.jks” keystore. You may receive a file in the “.pfx” format (Windows, containing certificate(s) and keys) which you can convert to a Java “.jks” keystore using keytool or another program. You may also wish to change the alias and store passwords for use with your application to standardise. You can also choose to update the port that Service Broker uses for SSL to a standard port, e.g. 443 or 8443.

Note: If Jetty cannot find all required parts associated with the certificate (keys, certificate, including all certificates in the chain), the application will not start.

Sample: jetty-http.xml

    <!-- Fragment from jetty-http.xml: these elements sit inside the file's root
         <Configure id="Server" class="org.eclipse.jetty.server.Server"> element. -->
    <New id="httpsConfig" class="org.eclipse.jetty.server.HttpConfiguration">
      <Call name="addCustomizer">
        <Arg>
          <New class="org.eclipse.jetty.server.SecureRequestCustomizer" />
        </Arg>
      </Call>
    </New>

    <New id="sslContextFactory" class="org.eclipse.jetty.util.ssl.SslContextFactory">
      <Set name="KeyStorePath">C:/keystore/keystore</Set>
      <!-- OBF: values are Jetty's reversible obfuscation, not encryption; they only
           keep the clear-text password out of casual view, so protect the file itself. -->
      <Set name="KeyManagerPassword">OBF:1v2j1uum1xtv1zej1zer1xtn1uvk1v1v</Set>
      <Set name="KeyStorePassword">OBF:1v2j1uum1xtv1zej1zer1xtn1uvk1v1v</Set>
      <Set name="TrustStorePath">C:/truststore/cacerts</Set>
      <Set name="TrustStorePassword">OBF:1v2j1uum1xtv1zej1zer1xtn1uvk1v1v</Set>
      <Set name="IncludeCipherSuites">
        <Array type="String">
          <Item>TLS_DHE_RSA.*</Item>
          <Item>TLS_ECDHE.*</Item>
        </Array>
      </Set>
      <Set name="ExcludeCipherSuites">
        <Array type="String">
          <Item>SSL_RSA_WITH_DES_CBC_SHA</Item>
          <Item>SSL_DHE_RSA_WITH_DES_CBC_SHA</Item>
          <Item>SSL_DHE_DSS_WITH_DES_CBC_SHA</Item>
          <Item>SSL_RSA_EXPORT_WITH_RC4_40_MD5</Item>
          <Item>SSL_RSA_EXPORT_WITH_DES40_CBC_SHA</Item>
          <Item>SSL_DHE_RSA_EXPORT_WITH_DES40_CBC_SHA</Item>
          <Item>SSL_DHE_DSS_EXPORT_WITH_DES40_CBC_SHA</Item>
          <Item>.*NULL.*</Item>
          <Item>.*RC4.*</Item>
          <Item>.*MD5.*</Item>
          <Item>.*DES.*</Item>
          <Item>.*DSS.*</Item>
          <Item>.*_DHE_RSA_.*</Item>
        </Array>
      </Set>
      <Set name="ExcludeProtocols">
        <Array type="java.lang.String">
          <Item>SSL</Item>
          <Item>SSLv2</Item>
          <Item>SSLv2Hello</Item>
          <Item>SSLv3</Item>
        </Array>
      </Set>
    </New>

    <New id="sslConnectionFactory" class="org.eclipse.jetty.server.SslConnectionFactory">
      <Arg name="sslContextFactory"><Ref refid="sslContextFactory" /></Arg>
      <Arg name="next">http/1.1</Arg>
    </New>

    <New id="sslConnector" class="org.eclipse.jetty.server.ServerConnector">
      <Arg name="server"><Ref refid="Server" /></Arg>
      <Arg name="factories">
        <Array type="org.eclipse.jetty.server.ConnectionFactory">
          <Item><Ref refid="sslConnectionFactory" /></Item>
          <Item>
            <New class="org.eclipse.jetty.server.HttpConnectionFactory">
              <Arg name="config"><Ref refid="httpsConfig" /></Arg>
            </New>
          </Item>
        </Array>
      </Arg>
      <Set name="port">8443</Set>
    </New>

    <Call name="setConnectors">
      <Arg>
        <Array type="org.eclipse.jetty.server.ServerConnector">
          <Item><Ref refid="sslConnector" /></Item>
        </Array>
      </Arg>
    </Call>

----------------------------------------------
Kind Regards,
Carl Wilson

From: Action Request System discussion list (ARSList) [mailto:arslist@ARSLIST.ORG] On Behalf Of Fawver, Dustin
Sent: 21 August 2017 03:54
To: arslist@ARSLIST.ORG
Subject: Jetty over HTTPS

Greetings, Listers!

I’ve been working on getting Jetty to run on my dev environment so that I can start working on REST calls. I have ARS 9.1.02 installed. In short, I can get it to run over HTTP if I make the proper mods in the jetty selector file. When I configure it to run using HTTPS on port 9443 (or even the default 8443), I get a message that the server unexpectedly closed the connection. Running “netstat -a” shows that the server is listening on the designated port.

I’ve been trying different things with the keytool program. I have a GeoTrust signed cert available for me to use. I used the following command as outlined at https://docs.bmc.com/docs/ars91/configuring-the-rest-api-609071434.html

    C:\Program Files\BMC Software\ARSystem\jetty\etc>"\Program Files\Java\jre1.8.0_73\bin\keytool.exe" -import -trustcacerts -alias etsu.edu -file etsu.edu.crt -keystore keystore

All of the required services (ARS, email, flashboards, Mid-Tier, Tomcat, etc) run on the same box. I hope this is not causing a conflict.

Any help would be much appreciated. Thanks!

Dustin Fawver
Sr. Help Desk Technician
Information Technology Services
P: 423-439-4648
itsh...@etsu.edu
http://www.etsu.edu/helpdesk
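A `keytool -import -trustcacerts` run like the one in the question stores the certificate as a trusted-certificate entry: no private key and no chain for Jetty to present, which is the failure Carl describes. As an added example (not part of this thread or of BMC's documentation), the following Python audits the text of `keytool -list -v` and flags entries Jetty cannot serve; the listing and subject names are constructed, and only the `etsu.edu` alias is taken from the question.

```python
import re

# Constructed sample of `keytool -list -v` output (not a real keystore). Alias one mirrors
# a cert loaded with `keytool -import -trustcacerts`: a trusted cert with no private key.
# Alias two is a proper key entry carrying the server, intermediate and root certs.
SAMPLE_LISTING = """\
Alias name: etsu.edu
Entry type: trustedCertEntry
Owner: CN=www.example.edu, O=Example University
Issuer: CN=Example Intermediate CA, O=Example CA

Alias name: jetty
Entry type: PrivateKeyEntry
Certificate chain length: 3
Certificate[1]:
Owner: CN=www.example.edu, O=Example University
Issuer: CN=Example Intermediate CA, O=Example CA
Certificate[2]:
Owner: CN=Example Intermediate CA, O=Example CA
Issuer: CN=Example Root CA, O=Example CA
Certificate[3]:
Owner: CN=Example Root CA, O=Example CA
Issuer: CN=Example Root CA, O=Example CA
"""

def audit_listing(text):
    """Return {alias: [problem, ...]}; an empty list means Jetty can serve that entry."""
    report = {}
    for chunk in re.split(r"^Alias name: ", text, flags=re.M)[1:]:
        alias = chunk.split("\n", 1)[0].strip()
        kind = re.search(r"^Entry type: (\S+)", chunk, re.M).group(1)
        owners = re.findall(r"^Owner: (.*)$", chunk, re.M)
        issuers = re.findall(r"^Issuer: (.*)$", chunk, re.M)
        problems = []
        if kind != "PrivateKeyEntry":
            problems.append(kind + " has no private key; import the .pfx/.p12 instead")
        # Each certificate's Issuer must equal the Owner (subject) of the next one.
        for i in range(len(owners) - 1):
            if issuers[i] != owners[i + 1]:
                problems.append("chain broken after certificate %d" % (i + 1))
        # A complete chain ends in a self-signed root; otherwise CA certs are missing.
        if owners and owners[-1] != issuers[-1]:
            problems.append("chain does not end in a self-signed root")
        report[alias] = problems
    return report

if __name__ == "__main__":
    for alias, problems in audit_listing(SAMPLE_LISTING).items():
        print(alias + ":", "; ".join(problems) or "OK")
```

To check a real keystore, pass `audit_listing` the output of `keytool -list -v -keystore keystore` (use `-storepass:env VAR` rather than putting the password on the command line).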