Hi Dustin,

When you obtain a signed certificate, there is an associated CSR that was generated, against which the authority provides the certificate. These are tied to the public/private keys, so the certificate needs to be imported back to where the keys are and where the CSR was generated from, to complete the signing chain (using the same alias that you created the CSR against).

You then need to either use this keystore or convert it to a Java-based keystore. Without the keys and full chain, Java (Jetty) will not present the certificate, so you need to export the full cert chain and keys, or, if you already have these, convert them to a Java keystore.

----------------------------------------------
Kind Regards,
Carl Wilson

From: Action Request System discussion list (ARSList) [mailto:arslist@ARSLIST.ORG] On Behalf Of Fawver, Dustin
Sent: 21 August 2017 16:57
To: arslist@ARSLIST.ORG
Subject: Re: Jetty over HTTPS

Carl,

I still am not doing something correctly. I deleted the keystore and used the import command to import each of the three .crt files into a new one. After restarting the AR System service, I can see that it's listening on the port. I still get the message that the server unexpectedly closed the connection. Do you have any idea what part I may have left out?

Thanks!

Dustin Fawver
Sr. Help Desk Technician
Information Technology Services
P: 423-439-4648
itsh...@etsu.edu
http://www.etsu.edu/helpdesk

From: Action Request System discussion list (ARSList) [mailto:arslist@ARSLIST.ORG] On Behalf Of Carl Wilson
Sent: Monday, August 21, 2017 3:44 AM
To: arslist@ARSLIST.ORG
Subject: Re: Jetty over HTTPS

Hi Justin,

Jetty requires that you have the full cert chain installed in the keystore(s) that you are using, or it will not start correctly and present the certificate (as it uses Java, which requires all elements of the certificate to be present).

So, you need to install the full certificate chain (root, intermediate, server) as a single chained file (p7b or similar), or convert the certificate chain and keys to a keystore file if, say, they are in p12 format. BMC instructions are not the best at actually stating this, and are geared more towards a single self-signed certificate (not an authority-chained cert).

Here is a section from a configuration document I wrote for Service Broker, but the concept is the same:

1.1 Configuring Jetty (Service Broker)

To implement SSL configuration on Service Broker, you need to update the "jetty-http.xml" file on the Remedy Service Broker system, located in .../jetty/etc/jetty-http.xml.

https://docs.bmc.com/docs/display/myitsb33/Configuring+access+to+the+MyIT+Service+Broker+server+over+SSL

Point to the location of the keystore that contains the signed certificate and keys (public/private). You can generate a new keystore / keys / certificate for a self-signed certificate, or convert an existing file to a Java ".jks" keystore. You may receive a file in the ".pfx" format (Windows, containing certificate(s) and keys), which you can convert to a Java ".jks" keystore using keytool or another program. You may also wish to change the alias and store passwords for use with your application, to standardise. You can also choose to update the port that Service Broker uses for SSL to a standard port, e.g. 443 or 8443.

Note: If Jetty cannot find all required parts associated with the certificate (keys, certificate, including all certificates in the chain), the application will not start.
Sample: jetty-http.xml

<New id="httpsConfig" class="org.eclipse.jetty.server.HttpConfiguration">
  <Call name="addCustomizer">
    <Arg>
      <New class="org.eclipse.jetty.server.SecureRequestCustomizer" />
    </Arg>
  </Call>
</New>

<New id="sslContextFactory" class="org.eclipse.jetty.util.ssl.SslContextFactory">
  <Set name="KeyStorePath">C:/keystore/keystore</Set>
  <Set name="KeyManagerPassword">OBF:1v2j1uum1xtv1zej1zer1xtn1uvk1v1v</Set>
  <Set name="KeyStorePassword">OBF:1v2j1uum1xtv1zej1zer1xtn1uvk1v1v</Set>
  <Set name="TrustStorePath">C:/truststore/cacerts</Set>
  <Set name="TrustStorePassword">OBF:1v2j1uum1xtv1zej1zer1xtn1uvk1v1v</Set>
  <Set name="IncludeCipherSuites">
    <Array type="String">
      <Item>TLS_DHE_RSA.*</Item>
      <Item>TLS_ECDHE.*</Item>
    </Array>
  </Set>
  <Set name="ExcludeCipherSuites">
    <Array type="String">
      <Item>SSL_RSA_WITH_DES_CBC_SHA</Item>
      <Item>SSL_DHE_RSA_WITH_DES_CBC_SHA</Item>
      <Item>SSL_DHE_DSS_WITH_DES_CBC_SHA</Item>
      <Item>SSL_RSA_EXPORT_WITH_RC4_40_MD5</Item>
      <Item>SSL_RSA_EXPORT_WITH_DES40_CBC_SHA</Item>
      <Item>SSL_DHE_RSA_EXPORT_WITH_DES40_CBC_SHA</Item>
      <Item>SSL_DHE_DSS_EXPORT_WITH_DES40_CBC_SHA</Item>
      <Item>.*NULL.*</Item>
      <Item>.*RC4.*</Item>
      <Item>.*MD5.*</Item>
      <Item>.*DES.*</Item>
      <Item>.*DSS.*</Item>
      <Item>.*_DHE_RSA_.*</Item>
    </Array>
  </Set>
  <Set name="ExcludeProtocols">
    <Array type="java.lang.String">
      <Item>SSL</Item>
      <Item>SSLv2</Item>
      <Item>SSLv2Hello</Item>
      <Item>SSLv3</Item>
    </Array>
  </Set>
</New>

<New id="sslConnectionFactory" class="org.eclipse.jetty.server.SslConnectionFactory">
  <Arg name="sslContextFactory">
    <Ref refid="sslContextFactory" />
  </Arg>
  <Arg name="next">http/1.1</Arg>
</New>

<New id="sslConnector" class="org.eclipse.jetty.server.ServerConnector">
  <Arg name="server"><Ref refid="Server" /></Arg>
  <Arg name="factories">
    <Array type="org.eclipse.jetty.server.ConnectionFactory">
      <Item><Ref refid="sslConnectionFactory" /></Item>
      <Item>
        <New class="org.eclipse.jetty.server.HttpConnectionFactory">
          <Arg name="config"><Ref refid="httpsConfig" /></Arg>
        </New>
      </Item>
    </Array>
  </Arg>
  <Set name="port">8443</Set>
</New>

<Call name="setConnectors">
  <Arg>
    <Array type="org.eclipse.jetty.server.ServerConnector">
      <Item>
        <Ref refid="sslConnector" />
      </Item>
    </Array>
  </Arg>
</Call>

----------------------------------------------
Kind Regards,
Carl Wilson

From: Action Request System discussion list (ARSList) [mailto:arslist@ARSLIST.ORG] On Behalf Of Fawver, Dustin
Sent: 21 August 2017 03:54
To: arslist@ARSLIST.ORG
Subject: Jetty over HTTPS

Greetings, Listers!

I've been working on getting Jetty to run on my dev environment so that I can start working on REST calls. I have ARS 9.1.02 installed. In short, I can get it to run over HTTP if I make the proper mods in the jetty selector file. When I configure it to run using HTTPS on port 9443 (or even the default 8443), I get a message that the server unexpectedly closed the connection. Running "netstat -a" shows that the server is listening on the designated port.

I've been trying different things with the keytool program. I have a GeoTrust signed cert available for me to use. I used the following command as outlined at https://docs.bmc.com/docs/ars91/configuring-the-rest-api-609071434.html

C:\Program Files\BMC Software\ARSystem\jetty\etc>"\Program Files\Java\jre1.8.0_73\bin\keytool.exe" -import -trustcacerts -alias etsu.edu -file etsu.edu.crt -keystore keystore

All of the required services (ARS, email, flashboards, Mid-Tier, Tomcat, etc.) run on the same box. I hope this is not causing a conflict.

Any help would be much appreciated. Thanks!

Dustin Fawver
Sr. Help Desk Technician
Information Technology Services
P: 423-439-4648
itsh...@etsu.edu
http://www.etsu.edu/helpdesk

_ARSlist: "Where the Answers Are" and have been for 20 years_
_______________________________________________________________________________
UNSUBSCRIBE or access ARSlist Archives at www.arslist.org "Where the Answers Are, and have been for 20 years"
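The failure in this thread is the keystore's content, not the Jetty XML: three separate "keytool -import -trustcacerts" runs leave a store with three trustedCertEntry items and no PrivateKeyEntry, so Jetty has no key to present and closes the connection. The script below is an added example, not code from the thread or from BMC or Jetty. It reads a JKS file directly (following Sun's JavaKeyStore layout: 0xFEEDFEED magic, version 2, one SHA-1 integrity trailer computed over the UTF-16BE password plus the string "Mighty Aphrodite" plus the file body), lists each alias with its entry type and chain length, verifies the trailer against the store password, and reports the two conditions that stop Jetty from presenting a certificate. The two sample stores are constructed in-line with placeholder byte strings standing in for DER certificates and the encrypted key; the aliases, the "changeit" password and the expected chain length of three are assumptions for the example.

```python
"""Inspect a Java JKS keystore without Java and say why Jetty would not present a cert.
Added example; sample stores use placeholder bytes, not real certificates."""
import hashlib
import struct

MAGIC = 0xFEEDFEED
PRIVATE_KEY_TAG, TRUSTED_CERT_TAG = 1, 2


def _jks_digest(password: str, body: bytes) -> bytes:
    # Integrity trailer: SHA-1 over the password as UTF-16BE, the literal
    # "Mighty Aphrodite", then every byte of the store written before the trailer.
    return hashlib.sha1(password.encode("utf-16-be") + b"Mighty Aphrodite" + body).digest()


class _Reader:
    """Big-endian cursor matching what java.io.DataInputStream reads."""

    def __init__(self, data: bytes) -> None:
        self.data, self.pos = data, 0

    def raw(self, n: int) -> bytes:
        if self.pos + n > len(self.data):
            raise ValueError("truncated keystore")
        chunk = self.data[self.pos:self.pos + n]
        self.pos += n
        return chunk

    def u16(self) -> int:
        return struct.unpack(">H", self.raw(2))[0]

    def u32(self) -> int:
        return struct.unpack(">I", self.raw(4))[0]

    def utf(self) -> str:  # DataOutputStream.writeUTF: 2-byte length prefix, then bytes
        return self.raw(self.u16()).decode("utf-8")


def parse_jks(data: bytes, password: str) -> list[dict]:
    """Return [{"alias", "type", "chain"}] per entry after checking the trailer."""
    r = _Reader(data)
    if r.u32() != MAGIC:
        raise ValueError("not a JKS keystore (bad magic)")
    version = r.u32()
    if version not in (1, 2):
        raise ValueError(f"unsupported JKS version {version}")
    entries = []
    for _ in range(r.u32()):
        tag, alias = r.u32(), r.utf()
        r.raw(8)  # creation timestamp in millis, not needed here
        if tag == PRIVATE_KEY_TAG:
            r.raw(r.u32())  # encrypted PKCS#8 key blob; only its length matters here
            chain = []
            for _ in range(r.u32()):
                if version == 2:
                    r.utf()  # certificate type string, normally "X.509"
                chain.append(r.raw(r.u32()))
            entries.append({"alias": alias, "type": "PrivateKeyEntry", "chain": chain})
        elif tag == TRUSTED_CERT_TAG:
            if version == 2:
                r.utf()
            entries.append({"alias": alias, "type": "trustedCertEntry", "chain": [r.raw(r.u32())]})
        else:
            raise ValueError(f"unknown entry tag {tag}")
    body_len = r.pos
    if r.raw(20) != _jks_digest(password, data[:body_len]):
        raise ValueError("integrity check failed: wrong store password or corrupt file")
    return entries


def integrity_ok(data: bytes, password: str) -> bool:
    try:
        parse_jks(data, password)
        return True
    except ValueError:
        return False


def diagnose(entries: list[dict], expected_chain_len: int = 3) -> list[str]:
    """Explain why Jetty would fail to present a certificate from these entries."""
    problems = []
    key_entries = [e for e in entries if e["type"] == "PrivateKeyEntry"]
    if not key_entries:
        problems.append("no PrivateKeyEntry: the store holds only trusted certificates, "
                        "so Jetty has no private key to present with the certificate")
    for e in key_entries:
        n = len(e["chain"])
        if n < expected_chain_len:
            problems.append(f"alias '{e['alias']}' has a chain of {n} certificate(s); "
                            f"expected {expected_chain_len} (server, intermediate, root)")
    return problems


def build_jks(entries: list[dict], password: str) -> bytes:
    """Serialise entries in the version 2 layout that parse_jks reads."""
    def utf(s: str) -> bytes:
        b = s.encode("utf-8")
        return struct.pack(">H", len(b)) + b

    out = bytearray(struct.pack(">III", MAGIC, 2, len(entries)))
    for e in entries:
        if e["type"] == "PrivateKeyEntry":
            out += struct.pack(">I", PRIVATE_KEY_TAG) + utf(e["alias"]) + struct.pack(">Q", 0)
            out += struct.pack(">I", len(e["key"])) + e["key"] + struct.pack(">I", len(e["chain"]))
            for cert in e["chain"]:
                out += utf("X.509") + struct.pack(">I", len(cert)) + cert
        else:
            out += struct.pack(">I", TRUSTED_CERT_TAG) + utf(e["alias"]) + struct.pack(">Q", 0)
            out += utf("X.509") + struct.pack(">I", len(e["chain"][0])) + e["chain"][0]
    return bytes(out) + _jks_digest(password, bytes(out))


# Constructed placeholders; a real store holds DER certificates and an encrypted key.
SERVER, INTERMEDIATE, ROOT = b"DER:server", b"DER:intermediate", b"DER:root"
ENC_KEY = b"ENC:pkcs8-placeholder"
STORE_PASSWORD = "changeit"  # assumed for the example; keytool's default


def broken_store() -> bytes:
    """What three separate 'keytool -import -trustcacerts' runs leave behind."""
    certs = (("etsu.edu", SERVER), ("geotrust-int", INTERMEDIATE), ("geotrust-root", ROOT))
    return build_jks([{"alias": a, "type": "trustedCertEntry", "chain": [c]} for a, c in certs],
                     STORE_PASSWORD)


def working_store() -> bytes:
    """Private key plus the full chain under one alias, which is what Jetty needs."""
    return build_jks([{"alias": "etsu.edu", "type": "PrivateKeyEntry", "key": ENC_KEY,
                       "chain": [SERVER, INTERMEDIATE, ROOT]}], STORE_PASSWORD)


if __name__ == "__main__":
    for name, store in (("broken", broken_store()), ("working", working_store())):
        entries = parse_jks(store, STORE_PASSWORD)
        print(name, [(e["alias"], e["type"], len(e["chain"])) for e in entries])
        print("  problems:", diagnose(entries) or "none")
```

Run it against a real file with parse_jks(open("keystore", "rb").read(), password); the output matches what "keytool -list -v -keystore keystore" prints as "Entry type" and "Certificate chain length". The fix the thread describes is to build the store from the key, not from the .crt files alone: bundle key, server certificate and chain into a PKCS#12 with "openssl pkcs12 -export -in server.crt -inkey server.key -certfile chain.pem -name etsu.edu -out server.p12", then "keytool -importkeystore -srckeystore server.p12 -srcstoretype PKCS12 -destkeystore keystore -deststoretype JKS", after which the inspector should show one PrivateKeyEntry with chain length 3 and no problems.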