How to test HTTPS rest from command line - linux

I'm having a problem I can't seem to solve on my own:
I have to request RESTful services but the RESTful services use HTTPs protocol.
I've created the client and it is deployed in WebLogic
I've downloaded the certificate using the browser and I've installed it in JAVA using the following command (In my linux server):
"keytool -import -alias myalias -keystore /jdk1.8.0_101/jre/lib/security/cacerts -file certificado.com.crt"
I need to test that it works...
First, How can I test the RESTful services from command line?
Second, Do I need to install the certificate in WebLogic? If yes, How can I do it?
JAVA: jdk1.8.0_101
WebLogic: 12.1.3.0.0

The certificate must be installed on the system that's making the request. It's not about weblogic, it's about the local sertificate vault of the machine. You don't need to install the certificate on weblogic. You may want to take a look at this.
Then you can use wget or curl, just keep in mind that wget just makes get requests while curl do all types of requests.

Related

Azure Linux web app: change OpenSSL default security level?

In my Azure Linux web app, I'm trying to perform an API call to an external provider, with a certificate. That call fails, while it's working fine when deploying the same code on a Windows app service plan. The equivalent cURL command line is:
curl --cert-type p12 --cert /var/ssl/private/THUMBPRINT.p12 -X POST https://www.example.com
The call fails with the following error:
curl: (58) could not load PKCS12 client certificate, OpenSSL error error:140AB18E:SSL routines:SSL_CTX_use_certificate:ca md too weak
The issue is caused by OpenSSL 1.1.1d, which by defaults requires a security level of 2, and my certificate is signed with SHA1 with RSA encryption:
openssl pkcs12 -in THUMBPRINT.p12 -nodes | openssl x509 -noout -text | grep 'Signature Algorithm'
Signature Algorithm: sha1WithRSAEncryption
Signature Algorithm: sha1WithRSAEncryption
On a normal Linux VM, I could edit /etc/ssl/openssl/cnf to change
CipherString = DEFAULT#SECLEVEL=2
to security level 1, but on an Azure Linux web app, the changes I make to that file are not persisted..
So my question is: how do I change the OpenSSL security level on an Azure web app? Or is there a better way to allow the use of my weak certificate?
Note: I'm not the issuer of the certificate, so I can't regenerate it myself. I'll check with the issuer if they can regenerate it, but in the meantime I'd like to proceed if possible :)
A call with Microsoft support led me to a solution. It's possible to run a script whenever the web app container starts, which means it's possible to edit the openssl.cnf file before the dotnet app in launched.
To do this, navigate to the Configuration blade of your Linux web app, then General settings, then Startup command:
The Startup command is a command that's ran when the container starts. You can do what you want, but it HAS to launch your app, because it's no longer done automatically.
You can SSH to your Linux web app, and edit that custom_startup.sh file:
#!/usr/sh
# allow weak certificates (certificate signed with SHA1)
# by downgrading OpenSSL security level from 2 to 1
sed -i 's/SECLEVEL=2/SECLEVEL=1/g' /etc/ssl/openssl.cnf
# run the dotnet website
cd /home/site/wwwroot
dotnet APPLICATION_DLL_NAME.dll
The relevant doc can be found here: https://learn.microsoft.com/en-us/azure/app-service/containers/app-service-linux-faq#built-in-images
Note however that the Startup command is not working for Azure Functions (at the time of writing May 19th, 2020). I've opened an issue on Github.
To work around this, I ended up creating custom Docker images:
Dockerfile for a webapp:
FROM mcr.microsoft.com/appsvc/dotnetcore:3.1-latest_20200502.1
# allow weak certificates (certificate signed with SHA1)
# by downgrading OpenSSL security level from 2 to 1
RUN sed -i 's/SECLEVEL=2/SECLEVEL=1/g' /etc/ssl/openssl.cnf
Dockerfile for an Azure function:
FROM mcr.microsoft.com/azure-functions/dotnet:3.0.13614-appservice
# allow weak certificates (certificate signed with SHA1)
# by downgrading OpenSSL security level from 2 to 1
RUN sed -i 's/SECLEVEL=2/SECLEVEL=1/g' /etc/ssl/openssl.cnf

Can you use a keytab generated on Windows from Linux?

I am on Linux and I have a java web application container setup with kerberos. I need this java web application container setup so that it can authenticate with an IIS server protected by siteminder + kerberos.
So on Windows, I have generated a keytab file using
ktpass -out serviceaccount.keytab -princ serviceaccount#MYDOMAIN.COM -mapUser serviceaccount -mapOp set -pass YOUR_PASSWORD -crypto ALL -pType KRB5_NT_PRINCIPAL
So that gives me serviceaccount.keytab. Great.
But what about on Linux? Can I just use this keytab file that was generated? Or do I have to run this process again. Something like:
ktutil
addent -password -p serviceaccount#MYDOMAIN.COM -k 1 -e RC4-HMAC
- it will ask you for password of serviceaccount -
wkt serviceaccount.keytab
q
Is the keytab file generated on Windows platform independent? Or does one need to generate it again using linux ktutil?
There are a couple of flavors of Kerberos client tools.
Most common is MIT Kerberos, another one is Heimdal.
I haven't seen Heimdal being used anywhere on our Linux servers, but I know other folks are using it.
For example, when you install krb5-workstation yum package, that will bring MIT Kerberos and not Heimdal.
As long as you use the same flavor of Kerberos tools, keytab generated on Windows will work the same on Linux, and vice versa.

Can't start httpd service due to tampered or incorrect password

I am on linux Redhat OS. I was trying to import certificate using this command
keytool -importcert -alias 3dspace ...
as can be seen in the image below. But it doesn't allow to as it states that either the keystore was tampered or the password was incorrect.
To make matter worse, now I cant run the service httpd as well even though it was running prior to this problem. What can be the cause and how to solve them?
Thank you in advance.

How to Install SSL certificate in Linux Servers

I am trying to access https wcf web service from my application using monodevelop in Linux. The web service call is throwing the following exception
SendFailure (Error writing headers) at
System.Net.HttpWebRequest.EndGetRequestStream (IAsyncResult
asyncResult) [0x00043] in
/home/abuild/rpmbuild/BUILD/mono-3.4.0/mcs/class/System/System.Net/HttpWebRequest.cs:845
at
System.ServiceModel.Channels.HttpRequestChannel+c__AnonStorey1.<>m__0
(IAsyncResult r) [0x0001d] in
/home/abuild/rpmbuild/BUILD/mono-3.4.0/mcs/class/System.ServiceModel/System.ServiceModel.Channels/HttpRequestChannel.cs:219.
when I try to load the web service url using https, the Firefox browser is giving a warning:
"This connection is Untrusted"
The certificate(.cer) is generated using Visual Studio 2008 makecert utility.I tried to install certificate using the below commands
certmgr -add -c -m My MyCert.cer
certmgr -ssl https://myserver.com:1200/Monik/TestSvc
But it looks like the certificates are not configured properly. In some of the forums it saying that move the certificate to /etc/httpd/conf . But there is no such folder in my system
Please let me know what I am missing?
Mono handles certificates via mozroots so best thing in your case would probably be to run this:
sudo mozroots --import --machine --sync
sudo certmgr -ssl -m https://myserver.com:1200/Monik/TestSvc
First command will synchronise public root certificates. Second will ask you if you want to trust your server certificate which will be displayed to you after entering command. Type "yes".

Where is the default CA certs used in nodejs?

I'm connecting to a server whos cert is signed by my own CA, the ca's cert had installed into system's keychain.
connecting with openssl s_client -connect some.where says Verify return code: 0 (ok)
but i cant connect with nodejs's tls/https module, which fails with
Error: SELF_SIGNED_CERT_IN_CHAIN
but connecting to a normal server (i.e google.com:443) works fine.
seems that nodejs's openssl is not sharing same keychain with system's openssl.
but I cannt find where is it. i tried overide with SSL_CERT_DIR but not seemed working.
BTW: i can bypass the server verifying by setting NODE_TLS_REJECT_UNAUTHORIZED=0 , but that's not pretty enough ;)
Im using OSX 10.8.3 with OpenSSL 0.9.8r, node v0.9.8
The default root certificates are static and compiled into the node binary.
https://github.com/nodejs/node/blob/v4.2.0/src/node_root_certs.h
You can make node use the system's OpenSSL certificates. This is done by starting node via:
node --use-openssl-ca
See the docs for further information.
See this answer on how system certificates are extended for Debian and Ubuntu
If you're using the tls module (and it seems like you are) with tls.connect you can pass a ca param in the options that is an array of strings or buffers of certificates you want to trust.

Resources