Showing posts with label jks. Show all posts

Thursday, February 18, 2016

Funny error message using t3s and 2 way SSL

javax.naming.CommunicationException: t3s://localhost:25001: Destination 0:0:0:0:0:0:0:1, 25001 unreachable; nested exception is:
        javax.net.ssl.SSLException: Received fatal alert: bad_certificate; No available router to destination 

but there was absolutely no issue with localhost or the port: WebLogic was listening on all IPv4 and IPv6 addresses on 25001. Googling around, I found this:
http://middlewaremagic.com/weblogic/

If the Client keystore/truststore PATH is not valid, so check the path specified in “-Djavax.net.ssl.trustStore” (OR) if the client keystore does not include the WebLogic certificate imported in it then we may see the following kind of error: Destination 0:0:0:0:0:0:0:1, 7443 unreachable.; nested exception is: 
    javax.net.ssl.SSLHandshakeException: Received fatal alert: handshake_failure; [RJVM:000576]No available router to destination.; nested exception is: 
    java.rmi.ConnectException: [RJVM:000576]No available router to destination.


So the "unreachable" wording is misleading: the connection is refused at the TLS handshake, not at the network level. Check that the trust store and identity store you are using are valid, and that a valid password and alias are provided.


Sunday, October 25, 2015

JKS keystore password vs key password

Something I find confusing (I get confused quite easily) is the relation between a JKS keystore password and a key password.
Some facts:
  • a .key file SHOULD always be protected by a password.
  • a .jks store SHOULD always be protected by a password.
  • these two passwords do not necessarily have to match.


Once you have added a .key into a JKS, you can change the key's password like this (keytool prompts for the store password, the old key password and the new one):
keytool -keypasswd -keystore keystore.jks -alias <alias_of_the_key_entry>

You can change the JKS password like this:
keytool -storepasswd -new new_storepass -keystore keystore.jks


See also the excellent JKS guide and this very good FAQ
This is the keytool doc
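To make the difference between the two passwords concrete, here is an added example (mine, not from the post or from keytool) that writes and reads a minimal JKS in pure Python 3, following the on-disk format of sun.security.provider.JavaKeyStore: the store password is only mixed into a SHA-1 integrity hash appended to the file, certificate entries are stored in cleartext, and only the private-key blob of a PrivateKeyEntry is encrypted, under the key password. The function names, the "changeit" password and the FAKE_DER bytes are my own constructed placeholders; FAKE_DER is not a real certificate.

```python
import hashlib
import struct
import time

# Constants of the JKS on-disk format (sun.security.provider.JavaKeyStore).
JKS_MAGIC = 0xFEEDFEED
JKS_VERSION = 2
TAG_PRIVATE_KEY = 1
TAG_TRUSTED_CERT = 2
INTEGRITY_SUFFIX = b"Mighty Aphrodite"   # fixed string JKS mixes into its integrity hash
DIGEST_LEN = 20                           # SHA-1 output length

# Constructed stand-in for a DER certificate. This parser never decodes it and a real
# KeyStore would reject it, so it is a placeholder, not a usable certificate.
FAKE_DER = b"\x30\x03\x02\x01\x01"


def _utf(s):
    """Java DataOutputStream.writeUTF: 2-byte length + (modified) UTF-8; ASCII only here."""
    b = s.encode("utf-8")
    return struct.pack(">H", len(b)) + b


def integrity_digest(store_password, body):
    """SHA-1(store password as UTF-16BE || 'Mighty Aphrodite' || whole store body)."""
    h = hashlib.sha1()
    h.update(store_password.encode("utf-16-be"))
    h.update(INTEGRITY_SUFFIX)
    h.update(body)
    return h.digest()


def build_jks(store_password, trusted_certs, created_ms=None):
    """Write a JKS holding only TrustedCertEntry items [(alias, der), ...] plus its digest."""
    if created_ms is None:
        created_ms = int(time.time() * 1000)
    body = struct.pack(">III", JKS_MAGIC, JKS_VERSION, len(trusted_certs))
    for alias, der in trusted_certs:
        body += struct.pack(">I", TAG_TRUSTED_CERT) + _utf(alias.lower()) + struct.pack(">Q", created_ms)
        body += _utf("X.509") + struct.pack(">I", len(der)) + der
    return body + integrity_digest(store_password, body)


def store_password_ok(data, store_password):
    """True when the trailing digest matches this store password (what KeyStore.load checks)."""
    return integrity_digest(store_password, data[:-DIGEST_LEN]) == data[-DIGEST_LEN:]


class _Reader:
    def __init__(self, data):
        self.data, self.pos = data, 0

    def take(self, n):
        chunk = self.data[self.pos:self.pos + n]
        if len(chunk) != n:
            raise ValueError("truncated JKS")
        self.pos += n
        return chunk

    def u32(self):
        return struct.unpack(">I", self.take(4))[0]

    def u64(self):
        return struct.unpack(">Q", self.take(8))[0]

    def utf(self):
        return self.take(struct.unpack(">H", self.take(2))[0]).decode("utf-8")


def parse_jks(data, store_password=None):
    """List the entries. Like KeyStore.load(stream, null), a None password skips the integrity check:
    aliases and certificates are readable by anyone holding the file."""
    if store_password is not None and not store_password_ok(data, store_password):
        raise ValueError("Keystore was tampered with, or password was incorrect")
    r = _Reader(data[:-DIGEST_LEN])
    if r.u32() != JKS_MAGIC or r.u32() != JKS_VERSION:
        raise ValueError("not a JKS version 2 store")
    entries = []
    for _ in range(r.u32()):
        tag, alias, created = r.u32(), r.utf(), r.u64()
        if tag == TAG_TRUSTED_CERT:
            cert_type, der = r.utf(), r.take(r.u32())
            entries.append({"alias": alias, "type": "TrustedCertEntry", "cert_type": cert_type, "der": der})
        elif tag == TAG_PRIVATE_KEY:
            # Only this blob is encrypted (under the *key* password); the chain is cleartext.
            enc_key = r.take(r.u32())
            chain = [(r.utf(), r.take(r.u32())) for _ in range(r.u32())]
            entries.append({"alias": alias, "type": "PrivateKeyEntry", "encrypted_key": enc_key, "chain": chain})
        else:
            raise ValueError("unknown entry tag %d" % tag)
    return entries


if __name__ == "__main__":
    store = build_jks("changeit", [("caacme", FAKE_DER)])
    print("no password :", [e["alias"] for e in parse_jks(store)])
    print("right pw ok :", store_password_ok(store, "changeit"))
    print("wrong pw ok :", store_password_ok(store, "wrong-password"))
```

The practical consequence: the store password lets you detect tampering or a wrong password, but it does not hide anything in the file, so a JKS that only holds trusted CA certificates protects nothing secret, while a JKS with a PrivateKeyEntry is only as strong as the key password and the (old, SHA-1 based) key protection scheme; file permissions still matter.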



Tuesday, April 1, 2014

JKS check expiration date

Use the -v option with the keytool -list command, and look at the "until" field:


keytool -keystore /opt/oracle/certs/acme.com.jks -v -list

Alias name: acme.com
Creation date: Jun 5, 2013
Entry type: PrivateKeyEntry
Certificate chain length: 1
Certificate[1]:
Owner: CN=acme.com, O=acme acme SA, L=Paperopoli, ST=Duckland, C=DU
Issuer: CN=acme Issuing CA 01, DC=acme, DC=com
Serial number: 1fe97622099100001948
Valid from: Mon May 13 13:46:49 CEST 2013 until: Thu Apr 11 13:46:49 CEST 2015
Certificate fingerprints:
         MD5:  2B:97:58:CA:35:18:38:AA:BB:2D:C4:BA:81:56:AD:1E
         SHA1: E4:0D:DD:EE:1F:3E:2B:F7:07:FE:CC:C2:F2:55:05:E6:74:98:26:2A
         Signature algorithm name: SHA1withRSA
         Version: 3
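Reading the "until" field by eye does not scale to a folder full of stores, so here is an added example (mine, not from the post) in Python 3 that parses the `keytool -v -list` output above and reports certificates that are expired or close to expiry. The sample text is the post's own output trimmed to the lines the parser uses; the function names and the 30-day threshold are my choices.

```python
import re
from datetime import datetime

# Constructed sample: the keytool -v -list output quoted in the post, trimmed.
SAMPLE_OUTPUT = """\
Alias name: acme.com
Creation date: Jun 5, 2013
Entry type: PrivateKeyEntry
Certificate chain length: 1
Certificate[1]:
Owner: CN=acme.com, O=acme acme SA, L=Paperopoli, ST=Duckland, C=DU
Issuer: CN=acme Issuing CA 01, DC=acme, DC=com
Valid from: Mon May 13 13:46:49 CEST 2013 until: Thu Apr 11 13:46:49 CEST 2015
"""

VALID_RE = re.compile(r"^Valid from:\s+(.+?)\s+until:\s+(.+?)\s*$")


def parse_keytool_date(text):
    """Parse 'Thu Apr 11 13:46:49 CEST 2015'. The zone abbreviation is dropped because
    strptime's %Z only accepts the local zone; the naive result is off by at most the zone
    offset, which does not matter for a days-to-expiry check."""
    parts = text.split()
    if len(parts) == 6:          # weekday month day time zone year
        del parts[4]
    return datetime.strptime(" ".join(parts), "%a %b %d %H:%M:%S %Y")


def certificate_validity(output):
    """Return [(alias, cert_index, not_before, not_after)] for every certificate listed.
    Chains longer than 1 yield several tuples per alias, so intermediates are checked too."""
    alias, index, result = None, 0, []
    for line in output.splitlines():
        line = line.strip()
        if line.startswith("Alias name:"):
            alias, index = line.split(":", 1)[1].strip(), 0
            continue
        m = VALID_RE.match(line)
        if m:
            index += 1
            result.append((alias, index, parse_keytool_date(m.group(1)), parse_keytool_date(m.group(2))))
    return result


def expiring(output, reference, warn_days=30):
    """[(alias, cert_index, days_left)] for certificates that expire within warn_days of the
    reference date (a datetime or 'YYYY-MM-DD' string); negative days_left means already expired."""
    if isinstance(reference, str):
        reference = datetime.strptime(reference, "%Y-%m-%d")
    out = []
    for alias, index, _, not_after in certificate_validity(output):
        days_left = (not_after - reference).days
        if days_left <= warn_days:
            out.append((alias, index, days_left))
    return out


if __name__ == "__main__":
    # In practice feed it the real output:  keytool -keystore acme.jks -v -list -storepass ...
    for alias, index, days in expiring(SAMPLE_OUTPUT, datetime.now()):
        print("%s (cert %d): %d days left" % (alias, index, days))
```

Run it from cron against every store you own and alert on a non-empty result; an expired server certificate in a JKS surfaces later as exactly the kind of opaque handshake failure described in the other posts.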



Wednesday, December 4, 2013

WLST: certificate parsing exception PKIX

"The loading of the trusted certificate list raised a certificate parsing exception PKIX: Unsupported OID in the AlgorithmIdentifier object"

It turned out that I had to add to the WLST trust store (wlsTrust.jks) the root certificate of the CA certifying the Identity Store of the domain,

and add this to wlst.sh :

export WLST_PROPERTIES="-Dweblogic.security.SSL.ignoreHostnameVerification=true -Dweblogic.security.TrustKeyStore=CustomTrust -Dweblogic.security.CustomTrustKeyStoreFileName=/opt/oracle/certs/wlsTrust.jks -Dweblogic.security.CustomTrustKeyStorePassPhrase=bla -Dweblogic.security.CustomTrustKeyStoreType=JKS"



Saturday, October 19, 2013

keytool: export a private key + certificate to a PKCS12 store

I have a JKS store pippov2.dev.acme.com.jks containing some trustedCert entries (caacme, caswisssign) and a private key (pippov2.dev.acme.com).

I want to be able to store the private key separately. keytool allows you to export it only to a PKCS12-type store:

keytool -importkeystore -srckeystore pippov2.dev.acme.com.jks -destkeystore new-store.p12 -deststoretype PKCS12

Enter destination keystore password:
Re-enter new password:
Enter source keystore password:
Problem importing entry for alias caacme: java.security.KeyStoreException: TrustedCertEntry not supported.
Entry for alias caacme not imported.
Do you want to quit the import process? [no]:
Problem importing entry for alias caswisssign: java.security.KeyStoreException: TrustedCertEntry not supported.
Entry for alias caswisssign not imported.
Do you want to quit the import process? [no]:
Enter key password for <pippov2.dev.acme.com>
Entry for alias pippov2.dev.acme.com successfully imported.
Import command completed: 1 entries successfully imported, 2 entries failed or cancelled

It's something which takes a LOOOOONG time, so be patient.

The file new-store.p12 is generated:
keytool -keystore new-store.p12 -list -storetype PKCS12
Enter keystore password:

Keystore type: PKCS12
Keystore provider: SunJSSE

Your keystore contains 1 entry

pippov2.dev.acme.com, Oct 19, 2013, PrivateKeyEntry,
Certificate fingerprint (MD5): 46:A7:6C:E5:13:4C:2F:7B:65:10:42:B0:3B:A9:B1:23


Wednesday, August 28, 2013

Import an existing Private Key (.key file) into a JKS store

Sounds easy but it's not. I have an existing .key (private key) and .crt file (certificate for public key) and I want to import them into a JKS.

http://stackoverflow.com/questions/906402/importing-an-existing-x509-certificate-and-private-key-in-java-keystore-to-use-i

The only way seems to go through an intermediate pkcs12 store, to be imported later in the JKS. So much fuss for a simple operation which should be natively supported.

http://cunning.sharp.fm/2008/06/importing_private_keys_into_a.html

In fact, the puppet JAVA_JKS module does this:

openssl pkcs12 -export -passout stdin -in /home/soa/jkstest/source/acme.com.crt -inkey /home/soa/jkstest/source/acme.com.key -name test4acme.com

when you ask it to import a .crt and .key into a keystore:

    java_ks { "${nesoa2env}acme.com" :
        ensure       => latest,
        certificate  => "${certsFolder}acme.com.crt",
        private_key  => "${certsFolder}acme.com.key", 
        target       => "${targetJKS}",
        password     => "${identityPassword}",
        trustcacerts => false,
    }
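The two posts above (exporting a private key to PKCS12, and importing a .key/.crt pair through an intermediate PKCS12) are the two halves of one round-trip, so here is an added shell example (mine, not from the posts or from the puppet module) that scripts both. Naming the entry with -srcalias on the export side avoids the per-entry "TrustedCertEntry not supported" prompts shown above. All file names, aliases and passwords are placeholders chosen by the caller; the passwords are passed on the command line, so they are visible in `ps` and shell history, which is acceptable on a build box but not on a shared host.

```shell
#!/bin/sh
# Added example: PEM key + certificate -> PKCS12 -> JKS, and JKS PrivateKeyEntry -> PKCS12.
# Requires openssl and keytool on the PATH. All arguments are caller-supplied placeholders.

# import_key_into_jks KEY.pem CERT.pem ALIAS STORE.jks STOREPASS KEYPASS
import_key_into_jks() {
    key="$1"; crt="$2"; entry="$3"; jks="$4"; storepass="$5"; keypass="$6"
    p12="${jks%.jks}.import.p12"
    # 1. bundle key and certificate into a PKCS12 store, which keytool can read
    openssl pkcs12 -export -in "$crt" -inkey "$key" -name "$entry" \
        -out "$p12" -passout "pass:$keypass" || return 1
    # 2. copy only that entry into the JKS; -destkeypass sets the key password,
    #    which may differ from the store password (see the "keystore password vs key password" post)
    keytool -importkeystore -noprompt \
        -srckeystore "$p12" -srcstoretype PKCS12 -srcstorepass "$keypass" -srcalias "$entry" \
        -destkeystore "$jks" -deststoretype JKS -deststorepass "$storepass" \
        -destalias "$entry" -destkeypass "$keypass" || return 1
    rm -f "$p12"
}

# export_key_to_p12 STORE.jks ALIAS STOREPASS KEYPASS OUT.p12 P12PASS
# PKCS12 has a single password for store and key, so no -destkeypass is given.
export_key_to_p12() {
    jks="$1"; entry="$2"; storepass="$3"; keypass="$4"; p12="$5"; p12pass="$6"
    keytool -importkeystore -noprompt \
        -srckeystore "$jks" -srcstoretype JKS -srcstorepass "$storepass" \
        -srcalias "$entry" -srckeypass "$keypass" \
        -destkeystore "$p12" -deststoretype PKCS12 -deststorepass "$p12pass"
}

# has_private_key STORE STORETYPE STOREPASS ALIAS -> exit 0 when the alias is a PrivateKeyEntry
has_private_key() {
    keystore="$1"; storetype="$2"; storepass="$3"; entry="$4"
    keytool -list -keystore "$keystore" -storetype "$storetype" -storepass "$storepass" \
        -alias "$entry" 2>/dev/null | grep -q PrivateKeyEntry
}
```

Typical use: `import_key_into_jks acme.key acme.crt acme.com identity.jks "$STOREPASS" "$KEYPASS"` followed by `has_private_key identity.jks JKS "$STOREPASS" acme.com` as a post-condition in the deployment script, so a silent import failure does not surface later as a bad_certificate alert.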



Sunday, August 25, 2013

JKS management made easy with Portecle

http://sourceforge.net/projects/portecle/?source=dlp

One of the irritating things about security is all those different options in the keytool command line. Portecle makes life a lot easier by managing ONE JKS.

Unfortunately I still need to find an application which can ease the pain of maintaining all the security-related artifacts in a complex organization - based on a DATABASE of certificates, JKS stores, private keys etc.

Friday, August 23, 2013

Display JKS content in Python (WLST)



from java.security import KeyStore
from java.security import MessageDigest
from java.io import FileInputStream
from java.lang import StringBuffer


def hexify(bytes):
    # Render a Java byte[] as colon-separated upper-case hex, the way keytool prints fingerprints
    hexDigits = ['0', '1', '2', '3', '4', '5', '6', '7', '8', '9', 'A', 'B', 'C', 'D', 'E', 'F']
    buf = StringBuffer()
    for i in range(len(bytes)):
        buf.append(hexDigits[(bytes[i] & 0xf0) >> 4])
        buf.append(hexDigits[bytes[i] & 0x0f])
        if i < len(bytes) - 1:
            buf.append(':')
    return buf.toString()


filestore = 'myacme.jks'
password = '111111'
ks = KeyStore.getInstance("JKS")
stream = FileInputStream(filestore)
ks.load(stream, password)   # the store password here only verifies the JKS integrity hash
stream.close()
md = MessageDigest.getInstance("MD5")

for item in ks.aliases():
    print "alias", item, "isCertificate", ks.isCertificateEntry(item)
    if ks.isCertificateEntry(item):
        print "isCertificate"
        cert = ks.getCertificate(item)
        der = cert.getEncoded()
        md.update(der)
        print hexify(md.digest())   # MD5 fingerprint of the DER-encoded certificate



Inspired by http://stackoverflow.com/questions/1270703/how-to-retrieve-compute-an-x509-certificates-thumbprint-in-java

Javadoc: MessageDigest, KeyStore, Certificate, Key

Display JKS content in Windows (keytool)

There is an excellent plugin for Eclipse:

http://keytool.sourceforge.net/

I got bored of always running the command line

keytool -keystore BLA -list