Welcome to the new Parasoft forums! We hope you will enjoy the site and try out some of the new features, like sharing an idea you may have for one of our products or following a category.

SSL Proxy Setup Error

caeporto
caeporto Posts: 8
edited November 2019 in Virtualize

Disclaimer:

I have mistakenly posted the exact same question below a few days ago on the SOATest forum. But since we couldn't reach a solution as recommended by Benken I'm posting this here. Here's the link to our discussion so far: https://forums.parasoft.com/discussion/4687/virtualize-enable-ssl-proxy#latest

Hey everyone,

I'm currently experiencing a problem related to the SSL setup required for my Virtualize proxy to work.
I developed an Android app that connects to a node.js server in the cloud, I've generated a self signed certificate and I have already tested the SSL connection between the app and the server, it works perfectly. Now I'd like to deploy a Virtualize proxy between them, I generated a keystore.p12 from my private key and certificate and setup a http listener to use the .p12 file:

So far so good.

The problem happens when I setup my proxy connection with the http listener:

When I try to deploy the proxy this error occurs:

Does anyone know what this is about?

Comments

  • williammccusker
    williammccusker Posts: 672 ✭✭✭

    Hi,
    I looked at the like to the other thread and reviewed to get an idea of what has been tried so far. It sounds like the key store has both the public and the private key. Is the password for the private key the same as for the keystore? Can you try without the password on the private key so that only the keystore has a password?

  • caeporto
    caeporto Posts: 8

    Hi william,

    I tried something similar to what you're suggesting, I followed this tutorial: https://serverfault.com/questions/515833/how-to-remove-private-key-password-from-pkcs12-container

    Long story short, I'm able to remove the password from the private key, but the problem is (so far as I understand) that when generating the pkcs12 file using the -export flag a password is always required, and that password will be prompted for both the certificate and the private key regardless.

  • williammccusker
    williammccusker Posts: 672 ✭✭✭

    Hi,

    So the linked answer did not work? In one comment it says that when prompted for password you should "Just press [return] twice for no password"

    In your case following that procedure didn't work?

  • caeporto
    caeporto Posts: 8

    Yeah, that comment is actually mistaken, when pressing [return] the password actually becomes an empty string, not the case that password doesn't exist anymore.

  • benken_parasoft
    benken_parasoft Posts: 1,307 ✭✭✭
    edited November 2019

    I kind of remember the password for the keystore having to match the password for the private key, a requirement for JSSE I think. I think they just have to match, whether that's empty string or something else.

  • caeporto
    caeporto Posts: 8

    Hmmm, both the self signed certificate and the private key that I generated in the server are without passwords, that way nginx can use them without any interference.
    For reference, I used this command to create both of them:
    sudo openssl req -x509 -nodes -days 365 -newkey rsa:2048 -keyout private.key -out certificate.crt
    The only time a password was required was when the pkcs12 file was generated.

  • caeporto
    caeporto Posts: 8

    Hey everyone,

    I finally resolved my issue, after a lot of trial-and-error attempts.
    In case someone stumbles across the same problem, I'll detail what I did below. There are 2 key changes I made:

    1. Generated the keystore again with an alias name:
      The first error, related to an alias name:

      Apparently Virtualize was complaining that the keystore (p12 file) generated did not have an alias, this was easily resolved by generating the keystore again with an extra flag -name:
      openssl pkcs12 -export -out keystore.p12 -inkey private.key -in certificate.crt-name meteor_keystore
      With the command above I was able to generate a keystore with an alias name of meteor_keystore, now my proxy setup screen looks like this:

    2. Generated a new trust store aside from cacerts:
      Solving the previous issue then generated the following error related to the trust store:

      This error is probably related to a missing trust anchor or a missing root certificate where the chain of trust can be derived from. In my case since I have a self signed certificate, this could be solved by simply adding the certificate to the default trust store provided by Parasoft (cacerts file) or by providing a new trust store with the self signed certificate (which I did).
      I extracted the self signed certificate from the keystore:
      openssl pkcs12 -in meteor_keystore.p12 -clcerts -nokeys -out meteor_certificate.crt
      The command above actually extracts any certificates that are inside the p12 file, so if there's more certificates you should extract to a PEM file:
      openssl pkcs12 -in meteor_keystore.p12 -clcerts -nokeys -out meteor_certificate.pem
      after that I generated a new trust store as well as added the self signed certificate in the same command using keytool:
      keytool -import -file meteor_certificate.crt -alias meteor_ca -keystore meteor_truststore
      It is important to emphasize that the format of the generated trust store is JKS.
      After setting up the trust store with a password my proxy setup screen looks like this:

      With these changes I was able to validate the trust store as well as deploy and use the proxy.

    Thanks for the help Benken and William.

  • williammccusker
    williammccusker Posts: 672 ✭✭✭

    Hi,
    I am glad that you were able to resolve the issue!