E.g.:
Default :
https://localhost:9443/portal/gadgets/intro-gadget-2/intro-gadget-2.xml
Updated :
https://10.100.0.128:9443/portal/gadgets/intro-gadget-2/intro-gadget-2.xml
or
https://ues.udara.me/portal/gadgets/intro-gadget-2/intro-gadget-2.xml
Detailed error: 500 javax.net.ssl.SSLException: hostname in certificate didn't match: <10.100.1.128> != <localhost> shindig.js:9
By default, all WSO2 products ship with a self-signed certificate for the domain localhost. To overcome this issue, you have to create and add a certificate for your IP/domain name.
1. Let's assume you need to add a self-signed certificate for your IP address (10.100.0.128). Run the following command and provide the information when prompted. Here I'm using wso2carbon as my keystore password so I don't have to make any configuration changes.
keytool -genkey -alias ues -keyalg RSA -keystore ues.jks -keysize 2048
Note: I created ues.jks within the /home/udara/key/ directory. You have to provide your IP or domain name as your first and last name (CN).
udara@thinkPad:~/key$ keytool -genkey -alias ues -keyalg RSA -keystore ues.jks -keysize 2048
Enter keystore password: wso2carbon
Re-enter new password: wso2carbon
What is your first and last name?
[Unknown]: 10.100.0.128
What is the name of your organizational unit?
[Unknown]:
What is the name of your organization?
[Unknown]: WSO2
What is the name of your City or Locality?
[Unknown]: Mountain View
What is the name of your State or Province?
[Unknown]: CA
What is the two-letter country code for this unit?
[Unknown]: US
Is CN=10.100.0.128, OU=Unknown, O=WSO2, L=Mountain View, ST=CA, C=US correct?
[no]: yes
Enter key password for <wso2carbon>
(RETURN if same as keystore password): wso2carbon
Re-enter new password: wso2carbon
2. Take a backup of the current <UES_HOME>/repository/resources/security/ directory.
3. Run the following command within the <UES_HOME>/repository/resources/security/ directory to import your certificate into wso2carbon.jks.
Since I created my ues.jks inside the /home/udara/key/ directory in step 1, the source keystore is /home/udara/key/ues.jks:
udara@thinkPad:/wso2/support/workspace/wso2ues-1.0.0/repository/resources/security$ keytool -importkeystore -srckeystore /home/udara/key/ues.jks -destkeystore wso2carbon.jks -srcstoretype jks -deststoretype jks -srcstorepass wso2carbon -deststorepass wso2carbon
Entry for alias ues successfully imported.
Import command completed: 1 entries successfully imported, 0 entries failed or cancelled
4. Since we can't have two different private keys, let's delete the previous one.
udara@thinkPad:/wso2/support/workspace/wso2ues-1.0.0/repository/resources/security$ keytool -delete -alias wso2carbon -keystore wso2carbon.jks -storepass wso2carbon
5. Let's export our public key from wso2carbon.jks and import it into client-truststore.jks.
I) Export public key from wso2carbon.jks as test.cer.
udara@thinkPad:/wso2/support/workspace/wso2ues-1.0.0/repository/resources/security$ keytool -export -keystore ues.jks -alias ues -file test.cer
Enter keystore password:
Certificate stored in file <test.cer>
II) Import public certificate test.cer into client-truststore.jks.
udara@thinkPad:/wso2/support/workspace/wso2ues-1.0.0/repository/resources/security$ keytool -import -alias ues -file test.cer -keystore client-truststore.jks
Enter keystore password:
Owner: CN=10.100.0.128, OU=Unknown, O=WSO2, L=Mountain View, ST=CA, C=US
Issuer: CN=10.100.0.128, OU=Unknown, O=WSO2, L=Mountain View, ST=CA, C=US
Serial number: 4a460fad
Valid from: Tue Apr 08 11:49:26 IST 2014 until: Mon Jul 07 11:49:26 IST 2014
Certificate fingerprints:
MD5: 54:CD:B8:CD:7D:3D:B5:29:2B:A4:45:61:18:C9:5A:59
SHA1: 53:03:B5:6D:32:D2:07:33:0D:49:7A:37:32:C7:13:DA:4E:29:60:28
SHA256: C5:23:6D:09:F3:97:45:3A:F8:19:A1:F9:14:18:DE:BC:F3:C7:C9:C1:FF:0E:D9:E6:94:EF:DA:A3:6D:79:36:B9
Signature algorithm name: SHA256withRSA
Version: 3
Extensions:
#1: ObjectId: 2.5.29.14 Criticality=false
SubjectKeyIdentifier [
KeyIdentifier [
0000: 92 70 EA 1B 80 6B F8 07 84 0A D9 B0 FE 52 A3 41 .p...k.......R.A
0010: C0 DA B0 17 ....
]
]
Trust this certificate? [no]: yes
Certificate was added to keystore
6. Since we have updated the keystore alias from wso2carbon to ues, we have to modify this in a few configs to make SSO work.
Update <UES_HOME>/repository/conf/carbon.xml:
<KeyStore>
    <!-- Keystore file location-->
    <Location>${carbon.home}/repository/resources/security/wso2carbon.jks</Location>
    <!-- Keystore type (JKS/PKCS12 etc.)-->
    <Type>JKS</Type>
    <!-- Keystore password-->
    <Password>wso2carbon</Password>
    <!-- Private Key alias-->
    <KeyAlias>ues</KeyAlias>
    <!-- Private Key password-->
    <KeyPassword>wso2carbon</KeyPassword>
</KeyStore>
If we take the portal jaggery app (<UES_HOME>/repository/deployment/server/jaggeryapps/portal), update the ssoConfiguration section in portal.json as follows:
"ssoConfiguration" : {
    "enabled" : true,
    "issuer" : "portal",
    "identityProviderURL" : "%https.host%/sso/samlsso.jag",
    "keyStorePassword" : "wso2carbon",
    "identityAlias" : "ues",
    "responseSigningEnabled" : "true",
    "keyStoreName" : "/repository/resources/security/wso2carbon.jks",
    "storeAcs" : "%https.host%/store/sso.jag",
    "portalAcs" : "%https.host%/portal/sso.jag",
    "appAcsHost" : "%https.host%"
}
You have to make the above update in all other jaggery apps within the <UES_HOME>/repository/deployment/server/jaggeryapps/ directory.
ssoConfiguration = {
"enabled": true,
"issuer": "{{appName}}",
"identityProviderURL": config.ssoConfiguration.identityProviderURL,
"keyStorePassword": "wso2carbon",
"identityAlias": "ues",
"responseSigningEnabled": "true",
"keyStoreName": "/repository/resources/security/wso2carbon.jks"
}
7. Restart the WSO2 UES server.
If you browse to Home > Configure > Key Stores > View Key Store, you can see the certificate of the private key section as follows.
By providing your IP address or domain name as the first and last name in step 1, you can overcome this host-name mismatch issue while loading UES gadgets.
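A quick check for the procedure above, as an added example that is not part of the original post: it compares the host in a gadget URL with the names in the certificate text that keytool prints (the Owner CN and, if present, SubjectAlternativeName entries). The function names and the exact-match rule (no wildcards, no IPv6 literals) are assumptions of this example, and the sample certificate text is constructed from the output shown in step 5.

```shell
#!/bin/sh
# Added example: does the certificate name cover the host used in a gadget URL?
# Input is the text printed by `keytool -list -v` or `keytool -import`.

# url_host URL -> host part only (scheme, port and path removed).
# Assumption: no IPv6 literal such as https://[::1]:9443/.
url_host() {
    printf '%s\n' "$1" | sed -e 's#^[a-zA-Z]*://##' -e 's#[/:].*$##'
}

# cert_names (stdin: keytool text) -> one name per line:
# the CN from the Owner line plus any SAN DNSName/IPAddress values.
cert_names() {
    sed -n -e 's/^Owner: CN=\([^,]*\).*/\1/p' \
           -e 's/^ *DNSName: *//p' \
           -e 's/^ *IPAddress: *//p'
}

# cert_covers_url URL (stdin: keytool text) -> exit 0 when the URL host
# equals one of the certificate names (exact, case-insensitive match).
cert_covers_url() {
    host=$(url_host "$1")
    cert_names | grep -Fxqi -- "$host"
}

# Constructed sample: the Owner/Issuer lines from the import output in step 5.
sample_keytool_output() {
    cat <<'EOF'
Owner: CN=10.100.0.128, OU=Unknown, O=WSO2, L=Mountain View, ST=CA, C=US
Issuer: CN=10.100.0.128, OU=Unknown, O=WSO2, L=Mountain View, ST=CA, C=US
EOF
}

# Check the three gadget URLs from the top of the post against that certificate.
for url in \
    https://localhost:9443/portal/gadgets/intro-gadget-2/intro-gadget-2.xml \
    https://10.100.0.128:9443/portal/gadgets/intro-gadget-2/intro-gadget-2.xml \
    https://ues.udara.me/portal/gadgets/intro-gadget-2/intro-gadget-2.xml
do
    if sample_keytool_output | cert_covers_url "$url"; then
        echo "match:    $(url_host "$url")"
    else
        echo "MISMATCH: $(url_host "$url") is not a name in the certificate"
    fi
done
```

To check the real keystore, pipe `keytool -list -v -alias ues -keystore wso2carbon.jks -storepass <password>` into `cert_covers_url <gadget URL>`. The Valid from/until line in step 5 spans 90 days, which is keytool's default; passing `-validity <days>` to the `-genkey` command in step 1 sets a longer period.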
You can refer to this article [1], which explains how to create and add a CA-signed certificate to any Carbon product.
[1] http://wso2.com/library/knowledge-base/2011/08/adding-ca-certificate-authority-signed-certificate-wso2-products/
Hello,
Thanks for the article.
I downloaded and installed three components from Analytics range: Data Analytics Server, Complex Event Processor and Machine Learner.
When I wanted to run Smart Home sample, I got below errors in browser console:
"Failed to preload gadget https://10.173.132.71:9443/portal/store/carbon.super/gadget/Usage_-_Cities/index.xml." container:open-views:opensearch:rpc:xmlutil:pubsub-2.js:237:7
Detailed error: 500 javax.net.ssl.SSLException: hostname in certificate didn't match: <10.173.132.71> !=
I understand that it is a certificate error so I followed the guidelines you provided on this page; but I am still getting the same errors.
Can you provide help about how to proceed please?
Thanks.
I have followed your post exactly and done all the changes as same but still when I login to portal I get hostname in certificate didn't match: !=