Where is the local private key specified on a thread?

  • #117989
    Tom Patton
    Participant

      Hi,

      I’ve created a TLS1.2 connection to AWS.  I’ve been given their cert and that gets loaded ok.  But the AWS side requests our cert and my side is not providing it (according to their logs).

      These are both private certs.  I’ve specified mine in the private key and password sections, but I get the error that it is unable to load Private Key from file.

      This is a .der file I created using the create private key function in clover.  I do have the secure messaging add on.

      Any thoughts are greatly appreciated!!

      • #117990
        Jim Kosloskey
        Participant

          I don’t have a lot of experience with this but it is possible your Certificate needs to reside in the keystore file. You may need to execute keytool from the command line.

          Here is an example using cert file as input but I think it can also work with der files. Your institution’s security folks may be able to help.

          keytool -importcert -file xxx.der -keystore keystore.jks -alias "Alias"


          email: jim.kosloskey@jim-kosloskey.com 29+ years Cloverleaf, 59 years IT - old fart.

        • #117995
          Tom Patton
          Participant

            Thank you Jim – this was extremely helpful!

            Using keytool I pulled the cert into the .jks file in /home/hci, but it still doesn’t seem to present the cert to the other side.

            This is a client SSL connection – where the other side is expecting to receive their cert from us (that works with the cert file entry), then asks for our cert on our machine that we also shared with them.

            It appears Clover doesn’t send the cert.  Maybe it has to do with this log entry:

            __cSocket: >>>> Set SSL Client to Verify NONE…

            I’m baffled too – this seems to be a clover thread / AIX setup thing, but your thoughts were helpful – b/c the .jks wasn’t setup yet…


          • #117996
            Jim Kosloskey
            Participant

              What did you select in the Protocol Security Settings?

              I think your choices are ClientAnon, Client and ClientAuth. I suspect you want Client.

              If you would like to interact off-line on this I will try to assist – email me.


              email: jim.kosloskey@jim-kosloskey.com 29+ years Cloverleaf, 59 years IT - old fart.

            • #118013
              Tom Patton
              Participant

                Update – I opened a ticket with support on this and they forwarded to development.

                Development suggested using TCP/IP rather than PDL.  This didn’t work either.

                Support then indicated it was new config and to contact account rep for consulting services.

                Will update with an answer once found, but the key issue is why clover doesn’t send my cert when requested?

                • #118030
                  Rob Lindsey
                  Participant

                    I could not figure out how to get a thread to do this with an AWS S3 Bucket so we ended up installing the AWS S3 toolset on our Cloverleaf servers.  Then we wrote a Shell Script to call the S3 commands to put data to an S3 bucket.

                    Not sure if that will help you out or not.

                • #118111
                  Tom Patton
                  Participant

                    Update – thanks to Viken Ohannessian and James McPheron – my errors have been corrected.

                    Things I missed:

                    • The CA path and file do not need to be from a CA.  Put in the path to the file and the filename for the cert you get from your trading partner
                    • The public key and private key MUST MATCH.  And they must be generated from the same keystore entry.  We created a keystore entry with Portecle or Keystore explorer and then exported the public and private keys into pkcs12 files
                    • We then converted the pkcs12 keys into pem files (Clover TLS needs pem), using openssl commands

                    I hope that helps…
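The fix in the post above (a keystore entry exported to PKCS#12, converted to PEM with openssl, with the public and private key required to match) and the keytool import suggested earlier both come down to getting a matching cert/key pair into the files the thread reads. The script below is an added example, not code from this thread or from Cloverleaf: it builds a throwaway self-signed identity as a stand-in for the Portecle / KeyStore Explorer export, converts the PKCS#12 file to the PEM cert and key files, and checks that the cert and key share a public key before either is pointed at a thread. The file names, the password `changeit` and the subject `example-client` are constructed for the example.

```shell
#!/bin/sh
# Added example (not from the forum thread or Cloverleaf): PKCS#12 -> PEM
# conversion plus a cert/key match check. Requires the openssl CLI.
set -eu

# Constructed test material: a throwaway self-signed identity packaged as
# PKCS#12, standing in for the keystore entry exported from Portecle or
# KeyStore Explorer. Password "changeit" and CN "example-client" are made up.
make_test_p12() {
  dir=$1
  openssl req -x509 -newkey rsa:2048 -nodes -days 1 \
    -subj "/CN=example-client" \
    -keyout "$dir/test.key" -out "$dir/test.crt" >/dev/null 2>&1
  openssl pkcs12 -export -inkey "$dir/test.key" -in "$dir/test.crt" \
    -passout pass:changeit -out "$dir/client.p12"
}

# Split a PKCS#12 file into the two PEM files a TLS thread is configured with:
# client-cert.pem (certificate only) and client-key.pem (unencrypted key).
p12_to_pem() {
  p12=$1; pass=$2; outdir=$3
  openssl pkcs12 -in "$p12" -passin "pass:$pass" -clcerts -nokeys \
    -out "$outdir/client-cert.pem"
  openssl pkcs12 -in "$p12" -passin "pass:$pass" -nocerts -nodes \
    -out "$outdir/client-key.pem"
}

# Exit 0 if the certificate and private key carry the same public key.
# Comparing the hashed public keys works for RSA and EC alike.
cert_key_match() {
  cert_pub=$(openssl x509 -in "$1" -noout -pubkey | openssl sha256)
  key_pub=$(openssl pkey -in "$2" -pubout | openssl sha256)
  [ "$cert_pub" = "$key_pub" ]
}

# Sanity check for the trading partner's cert: it must parse as X.509 and
# should be the file named in the thread's CA path/file fields.
partner_cert_ok() {
  openssl x509 -in "$1" -noout -subject -dates >/dev/null 2>&1
}

demo() {
  work=$(mktemp -d)
  make_test_p12 "$work"
  p12_to_pem "$work/client.p12" changeit "$work"
  if cert_key_match "$work/client-cert.pem" "$work/client-key.pem"; then
    echo "cert and key match: point the thread at $work/client-cert.pem and $work/client-key.pem"
  else
    echo "cert and key DO NOT match: export both from the same keystore entry" >&2
    exit 1
  fi
}

if [ "${1:-}" = "--demo" ]; then
  demo
fi
```

Run it as `sh convert-and-check.sh --demo` and substitute the real exported `.p12` and password in `p12_to_pem`. A PKCS#12 file written by an older Java tool may use legacy RC2/3DES encryption; with OpenSSL 3 those need `openssl pkcs12 -legacy ...` to read, so if the conversion fails on a real export, try adding `-legacy` before suspecting the password.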

                  • #118115
                    Charlie Bursell
                    Participant

                      Glad you could get Viken and James to do something meaningful! 🙂

