SoapUI 5.2.3 is not able to send the certificate from the keystore. Below are my soapUI.vmoptions; please let me know if I am missing anything. See the screen shot below for your reference.
Please feel free to let me know if I could use any other SoapUI version; I will switch to it.
-XX:MinHeapFreeRatio=20
-XX:MaxHeapFreeRatio=40
-Xms128m
-Xmx1000m
-Dsoapui.properties=soapui.properties
-Dsoapui.home=C:\Program Files\SmartBear\SoapUI-5.2.1/bin
-Dsoapui.ext.libraries=C:\Program Files\SmartBear\SoapUI-5.2.1/bin/ext
-Dsoapui.ext.listeners=C:\Program Files\SmartBear\SoapUI-5.2.1/bin/listeners
-Dsoapui.ext.actions=C:\Program Files\SmartBear\SoapUI-5.2.1/bin/actions
-Dwsi.dir=C:\Program Files\SmartBear\SoapUI-5.2.1/wsi-test-tools
-Djava.library.path=C:\Program Files\SmartBear\SoapUI-5.2.1/bin
-Djava.util.Arrays.useLegacyMergeSort=true
-splash:SoapUI-Spashscreen.png
-Dsoapui.https.protocols=TLSv1.2
SoapUI can be a bit twitchy:
1) right after changing the certificate it sometimes does not load the new one right away; you may need to close and re-open the application to get it to load
2) it will wait for an authentication challenge before sending the client credentials, unless you check the following box:
3) if your certificate/private key file or password is incorrect this would of course prevent it from being sent, but it should throw an error into the transaction log of SoapUI
It didn't really help. Below are the screen shots for your reference of what I have in my SoapUI.
Also, see the error from the gate in screen shot 3.
Please let me know if I have missed anything.
Ok, let's validate your keystore and try it in p12 format...
This will export the p12 from your jks:
keytool -importkeystore -srckeystore privatekeystore.jks -storepass KeystoreStorePassword -destkeystore private.p12 -deststoretype PKCS12 -deststorepass KeystoreStorePassword
This will extract the key file from your p12:
openssl pkcs12 -in private.p12 -clcerts -nodes -nocerts | openssl rsa > private.key
This will export your public cert from the p12:
openssl pkcs12 -in private.p12 -clcerts -nokeys -out public.cer
and these will generate hashes from the two (which should match):
openssl x509 -noout -modulus -in public.cer | openssl md5
openssl rsa -noout -modulus -in private.key | openssl md5
If all that works then try using the p12 in SoapUI instead of the jks (the jks should work, but if all of those commands work as expected then it looks like the certificate file is good).
Also, can you confirm that SSL is not being terminated before the gateway and that you are hitting the gateway on a port that allows client certificate authentication (port 9443 does not by default, but 8443 is set to 'optional').
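The keystore validation above, scripted as an added example (not from the thread or from SmartBear or CA): it extracts key and certificate from a .p12 and compares the modulus hashes, and it adds a second check that shows the CA names a gateway advertises in its TLS CertificateRequest, which is the list the client cert's issuer must appear in. It assumes only openssl is installed; the file names, the password "changeit" and the host:port argument are assumptions.

```shell
#!/bin/sh
# Added example, not code from the thread. Needs only openssl.
set -eu

# Pull the key and the client cert out of a .p12 and compare the RSA modulus
# hashes, as in the manual openssl steps. Prints "match" or "MISMATCH" and
# returns 0 only when they belong together.
check_p12_keypair() {
    p12="$1"; pass="$2"; tmp=$(mktemp -d)
    openssl pkcs12 -in "$p12" -passin "pass:$pass" -nocerts -nodes \
        -out "$tmp/private.key" 2>/dev/null
    openssl pkcs12 -in "$p12" -passin "pass:$pass" -clcerts -nokeys \
        -out "$tmp/public.cer" 2>/dev/null
    key_hash=$(openssl rsa -noout -modulus -in "$tmp/private.key" | openssl md5)
    cert_hash=$(openssl x509 -noout -modulus -in "$tmp/public.cer" | openssl md5)
    rm -rf "$tmp"
    if [ "$key_hash" = "$cert_hash" ]; then
        echo "match"; return 0
    fi
    echo "MISMATCH"; return 1
}

# Show the "Acceptable client certificate CA names" the server sends in its
# CertificateRequest. If the client cert's issuer is not listed (or the server
# sends none), the client will not present the certificate. Argument: host:port.
list_acceptable_cas() {
    openssl s_client -connect "$1" -tls1_2 </dev/null 2>/dev/null \
        | sed -n '/client certificate CA names/,/^---/p'
}

# Constructed test data: a throwaway self-signed key/cert packed into a .p12.
# Arguments: output path, export password.
make_sample_p12() {
    dir=$(mktemp -d)
    openssl req -x509 -newkey rsa:2048 -nodes -days 1 -subj "/CN=sample-client" \
        -keyout "$dir/k.pem" -out "$dir/c.pem" 2>/dev/null
    openssl pkcs12 -export -inkey "$dir/k.pem" -in "$dir/c.pem" \
        -passout "pass:$2" -out "$1" 2>/dev/null
    rm -rf "$dir"
}
```

Run `check_p12_keypair private.p12 KeystoreStorePassword` against the exported file, then `list_acceptable_cas gateway.example:8443` (assumed host) to confirm the gateway lists the issuer of that certificate.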
I tried with p12 too, getting the same result. I will open a ticket. Would you mind if I mention assigning the ticket to you in the ticket? Because you were aware of the problem.
I'm not with CA anymore (I used to be a pro-services third party contractor, so technically I was never in their support group). Hopefully this thread will get them to a solution for you faster.
If the gateway does not have it as a listed trusted CA then SoapUI will not send through the client certificate. You need to import the signer CA certificate that the client used into Manage Certificates, make sure that the option Sign Client Certificates is checked on the Options tab, and set it as a trust anchor on the Validation tab.
Director, CA Support
If you're sending the request through a load balancer to the API Gateway, confirm that the load balancer is not terminating SSL. If it is, that farm needs to be changed to pass-through. We beat our heads against a brick wall for weeks with this problem. I see that Ben mentioned SSL termination also; you definitely should check this.
Once you successfully test via SoapUI, your next challenge will be to complete this test via the actual client (and not SoapUI), but not expect the client to pass a self-signed cert in its request. We have an open case on that at the moment.
The gateway can accept a self-signed client certificate if (as Stephen indicated) you import it to the trusted certificate store and mark it for signing client certificates and as a trust anchor. This will cause it to be sent by the gateway in its trusted list during the SSL handshake, so that the client knows its certificate issuer (the client cert itself) is trusted by the gateway per the TLS protocol specification.
Cliff, you may also find this write-up regarding SSL termination and source IP visibility interesting:
Appreciate your help in this regard. At this moment I wasn't coming from the LB; I was directly hitting the gateway over 8443 via SoapUI. Would you like to have a WebEx?