sec_error_bad_signature for FireFox3.0.3
10 answers
There is some documentation about how to handle security certificates in
the product documentation:
https://jazz.net/help/rational-team-concert/1.0.1/index.jsp?topic=/com.ibm.team.install.doc/topics/c_server_certificates.html
-
Matt Lavin
Jazz Server Team
On Mon, 2008-12-15 at 13:58 +0000, yanli wrote:
Any comment on this one please?
Thanks, Matt.
It seems that the page you mentioned has not changed since the RTC Beta time. If I understand correctly, it asks users to create a data store of the type "CMS". However, the following message was displayed while I tried to create a new keystore in iKeyMan. Any comment please? What type of keystore should be created from iKeyMan (CMS, JKS, etc.)? Thanks.
FYI, I tried this on RTC Beta, RTC 1.0, and 1.0.1 on different Windows machines. The same error message was displayed.
"The CMS Java native library was not found. Please make sure that SSL component required by your product is installed and the library path is defined correctly......."
I'm not entirely sure I understand what you are trying to do. With RTC
we ship a pre-built Tomcat server that has already configured a
self-signed SSL certificate, and WAS comes with a self-signed certificate
as well. Using a self-signed certificate will lead to some warning dialogs
in browsers, because you can't be 100% sure about the identity of a
server when using self-signed certificates.
If you are not happy using the self-signed certificate, you would need
to purchase a signed certificate for your server's domain name from a
certificate authority and install that certificate into the server.
Installing the certificate into the server would be different steps
depending on whether you are using Tomcat or WAS.
Are you saying that the pre-built self-signed certificate that we
include in Tomcat is not working for you, or are you saying you want to
purchase and install an 'official' SSL certificate?
-
Matt Lavin
Jazz Server Team
On Fri, 2008-12-26 at 16:27 +0000, yanli wrote:
Thanks, Matt.
The self-signed certificate is for 'localhost', which is not usually used for production servers. In production, you can expect clients using all kinds of fully qualified domain names and all kinds of DNS names for Jazz web servers. Using the prepackaged certificate will display a security warning in browsers and this is not acceptable, at least for our production environments. We need a procedure to generate a certificate for a specific server (e.g. jazz1001.ibmclients.com).
We are using Tomcat. The Jazz document (https://jazz.net/help/rational-team-concert/1.0.1/index.jsp?topic=/com.ibm.team.install.doc/topics/c_server_certificates.html) points users to use iKeyman to generate the certificate. Could you please comment on
1) what type of key store should be created in iKeyman (CMS, JKS, etc.)
2) after creating the key store database from iKeyman, I'm not expecting problems for us to create proper certificate request file for an 'official' certificate and then to obtain the certificate.
3) after the certificate is issued, what actions should be taken? Where to import it?
I just looked at the keystore that we ship with Tomcat and it appears to
be a JKS style keystore. After the certificate is issued, I believe you
will want to import the signature (or the newly signed key) into your
keystore so that the server can use it to prove its identity to
clients.
-
Matt Lavin
Jazz Server Team
On Fri, 2009-01-02 at 17:47 +0000, yanli wrote:
Thanks, Matt.
This is what I have done.
1. create a new JKS key store using iKeyMan
2. created a certificate request file and submitted the certificate request.
3. imported signers' certificate first
4. imported (accepted) the new certificate
5. copied the updated JKS file into the Jazz server tomcat directory
6. update the server.xml file with the JKS file name and password (replaced the default ibm key store file)
7. restarted jazz server.
However, the signers' certificates do not show up in IE and thus, a certificate warning is displayed.
Somehow, the same URL worked fine in FireFox.
Any further comments please? Thanks.
You mention that you submitted the certificate request, and that you
imported the signed certificate. Which authority signed your
certificate? Is it possible that Firefox includes the signer's
certificate out of the box but IE does not?
-
Matt Lavin
Jazz Server Team
On Tue, 2009-01-27 at 07:47 +0000, yanli wrote:
Thanks, Matt.
It is unlikely that FF contains the certificates. In our case, the Jazz server certificate is signed by three hierarchical signers and one of them is specific to our company:
valicert_class3_root (signs the next one)
...RSA Public Root CA v1 (signs the next one)
......MyCompany Application Server CA (signs the next one)
.........Jazz server certificate
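The seven-step procedure posted earlier ends with the signed certificate imported into the JKS keystore, and the post above lists a three-level signer hierarchy. One check worth running on such a setup is that the chain the server hands to clients is complete and in order: each certificate issued by the next one, ending at a root the client already trusts. The following is an added example, not code from this thread or from the RTC product. It implements that check with a small DER walker (no third-party library) and, so that it runs offline, builds toy unsigned certificate skeletons whose names mirror the hierarchy in the post; `jazz1001.ibmclients.com` is the hostname from the earlier post, while the `toy_cert` builder, the function names, and the serial and validity values are constructed for illustration.

```python
"""Order and completeness check for an X.509 chain (leaf first).

Added example, not from the jazz.net thread or the RTC product. A minimal DER
walker pulls subject and issuer out of each certificate; toy *unsigned*
skeletons are built inline so the check can run offline.
"""
from typing import List, Tuple

# ---- minimal DER encoder, only what the toy skeleton needs (constructed) ----
def _der_len(n: int) -> bytes:
    if n < 0x80:
        return bytes([n])
    body = n.to_bytes((n.bit_length() + 7) // 8, "big")
    return bytes([0x80 | len(body)]) + body

def _tlv(tag: int, content: bytes) -> bytes:
    return bytes([tag]) + _der_len(len(content)) + content

def _name(common_name: str) -> bytes:
    # Name ::= SEQUENCE OF (SET OF AttributeTypeAndValue); a single CN (OID 2.5.4.3)
    oid_cn = _tlv(0x06, bytes([0x55, 0x04, 0x03]))
    value = _tlv(0x0C, common_name.encode("utf-8"))  # UTF8String
    return _tlv(0x30, _tlv(0x31, _tlv(0x30, oid_cn + value)))

def toy_cert(subject: str, issuer: str) -> bytes:
    """Unsigned X.509 skeleton: enough structure to parse subject and issuer."""
    sig_alg = _tlv(0x30, _tlv(0x06, bytes([0x2A, 0x86, 0x48, 0x86, 0xF7, 0x0D, 0x01, 0x01, 0x0B])))
    tbs = (
        _tlv(0xA0, _tlv(0x02, b"\x02"))      # [0] EXPLICIT version v3
        + _tlv(0x02, b"\x01")                 # serialNumber (constructed value)
        + sig_alg
        + _name(issuer)
        + _tlv(0x30, _tlv(0x17, b"090101000000Z") + _tlv(0x17, b"100101000000Z"))  # validity
        + _name(subject)
        + _tlv(0x30, b"")                     # subjectPublicKeyInfo left empty
    )
    return _tlv(0x30, _tlv(0x30, tbs) + sig_alg + _tlv(0x03, b"\x00"))  # no real signature

# ---- DER walker: this part works on real DER certificates too ----
def _read_tlv(buf: bytes, pos: int) -> Tuple[int, bytes, int]:
    """Return (tag, content, position after the element) for the element at pos."""
    tag, length, pos = buf[pos], buf[pos + 1], pos + 2
    if length & 0x80:                         # long-form length
        n = length & 0x7F
        length, pos = int.from_bytes(buf[pos:pos + n], "big"), pos + n
    return tag, buf[pos:pos + length], pos + length

def subject_and_issuer(cert: bytes) -> Tuple[bytes, bytes]:
    """Raw DER contents of the subject and issuer Names in a certificate."""
    _, body, _ = _read_tlv(cert, 0)          # Certificate SEQUENCE
    _, tbs, _ = _read_tlv(body, 0)           # tbsCertificate SEQUENCE
    tag, _, after = _read_tlv(tbs, 0)
    pos = after if tag == 0xA0 else 0        # skip optional [0] version
    _, _, pos = _read_tlv(tbs, pos)          # serialNumber
    _, _, pos = _read_tlv(tbs, pos)          # signature algorithm
    _, issuer, pos = _read_tlv(tbs, pos)
    _, _, pos = _read_tlv(tbs, pos)          # validity
    _, subject, _ = _read_tlv(tbs, pos)
    return subject, issuer

def common_name(name: bytes) -> str:
    """CN string of a Name whose first RDN is the CN (true for the toy certs)."""
    _, rdn, _ = _read_tlv(name, 0)           # SET
    _, atv, _ = _read_tlv(rdn, 0)            # SEQUENCE { OID, value }
    _, _, after_oid = _read_tlv(atv, 0)
    _, value, _ = _read_tlv(atv, after_oid)
    return value.decode("utf-8")

def check_chain(chain: List[bytes]) -> List[str]:
    """Problems with a leaf-first chain: each cert must be issued by the next."""
    problems = []
    names = [subject_and_issuer(c) for c in chain]
    for i in range(len(names) - 1):
        issuer, next_subject = names[i][1], names[i + 1][0]
        if issuer != next_subject:
            problems.append(
                f"cert {i} ({common_name(names[i][0])}) is issued by "
                f"{common_name(issuer)!r} but cert {i + 1} is {common_name(next_subject)!r}")
    return problems

def trust_anchor(chain: List[bytes]) -> str:
    """CN the client must already trust: the issuer of the last certificate sent.
    For a complete chain that is the public root; for a leaf-only chain it is the
    private signer, which a browser will not have out of the box."""
    _, issuer = subject_and_issuer(chain[-1])
    return common_name(issuer)

# Toy hierarchy mirroring the thread's description (all certificates constructed)
ROOT = toy_cert("valicert_class3_root", "valicert_class3_root")
PUBLIC_CA = toy_cert("RSA Public Root CA v1", "valicert_class3_root")
COMPANY_CA = toy_cert("MyCompany Application Server CA", "RSA Public Root CA v1")
LEAF = toy_cert("jazz1001.ibmclients.com", "MyCompany Application Server CA")

FULL_CHAIN = [LEAF, COMPANY_CA, PUBLIC_CA, ROOT]
LEAF_ONLY = [LEAF]                          # only the signed certificate was imported
SKIPS_COMPANY_CA = [LEAF, PUBLIC_CA, ROOT]  # intermediate left out of the keystore

if __name__ == "__main__":
    for label, chain in [("full", FULL_CHAIN), ("leaf only", LEAF_ONLY),
                         ("company CA missing", SKIPS_COMPANY_CA)]:
        print(label, "->", check_chain(chain) or "ordered",
              "| client must trust:", trust_anchor(chain))
```

In a real deployment you would feed `check_chain` the DER certificates the server actually sends, in the order it sends them. The two outcomes worth noting are the ones the thread is circling: a chain that skips the company CA fails the ordering check outright, and a leaf-only chain passes the ordering check but `trust_anchor` reports the company CA rather than the public root, which is exactly the certificate a browser without that private signer cannot validate.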
If your certificate is not signed by a 'real' authority, or if the root
certificates are not imported into the browsers, then I would expect a
warning on both IE and Firefox. I'm not sure why Firefox would allow
the certificate without a warning.
-
Matt Lavin
Jazz Server Team
On Tue, 2009-01-27 at 16:57 +0000, yanli wrote: