sec_error_bad_signature for FireFox3.0.3
There has been a known issue with the SSL certificate algorithm when Firefox 3.0.3 is used for Jazz web. Could you please provide instructions on how to generate an SSL certificate using the RSA algorithm? Thanks.
There is some documentation about how to handle security certificates in the product documentation: https://jazz.net/help/rational-team-concert/1.0.1/index.jsp?topic=/com.ibm.team.install.doc/topics/c_server_certificates.html

- Matt Lavin
Jazz Server Team

On Mon, 2008-12-15 at 13:58 +0000, yanli wrote:
> Any comment on this one please?

Thanks, Matt.
It seems that the page you mentioned has not changed since the RTC Beta time. If I understand correctly, it asks users to create a data store of the type "CMS". However, the following message was displayed while I tried to create a new keystore in iKeyMan. Any comment please? What type of keystore should be created from iKeyMan (CMS, JKS, etc.)? Thanks. FYI, I tried this on RTC Beta, RTC 1.0, and 1.0.1 on different Windows machines. The same error message was displayed.

"The CMS Java native library was not found. Please make sure that SSL component required by your product is installed and the library path is defined correctly......."

I'm not entirely sure I understand what you are trying to do. With RTC we ship a pre-built Tomcat server that has already configured a self-signed SSL certificate, and WAS comes with a self-signed certificate as well. Using a self-signed certificate will lead to some warning dialogs in browsers, because you can't be 100% sure about the identity of a server when using self-signed certificates.

If you are not happy using the self-signed certificate, you would need to purchase a signed certificate for your server's domain name from a certificate authority and install that certificate into the server. Installing the certificate into the server would be different steps depending on whether you are using Tomcat or WAS.

Are you saying that the pre-built self-signed certificate that we include in Tomcat is not working for you, or are you saying you want to purchase and install an 'official' SSL certificate?

- Matt Lavin
Jazz Server Team

On Fri, 2008-12-26 at 16:27 +0000, yanli wrote:
> Thanks, Matt.

Thanks, Matt.
The self-signed certificate is for 'localhost', which is not usually used for production servers. In production, you can expect clients using all kinds of fully qualified domain names and all kinds of DNS names for Jazz web servers. Using the prepackaged certificate will display a security warning in browsers and this is not acceptable, at least for our production environments. We need a procedure to generate a certificate for a specific server (e.g. jazz1001.ibmclients.com). We are using Tomcat. The Jazz document (https://jazz.net/help/rational-team-concert/1.0.1/index.jsp?topic=/com.ibm.team.install.doc/topics/c_server_certificates.html) points users to use iKeyman to generate the certificate. Could you please comment on:

1) What type of key store should be created in iKeyman (CMS, JKS, etc.)?
2) After creating the key store database from iKeyman, I'm not expecting problems for us to create a proper certificate request file for an 'official' certificate and then to obtain the certificate.
3) After the certificate is issued, what actions should be taken? Where to import it?

I just looked at the keystore that we ship with Tomcat and it appears to be a JKS style keystore. After the certificate is issued, I believe you will want to import the signature (or the newly signed key) into your keystore so that the server can use it to prove its identity to clients.

- Matt Lavin
Jazz Server Team

On Fri, 2009-01-02 at 17:47 +0000, yanli wrote:
> Thanks, Matt.

Thanks, Matt.
This is what I have done.

1. create a new JKS key store using iKeyMan
2. created a certificate request file and submitted the certificate request.
3. imported signers' certificate first
4. imported (accepted) the new certificate
5. copied the updated JKS file into the Jazz server tomcat directory
6. update the server.xml file with the JKS file name and password (replaced the default ibm key store file)
7. restarted jazz server.

However, the signers' certificates do not show up in IE and thus, a certificate warning is displayed. Somehow, the same URL worked fine in FireFox. Any further comments please? Thanks.

You mention that you submitted the certificate request, and that you imported the signed certificate. Which authority signed your certificate? Is it possible that Firefox includes the signer's certificate out of the box but IE does not?

- Matt Lavin
Jazz Server Team

On Tue, 2009-01-27 at 07:47 +0000, yanli wrote:
> 5. copied the updated JKS file into the Jazz server tomcat directory

Thanks, Matt.
It is unlikely that FF contains the certificates. In our case, the Jazz server certificate is signed by three hierarchical signers and one of them is specific to our company:

valicert_class3_root (signs the next one)
...RSA Public Root CA v1 (signs the next one)
......MyCompany Application Server CA (signs the next one)
.........Jazz server certificate

If your certificate is not signed by a 'real' authority, or if the root certificates are not imported into the browsers, then I would expect a warning on both IE and Firefox. I'm not sure why Firefox would allow the certificate without a warning.

- Matt Lavin
Jazz Server Team

On Tue, 2009-01-27 at 16:57 +0000, yanli wrote:
> Thanks, Matt.

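The chain described in this thread has intermediate signers between the root and the server certificate, so a client that holds only the root can validate the server only if those signers are supplied along with it. The following added example (not from the thread, and using openssl rather than iKeyman) builds a constructed chain of the same shape with RSA keys and checks both cases; every name and path in it is a placeholder.

```shell
#!/bin/sh
# Added example: every name, path and certificate here is constructed for the demo.
set -eu

write_cfg() {   # minimal OpenSSL config with CA and server-certificate extensions
  cat > "$D/cfg" <<'EOF'
[req]
distinguished_name = dn
[dn]
[ca]
basicConstraints = critical,CA:TRUE
[leaf]
basicConstraints = CA:FALSE
subjectAltName = DNS:jazz.example.test
EOF
}
# issue NAME SUBJECT EXT [ISSUER]: RSA key + CSR, self-signed when ISSUER is omitted
issue() {
  name=$1; subj=$2; ext=$3; issuer=${4:-}
  openssl req -new -config "$D/cfg" -newkey rsa:2048 -nodes -sha256 \
    -subj "$subj" -keyout "$D/$name.key" -out "$D/$name.csr" 2>/dev/null
  if [ -z "$issuer" ]; then
    set -- -signkey "$D/$name.key"
  else
    set -- -CA "$D/$issuer.pem" -CAkey "$D/$issuer.key" -CAcreateserial
  fi
  openssl x509 -req -in "$D/$name.csr" "$@" -sha256 -days 30 \
    -extfile "$D/cfg" -extensions "$ext" -out "$D/$name.pem" 2>/dev/null
}

build_chain() {   # $1 = empty work directory
  D=$1; write_cfg
  issue root  "/CN=Demo Root CA" ca
  issue mid   "/CN=Demo Public Root CA" ca root
  issue appca "/CN=Demo Application Server CA" ca mid
  issue leaf  "/CN=jazz.example.test" leaf appca
  cat "$D/appca.pem" "$D/mid.pem" > "$D/signers.pem"   # intermediates only
}
# Client trusts only the root; the server presents only its own certificate.
verify_leaf_only() {
  openssl verify -CAfile "$D/root.pem" "$D/leaf.pem" 2>/dev/null | grep -q ': OK$'
}
# Same client; the server also presents both intermediate signer certificates.
verify_with_signers() {
  openssl verify -CAfile "$D/root.pem" -untrusted "$D/signers.pem" "$D/leaf.pem" \
    2>/dev/null | grep -q ': OK$'
}

build_chain "$(mktemp -d)"
verify_leaf_only    && echo "server cert only:  accepted" || echo "server cert only:  rejected"
verify_with_signers && echo "cert plus signers: accepted" || echo "cert plus signers: rejected"
```

To run the same check against real files, point `-CAfile` at the exported root and `-untrusted` at the intermediate signer certificates exported from the keystore.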