Security

How do I convert a public key into a .cer, .der or .p7b file?

Some trading partners issue a public certificate as a .txt file without saying which certificate type it is.  If the file begins with "-----BEGIN CERTIFICATE-----" it is PEM (Base64 text); otherwise it is most likely binary DER.  One simple way to get the certificate into the format you require is to import the .txt file into Google Chrome's certificate manager and then export it in the format you need.

How do you execute a BridgeGate HTTP workflow using Portal User Authentication?

Our clients authenticate and execute BridgeGateHTTP workflows with the Portal user name and password (over HTTPS) in two different ways.

First, and less common, they include the respective key/value pairs in the URL: &userName=[USER]&password=[PWD].  Credentials placed in the query string end up in web server access logs, proxy logs and browser history, which is why this form is discouraged.

Second, they include the values as HTTP headers, as seen in the screen shot below.

The portal user must have BridgeGateHTTP protocol security set.  If 'Authenticate' is checked on the Get Data step, the workflow requires the Portal username/password.  If 'Authenticate' is not checked, the workflow executes with no portal login validation.

If the BridgeGateHTTP workflow is set to authenticate and the credentials are missing, incorrect, or the user does not have the appropriate security permission (BridgeGateHTTP), the client receives a 403 error with one of these messages:

HTTP Status 403 – Authentication Credentials not found

HTTP Status 403 – Incorrect Login and/or Password

After upgrading Java I can't connect to HTTPS sites that use SHA1

Oracle's recent Java updates refuse TLS connections to servers whose certificates are signed with SHA1 when the chain ends at a CA shipped in the JDK cacerts store.  The workaround is to modify the file called:
java_home/jre/lib/security/java.security
(on Java 9 and later the file lives at java_home/conf/security/java.security).
Edit the line:
jdk.certpath.disabledAlgorithms=MD2, MD5, SHA1 jdkCA & usage TLSServer, \
to
jdk.certpath.disabledAlgorithms=MD2, MD5, \
i.e. remove the part "SHA1 jdkCA & usage TLSServer, ".

Be aware that this re-enables a signature algorithm that was disabled because collisions are practical, and it weakens certificate validation for every connection that JVM makes.  Treat it as a temporary workaround scoped to the BridgeGate JVM while the trading partner or CA reissues the certificate with SHA-256.
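The edit above is easy to get wrong because the property value continues across lines with a trailing backslash. The following added example (not from the BridgeGate page or the product) parses a java.security file with that continuation rule and reports whether SHA1 is still restricted, disabled outright, or allowed in jdk.certpath.disabledAlgorithms. The sample file content is constructed here to mirror the stock layout; nothing else is assumed.

```python
"""Added example (not from the BridgeGate page): read a java.security
file and report how jdk.certpath.disabledAlgorithms treats SHA1.

The only assumption is the file format: a Java properties file in which a
trailing backslash continues the value on the next line, which is how the
stock java.security file lays out that property.
"""

# Constructed sample: the stock line (before the edit the page describes)
# plus an unrelated property, using the real continuation-line layout.
SAMPLE_BEFORE = """\
# Example java.security excerpt (constructed for this example)
jdk.certpath.disabledAlgorithms=MD2, MD5, SHA1 jdkCA & usage TLSServer, \\
    RSA keySize < 1024, DSA keySize < 1024, EC keySize < 224
jdk.tls.disabledAlgorithms=SSLv3, RC4, DES, MD5withRSA
"""

# The same excerpt after the edit the page recommends (SHA1 entry removed).
SAMPLE_AFTER = SAMPLE_BEFORE.replace("SHA1 jdkCA & usage TLSServer, ", "")


def read_properties(text):
    """Parse a java.security style properties file, joining continued lines.

    Returns a dict of key -> raw value.  Comment (#) and blank lines are
    skipped; a value ending in a backslash continues on the next line.
    """
    props = {}
    logical = []
    for raw in text.splitlines():
        line = raw.strip()
        if not logical and (not line or line.startswith("#")):
            continue
        if line.endswith("\\"):
            logical.append(line[:-1])
            continue
        logical.append(line)
        joined = "".join(logical)
        logical = []
        key, _, value = joined.partition("=")
        props[key.strip()] = value.strip()
    return props


def parse_constraints(value):
    """Split a disabledAlgorithms value into its comma separated constraints.

    Each constraint is returned as (algorithm, qualifier) where qualifier is
    the remaining text such as 'jdkCA & usage TLSServer' or 'keySize < 1024'.
    """
    out = []
    for item in value.split(","):
        item = item.strip()
        if not item:
            continue
        alg, _, qual = item.partition(" ")
        out.append((alg, qual.strip()))
    return out


def sha1_certpath_status(text):
    """Return 'restricted', 'disabled' or 'allowed' for SHA1 in certpath.

    'restricted' means SHA1 is only blocked for certificates that chain to
    a JDK cacerts root and are used for TLS server auth (the jdkCA & usage
    form); 'disabled' means it is blocked outright; 'allowed' means no
    SHA1 constraint remains, which is what the page's edit produces.
    """
    props = read_properties(text)
    value = props.get("jdk.certpath.disabledAlgorithms", "")
    for alg, qual in parse_constraints(value):
        if alg.upper() == "SHA1":
            return "restricted" if qual else "disabled"
    return "allowed"


if __name__ == "__main__":
    for label, text in (("before", SAMPLE_BEFORE), ("after", SAMPLE_AFTER)):
        print(label, sha1_certpath_status(text))
```

Run it against the real file (`sha1_certpath_status(open(path).read())`) after the upgrade and again after any later Java patch: updates can rewrite java.security and silently restore the restriction.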

How do you import a P12 (i.e.: PKCS12) Certificate Chain into a BridgeGate Java KeyStore (JKS)

*******************************************

Importing a P12 (i.e.: PKCS12) Certificate Chain into a BridgeGate Java KeyStore (JKS)

*******************************************

Keytool path:   C:\bridgegate\java\bin\keytool.exe

Openssl path:   C:\bridgegate\utils\openssl\openssl.exe

P12 Certificate Chain:  C:\data\cert\Bridgegate_HUBCertificates.p12  (Replace Bridgegate_HUBCertificates with your file)

BG Staging JKS KeyStore:        C:\data\cert\bridgegate.jks

 

*** Note:  The Alias used in the JKS does not need to match the Common Name (CN) of the Client System Key.  The more important thing is that the BridgeGate Java KeyStore (JKS) does not contain duplicate aliases.  ***

 

1) List and verify P12 Certificate Chain contents:

c:\bridgegate\java\bin>keytool -v -list -storetype pkcs12 -keystore C:\data\cert\Bridgegate_HUBCertificates.p12

Enter keystore password:

 

*****************  WARNING WARNING WARNING  *****************

* The integrity of the information stored in your keystore  *

* has NOT been verified!  In order to verify its integrity, *

* you must provide your keystore password.                  *

*****************  WARNING WARNING WARNING  *****************

Keystore type: PKCS12

Keystore provider: SunJSSE

Your keystore contains 1 entry

Alias name: Bridgegate_HUB

Creation date: Jul 11, 2014

Entry type: SecretKeyEntry

 

2) IF the P12 Certificate Chain file is not password locked, you will need to recreate it with a password:

*** Export your current certificate to a passwordless PEM file.  Note:  Leave the 'Import Password' prompt empty in this step.  The -nodes option writes the private key unencrypted into export.tmp.pem, so delete that file as soon as the new P12 has been created.

c:\bridgegate\utils\openssl>openssl pkcs12 -in C:\data\cert\Bridgegate_HUBCertificates.p12 -out C:\data\cert\export.tmp.pem -nodes

Enter Import Password:

MAC verified OK

*** Convert the passwordless PEM to a new P12 (PFX) file protected by a password:

C:\bridgegate\utils\openssl>openssl pkcs12 -export -in C:\data\cert\export.tmp.pem -out C:\data\cert\Bridgegate_HUBCertificates.locked.p12 -name “Bridgegate_HUB”

Loading ‘screen’ into random state – done

Enter Export Password:

Verifying – Enter Export Password:

 

3) Confirm the alias name in the new password-locked P12 Certificate Chain.  Step 2 sets the alias from the -name argument; if it is left out, the alias will be "1".

*** Confirm Chain length of 3 and the Owner/Issuer of each Certificate are in the proper order.  ****

c:\bridgegate\java\bin>keytool -v -list -storetype pkcs12 -keystore C:\data\cert\Bridgegate_HUBCertificates.locked.p12

Enter keystore password: ******

Keystore type: PKCS12

Keystore provider: SunJSSE

Your keystore contains 1 entry

Alias name: bridgegate_hub

Creation date: Jul 14, 2014

Entry type: PrivateKeyEntry

Certificate chain length: 3

Certificate[1]:

Owner: CN=Bridgegate_HUB ClientSystem, OU=IT, O=ICA, L=Nashville, ST=TN, C=US

Issuer: CN=uat CA, OU=IT, O=ICA, L=Nashville, ST=TN, C=US

.

Certificate[2]:

Owner: CN=uat CA, OU=IT, O=ICA, L=Nashville, ST=TN, C=US

Issuer: CN=ICA Root CA, OU=IT, O=ICA, L=Nashville, ST=TN, C=US

.

Certificate[3]:

Owner: CN=ICA Root CA, OU=IT, O=ICA, L=Nashville, ST=TN, C=US

Issuer: CN=ICA Root CA, OU=IT, O=ICA, L=Nashville, ST=TN, C=US

 

4) Import the P12 Certificate Chain into your BridgeGate Java KeyStore (JKS).

**** Note: You can alter the Alias name with the -alias and -destalias arguments. ****

c:\bridgegate\java\bin>keytool -importkeystore -destkeystore C:\data\cert\bridgegate.jks -srckeystore C:\data\cert\Bridgegate_HUBCertificates.locked.p12 -srcstoretype PKCS12

Enter destination keystore password:

Enter source keystore password:

Entry for alias Bridgegate_HUB successfully imported.

Import command completed:  1 entries successfully imported, 0 entries failed or cancelled

 

5) Verify the JKS contains the new Certificate under the correct Alias.

*** WARNING: This password field is displayed on screen as clear text!  ***

c:\bridgegate\java\bin>keytool -v -list -storetype jks -keystore C:\data\cert\bridgegate.jks > c:\data\cert\out.txt

Enter keystore password:  *********

 

What are the password requirements for users?

BridgeGate user passwords must be at least eight characters long and contain upper-case letters, lower-case letters and numbers.  A user's password is the same for the portal, FTP, SSH, SFTP and all other BridgeGate services the user has permission to access, so a credential captured on the weakest of those services (plain FTP sends it in clear text) unlocks all of them.
Note: this can be replaced by LDAP or other authentication systems.

How do you configure Apache to act as a proxy for BridgeGate?

For example, if your BridgeGate server is running on port 8081 and you want the external URL to be http://dev.bridgegatehealth.com, you can create a Virtual Host in Apache that acts as a reverse proxy:

<VirtualHost *:80>
ProxyPreserveHost On
ProxyPass        "/" "http://YOUR_INTERNAL_IP:8081/"
ProxyPassReverse "/" "http://YOUR_INTERNAL_IP:8081/"
ServerName dev.bridgegatehealth.com
</VirtualHost>

Leave ProxyRequests at its default of Off: a reverse proxy does not need it, and turning it on makes the host an open forward proxy.  Note that this vhost listens on plain port 80 and talks to BridgeGate over plain HTTP, so anything that carries portal credentials should go through an HTTPS vhost instead, and the backend port should be reachable only from the proxy host.  Many more options and details can be found on the httpd.apache.org website.

How do I install Cryptography Extensions

I was able to make the connection by installing the Java Cryptography Extensions (JCE) Unlimited Strength Jurisdiction Policy files.

These files are not included in the standard Java deployments before Java 8u161 (from that update on, unlimited strength is the default) to comply with US export rules.  However, they can be downloaded from the Oracle site at the following URL; pick the policy package that matches the major Java version BridgeGate ships with:

http://www.oracle.com/technetwork/java/javasebusiness/downloads/java-archive-downloads-java-plat-419418.html#jce_policy-6-oth-JPR

The zip file downloaded will contain two .jar files (local_policy.jar and US_export_policy.jar).  These files must be copied into the BridgeGate installations.

Workbench: 

  C:\bgworkbench\java\jre\lib\security

Server: 

  C:\bridgegate\java\jre\lib\security

(Replace C: with the install drive for the software)

There should be files with the same names already in those directories — just overwrite the files that are there.  The server/workbench will have to be stopped to replace the files. 

If you have any questions, feel free to call me at (904)739-0300 x221. I will be happy to guide you through the steps. 

How do I set the Session Timeout in BridgeGate

In BridgeGate Version 7 and 8, you can alter the file server/conf/web.xml: 

<!-- ==================== Default Session Configuration ================= -->
<!-- You can set the default session timeout (in minutes) for all newly   -->
<!-- created sessions by modifying the value below.                       -->
  <session-config>
      <session-timeout>30</session-timeout>
  </session-config>

The same setting exists in 6.0, but the file is jboss/server/bridgegate/system/jbossweb-tomcat55.sar/conf/web.xml

View full Server Config docs

How do I disable SSL3 in BridgeGate

Disabling SSL3 in BridgeGate should be straightforward.  The server/conf/server.xml file contains a block that describes the SSL port configuration.  Specifically, there is a setting that indicates the protocol, which by default reads sslProtocol="TLS".  This is not entirely accurate, because with that setting alone the connector will still accept SSL3.

To get around this, you must specify the enabled protocols explicitly.  You can set this using the sslEnabledProtocols attribute in that block, as shown in this configuration:

<Connector port="8443" protocol="HTTP/1.1" SSLEnabled="true"
           maxThreads="150" scheme="https" secure="true"
           clientAuth="false"
           sslProtocol="TLS" sslEnabledProtocols="TLSv1,TLSv1.1,TLSv1.2"
           keystoreFile="C:/certificates/keystore.jks"
           keystorePass="P@55w0rD"  />

The list is a whitelist: anything not in it, SSLv3 included, is refused.  On current JVMs drop TLSv1 and TLSv1.1 as well (recent Java releases disable them by default through jdk.tls.disabledAlgorithms), leaving sslEnabledProtocols="TLSv1.2", plus TLSv1.3 where the JVM supports it.  Remember that keystorePass sits in server.xml in clear text, so restrict read access to that file.

This is slightly different in BridgeGate 6.  The sslEnabledProtocols attribute was added in Tomcat 7, but there is an undocumented similar setting for BG6.  In the jboss/server/bridgegate/system/jbossweb-tomcat55.sar/server.xml file, add the protocols option as in the following:

<!-- SSL/TLS Connector configuration using the admin devl guide keystore -->
<Connector port="8443" address="${jboss.bind.address}"
     maxThreads="300" strategy="ms" maxHttpHeaderSize="8192"
     emptySessionPath="true"
     scheme="https" secure="true" clientAuth="false"
     keystoreFile="keystore.jks"
     keystorePass="password" sslProtocol="TLS" protocols="TLSv1,TLSv1.1"/>

If you have openssl installed on your system, you can verify SSL3 is disabled by running the following, which should fail to connect:

openssl s_client -ssl3 -connect <host>:8443

while the following should work:

openssl s_client -tls1 -connect <host>:8443

OpenSSL builds since 1.1.0 leave SSLv3 out by default, so -ssl3 may be rejected as an unknown option; that says something about your client, not the server.  Use -tls1_2 (and -tls1_1 or -tls1 to confirm those are refused once you have removed them from the list) to test the protocols the connector actually lists.

How do I turn on debugging for SSL

Add the following to the bg_service.conf located in the \bridgegate\conf directory and restart the server.  Prepare yourself for lots of logging: the output covers every handshake and record, so remove the setting again once the problem is found.

-Djavax.net.debug=all

How to protect against cd to root on BridgeGate's FTP server

1) Create a dummy directory under the bridgegate\FTPServer directory.

 I created mine as bridgegate\FTPServer\FauxRoot_DoNotDelete.

 2) Configure bridgegate.xml to use this directory as the virtual file system root, so a user who changes directory upward lands in the empty directory rather than in the BridgeGate install tree:

<FTP_SSH_CONFIG SERVER_PORT="22" SSH2_DSA_HOST_KEY="" SSH2_DSA_HOST_KEY_PASSWORD="" SSH2_RSA_HOST_KEY="" SSH2_RSA_HOST_KEY_PASSWORD="" VFS_ROOT="C:\bridgegate\ftpserver\FauxRoot_DoNotDelete"/>

How do I use BridgeGate HTTP on demand

I was thinking it would be cool to use BridgeGate as a reporting tool.  To do that I would need to have the workflow executed on demand with a URL, which I know can be done?

The other thing I didn't know is if a variable could be entered as part of the URL or could be promoted.

 i.e.  A report that would be configured to run by different catalog code and the user would provide the code.

— Answer —

The easiest way would be setting up a WF with the BridgeGateHTTP Adapter with ‘Enable Workflow to be Executed as a Service’.

Create New In-Values with the ‘Add to Workflow Session’ selected to receive the values you want to receive into the Workflow.

The URL Preview will add the new URL parameter for use.

http://[SERVER_URL]/portal/executeworkflow?accountName=samples&wfGroupName=sample1&wfName=test_wf&catalog_code=[SESSION_VALUE]

http://localhost:8080/portal/executeworkflow?accountName=samples&wfGroupName=sample1&wfName=test_wf&catalog_code=123456

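The following added example (not BridgeGate's own code) builds the on-demand executeworkflow request shown in the answer above, applying the Portal User Authentication rules from the earlier item so that the credentials travel as HTTP headers rather than in the URL. Two assumptions are not stated on the page: the header names are taken to be the same userName and password used by the query-string form (the screenshot of the header form is not reproduced), and the In-Values are passed exactly as the URL Preview names them. send() is the only function that contacts a server; the stand-alone run only builds the request.

```python
"""Added example (not BridgeGate's own code): build the on-demand
executeworkflow request, keeping the portal credentials out of the URL.

Assumptions not stated on the page: the header names are the same
'userName' and 'password' used by the query-string form, and the server
is only contacted by send(), which the stand-alone run below skips.
"""
import urllib.error
import urllib.parse
import urllib.request

PORTAL_PATH = "/portal/executeworkflow"
USER_KEY, PWD_KEY = "userName", "password"   # assumed header/param names
RESERVED = ("accountName", "wfGroupName", "wfName", USER_KEY, PWD_KEY)


def build_request(base_url, account, group, workflow, in_values,
                  credentials=None, credentials_in_headers=True):
    """Return (url, headers) for an executeworkflow GET.

    in_values maps In-Value names (e.g. catalog_code) to the caller's
    values; they are always URL-encoded into the query string.  When the
    workflow has 'Authenticate' checked, pass credentials=(user, pwd):
    they go into headers, or into the query string when
    credentials_in_headers is False (the less common form, which leaves
    the password in access logs, proxy logs and browser history).
    Credentials are refused over plain http.
    """
    for name in in_values:
        if name in RESERVED:
            raise ValueError(f"In-Value name {name!r} collides with a reserved parameter")
    params = {"accountName": account, "wfGroupName": group, "wfName": workflow}
    params.update(in_values)
    headers = {}
    if credentials is not None:
        if not base_url.lower().startswith("https://"):
            raise ValueError("portal credentials must only be sent over https")
        user, pwd = credentials
        target = headers if credentials_in_headers else params
        target[USER_KEY] = user
        target[PWD_KEY] = pwd
    url = base_url.rstrip("/") + PORTAL_PATH + "?" + urllib.parse.urlencode(params)
    return url, headers


def send(url, headers, timeout=30):
    """Issue the GET and return (status, body).  A 403 carrying the page's
    'Authentication Credentials not found' or 'Incorrect Login and/or
    Password' text points at the portal user or its BridgeGateHTTP
    permission, not at the workflow itself."""
    req = urllib.request.Request(url, headers=headers, method="GET")
    try:
        with urllib.request.urlopen(req, timeout=timeout) as resp:
            return resp.status, resp.read().decode("utf-8", "replace")
    except urllib.error.HTTPError as err:
        return err.code, err.read().decode("utf-8", "replace")


if __name__ == "__main__":
    url, headers = build_request(
        "https://localhost:8443", "samples", "sample1", "test_wf",
        {"catalog_code": "123456"}, credentials=("portaluser", "S3cret!"))
    print(url)              # no credentials in the query string
    print(sorted(headers))  # ['password', 'userName']
```

URL-encoding the In-Value matters as soon as the user-supplied catalog code can contain spaces or ampersands: unencoded, it would be split into extra parameters by the portal.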

Can I use a PPK file in BridgeGate?

You can't use a PPK file in BridgeGate.  PPK is the PuTTY (and related tools) private key format, while BridgeGate uses OpenSSH keys.  You can export a .ppk file as an OpenSSH key from PuTTYgen using the Conversions > Export OpenSSH key menu option.


How do I import a PEM formatted Certificate Chain into a BridgeGate KeyStore

*******************************************

Importing a PEM formatted Certificate Chain into a BridgeGate Java KeyStore (JKS)

*******************************************

Keytool path: C:\bridgegate\java\bin\keytool.exe

Openssl path: C:\bridgegate\utils\openssl\openssl.exe

Cert working location: C:\cert\

PEM Files:

Root CA Certificate: RootCACertificate.pem

Modality (intermediate) CA Certificate: prodCertificate

Client System Certificate: Bridgegate_HUB.pem   (Replace Bridgegate_HUB with your pem file)

Client System Key: Bridgegate_HUB.key  (Replace Bridgegate_HUB with your key file)

*** Note:  The Alias used in the JKS does not need to match the Common Name (CN) of the Client System Key.  The more important thing is that the BridgeGate Java KeyStore (JKS) does not contain duplicate aliases.  ***

1) Obtain the following PEM files.

– Root CA Certificate

– Modality (intermediate) CA Certificate

– Client System Certificate

– Client System Key (PK)

2) Get the Common Name (CN) from the Client System Certificate.

c:\bridgegate\utils\openssl>openssl x509 -in c:\cert\Bridgegate_HUB.pem -noout -subject

subject= /C=US/ST=TN/L=Nashville/O=ICA/OU=IT/CN=Bridgegate_HUB ClientSystem

3)  Create a P12 Certificate Chain file.

Each of the certificate files is a text file.  Create a blank file named chain.tmp and paste the certificates into it in this order: 'Root CA Cert', 'Modality (intermediate) CA Certificate', then 'Client System Cert'.  Put the CN from step 2 in the -name argument below.  Be sure to set a password at the 'Export Password' prompt; keytool requires one in a following step.  The -inkey file is the private key, so keep it and the resulting .p12 readable only by the BridgeGate service account.

c:\bridgegate\utils\openssl>openssl pkcs12 -export -in C:\cert\chain.tmp -inkey C:\cert\Bridgegate_HUB.key -out C:\cert\Bridgegate_HUBCertificates.chain.p12 -name “Bridgegate_HUB”

Loading ‘screen’ into random state – done

Enter Export Password: ***********

Verifying – Enter Export Password: ***********

4)  Verify the contents of the new P12 Certificate Chain file.  Step 3 sets the alias from the -name argument; if it is left out, the alias name will be something like "1".

*** Confirm the chain length is 3 and the Owner/Issuer of each certificate are in the proper order: each certificate's Issuer must be the next certificate's Owner, and the last one is the self-signed root.  ****

c:\bridgegate\java\bin>keytool -v -list -storetype pkcs12 -keystore C:\cert\Bridgegate_HUBCertificates.chain.p12

Enter keystore password: ***********

.

.

.

.

Alias name: Bridgegate_HUB

Creation date: Jul 11, 2014

Entry type: PrivateKeyEntry

Certificate chain length: 3

Certificate[1]:

Owner: CN=Bridgegate_HUB ClientSystem, OU=IT, O=ICA, L=Nashville, ST=TN, C=US

Issuer: CN=uat CA, OU=IT, O=ICA, L=Nashville, ST=TN, C=US

.

.

.

.

Certificate[2]:

Owner: CN=uat CA, OU=IT, O=ICA, L=Nashville, ST=TN, C=US

Issuer: CN=ICA Root CA, OU=IT, O=ICA, L=Nashville, ST=TN, C=US

.

.

.

.

Certificate[3]:

Owner: CN=ICA Root CA, OU=IT, O=ICA, L=Nashville, ST=TN, C=US

Issuer: CN=ICA Root CA, OU=IT, O=ICA, L=Nashville, ST=TN, C=US


.

.

.

.

5) Import the P12 Certificate Chain into your BridgeGate Java KeyStore (JKS).

**** Note: You can alter the Alias name with the -alias and -destalias arguments. ****

c:\bridgegate\java\bin>keytool -importkeystore -destkeystore C:\cert\bridgegate.jks -srckeystore C:\cert\Bridgegate_HUBCertificates.chain.p12 -srcstoretype PKCS12

Enter destination keystore password:

Enter source keystore password:

Entry for alias Bridgegate_HUB successfully imported.

Import command completed:  1 entries successfully imported, 0 entries failed or cancelled

6) Verify the JKS contains the new Certificate under the correct Alias.

*** WARNING: This password field is displayed on screen as clear text!  ***

c:\bridgegate\java\bin>keytool -v -list -storetype jks -keystore C:\cert\bridgegate.jks > c:\cert\out.txt

Enter keystore password:  *********
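Both procedures (step 3 of the P12 import and step 4 of the PEM import) ask you to eyeball the keytool -v -list output for chain length and Owner/Issuer order. The following added example (not part of the BridgeGate page or product) parses that listing and performs the check mechanically: every certificate's Issuer must equal the next certificate's Owner, the last certificate must be self-signed, and the entry must be a PrivateKeyEntry. The sample listing is constructed from the names shown on the page, not a real keystore dump.

```python
"""Added example (not from the BridgeGate page): parse `keytool -v -list`
output and verify the chain ordering the import procedures ask you to
confirm by hand.

Assumption: the listing uses the 'Alias name:' / 'Entry type:' / 'Owner:'
/ 'Issuer:' text layout shown on the page.  The sample below is
constructed from the page's names and is not a real keystore dump.
"""
import re

SAMPLE_LISTING = """\
Keystore type: PKCS12
Keystore provider: SunJSSE

Your keystore contains 1 entry

Alias name: bridgegate_hub
Creation date: Jul 14, 2014
Entry type: PrivateKeyEntry
Certificate chain length: 3
Certificate[1]:
Owner: CN=Bridgegate_HUB ClientSystem, OU=IT, O=ICA, L=Nashville, ST=TN, C=US
Issuer: CN=uat CA, OU=IT, O=ICA, L=Nashville, ST=TN, C=US
Certificate[2]:
Owner: CN=uat CA, OU=IT, O=ICA, L=Nashville, ST=TN, C=US
Issuer: CN=ICA Root CA, OU=IT, O=ICA, L=Nashville, ST=TN, C=US
Certificate[3]:
Owner: CN=ICA Root CA, OU=IT, O=ICA, L=Nashville, ST=TN, C=US
Issuer: CN=ICA Root CA, OU=IT, O=ICA, L=Nashville, ST=TN, C=US
"""

_ENTRY_RE = re.compile(r"^Alias name: (?P<alias>.+)$", re.M)


def parse_entries(listing):
    """Return {alias: {"type": ..., "chain": [(owner, issuer), ...]}}.

    Splits on 'Alias name:' so a multi-entry store yields one record per
    alias; entries without certificates (e.g. SecretKeyEntry) get an
    empty chain.
    """
    entries = {}
    blocks = _ENTRY_RE.split(listing)
    # split() yields: [preamble, alias1, body1, alias2, body2, ...]
    for alias, body in zip(blocks[1::2], blocks[2::2]):
        m = re.search(r"^Entry type: (.+)$", body, re.M)
        entry_type = m.group(1).strip() if m else ""
        owners = re.findall(r"^Owner: (.+)$", body, re.M)
        issuers = re.findall(r"^Issuer: (.+)$", body, re.M)
        entries[alias.strip()] = {"type": entry_type,
                                  "chain": list(zip(owners, issuers))}
    return entries


def check_chain(chain):
    """Return a list of problems with a chain in leaf-to-root order.

    Each certificate's Issuer must equal the next certificate's Owner, and
    the last certificate must be self-signed (Owner == Issuer).  An empty
    list means the chain is ordered as keytool expects.
    """
    if not chain:
        return ["no certificates in entry"]
    problems = []
    for i in range(len(chain) - 1):
        issuer = chain[i][1]
        owner_next = chain[i + 1][0]
        if issuer != owner_next:
            problems.append(
                f"Certificate[{i + 1}] issuer '{issuer}' does not match "
                f"Certificate[{i + 2}] owner '{owner_next}'")
    last_owner, last_issuer = chain[-1]
    if last_owner != last_issuer:
        problems.append("last certificate is not self-signed (root missing?)")
    return problems


def check_listing(listing, alias, expected_length=None):
    """Check the chain stored under one alias; return (ok, problems)."""
    entries = parse_entries(listing)
    if alias not in entries:
        return False, [f"alias '{alias}' not found; present: {sorted(entries)}"]
    entry = entries[alias]
    problems = check_chain(entry["chain"])
    if entry["type"] != "PrivateKeyEntry":
        problems.append(f"entry type is {entry['type']}, not PrivateKeyEntry")
    if expected_length is not None and len(entry["chain"]) != expected_length:
        problems.append(f"chain length {len(entry['chain'])} != {expected_length}")
    return not problems, problems


if __name__ == "__main__":
    ok, problems = check_listing(SAMPLE_LISTING, "bridgegate_hub", 3)
    print("OK" if ok else "\n".join(problems))
```

Feed it the out.txt written in the final verification step (`check_listing(open(path).read(), alias, 3)`); a mismatch between an Issuer and the following Owner is exactly the mis-ordered chain.tmp that the PEM procedure warns about.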

How do I set https protocols

To make TLSv1.2 the preferred protocol for outbound HTTPS connections, add the following to bg_service.conf:

wrapper.java.additional.40=-Dhttps.protocols=TLSv1.2,TLSv1.1,TLSv1

https.protocols only governs the Java HTTPS client (HttpsURLConnection), not the server connector, which is configured with sslEnabledProtocols in server.xml.  Listing TLSv1.1 and TLSv1 keeps them available as fallbacks; if all remote partners support TLSv1.2, list only that.  The index (40 here) must not collide with another wrapper.java.additional entry in the file.

What are the authentication types for BridgeGate Web Service

  • Authentication : This specifies whether authentication should be performed and, if so, what type.
    • NONE : No authentication will be performed by this BridgeGate Web Service.
    • BASIC : Choosing BASIC will reveal inputs for user name and password. These values will be stored in the workflow for comparison against values provided in the request as follows:
      • The BridgeGate Web Service will use the inbound SOAP header to identify the username and password to use for authentication.
      • BridgeGate will look for 'Username' and 'Password' in the SOAP header.
      • The Username field is assumed to be plain text.
      • The Password field is assumed to be base64 encoded.
    • BRIDGEGATE : The BridgeGate Web Service will authenticate the values provided in the request against the BridgeGate Users as follows:
      • The BridgeGate Web Service will use the inbound SOAP header to identify the username and password to use for authentication.
      • BridgeGate will look for 'Username' and 'Password' in the SOAP header.
      • The Username field is assumed to be plain text.
      • The Password field is assumed to be base64 encoded.
      • The username and password will be authenticated against the BridgeGate Users, and the Users must have BridgeGate Web Service portal permissions.

Base64 is an encoding, not encryption: anyone who can read the SOAP message can recover the password, so BASIC and BRIDGEGATE authentication must only be used over HTTPS.
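The following added example (not BridgeGate's code) shows both sides of the header exchange described above: a client that places a plain-text Username and a base64-encoded Password in the SOAP header, and a server-side check that extracts them, decodes the password and compares it in constant time against the stored value (the workflow's stored credentials for BASIC, a user store for BRIDGEGATE). Assumptions not stated on the page: the header children are un-namespaced elements named exactly Username and Password, and the credential store is the constructed USERS dict; the envelope namespace is the standard SOAP 1.1 one.

```python
"""Added example (not BridgeGate's code): build and validate the SOAP
header credentials used by the BASIC and BRIDGEGATE authentication types.

Assumptions (not stated on the page): the header elements are
un-namespaced 'Username' and 'Password'; USERS stands in for the stored
workflow credentials (BASIC) or the BridgeGate user store (BRIDGEGATE).
"""
import base64
import hmac
import xml.etree.ElementTree as ET

SOAP_NS = "http://schemas.xmlsoap.org/soap/envelope/"
ET.register_namespace("soapenv", SOAP_NS)


def build_request(username, password, body_xml):
    """Client side: wrap body_xml in an envelope whose header carries the
    credentials.  Base64 is an encoding, not encryption: the password is
    recoverable by anyone who can read the message, so send over HTTPS."""
    env = ET.Element(f"{{{SOAP_NS}}}Envelope")
    header = ET.SubElement(env, f"{{{SOAP_NS}}}Header")
    ET.SubElement(header, "Username").text = username
    ET.SubElement(header, "Password").text = base64.b64encode(
        password.encode("utf-8")).decode("ascii")
    body = ET.SubElement(env, f"{{{SOAP_NS}}}Body")
    body.append(ET.fromstring(body_xml))
    return ET.tostring(env, encoding="unicode")


def extract_credentials(envelope_xml):
    """Server side: pull Username and the decoded Password from the header.
    Returns (username, password); raises ValueError when absent/malformed."""
    root = ET.fromstring(envelope_xml)
    header = root.find(f"{{{SOAP_NS}}}Header")
    if header is None:
        raise ValueError("SOAP header missing")
    user_el = header.find("Username")
    pwd_el = header.find("Password")
    if user_el is None or pwd_el is None or not user_el.text or not pwd_el.text:
        raise ValueError("Username/Password missing from SOAP header")
    try:
        password = base64.b64decode(pwd_el.text, validate=True).decode("utf-8")
    except (ValueError, UnicodeDecodeError) as exc:
        raise ValueError("Password is not valid base64") from exc
    return user_el.text, password


def authenticate(envelope_xml, lookup):
    """Check header credentials against lookup(username) -> expected
    password or None.  Uses a constant-time compare and returns the same
    False for an unknown user and a wrong password."""
    try:
        username, password = extract_credentials(envelope_xml)
    except ValueError:
        return False
    expected = lookup(username)
    if expected is None:
        # compare against a dummy so timing does not reveal user existence
        hmac.compare_digest(password.encode("utf-8"), b"\x00" * 16)
        return False
    return hmac.compare_digest(password.encode("utf-8"), expected.encode("utf-8"))


# Constructed credential store standing in for the stored values.
USERS = {"svc_account": "Tr4dingP@rtner"}
lookup = USERS.get

if __name__ == "__main__":
    msg = build_request("svc_account", "Tr4dingP@rtner", "<ping/>")
    print(msg)
    print("authenticated:", authenticate(msg, lookup))
```

A real deployment would compare against a password hash rather than the clear-text value kept here for illustration; the constant-time comparison and the uniform failure result still apply.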

How do I verify my SSL passphrase is correct

To check that the passphrase for a key is correct (openssl prompts for the passphrase, then -check validates the decrypted RSA key's components):

openssl rsa -check -in keyfilename

To change the passphrase for a key:

openssl rsa -des3 -in keyfilename -out newkeyfilename

On current OpenSSL versions prefer -aes256 over -des3 for the new file; either way you are prompted for the old passphrase and then for the new one.