As of December 31st, 2023 ThreadFix 2.X has reached End of Life and is no longer supported. For any further information please contact the Success and Implementation team.
Importing External Site's Certificate
- Hector Ruiz (Unlicensed)
- Hruiz
- Nicholas Christiny (Unlicensed)
If you have ThreadFix set up to connect to an external integration via HTTPS, you may need to import the server's certificate into the ThreadFix server's Java keystore, even if you're not running Tomcat over HTTPS. Otherwise you may receive a, "...SunCertPathBuilderException: unable to find valid certification path to requested target..." error.
Example when connecting to AppScan Enterprise:
Obtain Cert
To import the site's cert, you'll first-of-all need the cert, which you can obtain several ways...
Using Chrome
Navigate to the site via the Chrome browser
Right-click within the page and select "Inspect"
Go to the "Security" tab and click the "View certificate" button
Go to the "Details" tab and click the "Copy to File" button
Select Base64
Save the .cer file wherever desired.
...More info here.
Using OpenSSL
You can use the following command on a headless server:
openssl s_client -connect ${HOST}:${PORT} > certfile
Root Certificate Authorities (CAs)
For some root or intermediate CAs the steps may vary. E.g., on an Active Directory Certificate Services server, the root CA may be found at http://<host-name>/certsrv/certcarc.asp, and you can download the .cer file with the text "Download CA certificate".
Root CAs will allow ThreadFix to talk to all sites with certificates pointing to the root CA. So if your company has a root CA that all of its internal servers use, import that root CA to the Java keystore with the steps below, and ThreadFix shouldn't have a cert trust issue for any of your servers.
Import Cert
After you have the cert, you can run the following command to import it into your trust store:
keytool -importcert -file certificate.cer -keystore /path/to/keystore -alias <alias>
The default path Tomcat uses for the trust store: JAVA_HOME--> lib---> security--> cacerts
On CentOS, the default path is:Â ./usr/java/jdk<VERSION>/jre/lib/security/cacerts
The default password for the Java keystore is:Â Â changeit
Examples:
Windows:
"%JAVA_HOME%\lib\security\cacerts"LINUX:
/<path of installed jre>/lib/security/cacerts
Restart Tomcat
After importing the cert, you'll need to restart Tomcat. If the restart is insufficient, you may need to specify where your trust store is by adding these parameters to your Tomcat startup:
-Djavax.net.ssl.trustStore=</path/to/trustStore> -Djavax.net.ssl.trustStorePassword=<trustStore_password>
*NIX
Edit file "tomcat.service"
Modify line:
Environment='JAVA_OPTS=-Djava.awt.headless=true -Djava.security.egd=file:/dev/./urandom -Djavax.net.ssl.trustStore=</path/to/trustStore> -Djavax.net.ssl.trustStorePassword=<trustStore_password>'
Windows
www.threadfix.it | www.coalfire.com
Copyright © 2024 Coalfire. All rights reserved.
This Information Security Policy is CoalFire - Public: Distribution of this material is not limited.