As of December 31st, 2023 ThreadFix 2.X has reached End of Life and is no longer supported. For any further information please contact the Success and Implementation team.

Importing External Site's Certificate

If ThreadFix connects to an external integration over HTTPS, you may need to import that server's certificate into the Java trust store of the JVM running ThreadFix. Java validates outbound TLS connections against its own trust store (cacerts), not the operating system's certificate store, so this applies even if you are not running Tomcat itself over HTTPS. Otherwise you may receive a "...SunCertPathBuilderException: unable to find valid certification path to requested target..." error.

Example when connecting to AppScan Enterprise:



Obtain Cert

To import the site's cert you first need the cert itself, which you can obtain in several ways:

Using Chrome

  1. Navigate to the site via the Chrome browser

  2. Right-click within the page and select "Inspect"

  3. Go to the "Security" tab and click the "View certificate" button

  4. Go to the "Details" tab and click the "Copy to File" button

  5. Select Base64

  6. Save the .cer file wherever desired.

...More info here.

Using OpenSSL

You can use the following command on a headless server. (The bare form "openssl s_client -connect ${HOST}:${PORT} > certfile" waits on stdin and writes the whole handshake transcript into certfile, so this version reads stdin from /dev/null and keeps only the certificate block; -servername sends the host name via SNI so a server hosting several names returns the right certificate.)

openssl s_client -connect ${HOST}:${PORT} -servername ${HOST} </dev/null 2>/dev/null | openssl x509 -outform PEM > certfile

This writes only the server's own certificate. Add -showcerts to the s_client command if you also want the intermediate CAs the server sends; openssl x509 keeps only the first certificate of its input, so in that case save the transcript and cut out the block you want.

Root Certificate Authorities (CAs)

For some root or intermediate CAs the steps may vary. E.g., on an Active Directory Certificate Services server, the root CA may be found at http://<host-name>/certsrv/certcarc.asp, and you can download the .cer file with the text "Download CA certificate".

Importing a root CA lets ThreadFix talk to every site whose certificate chains to that root. So if your company has an internal root CA that all of its servers use, import that root CA into the Java keystore with the steps below and ThreadFix should not have a certificate trust issue with any of those servers. Importing an individual server certificate instead pins trust to that one certificate, so the import has to be repeated whenever it is renewed.



Import Cert

After you have the cert, run the following command to import it into your trust store. keytool asks "Trust this certificate? [no]:", so answer yes (or add -noprompt when scripting); the alias must be unique within the keystore:

keytool -importcert -file certificate.cer -keystore /path/to/keystore -alias <alias>



The default trust store Tomcat uses is the one of the JVM it runs on: $JAVA_HOME/lib/security/cacerts on Java 9 and later, or under the bundled JRE on Java 8 and earlier JDK installs, $JAVA_HOME/jre/lib/security/cacerts.

On CentOS with a Java 8 JDK, the default path is: /usr/java/jdk<VERSION>/jre/lib/security/cacerts

The default password for the Java keystore is:   changeit

Examples:

  • Windows: "%JAVA_HOME%\lib\security\cacerts"

  • Linux: /<path of installed jre>/lib/security/cacerts

If more than one Java is installed, make sure you import into the cacerts of the JVM that actually starts Tomcat (the one named by JAVA_HOME or JRE_HOME in Tomcat's startup environment); importing into another JVM's store is a common reason the error persists after a restart.
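As an added example (not from the ThreadFix documentation and not a Coalfire script), the following POSIX shell script strings the "Obtain Cert" and "Import Cert" steps together: it fetches the chain with openssl the way a headless server would, splits it into one PEM file per certificate so you can pick the CA rather than the leaf, and imports the chosen file with keytool. The host name, keystore path and alias are placeholders, and the s_client session embedded in the script is constructed so the splitting step can be tried without network access.

```sh
#!/bin/sh
# Added example, not part of the ThreadFix documentation: fetch the certificate
# chain a TLS server presents, split it into one PEM file per certificate, and
# import the chosen certificate into a Java trust store with keytool.
# Host names, keystore paths and aliases below are placeholders.
set -eu

# Raw s_client session for HOST:PORT. Reading stdin from /dev/null stops
# s_client from waiting for input; -servername sends SNI so a virtual host
# returns its own certificate; -showcerts prints the whole chain, not just
# the server's own certificate.
fetch_chain() {
  host=$1; port=${2:-443}
  openssl s_client -connect "$host:$port" -servername "$host" -showcerts \
    </dev/null 2>/dev/null
}

# Read an s_client session on stdin; write cert1.pem, cert2.pem, ... into DIR.
# cert1 is the server's own certificate; the last file is the highest CA the
# server sent (usually an intermediate; servers rarely send the root itself).
# Prints the number of certificates found.
split_chain() {
  dir=$1
  mkdir -p "$dir"
  awk -v dir="$dir" '
    /-----BEGIN CERTIFICATE-----/ { n++; out = sprintf("%s/cert%d.pem", dir, n) }
    out != ""                     { print > out }
    /-----END CERTIFICATE-----/   { close(out); out = "" }
    END                           { print n + 0 }
  '
}

# Import PEM into KEYSTORE under ALIAS. -noprompt answers the interactive
# "Trust this certificate? [no]:" question; the stock cacerts password is
# "changeit" (set STOREPASS to override).
import_cert() {
  keytool -importcert -noprompt -file "$1" -keystore "$2" -alias "$3" \
    -storepass "${STOREPASS:-changeit}"
}

# Print the entry keytool stored under ALIAS, to confirm the import landed
# in the store you meant (the one of the JVM that actually runs Tomcat).
show_entry() {
  keytool -list -keystore "$1" -alias "$2" -storepass "${STOREPASS:-changeit}"
}

# Constructed s_client-style session used for the offline demo (the base64
# bodies are placeholders, not real certificates).
SAMPLE_SESSION='CONNECTED(00000003)
Certificate chain
 0 s:CN = appscan.example.com
   i:CN = Example Issuing CA
-----BEGIN CERTIFICATE-----
MIIB...leaf...
-----END CERTIFICATE-----
 1 s:CN = Example Issuing CA
   i:CN = Example Root CA
-----BEGIN CERTIFICATE-----
MIIB...issuingca...
-----END CERTIFICATE-----
---
Server certificate
subject=CN = appscan.example.com
---'

if [ "$#" -eq 4 ]; then
  # ./import-ca.sh HOST PORT /path/to/cacerts ALIAS : fetch the chain, then
  # import its last certificate (the one closest to the root).
  tmp=$(mktemp -d)
  count=$(fetch_chain "$1" "$2" | split_chain "$tmp")
  echo "server sent $count certificate(s); importing cert$count.pem"
  import_cert "$tmp/cert$count.pem" "$3" "$4"
  show_entry "$3" "$4"
  rm -rf "$tmp"
elif [ "$#" -eq 0 ]; then
  # No arguments: split the constructed sample and list the files produced.
  tmp=$(mktemp -d)
  count=$(printf '%s\n' "$SAMPLE_SESSION" | split_chain "$tmp")
  echo "sample session contained $count certificate(s):"
  ls "$tmp"
  rm -rf "$tmp"
fi
```

Run it with no arguments to split the constructed sample; with HOST PORT /path/to/cacerts ALIAS it fetches and imports for real. Back up cacerts before importing, and point the script at the cacerts of the JVM Tomcat actually starts with; if the server only sends its own certificate (count of 1), what you import is the leaf, which will need re-importing when that certificate is renewed.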


Restart Tomcat

After importing the cert, restart Tomcat so the JVM reloads the trust store. If the error persists after the restart, the JVM may be reading a different store than the one you imported into; you can specify the store explicitly by adding these parameters to Tomcat's startup options (for example via CATALINA_OPTS):

-Djavax.net.ssl.trustStore=</path/to/trustStore>
-Djavax.net.ssl.trustStorePassword=<trustStore_password>

Note that these properties replace the default cacerts rather than adding to it, so the store you point at must already contain every CA ThreadFix needs, including the public ones. The simplest approach is to copy cacerts, import into the copy, and point the JVM at the copy.

*NIX

  • Edit file "tomcat.service"

  • Modify line:

Windows



www.threadfix.it | www.coalfire.com
Copyright © 2024 Coalfire. All rights reserved.

This Information Security Policy is CoalFire - Public: Distribution of this material is not limited.