Certificate Installation Question - Java (Newbie)

Technical questions relating to the iVeri WebService integration

Certificate Installation Question - Java (Newbie)

by StephenBooysen Fri May 13, 2016 7:06 am
Hi guys,

We recently had to renew a certificate, but I think the process will be the same for a new certificate.

Current setup
- Java
- Webservices implementation
- Ubuntu 15

We attempted to use the Iveri client (java) to renew the certificate. Unfortunately this timed out and the call center told me to rather use the portal to issue and retrieve the certificate.

I was able to to issue a new certificate. But from here it gets a bit vague and this is where the newbie thing comes in.

Please can you advise on the following steps on installing the certificate (new/renewed)

1. In then Nedsure Portal, navigate to the certificate that has been renewed and download all 3 (root, intermediate, p12)
2. Do we combine all the certificates using $ openssl pkcs12 -in elemxxx.Root .cert -out iveri.keys?
3. Is the intermediate certificate combined with the root certificate?
4. Is the p12 certificate combined with with root and intermediate?
5. After the combination of the certs do we use openssl above to generate a file called iVeri.keys? (case sensitive?)
6. Does the file only need to be copied to /usr/lib/jvm/{java version}/jre/lib/iveri/security/iVeri.keys?
7. Update the engineering to specify the new certificate id for the requests to Iveri

It appears, from the call center, that I dont have to use the iveryclient at all, including the installation of the certificate. Is this true?

Thanks guys, apologies for the low level questions but I want to ensure a repeatable stable process

Stephen Booysen
Posts
3
Joined
Fri Feb 26, 2016 9:26 am

Re: Certificate Installation Question - Java (Newbie)

by samora Mon May 16, 2016 11:22 am
What is the version of iVeri Client that you are making use of?

- Webservices implementation

Since you are making use of the iVeri Webservice, can you please confirm you service endpoint?
Posts
54
Joined
Thu Sep 17, 2015 3:29 pm

Re: Certificate Installation Question - Java (Newbie)

by StephenBooysen Mon May 16, 2016 12:24 pm
What is the version of iVeri Client that you are making use of?


The certificates were initially downloaded using iVeriClient243.jar on our QA servers but I believe that when using webservices the iVeriClient becomes irrelevant?

Since you are making use of the iVeri Webservice, can you please confirm you service endpoint?


https://portal.nedsecure.co.za/iVeriWeb ... rvice.asmx
Posts
3
Joined
Fri Feb 26, 2016 9:26 am

Re: Certificate Installation Question - Java (Newbie)

by samora Tue May 17, 2016 8:50 am
StephenBooysen wrote:
The certificates were initially downloaded using iVeriClient243.jar on our QA servers but I believe that when using webservices the iVeriClient becomes irrelevant?

https://portal.nedsecure.co.za/iVeriWeb ... rvice.asmx


Correct. You can request for a new certificate in Backoffice.
Posts
54
Joined
Thu Sep 17, 2015 3:29 pm

Re: Certificate Installation Question - Java (Newbie)

by StephenBooysen Tue May 17, 2016 11:03 am
Thanks that is great.

Can you please provide in detail the process of retrieving and the certificates and installing them on an ubuntu server?

Stephen
Posts
3
Joined
Fri Feb 26, 2016 9:26 am

Re: Certificate Installation Question - Java (Newbie)

by samora Tue May 17, 2016 1:59 pm
StephenBooysen wrote:Thanks that is great.

Can you please provide in detail the process of retrieving and the certificates and installing them on an ubuntu server?

Stephen


Stephan, there is no specific way of installing these certificates for webservices. You need to store it in a place where you can access it from your code, provided that you are pass it on the connection string.
Posts
54
Joined
Thu Sep 17, 2015 3:29 pm

Re: Certificate Installation Question - Java (Newbie)

by Stephen Wed May 25, 2016 1:05 am
Hi.

This should help you get your cerificate in order, I also had some trouble getting the certificates setup. This should answer your questions as well.

How to renew a cert using WebServices

  • Login to Backoffice.
  • click Enterprise-> Request.
  • Generate the certificate-ID, click Enterprise-> Request (please don't navigate away from this page after generating the ID till you submit the Certificate Signing Request).
  • OpenSSL
    • Add the path to openssl.exe command to the Path system variable and create a folder where you will be working from then navigate to the required folder before running the below OpenSSL command.
    • Run the following command in OpenSSL. NOTE: Use you own information when prompted for but make sure that when prompted for the Common Name you use the Certificate ID generated in Backoffice. I have also given an example below

      openssl req -out CSR.csr -new -newkey rsa:1024 -nodes -keyout privatekey.key

      Example Prompts
      Country Name (2 letter code) [AU]:ZA
      State or Province Name (full name) [Some-State]: Gauteng
      Locality Name (eg, city) []:Johannesburg
      Organization Name (eg, company) [Internet Widgits Pty Ltd]: Nedbank
      Organizational Unit Name (eg, section) []:Development
      Common Name (eg, YOUR name) []:{00000000-0000-0000-0000-000000000000} certificate id generated using BackOffice
      Email Address []: ….

      Please enter the following 'extra' attributes
      to be sent with your certificate request
      A challenge password []:
      An optional company name []:

  • paste the certificate signing request(the contents of the .csr file that can be viewed using a text editor) on the Backoffice page(Where you generated the certificate ID).
  • Click Submit.
  • Login to Backoffice again then click Enterprise-> Retrieve then download the xxxx-xxx-xxx-xxx.p7b and save it in the same working directory that you created above.
  • OpenSSL
    Run The following Commands in OpenSSL
    openssl pkcs7 -print_certs -in xxxx-xxx-xxx-xxx.p7b -out xxxx-xxx-xxx-xxx.cero
    Note: replace the 'xxxx-xxx-xxx-xxx.p7b' with the actual issued certificate file name.

    openssl pkcs12 -export -in xxxx-xxx-xxx-xxx.cero -inkey privateKey.key -out xxxx-xxx-xxx-xxx.pfx
    The above command will cause openssl to prompt you for the password to use export the private key along with the certificate. This password will be used when importing the certificate.
    Loading 'screen' into random state - done
    Enter Export Password:
    Verifying - Enter Export Password:
    openssl pkcs12 -in xxxx-xxx-xxx-xxx.pfx -out xxxx-xxx-xxx-xxx.pem -nodes
    The above command will cause openssl to prompt you for the password that you entered previously to export the certificate.

    Enter Import Password:
    MAC verified OK

  • Place this(xxxx-xxx-xxx-xxx.pem) certificate where you can reference it from your code(This could be the same directory as your payment page).
  • Now you should be able to use this .pem certificate on your integration.
Posts
11
Joined
Tue Mar 22, 2016 4:03 pm

Sort By

Jump To