Adobe Experience Manager Sites & More

KRenuka · 5/8/24

Hello

I'm trying to upload idp certificate in global trust store to configure SSO in aem 6.5 author using curl command. I copied the cert in a directory in Amazon Linux server and tried running few curl commands in the same directory to upload cert but the commands are not working.

Facing issues with ipd cert upload using curl cmd other curl commands for integrating SSO, installing aem, replication agants curl is working fine.

Can you please help me in knowing the curl command for idp certificate upload?

Thanks in advance.

Madhur-Madan · 5/9/24

Hi @KRenuka ,
You can try the following steps below

With Basic Authentication:

If your AEM instance requires basic authentication (username and password), you can use the following curl command:
```
curl -u admin:admin -F "certificate=@/path/to/idp_certificate.crt" -F "alias=my_idp_cert" http://localhost:4502/libs/granite/security/truststore.json
```
1. Replace admin:admin with your AEM admin credentials.
2. Adjust the path to your IDP certificate file (idp_certificate.crt).
3. Set a unique alias for your certificate (e.g., my_idp_cert).
4. Modify the AEM instance URL (http://localhost:4502) as needed.

With Client Certificate Authentication:

If your AEM instance uses client certificate authentication, you’ll need to provide both the client certificate and key.
The --cert option specifies the client certificate, and the --key option specifies the private key associated with the certificate.
Example:
```
curl -v --cert /path/to/client_cert.pem --key /path/to/client_key.pem --pass my_password -F "certificate=@/path/to/idp_certificate.crt" -F "alias=my_idp_cert" https://localhost:4502/libs/granite/security/truststore.json
```
1. Replace /path/to/client_cert.pem and /path/to/client_key.pem with the actual paths to your client certificate and key files.
2. Set the correct password for the private key (my_password).
3. Adjust the AEM instance URL (https://localhost:4502) as needed.

Thanks,
Madhur

KRenuka · 5/9/24

Thanks for the response Madhur.

I am using Basic AUthentication and when I try below curl cmd with my credentials and values, I am getting below error in console

ERROR:

<!DOCTYPE HTML PUBLIC "-//IETF//DTD HTML 2.0//EN">
<html>
<head><title>500 Cannot adapt to user from path [/libs/granite/security/truststore.json]</title></head>
<body>
<h1>Cannot adapt to user from path [/libs/granite/security/truststore.json]</h1>
<p>Cannot serve request to /libs/granite/security/truststore.json on this server</p>

<hr>
<address>Apache Sling</address>
</body>
</html>

curl -u admin:admin -F "certificate=@/path/to/idp_certificate.crt" -F "alias=my_idp_cert" http://localhost:4502/libs/granite/security/truststore.json

Madhur-Madan · 5/10/24

Hi @KRenuka ,
There are several reasons which could generate the error. You can try the below mentioned steps to debug.

Verify that the URL path is correct. Make sure that /libs/granite/security/truststore.json exists in your AEM instance.
You can manually check this by navigating to http://localhost:4502/libs/granite/security/truststore.json in your web browser.
Confirm that the user account (admin in your case) has the necessary permissions to upload certificates to the truststore.
Also check if the user has the appropriate permissions for the /libs/granite/security/truststore.json resource.

To debug further, try using the -v option with curl to get verbose output. This will show additional details about the request and response.

curl -v -u admin:admin -F "certificate=@/path/to/idp_certificate.crt" -F "alias=my_idp_cert" http://localhost:4502/libs/granite/security/truststore.json

Check the AEM logs for any relevant error messages related to truststore operations.

Replace placeholders like /path/to/idp_certificate.crt and my_idp_cert with the actual values.

KRenuka · 5/10/24

@Madhur-Madan

I am able to access /libs/granite/security/truststore.json page with my user creds having admin access from gui and also using curl cmd.
curl -u admin:admin http://localhost:4502/libs/granite/security/truststore.json
But unable to update any values using the above cmd, getting below error
<!DOCTYPE HTML PUBLIC "-//IETF//DTD HTML 2.0//EN">
<html>
<head><title>500 Cannot adapt to user from path [/libs/granite/security/truststore.json]</title></head> <body>
<h1>Cannot adapt to user from path [/libs/granite/security/truststore.json]</h1> <p>Cannot serve request to /libs/granite/security/truststore.json on this server</p>
<hr>
<address>Apache Sling</address> </body>
And I am able to update the values for http://localhost:4502/libs/granite/security/content/truststore.json page but unable to update for actual page http://localhost:4502/libs/granite/security/truststore.json

Madhur-Madan · 5/13/24

Hi @KRenuka ,

That’s expected behavior. In AEM, the /libs/granite/security/content/truststore.json endpoint is designed for write operations, such as updating or adding certificates to the truststore.
On the other hand, the /libs/granite/security/truststore.json endpoint is typically used for read operations, like viewing the truststore.

So, if you’re trying to upload an Identity Provider (IdP) certificate to the global truststore in AEM to configure Single Sign-On (SSO), you should use the /libs/granite/security/content/truststore.json endpoint.

KRenuka · 5/13/24

@Madhur-Madan
I am able to update cert alias under /libs/granite/security/content/truststore.json using curl cmd but the certificate is not getting uploaded in trust store.

Unable to find cert details below:

Jon-Starling · 5/19/24

I am facing the same issue...

curl -k -s -u "admin:**********" -F "certificate=@/DevOps/Main/config-files/certs/sso/sso-certs/_.esso-uat.********.cer" -F "alias=admin" https://*******************/libs/granite/security/content/truststore.json

I get the response back...

<html>
<head>
<title>Content modified /libs/granite/security/content/truststore</title>
</head>
<body>
<h1>Content modified /libs/granite/security/content/truststore</h1>
<table>
<tbody>
<tr>
<td>Status</td>
<td><div id="Status">200</div></td>
</tr>
<tr>
<td>Message</td>
<td><div id="Message">OK</div></td>
</tr>
<tr>
<td>Location</td>
<td><a href="/libs/granite/security/content/truststore" id="Location">/libs/granite/security/content/truststore</a></td>
</tr>
<tr>
<td>Parent Location</td>
<td><a href="/libs/granite/security/content" id="ParentLocation">/libs/granite/security/content</a></td>
</tr>
<tr>
<td>Path</td>
<td><div id="Path">/libs/granite/security/content/truststore</div></td>
</tr>
<tr>
<td>Referer</td>
<td><div id="Referer"></div></td>
</tr>
<tr>
<td>ChangeLog</td>
<td><div id="ChangeLog"><pre>modified("/libs/granite/security/content/truststore/certificate/jcr:lastModified");<br/>modified("/libs/granite/security/content/truststore/certificate/jcr:mimeType");<br/>modified("/libs/granite/security/content/truststore/certificate/jcr:data");<br/>modified("/libs/granite/security/content/truststore/alias");<br/></pre></div></td>
</tr>
</tbody>
</table>
<p><a href="/libs/granite/security/content/truststore">Modified Resource</a></p>
<p><a href="/libs/granite/security/content">Parent of Modified Resource</a></p>
</body>
</html>

So it looks fine

But no cert when I go to the global trust store

Does it need a restart of the instance?

I do notice it doesn't seem to give the user to map to in the command - could that be the issue? I always have to map it to the admin user to make it work when I do it manually.

I tried to look at the payload when I do it manually and get this...

certificate: (binary)
userPath:
userPath@Delete:
:cq_csrf_token:
eyJleHAiOjE3MTYxMDE3MzcsImlhdCI6MTcxNjEwMTEzN30.7d6EENxcEF_bKETDrOh70DeZEIu7p5DutVtgPRvve50

I tried adding in as a real shot in the dark...

-F "userPath=" -F "userPath@Delete="

But nothing

When I go to the authentication service it has no keystore using the curl

when I do it manually it still does not have one where as in a current environment that works it shows one is there but no actual cert listed.

I have a command which does seem to create the global trust store but I was trying then to add a package with the certs and that was getting wiped out. Seems to be a dead end

kautuk_sahni · 5/16/24

@KRenuka Did you find the suggestions helpful? Please let us know if more information is required. Otherwise, please mark the answer as correct for posterity. If you have found out solution yourself, please share it with the community.