As soon as I import the first key with keytool into the wso2carbon.jks file (and I restart the service) my service already fails to launch properly and logs the following error:
TID: [0] [EMM] [2014-03-06 23:46:42,106] ERROR {org.wso2.carbon.databridge.receiver.thrift.internal.ThriftDataReceiverDS} - Can not create and start Agent Server {org.wso2.carbon.databridge.receiver.thrift.internal.ThriftDataReceiverDS}
org.wso2.carbon.databridge.core.exception.DataBridgeException: Cannot start agent server on port 7711
at org.wso2.carbon.databridge.receiver.thrift.internal.ThriftDataReceiver.startSecureEventTransmission(ThriftDataReceiver.java:129)
at org.wso2.carbon.databridge.receiver.thrift.internal.ThriftDataReceiver.start(ThriftDataReceiver.java:101)
at org.wso2.carbon.databridge.receiver.thrift.internal.ThriftDataReceiverDS.activate(ThriftDataReceiverDS.java:96)
at sun.reflect.NativeMethodAccessorImpl.invoke0(Native Method)
at sun.reflect.NativeMethodAccessorImpl.invoke(NativeMethodAccessorImpl.java:57)
at sun.reflect.DelegatingMethodAccessorImpl.invoke(DelegatingMethodAccessorImpl.java:43)
at java.lang.reflect.Method.invoke(Method.java:606)
at org.eclipse.equinox.internal.ds.model.ServiceComponent.activate(ServiceComponent.java:260)
at org.eclipse.equinox.internal.ds.model.ServiceComponentProp.activate(ServiceComponentProp.java:146)
at org.eclipse.equinox.internal.ds.model.ServiceComponentProp.build(ServiceComponentProp.java:347)
at org.eclipse.equinox.internal.ds.InstanceProcess.buildComponent(InstanceProcess.java:620)
at org.eclipse.equinox.internal.ds.InstanceProcess.buildComponents(InstanceProcess.java:197)
at org.eclipse.equinox.internal.ds.Resolver.getEligible(Resolver.java:343)
at org.eclipse.equinox.internal.ds.SCRManager.serviceChanged(SCRManager.java:222)
at org.eclipse.osgi.internal.serviceregistry.FilteredServiceListener.serviceChanged(FilteredServiceListener.java:107)
at org.eclipse.osgi.framework.internal.core.BundleContextImpl.dispatchEvent(BundleContextImpl.java:861)
at org.eclipse.osgi.framework.eventmgr.EventManager.dispatchEvent(EventManager.java:230)
at org.eclipse.osgi.framework.eventmgr.ListenerQueue.dispatchEventSynchronous(ListenerQueue.java:148)
at org.eclipse.osgi.internal.serviceregistry.ServiceRegistry.publishServiceEventPrivileged(ServiceRegistry.java:819)
at org.eclipse.osgi.internal.serviceregistry.ServiceRegistry.publishServiceEvent(ServiceRegistry.java:771)
at org.eclipse.osgi.internal.serviceregistry.ServiceRegistrationImpl.register(ServiceRegistrationImpl.java:130)
at org.eclipse.osgi.internal.serviceregistry.ServiceRegistry.registerService(ServiceRegistry.java:214)
at org.eclipse.osgi.framework.internal.core.BundleContextImpl.registerService(BundleContextImpl.java:433)
at org.eclipse.osgi.framework.internal.core.BundleContextImpl.registerService(BundleContextImpl.java:451)
at org.wso2.carbon.core.init.CarbonServerManager.initializeCarbon(CarbonServerManager.java:517)
at org.wso2.carbon.core.init.CarbonServerManager.start(CarbonServerManager.java:219)
at org.wso2.carbon.core.internal.CarbonCoreServiceComponent.activate(CarbonCoreServiceComponent.java:77)
at sun.reflect.NativeMethodAccessorImpl.invoke0(Native Method)
at sun.reflect.NativeMethodAccessorImpl.invoke(NativeMethodAccessorImpl.java:57)
at sun.reflect.DelegatingMethodAccessorImpl.invoke(DelegatingMethodAccessorImpl.java:43)
at java.lang.reflect.Method.invoke(Method.java:606)
at org.eclipse.equinox.internal.ds.model.ServiceComponent.activate(ServiceComponent.java:260)
at org.eclipse.equinox.internal.ds.model.ServiceComponentProp.activate(ServiceComponentProp.java:146)
at org.eclipse.equinox.internal.ds.model.ServiceComponentProp.build(ServiceComponentProp.java:347)
at org.eclipse.equinox.internal.ds.InstanceProcess.buildComponent(InstanceProcess.java:620)
at org.eclipse.equinox.internal.ds.InstanceProcess.buildComponents(InstanceProcess.java:197)
at org.eclipse.equinox.internal.ds.Resolver.getEligible(Resolver.java:343)
at org.eclipse.equinox.internal.ds.SCRManager.serviceChanged(SCRManager.java:222)
at org.eclipse.osgi.internal.serviceregistry.FilteredServiceListener.serviceChanged(FilteredServiceListener.java:107)
at org.eclipse.osgi.framework.internal.core.BundleContextImpl.dispatchEvent(BundleContextImpl.java:861)
at org.eclipse.osgi.framework.eventmgr.EventManager.dispatchEvent(EventManager.java:230)
at org.eclipse.osgi.framework.eventmgr.ListenerQueue.dispatchEventSynchronous(ListenerQueue.java:148)
at org.eclipse.osgi.internal.serviceregistry.ServiceRegistry.publishServiceEventPrivileged(ServiceRegistry.java:819)
at org.eclipse.osgi.internal.serviceregistry.ServiceRegistry.publishServiceEvent(ServiceRegistry.java:771)
at org.eclipse.osgi.internal.serviceregistry.ServiceRegistrationImpl.register(ServiceRegistrationImpl.java:130)
at org.eclipse.osgi.internal.serviceregistry.ServiceRegistry.registerService(ServiceRegistry.java:214)
at org.eclipse.osgi.framework.internal.core.BundleContextImpl.registerService(BundleContextImpl.java:433)
at org.eclipse.equinox.http.servlet.internal.Activator.registerHttpService(Activator.java:81)
at org.eclipse.equinox.http.servlet.internal.Activator.addProxyServlet(Activator.java:60)
at org.eclipse.equinox.http.servlet.internal.ProxyServlet.init(ProxyServlet.java:40)
at org.wso2.carbon.tomcat.ext.servlet.DelegationServlet.init(DelegationServlet.java:38)
at org.apache.catalina.core.StandardWrapper.initServlet(StandardWrapper.java:1267)
at org.apache.catalina.core.StandardWrapper.loadServlet(StandardWrapper.java:1186)
at org.apache.catalina.core.StandardWrapper.load(StandardWrapper.java:1081)
at org.apache.catalina.core.StandardContext.loadOnStartup(StandardContext.java:5027)
at org.apache.catalina.core.StandardContext.startInternal(StandardContext.java:5314)
at org.apache.catalina.util.LifecycleBase.start(LifecycleBase.java:150)
at org.apache.catalina.core.ContainerBase$StartChild.call(ContainerBase.java:1559)
at org.apache.catalina.core.ContainerBase$StartChild.call(ContainerBase.java:1549)
at java.util.concurrent.FutureTask$Sync.innerRun(FutureTask.java:334)
at java.util.concurrent.FutureTask.run(FutureTask.java:166)
at java.util.concurrent.ThreadPoolExecutor.runWorker(ThreadPoolExecutor.java:1145)
at java.util.concurrent.ThreadPoolExecutor$Worker.run(ThreadPoolExecutor.java:615)
at java.lang.Thread.run(Thread.java:724)
Caused by: org.wso2.carbon.databridge.commons.exception.TransportException: Thrift transport exception occurred
at org.wso2.carbon.databridge.receiver.thrift.internal.ThriftDataReceiver.startSecureEventTransmission(ThriftDataReceiver.java:150)
at org.wso2.carbon.databridge.receiver.thrift.internal.ThriftDataReceiver.startSecureEventTransmission(ThriftDataReceiver.java:127)
... 63 more
Caused by: org.apache.thrift.transport.TTransportException: Error creating the transport
at org.apache.thrift.transport.TSSLTransportFactory.createSSLContext(TSSLTransportFactory.java:201)
at org.apache.thrift.transport.TSSLTransportFactory.getServerSocket(TSSLTransportFactory.java:102)
at org.wso2.carbon.databridge.receiver.thrift.internal.ThriftDataReceiver.startSecureEventTransmission(ThriftDataReceiver.java:146)
... 64 more
Caused by: java.security.UnrecoverableKeyException: Cannot recover key
at sun.security.provider.KeyProtector.recover(KeyProtector.java:328)
at sun.security.provider.JavaKeyStore.engineGetKey(JavaKeyStore.java:138)
at sun.security.provider.JavaKeyStore$JKS.engineGetKey(JavaKeyStore.java:55)
at java.security.KeyStore.getKey(KeyStore.java:792)
at sun.security.ssl.SunX509KeyManagerImpl.<init>(SunX509KeyManagerImpl.java:131)
at sun.security.ssl.KeyManagerFactoryImpl$SunX509.engineInit(KeyManagerFactoryImpl.java:68)
at javax.net.ssl.KeyManagerFactory.init(KeyManagerFactory.java:259)
at org.apache.thrift.transport.TSSLTransportFactory.createSSLContext(TSSLTransportFactory.java:187)
... 66 more
I've tried all sorts of things with the certificates for weeks now, but I have failed to set up a completely running service.
Can anyone please help me through the certificate handling step by step, because following the manual apparently brings no success for some reason.
Remark: I don't have an iOS certificate and I generated all my certificates with OpenSSL by following the WSO2 manual.
I executed this command to generate this specific (KEYSTORE) p12 file for import in wso2carbon.jks.
Do I first need to manually delete all jks files in that folder, or should I import into the existing files for one?
What else might I be doing wrong?
Thanks for the support.
Based on your older questions I assume you are trying to configure the Android management part. Most of the certificate-related stuff in the document is associated with iOS. If you want to try out the Android configuration you can skip most of the parts in that. Simply skip the CA/RA generations.
When configuring Android, the only place you need a keystore is to configure the Android agent app. You can find the step-by-step configuration at Android client configurations. This link points to the iOS CA generation since that step is already followed if you configure both iOS and Android. Otherwise you just have to execute these commands.
openssl genrsa -out <CA PRIVATE KEY> 4096
For example: openssl genrsa -out ca_private.key 4096
openssl req -new -key <CA PRIVATE KEY> -out <CA CSR>
For example: openssl req -new -key ca_private.key -out ca.csr
openssl x509 -req -days <DAYS> -in <CA CSR> -signkey <CA PRIVATE KEY> -out <CA CRT> -extensions v3_ca
For example: openssl x509 -req -days 365 -in ca.csr -signkey ca_private.key -out ca.crt -extensions v3_ca
openssl rsa -in <CA PRIVATE KEY> -text > <CA PRIVATE PEM>
For example: openssl rsa -in ca_private.key -text > ca_private.pem
openssl x509 -in <CA CRT> -out <CA CERT PEM>
For example: openssl x509 -in ca.crt -out ca_cert.pem
At the end of the above commands you should have a ca_cert.pem with you.
Now you need to export this CA file into PKCS12. The command is as follows.
openssl pkcs12 -export -out ca.p12 -inkey ca_private.pem -in ca_cert.pem -name "cacert"
Now you get the ca.p12 file.
Just execute the following command to create a keystore file.
keytool -importkeystore -srckeystore ca.p12 -srcstoretype PKCS12 -destkeystore wso2mobilemdm.jks
As mentioned in my other thread wso2-mdm-android-agent-issue you can either rename this to the bks file format or you can use Portecle to convert this to bks, since Android expects you to make the keystore file in BouncyCastle format. Then embed this bks as mentioned in the doc and recompile the Android agent code.
To start, it's better you clear everything and get a fresh WSO2 EMM zip file. Extract it and start from scratch. From your log, what I feel is your existing wso2carbon.jks is corrupted. When generating, do not import your generated CA into it; use a new keystore file as I mentioned in the last step.
Hope this helps.
Try this,
First try connecting to the server with HTTP protocol. Simply change the SERVER_PORT to 9763 and SERVER_PROTOCOL to http:// in the CommonUtilities.java file in MDM Agent.
If it's successful, then check your BKS generation options, especially the host name. It is the only place where it can go wrong. Try the above and let us know the result.
I struggled with this as well, but finally figured it out. I debugged the app, and found the BKS gets checked when you select the IP on the mobile device, and if it fails, it doesn't error out. This however means the authentication is still not working, and you get the error when you input the next few screens before it even attempts to connect. To fix this, I did the following :-
Prepare a separate folder. DO NOT CREATE THE CERTS YET!
Copy the following files from your \repository\resources\security folder :-
client-truststore.jks
wso2carbon.jks
Since the jks files are in the temp folder now, also ensure to back them up
Run the above from Dilshan in order (use the examples, they work fine)
When prompted for Country etc., for your "Common name", make that your server IP address on your test environment. This is very important.
For the "Challenge password" after asking for "Common name" etc., leave it blank. Only on this one though!
For all other password prompts, enter wso2carbon for simplicity's sake.
By following the above, the 3 JKS files (a new one called wso2mobilemdm.jks is also present now) will now be updated with the new certs. Copy them, and the *.p12 files, back to \repository\resources\security
This takes care of the server part. Just edit the mdm-config.xml under \repository\conf, and unlike the document, remember I made all the passwords uniform above to make it easier, so ensure they are set as wso2carbon. Ignore the iOS parts, just the "Keystore section" needs to be completed.
Also, edit the sso-idp-config.xml, and change the IP addresses as needed.
Now, to the BKS. This part is just vaguely mentioned in the documents. Get bcprov-jdk15on-146.jar downloaded. Copy this to your current temp folder for simplicity's sake. I tried the bcprov-jdk15on-150.jar but it didn't work for some reason.
Run this now within this folder (My Keytool path is messed up since I have multiple versions of Java running):-
"%JAVA_HOME%\bin\keytool" -importcert -trustcacerts -keystore emm_truststore.bks -storetype bks -storepass wso2carbon -file ca_cert.pem -provider org.bouncycastle.jce.provider.BouncyCastleProvider -providerpath ./bcprov-jdk15on-146.jar
This will now create the BKS file in the temp folder, with the other Certs. Copy this emm_truststore.bks now back to your agent folder under res/raw, overwriting it.
In the MDM project, also check for "public static String SENDER_ID =" in the config file when you change the IP address etc prior to exporting.
Clean the project, and rebuild it. Now you are ready to export. What I did was to copy the wso2mobilemdm.jks to the root of my Android project, since it is already in the correct format to use. But you can export, and create a new key for this. Note, this has nothing to do with the BKS you created; this is to sign the apk to run on the device.
If you run this now it should work. You will see activity when you try to authenticate to the server.
Related
I've tried to install an instance on AWS using AWS RDS as my datasource through the mysql-connector-java-5.1.45-bin.jar with JDBC URL
jdbc:mysql://<instance>.<zone>.rds.amazonaws.com:3306/carbon_db
I've got an exception
com.mysql.jdbc.exceptions.jdbc4.CommunicationsException: Communications link failurecom.mysql.jdbc.exceptions.jdbc4.CommunicationsException: Communications link failure
The last packet successfully received from the server was 7 milliseconds ago. The last packet sent successfully to the server was 7 milliseconds ago.
at sun.reflect.NativeConstructorAccessorImpl.newInstance0(Native Method)
at sun.reflect.NativeConstructorAccessorImpl.newInstance(NativeConstructorAccessorImpl.java:62)
at sun.reflect.DelegatingConstructorAccessorImpl.newInstance(DelegatingConstructorAccessorImpl.java:45)
at java.lang.reflect.Constructor.newInstance(Constructor.java:423)
at com.mysql.jdbc.Util.handleNewInstance(Util.java:425)
...
Caused by: javax.net.ssl.SSLHandshakeException: Received fatal alert: unknown_ca
I've tried to run
keytool -importcert -keystore <keystore> -storepass <pass> -noprompt -file rds-combined-ca-bundle.pem
on cacerts.jks in the JVM and client-truststore.jks inside the WSO2 repository with no effect
This happens since the public certificate from your DB connection is not trusted by the WSO2 Identity Server.
Since you have tried adding the certificate, verify whether this has been added properly.
Get the public certificate from your DB instance.
Go to the <IS_HOME>/repository/resources/security folder. Import the public certificate to the client-truststore.jks file. Use the command below.
keytool -importcert -file certificate.cer -keystore client-truststore.jks -alias "Alias"
Restart the WSO2 IS instance and check if the issue still persists.
According to the MySQL connector documentation in [1], the following JDBC URL parameters should be included in the JDBC URL to enable SSL communication between the MySQL server and the WSO2 server.
useSSL=true
requireSSL=true
clientCertificateKeyStoreUrl
clientCertificateKeyStorePassword
I was able to successfully create the secure connection between MySQL server and the wso2 server with the below JDBC URL.
jdbc:mysql://<HOST_NAME>:<PORT>/apimgtdb?useSSL=true&requireSSL=true&clientCertificateKeyStoreUrl=file:<WSO2_HOME>/repository/resources/security/client-truststore.jks&clientCertificateKeyStorePassword=wso2carbon
I have been supplied 4 files from AWS IOT:
CA.pem
AWS-private.pem.crt
private.pem.key
public.pem.key
I have tried a multitude of methods to get these to work with Android Studio and Kotlin to connect to an MQTT service and have now lost direction.
Firstly, are there any command lines that I need to run on the certs and keys before I use them?
Do I need to use a keystore ?
If so should that keystore be bouncycastle or spongycastle ?
I have tried to create a keystore by running the keytool and creating
openssl pkcs12 -export -out ks.p12 -inkey -in my.pem -name mykeystore
but when I try to import like so
keytool -importkeystore -srckeystore ks.p12 -srcstoretype pkcs12 -destkeystore ks.bks -deststoretype BKS -provider org.bouncycastle.jce.provider.BouncyCastleProvider -providerpath ~/Downloads/bcprov-jdk16-1.46.jar
I get this error
keytool error: java.security.KeyStoreException: Unrecognized keystore format: null
So I can't even get testing my Kotlin to see if the BKS works.
I'm attempting to set up TLS (SSL) with my domain hosted on AWS Bitnami so that users can access it over HTTPS. It is running on Apache Tomcat standalone and is not fronted by a LB.
To generate the Certificate Signing Request (CSR) I have:
sudo openssl genrsa -out /opt/bitnami/apache-tomcat/conf/server.key 2048
And entered all the correct information i.e. hostname in www.hostname.com format, then:
sudo openssl req -new -key /opt/bitnami/apache-tomcat/conf/server.key -out /opt/bitnami/apache2/conf/cert.csr
Following that I have copied to the .csr file contents to the CA (ssl.comodo.com) & saved the resulting files: .ca-bundle and .crt file.
Following that I have uploaded the files to the Tomcat directory and loaded them into the Java keystore:
keytool -import -trustcacerts -alias root -file www_domainname_com.ca-bundle -keystore KeyStore.jks
and the .crt:
keytool -import -trustcacerts -alias tomcat -file www_domainname_com.crt -keystore KeyStore.jks
Tomcat is configured to use this keystore with the following config in server.xml:
<Connector port="443" protocol="org.apache.coyote.http11.Http11NioProtocol" maxThreads="150" SSLEnabled="true" scheme="https" secure="true" clientAuth="false" keystoreFile="/home/bitnami/KeyStore.jks" keystorePass="passwordhere" sslProtocol="TLS"/>
Then apache has been restarted. The browser errors that I receive are:
Chrome:
uses an unsupported protocol. ERR_SSL_VERSION_OR_CIPHER_MISMATCH
Firefox:
no common encryption algorithm(s). Error code: SSL_ERROR_NO_CYPHER_OVERLAP
My thoughts
Based on this Stack Overflow question here I think this may have something to do with RSA - when I generate a new keystore with the -keyalg RSA parameter:
$JAVA_HOME/bin/keytool -genkey -alias tomcat -keyalg RSA
and point the Tomcat server.xml SSL config to that, the site loads over HTTPS and I get warnings in the browser telling me that it is a self-signed certificate.
If you want to generate using OpenSSL, you must then convert the PRIVATE KEY AND certificate chain, not just the certificate(s) alone, to a Java-usable keystore, either PKCS12 or JKS.
If you want to generate using Java, you do use keytool -genkeypair -keyalg RSA (and before j7 add -keysize 2048), then you use Java keytool to generate the CSR which you give to the CA (Comodo), and you use Java keytool to import the new cert and its chain from the CA.
See the options at (my) https://stackoverflow.com/a/37423399/2868801 and several additional dupes linked there.
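Two of the threads above fail on the same two keystore properties: the WSO2 trace ends in `UnrecoverableKeyException: Cannot recover key`, which `KeyStore.getKey()` throws when a key entry's password differs from the one the server hands to `KeyManagerFactory`, and the Tomcat keystore built with `keytool -import` holds only trusted certificates and no PrivateKeyEntry, so the server has no key to present and the browser reports no cipher overlap. The following is an added example, not code from either thread or from WSO2, Bitnami or Tomcat; the class name and command-line arguments are the example's own assumptions.

```java
import java.io.FileInputStream;
import java.io.InputStream;
import java.security.KeyStore;
import java.security.UnrecoverableKeyException;
import java.security.cert.Certificate;
import java.security.cert.X509Certificate;
import java.util.*;

/**
 * Audits a server keystore the way a TLS stack uses it: at least one PrivateKeyEntry must
 * exist (a store holding only imported certificates leaves the server nothing to present,
 * hence "no cipher overlap"), and every private key must open with the password handed to
 * KeyManagerFactory, the KeyStore.getKey() call that fails with "Cannot recover key" above.
 */
public class KeystoreAudit {

    static final class Result {
        int privateKeyEntries, trustedCertEntries;
        final List<String> unrecoverable = new ArrayList<>();
        boolean serverUsable() { return privateKeyEntries > 0 && unrecoverable.isEmpty(); }
    }

    static Result audit(KeyStore ks, char[] keyPass) throws Exception {
        Result r = new Result();
        for (Enumeration<String> e = ks.aliases(); e.hasMoreElements();) {
            String alias = e.nextElement();
            if (ks.isCertificateEntry(alias)) {
                r.trustedCertEntries++;
                System.out.println("trustedCertEntry " + alias);
                continue;
            }
            if (!ks.isKeyEntry(alias)) continue;
            r.privateKeyEntries++;
            try {
                ks.getKey(alias, keyPass); // same call SunX509KeyManagerImpl makes at startup
                System.out.println("PrivateKeyEntry  " + alias + " (key recoverable)");
            } catch (UnrecoverableKeyException ex) {
                r.unrecoverable.add(alias);
                System.out.println("PrivateKeyEntry  " + alias + " KEY PASSWORD DOES NOT MATCH");
            }
            Certificate[] chain = ks.getCertificateChain(alias);
            if (chain != null && chain[0] instanceof X509Certificate) {
                // clients match the host against the SANs, or the CN when there are none
                X509Certificate leaf = (X509Certificate) chain[0];
                System.out.println("  subject " + leaf.getSubjectX500Principal() + "  SANs "
                    + leaf.getSubjectAlternativeNames() + "  chain length " + chain.length);
            }
        }
        return r;
    }

    public static void main(String[] args) throws Exception {
        // usage: java KeystoreAudit <keystore> <storepass> [JKS|PKCS12] [keypass, default = storepass]
        String type = args.length > 2 ? args[2] : "JKS";
        char[] storePass = args[1].toCharArray();
        char[] keyPass = args.length > 3 ? args[3].toCharArray() : storePass;
        KeyStore ks = KeyStore.getInstance(type);
        try (InputStream in = new FileInputStream(args[0])) { ks.load(in, storePass); }
        Result r = audit(ks, keyPass);
        if (r.serverUsable()) {
            System.out.println("OK: usable as a TLS server keystore");
        } else if (r.privateKeyEntries == 0) {
            System.out.println("FAIL: only trusted certificates, no private key; convert key and chain"
                + " to PKCS#12 and use keytool -importkeystore, not keytool -import");
        } else {
            System.out.println("FAIL: key password differs from " + (args.length > 3 ? "keypass" : "storepass")
                + "; fix with keytool -keypasswd -alias <alias> or configure the key password separately");
        }
    }
}
```

Run it against wso2carbon.jks or KeyStore.jks with the password the server is configured with; the subject and SAN line also lets you confirm the certificate names the host or IP the clients connect to.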
I am using Liberty 16.0.0.4
I am trying to call xxxx SOAP services, but I got the following errors
[ERROR ] CWPKI0022E: SSL HANDSHAKE FAILURE: A signer with SubjectDN CN=xxxx, was sent from the target host. The signer might need to be added to local trust store serverHome/resources/security/key.jks, located in SSL configuration alias defaultSSLConfig. The extended error message from the SSL handshake exception is: PKIX path building failed: sun.security.provider.certpath.SunCertPathBuilderException: unable to find valid certification path to requested target
I used the next command to generate the certificate
openssl s_client -connect xxxxURL:443 | sed -ne '/-BEGIN CERTIFICATE-/,/-END CERTIFICATE-/p' > xxx.cert
Then injecting it into the Liberty default jks file with the next command
keytool -import -trustcacerts -alias xxxSigner -file xxx.cert -keystore pathToHomeServer/resources/security/key.jks -storepass Liberty -storetype jks
Also these are my server.xml tags related to that
<featureManager>
<feature>webProfile-7.0</feature>
<feature>jaxb-2.2</feature>
<feature>concurrent-1.0</feature>
<feature>javaMail-1.5</feature>
<feature>localConnector-1.0</feature>
<feature>jaxws-2.2</feature>
<feature>apiDiscovery-1.0</feature>
<feature>ssl-1.0</feature>
</featureManager>
<keyStore id="defaultKeyStore" location="${server.config.dir}/resources/security/key.jks" password="{xor}EzY9Oi0rJg==" type="jks" />
<keyStore id="defaultTrustStore" location="${server.config.dir}/resources/security/key.jks" password="{xor}EzY9Oi0rJg==" type="jks" />
<sslDefault sslRef="defaultSSLConfig" />
<ssl id="defaultSSLConfig" keyStoreRef="defaultKeyStore" trustStoreRef="defaultTrustStore" sslProtocol="TLSv1.2"/>
<httpEndpoint id="defaultHttpEndpoint" httpPort="9080" httpsPort="9443">
<sslOptions sslRef="defaultSSLConfig"></sslOptions>
</httpEndpoint>
So what is the problem my side which
Not sure why your approach is not working, but another way to go about it is to use a browser to retrieve the certificate and then keytool to add it, as described here (see the 8/5/2015 comment at the bottom of the article): developer.ibm.com/wasdev/docs/single-sign-google-liberty
Does it work if you explicitly add the signer itself, shown at the bottom of the stack of certs when you append -showcerts to your openssl command?
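The RDS thread (`unknown_ca`) and this Liberty thread (`PKIX path building failed`) fail for the same reason: the truststore does not contain the CA that issued the server certificate. keytool -importcert stores only the first certificate in a PEM file, so a single keytool run over rds-combined-ca-bundle.pem picks up one regional CA, and the `openssl s_client` capture above without -showcerts contains only the server's own certificate, not its signer. The following is an added example, not code from either thread or from WSO2, IBM or AWS, that imports every CA certificate found in a PEM file into a JKS truststore and then validates a server chain against it; the class name, alias prefix and file arguments are the example's own assumptions.

```java
import java.io.*;
import java.nio.charset.StandardCharsets;
import java.nio.file.*;
import java.security.KeyStore;
import java.security.cert.*;
import java.util.*;
import java.util.regex.*;

/**
 * keytool -importcert keeps only the FIRST certificate of a PEM file, so a multi-CA bundle
 * (rds-combined-ca-bundle.pem, or the stack from `openssl s_client -showcerts`) leaves every
 * other CA out of the truststore and the handshake still ends in unknown_ca / "PKIX path
 * building failed". This imports each CA certificate under its own alias and then validates a
 * server chain against the result, the same PKIX check the TLS stack performs.
 */
public class TrustBundleImport {

    private static final Pattern PEM_CERT = Pattern.compile(
        "-----BEGIN CERTIFICATE-----.*?-----END CERTIFICATE-----", Pattern.DOTALL);

    /** One certificate per BEGIN/END block; text between blocks (s_client chatter) is ignored. */
    static List<X509Certificate> readPemBundle(byte[] pem) throws Exception {
        CertificateFactory cf = CertificateFactory.getInstance("X.509");
        List<X509Certificate> certs = new ArrayList<>();
        Matcher m = PEM_CERT.matcher(new String(pem, StandardCharsets.US_ASCII));
        while (m.find()) {
            byte[] block = m.group().getBytes(StandardCharsets.US_ASCII);
            certs.add((X509Certificate) cf.generateCertificate(new ByteArrayInputStream(block)));
        }
        return certs;
    }

    /** Adds each CA certificate as its own trustedCertEntry; returns how many were new. */
    static int importAll(KeyStore ts, List<X509Certificate> certs, String prefix) throws Exception {
        int added = 0;
        for (X509Certificate c : certs) {
            if (c.getBasicConstraints() < 0) continue;         // end-entity cert: trust its issuer instead
            if (ts.getCertificateAlias(c) != null) continue;   // already in the store
            ts.setCertificateEntry(prefix + "-" + c.getSerialNumber().toString(16), c);
            added++;
        }
        return added;
    }

    /** Chain is leaf first, as s_client prints it; certificates that are anchors themselves are skipped. */
    static boolean chainTrusted(KeyStore ts, List<X509Certificate> chain) throws Exception {
        List<X509Certificate> path = new ArrayList<>();
        for (X509Certificate c : chain) if (ts.getCertificateAlias(c) == null) path.add(c);
        if (path.isEmpty()) return true;                       // the leaf itself is a trust anchor
        PKIXParameters params = new PKIXParameters(ts);        // anchors = trustedCertEntries of ts
        params.setRevocationEnabled(false);                    // offline check: no CRL/OCSP fetching
        try {
            CertPath cp = CertificateFactory.getInstance("X.509").generateCertPath(path);
            CertPathValidator.getInstance("PKIX").validate(cp, params);
            return true;
        } catch (CertPathValidatorException e) {
            System.err.println("not trusted: " + e.getMessage());
            return false;
        }
    }

    public static void main(String[] args) throws Exception {
        // usage: java TrustBundleImport <truststore.jks> <storepass> <ca-bundle.pem> [server-chain.pem]
        char[] pass = args[1].toCharArray();
        KeyStore ts = KeyStore.getInstance("JKS");
        try (InputStream in = new FileInputStream(args[0])) { ts.load(in, pass); }
        int added = importAll(ts, readPemBundle(Files.readAllBytes(Paths.get(args[2]))), "bundle");
        try (OutputStream out = new FileOutputStream(args[0])) { ts.store(out, pass); }
        System.out.println(added + " certificate(s) added to " + args[0]);
        if (args.length > 3) {
            boolean ok = chainTrusted(ts, readPemBundle(Files.readAllBytes(Paths.get(args[3]))));
            System.out.println(ok ? "server chain trusted" : "server chain NOT trusted");
        }
    }
}
```

Feed it the `openssl s_client -showcerts` output saved to a file as both the bundle and the chain: the CA entries are imported and the leaf is then validated against them, which is exactly what the JDBC driver and Liberty do at handshake time.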
I have my Java code deployed on Tomcat in AWS and in Tier 1, I have a load balancer configured with public and private key generated using following commands.
openssl genrsa -out server_privatekey.pem 1024
openssl req -new -key server_privatekey.pem -out server_certificate_csr.pem
openssl x509 -req -days 3650 -in server_certificate_csr.pem -signkey server_privatekey.pem -out server_certificate.pem
Now, the main difficulty I'm facing is as follows:
I have an Android app which calls these REST APIs; now I want to call the API from Android, but that would require me to pass some form of authentication to the server. I'm unable to understand what that would be. If anyone could point me to a specific resource that would be really helpful.
(Note: I have already posted this question on the AWS forum but there is no reply yet: https://forums.aws.amazon.com/thread.jspa?threadID=64432).
I was able to call the REST API using HTTPS. At the client side, I downloaded the certificate and generated the trust store from it using the following command
keytool -importcert -keystore secure.ts -storepass 12345678 -file <cert>
and then while calling my REST API using the URL command, I used the following properties.
System.setProperty("javax.net.ssl.trustStore", "<trust store path eg: secure.ts from above command>");
System.setProperty("javax.net.ssl.trustStorePassword", "12345678");