Problems configuring IceSSL for Java
I'm having problems configuring IceSSL for Java. I'm following the RSA instructions in section 39.5.4 of the Ice manual exactly, but keep getting an exception when I run my client program. The .jks files provided by ZeroC in [ICE_HOME]/certs work fine. So it seems I'm doing something wrong when generating my own. Here's what I did:
D:\ssl>keytool -genkey -keyalg rsa -keystore cpriv.jks -alias cpriv
Enter keystore password: password
What is your first and last name?
  [Unknown]: Christopher Bartley
What is the name of your organizational unit?
  [Unknown]: Robotics Institute
What is the name of your organization?
  [Unknown]: Carnegie Mellon University
What is the name of your City or Locality?
  [Unknown]: Pittsburgh
What is the name of your State or Province?
  [Unknown]: PA
What is the two-letter country code for this unit?
  [Unknown]: US
Is CN=Christopher Bartley, OU=Robotics Institute, O=Carnegie Mellon University, L=Pittsburgh, ST=PA, C=US correct?
  [no]: yes
Enter key password for <cpriv>
        (RETURN if same as keystore password):

D:\ssl>keytool -genkey -keyalg rsa -keystore spriv.jks -alias spriv
Enter keystore password: password
What is your first and last name?
  [Unknown]: Christopher Bartley
What is the name of your organizational unit?
  [Unknown]: Robotics Institute
What is the name of your organization?
  [Unknown]: Carnegie Mellon University
What is the name of your City or Locality?
  [Unknown]: Pittsburgh
What is the name of your State or Province?
  [Unknown]: PA
What is the two-letter country code for this unit?
  [Unknown]: US
Is CN=Christopher Bartley, OU=Robotics Institute, O=Carnegie Mellon University, L=Pittsburgh, ST=PA, C=US correct?
  [no]: yes
Enter key password for <spriv>
        (RETURN if same as keystore password):

D:\ssl>keytool -export -keystore spriv.jks -alias spriv -file cert.tmp
Enter keystore password: password
Certificate stored in file <cert.tmp>

D:\ssl>keytool -import -keystore spub.jks -file cert.tmp
Enter keystore password: password
Owner: CN=Christopher Bartley, OU=Robotics Institute, O=Carnegie Mellon University, L=Pittsburgh, ST=PA, C=US
Issuer: CN=Christopher Bartley, OU=Robotics Institute, O=Carnegie Mellon University, L=Pittsburgh, ST=PA, C=US
Serial number: 43ecb169
Valid from: Fri Feb 10 10:29:45 EST 2006 until: Thu May 11 11:29:45 EDT 2006
Certificate fingerprints:
         MD5:  AA:E3:1A:50:69:93:CE:51:1E:A9:CD:27:BF:01:7C:5D
         SHA1: 1D:D3:D2:11:FF:FD:25:82:92:91:B0:69:A2:1D:D5:ED:C6:48:06:74
Trust this certificate? [no]: yes
Certificate was added to keystore

D:\ssl>
I then reference the .jks files in my Ice properties file as directed in the manual:
Ice.Plugin.IceSSL=IceSSL.PluginFactory
Ice.ThreadPerConnection=1
IceSSL.Client.Keystore=cpriv.jks
IceSSL.Client.Password=password
IceSSL.Client.Certs=spub.jks
IceSSL.Server.Keystore=spriv.jks
IceSSL.Server.Password=password
IceSSL.Trace.Security=1
However, when I run the client app, I get the following stack trace:
[ RobotClient: Security: enabling ciphersuites for ssl socket
  local address = 128.2.211.7:1338
  remote address = 128.2.211.7:10005:
  SSL_RSA_WITH_RC4_128_MD5
  SSL_RSA_WITH_RC4_128_SHA
  TLS_RSA_WITH_AES_128_CBC_SHA
  TLS_DHE_RSA_WITH_AES_128_CBC_SHA
  TLS_DHE_DSS_WITH_AES_128_CBC_SHA
  SSL_RSA_WITH_3DES_EDE_CBC_SHA
  SSL_DHE_RSA_WITH_3DES_EDE_CBC_SHA
  SSL_DHE_DSS_WITH_3DES_EDE_CBC_SHA
  SSL_RSA_WITH_DES_CBC_SHA
  SSL_DHE_RSA_WITH_DES_CBC_SHA
  SSL_DHE_DSS_WITH_DES_CBC_SHA
  SSL_RSA_EXPORT_WITH_RC4_40_MD5
  SSL_RSA_EXPORT_WITH_DES40_CBC_SHA
  SSL_DHE_RSA_EXPORT_WITH_DES40_CBC_SHA
  SSL_DHE_DSS_EXPORT_WITH_DES40_CBC_SHA ]
Robot: Ice.SocketException
    error = 0
Ice.SocketException
    error = 0
        at IceSSL.SslConnector.connect(SslConnector.java:252)
        at IceInternal.OutgoingConnectionFactory.create(OutgoingConnectionFactory.java:308)
        at IceInternal.DirectReference.getConnection(DirectReference.java:178)
        at Ice._ObjectDelM.setup(_ObjectDelM.java:257)
        at Ice.ObjectPrxHelperBase.__getDelegate(ObjectPrxHelperBase.java:700)
        at Ice.ObjectPrxHelperBase.ice_isA(ObjectPrxHelperBase.java:56)
        at Ice.ObjectPrxHelperBase.ice_isA(ObjectPrxHelperBase.java:44)
        at Glacier2.RouterPrxHelper.checkedCast(RouterPrxHelper.java:185)
        at edu.cmu.ri.mrpl.terk.robot.Robot.run(Robot.java:41)
        at Ice.Application.main(Application.java:71)
        at Ice.Application.main(Application.java:36)
        at edu.cmu.ri.mrpl.terk.robot.Robot.main(Robot.java:185)
Caused by: javax.net.ssl.SSLHandshakeException: sun.security.validator.ValidatorException: PKIX path building failed: sun.security.provider.certpath.SunCertPathBuilderException: unable to find valid certification path to requested target
        at com.sun.net.ssl.internal.ssl.Alerts.getSSLException(Alerts.java:150)
        at com.sun.net.ssl.internal.ssl.SSLSocketImpl.fatal(SSLSocketImpl.java:1476)
        at com.sun.net.ssl.internal.ssl.Handshaker.fatalSE(Handshaker.java:174)
        at com.sun.net.ssl.internal.ssl.Handshaker.fatalSE(Handshaker.java:168)
        at com.sun.net.ssl.internal.ssl.ClientHandshaker.serverCertificate(ClientHandshaker.java:847)
        at com.sun.net.ssl.internal.ssl.ClientHandshaker.processMessage(ClientHandshaker.java:106)
        at com.sun.net.ssl.internal.ssl.Handshaker.processLoop(Handshaker.java:495)
        at com.sun.net.ssl.internal.ssl.Handshaker.process_record(Handshaker.java:433)
        at com.sun.net.ssl.internal.ssl.SSLSocketImpl.readRecord(SSLSocketImpl.java:815)
        at com.sun.net.ssl.internal.ssl.SSLSocketImpl.performInitialHandshake(SSLSocketImpl.java:1025)
        at com.sun.net.ssl.internal.ssl.SSLSocketImpl.startHandshake(SSLSocketImpl.java:1038)
        at IceSSL.SslConnector.connect(SslConnector.java:213)
        ... 11 more
Caused by: sun.security.validator.ValidatorException: PKIX path building failed: sun.security.provider.certpath.SunCertPathBuilderException: unable to find valid certification path to requested target
        at sun.security.validator.PKIXValidator.doBuild(PKIXValidator.java:221)
        at sun.security.validator.PKIXValidator.engineValidate(PKIXValidator.java:145)
        at sun.security.validator.Validator.validate(Validator.java:203)
        at com.sun.net.ssl.internal.ssl.X509TrustManagerImpl.checkServerTrusted(X509TrustManagerImpl.java:172)
        at com.sun.net.ssl.internal.ssl.JsseX509TrustManager.checkServerTrusted(SSLContextImpl.java:320)
        at com.sun.net.ssl.internal.ssl.ClientHandshaker.serverCertificate(ClientHandshaker.java:840)
        ... 18 more
Caused by: sun.security.provider.certpath.SunCertPathBuilderException: unable to find valid certification path to requested target
        at sun.security.provider.certpath.SunCertPathBuilder.engineBuild(SunCertPathBuilder.java:236)
        at java.security.cert.CertPathBuilder.build(CertPathBuilder.java:194)
        at sun.security.validator.PKIXValidator.doBuild(PKIXValidator.java:216)
        ... 23 more
Any ideas?
thanks heaps,
chris
Comments
Hi Chris,
I tried to reproduce this error using the hello demo while following your instructions for generating the keystores, and everything worked fine. Then I looked closer at your exception stack trace and saw this line:
at Glacier2.RouterPrxHelper.checkedCast(RouterPrxHelper.java:185)
It looks like your client is attempting to connect to Glacier2 over SSL. Since Glacier2 is written in C++ (and therefore uses OpenSSL), you're going to need compatible certificates for both OpenSSL and JSSE.
The keystores included in the Ice for Java distribution were converted from the OpenSSL certificates and keys found in Ice for C++. This allows us to use C++ services such as Glacier2 and IceGrid over SSL from our Java tests and demos. The Java distribution includes the shell script certs/makecerts, which performs this conversion. I'd recommend taking a look at this script.
Hope that helps,
- Mark
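An added example that is not part of this thread and is not ZeroC's makecerts script: it does with plain openssl and keytool what Mark describes. One CA signs a PEM certificate for the OpenSSL side (Glacier2) and a certificate that is converted through PKCS#12 into a JKS keystore for the Java side, and the CA certificate alone goes into the Java truststore. The thread's own flow put the Java server's self-signed certificate into spub.jks, which only validates a peer that presents exactly that certificate; a Glacier2 router presents a certificate from its own OpenSSL files, so JSSE finds nothing in spub.jks to build a path to, which is what "unable to find valid certification path to requested target" reports. The final step reproduces that situation offline with a certificate the CA never issued. File names, subject names and the password are assumptions chosen for the demo.

```shell
#!/bin/sh
# Added example (not from the original thread or from ZeroC's makecerts):
# one CA for both the OpenSSL (C++) and JSSE (Java) sides of an IceSSL link.
# Names and the password below are assumptions for the demo.
set -eu

WORK=${WORK:-$(mktemp -d)}
PASS=password          # demo password, as in the thread's keytool session

require_tools() {
    command -v openssl >/dev/null 2>&1 && command -v keytool >/dev/null 2>&1
}

# Self-signed CA that both peers will trust.
make_ca() {
    openssl req -x509 -newkey rsa:2048 -nodes -sha256 -days 365 \
        -subj "/CN=Demo CA/O=Example" \
        -keyout "$WORK/ca.key" -out "$WORK/ca.pem" >/dev/null 2>&1
}

# Key plus CA-signed certificate for NAME, left in PEM form (OpenSSL side).
make_signed_pem() {
    name=$1
    openssl req -newkey rsa:2048 -nodes -sha256 \
        -subj "/CN=$name/O=Example" \
        -keyout "$WORK/$name.key" -out "$WORK/$name.csr" >/dev/null 2>&1
    openssl x509 -req -sha256 -days 365 -in "$WORK/$name.csr" \
        -CA "$WORK/ca.pem" -CAkey "$WORK/ca.key" -CAcreateserial \
        -out "$WORK/$name.pem" >/dev/null 2>&1
}

# Convert a PEM key/cert pair into a JKS keystore via PKCS#12 (JSSE side).
pem_to_jks() {
    name=$1
    openssl pkcs12 -export -name "$name" -in "$WORK/$name.pem" \
        -inkey "$WORK/$name.key" -certfile "$WORK/ca.pem" \
        -out "$WORK/$name.p12" -passout "pass:$PASS"
    keytool -importkeystore -noprompt \
        -srckeystore "$WORK/$name.p12" -srcstoretype PKCS12 -srcstorepass "$PASS" \
        -destkeystore "$WORK/$name.jks" -deststoretype JKS -deststorepass "$PASS" \
        >/dev/null 2>&1
}

# Truststore holding only the CA: every certificate the CA signed validates.
make_truststore() {
    keytool -importcert -noprompt -alias ca -file "$WORK/ca.pem" \
        -keystore "$WORK/truststore.jks" -storepass "$PASS" >/dev/null 2>&1
}

# The check JSSE performs when building the PKIX path, done with openssl:
# does CERT chain to an anchor in CAFILE?  0 = chain builds, 1 = it does not.
chain_builds() {
    cert=$1
    cafile=$2
    openssl verify -CAfile "$cafile" "$cert" >/dev/null 2>&1
}

truststore_has_ca() {
    keytool -list -keystore "$WORK/truststore.jks" -storepass "$PASS" 2>/dev/null \
        | grep -q "^ca,"
}

if require_tools; then
    make_ca
    make_signed_pem server      # server.pem / server.key -> OpenSSL side
    make_signed_pem client
    pem_to_jks client           # client.jks -> IceSSL.Client.Keystore
    make_truststore             # truststore.jks -> IceSSL.Client.Certs
    chain_builds "$WORK/server.pem" "$WORK/ca.pem" && echo "server cert chains to the CA"
    # A self-signed certificate the CA never issued does not chain; this is the
    # situation behind "unable to find valid certification path".
    openssl req -x509 -newkey rsa:2048 -nodes -subj "/CN=stray" \
        -keyout "$WORK/stray.key" -out "$WORK/stray.pem" >/dev/null 2>&1
    chain_builds "$WORK/stray.pem" "$WORK/ca.pem" || echo "stray cert does not chain"
    echo "artifacts in $WORK"
fi
```

With the thread's property names, the Java client would use client.jks as IceSSL.Client.Keystore and truststore.jks as IceSSL.Client.Certs, while the C++ side is given server.pem, server.key and ca.pem. Keeping only the CA in the truststore, rather than individual peer certificates, is what lets a certificate issued to Glacier2 on the OpenSSL side validate in JSSE.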
Hi Mark,

> It looks like your client is attempting to connect to Glacier2 over SSL. Since Glacier2 is written in C++ (and therefore uses OpenSSL), you're going to need compatible certificates for both OpenSSL and JSSE.

[sigh]...geeez do I feel dumb. That makes perfect sense. Glad it's Friday--I'll try to be smarter next week.

> The Java distribution includes the shell script certs/makecerts, which performs this conversion.
Cool, I'll check it out. BTW, makecerts appears to only be included in the source distribution of Ice for Java 3.0.1. Might be nice to include it in the binary distro, too.
Thanks for all your help (and patience for when I'm being extra dumb).
chris
P.S. Thanks also for the great Dynamic Ice article in the latest Connections! The problem it solves sure looks familiar!