Hello,
I am trying to test the SSL connection, but I'm getting some curious errors.
First my Test configuration:
Tester 1:
Tester 2:
To activate SSL I deleted the comment tags related to the SSL options out of $MEC_HOME/jetty/etc/jetty.xml.
So now, what is my problem?
Both clients are started and ready. It is possible to send messages via HTTP.
To test the availability I used a web browser and tried all possible URLs.
The computer Tester1 is able to access all four possible addresses: 192.168.0.13:8080, 192.168.0.13:8443, 192.168.0.37:8080 and 192.168.0.37:8443 via web browser. The m-e-c AS2 Servlet produces the expected output.
Tester2 has many more problems. Tester2 is only able to call its own HTTP URL and the HTTP URL of Tester1.
It is possible to access neither the HTTPS URL of Tester2 nor that of Tester1.
The curious thing is that it is possible to reach Tester2's servlet via HTTPS from Tester1's machine, but Tester2 can't reach its own servlet via HTTPS.
So, after testing this for one day I have absolutely no clue where the error is located!
When I try to send files I get the following logs:
I changed the partner settings of m-e-c AS2 to HTTPS parameters and tried to send a file.
Tester1:
[9:50:41 AM] Processing the file "ebay_Template.htm" for the receiver "Tester2".
[9:50:41 AM] mec_as2-1151049041092-79274@as2_tester1_as2_tester2: Outgoing message signed using keystore alias "tester1".
[9:50:41 AM] mec_as2-1151049041092-79274@as2_tester1_as2_tester2: Outgoing message encrypted using keystore alias "tester2".
[9:50:41 AM] mec_as2-1151049041092-79274@as2_tester1_as2_tester2: Outgoing message created.
[9:50:42 AM] mec_as2-1151049041092-79274@as2_tester1_as2_tester2: Sending message to https://192.168.0.13:8443/mec_as2/HttpReceiver, async MDN requested.
[9:50:42 AM] mec_as2-1151049041092-79274@as2_tester1_as2_tester2: sun.security.validator.ValidatorException: PKIX path building failed: sun.security.provider.certpath.SunCertPathBuilderException: unable to find valid certification path to requested target
[9:50:42 AM] mec_as2-1151049041092-79274@as2_tester1_as2_tester2: Connection problem, failed to transmit data.
[9:50:42 AM] mec_as2-1151049041092-79274@as2_tester1_as2_tester2: Message payload stored to "$MEC_HOME/messages/Tester2/error/AS2Message8582.as2".
[9:50:42 AM] mec_as2-1151049041092-79274@as2_tester1_as2_tester2: Raw outgoing message stored to "$MEC_HOME/messages/Tester2/error/raw/AS2Message8582.as2.raw".
Tester2:
[9:52:51 AM] Processing the file "Test1_backup.txt" for the receiver "Tester1".
[9:52:51 AM] mec_as2-1151049171788-38281@as2_tester2_as2_tester1: Outgoing message signed using keystore alias "tester2".
[9:52:52 AM] mec_as2-1151049171788-38281@as2_tester2_as2_tester1: Outgoing message encrypted using keystore alias "tester1".
[9:52:52 AM] mec_as2-1151049171788-38281@as2_tester2_as2_tester1: Outgoing message created.
[9:52:52 AM] mec_as2-1151049171788-38281@as2_tester2_as2_tester1: Sending message to https://192.168.0.37:8443/mec_as2/HttpReceiver, async MDN requested.
[9:52:57 AM] mec_as2-1151049171788-38281@as2_tester2_as2_tester1: The host did not accept the connection within timeout of 5000 ms
[9:52:57 AM] mec_as2-1151049171788-38281@as2_tester2_as2_tester1: Connection problem, failed to transmit data.
[9:52:57 AM] mec_as2-1151049171788-38281@as2_tester2_as2_tester1: Message payload stored to "c:\mecas2b6\messages\Tester1\error\AS2Message55344.as2".
[9:52:57 AM] mec_as2-1151049171788-38281@as2_tester2_as2_tester1: Raw outgoing message stored to "c:\mecas2b6\messages\Tester1\error\raw\AS2Message55344.as2.raw".
So I need your help!
If there are any open questions or I forgot to mention something, feel free to post your questions and I will try to answer soon.
Hello Heller,
thanks for your detailed description about enabling SSL.
The steps you described are the same steps I did last week before I opened this thread.
After checking the settings for the third time I tried another browser on the Windows test computer, which wasn't able to connect to the servlets via HTTPS. It seems that IE was not able to manage the self-signed certificates, but Firefox is. These are the points you regret not setting up the test computer by yourself.
So the connection problem is no longer present.
Now I'm getting the same error on both m-e-c as2 clients when I try to send a file via HTTPS.
Both clients have the right password for the SSL keystore, the MDN-URL is set to the HTTPS URL of the servlet and the Receipt-URL is set to the HTTPS URL also.
So the error I'm getting is this:
[11:33:11 AM] Processing the file "email Konten.txt" for the receiver "Tester2".
[11:33:11 AM] mec_as2-1151314391190-37426@as2_tester1_as2_tester2: Outgoing message signed using keystore alias "tester1".
[11:33:11 AM] mec_as2-1151314391190-37426@as2_tester1_as2_tester2: Outgoing message encrypted using keystore alias "tester2".
[11:33:11 AM] mec_as2-1151314391190-37426@as2_tester1_as2_tester2: Outgoing message created.
[11:33:11 AM] mec_as2-1151314391190-37426@as2_tester1_as2_tester2: Sending message to https://192.168.0.13:8443/mec_as2/HttpReceiver, async MDN requested.
[11:33:11 AM] mec_as2-1151314391190-37426@as2_tester1_as2_tester2: sun.security.validator.ValidatorException: PKIX path building failed: sun.security.provider.certpath.SunCertPathBuilderException: unable to find valid certification path to requested target
[11:33:12 AM] mec_as2-1151314391190-37426@as2_tester1_as2_tester2: Connection problem, failed to transmit data.
[11:33:12 AM] mec_as2-1151314391190-37426@as2_tester1_as2_tester2: Message payload stored to "$MEC_HOME/messages/Tester2/error/AS2Message39423.as2".
[11:33:12 AM] mec_as2-1151314391190-37426@as2_tester1_as2_tester2: Raw outgoing message stored to "$MEC_HOME/messages/Tester2/error/raw/AS2Message39423.as2.raw".
Best regards
Tobias Hergenroether
Tobias and I found the solution.
Whenever you are using keys/certificates for SSL, please ensure that they are trusted, else this error message occurs.
If you create the keys using "keytool -genkey" you are asked at the end if you would like to trust them.
Hello,
it should also be mentioned that if you change the setting File -> Preferences -> Security -> Keystore (https send) or the setting File -> Preferences -> Security -> Keystore Password (https send), the tool needs to be restarted for the changes to take effect.
Thanks Tobias. I have another hint:
If the error message "Unconnected sockets not implemented" occurs, there is a problem with the keystore/password combination in the GUI settings, which could result from the problems Tobias mentioned in the post before.
Heller
Hi Heller
You write that I can start the AS2 server with the start script and then I will be able to see in the jetty log 2 lines about connector start.
So, if I use the start executable (AS2.exe), does it mean that the https listener is not started automatically? (Because after application start I can't open a page like "https://host:8443/mec_as2/HttpReceiver".)
I followed your instructions about keystore creation, jetty config file modification and setting the partner URL to "https".
After that I found in the "jetty-ssl.xml" file that I can start with "java -jar start.jar etc/jetty.xml etc/jetty-ssl.xml".
I started it from the command line, then started mecAS2.exe and after that I could successfully interact between partners via https.
But my question is: should I start the https listener separately from the main application (AS2.exe), or is there a possibility to start all together?
Regards
Eugene
Eugene,
This thread is older and described the setup for jetty 6.0. m-e-c as2 is now delivered with jetty 6.1.1.
In this version you can copy the SSL listener part from jetty-ssl.xml into jetty.xml. If you then start the server, you will see that it listens on both ports.
Using SSL the jetty.xml file should contain something like the following for jetty 6.1.1:
...
<Call name="addConnector">
  <Arg>
    <New class="org.mortbay.jetty.nio.SelectChannelConnector">
      <Set name="port"><SystemProperty name="jetty.port" default="8080"/></Set>
      <Set name="maxIdleTime">30000</Set>
      <Set name="Acceptors">2</Set>
      <Set name="confidentialPort">8443</Set>
    </New>
  </Arg>
</Call>
<Call name="addConnector">
  <Arg>
    <New class="org.mortbay.jetty.security.SslSocketConnector">
      <Set name="Port">8443</Set>
      <Set name="maxIdleTime">30000</Set>
      <Set name="keystore"><SystemProperty name="jetty.home" default="." />/etc/keystore</Set>
      <Set name="password">mypass</Set>
      <Set name="keyPassword">mypass</Set>
    </New>
  </Arg>
</Call>
...
Regards
Heller
Heller,
thank you very much for your answer.
Now all works correctly
Regards
Eugene
Heller,
From the information you provide here, I did correctly start https.
dfds2006
Hi Heller -
I installed AS2 1.1 b31. And try to use SSH on that
After copying the code mentioned below from jetty-ssl.xml to jetty.xml
8443
30000
/etc/keystore
OBF:1vny1zlo1x8e1vnw1vn61x8g1zlu1vn4
OBF:1u2u1wml1z7s1z7a1wnl1u2g
/etc/keystore
OBF:1vny1zlo1x8e1vnw1vn61x8g1zlu1vn4
I ran
C:\mendelson\opensource\as2\jre\bin>java -jar C:\mendelson\opensource\as2\jetty\start.jar etc\jetty.xml etc\jetty-ssl.xml
but it showed me the following error:
java.lang.ClassNotFoundException: org.mortbay.xml.XmlConfiguration
at java.net.URLClassLoader$1.run(URLClassLoader.java:200)
at java.security.AccessController.doPrivileged(Native Method)
at java.net.URLClassLoader.findClass(URLClassLoader.java:188)
at java.lang.ClassLoader.loadClass(ClassLoader.java:303)
at java.lang.ClassLoader.loadClass(ClassLoader.java:248)
at org.mortbay.start.Main.invokeMain(Main.java:179)
at org.mortbay.start.Main.start(Main.java:534)
at org.mortbay.start.Main.start(Main.java:441)
at org.mortbay.start.Main.main(Main.java:119)
Rahul,
You tried to start the jetty server in stand-alone mode with your command. Please ensure that you include all required jars if you would like to do this. Please refer to http://docs.codehaus.org/display/JETTY/Running+Jetty-6.1.x for further information.
Regards
Heller
Hi Heller -
Thanks for the quick response.
I copied the code from jetty-ssl.xml to jetty.xml.
What is the next step that I need to take? Do I need to run
java -jar C:\mendelson\opensource\as2\jetty\start.jar etc\jetty.xml etc\jetty-ssl.xml?
I thought AS2.exe would run jetty for me.
After I copied the code into jetty.xml, my http://localhost:8080/as2/ServerState page doesn't show me that the http server is running,
and I get the same status for the HTTPS server when I try
https://localhost:8443/as2/ServerState
Rahul,
To be honest I don't understand this issue. If you would like to start the AS2 server using SSL, please use the start script or the AS2.exe (depending on your OS) after modifying the jetty.xml file. The AS2 server itself is not running inside the HTTP server; only the HTTP receipt unit is running inside it. Please have a look at the architecture of the product at http://opensource.mendelson-e-c.com/#architecture for further information.
Regards
Heller
Tobias,
I tested the SSL communication here and it worked. I performed the following steps:
Generate a keystore for the SSL
I saw that the keystore delivered with jetty contains expired keys so I generated new keys using java keytool (the needed format is JKS).
set JAVA_HOME=C:\Programme\Java\jdk1.5.0_06
%JAVA_HOME%\bin\keytool -genkey -alias Key1 -keypass changeit -keysize 1024 -keystore heller.keystore -keyalg RSA -storepass changeit
%JAVA_HOME%\bin\keytool -genkey -alias Key2 -keypass changeit -keysize 1024 -keystore heller.keystore -keyalg RSA -storepass changeit
%JAVA_HOME%\bin\keytool -list -keystore heller.keystore -storepass changeit
I stored this new keystore in jetty/etc/heller.keystore
Enable the SSL listener in the http server
The file jetty/etc/jetty.xml has to be modified to listen on port 8443 with SSL. I uncommented the following section and modified it to:
<Item>
  <New class="org.mortbay.jetty.security.SslSocketConnector">
    <Set name="Port">8443</Set>
    <Set name="maxIdleTime">30000</Set>
    <Set name="Keystore"><SystemProperty name="jetty.home" default="." />/etc/heller.keystore</Set>
    <Set name="Password">changeit</Set>
    <Set name="KeyPassword">changeit</Set>
  </New>
</Item>
The password is obfuscated in the default configuration, but it seems to be possible to define it in plain text, too. The obfuscation tool is in the jetty package if you need it.
Set SSL keystore and pass in m-e-c as2 GUI for sending process
Please start the m-e-c as2 server now. If you start it with a start script, you should see the two lines
:INFO: Started SelectChannelConnector @ 0.0.0.0:8080
:INFO: Started SslSocketConnector @ 0.0.0.0:8443
in the jetty log. You won't see these lines if you use the installed start executable.
Now edit the server preferences "Send https keystore" and "Send https password" to the new keystore and the new password. This is necessary because the data is not sent by the http server but by an integrated http client.
Set https URL to partner
Please set all partner configuration URLs to the https protocol. The URLs now have to follow the pattern "https://host:8443/mec_as2/HttpReceiver".
Test in browser
You may want to test the new configuration and can point your browser to "https://localhost:8443/mec_as2/HttpReceiver" on your machine. The behavior now depends on your browser, because the SSL certificates are not trusted by your browser. Mainly the browser asks if you would like to trust the certificates and then the normal GET page will appear. But this really depends on how the browser deals with untrusted certificates for SSL.
Now the AS2 data can be transmitted normally; no problem occurred in my test configuration.
Best regards
Heller
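The "PKIX path building failed ... unable to find valid certification path to requested target" lines in the logs earlier in this thread, and the "ensure that they are trusted" answer, come down to one thing: the Java client only accepts a server certificate whose chain ends in an anchor of the trust store it consults, and a freshly generated self-signed test certificate is in no default trust store. The following program is an added example written for this thread; it is not code from m-e-c AS2, Jetty or Heller's posts. It assumes the heller.keystore created with the keytool commands above (store password "changeit", alias "Key1") is in the working directory and that Java 7 or later is used. It checks the Key1 certificate once against the JRE's default trust store (rejected with the same message as in the logs) and once against a trust store into which that certificate was imported (accepted), which is what adding the partner certificate as a trusted entry achieves.

```java
import java.io.FileInputStream;
import java.io.InputStream;
import java.security.KeyStore;
import java.security.cert.CertificateException;
import java.security.cert.X509Certificate;
import javax.net.ssl.TrustManager;
import javax.net.ssl.TrustManagerFactory;
import javax.net.ssl.X509TrustManager;

/**
 * Added example for this thread, not part of m-e-c AS2 or Jetty.
 * Assumption: heller.keystore (storepass "changeit") from the keytool
 * commands above exists and contains a self-signed key pair under alias "Key1".
 */
public class TrustCheck {

    /** Build an X509TrustManager from the given trust store (null = JRE default cacerts). */
    static X509TrustManager trustManagerFor(KeyStore trustStore) throws Exception {
        TrustManagerFactory tmf =
            TrustManagerFactory.getInstance(TrustManagerFactory.getDefaultAlgorithm());
        tmf.init(trustStore);
        for (TrustManager tm : tmf.getTrustManagers()) {
            if (tm instanceof X509TrustManager) {
                return (X509TrustManager) tm;
            }
        }
        throw new IllegalStateException("no X509TrustManager available");
    }

    /** Returns true if the trust manager accepts this server certificate chain. */
    static boolean serverChainTrusted(X509TrustManager tm, X509Certificate[] chain) {
        try {
            tm.checkServerTrusted(chain, "RSA");
            return true;
        } catch (CertificateException e) {
            // Same failure class the AS2 client logged:
            // "PKIX path building failed ... unable to find valid certification path"
            System.out.println("rejected: " + e.getMessage());
            return false;
        }
    }

    public static void main(String[] args) throws Exception {
        String keystorePath = args.length > 0 ? args[0] : "heller.keystore";
        char[] storePass = "changeit".toCharArray();

        // Load the keystore produced by "keytool -genkey" (JKS format, as the thread notes).
        KeyStore ks = KeyStore.getInstance("JKS");
        try (InputStream in = new FileInputStream(keystorePath)) {
            ks.load(in, storePass);
        }
        X509Certificate serverCert = (X509Certificate) ks.getCertificate("Key1");
        X509Certificate[] chain = { serverCert };

        // 1. JRE default trust store: the self-signed test certificate is unknown -> rejected.
        X509TrustManager defaultTm = trustManagerFor(null);
        System.out.println("default trust store accepts Key1: "
            + serverChainTrusted(defaultTm, chain));

        // 2. Trust store that explicitly holds the partner certificate -> accepted.
        //    This is the in-memory equivalent of "keytool -import" of the partner's
        //    exported certificate into the store the sending client uses.
        KeyStore trust = KeyStore.getInstance("JKS");
        trust.load(null, null); // start with an empty store
        trust.setCertificateEntry("partner-key1", serverCert);
        X509TrustManager partnerTm = trustManagerFor(trust);
        System.out.println("partner trust store accepts Key1: "
            + serverChainTrusted(partnerTm, chain));
    }
}
```

Compile and run with `javac TrustCheck.java && java TrustCheck heller.keystore` in the directory that holds the keystore. The check uses a single-element chain because a self-signed certificate is its own issuer; for a CA-issued partner certificate the same call would need the intermediate certificates in the chain or the CA certificate in the trust store, which is the usual cause of this error in production setups.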