Hello All,
I'm trying for 2 days to have the SSL communication working, but no luck.
HTTP: works fine (without signature and encryption)
HTTPS: gives an error message (without signature and encryption):
[6:20:20 PM] Processing the file "Order.xml" for the receiver "bpcm_ssl".
[6:20:20 PM] mec_as2-1152206420065-85677@bpcm_develop_bpcm_ssl: Outgoing message is not signed.
[6:20:20 PM] mec_as2-1152206420065-85677@bpcm_develop_bpcm_ssl: Outgoing message has not been encrypted.
[6:20:20 PM] mec_as2-1152206420065-85677@bpcm_develop_bpcm_ssl: Outgoing message created.
[6:20:20 PM] mec_as2-1152206420065-85677@bpcm_develop_bpcm_ssl: Sending message to https://www.otherserver.com:8443/mec_as2/HttpReceiver, sync MDN requested.
[6:20:20 PM] mec_as2-1152206420065-85677@bpcm_develop_bpcm_ssl: Unconnected sockets not implemented
[6:20:20 PM] mec_as2-1152206420065-85677@bpcm_develop_bpcm_ssl: Connection problem, failed to transmit data.
[6:20:20 PM] mec_as2-1152206420065-85677@bpcm_develop_bpcm_ssl: Message payload stored to "messages/bpcm_ssl/error/AS2Message36145.as2".
[6:20:20 PM] mec_as2-1152206420065-85677@bpcm_develop_bpcm_ssl: Raw outgoing message stored to "messages/bpcm_ssl/error/raw/AS2Message36145.as2.raw".
Can anyone give some help? Thanks in advance.
I've tried to create 2 new keystores like the post "SSL-Problems" in this forum says, but the GUI does not recognize them, so I'm using the default keystore and the default certificate.
Hello edup,
I had the same problem. Heller and I solved it as described in the thread SSL Problems.
The error message "Unconnected socket not implemented" has its root cause in the fact that you try to use your own keystore. So, if you change the settings for the keystore (path and password) you need to restart the tool so that these changes take effect.
Another thing is that the certificates you are using/generating need to be trusted (self signed).
Hope this will help and I'm sure Heller will post some additional facts. ;-)
edup,
SSL configuration setup seems to be a little bit complicated because you have to set up the receipt unit for your keystore (which is jetty) and the send unit SSL (which can be set up in the m-e-c as2 server GUI).
You mentioned 2 keystores for SSL, but in fact it is only one that is referenced twice (from the receipt and the send unit). Anyway, for sending AS2 messages with sync MDN only one (outgoing) HTTP/S connection will be used and no HTTP receipt unit is necessary. The HTTP receipt unit is only used for incoming async MDNs and incoming AS2 messages.
Tobias is right, the best starting point for the SSL setup might be having a look at the thread SSL Problems. Other documentation does not exist so far.
Your error message "Unconnected socket not implemented" occurs if you have set the wrong keystore password or keystore name in the m-e-c as2 GUI for the send unit. We already fixed the refresh problems Tobias mentioned for the next version, which has not been released so far.
But anyway, don't hesitate to post what exactly you have done to set up your own keystore, I am sure that we could find the problem.
Regards
Stefan Heller
Sorry, my mistake in the last post, it was a writing error (the part where I said that I've saved the keystore in jetty.xml)...
Anyway, I was trying to change it and it created a new post. Please ignore this and sorry for the inconvenience.
edup,
you are right, there are two keystores in the whole application, but only one is relevant for SSL:
First: $MEC_AS_PATH/certificates.p12 (PKCS #12 type)
This one contains your own key pair and the certificates of your trading partners for encryption and digital signatures.
Second: $JETTYPATH/jetty/etc/keystore (JKS type - created with the java keytool or even the portecle tool)
This one is used for SSL, referenced by the HTTPS send and HTTPS receipt unit.
I've created a:
1) verify signed trial certificate, I added it to a keystore of the type PKCS#12 and saved it in certificates.p12.
--> now this one is for encryption/decryption and creation/verification of digital signatures only
2) a keystore (with the keytool), I've imported/added the verify signed certificate and saved it to jetty/etc/jetty.xml (the application became very very low)
--> You should add the keys by default to the keystore $JETTYPATH/jetty/etc/keystore and reference it with its password and keystore name in jetty.xml. Please don't overwrite the config file jetty.xml with a keystore file.
Anyway, you could use a JKS keystore file at any location (this is for SSL), just be sure to reference it in two locations: jetty.xml (config file for the HTTPS receipt unit) and in the m-e-c as2 GUI in the preferences dialog (configuration for the HTTPS send unit).
[8:33:40 PM] Processing the file "Order.xml" for the receiver "mendelsontest".
[8:33:42 PM] Error processing the file "Order.xml" for the receiver "mendelsontest": "Private key for alias Key1 not found.".
note: Key1 is the name that I gave to the certificate.
Once you add a key or certificate to the keystore located in $MEC_AS_PATH/certificates.p12 you should restart the m-e-c as2 server (even in this version; this problem has been fixed for the next version, as I mentioned). If you now go into the trading partner configuration GUI, you can only set aliases for certificates/keys that really exist in the keystore $MEC_AS_PATH/certificates.p12.
I think you mixed up the SSL keystore and the encryption/signature keystore in this case.
Hope that helps a little bit
Regards
Heller
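Both errors discussed above (a wrong keystore password or type behind "Unconnected sockets not implemented", and an alias that holds only a certificate behind "Private key for alias Key1 not found") can be checked outside the tool with the standard Java KeyStore API. The program below is an added example for this thread, not code from m-e-c as2 or Jetty; the file paths, passwords and the alias Key1 in the usage comment are placeholders taken from the thread, and it assumes the private key is protected with the same password as the store (keytool's default when you press RETURN at the key password prompt).

```java
import java.io.FileInputStream;
import java.io.IOException;
import java.security.Key;
import java.security.KeyStore;
import java.security.UnrecoverableKeyException;
import java.security.cert.Certificate;
import java.security.cert.X509Certificate;
import java.util.Enumeration;

/**
 * Lists the entries of a JKS or PKCS #12 keystore and reports, per alias,
 * whether a private key is present and recoverable with the store password.
 * Added example for the SSL thread; not part of m-e-c as2 or Jetty.
 *
 * usage: java KeystoreCheck <file> <JKS|PKCS12> <store-password> [alias]
 *   e.g. java KeystoreCheck jetty/etc/keystore JKS changeit          (SSL keystore)
 *        java KeystoreCheck certificates.p12 PKCS12 secret Key1      (signature/encryption keystore)
 */
public class KeystoreCheck {

    public static void main(String[] args) throws Exception {
        if (args.length < 3) {
            System.err.println("usage: KeystoreCheck <file> <JKS|PKCS12> <store-password> [alias]");
            System.exit(2);
        }
        String file = args[0];
        String type = args[1];
        char[] password = args[2].toCharArray();
        String wanted = args.length > 3 ? args[3] : null;

        KeyStore ks = KeyStore.getInstance(type);
        try (FileInputStream in = new FileInputStream(file)) {
            ks.load(in, password);
        } catch (IOException e) {
            // A wrong store password, or a JKS file opened as PKCS12 (or vice versa),
            // fails here before any alias can be looked up.
            System.err.println("cannot open " + file + " as " + type + ": " + e.getMessage());
            System.exit(1);
        }

        boolean seen = false;
        for (Enumeration<String> aliases = ks.aliases(); aliases.hasMoreElements();) {
            String alias = aliases.nextElement();
            // The JDK's JKS and PKCS12 implementations compare aliases case-insensitively,
            // so "Key1" and "key1" name the same entry as far as this check is concerned.
            if (wanted != null && !wanted.equalsIgnoreCase(alias)) {
                continue;
            }
            seen = true;
            System.out.println("alias: " + alias);
            Certificate cert = ks.getCertificate(alias);
            if (cert instanceof X509Certificate) {
                X509Certificate x = (X509Certificate) cert;
                System.out.println("  subject: " + x.getSubjectX500Principal());
                System.out.println("  issuer:  " + x.getIssuerX500Principal());
                System.out.println("  expires: " + x.getNotAfter());
            }
            if (!ks.isKeyEntry(alias)) {
                // An entry imported with "keytool -importcert" is a trusted-certificate
                // entry: it can verify a partner's signature or encrypt to the partner,
                // but it cannot sign, decrypt, or serve as the SSL server identity.
                System.out.println("  trusted-certificate entry: NO private key under this alias");
                continue;
            }
            try {
                // Assumption: key password equals store password (keytool default).
                Key key = ks.getKey(alias, password);
                System.out.println("  private key: present (" + key.getAlgorithm() + ")");
            } catch (UnrecoverableKeyException e) {
                System.out.println("  private key: present but NOT recoverable with the store password");
            }
        }
        if (!seen) {
            System.out.println(wanted == null ? "keystore is empty" : "no entry named " + wanted);
        }
    }
}
```

Run it once against the JKS file referenced from jetty.xml and the m-e-c as2 preferences (with the exact password entered there) and once against certificates.p12 with the alias configured for the trading partner. If the first run cannot open the file, the send unit will fail the same way; if the second run reports a trusted-certificate entry for the alias, the keystore holds only the certificate and the key pair still has to be generated or imported under that alias.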
edup,
I had a look at the jetty documentation because there should be a section on how to set up jetty for SSL (mainly this is what has to be done to set up SSL for m-e-c as2). There is something in the FAQ (security in jetty): http://jetty.mortbay.org/jetty/faq?s=400-Security&t=ssl
This should give you more information about the SSL setup.
Regards
Heller