NoSuchAlgorithmException

mccachar
Joined: 2009-10-08

OK, I tried to figure this out (this was the only help I found: http://community.mendelson-e-c.com/node/317). I can see that it's using the SunJSSE provider when trying to find the SSL algorithm (right?), and it should be using BC, right? But how do I go about changing that?

This is with 1.1b27. 1.1b29 gives a much more vague failure: Connection problem, failed to transmit data.

[5:44:10 PM] mendelson_opensource_AS2-1255038250395-0@transfertest.mydomain.com_THEMGISAPPIT1: Outgoing message signed with the algorithm SHA-1,using keystore alias "transfertest".
[5:44:11 PM] mendelson_opensource_AS2-1255038250395-0@transfertest.mydomain.com_THEMGISAPPIT1: Outgoing message encrypted with the algorithm 3DES, using keystore alias "themntechit".
[5:44:11 PM] mendelson_opensource_AS2-1255038250395-0@transfertest.mydomain.com_THEMGISAPPIT1: Outbound AS2 message created from "portecle-1.4.zip" for the receiver "Them" in 1.20s, raw message size: 1.82 MB
[5:44:13 PM] mendelson_opensource_AS2-1255038250395-0@transfertest.mydomain.com_THEMGISAPPIT1: Sending message to https://b2bqa.them.com/as2/inbound, sync MDN requested.
[5:44:13 PM] mendelson_opensource_AS2-1255038250395-0@transfertest.mydomain.com_THEMGISAPPIT1: [SocketException]@MessageHttpUploader.performUpload java.security.NoSuchAlgorithmException: Error constructing implementation (algorithm: Default, provider: SunJSSE, class: com.sun.net.ssl.internal.ssl.DefaultSSLContextImpl)
[5:44:13 PM] mendelson_opensource_AS2-1255038250395-0@transfertest.mydomain.com_THEMGISAPPIT1: Transaction state written to /opt/as2/1.1b27/messages/Them/sent/transfertest_mydomain_com/20091008/portecle-1.4.zip_mendelson_opensource_AS2_1255038250395_0@transfertest_mydomain_com_THEMGISAPPIT1.sent.state.
[5:44:15 PM] mendelson_opensource_AS2-1255038250395-0@transfertest.mydomain.com_THEMGISAPPIT1: A transaction error notification mail has been sent to tcontact@mydomain.com.
[5:44:15 PM] mendelson_opensource_AS2-1255038250395-0@transfertest.mydomain.com_THEMGISAPPIT1: Connection problem, failed to transmit data.
[5:44:15 PM] mendelson_opensource_AS2-1255038250395-0@transfertest.mydomain.com_THEMGISAPPIT1: Message payload stored to "/opt/as2/1.1b27/messages/Them/error/transfertest_mydomain_com/20091008/AS2Message6659985011877062354.as2".
[5:44:15 PM] mendelson_opensource_AS2-1255038250395-0@transfertest.mydomain.com_THEMGISAPPIT1: Raw outgoing message stored to "/opt/as2/1.1b27/messages/Them/error/transfertest_mydomain_com/20091008/raw/error250875245372504236.raw".
[5:44:15 PM] mendelson_opensource_AS2-1255038250395-0@transfertest.mydomain.com_THEMGISAPPIT1: Transaction state written to /opt/as2/1.1b27/messages/Them/sent/transfertest_mydomain_com/20091008/portecle-1.4.zip_mendelson_opensource_AS2_1255038250395_0@transfertest_mydomain_com_THEMGISAPPIT1.sent.state.
[5:44:18 PM] mendelson_opensource_AS2-1255038250395-0@transfertest.mydomain.com_THEMGISAPPIT1: A transaction error notification mail has been sent to tcontact@mydomain.com.

Thanks,
Chaz

neilparks1
Joined: 2009-05-07

This may help. See Heller's last comment in

http://community.mendelson-e-c.com/node/359

__________________

"Program in haste; debug at leisure."

mccachar
Joined: 2009-10-08

Yes, the partner's URL is https://b2bqa.them.com/as2/inbound. I originally had an issue because they gave it to me as http://, which redirected to https:// and MEC was choking on the redirection. See here: http://community.mendelson-e-c.com/node/428

This is the block you're talking about, right?

"sorry, haven't seen that you are using ssl. Please check the keystore (defaults to jetty/etc/keystore). The keys must be in JKS format and all root certs should be in, too. Please check the path settings to the keystore in the AS2 server config."

I checked the format; it's JKS. The password on the actual store is "test". I did notice that in the AS2 config, the hidden password was much longer than 4 characters, so I reset it to "test" and restarted MEC. Now the hidden password stays at 4 chars, same as the one for certificates.p12. I also changed it from the relative path of jetty/etc/keystore to the full path of /opt/as2/1.1b27/jetty/etc/keystore. I then changed the password for that keystore in the AS2 config to "the wrong password". None of that made a difference and I've never seen anything in the logs about having trouble opening that keystore, which all makes me wonder, does it even matter? When is that keystore used? Would it ever come into play for outbound connections?

I opened up that keystore and added all of the certs/keys that I had added to the certificates.p12 in the MEC directory, as well as the Equifax Secure Certificate Authority, which is the CA for the SSL cert that our partner is using and which I would expect to already be in the trusted roots (the cert being used for the internal signing and encryption is self-signed by them) and it didn't help. I was then able to import the partner's wildcard cert (the fact that it's a wildcard shouldn't be a problem, right?) without being prompted to trust it, so we know there's a match and the cert chaining process works.

Are we sure that that error is referring to the SSL cert? Could it have anything to do with the internal self-signed encryption and signing cert? It certainly seems from the log like that all goes swimmingly and then chokes when it first tries to open up the outside SSL connection.

Thanks,
Chaz

heller
Joined: 2006-05-15

mccachar,

If this is an SSL issue, it's possible to debug the whole SSL communication by setting the JVM parameter "-Djavax.net.debug=ssl,session".

Could you try this?

Regards
Heller

mccachar
Joined: 2009-10-08

Oct 9, 2009 12:07:16 PM sun.reflect.NativeMethodAccessorImpl invoke0
INFO: Logging to org.slf4j.impl.JDK14LoggerAdapter(org.mortbay.log) via org.mortbay.log.Slf4jLog
Oct 9, 2009 12:07:17 PM sun.reflect.NativeMethodAccessorImpl invoke0
INFO: jetty-6.1.1
Oct 9, 2009 12:07:17 PM sun.reflect.NativeMethodAccessorImpl invoke0
INFO: Extract jar:file:/opt/as2/1.1b27/jetty/webapps/as2.war!/ to /tmp/Jetty_0_0_0_0_8080_as2.war__as2__4x5vr/webapp
Oct 9, 2009 12:07:18 PM org.directwebremoting.util.CommonsLoggingOutput info
INFO: DWR Version 2.0.rc2 starting.
Oct 9, 2009 12:07:18 PM org.directwebremoting.util.CommonsLoggingOutput info
INFO: - Servlet Engine: jetty-6.1.1
Oct 9, 2009 12:07:18 PM org.directwebremoting.util.CommonsLoggingOutput info
INFO: - Java Version: 1.6.0_16
Oct 9, 2009 12:07:18 PM org.directwebremoting.util.CommonsLoggingOutput info
INFO: - Java Vendor: Sun Microsystems Inc.
Oct 9, 2009 12:07:18 PM org.directwebremoting.util.CommonsLoggingOutput info
INFO: Probably not an issue: org.jdom.Document is not available so the jdom converter will not load. This is only an problem if you wanted to use it.
Oct 9, 2009 12:07:18 PM org.directwebremoting.util.CommonsLoggingOutput info
INFO: Probably not an issue: org.jdom.Element is not available so the jdom converter will not load. This is only an problem if you wanted to use it.
Oct 9, 2009 12:07:18 PM sun.reflect.NativeMethodAccessorImpl invoke0
INFO: Started SelectChannelConnector @ 0.0.0.0:8080
Oct 9, 2009 12:07:18 PM de.mendelson.comm.as2.server.AS2Server
INFO: mendelson opensource AS2 1.1 build 27
Oct 9, 2009 12:07:18 PM de.mendelson.comm.as2.server.AS2Server
INFO: (c) 2000-2009 mendelson-e-commerce GmbH Berlin, Germany
[Server@2c35e]: [Thread[pool-1-thread-1,5,main]]: putPropertiesFromString(): [port=3333;database.0=file:AS2_DB;dbname.0=as2db;silent=true;trace=false;hsqldb.cache_scale=15;hsqldb.cache_file_scale=8;no_system_exit=true;shutdownarg=COMPACT;]
[Server@2c35e]: [Thread[pool-1-thread-1,5,main]]: checkRunning(false) entered
[Server@2c35e]: [Thread[pool-1-thread-1,5,main]]: checkRunning(false) exited
Oct 9, 2009 12:07:20 PM de.mendelson.comm.as2.database.DBServer run
INFO: HSQL Database Engine 1.8.0 started.
AgentServer#0 started: OK
Oct 9, 2009 12:07:20 PM de.mendelson.comm.as2.jms.MessageQueueServer startup
INFO: Message queue server is started at localhost.
Oct 9, 2009 12:07:22 PM de.mendelson.comm.as2.jms.MessageQueueServer setupQueue
INFO: Message queue set up: #0.0.1085
Oct 9, 2009 12:07:24 PM de.mendelson.comm.as2.cert.CertificateManager loadKeystoreCertificates
INFO: Keys and certificates loaded from "/opt/as2/1.1b27/certificates.p12".
Oct 9, 2009 12:07:24 PM de.mendelson.comm.as2.server.AS2Server
INFO: Server startup in 7331 ms.
Oct 9, 2009 12:07:24 PM de.mendelson.comm.as2.send.DirPollManager
INFO: Directory poll manager started.
Oct 9, 2009 12:07:24 PM de.mendelson.util.clientserver.AbstractServer start
INFO: Starting mendelson opensource AS2 1.1 build 27 client-server interface, listening on port 1235
Oct 9, 2009 12:07:24 PM de.mendelson.util.clientserver.AbstractServer start
INFO: mendelson opensource AS2 1.1 build 27 client-server interface started.
Oct 9, 2009 12:07:24 PM de.mendelson.comm.as2.send.DirPollManager addPartnerPollThread
INFO: Directory poll manager: Poll for relationship "transfertest.ME.com/THEMTHEM" started. Ignore files: "--". Poll interval: 10s
Oct 9, 2009 12:07:29 PM de.mendelson.comm.as2.cert.CertificateManager loadKeystoreCertificates
INFO: Keys and certificates loaded from "/opt/as2/1.1b27/certificates.p12".
Oct 9, 2009 12:07:37 PM de.mendelson.comm.as2.message.AS2MessagePacker createMessage
INFO: mendelson_opensource_AS2-1255104457158-0@transfertest.ME.com_THEMGISAPPIT1: Outgoing message signed with the algorithm SHA-1,using keystore alias "transfertest".
Oct 9, 2009 12:07:38 PM de.mendelson.comm.as2.message.AS2MessagePacker createMessage
INFO: mendelson_opensource_AS2-1255104457158-0@transfertest.ME.com_THEMGISAPPIT1: Outgoing message encrypted with the algorithm 3DES, using keystore alias "THEMTHEMit".
Oct 9, 2009 12:07:38 PM de.mendelson.comm.as2.jms.JMSMessageSender send
INFO: mendelson_opensource_AS2-1255104457158-0@transfertest.ME.com_THEMGISAPPIT1: Outbound AS2 message created from "portecle-1.4.zip" for the receiver "THEMTHEM" in 1.23s, raw message size: 1.82 MB
Oct 9, 2009 12:07:39 PM de.mendelson.comm.as2.send.MessageHttpUploader performUpload
INFO: mendelson_opensource_AS2-1255104457158-0@transfertest.ME.com_THEMGISAPPIT1: Sending message to https://b2bqa.THEM.com/as2/inbound, sync MDN requested.
keyStore is : /opt/as2/1.1b27/jetty/etc/keystore
keyStore type is : jks
keyStore provider is :
init keystore
init keymanager of type SunX509
***
found key for : key1
chain [0] = [
[
Version: V1
Subject: CN=mend, OU=mendelson-e-commerce GmbH, O=mendelson-e-commerce GmbH, L=Berlin, ST=Berlin, C=DE, EMAILADDRESS=rosettanet@mendelson.de
Signature Algorithm: SHA1withRSA, OID = 1.2.840.113549.1.1.5

Key: Sun RSA public key, 1024 bits
modulus: 133684073607911857887556521896853856007731026752226734359132207131744659173466825025786637528130280554298894787375771808991559349514891173805383800323037828754683836295051784080676154126786466096364360960328708158453234897844197391671786606611362944138783152252481636545132745560241609846191742613990532168069
public exponent: 65537
Validity: [From: Thu Dec 01 08:42:19 EST 2005,
To: Sat Aug 10 09:42:19 EDT 2019]
Issuer: CN=mend, OU=mendelson-e-commerce GmbH, O=mendelson-e-commerce GmbH, L=Berlin, ST=Berlin, C=DE, EMAILADDRESS=rosettanet@mendelson.de
SerialNumber: [ 438efdbb]

]
Algorithm: [SHA1withRSA]
Signature:
0000: BC 0E 21 CF EB 58 C0 00 35 D1 21 FC 68 0E FC 34 ..!..X..5.!.h..4
0010: A4 54 CC 31 33 95 01 AF 74 E4 61 B2 D4 FF 98 E0 .T.13...t.a.....
0020: D0 BC 23 DD 8F BE 2A 1B A6 61 2A F1 9D 87 B0 48 ..#...*..a*....H
0030: BA 8A F8 95 C0 E0 EB 3D 34 9F 9B DD E6 51 66 79 .......=4....Qfy
0040: D8 43 D7 8A 79 46 60 74 4F D0 3F D5 C4 D3 8C BC .C..yF`tO.?.....
0050: 58 BE 99 1C B0 78 B0 39 E6 B2 05 5A 4D 4F A9 D2 X....x.9...ZMO..
0060: 51 72 1F 44 DE F4 DC 8F 04 6D 09 F3 CD 74 F4 25 Qr.D.....m...t.%
0070: CA 75 70 93 48 DE 60 AB 44 B5 09 F6 27 D2 CB 5A .up.H.`.D...'..Z

]
***
default context init failed: java.security.UnrecoverableKeyException: Cannot recover key
Oct 9, 2009 12:07:40 PM de.mendelson.comm.as2.send.MessageHttpUploader performUpload
SEVERE: mendelson_opensource_AS2-1255104457158-0@transfertest.ME.com_THEMGISAPPIT1: [SocketException]@MessageHttpUploader.performUpload java.security.NoSuchAlgorithmException: Error constructing implementation (algorithm: Default, provider: SunJSSE, class: com.sun.net.ssl.internal.ssl.DefaultSSLContextImpl)
Oct 9, 2009 12:07:40 PM de.mendelson.comm.as2.message.store.MessageStoreHandler storeSentMessageState
INFO: mendelson_opensource_AS2-1255104457158-0@transfertest.ME.com_THEMGISAPPIT1: Transaction state written to /opt/as2/1.1b27/messages/THEMTHEM/sent/transfertest_ME_com/20091009/portecle-1.4.zip_mendelson_opensource_AS2_1255104457158_0@transfertest_ME_com_THEMGISAPPIT1.sent.state.
Oct 9, 2009 12:07:42 PM de.mendelson.comm.as2.jms.JMSMessageReceiver run
SEVERE: mendelson_opensource_AS2-1255104457158-0@transfertest.ME.com_THEMGISAPPIT1: Connection problem, failed to transmit data.
Oct 9, 2009 12:07:42 PM de.mendelson.comm.as2.message.store.MessageStoreHandler storeSentErrorMessage
SEVERE: mendelson_opensource_AS2-1255104457158-0@transfertest.ME.com_THEMGISAPPIT1: Message payload stored to "/opt/as2/1.1b27/messages/THEMTHEM/error/transfertest_ME_com/20091009/AS2Message8990060157655231449.as2".
Oct 9, 2009 12:07:42 PM de.mendelson.comm.as2.message.store.MessageStoreHandler storeSentErrorMessage
SEVERE: mendelson_opensource_AS2-1255104457158-0@transfertest.ME.com_THEMGISAPPIT1: Raw outgoing message stored to "/opt/as2/1.1b27/messages/THEMTHEM/error/transfertest_ME_com/20091009/raw/error6974309137440346359.raw".
Oct 9, 2009 12:07:42 PM de.mendelson.comm.as2.message.store.MessageStoreHandler storeSentMessageState
INFO: mendelson_opensource_AS2-1255104457158-0@transfertest.ME.com_THEMGISAPPIT1: Transaction state written to /opt/as2/1.1b27/messages/THEMTHEM/sent/transfertest_ME_com/20091009/portecle-1.4.zip_mendelson_opensource_AS2_1255104457158_0@transfertest_ME_com_THEMGISAPPIT1.sent.state.

Thanks,
Chaz

mccachar
Joined: 2009-10-08

The output from 1.1b29 is the same, and I never modified that jetty/etc/keystore.

So let me ask a stupid question . . . I *do* have to be running a separate JDK installation for this, right? I mean, from the Linux package, we don't have all the stuff we need already in the AS2 directory, right?

Thanks,
Chaz

mccachar
Joined: 2009-10-08

I solicited some help from one of the developers here who's done some Java and here's our exchange:

=================================
In other words, if the keystore file (jetty/etc/keystore) is secured with "passwordA" and one of the certs inside (transfertest.ME.com) is secured with "passwordB", it won't work? In other other words, all the certs and the keystore have to have the same password? That's borderline retarded, but I'll give it a shot.

Thanks,
Chaz

-----Original Message-----
From: Tim XXXX
Sent: Fri 10/9/2009 1:17 PM
To: Charles McCabe
Subject: RE: Java error from Mendelson AS2

Quick glance I found this, not sure if it helps at all. I can take a look at it again a little later.

The error "java.security.UnrecoverableKeyException: Cannot recover key" occurs when the keystore and keyEntry passwords are different. To resolve this issue, you must remove all traces of the past certificate and request file.

You must generate a new keystore, keyEntry and CSR and specify the same password for the keystore and the keyEntry.
=================================

Thanks,
Chaz

heller
Joined: 2006-05-15

mccachar,

There are 2 keystores in the application. The first one is certificates.p12. It's used for signatures and encryption. The 2nd is by default jetty/etc/keystore. This one is used for the SSL.

In the SSL keystore (JKS format) there may be only one key (yours) and several certificates (your partners'). And it has to be the key your partners have the certificate of, else a send and receipt will not work.

You could see in the debug output that the key in jetty/etc/keystore could be accessed, which means passwd and path are set up right. But the key that is used is "key1" (and it's untrusted, that is the reason for the error); this is the default key. Please replace it by your key.

Regards
Heller

heller
Joined: 2006-05-15

There is a manual for setting up SSL for the underlying jetty, please have a look at http://docs.codehaus.org/display/JETTY/How+to+configure+SSL

Regards
Heller

mccachar
Joined: 2009-10-08

I deleted the key1 key from the keystore (leaving only transfertest.ME.com) and it didn't make any difference, except that you never see anything about key1 in the output.

Then I deleted the transfertest.xxx key and re-imported it using "test" as the password. And guess what? It worked. So I deleted that key again and re-imported it using "not test" as the password. Guess what? It gave me the error again. I'd be happy to clone my existing setup (a VM) and test this with you further, if you'd like.

For the moment, on to the "The Message Integrity Code (MIC) does not match the sent AS2 message" in a new thread.

Thanks,
Chaz
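The experiment above (re-importing the key with the store password makes the error go away, re-importing it with a different one brings it back) matches how the JDK's default SSL context is built: the SunJSSE "Default" SSLContext reads javax.net.ssl.keyStore / javax.net.ssl.keyStorePassword and passes that single password to the KeyManagerFactory for both the keystore and every key entry in it, so a key entry protected with its own password surfaces as "UnrecoverableKeyException: Cannot recover key" during "default context init" and then as the NoSuchAlgorithmException seen in the log. The following checker is an added example written for this thread, not code from mendelson AS2 or from anyone in the discussion. It opens a keystore and reports every key entry that does not unlock with the store password, which is exactly the condition the default context cannot handle, and it can re-protect such an entry under the store password (the same effect as re-importing the key). Run with no arguments it builds a constructed PKCS12 demo store in memory (an AES secret-key entry stands in for the private-key entry, since JKS cannot hold secret keys and a self-signed certificate cannot be generated with the plain JDK API; the password mechanism is the same); run as `java KeyPasswordCheck jetty/etc/keystore test JKS` it checks a real store. The class name, the demo alias names and the demo password "passwordB" are my own choices; Java 8 or later is assumed for the PKCS12 secret-key support.

```java
import java.io.FileInputStream;
import java.io.InputStream;
import java.security.Key;
import java.security.KeyStore;
import java.security.UnrecoverableKeyException;
import java.util.ArrayList;
import java.util.Enumeration;
import java.util.List;
import javax.crypto.KeyGenerator;
import javax.crypto.SecretKey;

/**
 * Hypothetical diagnostic (not part of mendelson AS2): finds key entries whose
 * key password differs from the keystore password. The JDK default SSLContext
 * (provider SunJSSE, algorithm "Default") initialises its KeyManagerFactory with
 * javax.net.ssl.keyStorePassword for the store AND for every key entry, so such
 * an entry makes default-context construction fail.
 */
public class KeyPasswordCheck {

    /** Aliases of key entries that cannot be opened with the store password. */
    public static List<String> mismatchedAliases(KeyStore ks, char[] storePass) throws Exception {
        List<String> bad = new ArrayList<String>();
        for (Enumeration<String> e = ks.aliases(); e.hasMoreElements();) {
            String alias = e.nextElement();
            if (!ks.isKeyEntry(alias)) {
                continue; // trusted-certificate entries carry no password
            }
            try {
                ks.getKey(alias, storePass); // this is what the default context effectively does
            } catch (UnrecoverableKeyException ex) {
                bad.add(alias);
            }
        }
        return bad;
    }

    /** Re-protect one key entry under the store password (equivalent to keytool -keypasswd). */
    public static void rekey(KeyStore ks, String alias, char[] oldKeyPass, char[] storePass) throws Exception {
        Key key = ks.getKey(alias, oldKeyPass);          // throws if oldKeyPass is wrong
        // getCertificateChain() returns the chain for a private key and null for a secret key
        ks.setKeyEntry(alias, key, storePass, ks.getCertificateChain(alias));
    }

    public static KeyStore load(String path, String type, char[] storePass) throws Exception {
        KeyStore ks = KeyStore.getInstance(type);
        InputStream in = new FileInputStream(path);
        try {
            ks.load(in, storePass);
        } finally {
            in.close();
        }
        return ks;
    }

    /** Constructed demo store: one entry protected like the store, one with its own password. */
    static KeyStore demoStore(char[] storePass) throws Exception {
        KeyStore ks = KeyStore.getInstance("PKCS12");
        ks.load(null, null);
        KeyGenerator kg = KeyGenerator.getInstance("AES");
        kg.init(128);
        SecretKey ok = kg.generateKey();
        SecretKey odd = kg.generateKey();
        ks.setKeyEntry("matches-store", ok, storePass, null);
        ks.setKeyEntry("own-password", odd, "passwordB".toCharArray(), null); // the problem case
        return ks;
    }

    public static void main(String[] args) throws Exception {
        boolean realStore = args.length >= 2;
        char[] storePass = (realStore ? args[1] : "test").toCharArray();
        KeyStore ks = realStore
                ? load(args[0], args.length > 2 ? args[2] : "JKS", storePass)
                : demoStore(storePass);

        List<String> bad = mismatchedAliases(ks, storePass);
        if (bad.isEmpty()) {
            System.out.println("OK: every key entry opens with the store password; the default SSLContext can use this store.");
            return;
        }
        for (String alias : bad) {
            System.out.println("MISMATCH: key entry '" + alias + "' does not open with the store password; "
                    + "the default SSLContext will fail with 'UnrecoverableKeyException: Cannot recover key'");
        }
        if (!realStore) {
            // demo only: fix the constructed entry and show the check passing afterwards
            rekey(ks, "own-password", "passwordB".toCharArray(), storePass);
            System.out.println("after rekey: mismatched = " + mismatchedAliases(ks, storePass));
        } else {
            System.exit(1);
        }
    }
}
```

For a real file the check is read-only; to fix an entry without re-importing it, the keytool form of the same operation is `keytool -keypasswd -alias <alias> -keystore jetty/etc/keystore -storepass test -keypass <old key password> -new test`. Note this single-password requirement applies to the outbound client side, which uses the JDK default context as the log shows; Jetty's own SSL connector for inbound connections is configured separately, per the Jetty SSL page linked above.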

neilparks1
Joined: 2009-05-07

If you used Portecle to create or modify certificates.p12, the simplest thing to do is to create a new keystore file and import all the same certs and keys that you imported into certificates.p12. Save it in JKS format as jetty/etc/keystore.

That way your trading partners can specify either http or https and they'll work the same way.

__________________

"Program in haste; debug at leisure."

mccachar
Joined: 2009-10-08

UPDATE: Partner's end sent clean, as well.

==================================================

The MIC error was this issue: http://community.mendelson-e-c.com/node/396

I imported my keystores into the 1.1b29 directory and everything worked a treat. Waiting for the partner to try sending [crosses fingers].

Many thanks for the help and all the work on the application.

Thanks,
Chaz

Rahul
Joined: 2010-01-21

heller wrote:
mccachar,

If this is an SSL issue, it's possible to debug the whole SSL communication by setting the JVM parameter "-Djavax.net.debug=ssl,session".

Could you try this?

Regards
Heller
--------------------------------------
Hi -

Where and how can i set this JVM parameter? and where will i find the debug logs?

Regards
Rahul

heller
Joined: 2006-05-15

Rahul,

You have to start the server using a script, then set the parameter with the option java -Djavax.net.debug=ssl,session ...

Regards
Heller

