I need to talk to a service which requires CA signed certificates. I have certificates on my own username and the same certificates has been imported at the server side.So that when I send request, I will produce my certificate for authentication with the server and server matches those certificate and send the response back.
When I request the URL in the browser, it automatically selects/asks (In pop-up) with the certificate on my username and when I select that user name the request loads with a proper response.
Now I want to simulate the same thing in Gatling. However in Gatling I am getting a 401 (Unauthorized).
I verified at the server side that when I send the request from browser, I can able to see the certificates are passing but when I send request from Gatling the certificates are not sending along with request for authentication. At the server side it says no certificates found.
I have imported my username CA signed certificates into JDK keystore and sending the request as shown below.
def execute(): ScenarioBuilder = {
val parameters = Map("$filter" -> "${Id}")
val positionsScenario: ScenarioBuilder = scenario("Locations")
.feed(accountFeed)
.exec(requestHandler.getSAPRequest("Locations", parameters))
positionsScenario
}
def getRequest(requestName: String, parameters: Map[String, String]): ChainBuilder = {
val messageBuilder = exec(http(requestName)
.get(s"$uri")
.queryParamMap(parameters)
.check(status.is(200))
)
messageBuilder
}
I have configured my certs using system.property since gatling.conf is not sending the the certificates in the scenario.
System.setProperty("gatling.http.ssl.trustStore.file", "C:/Program Files/Java/jdk1.8.0_111/jre/lib/security/cacerts")
System.setProperty("gatling.http.ssl.trustStore.password", "changeit")
System.setProperty("gatling.http.ssl.trustStore.type", "JKS")
System.setProperty("gatling.http.ssl.keyStore.file", "C:/Program Files/Java/jdk1.8.0_111/jre/lib/security/vikram")
System.setProperty("gatling.http.ssl.keyStore.password", "changeit")
System.setProperty("gatling.http.ssl.keyStore.type", "JKS")
Here are the log from gatling
Session(SAPPositions,4,Map(gatling.http.ssl.keyStore.password -> changeit,
gatling.http.cache.dns -> io.gatling.http.resolver.ShuffleJdkNameResolver#6e027c67,
gatling.http.ssl.trustStore.type -> JKS, gatling.http.ssl.trustStore.password -> changeit,
accountId -> (account_id eq '000194878-182182-AU-AUD'),
gatling.http.ssl.keyStore.file -> C:/Program Files/Java/jdk1.8.0_111/jre/lib/security/vikram,
gatling.http.ssl.keyStore.type -> JKS, gatling.http.referer -> https://d3u.internal.com/sap/op/data/ACCOUNT_LOCATION_API_SRV/locationapi?%24filter=%28account_id%20eq%20%27000194878,
gatling.http.ssl.trustStore.file -> C:/Program Files/Java/jdk1.8.0_111/jre/lib/security/cacerts,
gatling.http.cookies -> CookieJar(Map(CookieKey(sap-usercontext,d3u.internal.com,/) -> StoredCookie(sap-usercontext=sap-client=100; path=/,true,false,1517797866679))))
1517797866640,0,KO,List(),io.gatling.core.protocol.ProtocolComponentsRegistry$$Lambda$458/906347731#1443b002)
=========================
HTTP request:
GET https://d3u.internal.com/sap/op/data/ACCOUNT_LOCATION_API_SRV/locationapi?%24filter=%28account_id%20eq%20%27000194878
headers=
Connection: Keep-Alive
Accept: */*
Accept-Encoding: gzip, deflate
Host: d3u.internal.com
=========================
HTTP response:
status=
401 Unauthorized
headers=
set-cookie: sap-usercontext=sap-client=100; path=/
content-type: text/html; charset=utf-8
sap-system: D3U
www-authenticate: Basic realm="SAP NetWeaver Application Server [D3U/100]"
Transfer-Encoding: chunked
Content-Encoding: gzip
Here are my Server side log:
[Thr 139749210060544] Server-configured Ciphersuites: "TLS_ECDHE_RSA_WITH_AES128_GCM_SHA256:TLS_ECDHE_RSA_WITH_AES256_GCM_SHA384:T
[Thr 139749210060544] Mon Feb 5 11:09:34 2018
[Thr 139749210060544] Client-offered Ciphersuites: "TLS_RSA_WITH_AES256_CBC_SHA:TLS_RSA_WITH_AES128_CBC_SHA:TLS_RSA_WITH_RC4_128_S
[Thr 139749210060544] No Client Certificate
[Thr 139749210060544] New session (TLSv1.2, TLS_RSA_WITH_AES128_CBC_SHA)
[Thr 139749210060544] HexDump of new SSL session ID { &buf= 7f19c001306c, buf_len= 32 }
[Thr 139749210060544] 00000: 3e 2d 9e fb b6 f3 bf 63 fb 49 27 75 f3 d8 24 c7 >-.....c .I'u..$.
[Thr 139749210060544] 00010: 90 85 bb ed 5e 39 d6 cc 15 27 25 04 fe 29 44 3f ....^9.. .'%..)D?
[Thr 139749210060544] SapSSLISessionStartFin(sssl_hdl=7f19c0016b50)==SAP_O_K
[Thr 139749210060544] in/out: status = "new SSL session,TLSv1.2,TLS_RSA_WITH_AES128_CBC_SHA, **NO client cert"**
[Thr 139749210060544] <<- SapSSLSessionStartNB(sssl_hdl=7f19c0016b50)==SAP_O_K
[Thr 139749210060544] HttpParseRequestHeader: no content length set
[Thr 139749210060544] HttpParseRequestHeader: no transfer-encoding set
[Thr 139749210060544] HttpParseRequestHeader: Version: 1001
[Thr 139749210060544] HttpParseRequestHeader: Keep-Alive: 0
[Thr 139749210060544] HttpParseRequestHeader: no server port set
[Thr 139749210060544] HTTP request (raw) [5/540445/1]:
[Thr 139749210060544] GET /sap/bc/gui/sap/its/webgui?sap-client=000 HTTP/1.1
[Thr 139749210060544] host: d3u.internal.com
[Thr 139749210060544] connection: Close
[Thr 139749210060544] Connection Info: role=Server, local=vd3u01.internal.com:44300, peer=10.137.249.2, protocol=HTTPS
[Thr 139749210060544] ->> SapSSLGetPeerInfo(sssl_hdl=7f19c0016b50, &cert=7f19e605e990, &cert_len=7f19e605e99c,
[Thr 139749210060544] &subject_dn=7f19e605e988, &issuer_dn=7f19e605e978, &cipher=7f19e605e980)
[Thr 139749210060544] <<- SapSSLGetPeerInfo(sssl_hdl=7f19c0016b50)==SAP_O_K
[Thr 139749210060544] out: cert_len = <no cert>
[Thr 139749210060544] out: cipher = "TLS_RSA_WITH_AES128_CBC_SHA"
In the server side log, it says client certificate not sent. I am suspecting I am sending something wrong in the request or my code itself.
Thanks
I figured it out what's the problem. The certificates which I am producing are not valid certificates to authenticate with the server.
How do I know whether they are valid/invalid?
Just enabled the java debug using the below line
System.setProperty("javax.net.debug", "all") and see the debug line when the gatling initially starts. I see everything empty which is suspicious to me.
keyStore is : C:/Program Files/Java/jdk1.8.0_111/jre/lib/security/vthaduri
keyStore type is : jks
keyStore provider is :
init keystore
init keymanager of type SunX509
trustStore is: C:\Program Files\Java\jdk1.8.0_111\jre\lib\security\cacerts
trustStore type is : jks
trustStore provider is :
Use javax.net.ssl [Just for debugging purpose]
Also I have used javax.net.ssl instead of gatling.http.ssl for setting trustore and keystore.
Lastly .disableClientSharing
val httpBuilder: HttpProtocolBuilder = http
.disableClientSharing
.baseURL(AppConfig.getRuntimeConfig("endpoints." + environment + ".sap"))
.connectionHeader("Keep-Alive")
.acceptHeader("*/*")
.acceptEncodingHeader("gzip, deflate")
Later I configured everything properly as per galting.
Related
I have searched enough on the web, but couldn't find the solution yet.
Creating a Signed upload URL with an expiry of 1 hour.
val extensionHeaders: MutableMap<String, String> = HashMap()
extensionHeaders["Content-Type"] = "application/octet-stream"
val url: URL? = storage?.signUrl(
blobInfo,
60,
TimeUnit.MINUTES,
Storage.SignUrlOption.httpMethod(HttpMethod.PUT),
Storage.SignUrlOption.withExtHeaders(extensionHeaders),
Storage.SignUrlOption.withV4Signature()
)
Trying to upload using the signed URL. As I know, to upload a file using the signed URL we must POST an empty request as shown below.
curl -v -X 'POST' \
-H 'content-type: application/octet-stream' \
-H 'x-goog-resumable:start' \
-d '' \
'https://storage.googleapis.com/path/some_jar_file.jar?X-Goog-Algorithm=GOOG4-RSA-SHA256&X-Goog-Credential=sa-p.iam.gserviceaccount.com%2F20230107%2Fauto%2Fstorage%2Fgoog4_request&X-Goog-Date=20230107T071742Z&X-Goog-Expires=3600&X-Goog-SignedHeaders=content-type%3Bhost&X-Goog-Signature=629e30c352a3c241cbe7b37c0d79dba8804c489ace423c43b55ea7e561e02f745b356eb9d7979e0b183870f8683613725d4f67fe4d8fbffa4529a1c433753918b692d033be7ac2f609992e30793570db08dce5250d78e5bef1e7458f56d7ee88c5f502855766cb68047423691ab30aa7a14c1f396d64a08053040925c4e70f58cec78bfba2b4fda11603aa1ee246c02492ee1f8ffc30c767cab944d0d0ffea8c407142c46f8d8be872e467a047b68c718a21134d6dc19b9415dda74c6728b1e70273737122a3a44110308d880bc3ad30cd18aa2ebe324ff5caaa7987b8339fe8fe63189f5acdc7cd11563f5997a5d89f2b1ba2ed6473134d1661ab8bdd624c89'
I am getting below error.
< HTTP/2 403
< x-guploader-uploadid: ADPycdsLHvii2xdFRxOEJxWwwvRqVW8N6eqrfGFIbQFxASjN3-mAKhLR8t9EAcp66HEQLiEQSiB1fqtBnDeHzQe0yVfkzg
< content-type: application/xml; charset=UTF-8
< content-length: 950
< date: Sat, 07 Jan 2023 07:19:18 GMT
< server: UploadServer
< alt-svc: h3=":443"; ma=2592000,h3-29=":443"; ma=2592000,h3-Q050=":443"; ma=2592000,h3-Q046=":443"; ma=2592000,h3-Q043=":443"; ma=2592000,quic=":443"; ma=2592000; v="46,43"
<
* TLSv1.2 (IN), TLS header, Supplemental data (23):
<?xml version='1.0' encoding='UTF-8'?><Error><Code>SignatureDoesNotMatch</Code><Message>The request signature we calculated does not match the signature you provided. Check your Google secret key and signing method.</Message><StringToSign>GOOG4-RSA-SHA256
20230107T071742Z
20230107/auto/storage/goog4_request
746ce8eb1510cb4496849f391a89f924ad83720ac1b3e96a9d743c4b2fbdc818</StringToSign><UnsignedSensitiveHeaders>x-goog-resumable</UnsignedSensitiveHeaders><CanonicalRequest>POST
/path/some_jar_file.jar
X-Goog-Algorithm=GOOG4-RSA-SHA256&X-Goog-Credential=sa-p.iam.gserviceaccount.com%2F20230107%2Fauto%2Fstorage%2Fgoog4_request&X-Goog-Date=20230107T071742Z&X-Goog-Expires=3600&X-Goog-SignedHeaders=content-type%3Bhost
content-type:application/octet-stream
host:storage.googleapis.com
content-type;host
* TLSv1.2 (IN), TLS header, Supplemental data (23):
* Connection #0 to host storage.googleapis.com left intact
UNSIGNED-PAYLOAD</CanonicalRequest></Error>
Please help.
Fabric Version: v2.2.4
Fabric Gateway Version: v2.2.0
Currently, I am not using Fabric CA and docker. Instead, I am using OpenSSL to generate my own certificates. There is no problem using command line to join channel or invoke chaincode with TLS enabled (Server TLS).
However, when I try to invoke my chaincode using Fabric Gateway Java SDK with TLS, the peer shows:
2021-10-20 23:53:51.571 EDT [core.comm] ServerHandshake -> ERRO 411 Server TLS handshake failed in 731.664253ms with error remote error: tls: internal error server=PeerServer remoteaddress=127.0.0.1:48920
2021-10-20 23:53:51.648 EDT [core.comm] ServerHandshake -> ERRO 412 Server TLS handshake failed in 17.623962ms with error remote error: tls: internal error server=PeerServer remoteaddress=127.0.0.1:48924
2021-10-20 23:53:52.389 EDT [core.comm] ServerHandshake -> ERRO 413 Server TLS handshake failed in 31.834126ms with error remote error: tls: internal error server=PeerServer remoteaddress=127.0.0.1:48928
2021-10-20 23:53:53.013 EDT [core.comm] ServerHandshake -> ERRO 414 Server TLS handshake failed in 20.97883ms with error remote error: tls: internal error server=PeerServer remoteaddress=127.0.0.1:48932
2021-10-20 23:53:53.453 EDT [core.comm] ServerHandshake -> ERRO 415 Server TLS handshake failed in 27.840631ms with error remote error: tls: internal error server=PeerServer remoteaddress=127.0.0.1:48936
if I disable the TLS, the chaincode can be invoked and queried but it shows an error message and display the certificate of the peer:
04:45:56.020 [main] ERROR org.hyperledger.fabric.sdk.security.CryptoPrimitives - Cannot
validate certificate. Error is: Path does not chain with any of the trust anchors
Certificate[
[
Version: V3
Subject: CN=peer-telecom, OU=peer, O=peer0.telecom.com, ST=Wilayah Persekutuan Kuala Lumpur, C=MY
Signature Algorithm: SHA256withECDSA, OID = 1.2.840.10045.4.3.2
Key: Sun EC public key, 256 bits
public x coord: 63258922835963897769642318382353579773301130246303245867091942631050654760639
public y coord: 17014436126955018341557373411142402131278326611630973049174140241981148702177
parameters: secp256r1 [NIST P-256, X9.62 prime256v1] (1.2.840.10045.3.1.7)
Validity: [From: Mon Oct 18 04:30:10 EDT 2021,
To: Tue Oct 18 04:30:10 EDT 2022]
Issuer: CN=hyperledger-telecom, O=ica.hyperledger.telecom.com, ST=Wilayah Persekutuan Kuala Lumpur, C=MY
SerialNumber: [ 1000]
Certificate Extensions: 4
[1]: ObjectId: 2.5.29.35 Criticality=false
AuthorityKeyIdentifier [
KeyIdentifier [
0000: 70 2B 57 B5 7C 6A 38 DE AB 6F DD 7E C4 63 FE 39 p+W..j8..o...c.9
0010: 54 22 D9 F9 T"..
]
]
[2]: ObjectId: 2.5.29.19 Criticality=false
BasicConstraints:[
CA:false
PathLen: undefined
]
[3]: ObjectId: 2.5.29.15 Criticality=true
KeyUsage [
DigitalSignature
]
[4]: ObjectId: 2.5.29.14 Criticality=false
SubjectKeyIdentifier [
KeyIdentifier [
0000: 62 C2 4A FB 13 54 44 DF 15 AB 2B 09 78 4F 79 4A b.J..TD...+.xOyJ
0010: CB 37 1D D7 .7..
]
]
]
Algorithm: [SHA256withECDSA]
Signature:
0000: 30 44 02 20 2D 20 15 9D 53 D4 DE EF 56 0D E6 6D 0D. - ..S...V..m
0010: 04 DA 99 F8 0C AC D5 A7 87 66 51 04 23 A0 4D C2 .........fQ.#.M.
0020: C8 98 95 5C 02 20 5C A5 5A 2D 19 43 FA E8 C0 E1 ...\. \.Z-.C....
0030: 49 4E C0 DF C9 59 F8 10 34 D6 94 05 51 38 E9 17 IN...Y..4...Q8..
0040: C5 F1 20 1F 0C EC .. ...
]
Java Application code:
package org.example.contract;
import java.io.IOException;
import java.io.Reader;
import java.nio.charset.StandardCharsets;
import java.nio.file.Path;
import java.nio.file.Paths;
import java.nio.file.Files;
import java.util.concurrent.TimeoutException;
import java.security.InvalidKeyException;
import java.security.PrivateKey;
import java.security.cert.CertificateException;
import java.security.cert.X509Certificate;
import org.hyperledger.fabric.gateway.Identities;
import org.hyperledger.fabric.gateway.Identity;
import org.hyperledger.fabric.gateway.Contract;
import org.hyperledger.fabric.gateway.ContractException;
import org.hyperledger.fabric.gateway.Gateway;
import org.hyperledger.fabric.gateway.Network;
import org.hyperledger.fabric.gateway.Wallet;
import org.hyperledger.fabric.gateway.Wallets;
public class Sample {
X509Certificate[] clientCert = null;
PrivateKey clientKey = null;
private static X509Certificate readX509Certificate(final Path certificatePath) throws IOException, CertificateException {
try (Reader certificateReader = Files.newBufferedReader(certificatePath, StandardCharsets.UTF_8)) {
return Identities.readX509Certificate(certificateReader);
}
}
private static PrivateKey getPrivateKey(final Path privateKeyPath) throws IOException, InvalidKeyException {
try (Reader privateKeyReader = Files.newBufferedReader(privateKeyPath, StandardCharsets.UTF_8)) {
return Identities.readPrivateKey(privateKeyReader);
}
}
public static void main(String[] args) throws IOException {
// Load an existing wallet holding identities used to access the network.
// A wallet stores a collection of identities
Path walletPath = Paths.get(".", "wallet");
Wallet wallet = Wallets.newFileSystemWallet(walletPath);
try {
Path credentialPath = Paths.get("/root","fabric","localtls","crypto-config", "peerOrganizations",
"org1.telecom.com", "users", "Admin#org1.telecom.com", "msp");
System.out.println("credentialPath: " + credentialPath.toString());
Path certificatePath = credentialPath.resolve(Paths.get("signcerts",
"Admin#org1.telecom.com-cert.pem"));
System.out.println("certificatePem: " + certificatePath.toString());
Path privateKeyPath = credentialPath.resolve(Paths.get("keystore",
"Admin#telecom.com.key"));
X509Certificate certificate = readX509Certificate(certificatePath);
PrivateKey privateKey = getPrivateKey(privateKeyPath);
Identity identity = Identities.newX509Identity("Org1MSP", certificate, privateKey);
String identityLabel = "Admin#org1.telecom.com";
wallet.put(identityLabel, identity);
System.out.println("Write wallet info into " + walletPath.toString() + " successfully.");
} catch (IOException | CertificateException | InvalidKeyException e) {
System.err.println("Error adding to wallet");
e.printStackTrace();
}
// Path to a common connection profile describing the network.
Path networkConfigFile = Paths.get("/root","fabric","localtls","connection.yaml");
String userName = "Admin#org1.telecom.com";
// Configure the gateway connection used to access the network.,
Gateway.Builder builder = Gateway.createBuilder()
.identity(wallet, userName)
.networkConfig(networkConfigFile);
// Create a gateway connection
try (Gateway gateway = builder.connect()) {
// Obtain a smart contract deployed on the network.
Network network = gateway.getNetwork("mychannel");
Contract contract = network.getContract("chaincode");
// Submit transactions that store state to the ledger.
byte[] createCarResult = contract.createTransaction("createMyAsset")
.submit("CAR", "Honda");
System.out.println(new String(createCarResult, StandardCharsets.UTF_8));
byte[] queryCar = contract.submitTransaction("readMyAsset", "CAR");
System.out.println(new String(queryCar, StandardCharsets.UTF_8));
} catch (ContractException | TimeoutException | InterruptedException e) {
e.printStackTrace();
}
}
}
connection.yaml:
name: "Network-Config-Test"
description: "The network used in the integration tests"
version: 1.0.0
client:
organization: telecom
organizations:
telecom:
mspid: Org1MSP
peers:
- peer0.org1.telecom.com
#adminPrivateKey:
#path: '/root/fabric/localtls/crypto-config/peerOrganizations/org1.telecom.com/users/Admin#org1.telecom.com/msp/keystore/Admin#telecom.com.key'
#signedCert:
#path: '/root/fabric/localtls/crypto-config/peerOrganizations/org1.telecom.com/users/Admin#org1.telecom.com/msp/signcerts/Admin#org1.telecom.com-cert.pem'
orderers:
orderer.example.com:
url: grpcs://localhost:6050
#client:
#keyfile: '/root/fabric/localtls/crypto-config/peerOrganizations/org1.telecom.com/users/Admin#org1.telecom.com/tls/client-o.key'
#certfile: '/root/fabric/localtls/crypto-config/peerOrganizations/org1.telecom.com/users/Admin#org1.telecom.com/tls/client-o.crt'
grpcOptions:
hostnameOverride: orderer.example.com
grpc-max-send-message-length: 15
grpc.keepalive_time_ms: 360000
grpc.keepalive_timeout_ms: 180000
negotiationType: TLS
sslProvider: openSSL
tlsCACerts:
path: /root/fabric/localtls/crypto-config/ordererOrganizations/example.com/orderers/orderer.example.com/tls/ca.crt
peers:
peer0.org1.telecom.com:
url: grpcs://localhost:7051
#client:
#keyfile: '/root/fabric/localtls/crypto-config/peerOrganizations/org1.telecom.com/users/Admin#org1.telecom.com/tls/client.key'
#certfile: '/root/fabric/localtls/crypto-config/peerOrganizations/org1.telecom.com/users/Admin#org1.telecom.com/tls/client.crt'
grpcOptions:
ssl-target-name-override: peer0.org1.telecom.com
grpc.http2.keepalive_time: 15
hostnameOverride: peer0.org1.telecom.com
negotiationType: TLS
sslProvider: openSSL
tlsCACerts:
path: /root/fabric/localtls/crypto-config/peerOrganizations/org1.telecom.com/peers/peer0.org1.telecom.com/tls/ca.crt
What am I missing? Any answer is welcomed!
Update 1.0
These are the certificates generated by using openSSL, they work when I use command line (I ommitted the hf thing in the Subject Alternative Name, not sure is it important for the application to work?):
The tlscacert:
Certificate:
Data:
Version: 3 (0x2)
Serial Number:
1f:a5:9f:1a:01:ed:c7:3d:30:ca:27:b6:79:9c:82:10:b8:94:84:23
Signature Algorithm: ecdsa-with-SHA256
Issuer: C = MY, ST = Wilayah Persekutuan Kuala Lumpur, L = Kuala Lumpur, O = rca.verisign.com, CN = tls-verisign
Validity
Not Before: Oct 21 03:11:13 2021 GMT
Not After : Oct 19 03:11:13 2031 GMT
Subject: C = MY, ST = Wilayah Persekutuan Kuala Lumpur, L = Kuala Lumpur, O = rca.verisign.com, CN = tls-verisign
Subject Public Key Info:
Public Key Algorithm: id-ecPublicKey
Public-Key: (256 bit)
pub:
04:34:b5:ac:a3:42:8c:d4:17:97:ca:16:d5:2f:7a:
00:32:bf:fd:dd:02:8a:33:28:ed:c0:53:5d:e0:42:
79:0d:08:43:1c:22:83:1e:f0:71:91:08:d6:c3:ec:
eb:ac:9c:56:00:da:e8:08:cf:ad:4c:b3:46:e7:e1:
39:1c:5f:bf:fc
ASN1 OID: prime256v1
NIST CURVE: P-256
X509v3 extensions:
X509v3 Subject Key Identifier:
EB:7B:8E:23:26:A7:17:3D:E0:0B:8D:B4:6E:6C:5D:D5:EE:EF:80:AF
X509v3 Authority Key Identifier:
keyid:EB:7B:8E:23:26:A7:17:3D:E0:0B:8D:B4:6E:6C:5D:D5:EE:EF:80:AF
X509v3 Basic Constraints: critical
CA:TRUE
X509v3 Key Usage: critical
Digital Signature, Key Encipherment, Certificate Sign, CRL Sign
Signature Algorithm: ecdsa-with-SHA256
30:45:02:20:63:40:88:2d:c8:51:e5:42:2b:d3:98:60:6f:1e:
3c:d2:f6:59:48:bb:0c:7c:10:b6:28:27:86:20:58:35:0b:19:
02:21:00:c7:87:df:79:75:21:8d:bf:bc:be:aa:c9:44:53:b5:
b4:32:4d:06:2b:a0:05:eb:38:b7:9f:3d:71:80:17:77:69
The Peer TLS cert:
Certificate:
Data:
Version: 3 (0x2)
Serial Number: 4097 (0x1001)
Signature Algorithm: ecdsa-with-SHA256
Issuer: C = MY, ST = Wilayah Persekutuan Kuala Lumpur, L = Kuala Lumpur, O = rca.verisign.com, CN = tls-verisign
Validity
Not Before: Oct 21 03:11:13 2021 GMT
Not After : Oct 21 03:11:13 2022 GMT
Subject: C = MY, ST = Wilayah Persekutuan Kuala Lumpur, O = tls.peer.telecom.com, CN = tls-peer-telecom
Subject Public Key Info:
Public Key Algorithm: id-ecPublicKey
Public-Key: (256 bit)
pub:
04:76:c2:e9:94:10:03:2c:3b:2d:90:56:e8:b5:30:
bf:67:f6:b5:b8:9c:73:cd:28:b3:f2:f7:21:e9:f7:
6c:66:38:a9:e8:7c:b0:ea:67:fb:f7:db:72:29:9d:
aa:56:20:92:ab:b1:e5:53:2a:a1:19:0b:0c:8b:65:
36:fe:98:aa:e1
ASN1 OID: prime256v1
NIST CURVE: P-256
X509v3 extensions:
X509v3 Basic Constraints: critical
CA:FALSE
X509v3 Key Usage: critical
Digital Signature, Key Encipherment
X509v3 Extended Key Usage:
TLS Web Client Authentication, TLS Web Server Authentication
X509v3 Subject Key Identifier:
08:9D:B8:81:4B:39:0D:B1:D4:BD:EC:49:E5:AC:BA:FB:F1:7A:58:51
X509v3 Authority Key Identifier:
keyid:EB:7B:8E:23:26:A7:17:3D:E0:0B:8D:B4:6E:6C:5D:D5:EE:EF:80:AF
X509v3 Subject Alternative Name:
IP Address:127.0.0.1
Signature Algorithm: ecdsa-with-SHA256
30:46:02:21:00:c0:d7:26:b4:e9:30:08:b5:37:46:66:0f:fb:
b6:36:22:04:5f:78:ab:ae:ff:7f:48:e0:7b:ff:e8:f0:88:b4:
e5:02:21:00:86:64:ec:c8:9b:b4:06:b5:3d:d3:c1:54:4f:d2:
a2:bb:1a:e1:a7:e7:84:28:9a:ef:ac:db:ab:65:95:0d:10:2d
The only thing I am missing in the cert is:
1.2.3.4.5.6.7.8.1:
{"attrs":{"hf.Affiliation":"","hf.EnrollmentID":"peer0","hf.Type":"peer"}}
Is this only being used by the Fabric CA? Or it is a must to include?
Fabric TLS certificates are very fiddly. For instance, we've found several cases where the peer and chaincode will accept a malformed cert, but the gateway client refuses to connect using the same certificate. What is probably happening is that you have a problem with the openssl generated cert, but the peer is too lax to report the error. (It also doesn't help that the client TLS libraries simply disconnect, without reporting on the root failure during the handshake.)
In the example above, the cert output shows some differences in PathLen and KeyUsage attributes that differ from what are normally generated by a Fabric CA.
Here are some ideas and techniques that we've found to be useful in debugging TLS handshake issues with the gateway / client SDKs. Try to use these techniques to close any gaps between your certs and the reference certs generated by the Fabric CAs:
Use the Fabric CAs. Even if you plan to generate a certificate chain using OpenSSL and an external authority, you can use the Fabric CAs to generate TLS enrollments and certificates, and compare the reference certs against what you have built up with OpenSSL.
Use curl, or other TLS-enabled clients to help verify the correctness of a certificate. In many cases the errors output by an independent client are directly applicable to the failed TLS handshake when connecting the fabric client.
Use the test-network-k8s system as a reference for setting up the TLS and CA infrastructure. In addition to a "push button" test network, this will provide CA endpoints that can be used to generate reference enrollments / certificates for study.
Inspect the certificates generated by the Fabric CAs, and compare against your hand-crafted certs. For example, here is a certificate dump from a TLS cert generated with the Kube test network - make sure your OpenSSL certs have the same, or similar feature sets and attributes.
$ openssl x509 -in /tmp/ca-cert.pem -text
Certificate:
Data:
Version: 3 (0x2)
Serial Number:
4c:63:74:d5:99:29:ce:e0:b6:28:a2:b5:a4:0e:a0:c1:f3:e9:a9:d5
Signature Algorithm: ecdsa-with-SHA256
Issuer: C=US, ST=North Carolina, O=Hyperledger, OU=Fabric, CN=fabric-ca-server
Validity
Not Before: Oct 21 10:36:00 2021 GMT
Not After : Oct 17 10:36:00 2036 GMT
Subject: C=US, ST=North Carolina, O=Hyperledger, OU=Fabric, CN=fabric-ca-server
Subject Public Key Info:
Public Key Algorithm: id-ecPublicKey
Public-Key: (256 bit)
pub:
04:53:f4:ad:e6:6b:4c:75:7e:4a:6d:6e:cd:73:b0:
81:a8:d7:d7:55:c0:fd:22:92:15:fc:2d:20:44:c6:
ec:55:c9:cc:88:3a:14:09:77:e5:4f:4b:b8:98:ee:
71:09:da:e6:f8:7c:f7:39:fa:41:fc:f3:a2:fe:a4:
1e:34:ec:a9:b5
ASN1 OID: prime256v1
NIST CURVE: P-256
X509v3 extensions:
X509v3 Key Usage: critical
Certificate Sign, CRL Sign
X509v3 Basic Constraints: critical
CA:TRUE, pathlen:1
X509v3 Subject Key Identifier:
AB:AF:85:A3:D3:2E:9A:A9:03:49:F5:5C:30:32:2B:92:EC:92:B3:D0
X509v3 Subject Alternative Name:
IP Address:127.0.0.1
Signature Algorithm: ecdsa-with-SHA256
30:45:02:21:00:bf:cc:c1:d2:29:b1:04:3f:55:31:c6:b7:69:
ca:72:12:d7:67:55:14:cd:23:f7:75:16:6c:b1:63:7f:e6:9c:
24:02:20:5d:ff:e3:7e:84:22:d3:f3:52:bd:96:fa:dc:2d:94:
2f:6b:a3:bc:ab:3e:b3:87:10:fd:30:51:a2:4a:ca:ce:b4
-----BEGIN CERTIFICATE-----
MIICKDCCAc6gAwIBAgIUTGN01ZkpzuC2KKK1pA6gwfPpqdUwCgYIKoZIzj0EAwIw
aDELMAkGA1UEBhMCVVMxFzAVBgNVBAgTDk5vcnRoIENhcm9saW5hMRQwEgYDVQQK
EwtIeXBlcmxlZGdlcjEPMA0GA1UECxMGRmFicmljMRkwFwYDVQQDExBmYWJyaWMt
Y2Etc2VydmVyMB4XDTIxMTAyMTEwMzYwMFoXDTM2MTAxNzEwMzYwMFowaDELMAkG
A1UEBhMCVVMxFzAVBgNVBAgTDk5vcnRoIENhcm9saW5hMRQwEgYDVQQKEwtIeXBl
cmxlZGdlcjEPMA0GA1UECxMGRmFicmljMRkwFwYDVQQDExBmYWJyaWMtY2Etc2Vy
dmVyMFkwEwYHKoZIzj0CAQYIKoZIzj0DAQcDQgAEU/St5mtMdX5KbW7Nc7CBqNfX
VcD9IpIV/C0gRMbsVcnMiDoUCXflT0u4mO5xCdrm+Hz3OfpB/POi/qQeNOyptaNW
MFQwDgYDVR0PAQH/BAQDAgEGMBIGA1UdEwEB/wQIMAYBAf8CAQEwHQYDVR0OBBYE
FKuvhaPTLpqpA0n1XDAyK5LskrPQMA8GA1UdEQQIMAaHBH8AAAEwCgYIKoZIzj0E
AwIDSAAwRQIhAL/MwdIpsQQ/VTHGt2nKchLXZ1UUzSP3dRZssWN/5pwkAiBd/+N+
hCLT81K9lvrcLZQva6O8qz6zhxD9MFGiSsrOtA==
-----END CERTIFICATE-----
I am trying to call an API using cURL.
Using the Advanced Rest Client(ARC) when I send a request using this URL:
http://localhost:8080/jcr/root/myfolder/integrationTestNode
I receive this response:
Status:
500: Internal Server Error
Loading time: 37 ms
Date: Thu, 28 Jul 2016 06:20:11 GMT
Content-Type: text/plain
Content-Length: 88
And a message
Failed to delete filejavax.jcr.PathNotFoundException: /root/myfolder/integrationTestNode
Which is exactly what I want.
But when I try the same using cURL in a shell script I am unable to see the message.
Here is the script:
url="http://localhost:8080/jcr/root/myfolder/integrationTestNode"
echo ${url}
curl -u amit:pass --verbose -I -X DELETE \
--url "${url}"
echo " ----------------------------------------------------------------------------"
And here is the response of the script:
http://localhost:8080/jcr/root/myfolder/integrationTestNode
* timeout on name lookup is not supported
* Trying ::1...
% Total % Received % Xferd Average Speed Time Time Time Current
Dload Upload Total Spent Left Speed
0 0 0 0 0 0 0 0 --:--:-- --:--:-- --:--:-- 0* Connected to localhost (::1) port 8080 (#0)
* Server auth using Basic with user 'amit'
> DELETE /jcr/root/myfolder/integrationTestNode HTTP/1.1
> Host: localhost:8080
> Authorization: Basic YW1pdDpwYXNz
> User-Agent: curl/7.49.1
> Accept: */*
>
< HTTP/1.1 500 Internal Server Error
< Date: Thu, 28 Jul 2016 06:25:26 GMT
< Content-Type: text/plain
< Content-Length: 88
<
* Excess found in a non pipelined read: excess = 88 url = /jcr/root/myfolder/int egrationTestNode (zero-length body)
0 88 0 0 0 0 0 0 --:--:-- --:--:-- --:--:-- 0HT TP/1.1 500 Internal Server Error
Date: Thu, 28 Jul 2016 06:25:26 GMT
Content-Type: text/plain
Content-Length: 88
How can I see the response message using cURL ?
I am using javax.ws.rs.core.Response.status().entity("").build() to send the message.
My colleague set up a (Bluemix) secure gateway using mutual auth for our project to use. He tested it with Ruby and CURL and it works fine. but when configuring my Liberty server to use it, I am running in to many issues.
I used the instructions found here.
Basically...
To create a key store for the client, enter the following command. In the following example, key.p.12 is created.
openssl pkcs12 -export -in "[client]_cert.pem" -inkey "[client]_key" -out "sg_key.p12" -name BmxCliCert -noiter –nomaciter –password pass:<password>
Which creates a PKCS12 store. (I use this in server.xml below)
I then added the certs into my keystore.
I then changed my server.xml to have a trust store as referenced in my
<ldapRegistry baseDN="o=ibm.com" host="bluepages.ibm.com" id="bluepages" ignoreCase="true"
ldapType="IBM Tivoli Directory Server" port="636" realm="w3" sslEnabled="true" sslRef="SSLSettings">
<idsFilters groupFilter="(&(cn=%v)(objectclass=groupOfUniqueNames))" groupIdMap="*:cn" groupMemberIdMap="groupOfUniqueNames:uniquemember" userFilter="(&(emailAddress=%v)(objectclass=person))" userIdMap="*:emailAddress"/>
</ldapRegistry>
<ssl id="SSLSettings" keyStoreRef="defaultKeyStore" trustStoreRef="defaultTrustStore"/>
<keyStore id="defaultKeyStore" password="xxxxxx"
location="${server.output.dir}/resources/security/key.jks"/>
<keyStore id="defaultTrustStore"
location="${server.output.dir}/resources/security/sg_key.p12"
type="PKCS12" password="xxxxxx" />
Here's issue #1
When I add the trust store, I can no longer authenticate via my LDAP server. It just says invalid user or password. I remove the trust store.. and I can authenticate again. So adding the truststore has some type of affect.
Issue #2. When I remove my LDAP server and just use basic user registry... I can login in.. but when I try and use the secure gateway, I get..
[err] javax.net.ssl.SSLHandshakeException: Received fatal alert: handshake_failure
I have imported the certificate from the secure gateway so not sure why I get this?
So two issues.. Using a truststore.. I can no longer auth via LDAP... and second.. cannot connect to the secure gateway even after importing all certs...
Anyone had success using Bluemix with a Secure Gateway (Mutual Auth) from Java?
Requested info (edited)
Enter Import Password:
MAC Iteration 2048
MAC verified OK
PKCS7 Encrypted data: pbeWithSHA1And40BitRC2-CBC, Iteration 2048
Certificate bag
Bag Attributes
friendlyName: portal
localKeyID: 5F A0 D5 5D 68 C5 39 65 7D 24 D7 78 9B CD 7D 01 FB 1B 00 6D
subject=/ST=NC/C=US/L=RTP/O=IBM Corporation/OU=SWG/CN=*.integration.ibmcloud.com
issuer=/ST=NC/C=US/L=RTP/O=IBM Corporation/OU=SWG/CN=*.integration.ibmcloud.com
-----BEGIN CERTIFICATE-----
INFO
4Q==
-----END CERTIFICATE-----
PKCS7 Data
Shrouded Keybag: pbeWithSHA1And3-KeyTripleDES-CBC, Iteration 2048
Bag Attributes
friendlyName: portal
localKeyID: 5F A0 D5 5D 68 C5 39 65 7D 24 D7 78 9B CD 7D 01 FB 1B 00 6D
Key Attributes: <No Attributes>
Enter PEM pass phrase:
Verifying - Enter PEM pass phrase:
-----BEGIN ENCRYPTED PRIVATE KEY-----
INFO
-----END ENCRYPTED PRIVATE KEY-----
Finally got this to work.
previous code..
. . . .
connection = (HttpsURLConnection) url.openConnection();
Where url was the URL of the Secure Gateway.
Added before this...
KeyStore clientStore = KeyStore.getInstance("PKCS12");
clientStore.load(new FileInputStream(KEY_STORE_PATH), "xxxxxx".toCharArray());
KeyManagerFactory kmf = KeyManagerFactory.getInstance(KeyManagerFactory.getDefaultAlgorithm());
kmf.init(clientStore, "xxxxxx".toCharArray());
KeyManager[] kms = kmf.getKeyManagers();
KeyStore trustStore = KeyStore.getInstance("JKS");
trustStore.load(new FileInputStream(TRUST_STORE_PATH), "xxxxxx".toCharArray());
TrustManagerFactory tmf = TrustManagerFactory.getInstance(TrustManagerFactory.getDefaultAlgorithm());
tmf.init(trustStore);
TrustManager[] tms = tmf.getTrustManagers();
SSLContext sslContext = null;
sslContext = SSLContext.getInstance("TLS");
sslContext.init(kms, tms, new SecureRandom());
HttpsURLConnection.setDefaultSSLSocketFactory(sslContext.getSocketFactory());`
connection = (HttpsURLConnection) url.openConnection();
Now it works... tx
Some good info in this thread.. LINK
I have problem with certificate. This is my stack trace:
trustStore is: /usr/user/programs/java/jdk1.7.0_10/jre/lib/security/jssecacerts
trustStore type is : jks
trustStore provider is :
init truststore
adding as trusted cert:
Subject: EMAILADDRESS=******, CN=865409164, OU=http://www.sistem.net, O=DOO, L=Citluk, ST=Text, C=BA
Issuer: EMAILADDRESS=***********, CN=ecommtest.rbbh.ba, OU=ITRIOSS.CARD, O=BANK, L=CITY, ST=******, C=BA
Algorithm: RSA; Serial number: 0xf6e5b0e213f9b11b
Valid from Tue Jul 30 14:43:23 CEST 2013 until Wed Jul 30 14:43:23 CEST 2014
and at the end I got this:
***
%% Invalidated: [Session-1, TLS_RSA_WITH_AES_128_CBC_SHA]
main, SEND TLSv1 ALERT: fatal, description = certificate_unknown
main, WRITE: TLSv1 Alert, length = 2
[Raw write]: length = 7
0000: 15 03 01 00 02 02 2E .......
main, called closeSocket()
main, handling exception: javax.net.ssl.SSLHandshakeException: sun.security.validator.ValidatorException: PKIX path building failed: sun.security.provider.certpath.SunCertPathBuilderException: unable to find valid certification path to requested target
main, IOException in getSession(): javax.net.ssl.SSLHandshakeException: sun.security.validator.ValidatorException: PKIX path building failed: sun.security.provider.certpath.SunCertPathBuilderException: unable to find valid certification path to requested target
main, called close()
main, called closeInternal(true)
I've got certifacte as PKCS12, then I importkeystore by keytool in jssecacerts and copy it in JDK/jre/lib/security
I use apache HttpClient to execute POST request.
Thanks for any help
Zlaja
We have found solution. These are steps:
Run InstallCert from https://code.google.com/p/java-use-examples/source/browse/trunk/src/com/aw/ad/util/InstallCert.java. It will create jssecacerts.
Backup your cacerts from jre/lib/security
Replace cacerts with jssecacert
Change your code like this:
val clientStore = KeyStore.getInstance("PKCS12")
clientStore.load(new FileInputStream("/home/zlaja/Downloads/imakstore_80009164.p12"), "12348765".toCharArray())
val kmf = KeyManagerFactory.getInstance(KeyManagerFactory.getDefaultAlgorithm())
kmf.init(clientStore, "12348765".toCharArray())
val kms = kmf.getKeyManagers()
val trustStore = KeyStore.getInstance("JKS")
trustStore.load(new FileInputStream("/usr/user/programs/java/jdk1.7.0_10/jre/lib/security/cacerts"), "changeit".toCharArray())
val tmf = TrustManagerFactory.getInstance(TrustManagerFactory.getDefaultAlgorithm())
tmf.init(trustStore)
val tms = tmf.getTrustManagers()
val sslContext = SSLContext.getInstance("TLS")
sslContext.init(kms, tms, new SecureRandom())
val schemeRegistry = new SchemeRegistry();
schemeRegistry.register(new Scheme("https", new SSLSocketFactory(init), 443))
val client = new DefaultHttpClient(new ThreadSafeClientConnManager(httpParameters, schemeRegistry), httpParameters);
I had this problem as well, but I finally have a solution that works for my JAX-WS client with SSL.
The problem in my case was JAX not able to look in another keystore but cacerts, and my certificate has 2 chained which was impossible to import via command line to cacerts.