I tried connecting to Google cloud IOT MQTT Brocker. I am getting Not authorized to connect (5) as Exception in Java client.
The device_id and other details are correct.The public key set for the device in the cloud iot.
using the example code for the below repo.
https://github.com/GoogleCloudPlatform/java-docs-samples/tree/master/iot/api-client/mqtt_example
Another point to look at is the configured GCP IoT Core cloud region.
Had similar problem with this. I configured GCP IoT Core cloud region as "asia-east1" while on the client application side, its default cloud region is "us-central1".
If the cloud region is not configured correctly, the python/NodeJS IoT Core examples (mqtt, http, end2end) would return errors such as
Creating JWT using RS256 from private key file rsa_private.pem
Publishing message 1/100: 'test/test_1-payload-1'
('on_connect', 'Connection Refused: not authorised.')
('on_disconnect', '5: The connection was refused.')
To solve this, just pass the correct cloud region parameter to the command --cloud_region=asia-east1
Example:
python cloudiot_mqtt_example.py --project_id=project_id --registry_id=registry_id --device_id=device_id --private_key_file=rsa_private.pem --algorithm=RS256 --cloud_region=asia-east1
Couple things to check:
1) Are you sure the format of the SSL key matches what you registered? RS256 vs. RS256 with X509, etc?
2) Did you setup the TLS on the mqtt client and grab the Google root certificate?
2a) >=TLS 1.2?
3) Verify the JWT has the correct 'aud' value (project-id, not project-name), and that it's got a proper issue and expiry time?
Related
I am trying to create a opc ua client with java using milo library. I need to connect with an OPC Server which uses http://opcfoundation.org/UA/SecurityPolicy#Basic256Sha256 Security Policy in addition i need to authenticate the user with certificates.
I am having the following error in the client "The user identity token is valid but the server has rejected it" which corresponds with the opc ua error "UA_SCBADIDENTITYTOKENREJECTED 0x80210000".
I can look for the server information and i have the following log information "Verification of UserTokenSignature failed".
I have investigate the topic and it seems that the UserTokenSignature has not been created properly, I think that it could be because of the nonce, but i am not sure, i have had a look to the wireshark information and in the startup of the communication the client does not include any nonce.
I do not know if it is necessary to configure any property in the client to include the nonce, i think that it should be included automatically.
Maybe the "Verification of UserTokenSignature failed" error is caused because of an error in the certificates, i do not know, but i have tested the connection with UA Expert and it works properly.
You shouldn't have to do anything with nonces or signing; this is all handled by the SDK.
What server are you connecting to? Does it happen if you connect without security? You've configured an X509IdentityProvider for your client?
While using Okhttp3 to request(get and post) HTTPS urls from Dataflow jobs, the program is throwing SSL handshake Exception and failing. Exact message is "javax.net.ssl.SSLHandshakeException: Received fatal alert: handshake_failure"
The same code was working earlier like 3-4 weeks(Before Nov-23) back in Dataflow. Now it's failing with the above exception. Will this be an issue arrise because of some changes in the server (HTTPS URL provider) ? Or is it something to do with the my dataflow/beam setup.
SDK and lib versions -
Apache Beam SDK for Java 2.16.0
com.squareup.okhttp3:okhttp:4.2.2
Looks like a change in the SSL configuration of your server. Try this site to confirm your server and device are compatible.
https://www.ssllabs.com/ssltest/
Like I explain in my answer here, GCP disables GCM algos by default, and most probably your server only supports GCM and POLY.
To re-enable GCM in the pipeline, you need to register a JvmInitializer and change the security settings.
Please look at my other answer on how to do this.
I'm currently facing some troubles by reaching my https-endpoint for my alexa-custom-skill.
My endpoint is an internal PC on my network. For reaching this web server I use a DDNS (<server>.linkpc.net) for my router. The router itself has a port forwarding (443 => internal WebServer Port). That means the current architecture is:
Alexa => Router (.linkpc.net):443 => :
=> RESPONSE => ROUTER => Alexa
I also created a self-signed certificate, that is placed inside a jks and loaded by my WebServer.
This solution works well, by calling the URL (<server>.linkpc.net/xxx/xxx) via browser from outside my network. I receive a message that connection is unsecured due to an untrusted certificate (my self-signed one). But that is a normal behaviour.
I imported the self-signed certificate to own "SSL certificate" via Amazon DEV Console (PEM Format).
From my point of view, everything should be fine, but I get the following error by sending a request to Amazon Dev Console:
"The remote endpoint could not be called, or the response it returned was invalid."
If I'm going to copy the xml-text and insert it into JSON chapter I got:
"There was an exception during the SSL handshake. Please check the
certificate you have provided."
I also created a BreakPoint in Eclipse. It works by using a Browser, but it didn't by using Alexa Dev Console. No response in the code. That means, from my personal point of view, the request is not even reaching my WebServer at all. There are three possible explanations (maybe):
The router provides the wrong certificate to Alexa (strange, because it should not work as a proxy and shouldn't need the self-signed certificate?!)
Self-Signed certificate was wrongly built for Amazon Alexa ?!
A bug inside amazon dev console (unlikely)
Could you please support? :-)
Greetings
Richard
I am trying to use Microsoft Azure IOT Hub to demonstrate connecting my device to IOT Hub and send messages using mqtt protocol.
I have an account and created device and SAS with TTL as required. I am using java client SDK given by microsoft azure to connect but my connection is not authorized.
I have followed all the steps as given in the below URL:
https://azure.microsoft.com/en-us/documentation/articles/iot-hub-mqtt-support/
Please help me in this regards. My logs are below:
Logs:
MqttIotHubConnection.open() connectionOptions=
============== Connection options ==============
CleanSession : false
SocketFactory : null
MqttVersion : 4
KeepAliveInterval : 20
ConTimeout : 30
UserName : PCSIOTHub.azure-devices.net/MQ...
SSLProperties : null
WillDestination : null
Exception in thread "main" java.io.IOException: Error initializing MQTT connection:Not authorized to connect
at com.microsoft.azure.iothub.transport.mqtt.MqttIotHubConnection.open(MqttIotHubConnection.java:142)
at com.microsoft.azure.iothub.transport.mqtt.MqttTransport.open(MqttTransport.java:83)
at com.microsoft.azure.iothub.DeviceClient.open(DeviceClient.java:163)
at samples.com.microsoft.azure.iothub.SendReceive.main(SendReceive.java:210)
If you're using the Microsoft Java client for IoT Hub, you don't need to create the SAS token yourself, the SDK does it for you.
If you follow the example here, https://azure.microsoft.com/en-us/documentation/articles/iot-hub-java-java-getstarted/#create-a-simulated-device-app, all you need to do is replace:
private static IotHubClientProtocol protocol = IotHubClientProtocol.AMQPS;
with:
private static IotHubClientProtocol protocol = IotHubClientProtocol.MQTT;
and you will have a basic Java client that can communicate with IoT Hub over MQTT.
As #DominicBetts said, you don't need to create the SAS token when using the IoTHub SDK for Java. More explaination for the security of IoTHub, please see the offical document Azure IoT Hub developer guide.
As reference as sample, you can refer to the example on GitHub to know how to send messages in the different protocols for Java.
I have a java client connecting to a WCF service. This service is configured to run on the host as a separate domain user (i.e. not as Local Service or Network Service). The Service publishes a userPrincipalName in its WSDL.
During the SpNego token exchange I get the following exception in the client
Defective token detected (Mechanism level: AP_REP token id does not match!)
This is the call stack:
at sun.security.jgss.spnego.SpNegoContext.initSecContext(SpNegoContext.java:450)
at sun.security.jgss.GSSContextImpl.initSecContext(GSSContextImpl.java:230)
at sun.security.jgss.GSSContextImpl.initSecContext(GSSContextImpl.java:162)
If I configure the WCF service to run under Local System account the SpNego token exchange works.
Do I need to modify the code for services not running under Local system account?
Update-1
After some debugging by getting a C# client to connect with the WCF service, I found that the C# client is using a modified version of SpNego protocol called MS-SPNG. Does Java 6 support this? When I inspect the token I get an error about unsupported mechanism 1.2.840.113554.1.2.2.3.
These links explains whats happening. MS has a extension for SpNego protocol, which kicks in when we run a WCF service as a user (i.e. not as Local Service etc).
This is the MS specification for the new protocol, and here is the openjdk doc that xplains the workarounds.