ClausSuffel
Hello,
after upgrading AES from 4.0.1 to 4.1, our DMCC application is no longer able to connect via secured port 4722.
Connection to port 4721 still works fine.
Our application comes up with java.net.ConnectException: Connection refused: connect.
In the error log file of the AES, we can find the following entry:
09:58:14 ERROR:CRITICAL:TSAPI:TSERVER:InitSslContext.cpp/195 10 Unable to set the certificate chain file to "/etc/opt/avaya/certs/private/serverCert.pem" for SSL. (error:0906D06C:PEM routines:PEM_read_bio:no start line). Encrypted client connections will not be available.
Both files 'serverCert.pem' and 'serverKey.pem' have size 0 Bytes.
On the client side, we are using the certificate file 'avaya.jks' that comes with the DMCC Java API.
What might be the reason for our connection problems to the secured port?
Regards,
Claus Suffel
NicholasDronen
Hi, Claus:
The connection is being refused because the DMCC isn't listening on that port. It's not listening on that port because it can't set up SSL/TLS, and the reason it can't set up SSL/TLS is that the certificate and key files are empty. To get your application up and running, I would remove those files, double-check that your license file is installed, then restart the server. The files should appear again, not empty this time, and you should be able to connect again. Please try that and post an update.
Regards,
Nick
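The chain of reasoning in the reply above (connection refused because the listener never came up, because the TLS context could not load the certificate and key, because the PEM files are empty) can be checked directly on the files. The following is an added example, not code from the thread or from Avaya: a stand-alone PEM sanity check that reproduces the conditions behind OpenSSL's "PEM_read_bio:no start line" (a 0-byte file or a file without a BEGIN header) plus a few related failure modes, so the state of serverCert.pem and serverKey.pem can be verified before restarting the service. The file paths, the sample PEM contents and the function names are all constructed for the example.

```python
# Added example (not part of the forum thread or Avaya's code): sanity check
# for the TLS server certificate/key PEM files. Sample data below is constructed.
import base64
import os
import re
from dataclasses import dataclass, field
from typing import List

# One PEM block: BEGIN line, base64 body, END line carrying the same label.
_PEM_BLOCK = re.compile(
    rb"-----BEGIN ([A-Z0-9 ]+)-----\r?\n(.*?)-----END \1-----",
    re.DOTALL,
)


@dataclass
class PemCheck:
    status: str  # ok | empty | no_start_line | malformed_block | bad_base64 | not_der | missing
    labels: List[str] = field(default_factory=list)  # labels of the blocks parsed so far
    detail: str = ""


def check_pem_bytes(data: bytes) -> PemCheck:
    """Classify PEM contents the way OpenSSL's PEM loader would reject them."""
    if len(data) == 0:
        # The 0-byte serverCert.pem / serverKey.pem case from the thread.
        return PemCheck("empty", [], "file is 0 bytes; OpenSSL reports 'no start line'")
    if b"-----BEGIN " not in data:
        return PemCheck("no_start_line", [], "no '-----BEGIN ...-----' header found")
    blocks = _PEM_BLOCK.findall(data)
    if not blocks:
        return PemCheck("malformed_block", [], "BEGIN header present but no matching END line")
    labels: List[str] = []
    for raw_label, body in blocks:
        label = raw_label.decode("ascii")
        try:
            der = base64.b64decode(b"".join(body.split()), validate=True)
        except ValueError:  # binascii.Error is a subclass of ValueError
            return PemCheck("bad_base64", labels, f"{label} body is not valid base64")
        # X.509 certificates and private keys are all DER SEQUENCEs (tag 0x30).
        if not der or der[0] != 0x30:
            return PemCheck("not_der", labels, f"{label} body does not decode to a DER SEQUENCE")
        labels.append(label)
    return PemCheck("ok", labels, f"{len(labels)} PEM block(s) parsed")


def check_pem_file(path: str) -> PemCheck:
    """Same check for a file on disk; a missing file gets its own status."""
    if not os.path.isfile(path):
        return PemCheck("missing", [], f"{path} does not exist")
    with open(path, "rb") as f:
        return check_pem_bytes(f.read())


def diagnose_pair(cert_data: bytes, key_data: bytes) -> str:
    """Verdict on whether a cert/key pair could back an encrypted listener at all."""
    cert, key = check_pem_bytes(cert_data), check_pem_bytes(key_data)
    if cert.status != "ok":
        return f"blocked: certificate file {cert.status} ({cert.detail})"
    if key.status != "ok":
        return f"blocked: key file {key.status} ({key.detail})"
    if "CERTIFICATE" not in cert.labels:
        return "blocked: certificate file holds no CERTIFICATE block"
    if not any(label.endswith("PRIVATE KEY") for label in key.labels):
        return "blocked: key file holds no PRIVATE KEY block"
    return "ok: both files parse; a TLS listener can attempt to load them"


def _pem(label: str, der: bytes) -> bytes:
    """Wrap constructed DER bytes as a PEM block (sample data only)."""
    b64 = base64.b64encode(der).decode("ascii")
    return f"-----BEGIN {label}-----\n{b64}\n-----END {label}-----\n".encode("ascii")


# Constructed sample data: a minimal DER SEQUENCE { INTEGER 5 }, not a real
# certificate or key, but enough to exercise the parser end to end.
_MINIMAL_DER = bytes([0x30, 0x03, 0x02, 0x01, 0x05])
SAMPLE_CERT_PEM = _pem("CERTIFICATE", _MINIMAL_DER)
SAMPLE_KEY_PEM = _pem("RSA PRIVATE KEY", _MINIMAL_DER)

if __name__ == "__main__":
    for name, data in [("empty", b""), ("garbage", b"hello\n"), ("cert", SAMPLE_CERT_PEM)]:
        print(name, check_pem_bytes(data))
    print(diagnose_pair(SAMPLE_CERT_PEM, SAMPLE_KEY_PEM))
    print(diagnose_pair(b"", b""))
    # On a real server you would call, for example (path from the error log above):
    # print(check_pem_file("/etc/opt/avaya/certs/private/serverCert.pem"))
```

The check stops at the first structural defect it finds, which mirrors the order in which the loader fails: an empty file and a file with no BEGIN header both surface as "no start line" in OpenSSL, and only a file that gets past the headers is examined for base64 and DER problems. It deliberately does not validate the X.509 contents or whether the key matches the certificate; that is what the server's own TLS initialisation does once the files are non-empty and well formed.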
ClausSuffel
Hi Nicki,
I've removed the empty certificate and key files and restarted the server. Unfortunately, both files do not appear again.
Our license file is already installed successfully.
Any ideas?
Regards,
Claus
NicholasDronen
Do you see any errors pertaining to those files in mvap-trace.log.0?
Regards,
Nick
ClausSuffel
Hi Nicki,
I've checked the mvap-trace.log.0 and found the following entries:
2008-03-19 09.37.59,257 com.avaya.main.Main main
WARNING: Unable to extract certificates from license file: failed to decrypt safe contents entry: javax.crypto.BadPaddingException: Given final block not properly padded
2008-03-19 09.37.59,259 com.avaya.main.Main main
WARNING: SSL connections may fail.
...
2008-03-19 09.39.27,975 com.avaya.common.certmgt.PKCS12Utility readPassword
WARNING: StoreException when reading /opt/coreservices/certmgmt/passwordStore.str for alias No alias: Error Code: 102 Message :No such data name found for the given app name Cause :null
2008-03-19 09.39.28,506 com.avaya.mvcs.proxy.ClientProxyServiceImpl createSecureServerChannel
WARNING: Could not open the encrypted ServerChannel
java.io.IOException: failed to decrypt safe contents entry: javax.crypto.BadPaddingException: Given final block not properly padded
...
2008-03-19 09.39.28,907 com.avaya.mvcs.proxy.ClientProxyServiceImpl createSecureServerChannel
WARNING: Could not open the encrypted ServerChannel
May there be a corruption in the license file provided by Avaya?
Regards,
Claus
NicholasDronen
Hi, Claus:
This looks to me like a problem with passwordStore.str, not the license file, so let's try this:
# service mvap stop
# cd /opt/coreservices
# mv avaya avaya.bak
# mv certmgmt certmgmt.bak
# service mvap start
Let me know how that goes. I expect it to work, but if it doesn't, we can look at the license file as well. If the certificate and key files appear after restarting mvap, then you can remove the avaya.bak and certmgmt.bak directories, as the original directories will have been recreated for you.
Regards,
Nick
ClausSuffel
Hi Nicki,
after performing the described steps, AES still rejects secured connections.
Also, there's no change in the files 'serverCert.pem' and 'serverKey.pem'. They still contain 0 Bytes.
Here's what mvap displayed during startup:
[root@AESSERVER coreservices]# [root@AESSERVER coreservices]# service mvap start
java version "1.5.0_10"
Java(TM) 2 Runtime Environment, Standard Edition (build 1.5.0_10-b03)
Java HotSpot(TM) Client VM (build 1.5.0_10-b03, mixed mode, sharing)
Configuring Application Enablement Services...
Using Tomcat user tomcat5
keytool error: java.io.FileNotFoundException: /opt/coreservices/avaya/certs/CA/avayaprca.crt (No such file or directory)
Copying the common SSL certificate
Secure Store entry successfully made.
Starting tomcat5: [ OK ]
Certificate Management configuration complete.
JAVA_HOME=/usr/java/jdk1.5.0_10/
java version "1.5.0_10"
Java(TM) 2 Runtime Environment, Standard Edition (build 1.5.0_10-b03)
Java HotSpot(TM) Client VM (build 1.5.0_10-b03, mixed mode, sharing)
Starting Application Enablement Services...
Waiting up to 300 seconds for services to start...
Services are offline, waiting 223 seconds
Services are running
Regards,
Claus
NicholasDronen
If the 0-byte certificate and key files existed before you ran the suggested commands, they wouldn't be re-created. Please remove them and re-run those commands.
Regards,
Nick
ClausSuffel
Hi Nicki,
I've tried again, but there's still no success.
The certificate and key files are re-created with 0 Bytes.
Additionally, the directories 'avaya' and 'certmgmt' are not re-created during this test run.
Regards,
Claus
NicholasDronen
Hi, Claus:
Next thing to check is whether there's a PKCS12File XML element in your license file.
Regards,
Nick
ClausSuffel
Yes, there is such an element in the license file.
It is filled with a lot of 'random' characters ;-)
Regards,
Claus
NicholasDronen
Please post the contents of the Notes element that follows the HostID element.
ClausSuffel
<Notes>License generated by the user bill using WebLG (version 4.4) on: Wed Mar 05 06:47:24 PST 2008 ESID: 12345678 SID: 10503000 MID: 1</Notes>
NicholasDronen
Hi, Claus:
This is going to take some real-time investigation. Please click the Request Technical Support link on the left of the page.
Regards,
Nick
ClausSuffel
Hi Nick,
I will open a support request.
Many thanks for your support so far.
Regards,
Claus