ClausSuffel
Joined: Nov 12, 2013
Messages: 12
Hello,

After upgrading AES from 4.0.1 to 4.1, our DMCC application is no longer able to connect via secured port 4722.
Connection to port 4721 still works fine.

Our application comes up with java.net.ConnectException: Connection refused: connect.

In the error log file of the AES, we can find the following entry:

09:58:14 ERROR:CRITICAL:TSAPI:TSERVER:InitSslContext.cpp/195 10 Unable to set the certificate chain file to "/etc/opt/avaya/certs/private/serverCert.pem" for SSL. (error:0906D06C:PEM routines:PEM_read_bio:no start line). Encrypted client connections will not be available.

Both files 'serverCert.pem' and 'serverKey.pem' have size 0 Bytes.

On the client side, we are using the certificate file 'avaya.jks' that comes with DMCC Java API:

What might be the reason for our connection problems to the secured port?

Regards,
Claus Suffel

NicholasDronen
Joined: Feb 12, 2007
Messages: 0
Hi, Claus:

The connection is being refused because the DMCC isn't listening on that port. It's not listening on that port because it can't set up SSL/TLS, and the reason it can't set up SSL/TLS is that the certificate and key files are empty. To get your application up and running, I would remove those files, double-check that your license file is installed, then restart the server. The files should appear again, not empty this time, and you should be able to connect again. Please try that and post an update.

Regards,

Nick
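The causal chain Nick describes (connection refused because nothing listens, nothing listens because SSL setup failed, SSL setup failed because the PEM files are empty) can be verified on the files before restarting anything. The following is an added example, not code from this thread or from Avaya: a small Python checker that reproduces the condition behind OpenSSL's `PEM_read_bio:no start line` error, run over constructed sample inputs (the base64 body in the sample is a placeholder, not a real certificate).

```python
import base64
import binascii
import re
from typing import NamedTuple

BEGIN_RE = re.compile(r"^-----BEGIN ([A-Z0-9 ]+)-----$")
END_RE = re.compile(r"^-----END ([A-Z0-9 ]+)-----$")

class PemCheck(NamedTuple):
    ok: bool
    reason: str
    labels: tuple  # PEM block labels found, e.g. ("CERTIFICATE",)

def check_pem(data: bytes) -> PemCheck:
    """Mirror what OpenSSL's PEM_read_bio needs: at least one well-formed
    '-----BEGIN x----- ... -----END x-----' block with a base64 body. A file
    with no BEGIN line yields OpenSSL's 'no start line'; a 0-byte file (the
    case in this thread) is the most common way to get there."""
    if not data:
        return PemCheck(False, "file is empty (0 bytes)", ())
    lines = [ln.strip() for ln in data.decode("ascii", "replace").splitlines()]
    labels, i = [], 0
    while i < len(lines):
        begin = BEGIN_RE.match(lines[i])
        i += 1
        if not begin:
            continue
        label, body = begin.group(1), []
        while i < len(lines) and not END_RE.match(lines[i]):
            body.append(lines[i])
            i += 1
        if i == len(lines) or END_RE.match(lines[i]).group(1) != label:
            return PemCheck(False, f"BEGIN {label} has no matching END", ())
        i += 1
        try:  # validate=True rejects non-base64 characters; an empty body is rejected too
            if not base64.b64decode("".join(body), validate=True):
                raise binascii.Error("empty body")
        except binascii.Error:
            return PemCheck(False, f"{label} block body is not valid base64", ())
        labels.append(label)
    if not labels:
        return PemCheck(False, "no start line (no -----BEGIN marker found)", ())
    return PemCheck(True, "ok", tuple(labels))

# Constructed samples: the empty file seen in this thread, a well-formed PEM whose
# base64 body is a placeholder (not a real certificate), and a headerless file.
EMPTY_PEM = b""
GOOD_PEM = b"-----BEGIN CERTIFICATE-----\nAAECAwQ=\n-----END CERTIFICATE-----\n"
HEADERLESS_PEM = b"AAECAwQ=\n"
```

To check the server's real files, read `serverCert.pem` and `serverKey.pem` as bytes and pass them to `check_pem`; a `reason` of "file is empty (0 bytes)" corresponds exactly to the state reported in the first post.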
ClausSuffel
Joined: Nov 12, 2013
Messages: 12
Hi Nicki,

I've removed the empty certificate and key files and restarted the server. Unfortunately, both files do not appear again.

Our license file is already installed successfully.

Any ideas?

Regards,
Claus
NicholasDronen
Joined: Feb 12, 2007
Messages: 0
Do you see any errors pertaining to those files in mvap-trace.log.0?

Regards,

Nick
ClausSuffel
Joined: Nov 12, 2013
Messages: 12
Hi Nicki,

I've checked the mvap-trace.log.0 and found the following entries:

2008-03-19 09.37.59,257 com.avaya.main.Main main
WARNING: Unable to extract certificates from license file: failed to decrypt safe contents entry: javax.crypto.BadPaddingException: Given final block not properly padded
2008-03-19 09.37.59,259 com.avaya.main.Main main
WARNING: SSL connections may fail.
...
2008-03-19 09.39.27,975 com.avaya.common.certmgt.PKCS12Utility readPassword
WARNING: StoreException when reading /opt/coreservices/certmgmt/passwordStore.str for alias No alias: Error Code: 102 Message :No such data name found for the given app name Cause :null
2008-03-19 09.39.28,506 com.avaya.mvcs.proxy.ClientProxyServiceImpl createSecureServerChannel
WARNING: Could not open the encrypted ServerChannel
java.io.IOException: failed to decrypt safe contents entry: javax.crypto.BadPaddingException: Given final block not properly padded
...
2008-03-19 09.39.28,907 com.avaya.mvcs.proxy.ClientProxyServiceImpl createSecureServerChannel
WARNING: Could not open the encrypted ServerChannel

Could there be a corruption in the license file provided by Avaya?

Regards,
Claus

NicholasDronen
Joined: Feb 12, 2007
Messages: 0
Hi, Claus:

This looks to me like a problem with passwordStore.str, not the license file, so let's try this:

# service mvap stop
# cd /opt/coreservices
# mv avaya avaya.bak
# mv certmgmt certmgmt.bak
# service mvap start

Let me know how that goes. I expect it to work, but if it doesn't, we can look at the license file as well. If the certificate and key files appear after restarting mvap, then you can remove the avaya.bak and certmgmt.bak directories, as the original directories will have been recreated for you.

Regards,

Nick
ClausSuffel
Joined: Nov 12, 2013
Messages: 12
Hi Nicki,

After performing the described steps, AES still rejects secured connections.

Also, there's no change in the files 'serverCert.pem' and 'serverKey.pem'. They still contain 0 Bytes.

Here's what mvap displayed during startup:

[root@AESSERVER coreservices]# [root@AESSERVER coreservices]# service mvap start
java version "1.5.0_10"
Java(TM) 2 Runtime Environment, Standard Edition (build 1.5.0_10-b03)
Java HotSpot(TM) Client VM (build 1.5.0_10-b03, mixed mode, sharing)

Configuring Application Enablement Services...
Using Tomcat user tomcat5
keytool error: java.io.FileNotFoundException: /opt/coreservices/avaya/certs/CA/avayaprca.crt (No such file or directory)
Copying the common SSL certificate
Secure Store entry successfully made.
Starting tomcat5: [ OK ]
Certificate Management configuration complete.
JAVA_HOME=/usr/java/jdk1.5.0_10/
java version "1.5.0_10"
Java(TM) 2 Runtime Environment, Standard Edition (build 1.5.0_10-b03)
Java HotSpot(TM) Client VM (build 1.5.0_10-b03, mixed mode, sharing)
Starting Application Enablement Services...
Waiting up to 300 seconds for services to start...
Services are offline, waiting 223 seconds
Services are running

Regards,
Claus
NicholasDronen
Joined: Feb 12, 2007
Messages: 0
If the 0-byte certificate and key files existed before you ran the suggested commands, they wouldn't be re-created. Please remove them and re-run those commands.

Regards,

Nick
ClausSuffel
Joined: Nov 12, 2013
Messages: 12
Hi Nicki,

I've tried again, but there's still no success.

The certificate and key files are re-created with 0 Bytes.

Additionally, the directories 'avaya' and 'certmgmt' are not re-created during this test run.

Regards,
Claus
NicholasDronen
Joined: Feb 12, 2007
Messages: 0
Hi, Claus:

Next thing to check is whether there's a PKCS12File XML element in your license file.

Regards,

Nick
ClausSuffel
Joined: Nov 12, 2013
Messages: 12
Yes, there is such an element in the license file.
It is filled with a lot of 'random' characters ;-)

Regards,
Claus
NicholasDronen
Joined: Feb 12, 2007
Messages: 0
Please post the contents of the Notes element that follows the HostID element.
ClausSuffel
Joined: Nov 12, 2013
Messages: 12
<Notes>License generated by the user bill using WebLG (version 4.4) on: Wed Mar 05 06:47:24 PST 2008 ESID: 12345678 SID: 10503000 MID: 1</Notes>
NicholasDronen
Joined: Feb 12, 2007
Messages: 0
Hi, Claus:

This is going to take some real-time investigation. Please click the Request Technical Support link on the left of the page.

Regards,

Nick
ClausSuffel
Joined: Nov 12, 2013
Messages: 12
Hi Nick,

I will open a support request.

Many thanks for your support so far.

Regards,
Claus