BrunoHaas2
Joined: Feb 5, 2009
Messages: 40
Offline
Hi,
We have a DMCC application which has been working fine on the Avaya Lab and at a customer site. However, today when we deployed it to a new customer, we got these errors:

Jan 08, 2016 4:50:37 PM com.avaya.mvap.svcproxy.prov.RemoteServiceProvider initServiceProviderImpl
INFO: CMAPI SERVER IP=10.102.5.205: CMAPI SERVER PORT=4722
Jan 08, 2016 4:50:37 PM com.avaya.common.nio.managed.tlsImpl.TLSHandshakeHandler handleRead
WARNING: java.nio.channels.SocketChannel[connected local=/10.101.4.24:48480 remote=/10.102.5.205:4722]: exception when handshaking:
javax.net.ssl.SSLHandshakeException: General SSLEngine problem
at sun.security.ssl.Handshaker.checkThrown(Unknown Source)
at sun.security.ssl.SSLEngineImpl.checkTaskThrown(Unknown Source)
at sun.security.ssl.SSLEngineImpl.writeAppRecord(Unknown Source)
at sun.security.ssl.SSLEngineImpl.wrap(Unknown Source)
at javax.net.ssl.SSLEngine.wrap(Unknown Source)
at com.avaya.common.nio.managed.tlsImpl.TLSHandshakeHandler.handleNeedWrap(TLSHandshakeHandler.java:232)
at com.avaya.common.nio.managed.tlsImpl.TLSHandshakeHandler.handleRead(TLSHandshakeHandler.java:141)
at com.avaya.common.nio.managed.defaultImpl.DelegatingWritableReadChannelHandler.handleRead(DelegatingWritableReadChannelHandler.java:89)
at com.avaya.common.nio.channels.defaultImpl.DefaultChannelServicer.serviceChannels(DefaultChannelServicer.java:343)
at com.avaya.common.nio.channels.defaultImpl.SingleThreadedSocketChannelDaemon.run(SingleThreadedSocketChannelDaemon.java:109)
at java.lang.Thread.run(Unknown Source)
Caused by: javax.net.ssl.SSLHandshakeException: General SSLEngine problem
at sun.security.ssl.Alerts.getSSLException(Unknown Source)
at sun.security.ssl.SSLEngineImpl.fatal(Unknown Source)
at sun.security.ssl.Handshaker.fatalSE(Unknown Source)
at sun.security.ssl.Handshaker.fatalSE(Unknown Source)
at sun.security.ssl.ClientHandshaker.serverCertificate(Unknown Source)
at sun.security.ssl.ClientHandshaker.processMessage(Unknown Source)
at sun.security.ssl.Handshaker.processLoop(Unknown Source)
at sun.security.ssl.Handshaker$1.run(Unknown Source)
at sun.security.ssl.Handshaker$1.run(Unknown Source)
at java.security.AccessController.doPrivileged(Native Method)
at sun.security.ssl.Handshaker$DelegatedTask.run(Unknown Source)
at com.avaya.common.nio.managed.tlsImpl.TLSHandshakeHandler.handleTasks(TLSHandshakeHandler.java:176)
at com.avaya.common.nio.managed.tlsImpl.TLSHandshakeHandler.handleNeedUnwrap(TLSHandshakeHandler.java:216)
at com.avaya.common.nio.managed.tlsImpl.TLSHandshakeHandler.handleRead(TLSHandshakeHandler.java:135)
... 4 more
Caused by: sun.security.validator.ValidatorException: PKIX path building failed: sun.security.provider.certpath.SunCertPathBuilderException: unable to find valid certification path to requested target
at sun.security.validator.PKIXValidator.doBuild(Unknown Source)
at sun.security.validator.PKIXValidator.engineValidate(Unknown Source)
at sun.security.validator.Validator.validate(Unknown Source)
at sun.security.ssl.X509TrustManagerImpl.validate(Unknown Source)
at sun.security.ssl.X509TrustManagerImpl.checkTrusted(Unknown Source)
at sun.security.ssl.X509TrustManagerImpl.checkServerTrusted(Unknown Source)
... 14 more
Caused by: sun.security.provider.certpath.SunCertPathBuilderException: unable to find valid certification path to requested target
at sun.security.provider.certpath.SunCertPathBuilder.engineBuild(Unknown Source)
at java.security.cert.CertPathBuilder.build(Unknown Source)
... 20 more

Jan 08, 2016 4:50:37 PM com.avaya.mvcs.proxy.ClientProxy connect
WARNING:
java.io.IOException: javax.net.ssl.SSLHandshakeException: General SSLEngine problem
at com.avaya.common.nio.managed.tlsImpl.TLSTCPChannel.connect(TLSTCPChannel.java:106)
at com.avaya.common.nio.managed.tlsImpl.TLSChannelProvider.openTCPChannel(TLSChannelProvider.java:88)
at com.avaya.mvcs.proxy.ClientProxy.connect(ClientProxy.java:420)
at com.avaya.mvcs.proxy.ClientProxy.<init>(ClientProxy.java:267)
at com.avaya.mvap.svcproxy.prov.RemoteServiceProvider.initServiceProviderImpl(RemoteServiceProvider.java:197)
at com.avaya.mvap.svcproxy.prov.ServiceProviderBuilder.getCmapiServiceProvider(ServiceProviderBuilder.java:192)
at com.avaya.mvap.svcproxy.prov.ServiceProviderBuilder.getServiceProviderType(ServiceProviderBuilder.java:177)
at com.avaya.mvap.svcproxy.prov.ServiceProviderBuilder.getServiceProviderImpl(ServiceProviderBuilder.java:112)
at com.avaya.cmapi.ServiceProvider.getCmapiServiceProvider(ServiceProvider.java:404)
at com.avaya.cmapi.ServiceProvider.getServiceProvider(ServiceProvider.java:390)
at myPackage.OrkDmcc.Initialization(OrkDmcc.java:152)
at myPackage.OrkDmcc.main(OrkDmcc.java:68)

2016-01-08 16:50:37,653 OrkDmcc ERROR - Initialization falied
1732 [main] ERROR OrkDmcc - Initialization falied
java.lang.RuntimeException: java.io.IOException: java.io.IOException: javax.net.ssl.SSLHandshakeException: General SSLEngine problem
at com.avaya.mvap.svcproxy.prov.ServiceProviderBuilder.getCmapiServiceProvider(ServiceProviderBuilder.java:198)
at com.avaya.mvap.svcproxy.prov.ServiceProviderBuilder.getServiceProviderType(ServiceProviderBuilder.java:177)
at com.avaya.mvap.svcproxy.prov.ServiceProviderBuilder.getServiceProviderImpl(ServiceProviderBuilder.java:112)
at com.avaya.cmapi.ServiceProvider.getCmapiServiceProvider(ServiceProvider.java:404)
at com.avaya.cmapi.ServiceProvider.getServiceProvider(ServiceProvider.java:390)
at myPackage.OrkDmcc.Initialization(OrkDmcc.java:152)
at myPackage.OrkDmcc.main(OrkDmcc.java:68)
Caused by: java.io.IOException: java.io.IOException: javax.net.ssl.SSLHandshakeException: General SSLEngine problem
at com.avaya.mvcs.proxy.ClientProxy.connect(ClientProxy.java:423)
at com.avaya.mvcs.proxy.ClientProxy.<init>(ClientProxy.java:267)
at com.avaya.mvap.svcproxy.prov.RemoteServiceProvider.initServiceProviderImpl(RemoteServiceProvider.java:197)
at com.avaya.mvap.svcproxy.prov.ServiceProviderBuilder.getCmapiServiceProvider(ServiceProviderBuilder.java:192)
... 6 more


We have avaya.jks in place, and the md5sum exactly matches the jks file from the latest SDK download.
Please advise us how to resolve this issue.
Thanks
MakarandBhalekar
Joined: Oct 24, 2013
Messages: 22
Offline
Hi,

It is quite possible that your new customer is using their own custom certificate instead of the Avaya provided default one.

In fact, in release 6.x users were encouraged to change the default Avaya provided certificates by means of warning messages in the documentation and on the OAM web page of AES.

In AES 7.0, there is a change in the default server certificate that is pre-installed on the AES which drives users to change the default certificates.

You can find the How to Guide and some additional information at the link below.

http://www.devconnectprogram.com/site/global/products_resources/avaya_aura_application_enablement_services/releases/7_0/certificate_update.gsp

Regards,
Mak
BrunoHaas2
Joined: Feb 5, 2009
Messages: 40
Offline
Hi,
I followed the instructions to import the customer key to avaya.jks and it seems to work.
However, after successfully creating a request to register a device, the registration failed with error 2001. As suggested on another thread, we configured CLAN and H323 Gatekeeper properly, but it's still not working. Looking into AES' dmcc error log, we got this:
2016-01-20 12.26.55,906 gov.nist.core.LogWriter logError
WARNING: gov.nist.javax.sip.stack.TLSMessageProcessor.sslHandshake(TLSMessageProcessor.java:364) [Close the socket, because the client certificate is invalid or can not find CN on the authorized host list]
2016-01-20 12.26.55,906 gov.nist.core.LogWriter logError
WARNING: Problem Accepting Connection
java.security.cert.CertificateException: javax.net.ssl.SSLPeerUnverifiedException: peer not authenticated
at gov.nist.javax.sip.stack.TLSPeerValidator.<init>(TLSPeerValidator.java:133)
at gov.nist.javax.sip.stack.TLSMessageProcessor.sslHandshake(TLSMessageProcessor.java:337)
at gov.nist.javax.sip.stack.TLSMessageProcessor.access$000(TLSMessageProcessor.java:73)
at gov.nist.javax.sip.stack.TLSMessageProcessor$BackoffTask.run(TLSMessageProcessor.java:501)
at java.util.TimerThread.mainLoop(Timer.java:512)
at java.util.TimerThread.run(Timer.java:462)
Caused by: javax.net.ssl.SSLPeerUnverifiedException: peer not authenticated
at com.sun.net.ssl.internal.ssl.SSLSessionImpl.getPeerCertificates(SSLSessionImpl.java:345)
at gov.nist.javax.sip.stack.TLSPeerValidator.<init>(TLSPeerValidator.java:131)

Thanks
MakarandBhalekar
Joined: Oct 24, 2013
Messages: 22
Offline
Hi,

Check if DMCC is set for Host authentication under security-->Host AA.
Otherwise, it may be that when you imported the CA, the chain of trust was not established.

If these points don't help, I would suggest you open a DevConnect technical support ticket as it would need deeper investigation.

Regards,
Mak
BrunoHaas2
Joined: Feb 5, 2009
Messages: 40
Offline
Hi,
I encountered this issue again, this time working with your Avaya Remote Lab.
I used the same avaya.jks from the SDK. How can I obtain the certificate from the remote lab? I only see that you provide a certificate for SIP phone, which I don't really need here. My OneX can connect fine with H323 phone. I also tried to retrieve the certificate directly from the AES server on port 4722 but was not successful.
MartinFlynn
Joined: Nov 30, 2009
Messages: 1922
Online
The default certificate will probably not work with the remote labs as they are most likely on release 7.0. You will need to get the correct CA certificate from AE Services and install it into your Java keystore.

The following link is to a white paper which, I think, contains all the information you should need.

http://www.devconnectprogram.com/fileMedia/download/a4a2e2f9-3268-415b-840f-7776117be8ac

If this does not fix your problem, I suggest you open a Remote Lab support ticket for more help as this thread is probably not monitored by the lab managers.

Martin
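
The "unable to find valid certification path" failure and its fix, reproduced offline as an added example (not code from the posters or from Avaya). Throwaway certificates stand in for the CA in the SDK's default keystore and for the CA that actually issued the server certificate; the names default-ca, customer-ca and aes.example.test are constructed, and openssl is assumed to be installed.

```bash
#!/usr/bin/env bash
# Constructed demo: a server certificate validates only against the CA that issued it.
set -u
WORK=$(mktemp -d)
trap 'rm -rf "$WORK"' EXIT

# make_ca NAME: self-signed CA certificate (a trust anchor)
make_ca() {
  openssl req -x509 -newkey rsa:2048 -nodes -days 2 -subj "/CN=$1" \
    -keyout "$WORK/$1.key" -out "$WORK/$1.pem" 2>/dev/null
}

# make_server CA CN: server certificate for CN, issued by CA
make_server() {
  openssl req -newkey rsa:2048 -nodes -subj "/CN=$2" \
    -keyout "$WORK/$2.key" -out "$WORK/$2.csr" 2>/dev/null
  openssl x509 -req -in "$WORK/$2.csr" -CA "$WORK/$1.pem" -CAkey "$WORK/$1.key" \
    -CAcreateserial -days 2 -out "$WORK/$2.pem" 2>/dev/null
}

# trusts ANCHOR CERT: exit 0 only if CERT chains to ANCHOR,
# the same question the Java PKIX validator asks of the truststore
trusts() {
  openssl verify -CAfile "$WORK/$1.pem" "$WORK/$2.pem" >/dev/null 2>&1
}

# issuer_of CERT: prints the issuer DN, i.e. the CA the truststore must contain
issuer_of() {
  openssl x509 -in "$WORK/$1.pem" -noout -issuer
}

make_ca default-ca                        # stand-in: CA shipped in the SDK keystore
make_ca customer-ca                       # stand-in: CA the site installed instead
make_server customer-ca aes.example.test  # certificate the server presents

for anchor in default-ca customer-ca; do
  if trusts "$anchor" aes.example.test; then
    echo "$anchor: chain OK"
  else
    echo "$anchor: no valid certification path"
  fi
done
issuer_of aes.example.test

# Real-world equivalent of the passing case: import the issuing CA into the
# client truststore, e.g.
#   keytool -importcert -alias customer-ca -file customer-ca.pem -keystore avaya.jks
```

A matching md5sum on avaya.jks only shows the file is the unmodified SDK keystore; it says nothing about whether the CA that signed the server's certificate is in it.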