From: Branko M. <br...@ma...> - 2014-06-07 11:25:46
On Fri, 6 Jun 2014 23:06:26 +0600
Тимур <tim...@gm...> wrote:
> Hello, dears
>
> I have successfully installed EJBCA 6.1.1, JBoss 7.1.1.Final, openjdk 6,
> Oracle 9.2.0.5, ojdbc6.jar, on Ubuntu Linux ("13.04, Raring Ringtail"). No
> deployment or installation mistakes for this software combination. I have
> successfully created all profiles, added an entity and I have issued my first
> SSL-certificate and written it to a USB HSM with eToken Client. So, I have a
> fully functional EJBCA 6.1.1 at present.
> I have a custom java-application which uses eToken authentication and this
> java-application worked fine with previous version of EJBCA and I need to
> organize connectivity between this java-application and EJBCA. There is a
> parameter for EJBCA URL in java-application config file and I pointed out
> this parameter to "https://10.62.2.88:8443/ejbca".
> Java-application uses jdk cacerts and I imported issued certificate with CA
> certificate of EJBCA to cacerts but no connection yet.
> Checking connectivity to EJBCA by curl utility also gives negative result:
>
> CA-certificate in PEM-format:
>
> [oracle@duo ~]$ curl -v "https://10.62.2.88:8443/ejbca" -E
> /home/oracle/CSR_EJBCA_duo2/certs_x509/duo.cer --key
> /home/oracle/CSR_EJBCA_duo2/duo/duo.teka.kz.key --pass
> welcome123 --cacert /home/oracle/BTAIpotekaCA.cacert.pem
> * About to connect() to 10.62.2.88 port 8443
> * Trying 10.62.2.88... * connected
> * Connected to 10.62.2.88 (10.62.2.88) port 8443
> * successfully set certificate verify locations:
> * CAfile: /home/oracle/BTAIpotekaCA.cacert.pem
> CApath: none
> * SSL certificate problem, verify that the CA cert is OK. Details:
> error:14090086:SSL routines:SSL3_GET_SERVER_CERTIFICATE:certificate verify
> failed
>
> CA-certificate in BASE-64 format:
>
> [oracle@duo ~]$ curl -v "https://10.62.2.88:8443/ejbca" -E
> /home/oracle/CSR_EJBCA_duo2/certs_x509/duo.cer --key
> /home/oracle/CSR_EJBCA_duo2/duo/duo.teka.kz.key --pass
> welcome123 --cacert /home/oracle/BTAIpotekaCA.cacert-base64.cer --sslv3
> --trace-ascii /tmp/curl.log
> curl: (60) SSL certificate problem, verify that the CA cert is OK. Details:
> error:14090086:SSL routines:SSL3_GET_SERVER_CERTIFICATE:certificate verify
> failed
> More details here: http://curl.haxx.se/docs/sslcerts.html
>
> The EJBCA console log contains no records to understand why there is no
> connectivity to EJBCA.
> Could you please help to find out which URL must be used to connect to
> EJBCA for authentication? If "https://10.62.2.88:8443/ejbca" is correct,
> what's the reason for the trouble with the EJBCA connection?
>
> thank you, Timur.
Hello Timur,
The problem you are facing happens during the TLS handshake between the
server and client, where (at least) the client is unable to verify the
certificate presented by JBoss.
Since TLS is handled by JBoss, you won't get any useful logging
messages from EJBCA. In fact, not even JBoss as such will produce any
useful debugging info. You could try enabling debugging of the TLS
handshake via JAVA_OPTS, though.
I've noticed you are using the IP address for connecting to JBoss/EJBCA
- are you sure that you have this IP address specified in your server
certificate (on JBoss)? If not, that is your problem. The IP, FQDN, or
hostname used for connecting has to be part of the subjectAltName DNS name
(or, if no subjectAltName DNS name is present, the CN has to be used).
As a side note, you should avoid using IP addresses in certificates or
for TLS connections in general, and instead rely on the FQDN or hostname,
with the FQDN being the recommended thing to use.
I hope this explanation will help you a bit :)
Best regards
--
Branko Majic
Jabber: br...@ma...
Please use only Free formats when sending attachments to me.
Бранко Мајић
Jabber: br...@ma...
Please send attachments to me only in Free formats.
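The name-matching rule described in the reply above (subjectAltName entries first, CN only as a fallback, and an IP literal only satisfied by an IP-address SAN) is easy to reproduce offline against the dict that Python's `ssl.SSLSocket.getpeercert()` returns. The following is an added example written for this thread; it is not code from EJBCA, JBoss or either poster, and the sample certificate dict (server name `duo.teka.kz`, no IP entry) is a constructed assumption modelled on the names in the thread, not a real certificate from that deployment.

```python
import ipaddress

# Constructed sample in the shape ssl.SSLSocket.getpeercert() returns.
# Assumption: the server certificate carries the host name duo.teka.kz
# (as DNS SAN and CN) but no IP Address SAN, which is what the reply
# above suspects.
SAMPLE_PEER_CERT = {
    "subject": ((("countryName", "KZ"),), (("commonName", "duo.teka.kz"),)),
    "subjectAltName": (("DNS", "duo.teka.kz"), ("DNS", "*.teka.kz")),
}


def _dns_match(pattern, hostname):
    """Case-insensitive DNS name comparison; a leading '*.' covers one label only."""
    pattern = pattern.lower().rstrip(".")
    hostname = hostname.lower().rstrip(".")
    if "*" not in pattern:
        return pattern == hostname
    if not pattern.startswith("*.") or "*" in pattern[2:]:
        return False
    suffix = pattern[2:]
    first, _, rest = hostname.partition(".")
    return bool(first) and rest == suffix


def names_in_cert(cert):
    """Pull (dns_names, ip_addresses, common_names) out of a getpeercert() dict."""
    dns, ips, cns = [], [], []
    for kind, value in cert.get("subjectAltName", ()):
        if kind == "DNS":
            dns.append(value)
        elif kind == "IP Address":
            ips.append(value)
    for rdn in cert.get("subject", ()):
        for attr, value in rdn:
            if attr == "commonName":
                cns.append(value)
    return dns, ips, cns


def check_peer_name(cert, connect_name):
    """Return (ok, reason): is the name typed into the URL covered by the certificate?"""
    dns, ips, cns = names_in_cert(cert)

    # An IP literal in the URL is only satisfied by a subjectAltName IP Address
    # entry; a CN or DNS entry holding the same digits does not count.
    try:
        addr = ipaddress.ip_address(connect_name)
    except ValueError:
        addr = None
    if addr is not None:
        for ip in ips:
            try:
                if ipaddress.ip_address(ip) == addr:
                    return True, f"matched subjectAltName IP Address {ip}"
            except ValueError:
                continue
        return False, (f"{connect_name} is not a subjectAltName IP Address entry; "
                       f"certificate names: DNS={dns} IP={ips} CN={cns}")

    # A host name is compared against the DNS SANs; the CN is consulted only
    # when the certificate has no DNS SAN at all.
    if dns:
        for pattern in dns:
            if _dns_match(pattern, connect_name):
                return True, f"matched subjectAltName DNS {pattern}"
        return False, f"no subjectAltName DNS entry matches {connect_name}: {dns}"
    for cn in cns:
        if _dns_match(cn, connect_name):
            return True, f"matched commonName {cn} (no DNS subjectAltName present)"
    return False, f"no commonName matches {connect_name}: {cns}"


if __name__ == "__main__":
    for name in ("10.62.2.88", "duo.teka.kz"):
        ok, why = check_peer_name(SAMPLE_PEER_CERT, name)
        print(f"{name:>12}: {'OK' if ok else 'MISMATCH'} ({why})")
```

Against the sample certificate, connecting to `10.62.2.88` is reported as a mismatch while `duo.teka.kz` passes, which is the situation the reply describes. The function covers the name comparison only; whether the file given to `--cacert` actually chains to the server certificate is a separate check that a TLS client performs before it compares names.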