
https configuration for OpenAS2Server | ssl handshake issues

2022-05-20
2022-08-15
  • Owais Khalid

    Owais Khalid - 2022-05-20

    We are trying to implement HTTPS for our AS2 server, and here is the list of steps we performed for the configuration:

    1- Registered a domain against our URL/IP address for inbound communication.
    2- Bought an SSL certificate for that domain.
    3- Implemented an nginx reverse proxy to route the traffic from HTTP to HTTPS. (Is this required if we are configuring SSL/HTTPS in AS2?)
    4- Imported the SSL certificate only into the ssl_certs.jks file.
    5- Imported the public/private keys extracted from the SSL certificate into the as2_certs.p12 file.
    6- Updated the as2_url part with https://ourdomain:10443/ in the partnerships.xml file.
    7- Uncommented the AS2ReceiverModule part for HTTPS in the config.xml file.

    With all these steps done, we configured AS2, and while doing a self test it gave us an SSL handshake error, and there is no response from the URL either.
    We tried all the options available in this open platform and in the How To document but didn't have any success.

    Can you please guide us on what we are doing wrong?

     
  • Owais Khalid

    Owais Khalid - 2022-05-20

    Please find below error logs:

    FINE DirectoryPollingModule: processing /myapp/bin/../config/../data/Outbound/PartnerAToPartnerB/997.edi
    FINE MessageBuilderModule: File assigned to message: 997.edi
    FINE AS2SenderModule: message sender invoked
    FINE AS2SenderModule: Save Original mic & message id information into file: /myapp/bin/../config/../data/pendinginfoMDN3/OPENAS2-20052022154304+0000-b33b67ad-17be-48da-abcb-7e57161db86e@partnerA-partnerB
    FINE AS2SenderModule: Connecting to: https://ourdomain/
    ERROR AS2SenderModule: Failed to connect to partner using SSL certificate. Please run the SSL certificate checker utility to identify the issue: https://ourdomain/
    ERROR javax.net.ssl.SSLHandshakeException: sun.security.validator.ValidatorException: PKIX path building failed: sun.security.provider.certpath.SunCertPathBuilderException: unable to find valid certification path to requested target
    at sun.security.ssl.Alert.createSSLException(Alert.java:131)
    at sun.security.ssl.TransportContext.fatal(TransportContext.java:370)
    at sun.security.ssl.TransportContext.fatal(TransportContext.java:313)
    at sun.security.ssl.TransportContext.fatal(TransportContext.java:308)
    at sun.security.ssl.CertificateMessage$T12CertificateConsumer.checkServerCerts(CertificateMessage.java:652)
    at sun.security.ssl.CertificateMessage$T12CertificateConsumer.onCertificate(CertificateMessage.java:471)
    at sun.security.ssl.CertificateMessage$T12CertificateConsumer.consume(CertificateMessage.java:367)
    at sun.security.ssl.SSLHandshake.consume(SSLHandshake.java:376)
    at sun.security.ssl.HandshakeContext.dispatch(HandshakeContext.java:479)
    at sun.security.ssl.HandshakeContext.dispatch(HandshakeContext.java:457)
    at sun.security.ssl.TransportContext.dispatch(TransportContext.java:200)
    at sun.security.ssl.SSLTransport.decode(SSLTransport.java:154)
    at sun.security.ssl.SSLSocketImpl.decode(SSLSocketImpl.java:1290)
    at sun.security.ssl.SSLSocketImpl.readHandshakeRecord(SSLSocketImpl.java:1199)
    at sun.security.ssl.SSLSocketImpl.startHandshake(SSLSocketImpl.java:401)
    at sun.security.ssl.SSLSocketImpl.startHandshake(SSLSocketImpl.java:373)
    at org.apache.http.conn.ssl.SSLConnectionSocketFactory.createLayeredSocket(SSLConnectionSocketFactory.java:396)
    at org.apache.http.conn.ssl.SSLConnectionSocketFactory.connectSocket(SSLConnectionSocketFactory.java:355)
    at org.apache.http.impl.conn.DefaultHttpClientConnectionOperator.connect(DefaultHttpClientConnectionOperator.java:142)
    at org.apache.http.impl.conn.BasicHttpClientConnectionManager.connect(BasicHttpClientConnectionManager.java:325)
    at org.apache.http.impl.execchain.MainClientExec.establishRoute(MainClientExec.java:381)
    at org.apache.http.impl.execchain.MainClientExec.execute(MainClientExec.java:237)
    at org.apache.http.impl.execchain.ProtocolExec.execute(ProtocolExec.java:185)
    at org.apache.http.impl.execchain.RetryExec.execute(RetryExec.java:89)
    at org.apache.http.impl.execchain.RedirectExec.execute(RedirectExec.java:111)
    at org.apache.http.impl.client.InternalHttpClient.doExecute(InternalHttpClient.java:185)
    at org.apache.http.impl.client.CloseableHttpClient.execute(CloseableHttpClient.java:83)
    at org.apache.http.impl.client.CloseableHttpClient.execute(CloseableHttpClient.java:108)
    at org.openas2.util.HTTPUtil.execRequest(HTTPUtil.java:390)
    at org.openas2.processor.sender.AS2SenderModule.sendMessage(AS2SenderModule.java:190)
    at org.openas2.processor.sender.AS2SenderModule.handle(AS2SenderModule.java:128)
    at org.openas2.processor.DefaultProcessor.handle(DefaultProcessor.java:65)
    at org.openas2.processor.receiver.MessageBuilderModule.processDocument(MessageBuilderModule.java:182)
    at org.openas2.processor.receiver.DirectoryPollingModule.processFile(DirectoryPollingModule.java:196)
    at org.openas2.processor.receiver.DirectoryPollingModule.updateTracking(DirectoryPollingModule.java:170)
    at org.openas2.processor.receiver.DirectoryPollingModule.poll(DirectoryPollingModule.java:81)
    at org.openas2.processor.receiver.PollingModule$PollTask.run(PollingModule.java:62)
    at java.util.TimerThread.mainLoop(Timer.java:555)
    at java.util.TimerThread.run(Timer.java:505)
    Caused by: sun.security.validator.ValidatorException: PKIX path building failed: sun.security.provider.certpath.SunCertPathBuilderException: unable to find valid certification path to requested target
    at sun.security.validator.PKIXValidator.doBuild(PKIXValidator.java:439)
    at sun.security.validator.PKIXValidator.engineValidate(PKIXValidator.java:306)
    at sun.security.validator.Validator.validate(Validator.java:271)
    at sun.security.ssl.X509TrustManagerImpl.validate(X509TrustManagerImpl.java:312)
    at sun.security.ssl.X509TrustManagerImpl.checkTrusted(X509TrustManagerImpl.java:221)
    at sun.security.ssl.X509TrustManagerImpl.checkServerTrusted(X509TrustManagerImpl.java:128)
    at sun.security.ssl.CertificateMessage$T12CertificateConsumer.checkServerCerts(CertificateMessage.java:636)
    ... 34 more
    Caused by: sun.security.provider.certpath.SunCertPathBuilderException: unable to find valid certification path to requested target

     
  • Christopher Broderick

    Have you read the information in the OpenAS2HowTo.pdf for configuring SSL? The section "Configuring HTTPS Transport" is dedicated to the SSL configuration.

    HTTPS certificates ONLY go in the ssl_certs.jks file.
    The as2_certs.p12 is ONLY for the AS2 encryption and signing (nothing to do with SSL).
    Mixing them will create confusion, so step 5 in your first post is wrong.

    If you followed the steps you defined above and uncommented the AS2ReceiverModule part for HTTPS in the config.xml file but did not change the port it is set for, then pointing any browser at this URL should at the very least provide a valid connection, but with an HTTP error returned about an invalid request:
    https://ourdomain:10443/
    If you do not want to specify the port in the URL, then you must set the port in the AS2ReceiverModule element to 443 (the default is 10443 in the config.xml).

     
  • Owais Khalid

    Owais Khalid - 2022-05-20

    Hi Christopher, thanks for your response.

    I added my SSL certificate to the ssl_certs.jks file. Can you tell me what public/private keys I should import into the p12 in the HTTPS case?

    I also uncommented that line and put the 10443 port there, as well as in the partnerships.xml file against the as2_url attribute.

    I followed the section provided in the OpenAS2HowTo document but was unsuccessful.

    Is it possible for you to share the steps for getting HTTPS to work in AS2, so that we can start from scratch and succeed in implementing HTTPS?

     
  • Owais Khalid

    Owais Khalid - 2022-05-20

    Just to confirm, I added only my SSL certificate in the JKS keystore.
    And attaching the partnerships and config file so you can review.

    Do let me know if you want to review any other file like jks or p12 files.

     
  • Christopher Broderick

    What version of OpenAS2 are you on? That seems to be quite an old version.

    If you uncomment the default setting with the original SSL certificates provided with the install package, start the OpenAS2 server and then go to this URL with a decent browser like Firefox or alternatively Chrome, you should see the attached screenshot:
    https://localhost:10443/

    If that works, then try replacing the ssl_certs.jks with your own certs.

     
  • Owais Khalid

    Owais Khalid - 2022-05-21

    We are using version 2.9.0.

    Can you confirm what we need to put in the p12 file? We can place the SSL certs in the JKS file, but what public/private key do we need to import into the p12 file?

     
  • Owais Khalid

    Owais Khalid - 2022-05-22

    I tried the most recent OpenAS2Server-3.0.0 version and followed your instructions above. It works as anticipated when run with the install package; however, when I replaced the JKS file with my own SSL certificate, an issue occurred. The error is below:

    javax.net.ssl.SSLHandshakeException: No available authentication scheme
            at sun.security.ssl.Alert.createSSLException(Alert.java:131)
            at sun.security.ssl.Alert.createSSLException(Alert.java:117)
            at sun.security.ssl.TransportContext.fatal(TransportContext.java:314)
            at sun.security.ssl.TransportContext.fatal(TransportContext.java:270)
            at sun.security.ssl.TransportContext.fatal(TransportContext.java:261)
            at sun.security.ssl.CertificateMessage$T13CertificateProducer.onProduceCertificate(CertificateMessage.java:956)
            at sun.security.ssl.CertificateMessage$T13CertificateProducer.produce(CertificateMessage.java:945)
            at sun.security.ssl.SSLHandshake.produce(SSLHandshake.java:420)
            at sun.security.ssl.ClientHello$T13ClientHelloConsumer.goServerHello(ClientHello.java:1100)
            at sun.security.ssl.ClientHello$T13ClientHelloConsumer.consume(ClientHello.java:1034)
            at sun.security.ssl.ClientHello$ClientHelloConsumer.onClientHello(ClientHello.java:716)
            at sun.security.ssl.ClientHello$ClientHelloConsumer.consume(ClientHello.java:683)
            at sun.security.ssl.SSLHandshake.consume(SSLHandshake.java:376)
            at sun.security.ssl.HandshakeContext.dispatch(HandshakeContext.java:451)
            at sun.security.ssl.HandshakeContext.dispatch(HandshakeContext.java:428)
            at sun.security.ssl.TransportContext.dispatch(TransportContext.java:184)
            at sun.security.ssl.SSLTransport.decode(SSLTransport.java:154)
            at sun.security.ssl.SSLSocketImpl.decode(SSLSocketImpl.java:1198)
            at sun.security.ssl.SSLSocketImpl.readHandshakeRecord(SSLSocketImpl.java:1107)
            at sun.security.ssl.SSLSocketImpl.startHandshake(SSLSocketImpl.java:400)
            at sun.security.ssl.SSLSocketImpl.ensureNegotiated(SSLSocketImpl.java:727)
            at sun.security.ssl.SSLSocketImpl.access$200(SSLSocketImpl.java:74)
            at sun.security.ssl.SSLSocketImpl$AppInputStream.read(SSLSocketImpl.java:810)
            at java.io.BufferedInputStream.fill(BufferedInputStream.java:246)
            at java.io.BufferedInputStream.read(BufferedInputStream.java:265)
            at org.openas2.util.HTTPUtil.readRequest(HTTPUtil.java:291)
            at org.openas2.util.HTTPUtil.readHTTP(HTTPUtil.java:166)
            at org.openas2.util.HTTPUtil.readData(HTTPUtil.java:246)
            at org.openas2.processor.receiver.AS2ReceiverHandler.handle(AS2ReceiverHandler.java:102)
            at org.openas2.processor.receiver.NetModule$ConnectionHandler.run(NetModule.java:176)
            at java.util.concurrent.ThreadPoolExecutor.runWorker(ThreadPoolExecutor.java:1149)
            at java.util.concurrent.ThreadPoolExecutor$Worker.run(ThreadPoolExecutor.java:624)
    

    Also, just for the record, I only added my SSL certificate to the JKS and exchanged it with the install package's JKS file.
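The two errors in this thread point at the two different halves of ssl_certs.jks, and a keystore inspection makes both visible. On the sending side, `PKIX path building failed` means the partner's server certificate chain does not lead to any certificate trusted in the sender's keystore. On the receiving side, `No available authentication scheme` is what JSSE reports when the server keystore contains no private-key entry it can authenticate with, which is exactly what a keystore holding only the certificate (a `trustedCertEntry`, no `PrivateKeyEntry`) looks like to the TLS 1.3 server. The class below is an added diagnostic written for this thread, not code from OpenAS2: it loads a JKS, lists each alias as `PrivateKeyEntry` or `trustedCertEntry`, and optionally validates a partner's PEM chain against the keystore's certificates using the same PKIX validator JSSE runs. The keystore path, password and partner-chain file name on the command line are placeholders.

```java
import java.io.FileInputStream;
import java.io.InputStream;
import java.security.KeyStore;
import java.security.cert.CertPathValidator;
import java.security.cert.CertPathValidatorException;
import java.security.cert.Certificate;
import java.security.cert.CertificateFactory;
import java.security.cert.PKIXParameters;
import java.security.cert.TrustAnchor;
import java.security.cert.X509Certificate;
import java.util.ArrayList;
import java.util.Enumeration;
import java.util.HashSet;
import java.util.List;
import java.util.Set;

/** Added diagnostic for an OpenAS2-style ssl_certs.jks (not part of OpenAS2). */
public class SslKeystoreCheck {

    // Usage (placeholder names): java SslKeystoreCheck ssl_certs.jks <password> [partner-chain.pem]
    public static void main(String[] args) throws Exception {
        if (args.length < 2) {
            System.err.println("usage: SslKeystoreCheck <keystore.jks> <password> [partner-chain.pem]");
            System.exit(2);
        }
        KeyStore ks = loadKeystore(args[0], args[1].toCharArray());
        if (!reportEntries(ks)) {
            // Receiving side: without a key entry the HTTPS listener has nothing to present.
            System.out.println("NO PrivateKeyEntry: the HTTPS listener cannot authenticate itself.");
            System.out.println("Import the server certificate together with its private key (e.g. via a PKCS12).");
        }
        if (args.length > 2) {
            // Sending side: does this partner chain validate against what we trust?
            System.out.println("Partner chain check: " + validateAgainstKeystore(readPemChain(args[2]), ks));
        }
    }

    static KeyStore loadKeystore(String path, char[] password) throws Exception {
        KeyStore ks = KeyStore.getInstance("JKS"); // ssl_certs.jks is a JKS keystore
        try (InputStream in = new FileInputStream(path)) {
            ks.load(in, password);
        }
        return ks;
    }

    /** Prints each alias with its entry type; returns true if at least one private key exists. */
    static boolean reportEntries(KeyStore ks) throws Exception {
        boolean hasKey = false;
        for (Enumeration<String> e = ks.aliases(); e.hasMoreElements();) {
            String alias = e.nextElement();
            if (ks.isKeyEntry(alias)) {
                hasKey = true;
                Certificate[] chain = ks.getCertificateChain(alias);
                System.out.printf("%s: PrivateKeyEntry, chain length %d, subject %s%n", alias,
                        chain.length, ((X509Certificate) chain[0]).getSubjectX500Principal());
            } else {
                X509Certificate c = (X509Certificate) ks.getCertificate(alias);
                System.out.printf("%s: trustedCertEntry, subject %s%n", alias, c.getSubjectX500Principal());
            }
        }
        return hasKey;
    }

    /** Reads one or more concatenated PEM certificates (leaf first, as a server would send them). */
    static List<X509Certificate> readPemChain(String path) throws Exception {
        CertificateFactory cf = CertificateFactory.getInstance("X.509");
        List<X509Certificate> chain = new ArrayList<>();
        try (InputStream in = new FileInputStream(path)) {
            for (Certificate c : cf.generateCertificates(in)) {
                chain.add((X509Certificate) c);
            }
        }
        return chain;
    }

    /**
     * Same PKIX validation JSSE performs before reporting "PKIX path building failed":
     * every certificate in the keystore is a trust anchor. Returns "OK" or the failure reason.
     */
    static String validateAgainstKeystore(List<X509Certificate> chain, KeyStore ks) throws Exception {
        Set<TrustAnchor> anchors = new HashSet<>();
        Set<X509Certificate> anchorCerts = new HashSet<>();
        for (Enumeration<String> e = ks.aliases(); e.hasMoreElements();) {
            Certificate c = ks.getCertificate(e.nextElement());
            if (c instanceof X509Certificate) {
                anchors.add(new TrustAnchor((X509Certificate) c, null));
                anchorCerts.add((X509Certificate) c);
            }
        }
        if (anchors.isEmpty()) {
            return "FAILED: keystore holds no certificates to trust";
        }
        // The validated path must stop just below the anchor, so strip any trailing trusted certs.
        List<X509Certificate> path = new ArrayList<>(chain);
        while (!path.isEmpty() && anchorCerts.contains(path.get(path.size() - 1))) {
            path.remove(path.size() - 1);
        }
        if (path.isEmpty()) {
            return "OK (the partner certificate itself is a trusted entry)";
        }
        PKIXParameters params = new PKIXParameters(anchors);
        params.setRevocationEnabled(false); // offline check; enable when CRL/OCSP access exists
        try {
            CertPathValidator.getInstance("PKIX")
                    .validate(CertificateFactory.getInstance("X.509").generateCertPath(path), params);
            return "OK";
        } catch (CertPathValidatorException ex) {
            return "FAILED: " + ex.getMessage() + " (import the issuing CA or the partner cert into ssl_certs.jks)";
        }
    }
}
```

A keystore that lists only `trustedCertEntry` lines reproduces the 3.0.0 error above: the receiver can trust partners but cannot prove its own identity. The fix on that side is to import the server certificate and its private key as one entry (a PKCS12 bundle converted with keytool does this), while the sender-side PKIX failure is cleared by adding the partner's CA chain, or the partner certificate itself, as a trusted entry.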

     
  • Christopher Broderick

    Did you get this working?

     
