MyOSCAR Auto-login fails
open source web-based Electronic Medical Record (EMR) system
Can you document a bit more about the issue? It works for me on my local machine to the maple server.
On the demo server with the new oscar 14, I'm seeing this error in the logs. I had the same problem with my fax server and found there is a bug in Java 7 with the Diffie-Hellman hash code. Once I specified the cipher for tomcat to use as TLS_RSA_WITH_AES_256_CBC_SHA everything works well.
2014-09-17 15:26:07,984 ERROR [MyOscarUtils:190] Error attempting auto-myoscar login
javax.xml.ws.WebServiceException: org.apache.cxf.service.factory.ServiceConstructionException: Failed to create service.
at org.apache.cxf.jaxws.ServiceImpl.<init>(ServiceImpl.java:149)
at org.apache.cxf.jaxws.spi.ProviderImpl.createServiceDelegate(ProviderImpl.java:98)
at javax.xml.ws.Service.<init>(Service.java:77)
at org.oscarehr.myoscar_server.ws.LoginWsService.<init>(Unknown Source)
at org.oscarehr.myoscar.client.ws_manager.MyOscarServerWebServicesManager.getLoginWs(MyOscarServerWebServicesManager.java:125)
at org.oscarehr.myoscar.client.ws_manager.AccountManager.login(AccountManager.java:163)
at org.oscarehr.phr.util.MyOscarUtils.attemptMyOscarAutoLoginIfNotAlreadyLoggedIn(MyOscarUtils.java:173)
at org.oscarehr.phr.util.MyOscarUtils$1.run(MyOscarUtils.java:121)
at java.util.concurrent.Executors$RunnableAdapter.call(Executors.java:471)
at java.util.concurrent.FutureTask.run(FutureTask.java:262)
at java.util.concurrent.ThreadPoolExecutor.runWorker(ThreadPoolExecutor.java:1145)
at java.util.concurrent.ThreadPoolExecutor$Worker.run(ThreadPoolExecutor.java:615)
at java.lang.Thread.run(Thread.java:745)
Caused by: org.apache.cxf.service.factory.ServiceConstructionException: Failed to create service.
at org.apache.cxf.wsdl11.WSDLServiceFactory.<init>(WSDLServiceFactory.java:100)
at org.apache.cxf.jaxws.ServiceImpl.initializePorts(ServiceImpl.java:199)
at org.apache.cxf.jaxws.ServiceImpl.<init>(ServiceImpl.java:147)
... 12 more
Caused by: javax.wsdl.WSDLException: WSDLException: faultCode=PARSER_ERROR: Problem parsing 'https://maple.myoscar.org:8443/myoscar_server//ws/LoginService?wsdl'.: javax.net.ssl.SSLException: java.lang.RuntimeException: Could not generate DH keypair
at com.ibm.wsdl.xml.WSDLReaderImpl.getDocument(Unknown Source)
at com.ibm.wsdl.xml.WSDLReaderImpl.readWSDL(Unknown Source)
at com.ibm.wsdl.xml.WSDLReaderImpl.readWSDL(Unknown Source)
at org.apache.cxf.wsdl11.WSDLManagerImpl.loadDefinition(WSDLManagerImpl.java:262)
at org.apache.cxf.wsdl11.WSDLManagerImpl.getDefinition(WSDLManagerImpl.java:205)
at org.apache.cxf.wsdl11.WSDLServiceFactory.<init>(WSDLServiceFactory.java:98)
... 14 more
Caused by: javax.net.ssl.SSLException: java.lang.RuntimeException: Could not generate DH keypair
at sun.security.ssl.Alerts.getSSLException(Alerts.java:208)
at sun.security.ssl.SSLSocketImpl.fatal(SSLSocketImpl.java:1884)
at sun.security.ssl.SSLSocketImpl.fatal(SSLSocketImpl.java:1842)
at sun.security.ssl.SSLSocketImpl.handleException(SSLSocketImpl.java:1825)
at sun.security.ssl.SSLSocketImpl.startHandshake(SSLSocketImpl.java:1346)
at sun.security.ssl.SSLSocketImpl.startHandshake(SSLSocketImpl.java:1323)
at sun.net.www.protocol.https.HttpsClient.afterConnect(HttpsClient.java:563)
at sun.net.www.protocol.https.AbstractDelegateHttpsURLConnection.connect(AbstractDelegateHttpsURLConnection.java:185)
at sun.net.www.protocol.http.HttpURLConnection.getInputStream(HttpURLConnection.java:1300)
at sun.net.www.protocol.https.HttpsURLConnectionImpl.getInputStream(HttpsURLConnectionImpl.java:254)
at org.apache.xerces.impl.XMLEntityManager.setupCurrentEntity(Unknown Source)
at org.apache.xerces.impl.XMLVersionDetector.determineDocVersion(Unknown Source)
at org.apache.xerces.parsers.XML11Configuration.parse(Unknown Source)
at org.apache.xerces.parsers.XML11Configuration.parse(Unknown Source)
at org.apache.xerces.parsers.XMLParser.parse(Unknown Source)
at org.apache.xerces.parsers.DOMParser.parse(Unknown Source)
at org.apache.xerces.jaxp.DocumentBuilderImpl.parse(Unknown Source)
... 20 more
Caused by: java.lang.RuntimeException: Could not generate DH keypair
at sun.security.ssl.ECDHCrypt.<init>(ECDHCrypt.java:80)
at sun.security.ssl.ClientHandshaker.serverKeyExchange(ClientHandshaker.java:632)
at sun.security.ssl.ClientHandshaker.processMessage(ClientHandshaker.java:218)
at sun.security.ssl.Handshaker.processLoop(Handshaker.java:868)
at sun.security.ssl.Handshaker.process_record(Handshaker.java:804)
at sun.security.ssl.SSLSocketImpl.readRecord(SSLSocketImpl.java:1016)
at sun.security.ssl.SSLSocketImpl.performInitialHandshake(SSLSocketImpl.java:1312)
at sun.security.ssl.SSLSocketImpl.startHandshake(SSLSocketImpl.java:1339)
... 32 more
Caused by: java.security.InvalidAlgorithmParameterException: parameter object not a ECParameterSpec
at org.bouncycastle.jce.provider.JDKKeyPairGenerator$EC.initialize(Unknown Source)
at sun.security.ssl.ECDHCrypt.<init>(ECDHCrypt.java:75)
... 39 more
I've discussed this error with Jay and Ted but no resolution was agreed upon.
I'll drop this from a 9. I think flagging that the app is unusable is probably too strong.
I've been playing with ciphers, trying to eliminate the Diffie-Hellman ciphers, but to no avail.
Here's the stack trace again
2014-10-29 12:11:35,954 ERROR [MyOscarUtils:190] Error attempting auto-myoscar login
javax.xml.ws.WebServiceException: org.apache.cxf.service.factory.ServiceConstructionException: Failed to create service.
at org.apache.cxf.jaxws.ServiceImpl.<init>(ServiceImpl.java:149)
at org.apache.cxf.jaxws.spi.ProviderImpl.createServiceDelegate(ProviderImpl.java:98)
at javax.xml.ws.Service.<init>(Service.java:77)
at org.oscarehr.myoscar_server.ws.LoginWsService.<init>(Unknown Source)
at org.oscarehr.myoscar.client.ws_manager.MyOscarServerWebServicesManager.getLoginWs(MyOscarServerWebServicesManager.java:125)
at org.oscarehr.myoscar.client.ws_manager.AccountManager.login(AccountManager.java:163)
at org.oscarehr.phr.util.MyOscarUtils.attemptMyOscarAutoLoginIfNotAlreadyLoggedIn(MyOscarUtils.java:173)
at org.oscarehr.phr.util.MyOscarUtils$1.run(MyOscarUtils.java:121)
at java.util.concurrent.Executors$RunnableAdapter.call(Executors.java:471)
at java.util.concurrent.FutureTask.run(FutureTask.java:262)
at java.util.concurrent.ThreadPoolExecutor.runWorker(ThreadPoolExecutor.java:1145)
at java.util.concurrent.ThreadPoolExecutor$Worker.run(ThreadPoolExecutor.java:615)
at java.lang.Thread.run(Thread.java:745)
Caused by: org.apache.cxf.service.factory.ServiceConstructionException: Failed to create service.
at org.apache.cxf.wsdl11.WSDLServiceFactory.<init>(WSDLServiceFactory.java:100)
at org.apache.cxf.jaxws.ServiceImpl.initializePorts(ServiceImpl.java:199)
at org.apache.cxf.jaxws.ServiceImpl.<init>(ServiceImpl.java:147)
... 12 more
Caused by: javax.wsdl.WSDLException: WSDLException: faultCode=PARSER_ERROR: Problem parsing 'https://maple.myoscar.org:8443/myoscar_server//ws/LoginService?wsdl'.: javax.net.ssl.SSLException: java.lang.RuntimeException: Could not generate DH keypair
at com.ibm.wsdl.xml.WSDLReaderImpl.getDocument(Unknown Source)
at com.ibm.wsdl.xml.WSDLReaderImpl.readWSDL(Unknown Source)
at com.ibm.wsdl.xml.WSDLReaderImpl.readWSDL(Unknown Source)
at org.apache.cxf.wsdl11.WSDLManagerImpl.loadDefinition(WSDLManagerImpl.java:262)
at org.apache.cxf.wsdl11.WSDLManagerImpl.getDefinition(WSDLManagerImpl.java:205)
at org.apache.cxf.wsdl11.WSDLServiceFactory.<init>(WSDLServiceFactory.java:98)
... 14 more
Caused by: javax.net.ssl.SSLException: java.lang.RuntimeException: Could not generate DH keypair
at sun.security.ssl.Alerts.getSSLException(Alerts.java:208)
at sun.security.ssl.SSLSocketImpl.fatal(SSLSocketImpl.java:1884)
at sun.security.ssl.SSLSocketImpl.fatal(SSLSocketImpl.java:1842)
at sun.security.ssl.SSLSocketImpl.handleException(SSLSocketImpl.java:1825)
at sun.security.ssl.SSLSocketImpl.startHandshake(SSLSocketImpl.java:1346)
at sun.security.ssl.SSLSocketImpl.startHandshake(SSLSocketImpl.java:1323)
at sun.net.www.protocol.https.HttpsClient.afterConnect(HttpsClient.java:563)
at sun.net.www.protocol.https.AbstractDelegateHttpsURLConnection.connect(AbstractDelegateHttpsURLConnection.java:185)
at sun.net.www.protocol.http.HttpURLConnection.getInputStream(HttpURLConnection.java:1300)
at sun.net.www.protocol.https.HttpsURLConnectionImpl.getInputStream(HttpsURLConnectionImpl.java:254)
at org.apache.xerces.impl.XMLEntityManager.setupCurrentEntity(Unknown Source)
at org.apache.xerces.impl.XMLVersionDetector.determineDocVersion(Unknown Source)
at org.apache.xerces.parsers.XML11Configuration.parse(Unknown Source)
at org.apache.xerces.parsers.XML11Configuration.parse(Unknown Source)
at org.apache.xerces.parsers.XMLParser.parse(Unknown Source)
at org.apache.xerces.parsers.DOMParser.parse(Unknown Source)
at org.apache.xerces.jaxp.DocumentBuilderImpl.parse(Unknown Source)
... 20 more
Caused by: java.lang.RuntimeException: Could not generate DH keypair
at sun.security.ssl.ECDHCrypt.<init>(ECDHCrypt.java:80)
at sun.security.ssl.ClientHandshaker.serverKeyExchange(ClientHandshaker.java:632)
at sun.security.ssl.ClientHandshaker.processMessage(ClientHandshaker.java:218)
at sun.security.ssl.Handshaker.processLoop(Handshaker.java:868)
at sun.security.ssl.Handshaker.process_record(Handshaker.java:804)
at sun.security.ssl.SSLSocketImpl.readRecord(SSLSocketImpl.java:1016)
at sun.security.ssl.SSLSocketImpl.performInitialHandshake(SSLSocketImpl.java:1312)
at sun.security.ssl.SSLSocketImpl.startHandshake(SSLSocketImpl.java:1339)
... 32 more
Caused by: java.security.InvalidAlgorithmParameterException: parameter object not a ECParameterSpec
at org.bouncycastle.jce.provider.JDKKeyPairGenerator$EC.initialize(Unknown Source)
at sun.security.ssl.ECDHCrypt.<init>(ECDHCrypt.java:75)
... 39 more
Here's the connector:
<Connector port="11047" SSLEnabled="true" keepAliveTimeout="360000"
           keystorePass="changeit" keyAlias="tomcat" maxThreads="150"
           scheme="https" secure="true"
           protocol="org.apache.coyote.http11.Http11NioProtocol"
           sslProtocols="TLSv1,TLSv1.1,TLSv1.2"
           ciphers="TLS_RSA_WITH_AES_128_CBC_SHA256,TLS_RSA_WITH_AES_128_CBC_SHA,TLS_RSA_WITH_AES_256_CBC_SHA256,TLS_RSA_WITH_AES_256_CBC_SHA,SSL_RSA_WITH_RC4_128_SHA"
           sslProtocol="TLS" keystoreFile="/etc/tomcat6/.keystore"
           maxParameterCount="100000" />
I confirmed with Marc that the latest supported requirements are:
jdk1.6 & tomcat7
I also just confirmed that using 1.6.0_39-b04 and tomcat 7.0.54, it works fine against our production server. This is using the default configuration as committed into SourceForge (recently updated for tomcat7).
I've found the problem with oscar & jdk1.7: it comes down to the Bouncy Castle encryption libraries. We currently have a slew included; they look like:
bcprov-jdk14-1.38.jar
bcprov-jdk14-138.jar
bcprov-jdk15-140.jar
bcprov-jdk15-1.46.jar
bcprov-jdk16-1.40.jar
Notice specifically that we're missing one for jdk1.7.
This is how you prove this is the problem:
1) you need commit https://source.oscartools.org:8080/#/c/11168 or later.
2) start oscar, go to http://127.0.0.1:8080/oscar/myoscar_login_tester.jsp and attempt to login. Notice it will fail.
3) delete the bcprov*.jar from your catalina_base/webapps/oscar/WEB-INF/lib and restart tomcat.
4) go do step #2 again, see that it will succeed. Now just log in to oscar normally with oscardoc, notice all web services work now (auto login, checking messages, etc.)
This is only a diagnosis of the problem. How to solve it is harder. There appears to be no bcprov-jdk17 available at the moment. I will email the developers to see why bouncycastle is required and/or how the dependency can be removed.
Note that this is not a myoscar problem, this is an encryption / cipher problem. This problem can affect any / all encryption through the system including any encrypted network connections to other servers.
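An added shell check, not OSCAR's own code, that audits a webapp's WEB-INF/lib for the multiple-bcprov condition diagnosed above: it lists every Bouncy Castle provider jar with the JDK target and version parsed from its file name and flags the directory when more than one is present. The demo directory and its empty jar files are constructed here to mirror the listing in the post.

```shell
#!/bin/sh
# Audit a webapp's WEB-INF/lib for Bouncy Castle provider jars (bcprov-*.jar).
# More than one bcprov jar on the same classpath means several copies of the
# same JCE provider compete to register, which is the situation behind the
# "parameter object not a ECParameterSpec" handshake failure in this report.

# Print "filename jdk-target version" for every bcprov jar in directory $1.
list_bcprov() {
  for f in "$1"/bcprov-*.jar; do
    [ -e "$f" ] || continue           # glob matched nothing
    name=$(basename "$f")
    # bcprov-jdk15on-1.51.jar -> target "jdk15on", version "1.51"
    # bcprov-jdk15-140.jar    -> target "jdk15",   version "140"
    rest=${name#bcprov-}
    rest=${rest%.jar}
    printf '%s %s %s\n' "$name" "${rest%%-*}" "${rest#*-}"
  done
}

# Number of bcprov jars in directory $1.
count_bcprov() {
  list_bcprov "$1" | wc -l | tr -d ' '
}

# Returns 0 when at most one provider jar is present, 1 when several conflict.
bcprov_audit() {
  n=$(count_bcprov "$1")
  if [ "$n" -gt 1 ]; then
    echo "CONFLICT: $n Bouncy Castle provider jars in $1:" >&2
    list_bcprov "$1" >&2
    return 1
  fi
  echo "OK: $n Bouncy Castle provider jar(s) in $1"
}

# Constructed sample directory mirroring the listing in the post above
# (empty files standing in for the real jars).
demo_dir=$(mktemp -d)
for j in bcprov-jdk14-1.38.jar bcprov-jdk14-138.jar bcprov-jdk15-140.jar \
         bcprov-jdk15-1.46.jar bcprov-jdk16-1.40.jar; do
  : > "$demo_dir/$j"
done
bcprov_audit "$demo_dir" || true      # reports CONFLICT with 5 jars
```

Run it against the real directory with `bcprov_audit /path/to/webapps/oscar/WEB-INF/lib`; a non-zero exit is the signal that the classpath carries competing provider copies.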
https://source.oscartools.org:8080/#/c/11173/
This patch updates oscar to use the latest bcprov version. Ignore the name, it's misleading: bcprov-15on means "jdk1.5 and on" (and newer). The latest library version itself is actually 1.51 (as opposed to 140, the previous version).
Note that this change is deep-rooted. It has the potential to affect any/all encryption and secure network communications.
This patch was very lightly tested against jdk1.7 and jdk1.6 and tomcat7.
Whoever is responsible for release will need to thoroughly QA everything which uses encryption and/or secure sockets / secure network communications.
Re-tested gerrit commit https://source.oscartools.org:8080/#/c/11173/ against tomcat6 and java 1.7 -> issue has been resolved regarding the reported myOscar connection.
To note: when running the regression test on gerrit commit https://source.oscartools.org:8080/#/c/11173/ and setting up tomcat6 to run SSL, I was not able to get the new UI interface.
2014-11-10 16:36:24,882 WARN [ProblemCheckFilter:140] Some one putting non serialisable item into session. key=org.oscarehr.util.LoggedInInfo.LOGGED_IN_INFO_KEY
Can I suggest you open another bug for this? It doesn't really sound related given the information provided at present. I think it would be best assigned to Marc.