Hi Dave,

I believe that only self-signed certificates can be used for signing AuthSub tokens. Can you try skipping the "certreq" step and just use your self-signed certificate? The following docs have the necessary commands for generating self-signed certificates with keytool.

http://code.google.com/apis/gdata/docs/auth/authsub.html#keytool

I followed these steps to get a self-signed certificate with the "-validity 1825 -keysize 2048" flags, and I was able to successfully sign tokens. I don't believe that the extended validity is necessary, however; Google doesn't check for certificate expiry.

Paul

On Jul 6, 8:27 am, Dave <[email protected]> wrote:
> Hello Paul,
>
> I've had no luck with this issue. We are still getting the same error no matter what SSL cert we use. 1024 or 2048 size certificates generate the same error. Here are the exact steps we are taking to generate the certificates. This is a Java environment on a Windows platform:
>
> keytool -genkey -v -alias d1google -dname "CN=careopinion.com, OU=Corporate, O=DiagnosisONE, L=Nashua, S=New Hampshire, C=US" -alias d1google -keypass xxxxx -keystore d1google2010b.jks -storepass xxxxx -keyalg "RSA" -sigalg SHA1withRSA -validity 1825 -keysize 1024
>
> keytool -certreq -v -alias d1google -sigalg "SHA1withRSA" -file d1google2010b.csr -keystore d1google2010b.jks -storepass xxxxx -keypass xxxxx
>
> Once I receive the cert back from the provider, I append it using a text editor to the bottom of the certificate chain file also received from the provider.
>
> keytool -import -v -file careopinion_com.txt -keypass xxxxx -keystore d1google2010b.jks -storepass xxxxx -trustcacerts -alias d1google
>
> I then export the certificate from the keystore:
>
> keytool -export -v -rfc -alias d1google -file d1google2010b.pem -keystore d1google2010b.jks -storepass xxxxx
>
> And use the resulting file to upload to the manage domain tool for our domain.
>
> Testing the application still results in the following exception:
>
> com.google.gdata.util.AuthenticationException: 401: Invalid AuthSub header.
> Add Profile exception: Problem while exchanging AuthSub token.
>
> Any ideas on what is going wrong here? Am I missing something very basic? This is very frustrating....
>
> Thanks,
>
> -Dave-
>
> On Jun 24, 8:43 pm, "Paul (Google)" <[email protected]> wrote:
> > Hi Dave,
> >
> > I'm still investigating 2048 bit key support. I'll definitely post an update once I have a definitive answer.
> >
> > When you click the link for the domains management test using Google Calendar, you'll be directed to the Calendar authorization page, and then back to your app with an authorized single-use token in the URL. You will be redirected back to the URL you have specified in the "Target URL path prefix" field, and the token will be a GET parameter on the URL. To verify that the signature was successful, you'll need to have your web application retrieve the token from the URL and attempt to upgrade it to a session token, which is what you're currently doing with Health. If you're able to exchange the single-use token for a session token, then the 2048 bit key should be useable. If you get the same error that's in the initial post, then it's unlikely that the 2048 bit key can be used at this time.
> >
> > In any event, I'll let you know what I find out about 2048 bit keys!
> >
> > Paul
> >
> > On Jun 22, 12:08 pm, Dave <[email protected]> wrote:
> > > Hi Paul,
> > >
> > > It won't be possible to get a 1024 length key now. All of the key issuers are using 2048 as the default key size now.
> > >
> > > Is there any way for you to verify if Google will support the 2048 key?
> > >
> > > Also, I'm not clear how to test the key using the Google Calendar link. When I click on it, it asks:
> > >
> > > The site CareOpinion is requesting access to your Google Account for the product(s) listed below.
> > > Google Calendar
> > >
> > > When I click "Grant Access" it immediately takes me to my caropinion.com application page. Does this mean that the certificate works?
> > >
> > > I am still getting the following error after I try to connect to Google Health through our application. I've imported the Google Health cert into our IIS store...
> > >
> > > <Jun 22, 2010 2:58:59 PM EDT> <Warning> <Security> <BEA-090477> <Certificate chain received from www.google.com - 72.14.204.147 was not trusted causing SSL handshake failure.>
> > > javax.net.ssl.SSLKeyException: [Security:090477]Certificate chain received from www.google.com - 72.14.204.147 was not trusted causing SSL handshake failure.
> > >
> > > Thanks in advance for your help....
> > >
> > > -Dave-
> > >
> > > On Jun 18, 1:45 pm, "Paul (Google)" <[email protected]> wrote:
> > > > Hi Dave,
> > > >
> > > > Is it possible to test with a 1024 bit key? This should be the default when generating a key using Java keytool. The keytool example at the following link produces a 1024 bit key.
> > > >
> > > > http://code.google.com/apis/gdata/docs/auth/authsub.html#keytool
> > > >
> > > > There should be an option to test your key on the domain management tool (next link). Are you able to link to Google Calendar with your current key?
> > > >
> > > > https://www.google.com/accounts/ManageDomain
> > > >
> > > > Paul
> > > >
> > > > On Jun 18, 6:49 am, Dave <[email protected]> wrote:
> > > > > Can anyone help with this? Thanks.
> > > > >
> > > > > On Jun 14, 11:21 am, Dave <[email protected]> wrote:
> > > > > > Hello,
> > > > > >
> > > > > > We are still experiencing the same issue.
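One way to confirm what Paul's advice implies before uploading a certificate, as an added example that is not code from this thread or from the gdata library: open the JKS keystore, check that the entry under the alias is still self-signed (a CA reply imported with `-trustcacerts` replaces it with a CA-issued chain), that the key is RSA, and that a SHA1withRSA sign/verify round trip succeeds. The keystore name and alias come from Dave's commands; the passwords and the signed sample data are placeholders.

```java
import java.io.FileInputStream;
import java.security.GeneralSecurityException;
import java.security.KeyStore;
import java.security.PrivateKey;
import java.security.Signature;
import java.security.cert.X509Certificate;

public class AuthSubKeyCheck {
    public static void main(String[] args) throws Exception {
        // Keystore file and alias taken from the thread; the passwords are placeholders.
        String alias = "d1google";
        char[] storePass = "STOREPASS_PLACEHOLDER".toCharArray();
        char[] keyPass = "KEYPASS_PLACEHOLDER".toCharArray();
        KeyStore ks = KeyStore.getInstance("JKS");
        try (FileInputStream in = new FileInputStream("d1google2010b.jks")) {
            ks.load(in, storePass);
        }
        PrivateKey key = (PrivateKey) ks.getKey(alias, keyPass);
        X509Certificate cert = (X509Certificate) ks.getCertificate(alias);
        if (key == null || cert == null) {
            throw new IllegalStateException("no private key entry under alias " + alias);
        }

        // Check 1: the entry must still be self-signed (issuer == subject, verifies
        // under its own key). "keytool -import -trustcacerts" of a CA reply replaces
        // the self-signed certificate with the CA-issued chain, so chain length > 1.
        boolean selfSigned;
        try {
            cert.verify(cert.getPublicKey());
            selfSigned = cert.getSubjectX500Principal().equals(cert.getIssuerX500Principal());
        } catch (GeneralSecurityException e) {
            selfSigned = false;
        }
        int chainLength = ks.getCertificateChain(alias).length;
        // Check 2: AuthSub secure mode signs with rsa-sha1, so the key must be RSA.
        boolean rsa = "RSA".equals(key.getAlgorithm());
        // Check 3: a sign/verify round trip shows the private key matches the certificate
        // that was exported and uploaded. The data is a constructed sample in the
        // "METHOD URL TIMESTAMP NONCE" shape that AuthSub signs.
        byte[] data = "GET https://www.google.com/calendar/feeds/default/allcalendars/full 1278424800 4e9f2a".getBytes("UTF-8");
        Signature sig = Signature.getInstance("SHA1withRSA");
        sig.initSign(key);
        sig.update(data);
        byte[] signature = sig.sign();
        sig.initVerify(cert.getPublicKey());
        sig.update(data);
        boolean roundTrip = sig.verify(signature);
        System.out.printf("selfSigned=%b chainLength=%d rsa=%b signVerify=%b%n", selfSigned, chainLength, rsa, roundTrip);
    }
}
```

On a keystore that went through Dave's certreq/import steps this prints selfSigned=false with a chain length above 1, which is the state Paul suggests avoiding.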
