Hi there,

Have you tried the following?

https://docs.oracle.com/cd/E19798-01/821-1841/gjrgy/index.html

I have not tried to use a PKCS12 keystore type. Was there a particular reason why you are using it? Could you try with a JKS?

--Udo

On 6/11/18 03:31, Liron Ben Ari wrote:
Hello team.
I am trying to move my Client server to work with SSL as part of a Security POC 
we are running.
I was going through the GEODE documents (there are a lot! :)) and there were a lot of 
different options...



This is the configuration I used:

I've generated the keystore & certificate using a private tool (that uses 
openssl + keytool).

For client:
  A file containing a PEM encoded X.509 certificate and a PEM encoded PKCS#8 
encrypted private key
For server:
  PKCS#12 - this part works,
as we could see openssl s_client return the chain



In the gemfire.properties file I used:

ssl-enabled-components=all
ssl-protocols=any
ssl-ciphers=SSL_RSA_WITH_NULL_SHA       //I've tried both options (empty as well)
ssl-keystore-type=PKCS12
ssl-keystore=/users/xpiwrk1/Amdocs-Test-CA/pki/private/server4.p12
ssl-keystore-password=changeme
ssl-truststore-type=JKS
ssl-truststore=/users/xpiwrk1/Amdocs-Test-CA/AmdocsTestCA-Trust.jks
ssl-truststore-password=changeit



On the client side I used the PEM format:
gfcpp1.properties:
ssl-enabled=true
ssl-keystore=/tmp/server4.pem
ssl-keystore-password=changeme
ssl-truststore=/users/xpiwrk1/Amdocs-Test-CA/AmdocsTestCA-Trust.pem


This is the error I am getting from the server when the client is trying to connect 
(locator):
[info 2018/06/11 11:46:40.907 IDT eaasrt-locator <locator request thread[16]> 
tid=0x55] Exception in processing request from 192.168.2.100
javax.net.ssl.SSLHandshakeException: sun.security.validator.ValidatorException: 
PKIX path building failed: 
sun.security.provider.certpath.SunCertPathBuilderException: unable to find 
valid certification
path to requested target
         at sun.security.ssl.Alerts.getSSLException(Alerts.java:192)
         at sun.security.ssl.SSLSocketImpl.fatal(SSLSocketImpl.java:1949)
         at sun.security.ssl.Handshaker.fatalSE(Handshaker.java:302)
         at sun.security.ssl.Handshaker.fatalSE(Handshaker.java:296)
         at 
sun.security.ssl.ServerHandshaker.clientCertificate(ServerHandshaker.java:1906)
         at 
sun.security.ssl.ServerHandshaker.processMessage(ServerHandshaker.java:233)
         at sun.security.ssl.Handshaker.processLoop(Handshaker.java:1026)
         at sun.security.ssl.Handshaker.process_record(Handshaker.java:961)
         at sun.security.ssl.SSLSocketImpl.readRecord(SSLSocketImpl.java:1062)
         at 
sun.security.ssl.SSLSocketImpl.performInitialHandshake(SSLSocketImpl.java:1375)
         at 
sun.security.ssl.SSLSocketImpl.startHandshake(SSLSocketImpl.java:1403)
         at 
sun.security.ssl.SSLSocketImpl.startHandshake(SSLSocketImpl.java:1387)
         at 
org.apache.geode.internal.net.SocketCreator.configureServerSSLSocket(SocketCreator.java:1013)
         at 
org.apache.geode.distributed.internal.tcpserver.TcpServer.lambda$processRequest$0(TcpServer.java:366)
         at 
java.util.concurrent.ThreadPoolExecutor.runWorker(ThreadPoolExecutor.java:1142)
         at 
java.util.concurrent.ThreadPoolExecutor$Worker.run(ThreadPoolExecutor.java:617)
         at java.lang.Thread.run(Thread.java:748)
Caused by: sun.security.validator.ValidatorException: PKIX path building 
failed: sun.security.provider.certpath.SunCertPathBuilderException: unable to 
find valid certification path to requested target
         at sun.security.validator.PKIXValidator.doBuild(PKIXValidator.java:387)
         at 
sun.security.validator.PKIXValidator.engineValidate(PKIXValidator.java:292)
         at sun.security.validator.Validator.validate(Validator.java:260)
         at 
sun.security.ssl.X509TrustManagerImpl.validate(X509TrustManagerImpl.java:324)
         at 
sun.security.ssl.X509TrustManagerImpl.checkTrusted(X509TrustManagerImpl.java:227)
         at 
sun.security.ssl.X509TrustManagerImpl.checkClientTrusted(X509TrustManagerImpl.java:118)
         at 
sun.security.ssl.ServerHandshaker.clientCertificate(ServerHandshaker.java:1888)
         ... 12 more
Caused by: sun.security.provider.certpath.SunCertPathBuilderException: unable 
to find valid certification path to requested target
         at 
sun.security.provider.certpath.SunCertPathBuilder.build(SunCertPathBuilder.java:141)
:

These are the errors I am getting from the client:

ACE_SSL (45715|140151217246912) error code: 336151574 - error:14094416:SSL 
routines:SSL3_READ_BYTES:sslv3 alert certificate unknown
ACE_SSL (45715|140151217246912) error code: 336151574 - error:14094416:SSL 
routines:SSL3_READ_BYTES:sslv3 alert certificate unknown
ACE_SSL (45715|140151217246912) error code: 336151574 - error:14094416:SSL 
routines:SSL3_READ_BYTES:sslv3 alert certificate unknown
ACE_SSL (45715|140147953735424) error code: 336151574 - error:14094416:SSL 
routines:SSL3_READ_BYTES:sslv3 alert certificate unknown
ACE_SSL (45715|140148921374464) error code: 336151574 - error:14094416:SSL 
routines:SSL3_READ_BYTES:sslv3 alert certificate unknown
ACE_SSL (45715|140148896196352) error code: 336151574 - error:14094416:SSL 
routines:SSL3_READ_BYTES:sslv3 alert certificate unknown
ACE_SSL (45715|140148004091648) error code: 336151574 - error:14094416:SSL 
routines:SSL3_READ_BYTES:sslv3 alert certificate unknown
ACE_SSL (45715|140147978913536) error code: 336151574 - error:14094416:SSL 
routines:SSL3_READ_BYTES:sslv3 alert certificate unknown
ACE_SSL (45715|140148398352128) error code: 336151574 - error:14094416:SSL 
routines:SSL3_READ_BYTES:sslv3 alert certificate unknown
ACE_SSL (45715|140148373174016) error code: 336151574 - error:14094416:SSL 
routines:SSL3_READ_BYTES:sslv3 alert certificate unknown

Any help will be appreciated!!

Thanks.


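The server-side exception above ("unable to find valid certification path to requested target") is the JDK's PKIX path builder failing to link the client's certificate to any trust anchor in the locator's truststore. The following added example (not part of this thread, nor Geode's own code) reproduces that exact check offline with the JDK's CertPathBuilder, so the truststore and client certificate can be validated against each other before the locator is started; the file names, store type and password are passed as arguments and are assumed to match the ssl-truststore* properties and the client PEM file from the configuration above.

```java
import java.io.*;
import java.nio.charset.StandardCharsets;
import java.nio.file.*;
import java.security.KeyStore;
import java.security.cert.*;
import java.util.*;
import java.util.regex.*;

/** Offline check: can this truststore build a PKIX path for the certificate(s) in a PEM file? */
public class TrustPathCheck {
    // Extracts only CERTIFICATE blocks, so a PEM file that also carries an
    // ENCRYPTED PRIVATE KEY block (the client file described in the thread) is handled.
    private static final Pattern CERT_BLOCK = Pattern.compile(
        "-----BEGIN CERTIFICATE-----\\s*([A-Za-z0-9+/=\\s]+?)\\s*-----END CERTIFICATE-----");

    public static void main(String[] args) throws Exception {
        if (args.length != 4) {
            System.err.println("usage: TrustPathCheck <truststore> <JKS|PKCS12> <store-password> <client.pem>");
            System.exit(2);
        }
        System.exit(pathBuilds(args[0], args[1], args[2].toCharArray(), args[3]) ? 0 : 1);
    }

    static boolean pathBuilds(String trustPath, String trustType, char[] pw, String pemPath) throws Exception {
        KeyStore trust = KeyStore.getInstance(trustType);          // same value as ssl-truststore-type
        try (FileInputStream in = new FileInputStream(trustPath)) { trust.load(in, pw); }

        CertificateFactory cf = CertificateFactory.getInstance("X.509");
        List<X509Certificate> chain = new ArrayList<>();           // leaf first, then any intermediates
        String pem = new String(Files.readAllBytes(Paths.get(pemPath)), StandardCharsets.US_ASCII);
        Matcher m = CERT_BLOCK.matcher(pem);
        while (m.find()) {
            byte[] der = Base64.getMimeDecoder().decode(m.group(1));
            chain.add((X509Certificate) cf.generateCertificate(new ByteArrayInputStream(der)));
        }
        if (chain.isEmpty()) { System.err.println("no CERTIFICATE block in " + pemPath); return false; }

        try {
            X509CertSelector target = new X509CertSelector();
            target.setCertificate(chain.get(0));                   // the end-entity cert the client presents
            PKIXBuilderParameters params = new PKIXBuilderParameters(trust, target); // trusted entries = anchors
            params.addCertStore(CertStore.getInstance("Collection", new CollectionCertStoreParameters(chain)));
            params.setRevocationEnabled(false);                    // focus on path building, not CRL/OCSP
            CertPathBuilderResult r = CertPathBuilder.getInstance("PKIX").build(params);
            System.out.println("OK: anchored at " + r.getTrustAnchor().getTrustedCert().getSubjectX500Principal());
            return true;
        } catch (CertPathBuilderException e) {
            // Same failure the locator logged; the issuer printed here must be a trusted entry in the store
            System.out.println("FAIL: " + e.getMessage());
            System.out.println("client cert issuer: " + chain.get(0).getIssuerX500Principal());
            return false;
        }
    }
}
```

If this reports FAIL while openssl s_client shows the server's own chain fine, the problem is the truststore the locator reads, not the keystore: the issuer printed must appear as a trusted certificate entry in the JKS named by ssl-truststore.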

