webservice consumption in Domino - getting cross certificate error - rest

User D.Bugger on this portal has resolved this issue; however, he did not give more details on how he resolved it. So it would be great if he could answer, or if anyone who has faced and resolved this could help.
We are configuring web service consumption on a Domino server. For that purpose we exported the remote server's root certificate and imported it into the Domino JVM by referring to http://www-01.ibm.com/support/docview.wss?uid=swg21588966; we also imported the certificate into the Lotus Notes client and the IE browser. However, we are still facing the same cross-certification error below when the web agent runs. So we really need to create a cross certificate in the Domino Directory for the remote server, as we are accessing the remote server's service. Do we have any exact steps that we need to follow (some admin guide or similar) to achieve this?
Server log:
12/16/2014 12:22:40 PM Opened session for Domino/SVR (Release 8.5)
12/16/2014 12:22:40 PM HTTP JVM: Error ; nested exception is:
12/16/2014 12:22:40 PM HTTP JVM: Error connecting to 'something.thing.com' on port '443', SSL invalid certificate, may need to cross-certify.
12/16/2014 12:22:40 PM HTTP JVM: WebServiceEngineFault
12/16/2014 12:22:40 PM HTTP JVM: faultCode: {http://schemas.xmlsoap.org/soap/envelope/}Server.generalException
12/16/2014 12:22:40 PM HTTP JVM: faultSubcode:
12/16/2014 12:22:40 PM HTTP JVM: faultString: Error connecting to 'something.thing.com' on port '443', SSL invalid certificate, may need to cross-certify.
12/16/2014 12:22:40 PM HTTP JVM: faultActor:
12/16/2014 12:22:40 PM HTTP JVM: faultNode:
12/16/2014 12:22:40 PM HTTP JVM: faultDetail:
12/16/2014 12:22:40 PM HTTP JVM: Error connecting to 'something.thing.com' on port '443', SSL invalid certificate, may need to cross-certify.

Had a similar problem before. As far as I can see, this might be related to a known issue with faulty behaviour in the SSL client of some server tasks (SMTP, DA, WebService Consumer, etc.).
http://www-01.ibm.com/support/docview.wss?uid=swg21673152
Here, an IBM engineer explains the problem:
http://www-10.lotus.com/ldd/ndseforum.nsf/xpTopicThread.xsp?documentId=384D0763885F710385257CBD005E5919
This SPR deals with an issue where the Domino server is acting as the SSL client. After the SSL server has sent the server certificate and server key exchange messages, the SSL server can optionally request a certificate from the SSL client, specifying a list of distinguished names of acceptable certificate authorities. In some instances, no DN list of acceptable certificate authorities is specified by the SSL server.
Currently, in this case (where the SSL server is requesting a client certificate from Domino but does not specify the acceptable certificate authorities), the Domino server will respond with a fatal alert and end the SSL handshake. In a future fix, the Domino server will send a non-fatal SSL alert or the cert that it has, depending on the customer's preference.
However, it seems to be fixed in 9.0.1 FP2.
http://www-10.lotus.com/ldd/fixlist.nsf/Public/1CFEB3634431FC6685257C5C0047848B?OpenDocument

My issue is resolved.
There is no need to create a cross certificate in Domino, nor even in javacert. We just had to merge the remote site's root certificate into our Domino server's keyfile.kyr file from the Certificate Admin Server database. This solution was suggested by an IBM person.
Still, thanks for your support.
Cheers!!

Related

How to configure Keycloak to work with Guacamole's OpenID plugin?

I'm trying to set up Apache Guacamole with Keycloak as the OpenID Connect authorization server.
Guacamole redirects me to Keycloak, I can log in with the user I created on Keycloak, and I get redirected back to Guacamole, but there it says that my token is invalid:
08:08:11.477 [http-nio-4432-exec-7] INFO o.a.g.a.o.t.TokenValidationService - Rejected invalid OpenID token: Unable to process JOSE object (cause: org.jose4j.lang.UnresolvableKeyException: Unable to find a suitable verification key for JWS w/ header {"alg":"RS256","typ" : "JWT","kid" : "8ZNpgh_vnmG0HMMNYdOz1lw4ECoWxmsiUGte1mJfvyI"} due to an unexpected exception (javax.net.ssl.SSLException: java.lang.RuntimeException: Unexpected error: java.security.InvalidAlgorithmParameterException: the trustAnchors parameter must be non-empty) while obtaining or using keys from JWKS endpoint at https://172.16.47.229:12345/auth/realms/Guacamole-test/protocol/openid-connect/certs): JsonWebSignature{"alg":"RS256","typ" : "JWT","kid" : "8ZNpgh_vnmG0HMMNYdOz1lw4ECoWxmsiUGte1mJfvyI"}->eyJhbGciOiJSUzI1NiIsInR5cCIgOiAiSldUIiwia2lkIiA6ICI4Wk5wZ2hfdm5tRzBITU1OWWRPejFsdzRFQ29XeG1zaVVHdGUxbUpmdnlJIn0....eOhkDqcgfdJnO12PRDqLIHACRNVdVHoSDFjThHWc6Ug1gdoz9t_T2K7F_B6dJSbNygAJrGvc5BVRx9XCJH1fVFSYhpXVqCO0jrHm0XJKhw_kBce4x3ZluGAtktx614j9qFzUwZHXOkFAUGPtyPQKuRTfdzHqQUILLJhVdSRPmou40rX31-l7VwqWZk_Yp1JCdQsA61XvJcQrU_aiKivZFaDGiY5GrnpL8zcEwJcFemptVoGKrG63O_LjxDCxhLpO1C1fi8GjngMSfco9aAp4AaGpHWy8ofJAu-TWbLGf-UPLUhC3lf903-Q_BU3eehYxtMyN1eet0HeGm0x_gV_wvA
In Keycloak I created a client as follows:
(Will change the valid redirect URIs once I have it working)
And my guacamole.properties looks like this:
guacd-port: 4822
guacd-hostname: localhost
# OpenID Connect Properties
openid-authorization-endpoint: https://172.16.47.229:12345/auth/realms/Guacamole-test/protocol/openid-connect/auth
openid-jwks-endpoint: https://172.16.47.229:12345/auth/realms/Guacamole-test/protocol/openid-connect/certs
openid-issuer: https://172.16.47.229:12345/auth/realms/Guacamole-test
openid-client-id: Guacamole
openid-redirect-uri: http://172.16.47.229:4432/guacamole/
# Postgresql Properties
postgresql-hostname: 172.16.47.229
postgresql-port: 4444
postgresql-database: guacamoledb
postgresql-username: guacamoleuser
postgresql-password: test
What do I have to change for Guacamole to accept the token?
Update: I found the configuration to be working if I use Keycloak with HTTP instead of HTTPS, but that is not desirable. I have now also configured Guacamole, or more precisely the Tomcat that's hosting Guacamole, to use HTTPS, but I still cannot get it to work (without having to use HTTP for Keycloak).
I've caught the same issue. Most probably you just have to provide a valid SSL certificate for your IdP (Keycloak).
Possible workaround was found here: How to configure Keycloak to work with Guacamole's OpenID plugin?.
I've re-compiled guacamole-auth-openid extension with this change:
diff --git a/extensions/guacamole-auth-openid/src/main/java/org/apache/guacamole/auth/openid/token/TokenValidationService.java b/extensions/guacamole-auth-openid/src/main/java/org/apache/guacamole/auth/openid/token/TokenValidationService.java
index 5efb09dab..27d818ee5 100644
--- a/extensions/guacamole-auth-openid/src/main/java/org/apache/guacamole/auth/openid/token/TokenValidationService.java
+++ b/extensions/guacamole-auth-openid/src/main/java/org/apache/guacamole/auth/openid/token/TokenValidationService.java
## -79,6 +79,7 ## public class TokenValidationService {
// Create JWT consumer for validating received token
JwtConsumer jwtConsumer = new JwtConsumerBuilder()
+ .setSkipSignatureVerification()
.setRequireExpirationTime()
.setMaxFutureValidityInMinutes(confService.getMaxTokenValidity())
.setAllowedClockSkewInSeconds(confService.getAllowedClockSkew())
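Review bot: `.setSkipSignatureVerification()` removes the check that binds the token to the IdP's JWKS key, so after this change the consumer accepts any JWT whose expiry and clock-skew claims pass, regardless of who issued it; that is a logic defect, not a workaround. The failure the log actually reports is `the trustAnchors parameter must be non-empty`, i.e. the JVM fetching the JWKS endpoint has no trust store containing the IdP's CA; the fix is to import that CA into the JVM's cacerts (as the later answer does) and leave signature verification enabled.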
And this solved the issue. I don't think it's applicable for production needs, but in production self-signed certificates should not be used.
With Guacamole 1.4.0 and Keycloak 15.0.2 I fixed the HTTPS issue by mounting a custom cacerts keystore in the Guacamole container. This custom keystore is just the OpenJDK 8 cacerts with the Let's Encrypt CA bundle https://letsencrypt.org/certs/isrgrootx1.pem imported, because my Keycloak and Guacamole instances use Let's Encrypt certificates.
On the host I had OpenJDK 8 installed, so the Docker mount was:
/etc/ssl/certs/java/cacerts:/usr/local/openjdk-8/jre/lib/security/cacerts

MailKit gets an SslHandshakeException with LetsEncrypt SSL certificates

I have a server (CentOS 7) set up to be used as a mail server, using postfix/dovecot/opendkim/opendmarc.
It works as it should: users are able to connect to their email using Gmail, for example, and are able to send and receive mail.
Also, when I use MailKit and test my .NET Core application from my home PC, MailKit connects fine and the emails are sent.
However, when I deploy the application to my server, MailKit fails to connect.
If I look in the logs I see the following:
postfix/submission/smtpd[4486]: match_hostname: unknown ~? 127.0.0.1/32
postfix/submission/smtpd[4486]: match_hostaddr: MY_SERVER_IP ~? 127.0.0.1/32
postfix/submission/smtpd[4486]: match_hostname: unknown ~? MY_SERVER_IP/32
postfix/submission/smtpd[4486]: match_hostaddr: MY_SERVER_IP ~? MY_SERVER_IP/32
postfix/submission/smtpd[4486]: lost connection after STARTTLS from unknown[MY_SERVER_IP]
But if I look a bit higher in the logs I see:
Anonymous TLS connection established from unknown[MY_SERVER_IP]: TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)
My MailKit code (which works fine from outside of the server):
using (SmtpClient emailClient = new SmtpClient())
{
    await emailClient.ConnectAsync(emailConfiguration.SmtpServer, emailConfiguration.SmtpPort, SecureSocketOptions.StartTls);
    emailClient.AuthenticationMechanisms.Remove("XOAUTH2");
    await emailClient.AuthenticateAsync(emailConfiguration.SmtpUsername, emailConfiguration.SmtpPassword);
    await emailClient.SendAsync(message);
    await emailClient.DisconnectAsync(true);
}
Edit:
The exception from MailKit (the certificate is proper and not self-signed):
MailKit.Security.SslHandshakeException: An error occurred while attempting to establish an SSL or TLS connection.
May 19 16:07:37 domain.com NETCoreApp[4452]: The server's SSL certificate could not be validated for the following reasons:
May 19 16:07:37 domain.com NETCoreApp[4452]: • The server certificate has the following errors:
May 19 16:07:37 domain.com NETCoreApp[4452]: • unable to get certificate CRL
May 19 16:07:37 domain.com NETCoreApp[4452]: • The root certificate has the following errors:
May 19 16:07:37 domain.com NETCoreApp[4452]: • unable to get certificate CRL
May 19 16:07:37 domain.com NETCoreApp[4452]: • unable to get local issuer certificate
May 19 16:07:37 domain.com NETCoreApp[4452]: ---> System.Security.Authentication.AuthenticationException: The remote certificate is invalid according to the validation procedure.
The "unable to get certificate CRL" error sounds like SslStream was unable to get the CRL, perhaps because the CRL server is unreachable for some reason.
You could try adding emailClient.CheckCertificateRevocation = false; before the ConnectAsync to check if that's the issue.
The other error, "unable to get local issuer certificate", might be because the server that MailKit is running on doesn't have the root CA certificate in its X509Store but your home PC does.
Update:
The problem is that Let's Encrypt SSL certificates do not include a CRL location, which means that certificate revocation checks will fail.
To bypass this, you need to set client.CheckCertificateRevocation = false; before connecting.
I found an answer which works but isn't my preferred method, since I wanted to be able to use MailKit for more than just my own server (make it configurable from within the app itself).
I came to the solution because I thought it had to do with some internal traffic going wrong.
By using the old SmtpClient from System.Net.Mail I was able to use the DefaultCredentials.
using (SmtpClient client = new SmtpClient("127.0.0.1"))
{
    client.UseDefaultCredentials = true;
    MailAddress from = new MailAddress(emailMessage.FromAddress.Address, emailMessage.FromAddress.Name);
    foreach (IEmailAddress emailAddress in emailMessage.ToAddresses)
    {
        MailAddress to = new MailAddress(emailAddress.Address, emailAddress.Name);
        MailMessage email = new MailMessage(from, to)
        {
            Subject = emailMessage.Subject,
            Body = emailMessage.Content
        };
        await client.SendMailAsync(email);
    }
}
I have the same problem on Ubuntu 20.04 with .NET Core 3.1,
and after 3 hours of trial and error I finally found the solution.
I've just ignored the certificate validation callback.
using var client = new SmtpClient(new ProtocolLogger("smtp.log"));
client.CheckCertificateRevocation = false;
client.ServerCertificateValidationCallback = (sender, certificate, chain, errors) => true;
client.Connect("your.smtp.host", 587, SecureSocketOptions.StartTls);
I hope this would be helpful :)
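A narrower alternative to the unconditional "=> true" callback in the answer above, added here as an example that is not part of the original answers: it keeps MailKit's hostname and chain checks and tolerates only the revocation-lookup failures that the question's log reports. Host, port and credentials are assumed to come from the application's configuration.

```csharp
using System;
using System.Linq;
using System.Net.Security;
using System.Security.Cryptography.X509Certificates;
using System.Threading.Tasks;
using MailKit.Net.Smtp;
using MailKit.Security;
using MimeKit;

// Added example (not from the original answers): a validation callback that
// tolerates only failed revocation lookups, instead of returning true for
// every error as the accepted answer does.
public static class RevocationTolerantSmtp
{
    // Chain flags that mean "the CRL/OCSP lookup could not be completed";
    // every other flag (UntrustedRoot, PartialChain, NotTimeValid, ...) stays fatal.
    private const X509ChainStatusFlags RevocationLookupFlags =
        X509ChainStatusFlags.RevocationStatusUnknown |
        X509ChainStatusFlags.OfflineRevocation;

    public static bool ValidateServerCertificate(object sender,
        X509Certificate certificate, X509Chain chain, SslPolicyErrors errors)
    {
        // Fully valid chain: nothing to tolerate.
        if (errors == SslPolicyErrors.None)
            return true;

        // A hostname mismatch or a missing certificate is never acceptable,
        // and chain errors can only be judged if a chain was built.
        if (errors != SslPolicyErrors.RemoteCertificateChainErrors || chain == null)
            return false;

        // Accept only if every reported status is a revocation-lookup flag.
        // An untrusted or incomplete chain ("unable to get local issuer
        // certificate") still fails: install the root CA on the host instead.
        return chain.ChainStatus.All(s =>
            (s.Status & ~RevocationLookupFlags) == X509ChainStatusFlags.NoError);
    }

    // Assumed configuration values (host, port, credentials) are passed in by the caller.
    public static async Task SendAsync(MimeMessage message, string host, int port,
        string username, string password)
    {
        using var client = new SmtpClient();
        client.ServerCertificateValidationCallback = ValidateServerCertificate;
        await client.ConnectAsync(host, port, SecureSocketOptions.StartTls);
        await client.AuthenticateAsync(username, password);
        await client.SendAsync(message);
        await client.DisconnectAsync(true);
    }
}
```

With this callback a certificate whose only defect is an unreachable CRL is accepted, while an expired, misnamed or untrusted certificate still fails the handshake.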

Unable to read emails from SOA UMS driver

I set up the UMS email driver in SOA 11.1.1.7 EM to read emails from our company email account. I used POP3 and enabled SSL. I also imported the SSL certificate using OpenSSL. This is what the keystore looks like:
Your keystore contains 5 entries
certgenca, Mar 22, 2002, trustedCertEntry,
Certificate fingerprint (MD5): A1:B2:C3:D4:E5:F6:G7:H8:I9:J0:K1:L2:M3:N4:O5:P6
-outlook.companyname.com, Apr 29, 2015, trustedCertEntry,
However, when I restarted the SOA server and the admin server, I saw the following error in the soa_server1.out log file over and over again. Any help would be much appreciated:
DEBUG: setDebug: JavaMail version 1.4.1
DEBUG: getProvider() returning javax.mail.Provider[STORE,pop3,com.sun.mail.pop3.POP3Store,Sun Microsystems, Inc]
DEBUG POP3: connecting to host "outlook.companyname.com", port 443, isSSL false
C: QUIT
<Apr 30, 2015 11:12:39 AM AKDT> <Error> <oracle.sdp.messaging.driver.email> <SDP-26123> <Could not initialize Email Store for user username >
<Apr 30, 2015 11:12:39 AM AKDT> <Error> <oracle.sdp.messaging.driver.email> <SDP-25700> <An unexpected exception was caught.
javax.mail.MessagingException: Connect failed;
nested exception is:
java.net.SocketException: Connection reset
at com.sun.mail.pop3.POP3Store.protocolConnect(POP3Store.java:161)
at javax.mail.Service.connect(Service.java:288)
at javax.mail.Service.connect(Service.java:170)
at oracle.sdpinternal.messaging.driver.email.Pop3EmailStore.initStore(Pop3EmailStore.java:158)
at oracle.sdpinternal.messaging.driver.email.Pop3EmailStore.initStore(Pop3EmailStore.java:132)
at oracle.sdpinternal.messaging.driver.email.EmailResourceAdapter.createEmailStore(EmailResourceAdapter.java:1292)
at oracle.sdpinternal.messaging.driver.email.MailboxPollingWorker.getInitializedEmailStore(MailboxPollingWorker.java:104)
at oracle.sdpinternal.messaging.driver.email.MailboxPollingWorker.run(MailboxPollingWorker.java:47)
at weblogic.connector.security.layer.WorkImpl.runIt(WorkImpl.java:108)
at weblogic.connector.security.layer.WorkImpl.run(WorkImpl.java:44)
at weblogic.connector.work.WorkRequest.run(WorkRequest.java:95)
at weblogic.work.SelfTuningWorkManagerImpl$WorkAdapterImpl.run(SelfTuningWorkManagerImpl.java:545)
at weblogic.work.ExecuteThread.run(ExecuteThread.java:221)
Caused By: java.net.SocketException: Connection reset
at java.net.SocketInputStream.read(SocketInputStream.java:168)
at com.sun.net.ssl.internal.ssl.InputRecord.readFully(InputRecord.java:293)
at com.sun.net.ssl.internal.ssl.InputRecord.read(InputRecord.java:331)
at com.sun.net.ssl.internal.ssl.SSLSocketImpl.readRecord(SSLSocketImpl.java:830)
at com.sun.net.ssl.internal.ssl.SSLSocketImpl.readDataRecord(SSLSocketImpl.java:788)
at com.sun.net.ssl.internal.ssl.AppInputStream.read(AppInputStream.java:75)
at java.io.BufferedInputStream.fill(BufferedInputStream.java:218)
at java.io.BufferedInputStream.read(BufferedInputStream.java:238)
at java.io.DataInputStream.readLine(DataInputStream.java:496)
at com.sun.mail.pop3.Protocol.simpleCommand(Protocol.java:360)
at com.sun.mail.pop3.Protocol.<init>(Protocol.java:104)
at com.sun.mail.pop3.POP3Store.getPort(POP3Store.java:214)
at com.sun.mail.pop3.POP3Store.protocolConnect(POP3Store.java:157)
at javax.mail.Service.connect(Service.java:288)
at javax.mail.Service.connect(Service.java:170)
at oracle.sdpinternal.messaging.driver.email.Pop3EmailStore.initStore(Pop3EmailStore.java:158)
at oracle.sdpinternal.messaging.driver.email.Pop3EmailStore.initStore(Pop3EmailStore.java:132)
at oracle.sdpinternal.messaging.driver.email.EmailResourceAdapter.createEmailStore(EmailResourceAdapter.java:1292)
at oracle.sdpinternal.messaging.driver.email.MailboxPollingWorker.getInitializedEmailStore(MailboxPollingWorker.java:104)
at oracle.sdpinternal.messaging.driver.email.MailboxPollingWorker.run(MailboxPollingWorker.java:47)
at weblogic.connector.security.layer.WorkImpl.runIt(WorkImpl.java:108)
at weblogic.connector.security.layer.WorkImpl.run(WorkImpl.java:44)
at weblogic.connector.work.WorkRequest.run(WorkRequest.java:95)
at weblogic.work.SelfTuningWorkManagerImpl$WorkAdapterImpl.run(SelfTuningWorkManagerImpl.java:545)
at weblogic.work.ExecuteThread.run(ExecuteThread.java:221)
>
So I figured it out, changed POP3 to IMAP, disabled SSL and used port 143 and it is working now. Hope this helps someone someday.

CAS set-up using restlet API to secure REST services

I was trying to use it for single sign-on. I was able to successfully secure my web services/pages and want to extend it to my REST APIs (services) as well. I am using CAS 4.0.0.
I followed this link http://jasig.github.io/cas/4.0.0/protocol/REST-Protocol.html, changed the web.xml as suggested and added the following jars to my CAS deployment's WEB-INF/lib folder:
cas-server-integration-restlet-4.0.0.jar
org.restlet.jar
org.restlet.ext.spring.jar
org.restlet.ext.servlet.jar
The call to "v1/tickets" is reaching the Restlet framework, but I am getting a 404 error in my REST client:
Status Code: 404 Not Found
Accept-Ranges: bytes
Content-Length: 439
Content-Type: text/html;charset=UTF-8
Date: Thu, 06 Nov 2014 13:12:46 GMT
Server: Restlet-Framework/2.2.2
Can you please help me identify the issue with the set-up, or point me to detailed documentation?
Disclaimer: I'm the Chairman of CAS and founder of CAS in the cloud (https://www.casinthecloud.com).
The endpoint is in lower-case: can you try: /v1/tickets?

Jabber notifier plugin: There was an error sending notification to ***

I just installed the Jabber plugin for my Jenkins last week.
I have had an XMPP server running for quite a long time, and there is no connection problem.
From the Jenkins log, I got some errors like "Jabber notifier plugin: There was an error sending notification to ...".
But this error does not happen all the time; it just pops up sometimes and disappears after a while. I cannot see anything wrong in Jenkins' log, and nothing is generated after I created a system log for
hudson.plugins.jabber
at the "FINEST" log level.
Nov 27, 2013 11:49:15 AM hudson.plugins.jabber.im.transport.JabberIMConnection
createConnection
INFO: Trying to connect to XMPP on <our_server>:5222/<our_server> with SASL
Nov 27, 2013 11:49:15 AM hudson.plugins.jabber.im.transport.JabberIMConnection
setupSubscriptionMode
INFO: Accepting all subscription requests
Nov 27, 2013 11:49:15 AM hudson.plugins.jabber.im.transport.JabberIMConnection connect
INFO: Connected to XMPP on <our_server>/<our_server> using TLS
Does anyone know if this is some stability issue with this plugin? Is there any way for me to debug and see what exactly happened when this error pops up?
Thanks!