Enabling client authentication for SSL and Configuring jetty for SSL don't work

Hi community,

As described in the title of this topic, the two solutions don't work in my environment:

Enabling client authentication for SSL:

I tried to reproduce exactly the example given in the Talend help https://help.talend.com/reader/yovCMqvJzyaSSSIdrlB4FQ/HlVXm6zYbAL14q4Lq84a1w . When I call my REST service from Chrome, Firefox, cURL or Postman after adding the client certificate, it always shows me "BAD CERTIFICATE". I added our certificate authority and restarted Karaf; still the same error message "BAD CERTIFICATE".

Configuring jetty for SSL:

As the first solution did not work for me, I tried the second solution by modifying the jetty.xml file and tested one-way SSL as described here: https://help.talend.com/reader/yovCMqvJzyaSSSIdrlB4FQ/xWGGon_HvMs8tUG8RhStDQ . After restarting Karaf I'm not able to call the REST service.

Here is my Talend REST service used for the tests:

[screenshot]

My first try, modifying org.ops4j.pax.web.cfg and restarting Karaf:

[screenshot]

My second try, modifying the jetty.xml file, adding my connector and restarting Karaf:

[screenshot]

[screenshot]

Any answer or suggestion would be very much appreciated.

Thank you in advance.

26 Replies
Anonymous

Ok and thank you in advance.
Anonymous

I think I have found your issue. Sorry, French is not a language I read well. The error I believe you are seeing is because it is a self-signed certificate. You will always get this error unless your certificate is signed by a trusted authority. It's not actually an error, more of a warning.

If you click on the "Continuer vers le site localhost (dangereux)" link, it will take you to the runtime. Once you get an authorized certificate, you won't see this.

In the meantime, I have found another issue which I believe affects Macs. I've tested this on Ubuntu and Windows and it works fine, with the warning you are seeing.

Anonymous

Hi,

Are you using this parameter in your org.ops4j.pax.web.cfg file: org.ops4j.pax.web.ssl.clientauthneeded=true ?

If I don't use this parameter, I have the same result as you and I can click on the "Continuer vers le site localhost (dangereux)" link and it will take me to the runtime (already tested), but in this case we don't force the client to be trusted and it can access the runtime without the certificate.

If I use org.ops4j.pax.web.ssl.clientauthneeded=true (so force the client to be trusted) and click on "Continuer vers le site localhost (dangereux)", I am not able to access the runtime.

Here is the first response when I call the runtime console:

[screenshot]

And when I click on "Continuer vers le site localhost (dangereux)":

[screenshot]

The text in the last image means:

Localhost did not accept your certificate of connection, or you did not provide it.

Try to contact the system administrator.

ERR_BAD_SSL_AUTH_CERT.

Regards

Anonymous

Yes, I am using that parameter.

My parameters look like below:

org.osgi.service.http.port=8042
org.osgi.service.http.port.secure=8443
org.osgi.service.http.secure.enabled=true
org.ops4j.pax.web.ssl.keystore=./etc/keystores/keystore.jks
org.ops4j.pax.web.ssl.password=password
org.ops4j.pax.web.ssl.keypassword=password
#org.ops4j.pax.web.ssl.clientauthwanted=false
org.ops4j.pax.web.ssl.clientauthneeded=true
#org.ops4j.pax.web.config.file=${karaf.base}/etc/jetty.xml

Can you delete all of the certificates you have configured (for this) in Firefox, try loading the page again (which should fail; note the precise message) and then add your certificate to Firefox again. Then try loading the page. If there is an error, it should be a different error to the very last error you received.

I actually installed exactly the same version as you and was able to get this working first time. I used these instructions http://blog.nanthrax.net/?p=316 and copied and pasted the commands to ensure I got it correct. These instructions are from the creator of Apache Karaf.
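An added check, not from this thread nor from Talend or Karaf, that parses a Pax Web cfg fragment like the one posted above and flags the settings that commonly end in a "bad certificate" handshake once clientauthneeded=true is on. It assumes the Pax Web property name org.ops4j.pax.web.ssl.truststore and that, with no truststore configured, Jetty's SslContextFactory falls back to the keystore as its trust source; the sample properties are constructed from the ones posted above.

```python
"""Sanity-check an org.ops4j.pax.web.cfg fragment for TLS client-auth pitfalls."""

# Constructed sample modelled on the properties posted in this thread.
SAMPLE_CFG = """\
org.osgi.service.http.port=8042
org.osgi.service.http.port.secure=8443
org.osgi.service.http.secure.enabled=true
org.ops4j.pax.web.ssl.keystore=./etc/keystores/keystore.jks
org.ops4j.pax.web.ssl.password=password
org.ops4j.pax.web.ssl.keypassword=password
#org.ops4j.pax.web.ssl.clientauthwanted=false
org.ops4j.pax.web.ssl.clientauthneeded=true
#org.ops4j.pax.web.config.file=${karaf.base}/etc/jetty.xml
"""

SSL = "org.ops4j.pax.web.ssl."
WEAK = {"", "password", "changeit", "secret", "karaf"}  # default-ish values


def parse_cfg(text):
    """Parse Karaf-style key=value lines; blank lines and '#' comments are skipped."""
    props = {}
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        key, sep, value = line.partition("=")
        if sep:
            props[key.strip()] = value.strip()
    return props


def lint(props):
    """Return findings that commonly explain a 'bad certificate' client-auth failure."""
    findings = []
    if props.get("org.osgi.service.http.secure.enabled") != "true":
        findings.append("HTTPS connector not enabled")
    if props.get(SSL + "clientauthneeded") == "true":
        # Jetty refuses the handshake unless the client certificate chains to a CA
        # it trusts; with no explicit truststore (assumed name below) it only
        # trusts what is inside the keystore, so the client CA must live there.
        if SSL + "truststore" not in props:
            findings.append("clientauthneeded=true without " + SSL + "truststore: "
                            "the client CA certificate must be inside the keystore")
        if props.get(SSL + "clientauthwanted") == "true":
            findings.append("clientauthwanted and clientauthneeded both true; "
                            "'needed' wins and clients without a certificate are refused")
    for key in ("password", "keypassword", "truststore.password"):
        if SSL + key in props and props[SSL + key].lower() in WEAK:
            findings.append(SSL + key + " is a default or trivial value")
    return findings
```

Running `lint(parse_cfg(SAMPLE_CFG))` on the posted properties reports the missing truststore (so the CA that signed the browser's client certificate has to be in keystore.jks) and the two literal "password" values.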

Anonymous

Hi @Nabilos31, were you able to get this sorted?

Anonymous

Hi,

Unfortunately, I am not able to get this sorted; I have this error in Firefox when I click on "Continue":

[screenshot]

Maybe a bug in my Chrome and Firefox versions... I tried many manipulations without success (purging the SSL cache, deleting the certificate and inserting it again, checking the system date, creating keystore.jks and client.jks from scratch and restarting Karaf, etc.).

I am downloading the Windows Server 2012 shareware version; I will install it on a virtual machine, install TOS inside and do some tests (hope it works).

Regards

Anonymous

Can I just confirm you are using the v7.1 ESB TOS edition? If so, I know that this does work. If you are using the v7.3M3, there is a problem with this.

I installed v7.1 ESB TOS on a Mac and an Ubuntu machine and was able to set these up so each machine could log on to the other machine's v7.1 Runtime Webconsole. The first time I tried this, I was working with v7.3M3 and it did not work. I have raised a bug regarding this. Thankfully, v7.3M3 is a pre-release version.

Anonymous

Hi @rhall,

I am using the v7.2.1 TOS edition and I think that there is something broken in this version, because I downloaded 7.0.1 and it works perfectly, like a charm! (both org.ops4j.pax.web.cfg and jetty.xml work!)

Special thanks to you for your help with my issues.

Should I set this topic to resolved? (even if my TOS ESB 7.2.1 doesn't work as expected)

Regards.

Anonymous

Let me take a look at v7.2.1. I need to check this out