Enabling client authentication for SSL and Configuring jetty for SSL don't work
Hi community,
As described in the title of this topic, the two solutions named there don't work in my environment:
Enabling client authentication for SSL:
I tried to reproduce exactly the example given in the Talend help https://help.talend.com/reader/yovCMqvJzyaSSSIdrlB4FQ/HlVXm6zYbAL14q4Lq84a1w . When I call my REST service from Chrome, Firefox, cURL or Postman after adding the client certificate, it always shows me "BAD CERTIFICATE". I added our certificate authority and restarted Karaf, and I always get the same error message "BAD CERTIFICATE".
Configuring Jetty for SSL:
As the first solution did not work for me, I tried the second solution by modifying the jetty.xml file and tested the one-way SSL example as described here: https://help.talend.com/reader/yovCMqvJzyaSSSIdrlB4FQ/xWGGon_HvMs8tUG8RhStDQ . After restarting Karaf I'm not able to call the REST service.
Here is my Talend REST service used for the tests:
My first try, by modifying the org.ops4j.pax.web.cfg and restarting Karaf:
My second try, by modifying the jetty.xml file, adding my connector and restarting Karaf:
Any answer or suggestion would be very appreciated.
Thank you in advance.

OK and thank you in advance.

I think I have found your issue. Sorry, French is not a language I read well. The error I believe you are seeing is because it is a self-signed certificate. You will always get this error unless your certificate is signed by a trusted authority. It's not actually an error, more of a warning.
If you click on the "Continuer vers le site localhost (dangereux)" link, it will take you to the runtime. Once you get an authorized certificate, you won't see this.
In the meantime, I have found another issue which I believe affects Macs. I've tested this on Ubuntu and Windows and it works fine, with the warning you are seeing.

Hi,
Are you using this parameter in your org.ops4j.pax.web.cfg file: org.ops4j.pax.web.ssl.clientauthneeded=true ?
If I don't use this parameter, I have the same result as you: I can click on the "Continuer vers le site localhost (dangereux)" link and it will take me to the runtime (already tested). But in this case we don't force the client to be trusted, and it can access the runtime without the certificate.
If I use org.ops4j.pax.web.ssl.clientauthneeded=true (so forcing the client to be trusted) and click on "Continuer vers le site localhost (dangereux)", I am not able to access the runtime.
Here is the first response when I call the runtime console:
And when I click on "Continuer vers le site localhost (dangereux)":
The text in the last image means:
Localhost did not accept your certificate of connection, or you did not provide it.
Try to contact the system administrator.
ERR_BAD_SSL_AUTH_CERT.
Regards

Yes, I am using that parameter.
My parameters look like below:
org.osgi.service.http.port=8042
org.osgi.service.http.port.secure=8443
org.osgi.service.http.secure.enabled=true
org.ops4j.pax.web.ssl.keystore=./etc/keystores/keystore.jks
org.ops4j.pax.web.ssl.password=password
org.ops4j.pax.web.ssl.keypassword=password
#org.ops4j.pax.web.ssl.clientauthwanted=false
org.ops4j.pax.web.ssl.clientauthneeded=true
#org.ops4j.pax.web.config.file=${karaf.base}/etc/jetty.xml
Can you delete all of the certificates you have configured (for this) in Firefox, try loading the page again (which should fail; note the precise message) and then add your certificate to Firefox again. Then try loading the page. If there is an error it should be a different error to the very last error you received.
I actually installed exactly the same version as you and was able to get this working first time. I used these instructions http://blog.nanthrax.net/?p=316 and copied and pasted the commands to ensure I got it correct. These instructions are from the creator of Apache Karaf.
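Added example (written for this page, not code from anyone in the thread or from Talend/Pax Web): a small linter for the org.ops4j.pax.web.cfg settings quoted above. It parses Java-style properties, reports which keys are commented out, and classifies the client-authentication mode, since the distinction matters for the symptoms in this thread: with clientauthneeded=true the server requires a trusted client certificate and refuses the handshake otherwise (the browser-side ERR_BAD_SSL_AUTH_CERT), while clientauthwanted only asks for one. The first sample configuration is the one posted above; the second is a constructed variant using the "wanted" option. Property names are the ones on this page; the classification logic and warning texts are mine.

```python
"""Lint the TLS client-auth settings of a Pax Web (Karaf) org.ops4j.pax.web.cfg.

Added example for this thread. Property names are those posted in the thread;
SAMPLE_CFG is the configuration posted above, OPTIONAL_CFG is a constructed
variant that only requests (does not require) a client certificate.
"""
from __future__ import annotations

from dataclasses import dataclass, field


@dataclass
class PaxWebSslReport:
    https_enabled: bool
    secure_port: str | None
    keystore: str | None
    client_auth: str                       # "required", "requested" or "off"
    commented_out: list[str] = field(default_factory=list)
    warnings: list[str] = field(default_factory=list)


def parse_properties(text: str) -> tuple[dict[str, str], list[str]]:
    """Parse key=value properties; return active settings and commented-out keys.

    Commented-out keys are tracked separately because "I set it but nothing
    changed" is often a setting that is still behind a '#'.
    """
    active: dict[str, str] = {}
    commented: list[str] = []
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            continue
        disabled = line[0] in "#!"
        body = line.lstrip("#!").strip()
        if "=" not in body:
            continue
        key, value = (part.strip() for part in body.split("=", 1))
        if disabled:
            commented.append(key)
        else:
            active[key] = value
    return active, commented


def _truthy(value: str | None) -> bool:
    return value is not None and value.strip().lower() == "true"


def analyse(text: str) -> PaxWebSslReport:
    """Classify the client-auth mode and collect practitioner-facing warnings."""
    props, commented = parse_properties(text)
    https = _truthy(props.get("org.osgi.service.http.secure.enabled"))
    needed = _truthy(props.get("org.ops4j.pax.web.ssl.clientauthneeded"))
    wanted = _truthy(props.get("org.ops4j.pax.web.ssl.clientauthwanted"))
    mode = "required" if needed else "requested" if wanted else "off"
    report = PaxWebSslReport(
        https_enabled=https,
        secure_port=props.get("org.osgi.service.http.port.secure"),
        keystore=props.get("org.ops4j.pax.web.ssl.keystore"),
        client_auth=mode,
        commented_out=commented,
    )
    if not https:
        report.warnings.append("HTTPS is not enabled; the SSL settings have no effect")
    elif not report.keystore:
        report.warnings.append("HTTPS is enabled but no keystore is configured")
    if mode == "required":
        report.warnings.append(
            "client certificates are REQUIRED: any client whose certificate is not "
            "trusted by the server is refused during the handshake (browsers report "
            "this as ERR_BAD_SSL_AUTH_CERT); an untrusted client cert producing a "
            "'bad certificate' alert is the expected outcome, not a server fault"
        )
    if "org.ops4j.pax.web.config.file" in commented:
        report.warnings.append(
            "org.ops4j.pax.web.config.file is commented out; if you rely on connectors "
            "defined in jetty.xml, check that Pax Web is actually loading that file"
        )
    return report


# Configuration as posted in this thread.
SAMPLE_CFG = """
org.osgi.service.http.port=8042
org.osgi.service.http.port.secure=8443
org.osgi.service.http.secure.enabled=true
org.ops4j.pax.web.ssl.keystore=./etc/keystores/keystore.jks
org.ops4j.pax.web.ssl.password=password
org.ops4j.pax.web.ssl.keypassword=password
#org.ops4j.pax.web.ssl.clientauthwanted=false
org.ops4j.pax.web.ssl.clientauthneeded=true
#org.ops4j.pax.web.config.file=${karaf.base}/etc/jetty.xml
"""

# Constructed variant: only request a client certificate, never require it.
OPTIONAL_CFG = SAMPLE_CFG.replace(
    "#org.ops4j.pax.web.ssl.clientauthwanted=false",
    "org.ops4j.pax.web.ssl.clientauthwanted=true",
).replace("org.ops4j.pax.web.ssl.clientauthneeded=true", "#org.ops4j.pax.web.ssl.clientauthneeded=true")

if __name__ == "__main__":
    for name, cfg in (("posted", SAMPLE_CFG), ("optional", OPTIONAL_CFG)):
        r = analyse(cfg)
        print(f"[{name}] https={r.https_enabled} port={r.secure_port} client_auth={r.client_auth}")
        for w in r.warnings:
            print("  warning:", w)
```

Running it on the posted configuration reports client_auth=required, which is consistent with the "did not accept your certificate, or you did not provide it" message seen in the thread: in this mode the server closes the handshake for any client cert it does not trust, so the thing to verify is that the client certificate chains to a CA present in the server's truststore, not the server certificate itself.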

Hi @Nabilos31, were you able to get this sorted?

Hi,
Unfortunately, I am not able to get this sorted. I have this error in Firefox when I click on "Continue":
Maybe a bug in my Chrome and Firefox versions... I tried many manipulations without success (purging the SSL cache, deleting the certificate and inserting it again, checking the system date, creating the keystore.jks and client.jks from scratch and restarting Karaf, etc.).
I am downloading the Windows Server 2012 shareware version; I will install it on a virtual machine, install TOS inside and do some tests (hope it works).
Regards

Can I just confirm you are using the v7.1 ESB TOS edition? If so, I know that this does work. If you are using the v7.3M3, there is a problem with this.
I installed v7.1 ESB TOS on a Mac and an Ubuntu machine and was able to set these up so each machine could log on to the other machine's v7.1 Runtime Webconsole. The first time I tried this, I was working with v7.3M3 and it did not work. I have raised a bug regarding this. Thankfully, v7.3M3 is a pre-release version.

Hi @rhall,
I am using the v7.2.1 TOS edition and I think that there is something broken in this version, because I downloaded the 7.0.1 and it works perfectly! Like a charm! (Both org.ops4j.pax.web.cfg and jetty.xml work!)
Special thanks to you for your help with my issues.
Should I set this topic to resolved? (Even if my TOS ESB 7.2.1 doesn't work as expected.)
Regards.

Let me take a look at v7.2.1. I need to check this out.
