AppWorx, Dollar Universe and Sysload Community

  • 1.  Dollar Universe - SSL Configuration

    Posted May 09, 2020 01:45 PM
    Edited by Flavien May 13, 2020 04:52 AM
    Hello,

    I am trying to set up an SSL configuration on the following components:

    • UVMS
    • DUAS
    • LDAP

    I managed to configure the UVMS part successfully, but I have been stuck for several days on DUAS & LDAP...

    Platform: Windows Server 2019
    Java version: zulu11.39.15-ca-jdk11.0.7-win_x64

    UVMS/DUAS/UVC version: 6.10.31
    For LDAP, I have an AD at functional level WinSrv 2016,
    Domain name: CORP.COM
    The firewalls on the AD and on AX2012 are disabled for my tests, to rule out any network filtering

    My AD server also acts as AD-CS and DNS

    UVMS & DUAS are on the same machine, 'AX2012'
    I use the default ports, i.e. 4184 for UVMS, 4443 for the SSL part and the default DUAS port range

    DUAS problem
    For DUAS, I created all the items described in the documentation:

    • GENKEY DUAS
    • GENCSR for the DUAS server
    • Retrieval of the certificate from my CA
    • IMPORT of the TrustedCACert, the same one as for my UVMS configuration
    • IMPORT of the DUAS certificate
    • Stop of DUAS X I/O

    Below are the commands that were run:

    CMD
    "C:\Program Files\AUTOMIC\DUAS\UNI610_AX2012\unienv.bat"
    cd "C:\Program Files\AUTOMIC\DUAS\UNI610_AX2012\bin"
    unissl.exe GENKEY -overwrite -size 2048 -pwd "XXXX"
    unissl.exe GENCSR -algo SHA256 -dn "CN=AX2012.corp.com" -overwrite -file "C:\TEMP\DUAS.CSR" -pwd "XXXX"
    certreq -submit -attrib "CertificateTemplate:WebServer" "c:\temp\DUAS.csr" "c:\temp\DUAS.cER"
    unissl.exe IMPORT -type TRUSTEDCACERT -pathfile "c:\temp\AC.cer" -overwrite
    unissl.exe IMPORT -type SERVERCERT -pathfile "c:\temp\DUAS.cer" -overwrite

    No problem so far; I am using the default paths.

    I then imported the DUAS certificate into the UVMS KeyStore as TRUSTEDSERVER:
    .\unissl.bat IMPORT -type TRUSTEDSERVER -alias duas -host AX2012.corp.com -port 4443 -file 'c:\temp\duas.cer' -overwrite -pwd $pwd

    .\unissl.bat LIST -type TRUSTEDCACERT -pwd $pwd
    UniViewer Management Server environment loaded.

    Content of alias: ac
    Type: CA Certificate
    Subject: CN=corp-AD-CA, DC=corp, DC=com
    Valid from: 06/05/2020
    Valid to: 06/05/2119
    Fingerprint (MD5): 54:F2:2F:C9:54:1C:47:1E:5F:E1:24:7E:A9:88:A4:44
    Fingerprint (SHA1): 11:8C:D6:3D:E9:93:20:2A:A1:5A:3A:5A:86:09:8B:F6:5D:FB:1F:D2
    Content of alias: duas
    Type: CA Certificate
    Subject: CN=corp-AD-CA, DC=corp, DC=com
    Valid from: 06/05/2020
    Valid to: 06/05/2119
    Fingerprint (MD5): 54:F2:2F:C9:54:1C:47:1E:5F:E1:24:7E:A9:88:A4:44
    Fingerprint (SHA1): 11:8C:D6:3D:E9:93:20:2A:A1:5A:3A:5A:86:09:8B:F6:5D:FB:1F:D2
    Content of alias: ldap
    Type: Certificate
    Subject: CN=AD.corp.com
    Valid from: 08/05/2020
    Valid to: 08/05/2022
    Fingerprint (MD5): 5A:E6:35:80:52:43:1B:3A:C7:A7:DF:BF:10:F3:48:2C
    Fingerprint (SHA1): 19:F6:FE:4E:AE:13:6B:CF:47:7B:68:56:8A:8B:F8:16:77:16:C1:12

    I get the following error when I try to enable SSL on the DUAS with this command:
    • unissl SET -enable ON -mshost "AX2012.corp.com" -msport 4443


    "Enabling SSL mode for the node.
    Error updating information with UVMS.
    SSL configuration unchanged (off)"

    ///////////////////////////////////////////////////////////////////////////////////////////////////
    LDAP problem

    LDAP config attached.

    The connection with AD accounts works only with SSL = NO and PORT = 389:

    • SSL = NO and PORT = 636 => KO
    • SSL = YES and PORT = 636 => KO
    • SSL = YES and PORT = 389 => KO

    I imported the AD server certificate with the command below:

    • .\unissl.bat IMPORT -type TRUSTEDSERVER -alias ldap -host AD.corp.com -port 636 -file 'c:\temp\ldap.cer' -overwrite -pwd $pwd

    UniViewer Management Server environment loaded.

    Opening connection to AD.corp.com:636...
    The chain contains 1 certificate(s)

    1 Type: Server Certificate
    Subject: CN=AD.corp.com
    Valid from: 08/05/2020
    Valid to: 08/05/2022
    Fingerprint (MD5): 5A:E6:35:80:52:43:1B:3A:C7:A7:DF:BF:10:F3:48:2C
    Fingerprint (SHA1): 19:F6:FE:4E:AE:13:6B:CF:47:7B:68:56:8A:8B:F8:16:77:16:C1:12

    Enter the position of the certificate to add to the alias "ldap" of the Keystore or 'q' to quit: [1]
    1
    Import successful

    Note: with port 389 I cannot import the certificate.

    When I apply the changes to the ldap.xml file with port = 636 & SSL = YES... it does not work. I restarted UVMS after each change to the ldap.xml file.

    Other tools manage to connect to the server perfectly well with an LDAP 'protocol'.
    I tried this one, which behaves more or less the same way: https://www.ldapsoft.com/ldapbrowserfree.html

    When I create the connection with SSL + port 636 + simple, it asks me to add the certificate to the keystore, and afterwards I can access my AD normally.

    ///////////////////////////////////////////////////////////////////

    Thank you in advance for reading this wall of text and for any tips or help on the subject, because for now I am stuck. I have gone through the documentation every which way and cannot find what I need :(



    ------------------------------
    Regards,
    Flavien Marcantoni
    ------------------------------

    Attachment(s)

    • DUAS_log_error_java.txt (txt, 5 KB, 1 version)
    • ldap.xml (xml, 1 KB, 1 version)
    • UVMS_log_error_java.txt (txt, 12 KB, 1 version)


  • 2.  RE: Dollar Universe - SSL Configuration

    Posted May 10, 2020 12:09 PM
    Edited by Flavien May 12, 2020 11:27 AM

    LDAP SSL

    OS: Windows Server 2019
    AD level: 2016
    Java version: zulu11.39.15-ca-jdk11.0.7-win_x64

    After some research, it seems that the Java version affects how the SSL exchanges are done.
    I tried the LDAP configuration with the OpenJRE8U212b04 version shipped in the $U Explorer package, and it works!

    Normally v11 is supported according to the compatibility matrix :(
    Has anyone already run into this kind of problem with Java 11?

    Solution: change the Java version used by UVMS to OpenJRE8U212b04.
              Also works with Zulu8.46.0.19-ca-jdk8.0.252-win_x64



  • 3.  RE: Dollar Universe - SSL Configuration

    Posted May 10, 2020 12:20 PM
    Edited by Flavien May 12, 2020 04:26 PM
    DUAS SSL

    A few more details: I found an interesting error, but I do not know what to do with it.

    Problem during the SSL handshake:
    SSL_CHECK_SERVERHELLO_TLSEXT:tls invalid ecpointformat list

    OS: Windows Server 2019 / Windows Server 2012R2
    DUAS/UVMS version: 6.10.31
    Java version: OpenJRE8U212b04 / Zulu8.46.0.19-ca-jdk8.0.252-win_x64
    Note:
    • DUAS & UVMS are on the same machine
    • I did add the DUAS certificate to the UVMS KeyStore
    • The UVMS certificate is among the TRUSTEDCACERT entries of DUAS
    • The tests were run with the firewall disabled
    • SSL port 4443

    DUAS configuration

    I enabled trace-level logging on DUAS and UVMS, and I get a Java error :(

    DUAS LOG

    | 2020-05-12 22:01:19 |INFO |X|ssl|pid=2000.1576| o_set_ca_additional_certi | 2 additional SSL CA certificates
    | 2020-05-12 22:01:19 |TRACE|X|ssl|pid=2000.1576| k_ReadILocal | local passphrase is [158931353940950000000000F09FB8]
    | 2020-05-12 22:01:19 |TRACE|X|ssl|pid=2000.1576| u_io_connect | Call u_io_callsrv_connect_r: vl_noeud=[local], vl_company=[UNI610], vl_espace=[X], **connexion=[000000000013FA88], *connexion=[0000000000000000]
    | 2020-05-12 22:01:19 |TRACE|X|ssl|pid=2000.1576| u_io_callsrv_connect_r | Begin: pf_node=[local], pf_io_company=[UNI610], pf_io_area=[X], **pf_connexion=[000000000013FA88], *pf_connexion=[0000000000000000]
    | 2020-05-12 22:01:19 |TRACE|X|ssl|pid=2000.1576| u_io_callsrv_connect_r | Connecting IO server: node=[], service=[]
    | 2020-05-12 22:01:19 |TRACE|X|ssl|pid=2000.1576| o_connect_auth | target is [UNI610]/[X]/[local]/[SIO]
    | 2020-05-12 22:01:19 |INFO |X|ssl|pid=2000.1576| k_connect | u_req_serv - connection not established, making it...
    | 2020-05-12 22:01:19 |INFO |X|ssl|pid=2000.1576| k_connect | socket not connected (-1), making connection... (time-out is 0)
    | 2020-05-12 22:01:19 |TRACE|X|ssl|pid=2000.1576| u_connect | serv[UNI610_local_SIO_X/26665], host[/127.0.0.1]
    | 2020-05-12 22:01:19 |INFO |X|ssl|pid=2000.1576| u_connect | calling 'socket' system call
    | 2020-05-12 22:01:19 |INFO |X|ssl|pid=2000.1576| u_connect | socket returns 168
    | 2020-05-12 22:01:19 |INFO |X|ssl|pid=2000.1576| u_connect | calling setsockopt on socket 168
    | 2020-05-12 22:01:19 |TRACE|X|ssl|pid=2000.1576| u_connect | socket 168 created
    | 2020-05-12 22:01:19 |TRACE|X|ssl|pid=2000.1576| u_retrieve_ipaddress_from | specified IP: 127.0.0.1
    | 2020-05-12 22:01:19 |TRACE|X|ssl|pid=2000.1576| u_retrieve_ipaddress_from | inet_addr(ip '127.0.0.1') returns ip addr 16777343
    | 2020-05-12 22:01:19 |INFO |X|ssl|pid=2000.1576| u_connect | calling connect on socket 168
    | 2020-05-12 22:01:20 |INFO |X|ssl|pid=2000.1576| u_connect | connect returns -1
    | 2020-05-12 22:01:20 |ERROR|X|ssl|pid=2000.1576| u_connect | connect(socket 168) returns error
    | 2020-05-12 22:01:20 |TRACE|X|ssl|pid=2000.1576| u_close_socket | Closing socket 168.
    | 2020-05-12 22:01:20 |INFO |X|ssl|pid=2000.1576| u_ferm_dial_serv | ok (terminated)
    | 2020-05-12 22:01:20 |TRACE|X|ssl|pid=2000.1576| u_io_connect | **connexion=[000000000013FA88] *connexion=[0000000000000000]
    | 2020-05-12 22:01:20 |INFO |X|ssl|pid=2000.1576| k_connect | u_req_serv - connection not established, making it...
    | 2020-05-12 22:01:20 |INFO |X|ssl|pid=2000.1576| k_connect | socket not connected (-1), making connection... (time-out is 15)
    | 2020-05-12 22:01:20 |INFO |X|ssl|pid=2000.1576| owls_ssl_client_startup | ssl client starting up
    | 2020-05-12 22:01:21 |INFO |X|ssl|pid=2000.1576| owls_ssl_client_startup | Additional CA certificate loaded: C:\Program Files\AUTOMIC\DUAS\UNI610_2012R2-U1\data\security\uvms.cer
    | 2020-05-12 22:01:21 |INFO |X|ssl|pid=2000.1576| owls_ssl_client_startup | Additional CA certificate loaded: C:\Program Files\AUTOMIC\DUAS\UNI610_2012R2-U1\data\security\ldap.cer
    | 2020-05-12 22:01:21 |TRACE|X|ssl|pid=2000.1576| owls_ssl_client_startup | set cipher list successful (1)
    | 2020-05-12 22:01:21 |TRACE|X|ssl|pid=2000.1576| o_connect_ssl | serv[AUT/23313], host[2012R2-U1.pepito.dc/]
    | 2020-05-12 22:01:21 |INFO |X|ssl|pid=2000.1576| o_connect_ssl | calling 'socket' system call
    | 2020-05-12 22:01:21 |INFO |X|ssl|pid=2000.1576| o_connect_ssl | socket returns 512
    | 2020-05-12 22:01:21 |INFO |X|ssl|pid=2000.1576| o_connect_ssl | calling setsockopt on socket 512
    | 2020-05-12 22:01:21 |TRACE|X|ssl|pid=2000.1576| o_connect_ssl | socket 512 created
    | 2020-05-12 22:01:21 |TRACE|X|ssl|pid=2000.1576| o_connect_ssl | Searching host '2012R2-U1.pepito.dc'...
    | 2020-05-12 22:01:21 |INFO |X|ssl|pid=2000.1576| u_gethostbyname_mf | calling gethostbyname(2012R2-U1.pepito.dc)
    | 2020-05-12 22:01:21 |INFO |X|ssl|pid=2000.1576| u_gethostbyname_mf | return gethostbyname
    | 2020-05-12 22:01:21 |INFO |X|ssl|pid=2000.1576| o_connect_ssl | calling connect on socket 512
    | 2020-05-12 22:01:21 |INFO |X|ssl|pid=2000.1576| o_connect_ssl | connect returns 0
    | 2020-05-12 22:01:21 |TRACE|X|ssl|pid=2000.1576| o_connect_ssl | Connection to service on port 4443 successful (socket 512)
    | 2020-05-12 22:01:21 |TRACE|X|ssl|pid=2000.1576| o_connect_ssl | beginning to create ssl socket and handshake with ssl server on socket 512
    | 2020-05-12 22:01:21 |TRACE|X|ssl|pid=2000.1576| o_connect_ssl | create ssl socket successfully on raw socket 512
    | 2020-05-12 22:01:21 |ERROR|X|ssl|pid=2000.1576| o_connect_ssl | ssl session connect error, SSL connect error, error:1411809D:SSL routines:SSL_CHECK_SERVERHELLO_TLSEXT:tls invalid ecpointformat list
    | 2020-05-12 22:01:21 |TRACE|X|ssl|pid=2000.1576| o_close_socket_ssl | Clean shut down ssl socket 512
    | 2020-05-12 22:01:21 |TRACE|X|ssl|pid=2000.1576| o_close_socket_ssl | calling close on ssl socket 512
    | 2020-05-12 22:01:21 |TRACE|X|ssl|pid=2000.1576| o_close_socket_ssl | Closing ssl socket 512.
    | 2020-05-12 22:01:21 |ERROR|X|ssl|pid=2000.1576| o_update_uvms_specif | Update is unable to connect to UVMS: 200


    UVMS LOG
    | 2020-05-12 22:01:21 |TRACE| SSL-Work-Processor | com.orsyp.central.server.SSLServerConnector$SSLServerRunnable | New connection created.
    | 2020-05-12 22:01:21 |TRACE| SSL-Work-Processor | com.orsyp.central.server.SSLServerConnector$SSLServerRunnable | New connection created.
    | 2020-05-12 22:01:21 |TRACE| SSL-Work-Processor | com.orsyp.central.server.SSLServerConnector$SSLServerRunnable | Creating new connection.
    | 2020-05-12 22:01:21 |DEBUG| uvms-pool-1-tid-4 | com.orsyp.central.server.UniWorker | A new client is managed by the thread uvms-pool-1-tid-4.
    | 2020-05-12 22:01:21 |TRACE| uvms-pool-1-tid-4 | com.orsyp.central.server.UniWorker | Connection closed
    com.orsyp.UniverseException: read
        at com.orsyp.comm.server.CommunicationProtocolState.readBuffStream(CommunicationProtocolState.java:127)
        at com.orsyp.comm.server.CommunicationProtocolState.initiateHelloProtocolCommunication(CommunicationProtocolState.java:49)
        at com.orsyp.comm.server.ssl.SSLUniSocket.helloSocket(SSLUniSocket.java:186)
        at com.orsyp.comm.server.ssl.SSLUniSocket.readStream(SSLUniSocket.java:170)
        at com.orsyp.central.server.UniWorker.readHeaderMessages(UniWorker.java:131)
        at com.orsyp.central.server.UniWorker.run(UniWorker.java:101)
        at java.base/java.util.concurrent.ThreadPoolExecutor.runWorker(ThreadPoolExecutor.java:1128)
        at java.base/java.util.concurrent.ThreadPoolExecutor$Worker.run(ThreadPoolExecutor.java:628)
        at java.base/java.lang.Thread.run(Thread.java:834)
    Caused by: javax.net.ssl.SSLException: readHandshakeRecord
        at java.base/sun.security.ssl.SSLSocketImpl.readHandshakeRecord(SSLSocketImpl.java:1068)
        at java.base/sun.security.ssl.SSLSocketImpl.startHandshake(SSLSocketImpl.java:395)
        at java.base/sun.security.ssl.SSLSocketImpl.ensureNegotiated(SSLSocketImpl.java:711)
        at java.base/sun.security.ssl.SSLSocketImpl$AppInputStream.read(SSLSocketImpl.java:794)
        at java.base/java.io.FilterInputStream.read(FilterInputStream.java:133)
        at com.orsyp.comm.server.log.NetworkTrafficLogInputStream.read(NetworkTrafficLogInputStream.java:42)
        at java.base/java.io.BufferedInputStream.fill(BufferedInputStream.java:252)
        at java.base/java.io.BufferedInputStream.read1(BufferedInputStream.java:292)
        at java.base/java.io.BufferedInputStream.read(BufferedInputStream.java:351)
        at com.orsyp.comm.server.ssl.SSLUniSocket.read(SSLUniSocket.java:342)
        at com.orsyp.comm.server.CommunicationProtocolState.readBuffStream(CommunicationProtocolState.java:108)
        ... 8 more
        Suppressed: java.net.SocketException: Connection reset by peer: socket write error
            at java.base/java.net.SocketOutputStream.socketWrite0(Native Method)
            at java.base/java.net.SocketOutputStream.socketWrite(SocketOutputStream.java:110)
            at java.base/java.net.SocketOutputStream.write(SocketOutputStream.java:150)
            at java.base/sun.security.ssl.SSLSocketOutputRecord.encodeAlert(SSLSocketOutputRecord.java:81)
            at java.base/sun.security.ssl.TransportContext.fatal(TransportContext.java:357)
            at java.base/sun.security.ssl.TransportContext.fatal(TransportContext.java:269)
            at java.base/sun.security.ssl.SSLSocketImpl.startHandshake(SSLSocketImpl.java:400)
            ... 17 more
    Caused by: java.net.SocketException: Connection reset by peer: socket write error
        at java.base/java.net.SocketOutputStream.socketWrite0(Native Method)
        at java.base/java.net.SocketOutputStream.socketWrite(SocketOutputStream.java:110)
        at java.base/java.net.SocketOutputStream.write(SocketOutputStream.java:150)
        at java.base/sun.security.ssl.SSLSocketOutputRecord.flush(SSLSocketOutputRecord.java:251)
        at java.base/sun.security.ssl.HandshakeOutStream.flush(HandshakeOutStream.java:89)
        at java.base/sun.security.ssl.ECDHServerKeyExchange$ECDHServerKeyExchangeProducer.produce(ECDHServerKeyExchange.java:504)
        at java.base/sun.security.ssl.ClientHello$T12ClientHelloConsumer.consume(ClientHello.java:1102)
        at java.base/sun.security.ssl.ClientHello$ClientHelloConsumer.onClientHello(ClientHello.java:854)
        at java.base/sun.security.ssl.ClientHello$ClientHelloConsumer.consume(ClientHello.java:813)
        at java.base/sun.security.ssl.SSLHandshake.consume(SSLHandshake.java:392)
        at java.base/sun.security.ssl.HandshakeContext.dispatch(HandshakeContext.java:444)
        at java.base/sun.security.ssl.HandshakeContext.dispatch(HandshakeContext.java:422)
        at java.base/sun.security.ssl.TransportContext.dispatch(TransportContext.java:183)
        at java.base/sun.security.ssl.SSLTransport.decode(SSLTransport.java:168)
        at java.base/sun.security.ssl.SSLSocketImpl.decode(SSLSocketImpl.java:1148)
        at java.base/sun.security.ssl.SSLSocketImpl.readHandshakeRecord(SSLSocketImpl.java:1057)
        ... 18 more
    | 2020-05-12 22:01:21 |DEBUG| uvms-pool-1-tid-4 | com.orsyp.central.server.UniWorker | Client managed by the thread uvms-pool-1-tid-4 terminated.

    See the attachments in POST#1



  • 4.  RE: Dollar Universe - SSL Configuration

    Posted Sep 16, 2021 05:50 AM
    Please take a look at this (from a case I had).
    It could help.

    On UVMS server, we use AdoptOpenJDK 11 LTS (= 11.0.11+9)

    I changed the log level to 3 and tried again. I got the error SSL routines:SSL_CHECK_SERVERHELLO_TLSEXT:tls invalid ecpointformat list

    I found out it was linked to a bug in an old OpenSSL version (see article https://stackoverflow.com/questions/10678695/in-python-3-2-i-can-open-and-read-an-https-web-page-with-http-client-but-urlli)

    The workaround is to remove Elliptic Curve ciphers from the list of supported algorithms in the JVM

    I updated the conf\security\java.security configuration file in the JRE11

    Original line

    #jdk.tls.disabledAlgorithms=SSLv3, RC4, DES, MD5withRSA, \
    #    DH keySize < 1024, EC keySize < 224, 3DES_EDE_CBC, anon, NULL, \
    #    include jdk.disabled.namedCurves

    Modified line => disable ALL EC algorithms

    jdk.tls.disabledAlgorithms=SSLv3, RC4, DES, MD5withRSA, \
        DH keySize < 1024, EC, 3DES_EDE_CBC, anon, NULL, \
        include jdk.disabled.namedCurves

    I restarted UVMS

    UNISSL set -enable on -msport 4443 returned success.

    After restart, the node is now SSL Enabled
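    The DUAS-side error quoted in posts #3 and #4 (SSL_CHECK_SERVERHELLO_TLSEXT:tls invalid ecpointformat list) is raised by the OpenSSL client while it validates the ec_point_formats extension of the ServerHello, and the UVMS trace in post #3 shows the Java server failing inside ECDHServerKeyExchange, so an ECDHE suite had been chosen. The script below is an added diagnostic, not code from the thread or from the Dollar Universe product: it parses a TLS 1.2 ServerHello record (for instance one carved out of a packet capture on port 4443) and applies the rule OpenSSL enforces at that point, namely that when an EC cipher suite is negotiated the server's point-format list must contain 'uncompressed' (0). The build_server_hello fixture and the EC_SUITES subset are constructed for this example.

```python
import struct

EC_POINT_FORMATS = 0x000B   # extension id for ec_point_formats (RFC 8422)
UNCOMPRESSED = 0            # ECPointFormat.uncompressed
# Constructed subset of ECDHE suites (IANA ids); any of these means an EC suite was chosen
EC_SUITES = {0xC013, 0xC014, 0xC02B, 0xC02C, 0xC02F, 0xC030}
RSA_SUITE = 0x009C          # TLS_RSA_WITH_AES_128_GCM_SHA256, no EC involved

def build_server_hello(cipher, point_format_list=None):
    """Constructed minimal TLS 1.2 ServerHello record (test fixture, not a real capture)."""
    hello = b"\x03\x03" + bytes(32) + b"\x00" + struct.pack("!H", cipher) + b"\x00"
    if point_format_list is not None:
        ext = struct.pack("!HH", EC_POINT_FORMATS, len(point_format_list)) + point_format_list
        hello += struct.pack("!H", len(ext)) + ext
    handshake = b"\x02" + len(hello).to_bytes(3, "big") + hello
    return b"\x16\x03\x03" + struct.pack("!H", len(handshake)) + handshake

def parse_server_hello(record):
    """Return (cipher_suite, {ext_type: ext_data}) from a TLS handshake record."""
    ctype, _version, rlen = struct.unpack("!BHH", record[:5])
    body = record[5:5 + rlen]
    if ctype != 0x16 or body[0] != 0x02:
        raise ValueError("not a ServerHello handshake record")
    p = 4 + 2 + 32                      # handshake header, server_version, random
    p += 1 + body[p]                    # session_id
    cipher = struct.unpack("!H", body[p:p + 2])[0]
    p += 3                              # cipher_suite + compression_method
    exts = {}
    if p < len(body):                   # the extensions block is optional
        end = p + 2 + struct.unpack("!H", body[p:p + 2])[0]
        p += 2
        while p < end:
            etype, elen = struct.unpack("!HH", body[p:p + 4])
            exts[etype] = body[p + 4:p + 4 + elen]
            p += 4 + elen
    return cipher, exts

def check_ec_point_formats(record):
    """Apply the client-side rule behind 'tls invalid ecpointformat list'.
    Returns (ok, reason): the list must be well-formed and, when an EC suite
    was chosen, must include 'uncompressed'; otherwise the client aborts."""
    cipher, exts = parse_server_hello(record)
    if EC_POINT_FORMATS not in exts:
        return True, "no ec_point_formats extension"
    data = exts[EC_POINT_FORMATS]
    if not data or data[0] == 0 or data[0] != len(data) - 1:
        return False, "malformed or empty ec_point_formats list"
    if cipher in EC_SUITES and UNCOMPRESSED not in data[1:]:
        return False, "EC suite negotiated but 'uncompressed' format missing"
    return True, "ok"
```

    The RSA-suite case passes whatever the list contains, which is the situation post #4's java.security change creates: with EC disabled in the JVM no EC suite can be negotiated, so the check never applies.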