International-Data-Spaces-Association / IDS-testbed

Apache License 2.0

Problems adding new connector to ecosystem #118

Closed Urtza2 closed 1 year ago

Urtza2 commented 1 year ago

I have made the following steps:

1. `python3 pki.py cert create --subCA ReferenceTestbedSubCA --common-name connectorc --algo rsa --bits 2048 --hash sha256 --country-name ES --organization-name ORG --unit-name TestHPA --server --client --san-name connectorc --san-name localhost --san-ip 127.0.0.1`
2. `openssl pkcs12 -export -out connectorC.p12 -inkey connectorc.key -in connectorc.crt -passout pass:password`
3. `openssl pkcs12 -in connectorC.p12 -out connectorC.cert -nokeys -nodes -passin pass:password`
4. Copy "connectorC.cert" to the DAPS/keys directory
5. Register the connector in DAPS: `./register_connector.sh connectorC`
6. Modify docker-compose.yml to include the new connector and modify the config.json file.
7. Add the new DNS entry to etc/hosts

When I try to consume (connectorC) provider (connectorA) artifacts I have the following error:

```
connectorc | 2023-02-23T10:33:44,166 [https-jsse-nio-8085-exec-5] ERROR - PRODUCTIVE_DEPLOYMENT: No IDS-Message sent! No DAT could be acquired from DAPS! [code=(IMSCOE0001), reason=(Error connecting to DAPS (possibly currently not reachable or wrong DAPS-URL): Unexpected code Response{protocol=http/1.1, code=400, message=Bad Request, url=https://omejdn/auth/token} Body: {"error":"invalid_client","error_description":"Client unknown"})]
connectorc | 2023-02-23T10:33:44,171 [https-jsse-nio-8085-exec-5] WARN - Connection to DAPS could not be established. [exception=(Error connecting to DAPS (possibly currently not reachable or wrong DAPS-URL): Unexpected code Response{protocol=http/1.1, code=400, message=Bad Request, url=https://omejdn/auth/token} Body: {"error":"invalid_client","error_description":"Client unknown"})]
connectorc | 2023-02-23T10:33:44,204 [https-jsse-nio-8085-exec-5] WARN - Unable to retrieve valid DAT. [exception=(Access is denied)]
```

Urtza2 commented 1 year ago

I forgot this step... 8. `keytool -import -alias connectorC -file connectorc.crt -storetype PKCS12 -keystore truststore.p12`

Urtza2 commented 1 year ago

When the tutorial says:

> Add the certificate provided by the local CA, newly created by the local CA or provided by Fraunhofer AISEC. Place the certificate at the folder DAPS/keys/omejdn/ with name omejdn.key to avoid dependency issues later on.

Do I have to delete the omejdn.key file in the 'DAPS/keys/omejdn' directory, and which file do I have to put there as "omejdn.key", the new "connectorC.key" file?

jfernandezsqs commented 1 year ago

Hello @Urtza2, I have followed your steps and I get no error. Could you please share here the docker-compose.yml and config.json files (point 6) you have used?

7. Add the new DNS entry to etc/hosts -> You do not need to do this point because it is already done with the previous points and point 8.

jfernandezsqs commented 1 year ago

> When the tutorial says: Add the certificate provided by the local CA, newly created by the local CA or provided by Fraunhofer AISEC. Place the certificate at the folder DAPS/keys/omejdn/ with name omejdn.key to avoid dependency issues later on.
>
> Do I have to delete the omejdn.key file in the 'DAPS/keys/omejdn' directory, and which file do I have to put there as "omejdn.key", the new "connectorC.key" file?

This part of the documentation details the process to change the signing key of the DAPS component. You only have to change the Dataspace Connector to add a new connector to the IDS-testbed and perform the changes related in the documentation:

Urtza2 commented 1 year ago

[config.txt](https://github.com/International-Data-Spaces-Association/IDS-testbed/files/10825562/config.txt) [docker-compose.txt](https://github.com/International-Data-Spaces-Association/IDS-testbed/files/10825565/docker-compose.txt)

Urtza2 commented 1 year ago

I had to change the extension of these files in order to attach them, sorry.

Urtza2 commented 1 year ago

I am not sure what I am doing wrong. Last week I was able to add two new connectors, but during the last three days I have been receiving this error.

jfernandezsqs commented 1 year ago

The config.json and docker-compose.yml files seem to be fine. Just to make sure, could you check the content of your certificate at the path DAPS/config/clients.yml? Does it contain the attribute keyid dividing the SKI and AKI in the client_id line content?

Urtza2 commented 1 year ago

It has the following:

jfernandezsqs commented 1 year ago

Okay, I see the error. Please change the client_id line to the following content and try it again.

```
client_id: 44:55:31:10:C0:D4:66:85:55:1E:C1:18:26:CE:53:C5:D7:86:EA:34:keyid:41:30:3C:7E:87:C2:EF:66:72:27:91:82:EF:56:E9:0C:5C:2B:BC:2B
```

Which version of Ubuntu are you using? Which set-up are you using (OS _UbuntuXXX)?

Urtza2 commented 1 year ago

```
Distributor ID: Ubuntu
Description:    Ubuntu 22.04.1 LTS
Release:        22.04
```

I have changed this line and now I am deploying it again.

Urtza2 commented 1 year ago

I have the following again:

```
connectorc | 2023-02-24T15:29:53,877 [https-jsse-nio-8082-exec-5] ERROR - PRODUCTIVE_DEPLOYMENT: No IDS-Message sent! No DAT could be acquired from DAPS! [code=(IMSCOE0001), reason=(Error connecting to DAPS (possibly currently not reachable or wrong DAPS-URL): Unexpected code Response{protocol=http/1.1, code=400, message=Bad Request, url=https://omejdn/auth/token} Body: {"error":"invalid_client","error_description":"Error decoding JWT: No verification key available"})]
connectorc | 2023-02-24T15:29:53,879 [https-jsse-nio-8082-exec-5] WARN - Connection to DAPS could not be established. [exception=(Error connecting to DAPS (possibly currently not reachable or wrong DAPS-URL): Unexpected code Response{protocol=http/1.1, code=400, message=Bad Request, url=https://omejdn/auth/token} Body: {"error":"invalid_client","error_description":"Error decoding JWT: No verification key available"})]
connectorc | 2023-02-24T15:29:53,902 [https-jsse-nio-8082-exec-5] WARN - Unable to retrieve valid DAT. [exception=(Access is denied)]
```

jfernandezsqs commented 1 year ago

Please execute this section of the guide and try again.

jfernandezsqs commented 1 year ago

> Distributor ID: Ubuntu Description: Ubuntu 22.04.1 LTS Release: 22.04 I have changed this line and now I am deploying it again.

Okay, you are using release 22.04. I will test it with that version.

Urtza2 commented 1 year ago

The register_connector.sh script puts `CLIENT_ID="$SKI:$AKI"`. It doesn't put "keyid" between SKI and AKI. "register_connector.sh":

```sh
#!/bin/sh

if [ ! $# -ge 1 ] || [ ! $# -le 3 ]; then
    echo "Usage: $0 NAME (SECURITY_PROFILE) (CERTFILE)"
    exit 1
fi

CLIENT_NAME=$1

CLIENT_SECURITY_PROFILE=$2
[ -z "$CLIENT_SECURITY_PROFILE" ] && CLIENT_SECURITY_PROFILE="idsc:BASE_SECURITY_PROFILE"

CLIENT_CERT="keys/$CLIENT_NAME.cert"

SKI="$(openssl x509 -in "keys/${CLIENT_NAME}.cert" -noout -text | grep -A1 "Subject Key Identifier" | tail -n 1 | tr -d ' ')"
AKI="$(openssl x509 -in "keys/${CLIENT_NAME}.cert" -noout -text | grep -A1 "Authority Key Identifier" | tail -n 1 | tr -d ' ')"
CLIENT_ID="$SKI:$AKI"

CLIENT_CERT_SHA="$(openssl x509 -in "$CLIENT_CERT" -noout -sha256 -fingerprint | tr '[:upper:]' '[:lower:]' | tr -d : | sed 's/.*=//')"
echo $CLIENT_ID
cat >> config/clients.yml <<EOF
```

Urtza2 commented 1 year ago

I think that the problem is that register_connector.sh doesn't put the "keyid" string in the CLIENT_ID variable. I don't know what is happening; I'll try to change register_connector.sh in order to concatenate the "keyid" string between SKI and AKI. I'll try to start again with another connector; connectorC works when putting "keyid" manually into the CLIENT_ID value as you told me before.

Urtza2 commented 1 year ago

I have updated the "register_connector.sh" script to include "keyid" between SKI and AKI. I have changed `CLIENT_ID="$SKI:$AKI"` to:

```sh
CLIENT_ID="$SKI:keyid:$AKI"
```

Maybe it is a bug in the script?

I have a question regarding this: `keytool -import -alias connectorC -file connectorc.crt -storetype PKCS12 -keystore truststore.p12`

For each new connector is it necessary to import its certificate into truststore.p12?

I have observed in the IDS-testbed that if you want to establish communication between two connectors (A and B for example) both of them should be in truststore.p12, otherwise you get a PKIX error. Isn't it?

Thanks a lot for everything

Urtza2 commented 1 year ago

Good morning,

It is an issue with the OpenSSL version that I have installed on Ubuntu 22.04. In my version, OpenSSL 3.0.2 15 Mar 2022 (Library: OpenSSL 3.0.2 15 Mar 2022), the AKI doesn't have "keyid" and that's why I have problems with CLIENT_ID. Which version of OpenSSL do you have, or do you think that it is mandatory?

If I execute this: `openssl x509 -in "keys/connectorC.cert" -noout -text`, I get the following values for SKI and AKI:

```
X509v3 Subject Key Identifier: critical
    44:55:31:10:C0:D4:66:85:55:1E:C1:18:26:CE:53:C5:D7:86:EA:34
X509v3 Authority Key Identifier: critical
    41:30:3C:7E:87:C2:EF:66:72:27:91:82:EF:56:E9:0C:5C:2B:BC:2B
```

The AKI doesn't have "keyid" at the beginning of its value. I have tested the same command with "testbed1.cert" and the issue is the same: the AKI doesn't have the "keyid" string.

If I do the same on a Ubuntu 20.04 with OpenSSL 1.1.1f 31 Mar 2020 version for testbed1.cert, I get the following:

```
X509v3 Subject Key Identifier: critical
    E2:C4:24:73:A1:0A:B1:20:E6:EE:77:5B:CB:24:98:7E:39:74:25:49
X509v3 Authority Key Identifier: critical
    keyid:41:30:3C:7E:87:C2:EF:66:72:27:91:82:EF:56:E9:0C:5C:2B:BC:2B
```

I have updated register_connector.sh to take into account whether the AKI value contains keyid or not, including this:

```sh
# Insert "keyid:" only when the AKI as printed by openssl does not already start with it
# (OpenSSL 1.1.1 prints "keyid:<hex>", OpenSSL 3.x prints the bare "<hex>").
case "$AKI" in
    keyid:*) CLIENT_ID="$SKI:$AKI" ;;
    *)       CLIENT_ID="$SKI:keyid:$AKI" ;;
esac
```

and it works now!!

Thanks for everything
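The version difference described above (OpenSSL 1.1.1 prints the Authority Key Identifier as `keyid:<hex>`, OpenSSL 3.x prints the bare hex) is what breaks the `SKI:AKI` concatenation. The following is an added example, not the IDS-testbed's own `register_connector.sh`: it parses `openssl x509 -noout -text` output read from stdin and produces the `SKI:keyid:AKI` form that DAPS expects regardless of which OpenSSL wrote the text. The function names `ext_value` and `client_id_from_text` are assumptions, and the two sample texts are constructed from the extension lines quoted in this thread so the script runs offline without a certificate.

```sh
#!/bin/sh
# Added example, not the IDS-testbed's own register_connector.sh: build the
# DAPS client_id ("SKI:keyid:AKI") from `openssl x509 -noout -text` output in
# a way that works for both OpenSSL 1.1.1, which prints the AKI as
# "keyid:<hex>", and OpenSSL 3.x, which prints the bare "<hex>".

# Value on the line that follows the named X509v3 extension header.
# $1 = extension name, stdin = output of `openssl x509 -noout -text`
ext_value() {
    grep -A1 "$1" | tail -n 1 | tr -d ' '
}

# Read -text output on stdin and print the normalised client_id.
# The "keyid:" marker is inserted only when the AKI does not already carry
# it, so the result is the same whichever OpenSSL version produced the text.
client_id_from_text() {
    text="$(cat)"
    ski="$(printf '%s\n' "$text" | ext_value 'Subject Key Identifier')"
    aki="$(printf '%s\n' "$text" | ext_value 'Authority Key Identifier')"
    case "$aki" in
        keyid:*) ;;                    # OpenSSL 1.1.1 style, already prefixed
        *)       aki="keyid:$aki" ;;   # OpenSSL 3.x style, add the prefix
    esac
    printf '%s:%s\n' "$ski" "$aki"
}

# Constructed sample: the relevant extension lines as OpenSSL 3.0.2 prints
# them (hex values taken from the thread above).
SAMPLE_OPENSSL3='            X509v3 Subject Key Identifier: critical
                44:55:31:10:C0:D4:66:85:55:1E:C1:18:26:CE:53:C5:D7:86:EA:34
            X509v3 Authority Key Identifier: critical
                41:30:3C:7E:87:C2:EF:66:72:27:91:82:EF:56:E9:0C:5C:2B:BC:2B'

# Constructed sample: the same two extensions as OpenSSL 1.1.1f prints them.
SAMPLE_OPENSSL111='            X509v3 Subject Key Identifier: critical
                E2:C4:24:73:A1:0A:B1:20:E6:EE:77:5B:CB:24:98:7E:39:74:25:49
            X509v3 Authority Key Identifier: critical
                keyid:41:30:3C:7E:87:C2:EF:66:72:27:91:82:EF:56:E9:0C:5C:2B:BC:2B'

# Demo: both samples yield the "SKI:keyid:AKI" form that DAPS expects.
printf '%s\n' "$SAMPLE_OPENSSL3"   | client_id_from_text
printf '%s\n' "$SAMPLE_OPENSSL111" | client_id_from_text
```

With a real certificate the same function is fed directly: `openssl x509 -in keys/connectorC.cert -noout -text | client_id_from_text`. Matching on the `keyid:` prefix with `case` rather than comparing the whole value with `==` keeps the script POSIX `sh` compatible and avoids a double `keyid:keyid:` prefix on OpenSSL 1.1.1 hosts.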

jfernandezsqs commented 1 year ago

> I have a question regarding this: keytool -import -alias connectorC -file connectorc.crt -storetype PKCS12 -keystore truststore.p12
>
> For each new connector is it necessary to import its certificate into truststore.p12?
>
> I have observed in the IDS-testbed that if you want to establish communication between two connectors (A and B for example) both of them should be in truststore.p12, otherwise you get a PKIX error. Isn't it?

Yes, for now, as it is a non-production environment, it is required to add each certificate into truststore.p12. In production scenarios it is supposed that just having the different CA and SubCAs in truststore.p12 will ensure that the device certificates are trusted because the root is trusted.

jfernandezsqs commented 1 year ago

Thanks for opening this issue and finding the error in register_connector.sh when a different version of OpenSSL is used.

I have made a pull request that fixes the error.

Urtza2 commented 1 year ago

Thanks for your help!! We can close the issue, can't we?

jfernandezsqs commented 1 year ago

> Thanks for your help!! We can close the issue, can't we?

Yes, thanks