International-Data-Spaces-Association / omejdn-daps

Open Source implementation of the Dynamic Attribute Provisioning Service based on http://github.com/Fraunhofer-AISEC/omejdn-server
Apache License 2.0

Hostname localhost not verified #35

Closed aaguayo21 closed 1 year ago

aaguayo21 commented 1 year ago

Following the documentation provided in the IDS-Testbed and Omejdn repositories, I was able to deploy my own DAPS in my virtual machine. The steps I followed are: create and register my ConectorA certificates using the script provided at "scripts/register_connector.sh", generating ConectorA.cert and ConectorA.key, and the clientID.cert inside the client folder. This is the configuration added to the client.yml for my ConectorA:

Change my application.properties and config files for my ConectorA. Generate the .p12 and .crt files from the .cert and .key files previously created by the DAPS script, and add my new certificates to the truststore file.

I tried to get the available resources offered by my connector, but the response I receive is that the DAT is generated fine but my connector URL is not verified:

```
INFO - Successfully received DAT from DAPS. [code=(IMSCOI0054)]
INFO - Cached DAPS DAT expired or no expiration set. [expiration=(null), code=(IMSCOI0052)]
INFO - Successfully received DAT from DAPS. [code=(IMSCOI0054)]
INFO - Sending request to https://localhost:8080/api/ids/data ... [code=(IMSMEI0065)]
WARN - Message handling or processing failed. [exception=(Hostname localhost not verified:
 certificate: sha256/Ba9x+6+r5Tcxmi/5tn4WyGY3qZ5xXarMlN+vEM/mujQ=
 DN: O=Internet Widgits Pty Ltd, ST=Some-State, C=AU
 subjectAltNames: [])]
javax.net.ssl.SSLPeerUnverifiedException: Hostname localhost not verified:
 certificate: sha256/Ba9x+6+r5Tcxmi/5tn4WyGY3qZ5xXarMlN+vEM/mujQ=
 DN: O=Internet Widgits Pty Ltd, ST=Some-State, C=AU
 subjectAltNames: []
```

Doing some research online, I found that my certificates are missing some parameters like the host or DNS name attached to the certificates. I tried to make my own certificates using the CertificateAuthority, but they didn't work.

What am I doing wrong? What am I missing?

Thank you.

bellebaum commented 1 year ago

Hi, you are correct that the (self-signed) certificates generated by these shell scripts are not suited for usage as an authentication anchor within TLS. The reason is that they were never supposed to work this way and instead work as independent identities solely to authenticate to the DAPS. This means that you will need a separate TLS certificate to communicate with other data space components. Preferably one which is signed by a widely trusted CA (or your own CA if you are just testing out stuff).

The way these two certificates are provisioned will very much depend on the connector software you are using.
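One way to provision the separate TLS certificate this answer describes for a local test setup, together with the hostname check that failed in the log above, as an added example (shell and openssl; not code from omejdn-daps or the IDS-testbed scripts). The CA name, file paths and hostnames are assumed.

```shell
#!/bin/sh
# Added example, not code from omejdn-daps or the IDS-testbed scripts.
# Issues a TLS certificate for a local connector that carries a
# subjectAltName, then checks it the way a TLS client does (chain + hostname).
# A cert with "subjectAltNames: []" fails that check, which is the error above.
# Assumes openssl (>= 1.1.0) is installed; all names and paths are constructed.
set -e
WORKDIR="${WORKDIR:-$(mktemp -d)}"

# Throwaway CA for a local test data space only; never for production.
make_test_ca() {
  openssl req -x509 -newkey rsa:2048 -nodes -days 30 \
    -keyout "$WORKDIR/ca.key" -out "$WORKDIR/ca.crt" \
    -subj "/CN=Local Test CA" >/dev/null 2>&1
}

# Issue a server cert for HOST with SAN=DNS:HOST. Hostname verifiers
# (Java's included) match against SANs, not the CN, so the SAN is mandatory.
issue_tls_cert() {
  host="$1"
  openssl req -newkey rsa:2048 -nodes -keyout "$WORKDIR/$host.key" \
    -out "$WORKDIR/$host.csr" -subj "/CN=$host" >/dev/null 2>&1
  printf 'subjectAltName=DNS:%s\nextendedKeyUsage=serverAuth\n' "$host" \
    > "$WORKDIR/$host.ext"
  openssl x509 -req -in "$WORKDIR/$host.csr" -CA "$WORKDIR/ca.crt" \
    -CAkey "$WORKDIR/ca.key" -CAcreateserial -days 30 \
    -extfile "$WORKDIR/$host.ext" -out "$WORKDIR/$host.crt" >/dev/null 2>&1
}

# Diagnostic for the symptom in the log: "present" if the cert carries a
# DNS SAN, "missing" otherwise (the DAPS client certs come out as missing).
san_status() {
  if openssl x509 -in "$1" -noout -text | grep -q 'DNS:'; then
    echo present
  else
    echo missing
  fi
}

# Chain + hostname check as a TLS client performs it. Prints "ok" and
# returns 0 only if CERT ($1) chains to the test CA and matches HOST ($2).
verify_hostname() {
  if openssl verify -CAfile "$WORKDIR/ca.crt" -verify_hostname "$2" "$1" \
       >/dev/null 2>&1; then
    echo ok
  else
    echo fail; return 1
  fi
}

make_test_ca
issue_tls_cert localhost
san_status "$WORKDIR/localhost.crt"                 # present
verify_hostname "$WORKDIR/localhost.crt" localhost  # ok
```

Point the connector's TLS keystore at the issued key and certificate and add ca.crt to its truststore; the DAPS identity certificate from register_connector.sh stays separate.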

aaguayo21 commented 1 year ago

If my only goal is to test a minimally viable local data space using two connectors (a provider and a consumer), for the sole purpose of testing and not using them in a productive environment, can I use the CA provided in the IDS-TestBed repository to create these certificates? https://github.com/International-Data-Spaces-Association/IDS-testbed/tree/master/CertificateAuthority

Thank you.

bellebaum commented 1 year ago

Yes, that certainly seems reasonable. However, I am unfamiliar with the exact testbed setup, so you might want to ask over there :)

aaguayo21 commented 1 year ago

Okay, thank you. :)