Closed RupaliYadav closed 3 years ago
SSL keystore pfx file
If you were to build a client application that runs on a user's machine, the application will need the client certificate(s) for the organization identification(s) you want to use. We are using web-based applications that consist of an HTML/JS frontend and a Java backend, where the backend runs on a server and contains the client certificate(s). A basic example can be found here: https://github.com/OSGP/open-smart-grid-platform/tree/development/public-lighting-demo-app
FIND Devices SOAP API Filter Issue
The value HasTechnicalInstallation is required. I don't think this value is actually used when filtering on devices, but at this moment, this value is a non-optional part of the interface. This request works for me:
<soapenv:Envelope xmlns:soapenv="http://schemas.xmlsoap.org/soap/envelope/" xmlns:ns="http://www.opensmartgridplatform.org/schemas/common/2014/10" xmlns:ns1="http://www.opensmartgridplatform.org/schemas/devicemanagement/2014/10">
  <soapenv:Header>
    <ns:ApplicationName>SoapUI</ns:ApplicationName>
    <ns:UserName>Kevin</ns:UserName>
    <ns:OrganisationIdentification>test-org</ns:OrganisationIdentification>
  </soapenv:Header>
  <soapenv:Body>
    <ns1:FindDevicesRequest>
      <ns1:DeviceFilter>
        <!--Optional:-->
        <ns1:OrganisationIdentification>test-org</ns1:OrganisationIdentification>
        <ns1:HasTechnicalInstallation>true</ns1:HasTechnicalInstallation>
      </ns1:DeviceFilter>
    </ns1:FindDevicesRequest>
  </soapenv:Body>
</soapenv:Envelope>
We built a Spring Boot application which acts as a SOAP client to the OSGP platform API. But in the FindDevicesRequest SOAP request we get an "Extended key usage does not permit use for TLS server authentication" error. The trust.jks and test-org.pfx files which are added in HttpComponentsMessageSender are the same as those present in the https://github.com/OSGP/open-smart-grid-platform/tree/development/public-lighting-demo-app example.
Note: the extendedKeyUsage attribute in the osgp-ca.cfg file is only set to clientAuth.
Are there additional steps required after creating a certificate for the new organisation using the create_client_cert.sh script?
2021-01-09 06:54:08.566 ERROR 18629 --- [nio-9090-exec-1] o.a.c.c.C.[.[.[/].[dispatcherServlet] : Servlet.service() for servlet [dispatcherServlet] in context with path [] threw exception [Request processing failed; nested exception is org.springframework.ws.client.WebServiceIOException: I/O error: sun.security.validator.ValidatorException: Extended key usage does not permit use for TLS server authentication; nested exception is javax.net.ssl.SSLHandshakeException: sun.security.validator.ValidatorException: Extended key usage does not permit use for TLS server authentication] with root cause
sun.security.validator.ValidatorException: Extended key usage does not permit use for TLS server authentication
trust.jks has:
keytool -v -list -keystore ./trust.jks
Enter keystore password:
Keystore type: jks
Keystore provider: SUN
Your keystore contains 2 entries
Alias name: localhost
Creation date: Apr 29, 2015
Entry type: trustedCertEntry
Owner: CN=localhost
Issuer: EMAILADDRESS=address@OSGP.com, CN=OSGP, OU=OSGP, O=OSGP, L=Arnhem, ST=Gelderland, C=NL
Serial number: 1
Valid from: Tue Apr 28 16:24:33 UTC 2015 until: Fri Apr 27 16:24:33 UTC 2018
Certificate fingerprints:
MD5: E8:4D:D6:CD:9C:1B:84:7F:A6:B8:97:9C:C0:A3:3D:DB
SHA1: 57:08:5D:B4:F1:BA:52:8C:D0:D5:3D:AA:18:9B:E5:A5:AB:74:8B:8B
SHA256: 61:49:2A:1E:89:AA:45:61:8D:07:CC:DC:04:4C:4B:18:A9:FA:84:0A:E5:EA:0D:01:73:AF:77:48:0D:BE:27:A9
Signature algorithm name: SHA256withRSA
Subject Public Key Algorithm: 2048-bit RSA key
Version: 3
Extensions:
#1: ObjectId: 2.5.29.19 Criticality=false
BasicConstraints:[
CA:false
PathLen: undefined
]
#2: ObjectId: 2.5.29.37 Criticality=false
ExtendedKeyUsages [
serverAuth
]
#3: ObjectId: 2.5.29.15 Criticality=true
KeyUsage [
DigitalSignature
Non_repudiation
Key_Encipherment
Data_Encipherment
]
#4: ObjectId: 2.5.29.14 Criticality=false
SubjectKeyIdentifier [
KeyIdentifier [
0000: 7E 55 C3 18 31 5F 85 BA 9D 0F 74 77 AA D3 D2 05 .U..1_....tw....
0010: FA F9 FD 06 ....
]
]
*******************************************
*******************************************
Alias name: osgp-ca
Creation date: Apr 29, 2015
Entry type: trustedCertEntry
Owner: EMAILADDRESS=address@OSGP.com, CN=OSGP, OU=OSGP, O=OSGP, L=Arnhem, ST=Gelderland, C=NL
Issuer: EMAILADDRESS=address@OSGP.com, CN=OSGP, OU=OSGP, O=OSGP, L=Arnhem, ST=Gelderland, C=NL
Serial number: 83643e5f90533700
Valid from: Tue Apr 28 14:24:51 UTC 2015 until: Fri Apr 25 14:24:51 UTC 2025
Certificate fingerprints:
MD5: 71:CF:2C:D9:11:66:70:5A:45:43:64:C8:53:C0:21:D9
SHA1: 93:D9:AD:44:A7:35:DC:E5:F1:15:0D:12:91:03:7E:D2:E3:BF:FF:1B
SHA256: 3D:2C:0B:09:F5:BD:60:D5:EF:90:5F:FE:89:4C:3D:CF:C7:E4:9C:AA:93:E6:E8:81:1A:14:33:29:CF:80:F3:17
Signature algorithm name: SHA256withRSA
Subject Public Key Algorithm: 4096-bit RSA key
Version: 3
Extensions:
#1: ObjectId: 2.5.29.35 Criticality=false
AuthorityKeyIdentifier [
KeyIdentifier [
0000: 42 47 3F AB B8 66 32 A6 14 15 99 78 7E 73 25 32 BG?..f2....x.s%2
0010: A9 95 8F 13 ....
]
]
#2: ObjectId: 2.5.29.19 Criticality=false
BasicConstraints:[
CA:true
PathLen:2147483647
]
#3: ObjectId: 2.5.29.14 Criticality=false
SubjectKeyIdentifier [
KeyIdentifier [
0000: 42 47 3F AB B8 66 32 A6 14 15 99 78 7E 73 25 32 BG?..f2....x.s%2
0010: A9 95 8F 13 ....
]
]
*******************************************
*******************************************
I think you are connecting directly from your client application to the platform web service. I guess you need extendedKeyUsage = clientAuth, serverAuth (and perhaps different settings for keyUsage, even though I suspect that is not needed).
We use Apache HTTPD as a webserver in front of the platform web service, and this webserver handles the server certificate, which is different from your setup, I think.
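An added diagnostic for the handshake error in this thread, written for this page and not code from the OSGP project or the demo app: it loads a JKS/PKCS12 keystore or a PEM/DER certificate file and applies the extended-key-usage rule the JDK validator uses for TLS server authentication, which is the check that rejected the certificate here. The class name EkuCheck and the command-line arguments are assumptions; run it against the certificate the platform web service actually presents (the one issued from osgp-ca.cfg), since trust.jks only holds what the client trusts.

```java
import java.io.FileInputStream;
import java.io.InputStream;
import java.security.KeyStore;
import java.security.cert.Certificate;
import java.security.cert.CertificateFactory;
import java.security.cert.X509Certificate;
import java.util.ArrayList;
import java.util.Collections;
import java.util.List;

/** Added diagnostic (hypothetical class): flags certificates that fail the JDK's TLS server EKU check. */
public class EkuCheck {
    // RFC 5280 extended key usage purpose OIDs
    static final String SERVER_AUTH = "1.3.6.1.5.5.7.3.1";
    static final String ANY_EKU = "2.5.29.37.0";

    /** Core of the JDK rule for a server certificate: permitted when the EKU extension is
     *  absent or names serverAuth/anyExtendedKeyUsage (two legacy SGC OIDs omitted). */
    static boolean permitsServerAuth(X509Certificate cert) throws Exception {
        List<String> eku = cert.getExtendedKeyUsage(); // null when the extension is absent
        return eku == null || eku.contains(SERVER_AUTH) || eku.contains(ANY_EKU);
    }

    /** password == null: PEM/DER certificate file; otherwise a JKS or PKCS12 keystore. */
    static List<X509Certificate> load(String path, String password, String type) throws Exception {
        List<X509Certificate> out = new ArrayList<>();
        try (InputStream in = new FileInputStream(path)) {
            if (password == null) {
                for (Certificate c : CertificateFactory.getInstance("X.509").generateCertificates(in))
                    out.add((X509Certificate) c);
            } else {
                KeyStore ks = KeyStore.getInstance(type);
                ks.load(in, password.toCharArray());
                for (String alias : Collections.list(ks.aliases())) {
                    Certificate c = ks.getCertificate(alias); // leaf cert for key entries too
                    if (c instanceof X509Certificate) out.add((X509Certificate) c);
                }
            }
        }
        return out;
    }

    public static void main(String[] args) throws Exception {
        // usage: java EkuCheck <cert.pem | keystore> [password] [JKS|PKCS12]
        String password = args.length > 1 ? args[1] : null;
        String type = args.length > 2 ? args[2] : "JKS";
        for (X509Certificate x : load(args[0], password, type)) {
            List<String> eku = x.getExtendedKeyUsage();
            System.out.printf("%s%n  EKU=%s  TLS server: %s%n", x.getSubjectX500Principal(),
                    eku == null ? "(none)" : eku, permitsServerAuth(x) ? "OK" : "REJECTED");
        }
    }
}
```

A certificate issued with extendedKeyUsage = clientAuth only prints REJECTED, which matches the handshake error; one reissued with clientAuth, serverAuth passes.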
SSL keystore pfx file
The SOAP API requires the organisation's .pfx file for authentication. If we want to build a UI application client where users from various organisations log in and make SOAP requests on behalf of their organisation, is it required to store the .pfx file (crypto material of each organisation) on the user's machine? If not, what are the approaches for .pfx file management on the server?
FIND Devices SOAP API Filter Issue
In DeviceManagement.wsdl we have the FindDevicesRequest SOAP request. In the body template all tags are marked as optional, but if we apply only a filter in the request body we get a validation error. It says other tag details are also required. Does the FIND Devices SOAP API not support filtering on only a few tags?
SOAP Request Passed: