wso2 / product-iots

Welcome to the WSO2 IoT Server source code! For info on working with the WSO2 IoT Server repository and contributing code, click the link below.
http://wso2.github.io/
Apache License 2.0

Error SSO Authentication after installation certificate #1126

Closed Tofdu31 closed 7 years ago

Tofdu31 commented 7 years ago

Hi all,

Error after installing the certificate

I have customized the IP address of the server. Everything works fine. When I set up the certificates for my domain name, I get an error when starting the WSO2 IoT Server 3.1.0.

I can connect to WSO2 Carbon without problem with the certificates, and the certificate is recognized correctly.

Here are the logs:

```
[2017-07-06 14:32:35,278] [IoT-Core] INFO - {org.wso2.carbon.dashboard.deployment.DashboardDeployer} Dashboard definition [device-statistics-dashboard] has been created.
[2017-07-06 14:32:35,285] [IoT-Core] WARN - {org.wso2.carbon.application.deployer.internal.ApplicationManager} No artifacts found to be deployed in this server. Ignoring Carbon Application : org_wso2_carbon_iot_geo_dashboard-1.0.0.car
[2017-07-06 14:32:35,298] [IoT-Core] INFO - {org.apache.tomcat.util.net.NioSelectorPool} Using a shared selector for servlet write/read
[2017-07-06 14:32:35,342] [IoT-Core] INFO - {org.apache.tomcat.util.net.NioSelectorPool} Using a shared selector for servlet write/read
[2017-07-06 14:32:35,513] [IoT-Core] INFO - {org.wso2.carbon.ntask.core.service.impl.TaskServiceImpl} Task service starting in STANDALONE mode...
[2017-07-06 14:32:35,531] [IoT-Core] INFO - {org.wso2.carbon.device.mgt.core.task.impl.DeviceTaskManagerServiceImpl} Task adding for android
[2017-07-06 14:32:35,654] [IoT-Core] INFO - {org.wso2.carbon.ntask.core.impl.AbstractQuartzTaskManager} Task scheduled: [-1234][DEVICE_MONITORING][android-1234]
[2017-07-06 14:32:35,654] [IoT-Core] INFO - {org.wso2.carbon.device.mgt.core.task.impl.DeviceTaskManagerServiceImpl} Task adding for windows
[2017-07-06 14:32:35,689] [IoT-Core] INFO - {org.wso2.carbon.ntask.core.impl.AbstractQuartzTaskManager} Task scheduled: [-1234][DEVICE_MONITORING][windows-1234]
[2017-07-06 14:32:35,693] [IoT-Core] INFO - {org.wso2.carbon.device.mgt.core.status.task.impl.DeviceStatusTaskManagerServiceImpl} Device Status monitoring Task adding for android
[2017-07-06 14:32:35,724] [IoT-Core] INFO - {org.wso2.carbon.ntask.core.impl.AbstractQuartzTaskManager} Task scheduled: [-1234][DEVICE_STATUS_MONITORING][DEVICE_STATUS_MONITORING_android_1]
[2017-07-06 14:32:35,724] [IoT-Core] INFO - {org.wso2.carbon.device.mgt.core.status.task.impl.DeviceStatusTaskManagerServiceImpl} Device Status monitoring Task adding for windows
[2017-07-06 14:32:35,754] [IoT-Core] INFO - {org.wso2.carbon.ntask.core.impl.AbstractQuartzTaskManager} Task scheduled: [-1234][DEVICE_STATUS_MONITORING][DEVICE_STATUS_MONITORING_windows_3]
[2017-07-06 14:32:35,898] [IoT-Core] INFO - {org.wso2.carbon.ntask.core.impl.AbstractQuartzTaskManager} Task scheduled: [-1234][MONITORING_TASK][MONITORING_-1234]
[2017-07-06 14:32:35,952] [IoT-Core] INFO - {org.wso2.carbon.registry.eventing.internal.RegistryEventingServiceComponent} Successfully Initialized Eventing on Registry
[2017-07-06 14:32:36,129] [IoT-Core] INFO - {org.wso2.carbon.core.init.JMXServerManager} JMX Service URL : service:jmx:rmi://localhost:11111/jndi/rmi://localhost:9999/jmxrmi
[2017-07-06 14:32:36,131] [IoT-Core] INFO - {org.wso2.carbon.device.mgt.url.printer.URLPrinterStartupHandler} IoT Console URL : https://MY_DOMAIN:9443/devicemgt
[2017-07-06 14:32:36,159] [IoT-Core] INFO - {org.wso2.carbon.core.internal.StartupFinalizerServiceComponent} Server : WSO2 IoT Server-3.1.0-SNAPSHOT
[2017-07-06 14:32:36,160] [IoT-Core] INFO - {org.wso2.carbon.core.internal.StartupFinalizerServiceComponent} WSO2 Carbon started in 196 sec
[2017-07-06 14:32:36,660] [IoT-Core] INFO - {org.wso2.carbon.ui.internal.CarbonUIServiceComponent} Mgt Console URL : https://MY_DOMAIN:9443/carbon/
[2017-07-06 14:32:40,740] [IoT-Analytics] ERROR {org.wso2.carbon.device.mgt.input.adapter.mqtt.util.MQTTAdapterListener} - Failed to create a http connection.
javax.net.ssl.SSLHandshakeException: sun.security.validator.ValidatorException: PKIX path building failed: sun.security.provider.certpath.SunCertPathBuilderException: unable to find valid certification path to requested target
    at sun.security.ssl.Alerts.getSSLException(Alerts.java:192)
    at sun.security.ssl.SSLSocketImpl.fatal(SSLSocketImpl.java:1949)
    at sun.security.ssl.Handshaker.fatalSE(Handshaker.java:302)
    at sun.security.ssl.Handshaker.fatalSE(Handshaker.java:296)
    at sun.security.ssl.ClientHandshaker.serverCertificate(ClientHandshaker.java:1514)
    at sun.security.ssl.ClientHandshaker.processMessage(ClientHandshaker.java:216)
    at sun.security.ssl.Handshaker.processLoop(Handshaker.java:1026)
    at sun.security.ssl.Handshaker.process_record(Handshaker.java:961)
    at sun.security.ssl.SSLSocketImpl.readRecord(SSLSocketImpl.java:1062)
    at sun.security.ssl.SSLSocketImpl.performInitialHandshake(SSLSocketImpl.java:1375)
    at sun.security.ssl.SSLSocketImpl.startHandshake(SSLSocketImpl.java:1403)
    at sun.security.ssl.SSLSocketImpl.startHandshake(SSLSocketImpl.java:1387)
    at org.apache.http.conn.ssl.SSLConnectionSocketFactory.connectSocket(SSLConnectionSocketFactory.java:261)
    at org.apache.http.impl.conn.HttpClientConnectionOperator.connect(HttpClientConnectionOperator.java:118)
    at org.apache.http.impl.conn.PoolingHttpClientConnectionManager.connect(PoolingHttpClientConnectionManager.java:314)
    at org.apache.http.impl.execchain.MainClientExec.establishRoute(MainClientExec.java:357)
    at org.apache.http.impl.execchain.MainClientExec.execute(MainClientExec.java:218)
    at org.apache.http.impl.execchain.ProtocolExec.execute(ProtocolExec.java:194)
    at org.apache.http.impl.execchain.RetryExec.execute(RetryExec.java:85)
    at org.apache.http.impl.execchain.RedirectExec.execute(RedirectExec.java:108)
    at org.apache.http.impl.client.InternalHttpClient.doExecute(InternalHttpClient.java:186)
    at org.apache.http.impl.client.CloseableHttpClient.execute(CloseableHttpClient.java:82)
    at org.apache.http.impl.client.CloseableHttpClient.execute(CloseableHttpClient.java:106)
    at org.apache.http.impl.client.CloseableHttpClient.execute(CloseableHttpClient.java:57)
    at org.wso2.carbon.device.mgt.input.adapter.mqtt.util.MQTTAdapterListener.startListener(MQTTAdapterListener.java:174)
    at org.wso2.carbon.device.mgt.input.adapter.mqtt.util.MQTTAdapterListener.run(MQTTAdapterListener.java:302)
    at java.lang.Thread.run(Thread.java:748)
Caused by: sun.security.validator.ValidatorException: PKIX path building failed: sun.security.provider.certpath.SunCertPathBuilderException: unable to find valid certification path to requested target
    at sun.security.validator.PKIXValidator.doBuild(PKIXValidator.java:387)
    at sun.security.validator.PKIXValidator.engineValidate(PKIXValidator.java:292)
    at sun.security.validator.Validator.validate(Validator.java:260)
    at sun.security.ssl.X509TrustManagerImpl.validate(X509TrustManagerImpl.java:324)
    at sun.security.ssl.X509TrustManagerImpl.checkTrusted(X509TrustManagerImpl.java:229)
    at sun.security.ssl.X509TrustManagerImpl.checkServerTrusted(X509TrustManagerImpl.java:105)
    at org.apache.http.conn.ssl.SSLContextBuilder$TrustManagerDelegate.checkServerTrusted(SSLContextBuilder.java:190)
    at sun.security.ssl.AbstractTrustManagerWrapper.checkServerTrusted(SSLContextImpl.java:984)
    at sun.security.ssl.ClientHandshaker.serverCertificate(ClientHandshaker.java:1496)
    ... 22 more
Caused by: sun.security.provider.certpath.SunCertPathBuilderException: unable to find valid certification path to requested target
    at sun.security.provider.certpath.SunCertPathBuilder.build(SunCertPathBuilder.java:141)
    at sun.security.provider.certpath.SunCertPathBuilder.engineBuild(SunCertPathBuilder.java:126)
    at java.security.cert.CertPathBuilder.build(CertPathBuilder.java:280)
    at sun.security.validator.PKIXValidator.doBuild(PKIXValidator.java:382)
    ... 30 more
Exception in thread "Thread-38" org.wso2.carbon.apimgt.integration.client.exception.APIMClientOAuthException: failed to retrieve oauth token using jwt
    at org.wso2.carbon.apimgt.integration.client.OAuthRequestInterceptor.apply(OAuthRequestInterceptor.java:114)
    at feign.SynchronousMethodHandler.targetRequest(SynchronousMethodHandler.java:158)
    at feign.SynchronousMethodHandler.executeAndDecode(SynchronousMethodHandler.java:88)
    at feign.SynchronousMethodHandler.invoke(SynchronousMethodHandler.java:76)
    at feign.ReflectiveFeign$FeignInvocationHandler.invoke(ReflectiveFeign.java:103)
    at com.sun.proxy.$Proxy40.apisGet(Unknown Source)
    at org.wso2.carbon.apimgt.webapp.publisher.APIPublisherServiceImpl.publishAPI(APIPublisherServiceImpl.java:53)
    at org.wso2.carbon.apimgt.webapp.publisher.APIPublisherStartupHandler.publishAPIs(APIPublisherStartupHandler.java:97)
    at org.wso2.carbon.apimgt.webapp.publisher.APIPublisherStartupHandler.access$500(APIPublisherStartupHandler.java:30)
    at org.wso2.carbon.apimgt.webapp.publisher.APIPublisherStartupHandler$1.run(APIPublisherStartupHandler.java:69)
    at java.lang.Thread.run(Thread.java:748)
Caused by: org.wso2.carbon.identity.jwt.client.extension.exception.JWTClientException: Failed loading the private key.
    at org.wso2.carbon.identity.jwt.client.extension.util.JWTClientUtil.generateSignedJWTAssertion(JWTClientUtil.java:301)
    at org.wso2.carbon.identity.jwt.client.extension.util.JWTClientUtil.generateSignedJWTAssertion(JWTClientUtil.java:212)
    at org.wso2.carbon.identity.jwt.client.extension.JWTClient.getAccessToken(JWTClient.java:71)
    at org.wso2.carbon.apimgt.integration.client.OAuthRequestInterceptor.apply(OAuthRequestInterceptor.java:99)
    ... 10 more
Caused by: java.lang.IllegalArgumentException: The private RSA key must not be null
    at com.nimbusds.jose.crypto.RSASSASigner.<init>(RSASSASigner.java:55)
    at org.wso2.carbon.identity.jwt.client.extension.util.JWTClientUtil.generateSignedJWTAssertion(JWTClientUtil.java:282)
    ... 13 more
```

I cannot connect to devicemgt either.

Error:

```
SAML 2.0 based Single Sign-On

Error when processing the authentication request!

Please try login again.
```

Thanks for your help

tylert commented 7 years ago

I have run into the exact same problem as described here with IoT 3.1.0-M8, 3.1.0-alpha and 3.1.0-beta.

Steps to reproduce the problem for any recent IoT 3.1.0 builds:

  1. Download an official IoT zip file and extract it.
  2. Make the changes defined by https://docs.wso2.com/display/IoTS310/Configuring+WSO2+IoT+Server+with+the+IP (replace "localhost" with "test1.mydomain.foo").
  3. Follow the steps to correct the certificates as defined by https://wso2.org/jira/browse/DOCUMENTATION-4535.
  4. Copy the resulting *.jks files back to their expected locations.

The following steps work perfectly for IoT 3.0.0 but fail to work for recent 3.1.0 builds:

  1. Download an official IoT zip file and extract it.
  2. Make the changes defined by https://docs.wso2.com/display/IoTS300/Configuring+WSO2+IoT+Server+with+the+IP (replace "localhost" with "test1.mydomain.foo").
  3. Copy the existing *.jks files from the zip file to a temp location.
  4. Follow the steps to correct the certificates as defined by https://docs.wso2.com/display/IoTS300/General+iOS+Server+Configurations.
  5. Copy the modified *.jks files back to their expected locations.

I found the following script template very helpful while trying to automate some of the tedious manual steps:

```bash
#!/usr/bin/env bash

if [ -z "${myhostname}" ]; then
    myhostname="test1.mydomain.foo"
fi

# Perform tedious, in-place configuration changes
perl -pi -e "s/localhost/${myhostname}/g" $(find . -name 'carbon.xml')
perl -pi -e "s/localhost/${myhostname}/g" $(find . -name 'wso2server.sh')  # IoT 3.0.0
perl -pi -e "s/localhost/${myhostname}/g" $(find . -name 'iot-server.sh')  # IoT 3.1.0
perl -pi -e "s/localhost/${myhostname}/g" $(find . -name 'sso-idp-config.xml')
perl -pi -e "s/localhost/${myhostname}/g" $(find . -name 'app-manager.xml')
perl -pi -e "s/localhost/${myhostname}/g" $(find . -name 'app-conf.json')
perl -pi -e "s/%iot.keymanager.host%/${myhostname}/g" $(find . -name 'app-conf.json')
perl -pi -e "s/%iot.keymanager.https.port%/9443/g" $(find . -name 'app-conf.json')
perl -pi -e "s/%iot.manager.host%/${myhostname}/g" $(find . -name 'app-conf.json')
perl -pi -e "s/%iot.manager.https.port%/9443/g" $(find . -name 'app-conf.json')
perl -pi -e "s/localhost/${myhostname}/g" $(find . -name 'site.json')
perl -pi -e "s/localhost/${myhostname}/g" $(find . -name 'designer.json')
perl -pi -e "s/%https.host%/https:\/\/${myhostname}:9443/g" $(find . -name 'designer.json')
perl -pi -e "s/localhost/${myhostname}/g" $(find . -name 'admin--Android-Mutual-SSL*.xml')

# XXX FIXME XXX
# Grab the existing keystores to be fixed (it is assumed that they're all the same)
mkdir -p junk
cp --verbose $(find . -name 'client-truststore.jks' | head -1) junk
cp --verbose $(find . -name 'wso2carbon.jks' | head -1) junk
cp --verbose $(find . -name 'wso2certs.jks' | head -1) junk

# Do some certificate fixing stuff here...
# XXX FIXME XXX

# Put the repaired keystores back (overwrite the existing ones)
for target in $(find . -name 'client-truststore.jks'); do
    cp --verbose junk/client-truststore.jks "${target}"
done
for target in $(find . -name 'wso2carbon.jks'); do
    cp --verbose junk/wso2carbon.jks "${target}"
done
for target in $(find . -name 'wso2certs.jks'); do
    cp --verbose junk/wso2certs.jks "${target}"
done
```

Tofdu31 commented 7 years ago

Hi all, I will explain my method a little better. The CA that I use is Let's Encrypt: https://letsencrypt.org/. I'm using Debian 8.6.

For the certificates of MY_DOMAIN, I use certbot. So I get 4 files:

```
Cert      = /etc/letsencrypt/live/MY_DOMAIN/cert.pem
Privkey   = /etc/letsencrypt/live/MY_DOMAIN/privkey.pem
Chain     = /etc/letsencrypt/live/MY_DOMAIN/chain.pem
Fullchain = /etc/letsencrypt/live/MY_DOMAIN/fullchain.pem
```

Procedure:

Preparing the certificate in PFX format. As the root user I go into the folder /etc/letsencrypt/live and run the following command:

```bash
openssl pkcs12 -export -in cert.pem -inkey privkey.pem -name "MY_DOMAIN" -certfile chain.pem -certfile fullchain.pem -out wso2carbon.pfx -passout pass:wso2carbon
```

Converting the PFX file to a Java keystore. I run the following command:

```bash
keytool -importkeystore -srckeystore wso2carbon.pfx -srcstoretype pkcs12 -destkeystore wso2carbon.jks -deststoretype JKS -storePass wso2carbon -srcstorepass wso2carbon
```

Exporting the public key from the JKS file:

```bash
keytool -export -alias "MY_DOMAIN" -keystore wso2carbon.jks -file wso2carbon.pem -storePass wso2carbon
```

Copying the files to a temporary directory. I copy all the files just created into a temporary directory called certifs_wso2.

Installing the certificates

CERTIFICATE FOR IOT-CORE

First I save the localhost certificates in a sauv_files folder:

```bash
cd Home_wso2iot/repository/resources/security
mkdir sauv_files
cp client-truststore.jks "$(pwd)/sauv_files"
cp wso2carbon.jks "$(pwd)/sauv_files"
cp wso2certs.jks "$(pwd)/sauv_files"
rm wso2carbon.jks
```

Then I copy wso2carbon.jks from my certifs_wso2 folder to Home_wso2iot/repository/resources/security.

In a console I go to the folder Home_wso2iot/repository/resources/security and execute the following commands:

Adding the public key to the public truststore:

```bash
keytool -delete -alias wso2carbon -keystore client-truststore.jks -storePass wso2carbon
```

And, using the file client-truststore.jks, we export the public key of our wso2carbon.jks file into wso2carbon.pem:

```bash
keytool -export -alias MY_DOMAIN -keystore wso2carbon.jks -file wso2carbon.pem -storePass wso2carbon
```

I import the public key that has just been extracted into the file client-truststore.jks:

```bash
keytool -import -alias MY_DOMAIN -file wso2carbon.pem -keystore client-truststore.jks -storepass wso2carbon
```

I also do the same manipulations for the files in:

```
../wso2/analytics/repository/resources/security
../wso2/broker/repository/resources/security
```

Result:

https://MY_DOMAIN:9443/carbon - WSO2 Carbon recognizes the certificate and I get an HTTPS connection with the valid certificate.

https://MY_DOMAIN:9443/devicemgt - To access the device management console, I get to the login page fine, but the authentication crashes with the message: SAML 2.0 based Single Sign-On Error when processing the authentication request! Please try login again.

This error is the same for WSO2 Store, Publisher, API...

Additional information: I use wso2iot 3.1.0. I deleted localhost and added a domain name. Everything worked correctly before adding the certificates. I think the problem comes from the SSO authentication, which crashes when you add a certificate signed by an authority. I do not have strong competence in certificates. The procedure was carried out by following and analyzing several tutorials:

tylert commented 7 years ago

@Tofdu31 it's possible that this problem is not present with 3.1.0-beta2.

It's possible this problem has already been fixed in 3.1.0-beta2. I am going to try it today and confirm.

tylert commented 7 years ago

@Tofdu31 confirmed, 3.1.0-beta2 works correctly for me with the following certificate magic...

```bash
#!/usr/bin/env bash

hostname="${1}"

if [ "${hostname}" == "" ]; then
    hostname='test1.mydomain.foo'
fi

echo "Generating certificates for '${hostname}'"

alias='wso2carbon'

# Generate a new self-signed key pair for the configured host
keytool -genkey -alias ${alias} -keyalg RSA -keysize 4096 \
    -keypass wso2carbon -keystore selfsigned.jks -storepass wso2carbon \
    -dname "cn=${hostname}, ou=My Org Unit, o=Org Unit, l=Location, st=XX, c=ZZ"

# Export its certificate in PEM form
keytool -export -alias ${alias} -keystore selfsigned.jks \
    -rfc -storepass wso2carbon -file public.cert

# Grab the existing keystores to be fixed (it is assumed that they're all the same)
cp --verbose $(find wso2iot* -name 'client-truststore.jks' | head -1) .
cp --verbose $(find wso2iot* -name 'wso2carbon.jks' | head -1) .

# Clear out the existing entry for this alias
keytool -delete -alias ${alias} -keystore client-truststore.jks \
    -storepass wso2carbon

# Re-add the new entry for this alias
keytool -import -noprompt -trustcacerts -alias ${alias} -file public.cert \
    -keystore client-truststore.jks -storepass wso2carbon

# Clear out the existing entry for this alias
keytool -delete -alias ${alias} \
    -keystore wso2carbon.jks -storepass wso2carbon

keytool -import -noprompt -trustcacerts -alias ${alias} -file public.cert \
    -keystore wso2carbon.jks -storepass wso2carbon

# Move the private key into wso2carbon.jks via an intermediate PKCS12 file.
# keytool warns that it overwrites the trusted-cert entry added just above;
# the private key entry is the one that is wanted.
keytool -importkeystore -srckeystore selfsigned.jks -destkeystore keystore.p12 \
    -deststoretype PKCS12 -deststorepass wso2carbon -srcstorepass wso2carbon
keytool -importkeystore -noprompt \
    -srckeystore keystore.p12 -srcstoretype PKCS12 -srcstorepass wso2carbon \
    -destkeystore wso2carbon.jks -deststorepass wso2carbon

# Put the keystores in the desired locations
for target in $(find wso2iot* -name 'wso2carbon.jks'); do
    cp --verbose wso2carbon.jks "${target}"
done
for target in $(find wso2iot* -name 'client-truststore.jks'); do
    cp --verbose client-truststore.jks "${target}"
done

# Create the missing payload for ./wso2iot-3.1.0-beta2/conf/identity/identity-providers/iot_default.xml
cat public.cert | sed '1d;$d' | tr -d '\r\n' > ugh.txt
```

Paste the contents of ugh.txt into iot_default.xml.

Also, don't forget to update mobile-config.xml too...

```bash
perl -pi -e "s/localhost/${myhostname}/g" $(find . -name 'mobile-config.xml')
```

Tofdu31 commented 7 years ago

Hi Tyler, thank you very much. I'll test that tomorrow and keep you posted. I have also been working on getting my server running with an IP. I will send you the script, for comparison or in case I have forgotten something.

Thanks again to you

tylert commented 7 years ago

You're welcome. Good luck.

Tofdu31 commented 7 years ago

Argh, a French speaker!!! And here I am struggling badly with English ;)

MattcCR92 commented 7 years ago

Hi all,

I have a small question for you Tyler, I was wondering whether your certificate script is compatible with version 3.0.0?

Thanks in advance for your answer.

tylert commented 7 years ago

@MattcCR92 I'll answer in English for everyone else.

I got IoT 3.0.0 working correctly with a self-signed certificate using the instructions found at https://docs.wso2.com/display/IoTS300/General+iOS+Server+Configurations (my script may be found at https://gist.github.com/tylert/015d6718150b50a0ff9d2897dc9ce744).

The script I provided here works perfectly for IoT 3.1.0-beta2 (my script may be found at https://gist.github.com/tylert/0e72f3179ff853e75e07943a9dc6d8e3). You must not forget to also fix the certificate payload in iot_default.xml and make all the other recommended changes from https://docs.wso2.com/display/IoTS310/Configuring+WSO2+IoT+Server+with+the+IP as well to get a working system that isn't pointed at localhost.

I would say that this issue is probably eligible to be closed once @Tofdu31 has had a chance to confirm that these instructions work for him/her and/or one of the WSO2 team members adds these instructions to their "Configuring WSO2 IoT Server with the IP" page.

MattcCR92 commented 7 years ago

I understand,

In any case, thanks for answering my question. It was very useful to me.

Bye.

MattcCR92 commented 7 years ago

@tylert Your script works perfectly.

But I have a problem at the time of authentication on the "devicemgt" page.

I get the following error message:

"HTTP Status : 500

{/app/modules/oauth/token-handlers.js} Could not set up encoded tenant based client credentials to session context as the server is unable to obtain such credentials - setUpEncodedTenantBasedClientAppCredentials(x)"

Have you run into this problem before?

tylert commented 7 years ago

@MattcCR92 Yes! You forgot to update the default certificate in your iot_default.xml.

```
~/wso2iot-3.1.0-beta2$ find . -name 'iot_default.xml'
./conf/identity/identity-providers/iot_default.xml
```

Tofdu31 commented 7 years ago

Hello @tylert. For me, it still doesn't work. I did validate your first script for customizing the wso2iot product to put in my IP address. Regarding iot-server.sh, the documentation says to modify the following entries:

```
-Diot.core.host="" \
-Diot.keymanager.host="" \
-Diot.gateway.host="" \
```

Whereas your script modifies every occurrence of localhost:

```bash
perl -pi -e "s/localhost/${myhostname}/g" $(find . -name 'iot-server.sh') # IoT 3.1.0
```

So in the end I used your IP-address modification script. That will keep me close to your procedure. If you have a link to the sources for that part, I'd be glad to have it :)

Next: I modified iot_default.xml with the key I get from ugh.txt.

For information, I fetch the wso2iot sources from Jenkins, and in the end iot-server.sh works!!! Finally I'm making progress.

So I'm continuing my investigation and leaving the ticket open until I've finalized.

@tylert and @MattcCR92, I wanted to set up a forum dedicated to WSO2IOT 3.1 in French. If that interests you, let me know, because currently there isn't one.

Finally, I'm ultimately going to create a plugin for my drone so I can retrieve information with wso2iot. The road is still long for me!

Tof

tylert commented 7 years ago

@Tofdu31 yes, the stuff from https://github.com/wso2/product-iots/issues/1126#issuecomment-313480480 is what I was using to modify all the localhost entries in the config files (including iot-server.sh). In my case, I am using a hostname rather than an IP address, in case that helps you too. Glad you are making progress.

Yes, it does sound like there are a few users who would benefit from having a French language forum for these kinds of issues.

Tofdu31 commented 7 years ago

@tylert many thanks!!! It's OK, I was making an error while applying the script. For people who read us: there is no mistake in the bash script, but sh, which I was running it with, has a less extensive syntax ;)

So, run bash ./script.sh instead :)

But I still have a question: do I also have to run your script to replace the certificates in the analytics folder and in the broker folder?

Thanks again

tylert commented 7 years ago

@Tofdu31 yes, all the files named "wso2carbon.jks" and "client-truststore.jks" under the wso2iot directory need to be updated--my script updates all of them.

Tofdu31 commented 7 years ago

Hi Tyler, I get an error once I run start-all.sh. There is no connection between Analytics and the Broker:

```
[IoT-Analytics] ERROR {org.wso2.carbon.device.mgt.input.adapter.mqtt.util.MQTTAdapterListener} - Failed to create a http connection.
javax.net.ssl.SSLException: hostname in certificate didn't match: <localhost> != <xxx.xxx.xxx.xxx>
    at org.apache.http.conn.ssl.AbstractVerifier.verify(AbstractVerifier.java:231)
    at org.apache.http.conn.ssl.BrowserCompatHostnameVerifier.verify(BrowserCompatHostnameVerifier.java:54)
    at org.apache.http.conn.ssl.AbstractVerifier.verify(AbstractVerifier.java:152)
    at org.apache.http.conn.ssl.AbstractVerifier.verify(AbstractVerifier.java:133)
    at org.apache.http.conn.ssl.SSLConnectionSocketFactory.verifyHostname(SSLConnectionSocketFactory.java:291)
    at org.apache.http.conn.ssl.SSLConnectionSocketFactory.connectSocket(SSLConnectionSocketFactory.java:262)
    at org.apache.http.impl.conn.HttpClientConnectionOperator.connect(HttpClientConnectionOperator.java:118)
    at org.apache.http.impl.conn.PoolingHttpClientConnectionManager.connect(PoolingHttpClientConnectionManager.java:314)
    at org.apache.http.impl.execchain.MainClientExec.establishRoute(MainClientExec.java:357)
    at org.apache.http.impl.execchain.MainClientExec.execute(MainClientExec.java:218)
    at org.apache.http.impl.execchain.ProtocolExec.execute(ProtocolExec.java:194)
    at org.apache.http.impl.execchain.RetryExec.execute(RetryExec.java:85)
    at org.apache.http.impl.execchain.RedirectExec.execute(RedirectExec.java:108)
    at org.apache.http.impl.client.InternalHttpClient.doExecute(InternalHttpClient.java:186)
    at org.apache.http.impl.client.CloseableHttpClient.execute(CloseableHttpClient.java:82)
    at org.apache.http.impl.client.CloseableHttpClient.execute(CloseableHttpClient.java:106)
    at org.apache.http.impl.client.CloseableHttpClient.execute(CloseableHttpClient.java:57)
    at org.wso2.carbon.device.mgt.input.adapter.mqtt.util.MQTTAdapterListener.startListener(MQTTAdapterListener.java:174)
    at org.wso2.carbon.device.mgt.input.adapter.mqtt.util.MQTTAdapterListener.run(MQTTAdapterListener.java:302)
    at java.lang.Thread.run(Thread.java:748)
```

tylert commented 7 years ago

The error you are seeing is due to using the old "localhost" self-signed certificate with your newly configured host IP/name.

The steps for getting a fully-working system are:

  1. Fetch a new 3.1.0-beta2 or newer IoT zip file (or build one).
  2. Change all the appropriate config files to point to your new IP or hostname (as per https://docs.wso2.com/display/IoTS310/Configuring+WSO2+IoT+Server+with+the+IP).
  3. Replace the appropriate certificates/keys inside the keystores (if using a self-signed cert, you may use https://gist.github.com/tylert/0e72f3179ff853e75e07943a9dc6d8e3 if you are using IoT 3.1.0-beta2 or newer).
  4. Start broker.
  5. Start iot-server.

My "fix_certs.sh" script is in my gist https://gist.github.com/tylert/0e72f3179ff853e75e07943a9dc6d8e3 and a close approximation of my "fix_config.sh" script may be found in comment https://github.com/wso2/product-iots/issues/1126#issuecomment-313480480.

Tofdu31 commented 7 years ago

Re Tyler,

I didn't understand this sentence:

My "fix_certs.sh" script is in my gist https://gist.github.com/tylert/0e72f3179ff853e75e07943a9dc6d8e3 and a close approximation of my "fix_config.sh" script may be found in comment #1126 (comment).

Procedure that I use:

  1. In a folder temp_customize, I decompress wso2iot3.1.0
  2. In the folder temp_customize, I place the script 01_script_IP_v1.2.sh and I execute it with the command bash ./01_script_IP_v1.2.sh
  3. In the folder temp_customize, I place the 02_script_certif_v1.2.sh and I execute it with the command bash ./02_script_certif_v1.2.sh

The log of the command 02_script_certif_v1.2.sh:

```
Generating certificates for '163.172.90.197'
Certificate stored in file <public.cert>
‘wso2iot-3.1.0-SNAPSHOT/wso2/analytics/repository/resources/security/client-truststore.jks’ -> ‘./client-truststore.jks’
‘wso2iot-3.1.0-SNAPSHOT/wso2/analytics/repository/resources/security/wso2carbon.jks’ -> ‘./wso2carbon.jks’
Certificate was added to keystore
Certificate was added to keystore
Entry for alias wso2carbon successfully imported.
Import command completed:  1 entries successfully imported, 0 entries failed or cancelled
Warning: Overwriting existing alias wso2carbon in destination keystore
Entry for alias wso2carbon successfully imported.
Import command completed:  1 entries successfully imported, 0 entries failed or cancelled
‘wso2carbon.jks’ -> ‘wso2iot-3.1.0-SNAPSHOT/wso2/analytics/repository/resources/security/wso2carbon.jks’
‘wso2carbon.jks’ -> ‘wso2iot-3.1.0-SNAPSHOT/wso2/broker/repository/resources/security/wso2carbon.jks’
‘wso2carbon.jks’ -> ‘wso2iot-3.1.0-SNAPSHOT/repository/resources/security/wso2carbon.jks’
‘client-truststore.jks’ -> ‘wso2iot-3.1.0-SNAPSHOT/wso2/analytics/repository/resources/security/client-truststore.jks’
‘client-truststore.jks’ -> ‘wso2iot-3.1.0-SNAPSHOT/wso2/broker/repository/resources/security/client-truststore.jks’
‘client-truststore.jks’ -> ‘wso2iot-3.1.0-SNAPSHOT/repository/resources/security/client-truststore.jks’
```

I had to redo the commands by hand for client-truststore.jks as it was still on localhost.

When running the script, I get a warning.

Running the commands in a console one by one, I noticed that the warning came from here:

```bash
keytool -importkeystore -noprompt -srckeystore keystore.p12 -srcstoretype PKCS12 -srcstorepass wso2carbon -destkeystore wso2carbon.jks -deststorepass wso2carbon
```

I copy all the commands here in execution order:

```bash
keytool -genkey -alias wso2carbon -keyalg RSA -keysize 4096 -keypass wso2carbon -keystore selfsigned.jks -storepass wso2carbon -dname "cn=163.172.90.197, ou=Blabla Dept, o=Blabla, l=Ottawa, st=ON, c=CA"

keytool -export -alias wso2carbon -keystore selfsigned.jks -rfc -storepass wso2carbon -file public.cert

cp --verbose $(find wso2iot -name 'client-truststore.jks' | head -1) .
cp --verbose $(find wso2iot -name 'wso2carbon.jks' | head -1) .

keytool -delete -alias wso2carbon -keystore client-truststore.jks -storepass wso2carbon

keytool -import -noprompt -trustcacerts -alias wso2carbon -file public.cert -keystore client-truststore.jks -storepass wso2carbon

keytool -delete -alias wso2carbon -keystore wso2carbon.jks -storepass wso2carbon

keytool -import -noprompt -trustcacerts -alias wso2carbon -file public.cert -keystore wso2carbon.jks -storepass wso2carbon

keytool -importkeystore -srckeystore selfsigned.jks -destkeystore keystore.p12 -deststoretype PKCS12 -deststorepass wso2carbon -srcstorepass wso2carbon

keytool -importkeystore -noprompt -srckeystore keystore.p12 -srcstoretype PKCS12 -srcstorepass wso2carbon -destkeystore wso2carbon.jks -deststorepass wso2carbon

cat public.cert | sed '1d;$d' | tr -d '\r\n' > ugh.txt
```

Thanks

tylert commented 7 years ago

@Tofdu31 I just meant that the script I pasted into comment https://github.com/wso2/product-iots/issues/1126 wasn't 100% identical to the script I use for modifying the hostname entries but it's very close. I have a single script to make all the configuration changes and another one to perform the certificate changes.

The most probable reason you are encountering this error is because you already have an updated copy of "wso2carbon.jks" in the directory where you are running the script. Try removing the modified *.jks files from your working directory before running it.

Tofdu31 commented 7 years ago

@Tyler I put my wso2iot-3.1.0-SNAPSHOT folder in a TEMP folder. I also put your script for the certificates in the TEMP folder.

In the end I have only the wso2iot-3.1.0-SNAPSHOT folder and the 02_script_certif_v1.2.sh script in my TEMP folder.
capture-01

In a console under DEBIAN 8.6, I go to the TEMP folder and I run my command: bash ./02_script_certif_v1.2.sh

I always make the mistake: Warning: Overwriting existing alias wso2carbon in destination keystore

Warning caused by the command:

Keytool -importkeystore -noprompt -srckeystore keystore.p12 -srcstoretype PKCS12 -srcstorepass wso2carbon -destkeystore wso2carbon.jks -deststorepass wso2carbon

I then look at the files in my TEMP folder. I have the following files: capture-02

This is my console after executing the script: capture-03

console WSO2IOT 3.1.0 :

capture-04

Tofdu31 commented 7 years ago

Using the command: `keytool -list -v -keystore wso2carbon.jks -storepass wso2carbon`

In the wso2carbon.jks file I find information about localhost. Isn't there a mistake here?

```
Alias name: localhost
Creation date: Mar 21, 2017
Entry type: trustedCertEntry

Owner: CN=localhost, O=WSO2, L=Mountain View, ST=CA, C=US
Issuer: CN=localhost, O=WSO2, L=Mountain View, ST=CA, C=US
Serial number: 4b7e3782
Valid from: Fri Feb 19 08:02:26 CET 2010 until: Tue Feb 13 08:02:26 CET 2035
Certificate fingerprints:
	 MD5:  02:FB:AA:5F:20:64:49:4A:27:29:55:71:83:F7:46:CD
	 SHA1: 6B:F8:E1:36:EB:36:D4:A5:6E:A0:5C:7A:E4:B9:A4:5B:63:BF:97:5D
	 SHA256: 1D:72:9F:B8:C4:68:EA:D8:20:A2:A0:BE:4A:DB:8F:BA:BE:D9:AB:1B:A1:26:C9:D2:14:66:C5:70:6E:8E:4D:30
Signature algorithm name: SHA1withRSA
Version: 3

Extensions:

#1: ObjectId: 2.5.29.15 Criticality=true
KeyUsage [
  DigitalSignature
  Non_repudiation
  Key_Encipherment
  Data_Encipherment
]
```

Tofdu31 commented 7 years ago

Yesss !!!! I found the bug

To correct this:

Replace the line:

```shell
keytool -genkey -alias ${alias} -keyalg RSA -keysize 4096 \
    -keypass wso2carbon -keystore selfsigned.jks -storepass wso2carbon \
    -dname "cn=${hostname}, ou=Blabla Dept, o=Blabla, l=Ottawa, st=ON, c=CA"
```

with:

```shell
keytool -genkey -alias ${alias} -keyalg RSA -keysize 4096 \
    -keypass wso2carbon -keystore selfsigned.jks -storepass wso2carbon \
    -dname "cn=${hostname}, ou=Blabla Dept, o=Blabla, l=Ottawa, st=ON, c=CA" \
    -ext SAN=DNS:localhost,IP:127.0.0.1,IP:${hostname}
```
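
As an added example (my own, not code from this thread or from the WSO2 project) that pulls the steps above together: generate the self-signed certificate with the SAN extension from the fix, rebuild `client-truststore.jks` and `wso2carbon.jks` from it the way the script in this thread does, and then verify the result with `keytool -list -v` before starting the server, so a missing SAN entry or a leftover `localhost` trusted entry like the one listed two comments up is caught up front. The alias, password and file names follow the thread; `san_for`, `make_keystores` and `verify_keystore` are names I made up. `san_for` goes one step beyond the fix in the thread: a DNS hostname gets a `DNS:` entry instead of `IP:`, since keytool rejects `IP:` with a non-address value.

```shell
#!/bin/sh
# Added example, not from the thread or from WSO2: build SAN-bearing keystores
# for WSO2 IoT and verify them. Alias/password/file names follow the thread;
# the helper names are assumptions.
set -eu

ALIAS=wso2carbon
PASS=wso2carbon            # the distribution default; change it in production
KEYSIZE=${KEYSIZE:-4096}

# Build the keytool -ext argument. An IPv4 literal becomes an IP: entry,
# anything else a DNS: entry (the thread's fix hard-codes IP:${hostname}).
san_for() {
    host="$1"
    if printf '%s' "$host" | grep -Eq '^[0-9]{1,3}(\.[0-9]{1,3}){3}$'; then
        printf 'SAN=DNS:localhost,IP:127.0.0.1,IP:%s' "$host"
    else
        printf 'SAN=DNS:localhost,IP:127.0.0.1,DNS:%s' "$host"
    fi
}

# Create fresh keystores for $1 under $2. Existing files are removed first:
# a stale *.jks in the working directory is what produced the
# "Overwriting existing alias" warning earlier in the thread.
make_keystores() {
    host="$1"; workdir="$2"
    mkdir -p "$workdir"
    (
        cd "$workdir"
        rm -f selfsigned.jks public.cert keystore.p12 wso2carbon.jks client-truststore.jks
        # 1. key pair + self-signed certificate carrying the SAN extension
        keytool -genkeypair -alias "$ALIAS" -keyalg RSA -keysize "$KEYSIZE" \
            -keypass "$PASS" -keystore selfsigned.jks -storepass "$PASS" \
            -dname "cn=${host}, ou=Blabla Dept, o=Blabla, l=Ottawa, st=ON, c=CA" \
            -ext "$(san_for "$host")"
        # 2. export the public certificate (PEM)
        keytool -exportcert -alias "$ALIAS" -keystore selfsigned.jks -rfc \
            -storepass "$PASS" -file public.cert
        # 3. trust store: the new certificate only
        keytool -importcert -noprompt -alias "$ALIAS" -file public.cert \
            -keystore client-truststore.jks -storepass "$PASS"
        # 4. server key store: private key + certificate, via PKCS12 as in the thread
        keytool -importkeystore -noprompt -srckeystore selfsigned.jks -srcstorepass "$PASS" \
            -destkeystore keystore.p12 -deststoretype PKCS12 -deststorepass "$PASS"
        keytool -importkeystore -noprompt -srckeystore keystore.p12 -srcstoretype PKCS12 \
            -srcstorepass "$PASS" -destkeystore wso2carbon.jks -deststorepass "$PASS"
    )
}

# Return 0 only if keystore $2 holds the wso2carbon entry, that entry's
# SubjectAlternativeName names host $1, and no "localhost" entry is left over.
verify_keystore() {
    host="$1"; ks="$2"
    listing=$(keytool -list -v -keystore "$ks" -storepass "$PASS" 2>/dev/null) || listing=""
    printf '%s\n' "$listing" | grep -q "^Alias name: ${ALIAS}\$" || return 1
    if printf '%s\n' "$listing" | grep -q '^Alias name: localhost$'; then
        return 1
    fi
    printf '%s\n' "$listing" | grep -A6 'SubjectAlternativeName' | grep -qF "$host" || return 1
}

# Stand-alone use: sh keystores.sh <hostname-or-ip> <workdir>
if [ $# -eq 2 ]; then
    make_keystores "$1" "$2"
    for ks in wso2carbon.jks client-truststore.jks; do
        if verify_keystore "$1" "$2/$ks"; then echo "ok: $ks"; else echo "FAILED: $ks"; exit 1; fi
    done
fi
```

`verify_keystore` is also worth running against the keystores copied out of the distribution before they are modified: it reports the `localhost` trusted entry shown above, and after the swap it confirms that the entry the server will present actually names the host clients connect to.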

MattcCR92 commented 7 years ago

Hi again all,

The server works perfectly with the self-signed certificate, thanks again to @tylert.

I'm coming back to you because this time I'd like to configure the server with a valid "Gandi" certificate, and I admit I'm a bit stuck.

If you have any explanations on how to adapt the examples above to a valid certificate, I'm interested.

See you.

PS: I'm in favour of opening a French forum @Tofdu31

Tofdu31 commented 7 years ago

Hi @MattcCR92, how can I get in touch with you to talk about my WSO2iot project?

MattcCR92 commented 7 years ago

Hi again,

By email if you like?

Tofdu31 commented 7 years ago

@MattcCR92 Can you send me a PM on the site https://www.developpez.net? My account is: Tofdu31

Looking forward to hearing from you, Tof

milanperera commented 7 years ago

This issue is fixed in the latest change-ip.sh script in IoTs 3.1.0.

monta9 commented 6 years ago

@tylert Hi, could I please get some help with the certificate? For me everything is installed, but when I try devicemgt it causes problems.

HTTP Status: 500 Invalid signature found in the SAML response.

The log for the problem:

```
ERROR - {org.jaggeryjs.modules.sso.common.util.Util} Error while validating signature
java.lang.NullPointerException
    at org.jaggeryjs.modules.sso.common.util.X509CredentialImpl.(X509CredentialImpl.java:66)
    at org.jaggeryjs.modules.sso.common.util.Util.validateSignature(Util.java:459)
    at org.jaggeryjs.modules.sso.common.util.Util.validateSignature(Util.java:384)
    at sun.reflect.NativeMethodAccessorImpl.invoke0(Native Method)
    at sun.reflect.NativeMethodAccessorImpl.invoke(NativeMethodAccessorImpl.java:62)
    at sun.reflect.DelegatingMethodAccessorImpl.invoke(DelegatingMethodAccessorImpl.java:43)
    at java.lang.reflect.Method.invoke(Method.java:498)
    at org.mozilla.javascript.MemberBox.invoke(MemberBox.java:126)
    at org.mozilla.javascript.NativeJavaMethod.call(NativeJavaMethod.java:225)
    at org.mozilla.javascript.optimizer.OptRuntime.callN(OptRuntime.java:52)
    at org.jaggeryjs.rhino..scripts.c0._c_anonymous_3(/scripts/sso.client.js:64)
    at org.jaggeryjs.rhino..scripts.c0.call(/scripts/sso.client.js)
    at org.mozilla.javascript.optimizer.OptRuntime.call2(OptRuntime.java:42)
    at org.jaggeryjs.rhino.devicemgt.lib.modules.auth.c0._c_anonymous_20(/devicemgt/lib/modules/auth/auth.js:532)
    at org.jaggeryjs.rhino.devicemgt.lib.modules.auth.c0.call(/devicemgt/lib/modules/auth/auth.js)
    at org.mozilla.javascript.optimizer.OptRuntime.call2(OptRuntime.java:42)
    at org.jaggeryjs.rhino.devicemgt.lib.modules.auth.c2._c_anonymous_1(/devicemgt/lib/modules/auth/acs.jag:34)
    at org.jaggeryjs.rhino.devicemgt.lib.modules.auth.c2.call(/devicemgt/lib/modules/auth/acs.jag)
    at org.mozilla.javascript.optimizer.OptRuntime.call0(OptRuntime.java:23)
    at org.jaggeryjs.rhino.devicemgt.lib.modules.auth.c2._c_script_0(/devicemgt/lib/modules/auth/acs.jag:22)
    at org.jaggeryjs.rhino.devicemgt.lib.modules.auth.c2.call(/devicemgt/lib/modules/auth/acs.jag)
    at org.mozilla.javascript.ContextFactory.doTopCall(ContextFactory.java:394)
    at org.mozilla.javascript.ScriptRuntime.doTopCall(ScriptRuntime.java:3091)
    at org.jaggeryjs.rhino.devicemgt.lib.modules.auth.c2.call(/devicemgt/lib/modules/auth/acs.jag)
    at org.jaggeryjs.rhino.devicemgt.lib.modules.auth.c2.exec(/devicemgt/lib/modules/auth/acs.jag)
    at org.jaggeryjs.scriptengine.engine.RhinoEngine.execScript(RhinoEngine.java:567)
    at org.jaggeryjs.scriptengine.engine.RhinoEngine.exec(RhinoEngine.java:273)
    at org.jaggeryjs.jaggery.core.manager.WebAppManager.exec(WebAppManager.java:588)
    at org.jaggeryjs.jaggery.core.manager.WebAppManager.execute(WebAppManager.java:508)
    at org.jaggeryjs.jaggery.core.JaggeryServlet.doPost(JaggeryServlet.java:29)
    at javax.servlet.http.HttpServlet.service(HttpServlet.java:650)
    at javax.servlet.http.HttpServlet.service(HttpServlet.java:731)
    at org.apache.catalina.core.ApplicationFilterChain.internalDoFilter(ApplicationFilterChain.java:303)
    at org.apache.catalina.core.ApplicationFilterChain.doFilter(ApplicationFilterChain.java:208)
    at org.apache.catalina.core.ApplicationDispatcher.invoke(ApplicationDispatcher.java:743)
    at org.apache.catalina.core.ApplicationDispatcher.processRequest(ApplicationDispatcher.java:485)
    at org.apache.catalina.core.ApplicationDispatcher.doForward(ApplicationDispatcher.java:377)
    at org.apache.catalina.core.ApplicationDispatcher.forward(ApplicationDispatcher.java:337)
    at org.jaggeryjs.jaggery.core.JaggeryFilter.doFilter(JaggeryFilter.java:21)
    at org.apache.catalina.core.ApplicationFilterChain.internalDoFilter(ApplicationFilterChain.java:241)
    at org.apache.catalina.core.ApplicationFilterChain.doFilter(ApplicationFilterChain.java:208)
    at org.apache.tomcat.websocket.server.WsFilter.doFilter(WsFilter.java:52)
    at org.apache.catalina.core.ApplicationFilterChain.internalDoFilter(ApplicationFilterChain.java:241)
    at org.apache.catalina.core.ApplicationFilterChain.doFilter(ApplicationFilterChain.java:208)
    at org.wso2.carbon.ui.filters.cache.ContentTypeBasedCachePreventionFilter.doFilter(ContentTypeBasedCachePreventionFilter.java:53)
    at org.apache.catalina.core.ApplicationFilterChain.internalDoFilter(ApplicationFilterChain.java:241)
    at org.apache.catalina.core.ApplicationFilterChain.doFilter(ApplicationFilterChain.java:208)
    at org.owasp.csrfguard.CsrfGuardFilter.doFilter(CsrfGuardFilter.java:88)
    at org.apache.catalina.core.ApplicationFilterChain.internalDoFilter(ApplicationFilterChain.java:241)
    at org.apache.catalina.core.ApplicationFilterChain.doFilter(ApplicationFilterChain.java:208)
    at org.apache.catalina.filters.HttpHeaderSecurityFilter.doFilter(HttpHeaderSecurityFilter.java:124)
    at org.apache.catalina.core.ApplicationFilterChain.internalDoFilter(ApplicationFilterChain.java:241)
    at org.apache.catalina.core.ApplicationFilterChain.doFilter(ApplicationFilterChain.java:208)
    at org.apache.catalina.core.StandardWrapperValve.invoke(StandardWrapperValve.java:219)
    at org.apache.catalina.core.StandardContextValve.invoke(StandardContextValve.java:110)
    at org.apache.catalina.authenticator.AuthenticatorBase.invoke(AuthenticatorBase.java:498)
    at org.apache.catalina.core.StandardHostValve.invoke(StandardHostValve.java:169)
    at org.apache.catalina.valves.ErrorReportValve.invoke(ErrorReportValve.java:103)
    at org.wso2.carbon.tomcat.ext.valves.CompositeValve.continueInvocation(CompositeValve.java:99)
    at org.wso2.carbon.tomcat.ext.valves.CarbonTomcatValve$1.invoke(CarbonTomcatValve.java:47)
    at org.wso2.carbon.webapp.mgt.TenantLazyLoaderValve.invoke(TenantLazyLoaderValve.java:57)
    at org.wso2.carbon.webapp.authenticator.framework.WebappAuthenticationValve.invoke(WebappAuthenticationValve.java:46)
    at org.wso2.carbon.tomcat.ext.valves.TomcatValveContainer.invokeValves(TomcatValveContainer.java:47)
    at org.wso2.carbon.tomcat.ext.valves.CompositeValve.invoke(CompositeValve.java:62)
    at org.wso2.carbon.tomcat.ext.valves.CarbonStuckThreadDetectionValve.invoke(CarbonStuckThreadDetectionValve.java:159)
    at org.apache.catalina.valves.AccessLogValve.invoke(AccessLogValve.java:962)
    at org.wso2.carbon.tomcat.ext.valves.CarbonContextCreatorValve.invoke(CarbonContextCreatorValve.java:57)
    at org.apache.catalina.core.StandardEngineValve.invoke(StandardEngineValve.java:116)
    at org.apache.catalina.connector.CoyoteAdapter.service(CoyoteAdapter.java:445)
    at org.apache.coyote.http11.AbstractHttp11Processor.process(AbstractHttp11Processor.java:1115)
    at org.apache.coyote.AbstractProtocol$AbstractConnectionHandler.process(AbstractProtocol.java:637)
    at org.apache.tomcat.util.net.NioEndpoint$SocketProcessor.doRun(NioEndpoint.java:1775)
    at org.apache.tomcat.util.net.NioEndpoint$SocketProcessor.run(NioEndpoint.java:1734)
    at java.util.concurrent.ThreadPoolExecutor.runWorker(ThreadPoolExecutor.java:1149)
    at java.util.concurrent.ThreadPoolExecutor$Worker.run(ThreadPoolExecutor.java:624)
    at org.apache.tomcat.util.threads.TaskThread$WrappingRunnable.run(TaskThread.java:61)
    at java.lang.Thread.run(Thread.java:748)
```

monta9 commented 6 years ago

(screenshot attached, taken 2018-09-19)