SSL configuration problem
Hi!
I have an SSL problem: after configuring, creating the DB, generating a certificate request, signing it, including the CA cert and the server cert (with the default "Server-Cert" nickname) and configuring ics.conf, I cannot enable the SSL server.
Looking in /var/opt/SUNWics5/logs/http.log, I found the following lines:
[11/Jun/2007:12:19:30 +0200] umbriel cshttpd[8047]: General Error: SSL initialization error: ASockSSL_Init: PK11 auth failed to Server-Cert (-8177)
[11/Jun/2007:12:19:30 +0200] umbriel cshttpd[8047]: General Error: http_ssl_init(): SSL initialization failed
Using the command
truss -f -o /tmp/ical.log /opt/SUNWics5/cal/sbin/start-cal
The calendar server finds key3.db (under the / directory, not in the /etc/opt/SUNWics5/config directory specified in the ics.conf file :@), cert8.db (in the same / directory), and sslpassword.conf in the /etc/opt/SUNWics5/config directory.
I can read all three files, but the log message looks like the password does not work.
The password stored in sslpassword.conf is the same one stored in the service.http.ssl.certdb.password line of the ics.conf file (it is an open, unencrypted line!).
The password works, since I can use the sslpassword.conf file to open, read, and verify the certificate.
The SUNWics5 package is the latest: 6.3. No patches.
Any Idea? Thanks in advance!
Message was edited by: h.molina
By h.molinaa at 2007-11-27 7:02:02

# 1
Hi,
What do you have set for the following ics.conf values?
encryption.rsa.nssslpersonalityssl
encryption.rsa.nsssltoken
What do you have in your sslpassword.conf file?
If you run the following, what do you get?
cd <calendar_base>/sbin/
./certutil -L -d <calendar database base directory>
Regards,
Shane.
# 2
Hi,
The values in ics.conf:
> encryption.rsa.nssslpersonalityssl
> encryption.rsa.nsssltoken
>
encryption.rsa.nssslpersonalityssl = "Server-Cert"
encryption.rsa.nsssltoken = "internal"
> What do you have in your sslpassword.conf file?
Internal (Software) Token:password
Yes, I know, it is not the safest password in the world, but... when the system starts working I will change it.
The certificate database was created with the command:
certutil -N -f /etc/opt/SUNWics5/config/sslpassword.conf -d /etc/opt/SUNWics5/config/
So the password matches the database password.
> If you run the following, what do you get?
>
> cd <calendar_base>/sbin/
> ./certutil -L -d <calendar database base directory>
TSC CA Certificate    CT,C,C
Server-Cert           u,u,u
Where TSC CA Certificate is our PKI CA Certificate.
Thanks in advance for any help!
H.
# 3
Hi,
After much swearing and cursing and finding out that service.http.ssl.certdb.path doesn't work (nor does service.http.ssl.certdb.password for that matter), you need to use local.ssldbpath instead (bug #6409449 - SSL does not work (per JES4 documentation)- configurator should transfer the existing SSL settings), I managed to get SSL working with calendar.
1. Copy your cert8.db and key3.db files to /opt/SUNWics5/cal/config, make sure their owner:group matches the calendar owner:group (icsuser:icsgroup)
2. Make sure your sslpassword.conf is also in /opt/SUNWics5/cal/config and contains:
bash-3.00# cat sslpassword.conf
Internal (Software) Token:password
Same owner:group as (1) above applies.
3. Get your ics.conf settings to match these:
bash-3.00# grep ssl ics.conf | grep -v "\!\!"
encryption.rsa.nssslactivation = "on"
encryption.rsa.nssslpersonalityssl = "Server-Cert"
encryption.rsa.nsssltoken = "internal"
service.http.ssl.cachedir = "."
service.http.ssl.cachesize = "10000"
local.ssldbpath = "/opt/SUNWics5/cal/config"
service.http.ssl.port = "443"
service.http.ssl.port.enable = "yes"
service.http.ssl.ssl2.ciphers = ""
service.http.ssl.ssl2.sessiontimeout = "0"
service.http.ssl.ssl3.ciphers = "rsa_rc4_40_md5,rsa_rc2_40_md5,rsa_des_sha,rsa_rc4_128_md5,rsa_3des_sha"
service.http.ssl.ssl3.sessiontimeout = "0"
service.http.ssl.usessl = "yes"
4. ./stop-cal http; ./start-cal http
Tell us how it goes.
Regards,
Shane.
# 4
Hi!
Mmmmm, does not work...
The log file says:
[13/Jun/2007:12:03:26 +0200] umbriel cshttpd[7050]: General Error: _cshttpd_parse_commandline: cannot bind process 7050 to processor 0, errno 1
[13/Jun/2007:12:03:30 +0200] umbriel cshttpd[7050]: General Error: SSL initialization error: ASockSSL_Init: PK11 auth failed to Server-Cert (-8177)
[13/Jun/2007:12:03:30 +0200] umbriel cshttpd[7050]: General Error: http_ssl_init(): SSL initialization failed
[13/Jun/2007:12:04:45 +0200] umbriel cshttpd[7050]: Stats Warning: Unable to delete counter instance (dbstat): 2
My ics.conf's ssl parameters are:
encryption.rsa.nssslactivation = "on"
encryption.rsa.nssslpersonalityssl = "Server-Cert"
encryption.rsa.nsssltoken = "internal"
service.http.ssl.cachedir = "."
service.http.ssl.cachesize = "10000"
service.http.ssl.certdb.password = "password"
local.ssldbpath = "/opt/SUNWics5/cal/config"
service.http.ssl.certdb.path = "alias"
service.http.ssl.port = "443"
service.http.ssl.port.enable = "yes"
service.http.ssl.securesession = "yes"
service.http.ssl.sourceurl = "https://calendar.tsc.uc3m.es"
service.http.ssl.ssl2.ciphers = ""
service.http.ssl.ssl2.sessiontimeout = "0"
service.http.ssl.ssl3.ciphers = "rsa_rc4_40_md5,rsa_rc2_40_md5,rsa_des_sha,rsa_rc4_128_md5,rsa_3des_sha"
service.http.ssl.ssl3.sessiontimeout = "0"
service.http.ssl.usessl = "yes"
My ssl related files are:
-rw-   1 icsuser icsgroup   65536 Jun 13 11:52 cert8.db
-rw-   1 icsuser icsgroup   32768 Jun 13 11:52 key3.db
-rw-   1 icsuser icsgroup      35 Jan 10 20:41 sslpassword.conf
And using the strace tool for debugging the calendar process, I found the following lines:
7050/1: stat("/cert8.db", 0xFFBFCD60)= 0
7050/1: open("/cert8.db", O_RDONLY) = 22
7050/1: fcntl(22, F_SETFD, 0x00000001)= 0
7050/1: read(22, "\00615 a\0\0\002\0\010E1".., 260)= 260
7050/1: lseek(22, 16384, SEEK_SET) = 16384
7050/1: read(22, "\0\b ?F7 ?F4 ?E7 ?8A ? 1".., 16384)= 16384
7050/1: stat("/key3.db", 0xFFBFCE20)= 0
7050/1: open("/key3.db", O_RDONLY) = 23
7050/1: fcntl(23, F_SETFD, 0x00000001)= 0
7050/1: read(23, "\00615 a\0\0\002\0\010E1".., 260)= 260
7050/1: lseek(23, 8192, SEEK_SET)= 8192
7050/1: read(23, "\0\n1FF91FF81FED1FDD1FCF".., 8192)= 8192
7050/1: stat("/libnssckbi.so", 0xFFBFCB70) = 0
7050/1: resolvepath("/libnssckbi.so", "/libnssckbi.so", 1023) = 14
7050/1: open("/libnssckbi.so", O_RDONLY)= 24
Funny things about this log:
The process looks in the / directory for the key3.db, cert8.db and libnssckbi.so files!! Omitting the local.ssldbpath defined in ics.conf!!!
Anyway, I copied these files to / in the meantime.
Other entries in the strace log:
7050/1: open("/opt/SUNWics5/cal/config/sslpassword.conf", O_RDONLY) = 27
7050/1: read(27, " I n t e r n a l( S o".., 255)= 35
So the process finds, opens and reads the sslpassword.conf file...
7050 is the cshttpd process.
7038:access("/opt/SUNWics5/cal/lib/cshttpd", X_OK)= 0
7038:open("/opt/SUNWics5/cal/data/proc/http", O_RDONLY) Err#2 ENOENT
7038:write(2, " S t a r t i n g ", 9)= 9
7038:write(2, " h t t p", 4) = 4
7038:write(2, "s e r v e r. . .", 11) = 11
7038:unlink("/opt/SUNWics5/cal/data/proc/http")Err#2 ENOENT
7038:fork1()= 7050
7038:lwp_sigmask(SIG_SETMASK, 0x00000000, 0x00000000) = 0xFFBFFEFF [0x0000FFFF]
7050:fork1() (returning as child ...)= 7038
7050:getpid()= 7050 [7038]
7038:open("/opt/SUNWics5/cal/data/proc/http", O_RDONLY) Err#2 ENOENT
7038:write(2, " .", 1)= 1
7050:lwp_self() = 1
7050:lwp_sigmask(SIG_SETMASK, 0x00000000, 0x00000000) = 0xFFBFFEFF [0x0000FFFF]
7050:execve("/opt/SUNWics5/cal/lib/cshttpd", 0xFFBFFA74, 0xFFBFFC0C) argc = 1
7050:resolvepath("/usr/lib/ld.so.1", "/lib/ld.so.1", 1023) = 12
7050:resolvepath("/opt/SUNWics5/cal/lib/cshttpd", "/opt/SUNWics5/cal/lib/cshttpd", 1023) = 29
Information about the SUNWics5 package:
PKGINST: SUNWics5
NAME: Calendar Server (Core)
CATEGORY: application
ARCH: sparc
VERSION: 6.0,REV=2003.11.14.18.12.58
BASEDIR: /opt
VENDOR: Sun Microsystems, Inc.
DESC: Calendar Server - Calendar Server and supporting components
PSTAMP: monks20070110115349
INSTDATE: Jun 11 2007 12:59
HOTLINE: Please contact your local service provider
STATUS: completely installed
FILES: 363 installed pathnames
7 shared pathnames
18 directories
320 executables
128537 blocks used (approx)
Thanks for any help solving this problem
H.
# 5
This hint worked for me. The one thing I did that was not mentioned was to create an additional file that had only the password in it, and instead of using:
certutil -N -f /etc/opt/SUNWics5/config/sslpassword.conf -d /etc/opt/SUNWics5/config/
I used:
certutil -N -f /etc/opt/SUNWics5/config/sslpasswordonly -d /etc/opt/SUNWics5/config/
# 6
Dear autohand,
The sslpassword.conf file is able to open the CertDB:
Executing
/opt/SUNWics5/cal/sbin/certutil -V -n Server-Cert -e -u V -d / -f /etc/opt/SUNWics5/config/sslpassword.conf
says:
certutil: certificate is valid
Thanks, anyway, for your help :-D
H.
# 7
OK, I know I'm no expert at this, but I have a suspicion that certutil takes the text in the password file literally and the calendar takes the text in the password file and strips the prefix label text off, so that certutil created the cert file with one key and the calendar is using another. I don't think the calendar is able to read the cert file; I think it has the wrong key. I was unable to use the same password file for both applications. The validation would work no matter which key file was used, and the example you show is using the "long" key, if you will. Of course, I'm not 100% sure I am right; I only have a bit of confidence because calendar https started working today.
# 8
Hi,
> service.http.ssl.certdb.password = "password"
Try commenting this out.
> service.http.ssl.certdb.path = "alias"
Try commenting this out as well
> And using the strace tool for debugging the calendar process, I found the following lines:
>
> 7050/1: stat("/cert8.db", 0xFFBFCD60) = 0
> 7050/1: open("/cert8.db", O_RDONLY) = 22
> 7050/1: fcntl(22, F_SETFD, 0x00000001) = 0
> 7050/1: read(22, "\00615 a\0\0\002\0\010E1".., 260) = 260
> 7050/1: lseek(22, 16384, SEEK_SET) = 16384
> 7050/1: read(22, "\0\b ?F7 ?F4 ?E7 ?8A ? 1".., 16384) = 16384
> 7050/1: stat("/key3.db", 0xFFBFCE20) = 0
> 7050/1: open("/key3.db", O_RDONLY) = 23
> 7050/1: fcntl(23, F_SETFD, 0x00000001) = 0
> 7050/1: read(23, "\00615 a\0\0\002\0\010E1".., 260) = 260
> 7050/1: lseek(23, 8192, SEEK_SET) = 8192
> 7050/1: read(23, "\0\n1FF91FF81FED1FDD1FCF".., 8192) = 8192
> 7050/1: stat("/libnssckbi.so", 0xFFBFCB70) = 0
> 7050/1: resolvepath("/libnssckbi.so", "/libnssckbi.so", 1023) = 14
> 7050/1: open("/libnssckbi.so", O_RDONLY) = 24
>
> Funny things about this log:
> The process looks in the / directory for the key3.db, cert8.db and libnssckbi.so files!! Omitting the local.ssldbpath defined in ics.conf!!!
I had the same issue, but in my case rather than "/" it was looking in another incorrect directory. It was only by setting local.ssldbpath that it used the correct path for the *.db files.
For the libnssckbi.so I also had this issue. It appears to be due to the same issue documented here (I hope you can access this page):
http://bugs.sun.com/bugdatabase/view_bug.do?bug_id=6244622
The short of it is that you need to set LD_LIBRARY_PATH=/opt/SUNWics5/cal/lib/ e.g.
(if you use bash shell)
./stop-cal http
export LD_LIBRARY_PATH=/opt/SUNWics5/cal/lib/
./start-cal http
On the Auth issue, not sure. I created a self-signed certificate by using the msgcert utility provided by messaging server 6.3.
Interesting though that my tests resulted in a different outcome:
bash-3.00# /opt/SUNWics5/cal/sbin/certutil -V -n Server-Cert -e -u V -d /opt/SUNWics5/cal/config -f /etc/opt/SUNWics5/config/sslpassword.conf
Incorrect password/PIN entered.
certutil: certificate is valid
bash-3.00# cat /etc/opt/SUNWics5/config/sslpassword.conf
Internal (Software) Token:password
But when I enter the password ("password") manually it works:
bash-3.00# /opt/SUNWics5/cal/sbin/certutil -V -n Server-Cert -e -u V -d /opt/SUNWics5/cal/config
Enter Password or Pin for "NSS Certificate DB":
certutil: certificate is valid
So if you do the second test and enter the word "password" does it work?
Regards,
Shane.
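As an added example that is not part of the thread or of the Calendar Server product: a small POSIX shell script that automates the comparison Shane and H. are doing by hand above, pulling the directories from which cshttpd opened cert8.db, key3.db, secmod.db and libnssckbi.so out of a truss -f log and checking them against local.ssldbpath in ics.conf. It assumes the truss output format shown in the thread and, for libnssckbi.so, the /opt/SUNWics5/cal/lib directory that post #8 puts in LD_LIBRARY_PATH (override it with a third argument); the log lines in the demo are constructed from the ones posted, not captured from a real system.

```shell
#!/bin/sh
# Added diagnostic, not from the thread or from Sun Calendar Server.
# Given a truss -f log of cshttpd and the ics.conf, report where the process
# actually opened its NSS files and whether that matches local.ssldbpath.
# The demo data below is constructed after the truss lines in the thread;
# the expected library directory defaults to the one post #8 puts in
# LD_LIBRARY_PATH (an assumption; pass a third argument to override it).

# nss_open_dirs TRUSS_LOG
#   prints "<file> <directory>" for each NSS artifact the traced process opened
nss_open_dirs() {
    tr -d '"' < "$1" | awk '
        match($0, /open\([^,]*\/(cert8\.db|key3\.db|secmod\.db|libnssckbi\.so),/) {
            # drop the leading "open(" (5 chars) and the trailing ","
            path = substr($0, RSTART + 5, RLENGTH - 6)
            n = split(path, part, "/")
            print part[n], substr(path, 1, length(path) - length(part[n]))
        }' | sort -u
}

# configured_ssldbpath ICS_CONF
#   value of local.ssldbpath, the key post #3 found effective; lines commented
#   out with "!" do not match because the pattern is anchored at line start
configured_ssldbpath() {
    sed -n 's/^[[:space:]]*local\.ssldbpath[[:space:]]*=[[:space:]]*"\([^"]*\)".*/\1/p' "$1" \
        | head -n 1
}

# check_nss_paths TRUSS_LOG ICS_CONF [LIB_DIR]
#   one OK/MISMATCH line per opened artifact: cert8.db/key3.db/secmod.db are
#   expected under local.ssldbpath, libnssckbi.so under LIB_DIR
check_nss_paths() {
    dbdir=$(configured_ssldbpath "$2"); dbdir="${dbdir%/}/"
    libdir="${3:-/opt/SUNWics5/cal/lib}"; libdir="${libdir%/}/"
    nss_open_dirs "$1" | while read -r file dir; do
        case "$file" in
            libnssckbi.so) want="$libdir" ;;
            *)             want="$dbdir" ;;
        esac
        if [ "$dir" = "$want" ]; then
            printf 'OK       %s opened from %s\n' "$file" "$dir"
        else
            printf 'MISMATCH %s opened from %s (expected %s)\n' "$file" "$dir" "$want"
        fi
    done
}

# count_mismatches TRUSS_LOG ICS_CONF [LIB_DIR] -> number of MISMATCH lines
count_mismatches() {
    check_nss_paths "$1" "$2" "${3:-}" | grep -c '^MISMATCH' || true
}

# Demo on constructed data: run as "sh nss_paths.sh demo"
if [ "${1:-}" = "demo" ]; then
    tmp=$(mktemp -d)
    cat > "$tmp/truss.log" <<'EOF'
7050/1: stat("/cert8.db", 0xFFBFCD60)= 0
7050/1: open("/cert8.db", O_RDONLY) = 22
7050/1: open("/key3.db", O_RDONLY) = 23
7050/1: open("/libnssckbi.so", O_RDONLY)= 24
7050/1: open("/opt/SUNWics5/cal/config/sslpassword.conf", O_RDONLY) = 27
EOF
    printf '%s\n' 'local.ssldbpath = "/opt/SUNWics5/cal/config"' > "$tmp/ics.conf"
    check_nss_paths "$tmp/truss.log" "$tmp/ics.conf"
    rm -rf "$tmp"
fi
```

Run it against the real log with `sh nss_paths.sh` sourced, then `check_nss_paths /tmp/ical.log /etc/opt/SUNWics5/config/ics.conf`; on the traces posted in this thread every line comes back MISMATCH with directory "/", which is the symptom the next posts chase. Because only open() calls are matched, the stat()/resolvepath() probes are ignored and the sslpassword.conf open is left out on purpose.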
# 9
Dear Shane,
Thanks for your help:
Entering the password manually does not work!!! Who knows how the sslpassword.conf was interpreted!!
Now I have created a new database with a well-known password, but sslpassword.conf is not able to open the database.
How must the password be stored in sslpassword.conf to open the file?
About the libnssckbi.so issue: I can now read the URL, fix the LD_LIBRARY_PATH and include libnssckbi.so in secmod.db.
Thanks for your help and time!!
H.
# 10
OK, I'll try one more time. I'm just terrible at explaining this, but this is what I think is happening: if you use:
certutil -N -f /etc/opt/SUNWics5/config/sslpassword.conf -d /etc/opt/SUNWics5/config/
to create the database, and /etc/opt/SUNWics5/config/sslpassword.conf contains:
Internal (Software) Token:password
then your password is literally: Internal (Software) Token:password
If you had entered this "long" password manually, you could have read/verified your certificate file.
When calendar runs, it gets the text from sslpassword.conf, strips off "Internal (Software) Token:" and uses the text "password" to read the cert database, so it has the wrong password. I created two files, one sslpassword.conf which has:
Internal (Software) Token:password
and another sslpasswordonly which has:
password
Any time I use the Netscape cert utilities, I use sslpasswordonly, as in:
certutil -N -f /etc/opt/SUNWics5/config/sslpasswordonly -d /etc/opt/SUNWics5/config/
and in the validation example:
/opt/SUNWics5/cal/sbin/certutil -V -n Server-Cert -e -u V -d / -f /etc/opt/SUNWics5/config/sslpasswordonly
That way both the Netscape utilities and the calendar are using the same password, i.e. "password". OK, that is my best shot.
# 11
Dear Autohand,
Yes, you are right: if I use sslpassword.conf with certutil, the password will not be "password", it will be "Internal (Software) Token:password"!!
Now I have created the new databases with the sslpasswordonly file, verifying the password is working (using the sslpasswordonly file and using the keyboard), but sslpassword.conf with the correct password is still not working.
It is not a permissions problem, since debugging with truss (I am in a Solaris environment) shows the cshttpd process is able to read that file.
Maybe some end character like Line Feed or Carriage Return?
I do not know :-|
Thanks in any case!
H.
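As an added example, not code from the thread or from Sun: shell helpers for the two password-file pitfalls discussed in posts #10 and #11 above. Under the reading in post #10, `certutil -f` takes the whole file as the password while the server strips the "Internal (Software) Token:" label, so the two sides only agree if the database is created from a file holding just the password; and a DOS line ending or trailing blank, as suspected in post #11, would change the password the server derives without being visible in `cat` output. The label and paths are the thread's; the 0600 mode on the derived file is this example's choice.

```shell
#!/bin/sh
# Added helper, not from the thread or from Sun Calendar Server.
# Post #10's point: "certutil -N -f FILE" uses the entire file content as the
# NSS database password, while cshttpd takes only what follows the
# "Internal (Software) Token:" label in sslpassword.conf. Post #11 suspects a
# stray line-ending character. These functions derive the server's view of the
# password from sslpassword.conf and flag things that would silently change it.
# Assumptions: the token label and paths are those used in the thread; the
# 0600 mode for the derived file is this example's choice.

# token_password LINE -> the text after the first ':' (what the server uses)
token_password() {
    case "$1" in
        *:*) printf '%s\n' "${1#*:}" ;;
        *)   printf '%s\n' "$1" ;;
    esac
}

# sslpassword_problems FILE -> one WARN line per issue, nothing if clean
sslpassword_problems() {
    raw=$(head -n 1 "$1")           # $(...) strips the newline but keeps a CR
    cr=$(printf '\r')
    case "$raw" in
        *"$cr") echo "WARN line ends in CR (DOS line ending): the CR becomes part of the password" ;;
    esac
    case "$raw" in
        *:*) ;;
        *)   echo "WARN no 'token name:' label; the server expects '<token>:<password>'" ;;
    esac
    case "$(token_password "$raw")" in
        *[[:space:]]) echo "WARN password ends in whitespace" ;;
    esac
    [ "$(wc -l < "$1" | tr -d ' ')" -le 1 ] || echo "WARN more than one line in the file"
    [ -z "$(find "$1" -perm -004)" ] || echo "WARN file is world-readable; it holds the key database password"
}

# write_password_only SRC DST -> DST gets only the password (no label, no CR),
#   mode 0600, so "certutil -N -f DST" and the server agree on the password
write_password_only() {
    line=$(head -n 1 "$1" | tr -d '\r')
    ( umask 077; token_password "$line" > "$2" )
}

# Demo on a temp copy (run as "sh sslpw.sh demo"); never touches the real config
if [ "${1:-}" = "demo" ]; then
    tmp=$(mktemp -d)
    printf 'Internal (Software) Token:password\r\n' > "$tmp/sslpassword.conf"
    sslpassword_problems "$tmp/sslpassword.conf"
    write_password_only "$tmp/sslpassword.conf" "$tmp/sslpasswordonly"
    printf 'derived password: "%s"\n' "$(cat "$tmp/sslpasswordonly")"
    rm -rf "$tmp"
fi
```

Generate the derived file once (`write_password_only /etc/opt/SUNWics5/config/sslpassword.conf /etc/opt/SUNWics5/config/sslpasswordonly`), then use `-f sslpasswordonly` with `certutil -N` and `certutil -V` as post #10 does, and leave sslpassword.conf in place for cshttpd; `od -c sslpassword.conf` shows any `\r` that `cat` hides, which is the check post #11 is missing.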
# 12
Are you still getting the same error now:
[11/Jun/2007:12:19:30 +0200] umbriel cshttpd[8047]: General Error: SSL initialization error: ASockSSL_Init: PK11 auth failed to Server-Cert (-8177)
# 13
Dear Autohand,
Yep, I am still having the same error:
[14/Jun/2007:23:44:04 +0200] umbriel cshttpd[897]: General Error: SSL initialization error: ASockSSL_Init: PK11 auth failed to Server-Cert (-8177)
[14/Jun/2007:23:44:04 +0200] umbriel cshttpd[897]: General Error: http_ssl_init(): SSL initialization failed
:-|
# 14
OK, I'm whipped. You'll have to wait for the Shane-man for help. I guess I was just lucky to get this one running; I must have been in a sweet spot because all I had to do was use the config hint and get the password right. Sorry, I sure wanted to help.
# 15
Hi,
Since you have changed your config/values etc. a lot, let's start from scratch.
1. Provide the output of the following (you commented out service.http.ssl.certdb.password and service.http.ssl.certdb.path right?):
grep ssl ics.conf | grep -v "\!\!"
2. Provide the truss output like previous, hopefully showing that the key3.db/cert8.db files are being picked up from /opt/SUNWics5/cal/config and not "/"
3. Run /opt/SUNWics5/cal/sbin/certutil -V -n Server-Cert -e -u V -d /opt/SUNWics5/cal/config
Enter the password "password", does it work (provide output)?
4. Provide output of /opt/SUNWics5/cal/sbin/certutil -L -d /opt/SUNWics5/cal/config
e.g.
bash-3.00$ /opt/SUNWics5/cal/sbin/certutil -L -d /opt/SUNWics5/cal/config
Server-Cert CTu,u,u
5. Provide output of:
cat /opt/SUNWics5/cal/config/sslpassword.conf
e.g.
bash-3.00$ cat /opt/SUNWics5/cal/config/sslpassword.conf
Internal (Software) Token:password
bash-3.00$
Hopefully something is inconsistent and points to where the problem is :)
Regards,
Shane.
# 16
Hi!
We still have the problem....
The information requested:
grep ssl ics.conf | grep -v "\!\!"
encryption.rsa.nssslactivation = "on"
encryption.rsa.nssslpersonalityssl = "Server-Cert"
encryption.rsa.nsssltoken = "internal"
service.http.ssl.cachedir = "."
service.http.ssl.cachesize = "10000"
! service.http.ssl.certdb.password = "password"
local.ssldbpath = "/opt/SUNWics5/cal/config"
! service.http.ssl.certdb.path = "alias"
service.http.ssl.port = "443"
service.http.ssl.port.enable = "yes"
service.http.ssl.securesession = "yes"
service.http.ssl.sourceurl = "https://calendar.tsc.uc3m.es"
service.http.ssl.ssl2.ciphers = ""
service.http.ssl.ssl2.sessiontimeout = "0"
service.http.ssl.ssl3.ciphers = "rsa_rc4_40_md5,rsa_rc2_40_md5,rsa_des_sha,rsa_rc4_128_md5,rsa_3des_sha"
service.http.ssl.ssl3.sessiontimeout = "0"
service.http.ssl.usessl = "yes"
/opt/SUNWics5/cal/config is a soft-link from /etc/opt/SUNWics5/config.
The truss output:
5940/1: stat("/cert8.db", 0xFFBFCD60)= 0
5940/1: open("/cert8.db", O_RDONLY) = 22
5940/1: fcntl(22, F_SETFD, 0x00000001)= 0
5940/1: read(22, "\00615 a\0\0\002\0\010E1".., 260)= 260
5940/1: lseek(22, 16384, SEEK_SET) = 16384
5940/1: read(22, "\0\b ?F7 ?F4 ?E7 ? Q >BF".., 16384)= 16384
5940/1: stat("/key3.db", 0xFFBFCE20)= 0
5940/1: open("/key3.db", O_RDONLY) = 23
5940/1: fcntl(23, F_SETFD, 0x00000001)= 0
5940/1: read(23, "\00615 a\0\0\002\0\010E1".., 260)= 260
5940/1: lseek(23, 8192, SEEK_SET)= 8192
Still looking in the / directory.
The output for /opt/SUNWics5/cal/sbin/certutil -V -n Server-Cert -e -u V -d / (looking in the / directory where the httpd process is still looking for the key database):
/opt/SUNWics5/cal/sbin/certutil -V -n Server-Cert -e -u V -d /
Enter Password or Pin for "NSS Certificate DB":
certutil: certificate is valid
typing "password" as the password.
and the output for /opt/SUNWics5/cal/sbin/certutil -V -n Server-Cert -e -u V -d / -f /etc/opt/SUNWics5/config/sslpasswordonly
certutil: certificate is valid
Where sslpasswordonly has only "password" word.
The output for /opt/SUNWics5/cal/sbin/certutil -L -d /
/opt/SUNWics5/cal/sbin/certutil -L -d /
Server-Cert u,u,u
TSC CA Certificate    CT,C,C
Mmmm, maybe here it can fail: the Server-Cert is not a Certificate Authority, so C or T are not allowed; "TSC CA Certificate" is my trusted signer certificate.
The output for cat /etc/opt/SUNWics5/config/sslpassword.conf
cat /etc/opt/SUNWics5/config/sslpassword.conf
Internal (Software) Token:password
And finally the http.log output :'(
[18/Jun/2007:18:46:16 +0200] umbriel cshttpd[5940]: General Notice: cshttpd' session database opened successfully
[18/Jun/2007:18:46:16 +0200] umbriel cshttpd[5940]: General Notice: LdapCacheInit: Ldap Cache not enabled.
[18/Jun/2007:18:46:18 +0200] umbriel cshttpd[5940]: General Notice: cshttpd: comms sso is enabled
[18/Jun/2007:18:46:18 +0200] umbriel cshttpd[5940]: General Notice: cshttpd: am sso is enabled
[18/Jun/2007:18:46:18 +0200] umbriel cshttpd[5940]: General Error: SSL initialization error: ASockSSL_Init: PK11 auth failed to Server-Cert (-8177)
[18/Jun/2007:18:46:18 +0200] umbriel cshttpd[5940]: General Error: http_ssl_init(): SSL initialization failed
[18/Jun/2007:18:46:41 +0200] umbriel cshttpd[5940]: General Notice: cshttpd is ready
Other truss information: the cshttpd process is able to open the /etc/opt/SUNWics5/config/sslpassword.conf file (in read-only mode, and reads the first line...):
5940/1: open("/opt/SUNWics5/cal/config/sslpassword.conf", O_RDONLY) = 27
5940/1: read(27, " I n t e r n a l( S o".., 255)= 35
5940/1: read(27, 0xFFBFD7CC, 255)= 0
5940/1: close(27)= 0
The only thing I can imagine is a bad encoded sslpassword.conf file.
Thanks for your help.
# 17
Hi,
I do not know if anyone read this last message. Anyway.
A weird thing: when I start the cshttpd processes manually, SSL works now!!!
Looking in the httpd.log, I saw that SSO is not loaded:
[01/Jul/2007:15:25:56 +0200] umbriel cshttpd[16391]: General Notice: cshttpd attempting to open Calendar Database
[01/Jul/2007:15:25:56 +0200] umbriel cshttpd[16391]: General Notice: cshttpd' session database opened successfully
[01/Jul/2007:15:25:56 +0200] umbriel cshttpd[16391]: General Notice: LdapCacheInit: Ldap Cache not enabled.
[01/Jul/2007:15:25:56 +0200] umbriel cshttpd[16391]: General Critical: Loading of libamsdk failed: -5977 No such file or directory. IS SSO not enabled
[01/Jul/2007:15:25:56 +0200] umbriel cshttpd[16391]: General Notice: cshttpd: comms sso is enabled
[01/Jul/2007:15:25:56 +0200] umbriel cshttpd[16391]: General Notice: cshttpd: am sso is disabled
Well, if I set the LD_LIBRARY_PATH variable to /opt/SUNWics5/cal/lib, libamsdk is now found, but the SSL settings do not work.
Maybe some problem with the SSO setup can cause SSL to fail?
My libamsdk SHA1 hash is:
SHA1(/opt/SUNWics5/cal/lib/libamsdk.so.2)= 494da30cb842964e26b491d5664c444202038e78
I installed the latest patch 121657-18.
Thanks in advance for any Idea...
H.
