I am trying to authenticate my client application with the server over https - i am using axis 1.4 jar. I am passing the correct JKS file to the truststore. However, i am getting following exception.
Caused by: javax.net.ssl.SSLException: Server key
at com.sun.net.ssl.internal.ssl.Handshaker.throwSSLException(Handshaker.java:927)
at com.sun.net.ssl.internal.ssl.ClientHandshaker.processMessage(ClientHandshaker.java:199)
at com.sun.net.ssl.internal.ssl.Handshaker.processLoop(Handshaker.java:593)
at com.sun.net.ssl.internal.ssl.Handshaker.process_record(Handshaker.java:529)
at com.sun.net.ssl.internal.ssl.SSLSocketImpl.readRecord(SSLSocketImpl.java:958)
at com.sun.net.ssl.internal.ssl.SSLSocketImpl.performInitialHandshake(SSLSocketImpl.java:1203)
at com.sun.net.ssl.internal.ssl.SSLSocketImpl.startHandshake(SSLSocketImpl.java:1230)
at com.sun.net.ssl.internal.ssl.SSLSocketImpl.startHandshake(SSLSocketImpl.java:1214)
at org.apache.axis.components.net.JSSESocketFactory.create(JSSESocketFactory.java:186)
at org.apache.axis.transport.http.HTTPSender.getSocket(HTTPSender.java:191)
at org.apache.axis.transport.http.HTTPSender.writeToSocket(HTTPSender.java:404)
at org.apache.axis.transport.http.HTTPSender.invoke(HTTPSender.java:138)
... 26 more
Caused by: java.security.spec.InvalidKeySpecException: does not support java.security.spec.ECPublicKeySpec
at com.certicom.ecc.jcae.ECKeyFactorySpi.engineGeneratePublic(Unknown Source)
at java.security.KeyFactory.generatePublic(KeyFactory.java:304)
at com.sun.net.ssl.internal.ssl.HandshakeMessage$ECDH_ServerKeyExchange.<init>(HandshakeMessage.java:910)
at com.sun.net.ssl.internal.ssl.ClientHandshaker.processMessage(ClientHandshaker.java:195)
... 36 more
It was identified that the ECDH cipher suite is not part of java 1.6 setup by default which causes the exception of ECDH spec not supported.
This was fixed by added this spec which comes in the bcprov-jdk1.6.jar (bouncycastle) in the java setup. To do this do following changes
java/jdk1.6.0_45\jre\lib\security\java.security
security.provider.1=org.bouncycastle.jce.provider.BouncyCastleProvider
[Note: security.provider.1 - numbering denotes the priority of choosing the cipher suite]
and add the bcprov-jdk1.6.jar inside jdk1.6.0_45\jre\lib\ext
Related
I'm new in ejbca and i have to install it on a virtual machine for job
Ubuntu 20.04
ejbca_7_4_3_2
wildfly-18.0.0.Final
mariadb-server version: 10.3.32-MariaDB-0ubuntu0.20.04.1 Ubuntu 20.04
openjdk version "1.8.0_312"
Apache Ant(TM) version 1.10.7 compiled on October 24 2019
After a few try's(and a lot of virtual machines cloned and deleted), i finally get the "build successfully" message with the commands ant runinstall and ant deploy-keystore
But when i try to use the URL https://localhost:8443/ejbca/ (the certificate SuperAdmin.p12 is installed) my browser(firefox 96.0 64bits) give the message
An error occurred during a connection to localhost:8443. Cannot communicate securely with peer: no common encryption algorithm(s).
Error code: SSL_ERROR_NO_CYPHER_OVERLAP
i have this errors on my log file, the first one related with ant -q clean deployear
and the last, appear every time i try to access via URL https://localhost:8443/ejbca/
ERROR [org.jboss.as.jsf] (MSC service thread 1-1) WFLYJSF0002: Could not load JSF managed bean class: org.ejbca.ui.web.admin.peerconnector.PeerConnectorMBean
ERROR [io.undertow.request] (default I/O-2) Closing SSLConduit after exception on handshake: javax.net.ssl.SSLHandshakeException: no cipher suites in common
at sun.security.ssl.Alert.createSSLException(Alert.java:131)
at sun.security.ssl.Alert.createSSLException(Alert.java:117)
at sun.security.ssl.TransportContext.fatal(TransportContext.java:311)
at sun.security.ssl.TransportContext.fatal(TransportContext.java:267)
at sun.security.ssl.TransportContext.fatal(TransportContext.java:258)
at sun.security.ssl.ServerHello$T12ServerHelloProducer.chooseCipherSuite(ServerHello.java:461)
at sun.security.ssl.ServerHello$T12ServerHelloProducer.produce(ServerHello.java:296)
at sun.security.ssl.SSLHandshake.produce(SSLHandshake.java:421)
at sun.security.ssl.ClientHello$T12ClientHelloConsumer.consume(ClientHello.java:1020)
at sun.security.ssl.ClientHello$ClientHelloConsumer.onClientHello(ClientHello.java:727)
at sun.security.ssl.ClientHello$ClientHelloConsumer.consume(ClientHello.java:693)
at sun.security.ssl.SSLHandshake.consume(SSLHandshake.java:377)
at sun.security.ssl.HandshakeContext.dispatch(HandshakeContext.java:444)
at sun.security.ssl.SSLEngineImpl$DelegatedTask$DelegatedAction.run(SSLEngineImpl.java:981)
at sun.security.ssl.SSLEngineImpl$DelegatedTask$DelegatedAction.run(SSLEngineImpl.java:968)
at java.security.AccessController.doPrivileged(Native Method)
at sun.security.ssl.SSLEngineImpl$DelegatedTask.run(SSLEngineImpl.java:915)
at io.undertow.protocols.ssl.SslConduit$5.run(SslConduit.java:1072)
at org.jboss.threads.ContextClassLoaderSavingRunnable.run(ContextClassLoaderSavingRunnable.java:35)
at org.jboss.threads.EnhancedQueueExecutor.safeRun(EnhancedQueueExecutor.java:1982)
at org.jboss.threads.EnhancedQueueExecutor$ThreadBody.doRunTask(EnhancedQueueExecutor.java:1486)
at org.jboss.threads.EnhancedQueueExecutor$ThreadBody.run(EnhancedQueueExecutor.java:1377)
at java.lang.Thread.run(Thread.java:748)
ERROR [io.undertow.request] (default I/O-2) Closing SSLConduit after exception
Sounds like a TLS configuration issue. You will find the TLS configuration you did when configuring WildFly in the commands you ran like:
/opt/wildfly/bin/jboss-cli.sh --connect '/subsystem=elytron/server-ssl-context=httpspriv:add(key-manager=httpsKM,protocols=["TLSv1.2"],use-cipher-suites-order=false,cipher-suite-filter="TLS_DHE_RSA_WITH_AES_128_GCM_SHA256,TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256",trust-manager=httpsTM,need-client-auth=true)'
The result is somewhere in standalone.xml in WildFly, and you can modify it directly in WildFly. For example if you have EC keys in the server certificate while using the above RSA algorithm selection.
In server.log you should also see when WildFly starts up if there are any error in parsing the values, or keystores.
Make sure that you server and client certificates have keys and algorithms that match the TLS algorithm settings, otherwise WildFly will remove those algortihms.
Again, I have some problems with Solr. I'm trying to set up a SolrCloud cluster with three ZooKeeper instances and two Solr instances. Communication should be secured with SSL. I used the official Solr wiki as manual: https://cwiki.apache.org/confluence/display/solr/Enabling+SSL
When I start the first Solr node everything works fine. I can access the Web UI via HTTPS and communication between Solr and ZooKeeper also works. But when I start the second Solr node in my cluster I get the following exception:
Error while trying to recover. core=core1_shard2_replica2:java.util.concurrent.ExecutionException: org.apache.solr.client.solrj.SolrServerException: IOException occured when talking to server at: https://ec2-xx-xx-xxx-xx.eu-central-1.compute.amazonaws.com:8983/solr
at java.util.concurrent.FutureTask.report(FutureTask.java:122)
at java.util.concurrent.FutureTask.get(FutureTask.java:192)
at org.apache.solr.cloud.RecoveryStrategy.sendPrepRecoveryCmd(RecoveryStrategy.java:593)
at org.apache.solr.cloud.RecoveryStrategy.doRecovery(RecoveryStrategy.java:350)
at org.apache.solr.cloud.RecoveryStrategy.run(RecoveryStrategy.java:221)
at java.util.concurrent.Executors$RunnableAdapter.call(Executors.java:511)
at java.util.concurrent.FutureTask.run(FutureTask.java:266)
at org.apache.solr.common.util.ExecutorUtil$MDCAwareThreadPoolExecutor.lambda$execute$22(ExecutorUtil.java:229)
at java.util.concurrent.ThreadPoolExecutor.runWorker(ThreadPoolExecutor.java:1142)
at java.util.concurrent.ThreadPoolExecutor$Worker.run(ThreadPoolExecutor.java:617)
at java.lang.Thread.run(Thread.java:745)
Caused by: org.apache.solr.client.solrj.SolrServerException: IOException occured when talking to server at: https://ec2-xx-xx-xxx-xx.eu-central-1.compute.amazonaws.com:8983/solr
at org.apache.solr.client.solrj.impl.HttpSolrClient.executeMethod(HttpSolrClient.java:604)
at org.apache.solr.client.solrj.impl.HttpSolrClient.lambda$httpUriRequest$13(HttpSolrClient.java:299)
... 5 more
Caused by: javax.net.ssl.SSLHandshakeException: sun.security.validator.ValidatorException: PKIX path validation failed: java.security.cert.CertPathValidatorException: signature check failed
at sun.security.ssl.Alerts.getSSLException(Alerts.java:192)
at sun.security.ssl.SSLSocketImpl.fatal(SSLSocketImpl.java:1949)
at sun.security.ssl.Handshaker.fatalSE(Handshaker.java:302)
at sun.security.ssl.Handshaker.fatalSE(Handshaker.java:296)
at sun.security.ssl.ClientHandshaker.serverCertificate(ClientHandshaker.java:1509)
at sun.security.ssl.ClientHandshaker.processMessage(ClientHandshaker.java:216)
at sun.security.ssl.Handshaker.processLoop(Handshaker.java:979)
at sun.security.ssl.Handshaker.process_record(Handshaker.java:914)
at sun.security.ssl.SSLSocketImpl.readRecord(SSLSocketImpl.java:1062)
at sun.security.ssl.SSLSocketImpl.performInitialHandshake(SSLSocketImpl.java:1375)
at sun.security.ssl.SSLSocketImpl.startHandshake(SSLSocketImpl.java:1403)
at sun.security.ssl.SSLSocketImpl.startHandshake(SSLSocketImpl.java:1387)
at org.apache.http.conn.ssl.SSLSocketFactory.connectSocket(SSLSocketFactory.java:543)
at org.apache.http.conn.ssl.SSLSocketFactory.connectSocket(SSLSocketFactory.java:409)
at org.apache.http.impl.conn.DefaultClientConnectionOperator.openConnection(DefaultClientConnectionOperator.java:177)
at org.apache.http.impl.conn.ManagedClientConnectionImpl.open(ManagedClientConnectionImpl.java:304)
at org.apache.http.impl.client.DefaultRequestDirector.tryConnect(DefaultRequestDirector.java:611)
at org.apache.http.impl.client.DefaultRequestDirector.execute(DefaultRequestDirector.java:446)
at org.apache.http.impl.client.AbstractHttpClient.doExecute(AbstractHttpClient.java:882)
at org.apache.http.impl.client.CloseableHttpClient.execute(CloseableHttpClient.java:82)
at org.apache.http.impl.client.CloseableHttpClient.execute(CloseableHttpClient.java:107)
at org.apache.http.impl.client.CloseableHttpClient.execute(CloseableHttpClient.java:55)
at org.apache.solr.client.solrj.impl.HttpSolrClient.executeMethod(HttpSolrClient.java:495)
... 6 more
Caused by: sun.security.validator.ValidatorException: PKIX path validation failed: java.security.cert.CertPathValidatorException: signature check failed
at sun.security.validator.PKIXValidator.doValidate(PKIXValidator.java:352)
at sun.security.validator.PKIXValidator.engineValidate(PKIXValidator.java:260)
at sun.security.validator.Validator.validate(Validator.java:260)
at sun.security.ssl.X509TrustManagerImpl.validate(X509TrustManagerImpl.java:324)
at sun.security.ssl.X509TrustManagerImpl.checkTrusted(X509TrustManagerImpl.java:229)
at sun.security.ssl.X509TrustManagerImpl.checkServerTrusted(X509TrustManagerImpl.java:124)
at sun.security.ssl.ClientHandshaker.serverCertificate(ClientHandshaker.java:1491)
... 24 more
Caused by: java.security.cert.CertPathValidatorException: signature check failed
at sun.security.provider.certpath.PKIXMasterCertPathValidator.validate(PKIXMasterCertPathValidator.java:135)
at sun.security.provider.certpath.PKIXCertPathValidator.validate(PKIXCertPathValidator.java:219)
at sun.security.provider.certpath.PKIXCertPathValidator.validate(PKIXCertPathValidator.java:140)
at sun.security.provider.certpath.PKIXCertPathValidator.engineValidate(PKIXCertPathValidator.java:79)
at java.security.cert.CertPathValidator.validate(CertPathValidator.java:292)
at sun.security.validator.PKIXValidator.doValidate(PKIXValidator.java:347)
... 30 more
Caused by: java.security.SignatureException: Signature does not match.
at sun.security.x509.X509CertImpl.verify(X509CertImpl.java:424)
at sun.security.provider.certpath.BasicChecker.verifySignature(BasicChecker.java:166)
at sun.security.provider.certpath.BasicChecker.check(BasicChecker.java:147)
at sun.security.provider.certpath.PKIXMasterCertPathValidator.validate(PKIXMasterCertPathValidator.java:125)
So it seems that Solr does not accept the self-signed certificate. The option -Dsolr.ssl.checkPeerName=false as stated in the Solr Wiki has no effect (I put this parameter in the solr.in.sh script). I have to admit I'm pretty clueless right now :(
Does anyone have any idea what I could do to make the inter-Solr-node communication work?
BTW: I'm on Solr 6.1.0, and before I activated SSL everything worked like a charm.
Thanks a lot!
You can also add second node's certificate to the first node's keystore and also add first node's certificate to the second node's keystore via following command:
keytool -import -alias ca -file other_node_cert -keystore solr-ssl.keystore.jks
Then you can use self-signed certificate.
Looking at exception details it appears to be a handshake issue between java client code and the ssl enabled server. The JRE involved here probably doesn't trust the certificate. You can try to mark the cert as a trusted one (include in JRE truststore). Check JRE version specific documentation for steps to update truststore.
I do not understand the origin of this issue:
com.ibm.sslite.d: reason=2; alert=40; exception=null
It happens when i call:
int statusCode = httpClient.executeMethod(method);
It might be related to the SSL protocol and maybe websphere is quite old and incompatible.
12:56:46 [sid=] [uid=] [oid=] - ERROR com.darty.ecom.frontoffice.newespaceclient.core.service.cev.CevProxyConnection - CEV > STACK TRACE >
com.ibm.sslite.d: reason=2; alert=40; exception=null
at com.ibm.sslite.m.a(m.java:50)
at com.ibm.sslite.t.b(t.java:113)
at com.ibm.sslite.t.a(t.java:43)
at com.ibm.sslite.a.read(a.java:7)
at com.ibm.jsse.a.read(Unknown Source)
at java.io.BufferedInputStream.fill(BufferedInputStream.java:200)
at java.io.BufferedInputStream.read(BufferedInputStream.java:218)
at org.apache.commons.httpclient.HttpParser.readRawLine(HttpParser.java:77)
at org.apache.commons.httpclient.HttpParser.readLine(HttpParser.java:105)
at org.apache.commons.httpclient.HttpConnection.readLine(HttpConnection.java:1115)
at org.apache.commons.httpclient.MultiThreadedHttpConnectionManager$HttpConnectionAdapter.readLine(MultiThreadedHttpConnectionManager.java:1373)
at org.apache.commons.httpclient.HttpMethodBase.readStatusLine(HttpMethodBase.java:1832)
at org.apache.commons.httpclient.HttpMethodBase.readResponse(HttpMethodBase.java:1590)
at org.apache.commons.httpclient.HttpMethodBase.execute(HttpMethodBase.java:995)
at org.apache.commons.httpclient.HttpMethodDirector.executeWithRetry(HttpMethodDirector.java:397)
at org.apache.commons.httpclient.HttpMethodDirector.executeMethod(HttpMethodDirector.java:170)
at org.apache.commons.httpclient.HttpClient.executeMethod(HttpClient.java:396)
at org.apache.commons.httpclient.HttpClient.executeMethod(HttpClient.java:324)
at com.darty.ecom.frontoffice.newespaceclient.core.service.cev.CevProxyConnection.executeMethod(CevProxyConnection.java:137)
the same error in the integration environmenent is a little different and says:
javax.net.ssl.SSLHandshakeException: Received fatal alert: handshake_failure
That means the server-side sent a TLS alert telling you the handshake failed. (alert#40) You'll need to debug the why on the server -- maybe it requries TLS client authentication, maybe your client only uses ancient protocols/ciphers or visa versa.
I am testing some functionality on server. It was working fine till yesterday. Today they have enabled ssl to server (i.e, From http to https). Now when I am running my test plans I'm getting the following error. How can I resolve this issue.
Though I am changing the protocol value to https in my request I'm getting the following error,
javax.net.ssl.SSLException: java.lang.RuntimeException: Could not generate DH keypair
at com.sun.net.ssl.internal.ssl.Alerts.getSSLException(Unknown Source)
at com.sun.net.ssl.internal.ssl.SSLSocketImpl.fatal(Unknown Source)
at com.sun.net.ssl.internal.ssl.SSLSocketImpl.fatal(Unknown Source)
at com.sun.net.ssl.internal.ssl.SSLSocketImpl.handleException(Unknown Source)
at com.sun.net.ssl.internal.ssl.SSLSocketImpl.startHandshake(Unknown Source)
at com.sun.net.ssl.internal.ssl.SSLSocketImpl.startHandshake(Unknown Source)
at org.apache.http.conn.ssl.SSLSocketFactory.connectSocket(SSLSocketFactory.java:436)
at org.apache.http.impl.conn.DefaultClientConnectionOperator.openConnection(DefaultClientConnectionOperator.java:180)
at org.apache.http.impl.conn.ManagedClientConnectionImpl.open(ManagedClientConnectionImpl.java:294)
at org.apache.http.impl.client.DefaultRequestDirector.tryConnect(DefaultRequestDirector.java:643)
at org.apache.http.impl.client.DefaultRequestDirector.execute(DefaultRequestDirector.java:479)
at org.apache.http.impl.client.AbstractHttpClient.execute(AbstractHttpClient.java:906)
at org.apache.http.impl.client.AbstractHttpClient.execute(AbstractHttpClient.java:805)
at org.apache.jmeter.protocol.http.sampler.HTTPHC4Impl.executeRequest(HTTPHC4Impl.java:481)
at org.apache.jmeter.protocol.http.sampler.HTTPHC4Impl.sample(HTTPHC4Impl.java:298)
at org.apache.jmeter.protocol.http.sampler.HTTPSamplerProxy.sample(HTTPSamplerProxy.java:74)
at org.apache.jmeter.protocol.http.sampler.HTTPSamplerBase.sample(HTTPSamplerBase.java:1105)
at org.apache.jmeter.protocol.http.sampler.HTTPSamplerBase.sample(HTTPSamplerBase.java:1094)
at org.apache.jmeter.threads.JMeterThread.process_sampler(JMeterThread.java:429)
at org.apache.jmeter.threads.JMeterThread.run(JMeterThread.java:257)
at java.lang.Thread.run(Unknown Source)
Caused by: java.lang.RuntimeException: Could not generate DH keypair
at com.sun.net.ssl.internal.ssl.DHCrypt.<init>(Unknown Source)
at com.sun.net.ssl.internal.ssl.ClientHandshaker.serverKeyExchange(Unknown Source)
at com.sun.net.ssl.internal.ssl.ClientHandshaker.processMessage(Unknown Source)
at com.sun.net.ssl.internal.ssl.Handshaker.processLoop(Unknown Source)
at com.sun.net.ssl.internal.ssl.Handshaker.process_record(Unknown Source)
at com.sun.net.ssl.internal.ssl.SSLSocketImpl.readRecord(Unknown Source)
at com.sun.net.ssl.internal.ssl.SSLSocketImpl.performInitialHandshake(Unknown Source)
... 17 more
Caused by: java.security.InvalidAlgorithmParameterException: Prime size must be multiple of 64, and can only range from 512 to 1024 (inclusive)
at com.sun.crypto.provider.DHKeyPairGenerator.initialize(DashoA13*..)
at java.security.KeyPairGenerator$Delegate.initialize(Unknown Source)
... 24 more
What was the reason for it? Do I need to add anything in my request?
Dupe of Java: Why does SSL handshake give 'Could not generate DH keypair' exception?
and Java 7 and Could not generate DH keypair except update Java8 has lifted the DH limit to 2048.
This occurs when your client Java (JSSE) and the server negotiate a ciphersuite using ephemeral Diffie-Hellman (DHE) and the server uses D-H size larger than 1024 bits and your client Java doesn't support it. This depends on the combination of your client Java version and the server implementation and (usually) configuration, which you don't specify.
If your client (here jmeter) runs on Java6 or Java7, it cannot handle DH size over 1024, which is now considered necessary for security and required by authorities like NIST for the US government. Solutions in descending desirability are:
run client on Java8 (assuming server only wants DHE 2048 bits as is now standard/conventional)
if the server also supports ECDHE, and either prefers it over DHE or honors client preference, use edit any Java8 or /edit recent Java7 (which supports ECDHE and prefers it after about 7u09) or use Java6 with an ECC provider added (which supports and prefers ECDHE) (but Java6 is no longer supported and thus a Bad Idea in general, as well as possibly not supporting a recently-compiled client).
if the server also supports plain-RSA (no ephemeral) change your client to only negotiate that. For standard Java HttpsURLConnection this can be done with system property https.cipherSuites; I don't know if Apache httpclient does the same or equivalent. This does not provide Perfect Forward Secrecy for your client, which is less than ideal but more than nothing.
change the server to use DHE of 1024 bits (a little less secure for other clients) or only plain-RSA (even less secure for others)
I have the PushAdapter from the example push notification defined in an new project, and, I've added the apns-certificate-sandbox.p12 to the native api application (a native api), added the correct bundleId value in the application-descriptor.xml, but, I keep getting this error:
[WARNING ] Failed to retreive invalid devices
javax.net.ssl.SSLHandshakeException: Received fatal alert: certificate_unknown
[ERROR ] Couldn't get feedback connection
javax.net.ssl.SSLHandshakeException: Received fatal alert: certificate_unknown
[ERROR ] Unknown exception: javax.net.ssl.SSLHandshakeException: Received fatal alert: certificate_unknown
Unknown exception: javax.net.ssl.SSLHandshakeException: Received fatal alert: certificate_unknown
This is a new installation of Worklight (6.0.0.20130909-1459), and I've tried two separate installations (one into Eclipse and one into RAD), both same errors.
Is there some additional work that needs to be done for push testing to work in the Worklight Development Server (Websphere Liberty) environment for SSL to work? There aren't any devices subscribed yet, but, not sure why this error is occurring or if it's relevant at all.
The detailed trace is here:
[11/1/13 11:50:20:834 EDT] 00000034 com.worklight.core.exceptions.InstrumentedException E Unknown exception: javax.net.ssl.SSLHandshakeException: Received fatal alert: certificate_unknown
com.worklight.core.exceptions.InstrumentedException: Unknown exception: javax.net.ssl.SSLHandshakeException: Received fatal alert: certificate_unknown
at com.worklight.core.exceptions.DefaultExceptionHandler.handleException(DefaultExceptionHandler.java:56)
at com.worklight.core.tasks.TaskThread.run(TaskThread.java:113)
Caused by: java.lang.RuntimeException: javax.net.ssl.SSLHandshakeException: Received fatal alert: certificate_unknown
at com.notnoop.apns.internal.Utilities.parseFeedbackStreamRaw(Utilities.java:201)
at com.notnoop.apns.internal.Utilities.parseFeedbackStream(Utilities.java:211)
at com.notnoop.apns.internal.ApnsFeedbackConnection.getInactiveDevicesImpl(ApnsFeedbackConnection.java:87)
at com.notnoop.apns.internal.ApnsFeedbackConnection.getInactiveDevices(ApnsFeedbackConnection.java:67)
at com.notnoop.apns.internal.AbstractApnsService.getInactiveDevices(AbstractApnsService.java:99)
at com.notnoop.apns.internal.ApnsServiceImpl.getInactiveDevices(ApnsServiceImpl.java:36)
at com.worklight.integration.notification.apns.ApplicationConnection.getInactiveDevices(ApplicationConnection.java:110)
at com.worklight.integration.notification.apns.APNSMediator.maintain(APNSMediator.java:95)
at com.worklight.integration.notification.Dispatcher.maintain(Dispatcher.java:148)
at com.worklight.integration.notification.NotificationCleanupTask.step(NotificationCleanupTask.java:29)
at com.worklight.core.tasks.TaskThread.run(TaskThread.java:111)
Caused by: javax.net.ssl.SSLHandshakeException: Received fatal alert: certificate_unknown
at sun.security.ssl.Alerts.getSSLException(Alerts.java:192)
at sun.security.ssl.Alerts.getSSLException(Alerts.java:154)
at sun.security.ssl.SSLSocketImpl.recvAlert(SSLSocketImpl.java:1961)
at sun.security.ssl.SSLSocketImpl.readRecord(SSLSocketImpl.java:1077)
at sun.security.ssl.SSLSocketImpl.performInitialHandshake(SSLSocketImpl.java:1312)
at sun.security.ssl.SSLSocketImpl.readDataRecord(SSLSocketImpl.java:882)
at sun.security.ssl.AppInputStream.read(AppInputStream.java:102)
at sun.security.ssl.AppInputStream.read(AppInputStream.java:69)
at java.io.DataInputStream.readInt(DataInputStream.java:387)
at com.notnoop.apns.internal.Utilities.parseFeedbackStreamRaw(Utilities.java:192)
... 10 more
This looks like an error from the server trying to test a connection to the Apple Push/Feedback service.
A couple of things to check:
Is the application built for development or distribution?
If development, ensure you are using the Development SSL certificate. Export both the certificate and private key into a file named: apns-certificate-sandbox.p12
If distribution, ensure you are using the Production SSL certificate. Export both the certificate and private key into the a file named: apns-certificate-production.p12
Ensure the .p12 file was created correctly and that you specified the corresponding password in the application descriptor file.
Ensure that your Worklight server can access the APNs hosts/ports for the push and for feedback service. i.e Firewall ports need to be opened for the following:
gateway.push.apple.com, port 2195
gateway.sandbox.push.apple.com, port 2195
feedback.push.apple.com, port 2196
feedback.sandbox.push.apple.com on port 2196
Worklight product never used http://code.google.com/p/javapns for push, it is using com.notnoop.apns . This package works well with Oracle JDK 1.6 and 1.7
Can you shed some more light on which JDK exactly version were you using ?
I tested push sample on the embedded Liberty+Oracle JDK 1.7_07b +iPhone 5 and it worked.
how did you create this certificate ? can you write here step-by-step what you did? (and specify every file you copied,edited i the way)
If you are asking about using javaPNS: Ofcourse, since its an open framework, you could manually copy (and use) any jar into your Worklight project as a 3rd party dependency, however, it seems that this javaPNS jar has some bugs with SSL.
Why don't you look at the Worklight's push notification samples and work your way from there ( http://www.ibm.com/developerworks/mobile/worklight/getting-started.html#client-basics ) ? (Worklight comes with a working push notification solution , works on JDK1.6 or 1.7 without issues with your PKCS12 certificates)
On my side it has been veririfed that in OS X (sometimes in Windows too actually), the certificate_unknown error is thrown when using JRE 7 instead of JRE 6. It seems that the notnoop open source library used in Worklight is not handling well Java 7.
https://github.com/notnoop/java-apns/issues/54