Genesys CTI User Forum

Genesys CTI User Forum => Genesys CTI Technical Discussion => Topic started by: pablocaamano on November 30, 2015, 09:06:43 PM

Title: Email Server SSL Connection Problem
Post by: pablocaamano on November 30, 2015, 09:06:43 PM
Hi Everybody,

I hope everyone is fine!

I am just trying to make ESJ work with Exchange 10 using SSL.

I followed the Deploying an E-Mail System in Secured Mode procedure of the eServices Deployment Guide, but it is still not working.

I really hope anybody could help me with that.

Here is the configuration of ESJ:

[pop-client]
address=genesys@_domain
allow-bad-msg-size=FALSE
connect-timeout=00:05:00
cycle-time=00:00:30
delete-bad-formatted-msg=FALSE
delete-big-msg=FALSE
enable-big-msg-stripping=TRUE
enable-client=TRUE
enable-debug=FALSE
endpoint=default
leave-msg-on-server=true
mailbox=genesys
maximum-msg-number=500
maximum-msg-size=5
password=_the_password
pop-connection-security=ssl-tls
port=993
protocol-timeout=00:05:00
server=_the_server
type=IMAP

As the documentation suggested, I have also included the -Djavax.net.ssl.trustStore parameter in the JavaEmailServerDriver.ini file.

The .truststore file was generated by the client; he also generated a .cer file.
If I try to connect using Thunderbird everything is OK (I know Thunderbird uses the .cer file instead of the .truststore, but at least I can say connectivity is OK).

Here is the emailserver error log:
17:46:04.109 Std 20015 [MsgIn-1] <pop-client> JavaMail Exception.
javax.mail.MessagingException: Unable to establish handshake using SSL - server may be expecting plain text connection;
  nested exception is:
javax.net.ssl.SSLException: Unable to establish handshake using SSL - server may be expecting plain text connection
at com.sun.mail.imap.IMAPStore.protocolConnect(IMAPStore.java:695)
at javax.mail.Service.connect(Service.java:381)
at com.genesyslab.icc.emailserver.MailDeliveryAgentImpl.openConnection(MailDeliveryAgentImpl.java:260)
at com.genesyslab.icc.emailserver.InboundMessagingClient$SessionRunLoop.retrieveMessages(InboundMessagingClient.java:1121)
at com.genesyslab.icc.emailserver.InboundMessagingClient$SessionRunLoop.run(InboundMessagingClient.java:993)
at java.util.concurrent.ThreadPoolExecutor.runWorker(ThreadPoolExecutor.java:1145)
at java.util.concurrent.ThreadPoolExecutor$Worker.run(ThreadPoolExecutor.java:615)
at com.genesyslab.util.concurrent16.NamedThreadFactory$1.run(NamedThreadFactory.java:55)
at java.lang.Thread.run(Thread.java:745)
Caused by: javax.net.ssl.SSLException: Unable to establish handshake using SSL - server may be expecting plain text connection
at com.sun.mail.util.SocketFetcher.getSocket(SocketFetcher.java:245)
at com.sun.mail.iap.Protocol.<init>(Protocol.java:116)
at com.sun.mail.imap.protocol.IMAPProtocol.<init>(IMAPProtocol.java:121)
at com.sun.mail.imap.IMAPStore.newIMAPProtocol(IMAPStore.java:710)
at com.sun.mail.imap.IMAPStore.protocolConnect(IMAPStore.java:659)
... 8 more

17:46:04.109 Dbg 23005 [MsgIn-1] <pop-client> Inbound messaging client finished.

Any idea? ???
Is there any way I could verify the .truststore file? ???

Thanks and regards. ;D
Title: Re: Email Server SSL Connection Problem
Post by: cavagnaro on November 30, 2015, 09:21:30 PM
Import via the import tool ESJ has on it
Title: Re: Email Server SSL Connection Problem
Post by: Kubig on December 01, 2015, 09:02:17 AM
You can check it via the standard keytool utility, which is provided by Java in general; on the internet you can find many step-by-step descriptions of how to do it. On the other hand, you can enable debugging on the IMAP/POP3 protocol level to be able to track the communication between the Exchange server and ESJ as the client. From the posted log it seems that the used certs are not matching or something like that.
Title: Re: Email Server SSL Connection Problem
Post by: pablocaamano on December 01, 2015, 02:37:55 PM
Hi kubig,

As far as I could check using keytool, the .truststore I generated (based on .cer) is ok.

Here is the keytool print:
Tipo de almacén de claves: JKS
Proveedor de almacén de claves: SUN

Su almacén de claves contiene entrada 1

exchub01.bancocomercial.com.uy, 01/12/2015, trustedCertEntry,
Huella digital de certificado (MD5): 9D:AF:2F:74:1F:46:57:F4:00:44:2D:E3:1F:16:D5:F3

(Sorry, it is in Spanish.)

In the JavaEmailServerDriver.ini, the -Djavax.net.ssl.trustStore has to point to the .truststore; does the path have to include .truststore (the file extension)?

I have no idea what else I could check...
Title: Re: Email Server SSL Connection Problem
Post by: pablocaamano on December 01, 2015, 05:57:31 PM
[quote author=cavagnaro link=topic=9238.msg41597#msg41597 date=1448918490]
Import via the import tool ESJ has on it
[/quote]

Hi Cavagnaro,
Where can I find the ESJ import tool? I searched in the installation directory and further inside and I did not find it.
Thanks.
Title: Re: Email Server SSL Connection Problem
Post by: cavagnaro on December 01, 2015, 05:58:30 PM
It is the tool you mentioned. Read the documentation; it describes how to do the import.
Or search about Java and certificates.
Title: Re: Email Server SSL Connection Problem
Post by: pablocaamano on December 01, 2015, 06:16:07 PM
As far as I know, ESJ does not have keytool on it. Keytool is a Java tool; it does not come with the ESJ distribution. Am I correct?

As I mentioned before, I have used keytool to import the certificate; I used the keytool from a Java distribution that I have installed on my server...

Title: Re: Email Server SSL Connection Problem
Post by: cavagnaro on December 01, 2015, 07:00:51 PM
You are right, just checked my ESJ new folders.

Please check my OneNote "notes" about this:
[url=http://www.filedropper.com/casodesslenimap4pop3paraemailocualquieraqueusejava]http://www.filedropper.com/casodesslenimap4pop3paraemailocualquieraqueusejava[/url]
Title: Re: Email Server SSL Connection Problem
Post by: pablocaamano on December 01, 2015, 08:33:57 PM
Thanks very much Cavagnaro!!

With the .java you shared and the procedure, I was able to add the certificate to my keystore! Definitely I was making some mistake with keytool...
Now it is working okay.
Just for the record, I chose to add the generated truststore to the Java home directory.

Thanks again!!

Regards,
Pablo.
Title: Re: Email Server SSL Connection Problem
Post by: rifai on December 15, 2015, 08:54:50 AM
Dear Pablo,

I am facing the same problem in ESJ, that the server requires a plain text connection. Can you share the steps or procedures which you have done in your ESJ configuration? Please share that .java as well.
Title: Re: Email Server SSL Connection Problem
Post by: Kubig on December 15, 2015, 09:55:55 AM
You can try the Java parameters:

-Dmail.imap.auth.plain.disable

Check the java doc for these parameters.
Title: Re: Email Server SSL Connection Problem
Post by: cavagnaro on December 15, 2015, 11:57:45 AM
My procedure is there, shared, ready to be downloaded... Can't you read a post above? Arrgggggg how I hate lazy people like this
Title: Re: Email Server SSL Connection Problem
Post by: rifai on December 15, 2015, 12:12:38 PM
Yes, I did, and I am unable to download the file which you have shared at the provided link. Can you let me know where I should configure or add this:

-Dmail.imap.auth.plain.disable
Title: Re: Email Server SSL Connection Problem
Post by: pablocaamano on December 15, 2015, 12:15:19 PM
Hi rifai,

Please follow the instructions shared by cavagnaro; there you will find everything you need to achieve the connection implementing SSL.
I followed these instructions and the Deploying an E-Mail System in Secured Mode procedure of the eServices Deployment Guide.

If you have any question please post it here.
Title: Re: Email Server SSL Connection Problem
Post by: Kubig on December 15, 2015, 12:15:31 PM
A little bit more effort, please. Because the value is Java based, it is necessary to configure it on the init level; so, it means on the ini file level (on the Windows platform) or sh file level (on the Linux platform). It is described in any documentation and of course it is standard Java-based, nothing special about Genesys itself.
Title: Re: Email Server SSL Connection Problem
Post by: rifai on December 16, 2015, 06:44:02 AM
Kubig,

I tried with the following parameters. I am still facing the same issue:

-Dmail.imap.auth.login.disable=false
-Dmail.imap.auth.plain.disable=true

10:36:21.641 Dbg 23021 [OutSbSchd] Found 0 matching messages in database in 13 ms
10:36:21.642 Dbg 23022 [OutSbSchd] Queue size : 0 (no new messages found).
10:36:21.762 Dbg 23192 [MsgIn-1] <pop-client> Thread 'MsgIn-1' registers to shutdown notification.
10:36:21.762 Trc 21621 [MsgIn-1] <pop-client> Running inbound messaging client.
10:36:21.763 Dbg 29999 [MsgIn-1] <pop-client> factory creating impl for pop/imap server
10:36:21.767 Dbg 25112 [MsgIn-1] <pop-client> JavaMail POP: DEBUG: mail.imap.class property exists and points to com.sun.mail.imap.IMAPSSLStore
10:36:21.767 Dbg 25112 [MsgIn-1] <pop-client> JavaMail POP: DEBUG IMAP: mail.imap.fetchsize: 16384
10:36:21.767 Dbg 25112 [MsgIn-1] <pop-client> JavaMail POP: DEBUG IMAP: mail.imap.ignorebodystructuresize: false
10:36:21.767 Dbg 25112 [MsgIn-1] <pop-client> JavaMail POP: DEBUG IMAP: mail.imap.statuscachetimeout: 1000
10:36:21.768 Dbg 25112 [MsgIn-1] <pop-client> JavaMail POP: DEBUG IMAP: mail.imap.appendbuffersize: -1
10:36:21.768 Dbg 25112 [MsgIn-1] <pop-client> JavaMail POP: DEBUG IMAP: mail.imap.minidletime: 10
10:36:21.768 Dbg 25112 [MsgIn-1] <pop-client> JavaMail POP: DEBUG IMAP: trying to connect to host "10.200.20.40", port 993, isSSL true
10:36:21.777 Std 29997 [MsgIn-1] <pop-client> javax.net.ssl.SSLException: Unable to establish handshake using SSL - server may be expecting plain text connection
10:36:21.778 Std 29997 [MsgIn-1] <pop-client> at com.sun.mail.util.SocketFetcher.configureSSLSocket(SocketFetcher.java:576)
10:36:21.778 Std 29997 [MsgIn-1] <pop-client> at com.sun.mail.util.SocketFetcher.createSocket(SocketFetcher.java:381)
10:36:21.779 Std 29997 [MsgIn-1] <pop-client> at com.sun.mail.util.SocketFetcher.getSocket(SocketFetcher.java:232)
10:36:21.779 Std 29997 [MsgIn-1] <pop-client> at com.sun.mail.iap.Protocol.<init>(Protocol.java:116)
10:36:21.779 Std 29997 [MsgIn-1] <pop-client> at com.sun.mail.imap.protocol.IMAPProtocol.<init>(IMAPProtocol.java:121)
10:36:21.780 Std 29997 [MsgIn-1] <pop-client> at com.sun.mail.imap.IMAPStore.newIMAPProtocol(IMAPStore.java:710)
10:36:21.780 Std 29997 [MsgIn-1] <pop-client> at com.sun.mail.imap.IMAPStore.protocolConnect(IMAPStore.java:659)
10:36:21.781 Std 29997 [MsgIn-1] <pop-client> at javax.mail.Service.connect(Service.java:381)
10:36:21.781 Std 29997 [MsgIn-1] <pop-client> at com.genesyslab.icc.emailserver.MailDeliveryAgentImpl.openConnection(MailDeliveryAgentImpl.java:260)
10:36:21.782 Std 29997 [MsgIn-1] <pop-client> at com.genesyslab.icc.emailserver.InboundMessagingClient$SessionRunLoop.retrieveMessages(InboundMessagingClient.java:1121)
10:36:21.782 Std 29997 [MsgIn-1] <pop-client> at com.genesyslab.icc.emailserver.InboundMessagingClient$SessionRunLoop.run(InboundMessagingClient.java:993)
10:36:21.783 Std 29997 [MsgIn-1] <pop-client> at java.util.concurrent.ThreadPoolExecutor.runWorker(ThreadPoolExecutor.java:1145)
10:36:21.783 Std 29997 [MsgIn-1] <pop-client> at java.util.concurrent.ThreadPoolExecutor$Worker.run(ThreadPoolExecutor.java:615)
10:36:21.783 Std 29997 [MsgIn-1] <pop-client> at com.genesyslab.util.concurrent16.NamedThreadFactory$1.run(NamedThreadFactory.java:55)
10:36:21.784 Std 29997 [MsgIn-1] <pop-client> at java.lang.Thread.run(Thread.java:745)
10:36:21.784 Std 20015 [MsgIn-1] <pop-client> JavaMail Exception.
[color=red]javax.mail.MessagingException: Unable to establish handshake using SSL - server may be expecting plain text connection;
  nested exception is:
javax.net.ssl.SSLException: Unable to establish handshake using SSL - server may be expecting plain text connection[/color]
at com.sun.mail.imap.IMAPStore.protocolConnect(IMAPStore.java:695)
at javax.mail.Service.connect(Service.java:381)
at com.genesyslab.icc.emailserver.MailDeliveryAgentImpl.openConnection(MailDeliveryAgentImpl.java:260)
at com.genesyslab.icc.emailserver.InboundMessagingClient$SessionRunLoop.retrieveMessages(InboundMessagingClient.java:1121)
at com.genesyslab.icc.emailserver.InboundMessagingClient$SessionRunLoop.run(InboundMessagingClient.java:993)
at java.util.concurrent.ThreadPoolExecutor.runWorker(ThreadPoolExecutor.java:1145)
at java.util.concurrent.ThreadPoolExecutor$Worker.run(ThreadPoolExecutor.java:615)
at com.genesyslab.util.concurrent16.NamedThreadFactory$1.run(NamedThreadFactory.java:55)
at java.lang.Thread.run(Thread.java:745)
Caused by: javax.net.ssl.SSLException: [color=red]Unable to establish handshake using SSL - server may be expecting plain text connection[/color]
at com.sun.mail.util.SocketFetcher.getSocket(SocketFetcher.java:245)
at com.sun.mail.iap.Protocol.<init>(Protocol.java:116)
at com.sun.mail.imap.protocol.IMAPProtocol.<init>(IMAPProtocol.java:121)
at com.sun.mail.imap.IMAPStore.newIMAPProtocol(IMAPStore.java:710)
at com.sun.mail.imap.IMAPStore.protocolConnect(IMAPStore.java:659)
... 8 more

10:36:21.785 Dbg 23005 [MsgIn-1] <pop-client> Inbound messaging client finished.
10:36:31.467 Dbg 23030 [TimerTask] LogReconfigureTask is now running.
10:36:31.467 Dbg 23032 [TimerTask] LogReconfigureTask cycleTime = 30000 ms.
Title: Re: Email Server SSL Connection Problem
Post by: Kubig on December 16, 2015, 07:37:46 AM
Enable debug logging on the IMAP box level (on ESJ) to see what happens within the IMAP communication; after that you would be able to recognize what options have to be added.
Title: Re: Email Server SSL Connection Problem
Post by: Andrei Stanciu on January 27, 2017, 05:04:10 PM
[quote author=cavagnaro link=topic=9238.msg41613#msg41613 date=1448996451]
You are right, just checked my ESJ new folders.

Please check my oneNote "notes" about this
[url=http://www.filedropper.com/casodesslenimap4pop3paraemailocualquieraqueusejava]http://www.filedropper.com/casodesslenimap4pop3paraemailocualquieraqueusejava[/url]
[/quote]
Cavagnaro, hello. Can you please re-upload the files? The link has expired, I think.
I am facing the same issue and I have spent a day trying to figure it out.
Title: Re: Email Server SSL Connection Problem
Post by: n3vek7 on January 31, 2017, 04:34:59 AM
Well, it seems that I'm also running into this issue... cavagnaro, do you still have those notes?

[code]
23:25:37.214 Std 25080 [SvcSrvW-44] <322> Exception message: Connnection to SMTP Server host 'smtp.office365.com', port 587 failed..
23:25:37.214 Trc 25097 [SvcSrvW-44] <322> Response:
Id=322
Type=Fault
AppName=DEMO_ESJ
AppType=EMAIL_SERVER
Service=Email
Method=Send.
23:25:37.230 Trc 25098 [SvcSrvW-44] <322> 'Email.Send' (request id 322) handling duration : 204 ms.
23:25:37.230 Std 29997 [SvcSrvW-47] <323 023GT72RJ02FC003> javax.net.ssl.SSLException: Unable to establish handshake using SSL - server may be expecting plain text connection
[/code]

It's late, I'll try tomorrow the following instructions from the deployment guide. Andrei Stanciu, did you try it?

[b]Prerequisites:[/b]
• The .truststore file has been created.
1. Open JavaEmailServerDriver.ini in a text editor.
2. In the [JavaArgs] section, add the following: -Djavax.net.ssl.trustStore=<path to certificate>
3. Save and close the file.

Configuring the Corporate E-mail Server
[b]Configure TLS/SSL in the Corporate E-mail Server. Follow the constructor recommendations to generate a certificate and configure TLS/SSL on ports POP3, IMAP and SMTP.[/b]
The following is an example of generation of a certificate with keytool (keytool is a Java utility that is available with the JRE. The utility can be found in <eServices_Install_Dir>/jre/bin for Unix operating systems, and in <eServices_Install_Dir>\jre\bin for Windows operating systems):
[code]
keytool -genkey -v -alias hostname.example.com
  -dname "CN=hostname.example.com,OU=IT,O=ourcompany,C=FR" -keypass <certificate_password>
  -keystore <certificate_name>.keystore -storepass <certificate_password>
  -keyalg "RSA" -sigalg "SHA1withRSA" -keysize 2048 -validity 3650
[/code]
The arguments used in this command are the following:
• -alias—Defines an alias in keystore, to store the key.
• -dname—Distinguished Name, a comma-separated list made up of the following, in the following order:
◦ CN—Common Name. This must be the name of the host where the corporate e-mail server is running. It must be the host name used in E-mail Server's settings; for example, if connecting to a POP3 server, the option server in the pop-client section must have this value.
◦ OU—Organizational Unit Name
◦ O—Organization Name
◦ L—Locality Name (city)
◦ S—State
◦ C—Country Name
• -keypass—Password of the key of the certificate.
• -keystore—Specifies the keystore used.
• -storepass—Password of the keystore.
• -keyalg—Algorithm used to generate the key. Possible values are DSA and RSA. More information is available at http://docs.oracle.com/javase.
• -sigalg—Specifies the algorithm used to sign the key.
• -keysize—Specifies the size of the key.
• -validity—Defines the validity of the certificate, in days. The value in the example is 3,650 days, or 10 years.
Title: Re: Email Server SSL Connection Problem
Post by: n3vek7 on January 31, 2017, 04:57:43 AM
By the way, I searched for a long time for the "famous" keytool, and it's under the JDK folder of Java, for example:
C:\Program Files\Java\jdk1.8.0_65\bin\keytool.exe
Title: Re: Email Server SSL Connection Problem
Post by: hsujdik on January 31, 2017, 07:47:13 PM
What do you get when you telnet to the host/port of the IMAP server and perform the command "a0 capability" (without the quotes)?
[s]Also, recently, Windows has stopped supporting SHA-1 certificates. Perhaps this explains why there were two reports of this issue in this brief time[/s] (Edit: Disregard... I reviewed the publication and it seems that only the Microsoft Browsers are not supporting it anymore)
Title: Re: Email Server SSL Connection Problem
Post by: cavagnaro on January 31, 2017, 09:07:18 PM
Basically, you want to add the server's certificate to the KeyStore with your trusted certificates. There are any number of ways to achieve that, but a simple solution is to compile and run the attached program as java InstallCert hostname, for example:

% java InstallCert ecc.fedora.redhat.com

Loading KeyStore /usr/jdk/instances/jdk1.5.0/jre/lib/security/cacerts...
Opening connection to ecc.fedora.redhat.com:443...
Starting SSL handshake...

javax.net.ssl.SSLHandshakeException: sun.security.validator.ValidatorException: PKIX path building failed: sun.security.provider.certpath.SunCertPathBuilderException: unable to find valid certification path to requested target
at com.sun.net.ssl.internal.ssl.Alerts.getSSLException(Alerts.java:150)
at com.sun.net.ssl.internal.ssl.SSLSocketImpl.fatal(SSLSocketImpl.java:1476)
at com.sun.net.ssl.internal.ssl.Handshaker.fatalSE(Handshaker.java:174)
at com.sun.net.ssl.internal.ssl.Handshaker.fatalSE(Handshaker.java:168)
at com.sun.net.ssl.internal.ssl.ClientHandshaker.serverCertificate(ClientHandshaker.java:846)
at com.sun.net.ssl.internal.ssl.ClientHandshaker.processMessage(ClientHandshaker.java:106)
at com.sun.net.ssl.internal.ssl.Handshaker.processLoop(Handshaker.java:495)
at com.sun.net.ssl.internal.ssl.Handshaker.process_record(Handshaker.java:433)
at com.sun.net.ssl.internal.ssl.SSLSocketImpl.readRecord(SSLSocketImpl.java:815)
at com.sun.net.ssl.internal.ssl.SSLSocketImpl.performInitialHandshake(SSLSocketImpl.java:1025)
at com.sun.net.ssl.internal.ssl.SSLSocketImpl.startHandshake(SSLSocketImpl.java:1038)
at InstallCert.main(InstallCert.java:63)
Caused by: sun.security.validator.ValidatorException: PKIX path building failed: sun.security.provider.certpath.SunCertPathBuilderException: unable to find valid certification path to requested target
at sun.security.validator.PKIXValidator.doBuild(PKIXValidator.java:221)
at sun.security.validator.PKIXValidator.engineValidate(PKIXValidator.java:145)
at sun.security.validator.Validator.validate(Validator.java:203)
at com.sun.net.ssl.internal.ssl.X509TrustManagerImpl.checkServerTrusted(X509TrustManagerImpl.java:172)
at InstallCert$SavingTrustManager.checkServerTrusted(InstallCert.java:158)
at com.sun.net.ssl.internal.ssl.JsseX509TrustManager.checkServerTrusted(SSLContextImpl.java:320)
at com.sun.net.ssl.internal.ssl.ClientHandshaker.serverCertificate(ClientHandshaker.java:839)
... 7 more
Caused by: sun.security.provider.certpath.SunCertPathBuilderException: unable to find valid certification path to requested target
at sun.security.provider.certpath.SunCertPathBuilder.engineBuild(SunCertPathBuilder.java:236)
at java.security.cert.CertPathBuilder.build(CertPathBuilder.java:194)
at sun.security.validator.PKIXValidator.doBuild(PKIXValidator.java:216)
... 13 more

Server sent 2 certificate(s):

1 Subject CN=ecc.fedora.redhat.com, O=example.com, C=US
  Issuer  CN=Certificate Shack, O=example.com, C=US
  sha1    2e 7f 76 9b 52 91 09 2e 5d 8f 6b 61 39 2d 5e 06 e4 d8 e9 c7
  md5    dd d1 a8 03 d7 6c 4b 11 a7 3d 74 28 89 d0 67 54

2 Subject CN=Certificate Shack, O=example.com, C=US
  Issuer  CN=Certificate Shack, O=example.com, C=US
  sha1    fb 58 a7 03 c4 4e 3b 0e e3 2c 40 2f 87 64 13 4d df e1 a1 a6
  md5    72 a0 95 43 7e 41 88 18 ae 2f 6d 98 01 2c 89 68

Enter certificate to add to trusted keystore or 'q' to quit: [1]
What happened was that the program opened a connection to the specified host and started an SSL handshake. It printed the exception stack trace of the error that occurred and showed you the certificates used by the server. Now it prompts you for the certificate you want to add to your trusted KeyStore. You should only do this if you are sure that this is the certificate of the trusted host you want to connect to. You may want to check the MD5 and SHA1 certificate fingerprints against a fingerprint generated on the server (e.g. using keytool) to make sure it is the correct certificate.
If you've changed your mind, enter 'q'. If you really want to add the certificate, enter '1'. (You could also add a CA certificate by entering a different certificate, but you usually don't want to do that.) Once you have made your choice, the program will print the following:
[
[
  Version: V3
  Subject: CN=ecc.fedora.redhat.com, O=example.com, C=US
  Signature Algorithm: MD5withRSA, OID = 1.2.840.113549.1.1.4

  Key:  SunPKCS11-Solaris RSA public key, 1024 bits (id 5158256, session object)
  modulus: 1402933022884660852748661816869706021655226675890
635441166580364941191074987345500771612454338502131694873337
233737712894815966313948609351561047977102880577818156814678
041303637255354084762814638611185951230474669455913908815827
173696651397340074281578017567044868711049821409365743953199
69584127568303024757
  public exponent: 65537
  Validity: [From: Wed Jan 18 13:16:12 PST 2006,
              To: Wed Apr 18 14:16:12 PDT 2007]
  Issuer: CN=Certificate Shack, O=example.com, C=US
  SerialNumber: [    0f]

Certificate Extensions: 2
[1]: ObjectId: 2.16.840.1.113730.1.1 Criticality=false
NetscapeCertType [
  SSL server
]

[2]: ObjectId: 2.5.29.15 Criticality=false
KeyUsage [
  Key_Encipherment
]

]
  Algorithm: [MD5withRSA]
  Signature:
0000: 6D F4 2A 63 76 2A 05 70  A2 21 0E 1E 4A 31 BE 6B  m.*cv*.p.!..J1.k
0010: 15 64 D8 BB 35 36 82 B0  0D 2A 96 FA 7A 9F A1 59  .d..56...*..z..Y
0020: CA 90 C3 28 C5 A6 9B 59  05 3B EB B2 8D C9 5E 38  ...(...Y.;....^8
0030: 62 ED 1A D7 93 DF 2A A5  D6 54 94 23 15 A2 0C E5  b.....*..T.#....
0040: 13 40 2C 3E 59 E4 2A EB  51 AC 9E 28 44 23 87 B1  .@,>Y.*.Q..(D#..
0050: 34 0B AC F3 E0 39 CA B8  35 B4 78 07 BF 28 4C C4  4....9..5.x..(L.
0060: 9A 2B A3 E9 04 26 78 19  F0 62 EA 0A B5 BB DC 0B  .+...&x..b......
0070: 90 59 E7 77 90 F8 BC 8A  1B 74 4B 4D C1 F8 3B 6C  .Y.w.....tKM..;l

]

Added certificate to keystore 'jssecacerts' using alias 'ecc.fedora.redhat.com-1'
It displayed the complete certificate and then added it to a Java KeyStore 'jssecacerts' in the current directory. To use it in your program, either configure JSSE to use it as its trust store (as explained in the documentation) or copy it into your $JAVA_HOME/jre/lib/security directory. If you want all Java applications to recognize the certificate as trusted and not just JSSE, you could also overwrite the cacerts file in that directory.
After all that, JSSE will be able to complete a handshake with the host, which you can verify by running the program again:
% java InstallCert ecc.fedora.redhat.com
Loading KeyStore jssecacerts...
Opening connection to ecc.fedora.redhat.com:443...
Starting SSL handshake...

No errors, certificate is already trusted

Server sent 2 certificate(s):

1 Subject CN=ecc.fedora.redhat.com, O=example.com, C=US
  Issuer  CN=Certificate Shack, O=example.com, C=US
  sha1    2e 7f 76 9b 52 91 09 2e 5d 8f 6b 61 39 2d 5e 06 e4 d8 e9 c7
  md5    dd d1 a8 03 d7 6c 4b 11 a7 3d 74 28 89 d0 67 54

2 Subject CN=Certificate Shack, O=example.com, C=US
  Issuer  CN=Certificate Shack, O=example.com, C=US
  sha1    fb 58 a7 03 c4 4e 3b 0e e3 2c 40 2f 87 64 13 4d df e1 a1 a6
  md5    72 a0 95 43 7e 41 88 18 ae 2f 6d 98 01 2c 89 68

Enter certificate to add to trusted keystore or 'q' to quit: [1]
q
KeyStore not changed
I hope that helps. For more information about the InstallCert program, have a look at the source code. I am sure you can figure out how it works.
Title: Re: Email Server SSL Connection Problem
Post by: cavagnaro on January 31, 2017, 09:08:24 PM
installCert.java
[code]
/*
 * Copyright 2006 Sun Microsystems, Inc.  All Rights Reserved.
 *
 * Redistribution and use in source and binary forms, with or without
 * modification, are permitted provided that the following conditions
 * are met:
 *
 *  - Redistributions of source code must retain the above copyright
 *    notice, this list of conditions and the following disclaimer.
 *
 *  - Redistributions in binary form must reproduce the above copyright
 *    notice, this list of conditions and the following disclaimer in the
 *    documentation and/or other materials provided with the distribution.
 *
 *  - Neither the name of Sun Microsystems nor the names of its
 *    contributors may be used to endorse or promote products derived
 *    from this software without specific prior written permission.
 *
 * THIS SOFTWARE IS PROVIDED BY THE COPYRIGHT HOLDERS AND CONTRIBUTORS "AS
 * IS" AND ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO,
 * THE IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR
 * PURPOSE ARE DISCLAIMED.  IN NO EVENT SHALL THE COPYRIGHT OWNER OR
 * CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL,
 * EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT LIMITED TO,
 * PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, DATA, OR
 * PROFITS; OR BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY THEORY OF
 * LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT (INCLUDING
 * NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF THIS
 * SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.
 */

import java.io.*;
import java.net.URL;

import java.security.*;
import java.security.cert.*;

import javax.net.ssl.*;

public class InstallCert {

    public static void main(String[] args) throws Exception {
        String host;
        int port;
        char[] passphrase;
        if ((args.length == 1) || (args.length == 2)) {
            // host[:port] plus an optional keystore passphrase (default "changeit")
            String[] c = args[0].split(":");
            host = c[0];
            port = (c.length == 1) ? 443 : Integer.parseInt(c[1]);
            String p = (args.length == 1) ? "changeit" : args[1];
            passphrase = p.toCharArray();
        } else {
            System.out.println("Usage: java InstallCert <host>[:port] [passphrase]");
            return;
        }

        // Prefer a jssecacerts in the working directory, then the JRE's own
        // jssecacerts, and finally its cacerts.
        File file = new File("jssecacerts");
        if (file.isFile() == false) {
            char SEP = File.separatorChar;
            File dir = new File(System.getProperty("java.home") + SEP
                    + "lib" + SEP + "security");
            file = new File(dir, "jssecacerts");
            if (file.isFile() == false) {
                file = new File(dir, "cacerts");
            }
        }
        System.out.println("Loading KeyStore " + file + "...");
        InputStream in = new FileInputStream(file);
        KeyStore ks = KeyStore.getInstance(KeyStore.getDefaultType());
        ks.load(in, passphrase);
        in.close();

        // Wrap the default trust manager so the server's chain is captured
        // even when validation against the keystore fails.
        SSLContext context = SSLContext.getInstance("TLS");
        TrustManagerFactory tmf =
            TrustManagerFactory.getInstance(TrustManagerFactory.getDefaultAlgorithm());
        tmf.init(ks);
        X509TrustManager defaultTrustManager = (X509TrustManager) tmf.getTrustManagers()[0];
        SavingTrustManager tm = new SavingTrustManager(defaultTrustManager);
        context.init(null, new TrustManager[] {tm}, null);
        SSLSocketFactory factory = context.getSocketFactory();

        System.out.println("Opening connection to " + host + ":" + port + "...");
        SSLSocket socket = (SSLSocket) factory.createSocket(host, port);
        socket.setSoTimeout(10000);
        try {
            System.out.println("Starting SSL handshake...");
            socket.startHandshake();
            socket.close();
            System.out.println();
            System.out.println("No errors, certificate is already trusted");
        } catch (SSLException e) {
            System.out.println();
            e.printStackTrace(System.out);
        }

        X509Certificate[] chain = tm.chain;
        if (chain == null) {
            System.out.println("Could not obtain server certificate chain");
            return;
        }

        BufferedReader reader =
            new BufferedReader(new InputStreamReader(System.in));

        System.out.println();
        System.out.println("Server sent " + chain.length + " certificate(s):");
        System.out.println();
        MessageDigest sha1 = MessageDigest.getInstance("SHA1");
        MessageDigest md5 = MessageDigest.getInstance("MD5");
        for (int i = 0; i < chain.length; i++) {
            X509Certificate cert = chain[i];
            System.out.println
                (" " + (i + 1) + " Subject " + cert.getSubjectDN());
            System.out.println("  Issuer  " + cert.getIssuerDN());
            sha1.update(cert.getEncoded());
            System.out.println("  sha1    " + toHexString(sha1.digest()));
            md5.update(cert.getEncoded());
            System.out.println("  md5    " + toHexString(md5.digest()));
            System.out.println();
        }

        // Anything that is not a number (e.g. 'q') leaves the keystore untouched.
        System.out.println("Enter certificate to add to trusted keystore or 'q' to quit: [1]");
        String line = reader.readLine().trim();
        int k;
        try {
            k = (line.length() == 0) ? 0 : Integer.parseInt(line) - 1;
        } catch (NumberFormatException e) {
            System.out.println("KeyStore not changed");
            return;
        }

        X509Certificate cert = chain[k];
        String alias = host + "-" + (k + 1);
        ks.setCertificateEntry(alias, cert);

        // The result is always written to jssecacerts in the current directory,
        // never back into the JRE's cacerts.
        OutputStream out = new FileOutputStream("jssecacerts");
        ks.store(out, passphrase);
        out.close();

        System.out.println();
        System.out.println(cert);
        System.out.println();
        System.out.println
            ("Added certificate to keystore 'jssecacerts' using alias '"
             + alias + "'");
    }

    private static final char[] HEXDIGITS = "0123456789abcdef".toCharArray();

    private static String toHexString(byte[] bytes) {
        StringBuilder sb = new StringBuilder(bytes.length * 3);
        for (int b : bytes) {
            b &= 0xff;
            sb.append(HEXDIGITS[b >> 4]);
            sb.append(HEXDIGITS[b & 15]);
            sb.append(' ');
        }
        return sb.toString();
    }

    // Delegates to the default trust manager but keeps the chain the server
    // presented, so it can be listed and offered for import.
    private static class SavingTrustManager implements X509TrustManager {

        private final X509TrustManager tm;
        private X509Certificate[] chain;

        SavingTrustManager(X509TrustManager tm) {
            this.tm = tm;
        }

        public X509Certificate[] getAcceptedIssuers() {
            // Return an empty array rather than throwing: Java 7 and later may call
            // this while setting up the SSLContext, and the original
            // UnsupportedOperationException aborted the program there.
            return new X509Certificate[0];
        }

        public void checkClientTrusted(X509Certificate[] chain, String authType)
                throws CertificateException {
            throw new UnsupportedOperationException();
        }

        public void checkServerTrusted(X509Certificate[] chain, String authType)
                throws CertificateException {
            this.chain = chain;
            tm.checkServerTrusted(chain, authType);
        }
    }

}
[/code]
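As an added check for the question raised earlier in the thread (how to verify the .truststore before pointing -Djavax.net.ssl.trustStore at it) and as a companion to the InstallCert procedure above, here is a small Java diagnostic of my own; it is not part of ESJ, the Genesys deployment guide or the Sun program. CheckTrustStore and its arguments are hypothetical names; it assumes a JKS truststore readable with the given password and network reach to the mail server's SSL port (993 for IMAPS in the configuration above).

```java
import java.io.FileInputStream;
import java.io.IOException;
import java.io.InputStream;
import java.net.InetSocketAddress;
import java.security.KeyStore;
import java.security.MessageDigest;
import java.security.cert.X509Certificate;
import java.util.Enumeration;
import javax.net.ssl.*;

// Hypothetical diagnostic, not ESJ code.
// Usage: java CheckTrustStore <truststore-file> <store-password> <host> <port>
public class CheckTrustStore {

    public static void main(String[] args) throws Exception {
        if (args.length != 4) {
            System.err.println("Usage: java CheckTrustStore <truststore> <storepass> <host> <port>");
            System.exit(2);
        }
        KeyStore ts = loadStore(args[0], args[1].toCharArray());
        listTrustedCerts(ts);
        System.exit(probe(ts, args[2], Integer.parseInt(args[3])));
    }

    // Load the store the same way the JVM does for -Djavax.net.ssl.trustStore
    // (the default type is JKS on the JDK 7/8 releases used in this thread).
    static KeyStore loadStore(String path, char[] password) throws Exception {
        KeyStore ks = KeyStore.getInstance(KeyStore.getDefaultType());
        try (InputStream in = new FileInputStream(path)) {
            ks.load(in, password);
        }
        return ks;
    }

    // Print each trusted entry with subject, expiry and SHA-256 fingerprint so it can be
    // compared with what the mail administrator reports (keytool -list shows MD5 by default).
    static void listTrustedCerts(KeyStore ks) throws Exception {
        MessageDigest sha256 = MessageDigest.getInstance("SHA-256");
        for (Enumeration<String> e = ks.aliases(); e.hasMoreElements();) {
            String alias = e.nextElement();
            if (!ks.isCertificateEntry(alias)) continue;
            X509Certificate c = (X509Certificate) ks.getCertificate(alias);
            System.out.printf("%s%n  subject  %s%n  expires  %s%n  sha256   %s%n",
                    alias, c.getSubjectX500Principal(), c.getNotAfter(),
                    hex(sha256.digest(c.getEncoded())));
        }
    }

    // Handshake with host:port trusting ONLY this store, and tell apart the failure modes
    // seen in the thread. Nothing is sent to the mail server beyond the TLS handshake.
    static int probe(KeyStore ts, String host, int port) throws Exception {
        TrustManagerFactory tmf =
                TrustManagerFactory.getInstance(TrustManagerFactory.getDefaultAlgorithm());
        tmf.init(ts);
        SSLContext ctx = SSLContext.getInstance("TLS");
        ctx.init(null, tmf.getTrustManagers(), null);

        try (SSLSocket s = (SSLSocket) ctx.getSocketFactory().createSocket()) {
            s.connect(new InetSocketAddress(host, port), 10000);
            s.setSoTimeout(10000);
            // Require the certificate's CN/SAN to match the configured server name, which is
            // what the deployment guide demands for the CN; "HTTPS" selects RFC 2818 matching.
            SSLParameters params = s.getSSLParameters();
            params.setEndpointIdentificationAlgorithm("HTTPS");
            s.setSSLParameters(params);
            s.startHandshake();
            SSLSession session = s.getSession();
            X509Certificate peer = (X509Certificate) session.getPeerCertificates()[0];
            System.out.println("OK: " + session.getProtocol() + " " + session.getCipherSuite()
                    + ", peer " + peer.getSubjectX500Principal());
            return 0;
        } catch (SSLHandshakeException e) {
            // TLS was spoken, but the chain is not anchored in this store or the name did not
            // match (the "PKIX path building failed" family of errors).
            System.out.println("HANDSHAKE REJECTED: " + e.getMessage());
            return 1;
        } catch (SSLException e) {
            // The port answered with something that is not a TLS record, typically a plain-text
            // banner on a non-SSL or STARTTLS port; JavaMail reports this condition as
            // "server may be expecting plain text connection".
            System.out.println("NOT TLS ON THIS PORT: " + e.getMessage());
            return 3;
        } catch (IOException e) {
            System.out.println("CONNECT FAILED: " + e.getMessage());
            return 4;
        }
    }

    static String hex(byte[] bytes) {
        StringBuilder sb = new StringBuilder();
        for (byte b : bytes) {
            sb.append(String.format("%02X:", b));
        }
        return sb.substring(0, sb.length() - 1); // drop the trailing ':'
    }
}
```

Exit code 3 against a port that only offers STARTTLS (such as SMTP submission on 587) is expected, since the server talks plain text there until STARTTLS is issued; a 1 means the handshake itself worked and the problem is the store's contents or the CN, which is where InstallCert or a keytool -import comes in.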
Title: Re: Email Server SSL Connection Problem
Post by: n3vek7 on February 01, 2017, 03:23:47 AM
God damn Java... hate it!

I'm playing with my java setup as I'm getting an error running the script you provided.
Thanks for the script by the way.

P.S. "I" has to be uppercase to compile correctly
[code]
C:\Program Files\Java\jdk1.8.0_65\bin>java InstallCert.java
Error: Could not find or load main class InstallCert.java

C:\Program Files\Java\jdk1.8.0_65\bin>echo %CLASSPATH%
.;%JAVA_HOME%\lib\dt.jar;%JAVA_HOME%\lib\tools.jar

C:\Program Files\Java\jdk1.8.0_65\bin>echo %PATH%
C:\ProgramData\Oracle\Java\javapath;...;C:\Program Files\Java\jdk1.8.0_65\jre\bin;C:\Users\...\AppData\Local\Microsoft\WindowsApps
[/code]

>:(
Title: Re: Email Server SSL Connection Problem
Post by: cavagnaro on February 01, 2017, 03:47:22 PM
:P Little mistake on my side, was the rush, but easy to spot ;)
Title: Re: Email Server SSL Connection Problem
Post by: n3vek7 on May 23, 2017, 02:02:31 AM
Hey Guys, I'm getting back on this one. I had no time to continue this before now... @Cavagnaro, thanks for the Java program you provided, but it always failed with "unable to find main class/function" and I didn't want to spend a lot of time on it, because I wanted to better understand the concept of truststore and keystore by doing it manually.

So, I tried to add the smtp.office365.com certificate into the truststore of EmailServer.
1. I've downloaded the public .cer file from outlook.office.com
2. Put that file "office.com.cer" in the same folder as keytool (under java/bin).
3. Ran the command "keytool -import -v -trustcacerts -alias office.com -file office.com.cer -keystore cacerts.jks -keypass [keypass] -storepass [storepass]"
Am I missing a command or something else? Any pre-requisite that I may have missed?

I've changed the ini file to have the truststore path at the same location as the keytool and all the store files.

Any other idea? If not, that's fine, I'll get to work this week, and will share my findings! :)

[code]
C:\Program Files\Java\jdk1.7.0_79\jre\bin>keytool -import -v -trustcacerts -alias office.com -file office.com.cer -keystore cacerts.jks -keypass [keypass] -storepass  [storepass]
Owner: CN=outlook.com, OU=Microsoft Corporation, O=Microsoft Corporation, L=Redmond, ST=WA, C=US
Issuer: CN=Microsoft IT SSL SHA2, OU=Microsoft IT, O=Microsoft Corporation, L=Redmond, ST=Washington, C=US
Serial number: 5a00020e4289e78c6958489ec1000100020e42
Valid from: Tue Oct 13 18:20:04 EDT 2015 until: Thu Oct 12 18:20:04 EDT 2017
Certificate fingerprints:
        MD5:  3A:A4:58:42:56:CD:BD:11:19:5B:CF:1E:85:16:8E:4D
        SHA1: A0:47:6C:0C:30:34:7A:7A:15:9A:9F:F5:0B:CD:BC:84:BD:D3:D1:66
        SHA256: A1:C0:26:65:59:14:1B:2E:70:D6:C6:5E:15:54:B2:16:AC:7B:D3:B4:9F:5F:B0:6F:C8:4A:2C:4C:B9:64:EF:7A
        Signature algorithm name: SHA256withRSA
        Version: 3
Extensions:
#1: ObjectId: 1.2.840.113549.1.9.15 Criticality=false
0000: 30 69 30 0E 06 08 2A 86  48 86 F7 0D 03 02 02 02  0i0...*.H.......
0010: 00 80 30 0E 06 08 2A 86  48 86 F7 0D 03 04 02 02  ..0...*.H.......
0020: 00 80 30 0B 06 09 60 86  48 01 65 03 04 01 2A 30  ..0...`.H.e...*0
0030: 0B 06 09 60 86 48 01 65  03 04 01 2D 30 0B 06 09  ...`.H.e...-0...
0040: 60 86 48 01 65 03 04 01  02 30 0B 06 09 60 86 48  `.H.e....0...`.H
0050: 01 65 03 04 01 05 30 07  06 05 2B 0E 03 02 07 30  .e....0...+....0
0060: 0A 06 08 2A 86 48 86 F7  0D 03 07                ...*.H.....
#2: ObjectId: 1.3.6.1.4.1.311.21.10 Criticality=false
0000: 30 18 30 0A 06 08 2B 06  01 05 05 07 03 01 30 0A  0.0...+.......0.
0010: 06 08 2B 06 01 05 05 07  03 02                    ..+.......
#3: ObjectId: 1.3.6.1.5.5.7.1.1 Criticality=false
AuthorityInfoAccess [
  [
  accessMethod: caIssuers
  accessLocation: URIName: http://www.microsoft.com/pki/mscorp/msitwww2.crt
,
  accessMethod: ocsp
  accessLocation: URIName: http://ocsp.msocsp.com
]
]
#4: ObjectId: 2.5.29.35 Criticality=false
AuthorityKeyIdentifier [
KeyIdentifier [
0000: 51 AF 24 26 9C F4 68 22  57 80 26 2B 3B 46 62 15  Q.$&..h"W.&+;Fb.
0010: 7B 1E CC A5                                        ....
]
]
#5: ObjectId: 2.5.29.31 Criticality=false
CRLDistributionPoints [
  [DistributionPoint:
    [URIName: http://mscrl.microsoft.com/pki/mscorp/crl/msitwww2.crl, URIName:
http://crl.microsoft.com/pki/mscorp/crl/msitwww2.crl]
]]
#6: ObjectId: 2.5.29.32 Criticality=false
CertificatePolicies [
  [CertificatePolicyId: [1.3.6.1.4.1.311.42.1]
[PolicyQualifierInfo: [
  qualifierID: 1.3.6.1.5.5.7.2.1
  qualifier: 0000: 16 28 68 74 74 70 3A 2F  2F 77 77 77 2E 6D 69 63  .(http://www.mic
0010: 72 6F 73 6F 66 74 2E 63  6F 6D 2F 70 6B 69 2F 6D  rosoft.com/pki/m
0020: 73 63 6F 72 70 2F 63 70  73 00                    scorp/cps.
]]  ]
]
#7: ObjectId: 2.5.29.37 Criticality=false
ExtendedKeyUsages [
  serverAuth
  clientAuth
]
#8: ObjectId: 2.5.29.15 Criticality=false
KeyUsage [
  DigitalSignature
  Key_Encipherment
  Data_Encipherment
]
#9: ObjectId: 2.5.29.17 Criticality=false
SubjectAlternativeName [
  DNSName: outlook.com
  DNSName: *.outlook.com
  DNSName: office365.com
  DNSName: *.office365.com
  DNSName: *.live.com
  DNSName: *.internal.outlook.com
  DNSName: *.outlook.office365.com
  DNSName: outlook.office.com
  DNSName: attachment.outlook.office.net
  DNSName: attachment.outlook.officeppe.net
  DNSName: *.office.com
]
#10: ObjectId: 2.5.29.14 Criticality=false
SubjectKeyIdentifier [
KeyIdentifier [
0000: 9D B0 98 1C 24 5A D4 9D  ED 51 53 C4 D7 F6 BA B1  ....$Z...QS.....
0010: 8D 7B 90 0F                                        ....
]
]
Trust this certificate? [no]:  yes
Certificate was added to keystore
[Storing cacerts.jks]
[/code]

[code]
[JavaArgs]
-Xmx1G
-Xbootclasspath/p:./lib/acsc.jar
-Djava.rmi.dgc.leaseValue=60000
-Dtkv.multibytes=true
-Dpsdk.config.tls=false
-Dcom.genesyslab.platform.commons.connection.factory.class=com.genesyslab.platform.commons.connection.impl.netty.NettyConnectionFactory
-XX:+UseConcMarkSweepGC
-XX:+UseParNewGC
-XX:+ExplicitGCInvokesConcurrent
;-Djavax.net.ssl.trustStore=C:\Program Files\GCTI\DEMO_ESJ\cert
-Djavax.net.ssl.trustStore=C:\Program Files\Java\jdk1.7.0_79\jre\bin
[/code]
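For both routes in this thread (InstallCert writing `jssecacerts`, or keytool importing into `cacerts.jks` as above), the next thing to verify is whether the JVM that runs Email Server can actually open that store and trust the mail host's chain with it. The program below is an added example for this thread, not cavagnaro's InstallCert and not Genesys code; the class name `VerifyTrustStore` and its arguments are my own. It takes the store path and password, refuses a directory, lists the trusted entries, and then performs the IMAPS handshake using only that store, so a trust failure shows up here rather than as a 20015 line in the Email Server log. Note that the last `-Djavax.net.ssl.trustStore` line in the ini above names `C:\Program Files\Java\jdk1.7.0_79\jre\bin`, the directory keytool was run in, while the store keytool wrote is the file `cacerts.jks` inside it; the property needs the file path. `-Djavax.net.ssl.trustStorePassword` is optional: without it the JVM still reads a JKS store, it just skips the integrity check.

```java
import java.io.File;
import java.io.FileInputStream;
import java.io.InputStream;
import java.security.KeyStore;
import java.util.Collections;
import javax.net.ssl.SSLContext;
import javax.net.ssl.SSLParameters;
import javax.net.ssl.SSLSocket;
import javax.net.ssl.SSLSocketFactory;
import javax.net.ssl.TrustManagerFactory;

/*
 * Added example for this thread (hypothetical class name; not InstallCert, not Genesys code).
 * Loads a JKS trust store the way -Djavax.net.ssl.trustStore would, lists what is in it,
 * then performs a TLS handshake against an implicit-TLS port such as IMAPS 993 using ONLY
 * that store, so a trust failure shows up here instead of in the Email Server log.
 *
 * usage: java VerifyTrustStore <truststore-file> <storepass> <mail-host> [port]
 */
public class VerifyTrustStore {

    public static void main(String[] args) throws Exception {
        if (args.length < 3) {
            System.err.println("usage: java VerifyTrustStore <truststore-file> <storepass> <mail-host> [port]");
            System.exit(2);
        }
        File storeFile = new File(args[0]);
        char[] storepass = args[1].toCharArray();
        String host = args[2];
        int port = args.length > 3 ? Integer.parseInt(args[3]) : 993;

        // A directory (for example ...\jre\bin) is not a trust store; the certificates
        // imported with keytool into a file inside it never take part in the handshake.
        if (!storeFile.isFile()) {
            System.err.println("trustStore must be the keystore file, not a directory: " + storeFile);
            System.exit(1);
        }

        KeyStore ks = loadTrustStore(storeFile, storepass);
        System.out.println("Trusted certificate entries in " + storeFile + ":");
        for (String alias : Collections.list(ks.aliases())) {
            if (ks.isCertificateEntry(alias)) {
                System.out.println("  " + alias);
            }
        }

        String peer = handshake(buildContext(ks), host, port);
        System.out.println("Handshake OK with " + host + ":" + port + ", server presented: " + peer);
    }

    // Same file and password the JVM uses via -Djavax.net.ssl.trustStore / trustStorePassword.
    static KeyStore loadTrustStore(File storeFile, char[] storepass) throws Exception {
        KeyStore ks = KeyStore.getInstance("JKS");
        try (InputStream in = new FileInputStream(storeFile)) {
            ks.load(in, storepass);   // a wrong storepass fails here with an IOException
        }
        return ks;
    }

    // Trust managers built from this store only; the JRE's default cacerts is not consulted,
    // which is also what happens once -Djavax.net.ssl.trustStore points at a custom file.
    static SSLContext buildContext(KeyStore trustStore) throws Exception {
        TrustManagerFactory tmf = TrustManagerFactory.getInstance(TrustManagerFactory.getDefaultAlgorithm());
        tmf.init(trustStore);
        SSLContext ctx = SSLContext.getInstance("TLS");
        ctx.init(null, tmf.getTrustManagers(), null);
        return ctx;
    }

    // Implicit TLS from the first byte (IMAPS 993 / POP3S 995). A STARTTLS port such as
    // 143 or 587 expects plain text first and fails here with a handshake error.
    static String handshake(SSLContext ctx, String host, int port) throws Exception {
        SSLSocketFactory factory = ctx.getSocketFactory();
        try (SSLSocket socket = (SSLSocket) factory.createSocket(host, port)) {
            socket.setSoTimeout(10000);
            // Also check that the certificate's SAN matches the host we dialled.
            SSLParameters params = socket.getSSLParameters();
            params.setEndpointIdentificationAlgorithm("HTTPS");
            socket.setSSLParameters(params);
            socket.startHandshake();   // SSLHandshakeException if this store does not trust the chain
            return socket.getSession().getPeerPrincipal().getName();
        }
    }
}
```

Compile with `javac VerifyTrustStore.java` and run it with the same JDK that Email Server uses, for example `java VerifyTrustStore "C:\Program Files\Java\jdk1.7.0_79\jre\bin\cacerts.jks" [storepass] <mail-host> 993`. The `-keypass` given to keytool above only matters for private-key entries; a trusted certificate entry has no key to protect. Importing the server's leaf certificate as shown pins that exact certificate, and the one listed is valid only until Oct 12 2017, so the entry has to be refreshed whenever the server's certificate is renewed; importing the issuer (`Microsoft IT SSL SHA2` here) or its root instead survives renewals.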