Generated the client certificate 'Not trusted' error.

cjasniew
cjasniew Member Posts: 15

I am working on a C/C++ application on Linux for use with a Solace messaging appliance.
I received the client certificate signed by our CA.
When I run the secureSession.c example from the C CSMP API documentation, I get the following error:
“The peer certificate is not trusted, rc='self signed certificate in certificate chain'”
Please see the output below for details.

Do you have any suggestions?
Thanks,
Chris J

[ld72277@nycsl00[Output]50222 bin]$ ./SecureSSL --cip=https:solace-amer-dev.us.net.intra:55443 --cu=cu_cbm_dev_us@gpfgba_dev_us --dir=/home/ld72277/solace/certificates --cert=/home/ld72277/solace/certificates/cu_cbm_dev_us.pem --key=/home/ld72277/solace/certificates/keys/cu_cbm_dev_us.key --auth=1

secureSession.c (Copyright 2009-2020 Solace Corporation. All rights reserved.)
CCSMP Version 7.8.0.11 (Feb 27 2019 16:55:39) Variant: Linux26-x86_64_opt - C SDK

SDK WARNING Fri Oct 09 16:59:24.316 2020 solClientSSL.c:397 (7fc015ec4700) Session '(c0,s1)_gpfgba_dev_us': The peer certificate is not trusted, rc='self signed certificate in certificate chain'

Comments

  • arih
    arih Member, Employee Posts: 125 Solace Employee

    Hi Chris,

    I'd look into your certificate first and check if there's a self-signed cert in there. One way to check: keytool -printcert -file cu_cbm_dev_us.pem
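An added example, not part of the thread and not Solace code: the same kind of check done with the openssl command-line tool, extended to test a bundle against a trust directory. OpenSSL reports "self signed certificate in certificate chain" when a chain can be built up to a self-signed root but that root is not among the locally trusted certificates. The function names `list_chain` and `trust_check` are hypothetical, and the trust directory is assumed to hold CA certificates as `*.pem` or `*.crt` files.

```shell
#!/bin/sh
# Added example, not from the thread. Requires the openssl command-line tool.
# Usage after sourcing (paths are the ones shown in the thread):
#   list_chain  /home/ld72277/solace/certificates/cu_cbm_dev_us.pem
#   trust_check /home/ld72277/solace/certificates <bundle.pem>

# Print "index|subject|issuer|kind" for each certificate in a PEM bundle.
list_chain() {
    local bundle tmp i subj iss kind
    bundle="$1"; i=1
    tmp=$(mktemp -d) || return 2
    # Split the bundle into one file per CERTIFICATE block (keys are skipped).
    awk -v d="$tmp" '/-----BEGIN CERTIFICATE-----/ { n++; on = 1 }
        on { print > (d "/c" n ".pem") }
        /-----END CERTIFICATE-----/ { on = 0 }' "$bundle"
    while [ -f "$tmp/c$i.pem" ]; do
        subj=$(openssl x509 -in "$tmp/c$i.pem" -noout -subject -nameopt RFC2253 |
               sed 's/^subject= *//')
        iss=$(openssl x509 -in "$tmp/c$i.pem" -noout -issuer -nameopt RFC2253 |
              sed 's/^issuer= *//')
        # subject == issuer means self-issued, which is what a root CA looks like.
        kind=issued
        if [ "$subj" = "$iss" ]; then kind=self-signed; fi
        printf '%s|%s|%s|%s\n' "$i" "$subj" "$iss" "$kind"
        i=$((i + 1))
    done
    rm -rf "$tmp"
}

# Verify the first certificate in a bundle against the CA certificates found as
# *.pem / *.crt files in a trust directory (assumed layout). The bundle's other
# certificates are offered only as untrusted chain-building material.
# Returns 0 when the chain ends in a certificate from the trust directory.
trust_check() {
    local dir bundle cas rc
    dir="$1"; bundle="$2"; rc=0
    cas=$(mktemp) || return 2
    find "$dir" -maxdepth 1 -type f \( -name '*.pem' -o -name '*.crt' \) \
        -exec cat {} + > "$cas"
    openssl verify -CAfile "$cas" -untrusted "$bundle" "$bundle" 2>&1 || rc=$?
    rm -f "$cas"
    return "$rc"
}
```

The bundle can be the client certificate file or a saved copy of the chain the peer presents; a `self-signed` entry that `trust_check` rejects is the root that has to be present in the trust directory.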

  • cjasniew
    cjasniew Member Posts: 15

    I got to the next step by adding the option to not verify the authenticity of the certificate, and now I have an error like:
    ReturnCode="Not ready", SubCode="SOLCLIENT_SUBCODE_COMMUNICATION_ERROR", ResponseCode=0, Info="solClientHTTP.c:3968 (7f3153ec6700) Cannot re-connect transport for HTTP due to non-clean close for session '(c0,s1)_

  • cjasniew
    cjasniew Member Posts: 15

    I got past that as well by specifying "tcps" as the transport in the host and port string. Now I cannot create and use a queue in my C program, with the method
    if ( !solClient_session_isCapable ( session_p, SOLCLIENT_SESSION_CAPABILITY_ENDPOINT_MANAGEMENT ) )
    returning false; Solace explains that the method checks if the specified capability is set on the currently connected Session.
    Why does my session not have that capability, and how do I set it up?

  • arih
    arih Member, Employee Posts: 125 Solace Employee

    Hi Chris,

    Could you verify if the username you are using has the capability to create endpoints as per the screenshot below?

  • cjasniew
    cjasniew Member Posts: 15

    Thank you.
    I don't know how to access that page.
    Two questions:
    1. How do I make a topic endpoint durable in C/C++ code? The same way as queues, using the solClient_session_endpointProvision() method?
    Can you give an example? How do I name a topic endpoint?
    2. Will a durable topic endpoint publisher written in C/C++ work with a Java topic endpoint subscriber?

  • cjasniew
    cjasniew Member Posts: 15

    Another question. When I run my topic endpoint publisher, send a message, exit the publisher, and then start the topic endpoint subscriber, it does not receive that message. I set SOLCLIENT_DELIVERY_MODE_PERSISTENT, and from the documentation that message shall be stored on the server and guaranteed to be delivered to subscribers. Do I need to make my topic endpoint durable as well, in addition to setting the delivery mode to persistent?
    Long story short: what do I need to do in the topic endpoint to guarantee delivery to all subscribers even if they are not listening at the time a message is sent?

  • arih
    arih Member, Employee Posts: 125 Solace Employee

    Hi Chris,

    @cjasniew said:
    Thank you.
    I don't know how to access that page.

    Okay, this is the Solace Web UI for administration. I guess you need to check with the admin who provided you with your username then.

    Two questions:
    1. How do I make a topic endpoint durable in C/C++ code? The same way as queues, using the solClient_session_endpointProvision() method?
    Can you give an example? How do I name a topic endpoint?
    2. Will a durable topic endpoint publisher written in C/C++ work with a Java topic endpoint subscriber?

    I need to test this, but my understanding is that you need to provision the durable topic endpoint with solClient_session_endpointProvision() and use the SOLCLIENT_ENDPOINT_PROP_TE and the usual SOLCLIENT_ENDPOINT_PROP_NAME for the name.

    I'll let others share some samples as I don't have the environment to test it right now :)

  • cjasniew
    cjasniew Member Posts: 15

    Thanks. One more thing. Do you have a Java SSL API example of a topic endpoint subscriber?

  • cjasniew
    cjasniew Member Posts: 15

    Can I have, for one session, delivery and send message methods for two or more different topics?

    First set the first topic:
    solace->AllocateAndSetDeliveryAndDestination((char *)&commandOpts.destinationName[0], SOLCLIENT_DELIVERY_MODE_PERSISTENT);

    while (fgets(message, MAXCHAR, fp) != NULL)
    {
          solace->SendMessage((char *)&commandOpts.destinationName[0], message);
    }

    Then use another topic for the same session:
    solace->AllocateAndSetDeliveryAndDestination((char *)&commandOpts.SecondationName[0], SOLCLIENT_DELIVERY_MODE_PERSISTENT);

    while (fgets(message, MAXCHAR, fp) != NULL)
    {
          solace->SendMessage((char *)&commandOpts.SecondationName[0], message);
    }
    
  • Aaron
    Aaron Member, Administrator, Moderator, Employee Posts: 665 admin

    Hi there @cjasniew ! Ari has given you some really great pointers. Here's a few additional thoughts:

    If you don't have admin access to your broker, you'll probably have to liaise with your middleware team to help you configure some Guaranteed endpoints for you to use. Now, you may have the ability to create Endpoints dynamically (as determined by the settings in the client-profile that Ari showed), but this is not typically a best practice in production: to let applications create their own endpoints. Sometimes it's required yes, but usually an admin-created durable Endpoint is what you need.

    Now, in order for your message to be persisted in the broker so that your subscriber can receive it later, the Endpoint must already be created. If you create a mailbox after the message was attempted to deliver, where would it go? The Endpoint belongs to the consumer application... think of it as the consumer's "online storage". When the consumer/subscriber is connected to the Endpoint, it receives the message right away. And if it's not connected, then the message will be stored inside the broker.

    Finally, it's good that you want to use Topics... this allows more flexible architecture. But I would recommend you to use Queues (Endpoints) instead of Topic Endpoints... they offer more functionality. The Solace best practice for Persistent/Guaranteed messaging is to create a Queue for your consumer/subscriber application, and then add topic subscriptions to that Queue so that it attracts messages published on topics (that match the subscription). Again, you may need to work with the admin/ops team to create the queue and add topic subscriptions to it.

    Then your consumer connects to the queue, and your publisher publishes on topics that get matched to the Queue's subscription and stored in the Queue. Publishers can publish to any number of topics... each message you send can go to a different topic if you want. It's totally dynamic.