Error with Client Certificate Authentication

Hi,
I have enabled client-certificate authentication for the message VPN by following the instructions on the docs page.

# commands used
enable
configure
message-vpn <vpn_name>
authentication
client-certificate
validate-certificate-date
allow-api-provided-username
no shutdown

While using SDK Perf to test the SSL connectivity, I'm seeing the error below:

JAVA: /bin/java
SOLACE_VM_ARGS: -Xms512m -Xmx1024m
Run Info: CPU usage currently disabled.
Client naming used:
        logging ID   = router generated.
        username     = perf_client000001
        vpn          = default
        client names = sdk generated.

> VM Name: OpenJDK 64-Bit Server VM
Run Info: Using Java Nanosecond Timer for Timing
> Timing Package Clock Speed (Hz): 1000000000
> Getting ready to init clients
E: Initialization error: client creation failed.
com.solacesystems.pubsub.sdkperf.core.PubSubException: Error while connecting.
        at com.solacesystems.pubsub.sdkperf.core.AbstractClientCollection.connect(AbstractClientCollection.java:449)
        at com.solacesystems.pubsub.sdkperf.SDKPerf_java.run(SDKPerf_java.java:183)
        at com.solacesystems.pubsub.sdkperf.SDKPerf_java.main(SDKPerf_java.java:117)
Caused by: com.solacesystems.jcsmp.InvalidPropertiesException: Client Certificate Authenticate is supported only for SSL secured schemes
        at com.solacesystems.jcsmp.secure.SecureProperties.<init>(SecureProperties.java:237)
        at com.solacesystems.jcsmp.JCSMPFactory.createSession(JCSMPFactory.java:163)
        at com.solacesystems.pubsub.sdkperf.jcsmpcore.JcsmpClient.connect(JcsmpClient.java:1084)
        at com.solacesystems.pubsub.sdkperf.core.AbstractClientCollection.connect(AbstractClientCollection.java:447)
        ... 2 more

Am I missing something, could someone please help?

Thanks,
Raghu

The line with “Client Certificate Authenticate is supported only for SSL secured schemes” indicates that you are not connecting to an SSL port (e.g. SMF over TLS or MQTT over TLS).
What is your sdkperf command line?
What is the output of “show service”?
And always a good idea: have a look at the broker event.log for any errors.

Hi @rdesoju, looks like you’re making progress, which is good. @uherbst has it right - you’re connecting to the unencrypted broker port. By default, if you specify just the broker address with the -cip option to sdkperf, it connects to port 55555 - the unencrypted broker port. Try -cip :55443 which is the default encrypted port.

Here is the command I’m using. Still seeing the same issue.

#!/bin/bash
broker_hosts=<ip1>:55443,<ip2>:55443
vpn=<vpn_name>
cert_keystore=./client.keystore
keystore_pass=<passwd>
# -sslks / -sslksp: client keystore holding the certificate and key for client-certificate auth
# (the original line read $ketystore_pass, a typo that expanded to an empty password)
./sdkperf_java.sh -cip=tcps://$broker_hosts -cu=@$vpn \
    -pt1=ssl/topic -mn=10000 -stl=ssl/topic -q -md \
    -sslks=$cert_keystore -sslksp=$keystore_pass

Also, I tried with and without the port number in the -cip switch. Default and non-default port numbers both throw the same error.
Here is the show service command output:

Msg-Backbone:       Enabled
  VRF:              management
  SMF:              Enabled
    Web-Transport:  Enabled
  REST Incoming:    Enabled
  REST Outgoing:    Enabled
  MQTT:             Enabled
  AMQP:             Enabled
  Health-check:     Enabled
  Mate-link:        Enabled
  Redundancy:       Enabled

Max Incoming Connections:       100
  Service SMF:                  100
  Service Web-Transport:        100
  Service REST:                 100
  Service MQTT:                 100
  Service AMQP:                 100
Max Outgoing Connections:
  Service REST:                 100
Max SSL Connections:            100

Event Threshold                           Set Value      Clear Value
---------------------------------- ---------------- ----------------
Incoming Connections                        80%(80)          60%(60)
  Service SMF                               80%(80)          60%(60)
Outgoing Connections
  Service REST                              80%(80)          60%(60)
SSL Connections                             80%(80)          60%(60)


Flags Legend:
TP - Transport
T+U - TCP and UDP
S - SSL (Y=Yes, N=No, -=not-applicable)
C - Compressed (Y=Yes, N=No, -=not-applicable)
R - Routing Ctrl (Y=Yes, N=No, -=not-applicable)
VRF - VRF (Mgmt=management, MsgBB=msg-backbone)
A - Admin State (U=Up, D=Down, -=not-applicable)
O - Oper State (U=Up, D=Down, -=not-applicable)

                                              Status
Service    TP  S C R VRF   MsgVpn          Port  A O Failed Reason
---------- --- ----- ----- --------------- ----- --- --------------------------
SEMP       TCP N - - Mgmt                   8080 U U
SEMP       TCP Y - - Mgmt                    943 U U
SMF        TCP N N N Mgmt                  55555 U U
SMF        TCP N Y N Mgmt                  55003 U U
SMF        TCP N N Y Mgmt                  55556 U D
SMF        TCP Y N N Mgmt                  55443 U U
SMF        WEB N - - Mgmt                     80 U U
SMF        WEB Y - - Mgmt                    443 U U
MQTT       TCP N - - Mgmt  default          1883 U U
MQTT       TCP Y - - Mgmt  default          8883 U U
MQTT       WEB N - - Mgmt  default          8000 U U
MQTT       WEB Y - - Mgmt  default          8443 U U
AMQP       TCP N - - MsgBB default          5672 U U
AMQP       TCP Y - - MsgBB default          5671 U U
REST       WEB N - - Mgmt  default          9000 U U
REST       WEB Y - - Mgmt  default          9443 U U
MATELINK   TCP N N N Mgmt                   8741 U U
HEALTHCHK  TCP N N N Mgmt                   5550 U U
REDUNDANCY TCP Y N N Mgmt                   8300 U U
REDUNDANCY T+U Y N N Mgmt                   8301 U U
REDUNDANCY T+U Y N N Mgmt                   8302 U U

Thanks,
Raghu

The SDK Perf command mentioned above works when the -cip switch is provided with only one IP address and port number, broker_hosts=<ip1>:55443.
However, if I give two IPs and ports as mentioned initially, it still fails with the same error.

Also, when I add the properties below in my Java SMF code, it still fails with the same error as mentioned above:

import com.solacesystems.jcsmp.JCSMPProperties;

JCSMPProperties properties = new JCSMPProperties();
// Host given as ip:port with no scheme (this is the setting that still failed)
properties.setProperty(JCSMPProperties.HOST, "ip:55443");
properties.setProperty(JCSMPProperties.AUTHENTICATION_SCHEME, JCSMPProperties.AUTHENTICATION_SCHEME_CLIENT_CERTIFICATE);
properties.setProperty(JCSMPProperties.SSL_VALIDATE_CERTIFICATE, true);
properties.setProperty(JCSMPProperties.SSL_VALIDATE_CERTIFICATE_DATE, false);
// Trust store with the broker's CA; key store with the client certificate and private key
properties.setProperty(JCSMPProperties.SSL_TRUST_STORE, "./cacerts");
properties.setProperty(JCSMPProperties.SSL_TRUST_STORE_PASSWORD, "<passwd>");
properties.setProperty(JCSMPProperties.SSL_KEY_STORE, "./client.keystore");
properties.setProperty(JCSMPProperties.SSL_KEY_STORE_PASSWORD, "<passwd>");

So, only SDK Perf is working with single IP and port combination right now.
Please help.

Thanks,
Raghu

After some trial and error, I figured out that the Java code needs the HOST parameter in the format below:

 properties.setProperty(JCSMPProperties.HOST, "tcps://<ip>:55443");

So, how do we specify multiple hosts? Does tcps://<ip1>:55443,tcps://<ip2>:55443 work?
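The following is an added example and not code from the thread or from Solace. It builds the JCSMP session properties for client-certificate authentication and, before calling createSession, checks that every entry of the comma-separated host list carries the tcps:// scheme. The check is based on the evidence in the thread (a single tcps://<ip1>:55443 works, while tcps://<ip1>:55443,<ip2>:55443 fails with "supported only for SSL secured schemes") and on the assumption that each host entry in the list is parsed with its own scheme; the hosts, VPN name, keystore paths and passwords are placeholders.

```java
import com.solacesystems.jcsmp.JCSMPException;
import com.solacesystems.jcsmp.JCSMPFactory;
import com.solacesystems.jcsmp.JCSMPProperties;
import com.solacesystems.jcsmp.JCSMPSession;

import java.util.ArrayList;
import java.util.List;

public class ClientCertConnect {

    /**
     * Return the entries of a comma-separated JCSMP host list that do NOT start
     * with tcps://. An empty result means every host will be reached over TLS,
     * which is what client-certificate authentication requires.
     * Assumption: each list entry is parsed with its own scheme, so a scheme on
     * the first entry does not carry over to the second.
     */
    static List<String> hostsWithoutTls(String hostList) {
        List<String> plain = new ArrayList<>();
        for (String entry : hostList.split(",")) {
            String host = entry.trim();
            if (!host.toLowerCase().startsWith("tcps://")) {
                plain.add(host);
            }
        }
        return plain;
    }

    /** Build properties for client-certificate auth, rejecting non-TLS host entries early. */
    static JCSMPProperties buildProperties(String hostList, String vpn,
                                           String keyStore, String keyStorePass,
                                           String trustStore, String trustStorePass) {
        List<String> plain = hostsWithoutTls(hostList);
        if (!plain.isEmpty()) {
            // Fail with a message that names the offending entries instead of the
            // generic InvalidPropertiesException seen in the thread.
            throw new IllegalArgumentException(
                "client-certificate auth requires tcps:// on every host entry; missing on: " + plain);
        }
        JCSMPProperties props = new JCSMPProperties();
        props.setProperty(JCSMPProperties.HOST, hostList);
        props.setProperty(JCSMPProperties.VPN_NAME, vpn);
        props.setProperty(JCSMPProperties.AUTHENTICATION_SCHEME,
                          JCSMPProperties.AUTHENTICATION_SCHEME_CLIENT_CERTIFICATE);
        // Key store: the client certificate and private key presented to the broker
        props.setProperty(JCSMPProperties.SSL_KEY_STORE, keyStore);
        props.setProperty(JCSMPProperties.SSL_KEY_STORE_PASSWORD, keyStorePass);
        // Trust store: the CA that signed the broker's server certificate
        props.setProperty(JCSMPProperties.SSL_TRUST_STORE, trustStore);
        props.setProperty(JCSMPProperties.SSL_TRUST_STORE_PASSWORD, trustStorePass);
        // Validate the broker certificate and its validity period on the client side too
        props.setProperty(JCSMPProperties.SSL_VALIDATE_CERTIFICATE, true);
        props.setProperty(JCSMPProperties.SSL_VALIDATE_CERTIFICATE_DATE, true);
        return props;
    }

    public static void main(String[] args) throws JCSMPException {
        // Placeholder values: replace <ip1>, <ip2>, <vpn_name> and <passwd> with your own.
        String hosts = "tcps://<ip1>:55443,tcps://<ip2>:55443";
        JCSMPProperties props = buildProperties(hosts, "<vpn_name>",
                "./client.keystore", "<passwd>", "./cacerts", "<passwd>");
        JCSMPSession session = JCSMPFactory.onlyInstance().createSession(props);
        session.connect();
        System.out.println("connected using client-certificate authentication");
        session.closeSession();
    }
}
```

With the host list from the thread, "tcps://<ip1>:55443,<ip2>:55443", hostsWithoutTls returns ["<ip2>:55443"] and buildProperties throws before any connection is attempted, which is the same condition the broker-side error message points at but reported in terms of the host entry that causes it. The example keeps SSL_VALIDATE_CERTIFICATE_DATE enabled, unlike the snippet earlier in the thread, so an expired broker certificate is refused by the client as well as by the VPN's validate-certificate-date setting.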