A customer has exposed their Sametime Proxy to the internet so that they can access it using the Sametime client on mobile devices. One step is to import SSL certificates, which the customer did following the very good Zero to Hero presentations.
I questioned how the intermediate and root Certificate Authority (CA) certificates had been applied. Zero to Hero and all other IBM documentation tells you to import the root and intermediate certificates into the CellDefaultTrustStore. For the STProxy and Sametime Gateway I have always installed them into the CellDefaultKeyStore along with the CA-signed device certificate, which creates a chain of certificates.
Anyway, once the customer had imported the certificates and I had imported them into the OS (Windows) so the Windows services would work, the customer could not connect using his Android Sametime client, but via a web browser it worked without problems.
I asked him to enable debugging and the logs he sent me from his handset showed the following (extract):
2013/06/21 16:28:15.891 340 FINE CommonHttpClient$QueryX509TrustManager.checkServerTrusted:928 ENTRY: Server certificate validation errorjava.security.cert.CertPathValidatorException: Trust anchor for certification path not found.
2013/06/21 16:28:15.895 340 FINE HTTPComm.BadCertificateNotifier:579 Enter HTTPComm.BadCertificateNotifier()
2013/06/21 16:28:15.895 340 FINE CommonHttpClient$QueryX509TrustManager.checkServerTrusted:937 Trust anchor for certification path not found.
java.security.cert.CertPathValidatorException: Trust anchor for certification path not found.
at org.apache.harmony.xnet.provider.jsse.TrustManagerImpl.checkTrusted(TrustManagerImpl.java:192)
at org.apache.harmony.xnet.provider.jsse.TrustManagerImpl.checkServerTrusted(TrustManagerImpl.java:163)
at com.lotus.android.common.CommonHttpClient$QueryX509TrustManager.checkServerTrusted(CommonHttpClient.java:923)
at org.apache.harmony.xnet.provider.jsse.OpenSSLSocketImpl.verifyCertificateChain(OpenSSLSocketImpl.java:597)
at org.apache.harmony.xnet.provider.jsse.NativeCrypto.SSL_do_handshake(Native Method)
at org.apache.harmony.xnet.provider.jsse.OpenSSLSocketImpl.startHandshake(OpenSSLSocketImpl.java:395)
at org.apache.harmony.xnet.provider.jsse.OpenSSLSocketImpl$SSLInputStream.<init>(OpenSSLSocketImpl.java:647)
at org.apache.harmony.xnet.provider.jsse.OpenSSLSocketImpl.getInputStream(OpenSSLSocketImpl.java:618)
at org.apache.http.impl.io.SocketInputBuffer.<init>(SocketInputBuffer.java:70)
at org.apache.http.impl.SocketHttpClientConnection.createSessionInputBuffer(SocketHttpClientConnection.java:83)
at org.apache.http.impl.conn.DefaultClientConnection.createSessionInputBuffer(DefaultClientConnection.java:170)
at org.apache.http.impl.SocketHttpClientConnection.bind(SocketHttpClientConnection.java:106)
at org.apache.http.impl.conn.DefaultClientConnection.openCompleted(DefaultClientConnection.java:129)
at org.apache.http.impl.conn.DefaultClientConnectionOperator.openConnection(DefaultClientConnectionOperator.java:172)
at org.apache.http.impl.conn.AbstractPoolEntry.open(AbstractPoolEntry.java:164)
at org.apache.http.impl.conn.AbstractPooledConnAdapter.open(AbstractPooledConnAdapter.java:119)
at org.apache.http.impl.client.DefaultRequestDirector.execute(DefaultRequestDirector.java:360)
at org.apache.http.impl.client.AbstractHttpClient.execute(AbstractHttpClient.java:555)
at org.apache.http.impl.client.AbstractHttpClient.execute(AbstractHttpClient.java:487)
at com.ibm.android.sametime.stproxy.HTTPComm.sendURLRequest(HTTPComm.java:468)
at com.ibm.android.sametime.stproxy.HTTPComm.sendURLRequestSync(HTTPComm.java:401)
at com.ibm.android.sametime.stproxy.HTTPComm$HttpRequestThread.run(HTTPComm.java:320)
2013/06/21 16:28:15.895 340 FINE CommonHttpClient$QueryX509TrustManager.checkServerTrusted:953 ENTRY: User rejected server’s certificate
2013/06/21 16:28:15.901 340 FINE STProxy.retryComm:1773 retryComm – command = 1 retries = 20
2013/06/21 16:28:15.901 340 INFO HTTPComm.sendURLRequest:501 _sendurlrequest: Connection rejected. req = POST, cmd = 1, exception = javax.net.ssl.SSLHandshakeException: java.security.cert.CertificateException: java.security.cert.CertPathValidatorException: Trust anchor for certification path not found.
I then found the following resource, which suggested querying the customer's Sametime Proxy with the OpenSSL client using the command (the -connect option takes host:port, not a URL):
openssl s_client -debug -connect www.thedomaintocheck.com:443
The last line of the output was Verify return code: 21 (unable to verify the first certificate), meaning the proxy was sending only its own certificate, so a client that does not already hold the intermediate CA certificate cannot build a trust path to the root.
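To turn that s_client output into a verdict, the following added example (not code from the original post) parses the "Certificate chain" section and the final verify code and tells a server-side chain gap apart from a client-side trust gap. The transcripts, host name and CA names are constructed and abbreviated.

```python
"""Interpret `openssl s_client -connect host:443 -showcerts` output.
Added example, not from the original post: links each certificate's
issuer (i:) to the next certificate's subject (s:) and reads the final
"Verify return code" to tell a server-side chain gap from a client-side
trust gap. Sample transcripts below are constructed and abbreviated."""
import re

CHAIN_RE = re.compile(r"^ *\d+ s:(.*)\n *i:(.*)$", re.MULTILINE)
CODE_RE = re.compile(r"Verify return code: (\d+) \(")

def parse_chain(output):
    """Chain as the server sent it: list of (subject, issuer) pairs."""
    return [(s.strip(), i.strip()) for s, i in CHAIN_RE.findall(output)]

def diagnose(output, trusted_roots):
    """Return (verify_code, diagnosis); trusted_roots are the subjects
    the client trusts, standing in for the Android device's store."""
    chain = parse_chain(output)
    code = int(CODE_RE.search(output).group(1))
    if not chain:
        return code, "no certificate chain in output"
    for (_, issuer), (nxt_subject, _) in zip(chain, chain[1:]):
        if issuer != nxt_subject:  # each issuer must be the next subject
            return code, f"chain broken: {issuer!r} != {nxt_subject!r}"
    last_subject, last_issuer = chain[-1]
    if last_subject in trusted_roots or last_issuer in trusted_roots:
        return code, "complete chain ending in a trusted root"
    if len(chain) == 1:  # code 21 on the page: only the leaf was sent
        return code, f"server sent only the leaf; add {last_issuer!r} to the server key store"
    return code, f"chain stops at {last_issuer!r}, which the client does not trust"

BEFORE = """\
 0 s:CN = stproxy.example.com
   i:CN = Example Intermediate CA
-----BEGIN CERTIFICATE-----
MIIC (constructed placeholder, not a real certificate)
-----END CERTIFICATE-----
    Verify return code: 21 (unable to verify the first certificate)
"""
AFTER = """\
 0 s:CN = stproxy.example.com
   i:CN = Example Intermediate CA
 1 s:CN = Example Intermediate CA
   i:CN = Example Root CA
    Verify return code: 0 (ok)
"""
TRUSTED = {"CN = Example Root CA"}  # root is on the device, the intermediate is not
```

Running diagnose(BEFORE, {"CN = Example Intermediate CA"}) reports a complete chain, which mirrors why a desktop browser that already holds the intermediate connected while the Android client, with only the root, did not.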
So I imported the intermediate and root certificates into the CellDefaultKeyStore and, after a restart of STProxy, his device could connect.
I'm not sure why IBM's documentation tells me to do it the other way, but I do know that for this instance my way works!!
