As soon as I import the first key with keytool into the wso2carbon.jks file (and restart the service), the service fails to launch properly and logs the following error:
TID: [0] [EMM] [2014-03-06 23:46:42,106] ERROR {org.wso2.carbon.databridge.receiver.thrift.internal.ThriftDataReceiverDS} - Can not create and start Agent Server {org.wso2.carbon.databridge.receiver.thrift.internal.ThriftDataReceiverDS}
org.wso2.carbon.databridge.core.exception.DataBridgeException: Cannot start agent server on port 7711
at org.wso2.carbon.databridge.receiver.thrift.internal.ThriftDataReceiver.startSecureEventTransmission(ThriftDataReceiver.java:129)
at org.wso2.carbon.databridge.receiver.thrift.internal.ThriftDataReceiver.start(ThriftDataReceiver.java:101)
at org.wso2.carbon.databridge.receiver.thrift.internal.ThriftDataReceiverDS.activate(ThriftDataReceiverDS.java:96)
at sun.reflect.NativeMethodAccessorImpl.invoke0(Native Method)
at sun.reflect.NativeMethodAccessorImpl.invoke(NativeMethodAccessorImpl.java:57)
at sun.reflect.DelegatingMethodAccessorImpl.invoke(DelegatingMethodAccessorImpl.java:43)
at java.lang.reflect.Method.invoke(Method.java:606)
at org.eclipse.equinox.internal.ds.model.ServiceComponent.activate(ServiceComponent.java:260)
at org.eclipse.equinox.internal.ds.model.ServiceComponentProp.activate(ServiceComponentProp.java:146)
at org.eclipse.equinox.internal.ds.model.ServiceComponentProp.build(ServiceComponentProp.java:347)
at org.eclipse.equinox.internal.ds.InstanceProcess.buildComponent(InstanceProcess.java:620)
at org.eclipse.equinox.internal.ds.InstanceProcess.buildComponents(InstanceProcess.java:197)
at org.eclipse.equinox.internal.ds.Resolver.getEligible(Resolver.java:343)
at org.eclipse.equinox.internal.ds.SCRManager.serviceChanged(SCRManager.java:222)
at org.eclipse.osgi.internal.serviceregistry.FilteredServiceListener.serviceChanged(FilteredServiceListener.java:107)
at org.eclipse.osgi.framework.internal.core.BundleContextImpl.dispatchEvent(BundleContextImpl.java:861)
at org.eclipse.osgi.framework.eventmgr.EventManager.dispatchEvent(EventManager.java:230)
at org.eclipse.osgi.framework.eventmgr.ListenerQueue.dispatchEventSynchronous(ListenerQueue.java:148)
at org.eclipse.osgi.internal.serviceregistry.ServiceRegistry.publishServiceEventPrivileged(ServiceRegistry.java:819)
at org.eclipse.osgi.internal.serviceregistry.ServiceRegistry.publishServiceEvent(ServiceRegistry.java:771)
at org.eclipse.osgi.internal.serviceregistry.ServiceRegistrationImpl.register(ServiceRegistrationImpl.java:130)
at org.eclipse.osgi.internal.serviceregistry.ServiceRegistry.registerService(ServiceRegistry.java:214)
at org.eclipse.osgi.framework.internal.core.BundleContextImpl.registerService(BundleContextImpl.java:433)
at org.eclipse.osgi.framework.internal.core.BundleContextImpl.registerService(BundleContextImpl.java:451)
at org.wso2.carbon.core.init.CarbonServerManager.initializeCarbon(CarbonServerManager.java:517)
at org.wso2.carbon.core.init.CarbonServerManager.start(CarbonServerManager.java:219)
at org.wso2.carbon.core.internal.CarbonCoreServiceComponent.activate(CarbonCoreServiceComponent.java:77)
at sun.reflect.NativeMethodAccessorImpl.invoke0(Native Method)
at sun.reflect.NativeMethodAccessorImpl.invoke(NativeMethodAccessorImpl.java:57)
at sun.reflect.DelegatingMethodAccessorImpl.invoke(DelegatingMethodAccessorImpl.java:43)
at java.lang.reflect.Method.invoke(Method.java:606)
at org.eclipse.equinox.internal.ds.model.ServiceComponent.activate(ServiceComponent.java:260)
at org.eclipse.equinox.internal.ds.model.ServiceComponentProp.activate(ServiceComponentProp.java:146)
at org.eclipse.equinox.internal.ds.model.ServiceComponentProp.build(ServiceComponentProp.java:347)
at org.eclipse.equinox.internal.ds.InstanceProcess.buildComponent(InstanceProcess.java:620)
at org.eclipse.equinox.internal.ds.InstanceProcess.buildComponents(InstanceProcess.java:197)
at org.eclipse.equinox.internal.ds.Resolver.getEligible(Resolver.java:343)
at org.eclipse.equinox.internal.ds.SCRManager.serviceChanged(SCRManager.java:222)
at org.eclipse.osgi.internal.serviceregistry.FilteredServiceListener.serviceChanged(FilteredServiceListener.java:107)
at org.eclipse.osgi.framework.internal.core.BundleContextImpl.dispatchEvent(BundleContextImpl.java:861)
at org.eclipse.osgi.framework.eventmgr.EventManager.dispatchEvent(EventManager.java:230)
at org.eclipse.osgi.framework.eventmgr.ListenerQueue.dispatchEventSynchronous(ListenerQueue.java:148)
at org.eclipse.osgi.internal.serviceregistry.ServiceRegistry.publishServiceEventPrivileged(ServiceRegistry.java:819)
at org.eclipse.osgi.internal.serviceregistry.ServiceRegistry.publishServiceEvent(ServiceRegistry.java:771)
at org.eclipse.osgi.internal.serviceregistry.ServiceRegistrationImpl.register(ServiceRegistrationImpl.java:130)
at org.eclipse.osgi.internal.serviceregistry.ServiceRegistry.registerService(ServiceRegistry.java:214)
at org.eclipse.osgi.framework.internal.core.BundleContextImpl.registerService(BundleContextImpl.java:433)
at org.eclipse.equinox.http.servlet.internal.Activator.registerHttpService(Activator.java:81)
at org.eclipse.equinox.http.servlet.internal.Activator.addProxyServlet(Activator.java:60)
at org.eclipse.equinox.http.servlet.internal.ProxyServlet.init(ProxyServlet.java:40)
at org.wso2.carbon.tomcat.ext.servlet.DelegationServlet.init(DelegationServlet.java:38)
at org.apache.catalina.core.StandardWrapper.initServlet(StandardWrapper.java:1267)
at org.apache.catalina.core.StandardWrapper.loadServlet(StandardWrapper.java:1186)
at org.apache.catalina.core.StandardWrapper.load(StandardWrapper.java:1081)
at org.apache.catalina.core.StandardContext.loadOnStartup(StandardContext.java:5027)
at org.apache.catalina.core.StandardContext.startInternal(StandardContext.java:5314)
at org.apache.catalina.util.LifecycleBase.start(LifecycleBase.java:150)
at org.apache.catalina.core.ContainerBase$StartChild.call(ContainerBase.java:1559)
at org.apache.catalina.core.ContainerBase$StartChild.call(ContainerBase.java:1549)
at java.util.concurrent.FutureTask$Sync.innerRun(FutureTask.java:334)
at java.util.concurrent.FutureTask.run(FutureTask.java:166)
at java.util.concurrent.ThreadPoolExecutor.runWorker(ThreadPoolExecutor.java:1145)
at java.util.concurrent.ThreadPoolExecutor$Worker.run(ThreadPoolExecutor.java:615)
at java.lang.Thread.run(Thread.java:724)
Caused by: org.wso2.carbon.databridge.commons.exception.TransportException: Thrift transport exception occurred
at org.wso2.carbon.databridge.receiver.thrift.internal.ThriftDataReceiver.startSecureEventTransmission(ThriftDataReceiver.java:150)
at org.wso2.carbon.databridge.receiver.thrift.internal.ThriftDataReceiver.startSecureEventTransmission(ThriftDataReceiver.java:127)
... 63 more
Caused by: org.apache.thrift.transport.TTransportException: Error creating the transport
at org.apache.thrift.transport.TSSLTransportFactory.createSSLContext(TSSLTransportFactory.java:201)
at org.apache.thrift.transport.TSSLTransportFactory.getServerSocket(TSSLTransportFactory.java:102)
at org.wso2.carbon.databridge.receiver.thrift.internal.ThriftDataReceiver.startSecureEventTransmission(ThriftDataReceiver.java:146)
... 64 more
Caused by: java.security.UnrecoverableKeyException: Cannot recover key
at sun.security.provider.KeyProtector.recover(KeyProtector.java:328)
at sun.security.provider.JavaKeyStore.engineGetKey(JavaKeyStore.java:138)
at sun.security.provider.JavaKeyStore$JKS.engineGetKey(JavaKeyStore.java:55)
at java.security.KeyStore.getKey(KeyStore.java:792)
at sun.security.ssl.SunX509KeyManagerImpl.<init>(SunX509KeyManagerImpl.java:131)
at sun.security.ssl.KeyManagerFactoryImpl$SunX509.engineInit(KeyManagerFactoryImpl.java:68)
at javax.net.ssl.KeyManagerFactory.init(KeyManagerFactory.java:259)
at org.apache.thrift.transport.TSSLTransportFactory.createSSLContext(TSSLTransportFactory.java:187)
... 66 more
I've tried all sorts of things with the certificates for weeks now, but I have not succeeded in setting up a completely running service. Can anyone please help me through the certificate handling step by step, because following the manual apparently has no success for some reason?
Remark: I don't have an iOS certificate, and I generated all my certificates with OpenSSL by following the WSO2 manual. I executed this command to generate this specific (KEYSTORE)p12 file for import into wso2carbon.jks. Do I first need to manually delete all jks files in that folder, or should I import into the existing files for one? What else might I be doing wrong? Thanks for the support.
Based on your older questions, I assume you are trying to configure the Android management part. Most of the certificate-related stuff in the document is associated with iOS. If you want to try out the Android configuration, you can skip most of the parts in that. Simply skip the CA/RA generation.
When configuring Android, the only place you need a keystore is to configure the Android agent app. You can find the step-by-step configuration at Android client configurations. That link points to the iOS CA generation since this step is already followed if you configure both iOS and Android. Otherwise you just have to execute these commands.
openssl genrsa -out <CA PRIVATE KEY> 4096
For example: openssl genrsa -out ca_private.key 4096
openssl req -new -key <CA PRIVATE KEY> -out <CA CSR>
For example: openssl req -new -key ca_private.key -out ca.csr
openssl x509 -req -days <DAYS> -in <CA CSR> -signkey <CA PRIVATE KEY> -out <CA CRT> -extensions v3_ca
For example: openssl x509 -req -days 365 -in ca.csr -signkey ca_private.key -out ca.crt -extensions v3_ca
openssl rsa -in <CA PRIVATE KEY> -text > <CA PRIVATE PEM>
For example: openssl rsa -in ca_private.key -text > ca_private.pem
openssl x509 -in <CA CRT> -out <CA CERT PEM>
For example: openssl x509 -in ca.crt -out ca_cert.pem
At the end of these commands you should have a ca_cert.pem with you.
Now you need to export this CA file into PKCS12. The command is as follows.
openssl pkcs12 -export -out ca.p12 -inkey ca_private.pem -in ca_cert.pem -name "cacert"
Now you get the ca.p12 file.
Just execute the following command to create a keystore file.
keytool -importkeystore -srckeystore ca.p12 -srcstoretype PKCS12 -destkeystore wso2mobilemdm.jks
As mentioned in my other thread wso2-mdm-android-agent-issue, you can either rename this to the bks file format or you can use portecle to convert this to bks, since Android expects you to make the keystore file in BouncyCastle format. Then embed this bks as mentioned in the doc and recompile the Android agent code.
To start, it's better to clear everything and get a fresh WSO2 EMM zip file. Extract it and start from scratch. From your log, what I feel is that your existing wso2carbon.jks is corrupted. When generating, do not import your generated CA into it; use a new keystore file as I mentioned in the last step.
Hope this helps.
Try this,
First try connecting to the server with the HTTP protocol. Simply change SERVER_PORT to 9763 and SERVER_PROTOCOL to http:// in the CommonUtilities.java file in the MDM Agent.
If it's successful, then check your BKS generation options, especially the host name. It is the only place where it can go wrong. Try the above and let us know the result.
I struggled with this as well, but finally figured it out. I debugged the app and found the BKS gets checked when you select the IP on the mobile device, and if it fails, it doesn't error out. This however means the authentication is still not working, and you get the error when you input the next few screens before it even attempts to connect. To fix this, I did the following :-
- Prepare a separate folder. DO NOT CREATE THE CERTS YET!
- Copy the following files from your \repository\resources\security folder :-
- client-truststore.jks
- wso2carbon.jks
- Since the jks files are in the temp folder now, also ensure to back them up
- Run the above from Dilshan in order (use the examples, they work fine)
- When prompted for Country etc., for your "Common name", make it your server IP address on your test environment. This is very important.
- For the "Challenge password" after asking for "Common name" etc, leave it blank. Only on this one though!
- All other password prompts: enter wso2carbon for simplicity's sake
- By following the above, the 3 JKS files (a new one called wso2mobilemdm.jks is also present now) will now be updated with the new certs. Copy them and the *.p12 files back to \repository\resources\security
This takes care of the server part. Just edit the mdm-config.xml under \repository\conf, and unlike the document, remember I made all the passwords uniform above to make it easier, so ensure they are set as wso2carbon. Ignore the iOS parts; just the "Keystore section" needs to be completed.
Also, edit the sso-idp-config.xml and change the IP addresses as needed.
Now, to the BKS. This part is only vaguely mentioned in the documents. Get bcprov-jdk15on-146.jar downloaded. Copy this to your current temp folder for simplicity's sake. I tried the bcprov-jdk15on-150.jar but it didn't work for some reason.
Run this now within this folder (my keytool path is messed up since I have multiple versions of Java running):-
"%JAVA_HOME%\bin\keytool" -importcert -trustcacerts -keystore emm_truststore.bks -storetype bks -storepass wso2carbon -file ca_cert.pem -provider org.bouncycastle.jce.provider.BouncyCastleProvider -providerpath ./bcprov-jdk15on-146.jar
This will now create the BKS file in the temp folder, with the other certs. Copy this emm_truststore.bks now back to your agent folder under res/raw, overwriting it.
In the MDM project, also check for "public static String SENDER_ID =" in the config file when you change the IP address etc. prior to exporting.
Clean the project and rebuild it. Now you are ready to export. What I did was copy the wso2mobilemdm.jks to the root of my Android project, since it is already in the correct format to use. But you can export and create a new key for this. Note, this has nothing to do with the BKS you created; this is to sign the APK to run on the device.
If you run this now it should work. You will see activity when you try to authenticate to the server.
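The following script is an added example and is not code from Dilshan's answer or from the last answer above; it runs their OpenSSL and keytool sequence non-interactively (Common Name set to the server IP, one uniform password, as the last answer recommends) and adds the check a practitioner wants after the import. The root cause at the bottom of the question's trace, `UnrecoverableKeyException: Cannot recover key`, is what the JDK throws when the password offered for a private-key entry does not match that entry's own password; a JKS keeps separate store and key passwords, and `keytool -importkeystore` carries the key password over from the PKCS12 file unless `-destkeypass` pins it. The script therefore sets both explicitly and verifies the entry with `keytool -certreq`, which has to recover the key the same way the server's key manager does at startup. Assumptions not taken from the page: `openssl` and `keytool` are on PATH, `192.0.2.10` is a placeholder server IP, `-subj` and `-batch` replace the interactive prompts, `-extfile` with a small `v3_ca` section is supplied so that `-extensions v3_ca` actually has something to read, and `openssl rsa -out` is used instead of redirecting `-text` output.

```shell
#!/bin/sh
# Added example (not the Stack Overflow answers' own code). Assumes openssl and
# keytool on PATH; 192.0.2.10 and all file names are placeholders.
set -eu

tools_available() {
    command -v openssl >/dev/null 2>&1 && command -v keytool >/dev/null 2>&1
}

# make_ca DIR CN PASSWORD
# Produces ca_private.key, ca.csr, ca.crt, ca_private.pem, ca_cert.pem and
# ca.p12 (alias "cacert") in DIR, mirroring the answer's command sequence.
make_ca() {
    dir=$1; cn=$2; pass=$3
    # Extension file so that "-extensions v3_ca" marks the cert as a CA.
    printf '[ v3_ca ]\nbasicConstraints = critical, CA:TRUE\nkeyUsage = critical, keyCertSign, cRLSign\nsubjectKeyIdentifier = hash\n' \
        > "$dir/v3_ca.cnf"
    openssl genrsa -out "$dir/ca_private.key" 4096 2>/dev/null
    # -subj replaces the prompts; CN is the IP the agent will connect to.
    openssl req -new -batch -key "$dir/ca_private.key" -out "$dir/ca.csr" \
        -subj "/C=US/ST=Test/L=Test/O=EMM Test/CN=$cn"
    openssl x509 -req -days 365 -in "$dir/ca.csr" -signkey "$dir/ca_private.key" \
        -out "$dir/ca.crt" -extfile "$dir/v3_ca.cnf" -extensions v3_ca 2>/dev/null
    openssl rsa -in "$dir/ca_private.key" -out "$dir/ca_private.pem" 2>/dev/null
    openssl x509 -in "$dir/ca.crt" -out "$dir/ca_cert.pem"
    openssl pkcs12 -export -out "$dir/ca.p12" -inkey "$dir/ca_private.pem" \
        -in "$dir/ca_cert.pem" -name cacert -passout "pass:$pass"
}

# import_to_jks P12 P12PASS JKS STOREPASS KEYPASS
# Imports the "cacert" entry into a JKS. The store and the private-key entry
# have separate passwords; -destkeypass pins the entry password explicitly.
# If it differs from the password the server hands to KeyManagerFactory.init(),
# the JDK fails with "UnrecoverableKeyException: Cannot recover key".
import_to_jks() {
    p12=$1; p12pass=$2; jks=$3; storepass=$4; keypass=$5
    keytool -importkeystore -noprompt \
        -srckeystore "$p12" -srcstoretype PKCS12 -srcstorepass "$p12pass" \
        -srcalias cacert -destalias cacert \
        -destkeystore "$jks" -deststoretype JKS \
        -deststorepass "$storepass" -destkeypass "$keypass" >/dev/null 2>&1
}

# verify_key_password JKS ALIAS STOREPASS KEYPASS
# Succeeds only if both passwords unlock the private key: generating a CSR
# forces keytool to recover the key, exactly what the SSL key manager does.
verify_key_password() {
    keytool -certreq -alias "$2" -keystore "$1" -storetype JKS \
        -storepass "$3" -keypass "$4" >/dev/null 2>&1
}

demo() {
    dir=$(mktemp -d)
    make_ca "$dir" 192.0.2.10 wso2carbon
    import_to_jks "$dir/ca.p12" wso2carbon "$dir/wso2mobilemdm.jks" wso2carbon wso2carbon
    if verify_key_password "$dir/wso2mobilemdm.jks" cacert wso2carbon wso2carbon; then
        echo "cacert entry recoverable with the store password: $dir/wso2mobilemdm.jks"
    else
        echo "key password mismatch in $dir/wso2mobilemdm.jks" >&2
        return 1
    fi
    keytool -list -keystore "$dir/wso2mobilemdm.jks" -storetype JKS -storepass wso2carbon
}

if tools_available; then demo; fi
```

Running `verify_key_password` against an existing wso2carbon.jks with the store password in both positions reproduces the question's failure in isolation: if it fails while `keytool -list` succeeds, the key entry was imported with a different password than the store, and re-importing with `-destkeypass` (or `keytool -keypasswd`) fixes it without touching the certificates.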
Source: https://stackoverflow.com/questions/22244726/wso2-mdm-configuration-certificate-problems