Hello Group,
We have recently purchased SIFWorks ADK and with it we also received ZIS. Both are integrated awesomely and working excellently. The ZIS interface is very nice and user-friendly. We really experience the difference in the SIFWorks paid product and appreciate all your efforts. Thanks so much.
As per the needs of ADK SIF Compliance Testing, we are trying to test the SimpleProvider agent (example agent provided by SIFWorks) with the HTTPS protocol. We have followed the - SIFWorks ZIS HTTPS Guide.pdf - document provided by SIFWorks to set up HTTPS Administration in ZIS. Along the way, we have created Server Certificates from the ZIS web interface and created .ks & .cer files for the Agent using the advised Portecle open source tool. We imported the agent .cer file into ZIS under Agent Transports -> HTTPS -> Agent Certificates.
We have also imported the zis.cer and agent.cer files created above into the C:\Program Files\Java\jre6\lib\security\cacerts file using the Portecle open source tool.
Copied agent.cer file to SimpleProvider folder and ran the SimpleProvider as follows:
C:\Program Files\sifworks-adk\examples\SimpleProvider>java -cp .;..\..\lib\log4j.jar;..\..\lib\javax.servlet.jar;..\..\lib\org.mortbay.jetty.jar;..\..\lib\xercesImpl.jar;..\..\lib\jsr173_api.jar;..\..\lib\sjsxp.jar;..\..\lib\sifworks-adk.jar;..\..\lib\sdoall.jar;..\..\lib\commons-logging.jar SimpleProvider /zone zone1 /url https://172.20.12.30:7443/zone1 /port 8000 /push /https /keystore AIMSAgent.ks /ksPwd changeit /log prov.log /auth
2009-11-26 17:07:23,834 DEBUG [ADK] Using ADK 2.2.3.3
2009-11-26 17:07:23,834 DEBUG [ADK] Using SIF 2.3
2009-11-26 17:07:24,084 INFO [ADK.Agent] Initializing agent...
2009-11-26 17:07:24,084 INFO [ADK.Agent] Setting work directory to: C:\ProgramFiles\sifworks-adk\examples\SimpleProvider\work
2009-11-26 17:07:24,115 INFO [ADK.Agent] Agent initialized
2009-11-26 17:07:24,522 DEBUG [ADK.Agent] Reading SIF_Request ID cache: C:\Program Files\sifworks-adk\examples\SimpleProvider\work\requestcache.adk
2009-11-26 17:07:24,537 DEBUG [ADK.Agent] Read 0 pending SIF_Request IDs from cache
log4j:WARN No appenders could be found for logger (org.mortbay.util.Container).
log4j:WARN Please initialize the log4j system properly.
2009-11-26 17:07:24,725 INFO [ADK.Agent.transport$https] Using default Java truststore
2009-11-26 17:07:25,600 DEBUG [ADK.Agent$zone1] Send SIF_Register
2009-11-26 17:07:25,615 DEBUG [ADK.Agent$zone1] Using keystore: C:\Program Files\sifworks-adk\examples\SimpleProvider\AIMSAgent.ks
2009-11-26 17:07:25,615 DEBUG [ADK.Agent$zone1] Using default Java keystore password 'changeit'
2009-11-26 17:07:25,615 DEBUG [ADK.Agent$zone1] Using default Java truststore
2009-11-26 17:07:25,615 DEBUG [ADK.Agent$zone1] Using default Java truststore password 'changeit'
Could not establish a connection to the ZIS (https://172.20.12.30:7443/zone1): java.net.SocketException: Software caused connection abort: recv failed
2009-11-26 17:07:25,959 INFO [ADK.Agent] Shutting down agent...
2009-11-26 17:07:25,959 INFO [ADK.Agent$zone1] Shutting down zone...
2009-11-26 17:07:25,959 INFO [ADK.Agent$zone1] Shutting down Message Dispatcher
2009-11-26 17:07:25,959 INFO [ADK.Agent$zone1] Shutting down Protocol Handler
2009-11-26 17:07:25,959 INFO [ADK.Agent$zone1] Zone shutdown complete
2009-11-26 17:07:25,959 INFO [ADK.Agent] Shutting down Transports...
2009-11-26 17:07:26,068 DEBUG [ADK.Agent] Agent shutdown complete
C:\Program Files\sifworks-adk\examples\SimpleProvider>
But as you see, we are receiving the above error which has clue for us to resolve! Could you please suggest a probable solution and advise us whether what we did above is correct, or correct us please?
FYI - HTTP version of SimpleProvider & SimpleSubscriber are working fine.
Thanks in advance,
Shravan Kumar. M
----------------------------------------------
Hey.. we got some kind of solution to this problem....
We have disabled "Require Client Authentication" in ZIS -> Transports -> HTTPS configuration and then agent was able to successfully connect to ZIS, register,...
Hope this helps someone else :)
Shravan,
I just worked on a case similar to what you experienced. Hopefully, I can clarify what is happening. When you require client authentication at the ZIS, it sets the SIF Authentication Level to a point where it requires certain criteria to be met in order to establish a connection.
The first is that the agent present a certificate to the ZIS as it attempts to establish a connection. The second is that it requires that certificate to be signed by a Certificate Authority. So a self-signed agent certificate would not be sufficient in this case, as it has not been verified by a legitimate Certificate Authority.
When you uncheck the requirement for client authentication, that lowers the SIF Authentication Level which in turn means that when the agent attempts to connect over HTTPS with the ZIS, a self-signed certificate is sufficient to allow authentication to work.
For more information on authentication levels you can refer to the SIF Specification or you can take a look at an article posted by Andrew Elmhorst that discusses the theory behind it at:
http://sifzone.com/blogs/sifbits/archive/2005/09/05/sif-security-part-1.aspx
Also, if you're interested in seeing the handshake process when the SSL connection is being established, add the following to your JVM arguments:
-Djavax.net.debug=ssl,verbose
Hope that helps!
Any suggestions/ pointers to fix this https issue [or] steps to setup https in a SIF Agent & SIF ZIS (fyi - we are using SIFWorks ADK & ZIS).
Thank You,
----------------------------------
Thanks so much for your explanation behind the issue, Jared. That helps. We actually got to know the same after a few experiments and fixed it by un-checking "Require Client Authentication" at ZIS Transports HTTPS. However, the installation guides provided by SIFWorks misled us in this area and wasted our time.
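
Jared's reply turns on whether the certificate the agent presents is self-signed or CA-issued. The following is an added example, not part of the thread and not SIFWorks code: it lists each entry of an agent keystore and reports whether it holds a private key and whether its leaf certificate is self-signed. The class name AgentKeystoreCheck and the JKS store type are assumptions.

```java
import java.io.FileInputStream;
import java.security.KeyStore;
import java.security.cert.Certificate;
import java.security.cert.X509Certificate;
import java.util.Collections;

// Added diagnostic, not SIFWorks code. Assumes the agent keystore is of type JKS.
public class AgentKeystoreCheck {

    // Self-signed: issuer equals subject and the signature verifies under its own key.
    static boolean isSelfSigned(X509Certificate c) {
        if (!c.getSubjectX500Principal().equals(c.getIssuerX500Principal())) return false;
        try {
            c.verify(c.getPublicKey());
            return true;
        } catch (Exception e) {
            return false;
        }
    }

    public static void main(String[] args) throws Exception {
        if (args.length != 2) {
            System.err.println("usage: java AgentKeystoreCheck <keystore> <password>");
            System.exit(2);
        }
        KeyStore ks = KeyStore.getInstance("JKS");
        FileInputStream in = new FileInputStream(args[0]);
        try {
            ks.load(in, args[1].toCharArray());
        } finally {
            in.close();
        }
        for (String alias : Collections.list(ks.aliases())) {
            Certificate[] chain = ks.getCertificateChain(alias);
            if (!ks.isKeyEntry(alias) || chain == null || !(chain[0] instanceof X509Certificate)) {
                // No private key behind this alias: it can be trusted, but never presented.
                System.out.println(alias + ": not a client identity (no private key and chain)");
                continue;
            }
            X509Certificate leaf = (X509Certificate) chain[0];
            System.out.println(alias + ": subject=" + leaf.getSubjectX500Principal().getName());
            System.out.println("  issuer=" + leaf.getIssuerX500Principal().getName());
            // A chain of length 1 with self-signed=true means no CA has vouched for this identity.
            System.out.println("  chain length=" + chain.length + ", self-signed=" + isSelfSigned(leaf));
        }
    }
}
```

Run it against the keystore named in the post, for example: java AgentKeystoreCheck AIMSAgent.ks changeit. Reading its output next to the -Djavax.net.debug=ssl,verbose trace shows which identity the agent has available to offer during the handshake.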