[midPoint] sms notification - https client certificate authentication

Petr Herman petr.herman at soc365.cz
Wed Mar 20 09:17:08 CET 2019


Hello,

Resolved by an Apache reverse HTTP proxy running on the midPoint server.

Below is my configuration:

SSLProxyEngine  On
SSLProxyCheckPeerCN Off
SSLProxyCheckPeerName Off
SSLProxyCheckPeerExpire Off
SSLProxyMachineCertificateFile /usr/share/tomcat/midpoint/clientPrivateKeyAndCertificate.pem
SSLProxyMachineCertificateChainFile /usr/share/tomcat/midpoint/trustedCAs.pem

ProxyRequests           Off
ProxyPreserveHost       On

ProxyPass               /smsconnector/getpost/GP  https://smsconnector.cz.o2.com/smsconnector/getpost/GP
ProxyPassReverse        /smsconnector/getpost/GP  https://smsconnector.cz.o2.com/smsconnector/getpost/GP

SetEnv nokeepalive ssl-unclean-shutdown

<Location "/smsconnector/getpost/GP">
  Order Deny,Allow
  Deny from All
  Allow from SERVER_IP
  Allow from 127.0.0.1
</Location>


Best regards
Petr
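As an added example (mine, not from the thread and not midPoint's own configuration), here is the same proxy with the peer checks turned back on. The three `SSLProxyCheckPeer* Off` lines above, together with the absence of `SSLProxyVerify`, mean httpd accepts whatever certificate the far end presents, so the client key and every SMS request would go to anyone able to answer for that hostname (DNS or routing compromise, a TLS-intercepting middlebox). Assumptions: Apache 2.4 syntax, the same CA-bundle path as above, and a separate `clientChain.pem` holding the intermediates of the client certificate (that file name is assumed). Note also the directive semantics: `SSLProxyMachineCertificateChainFile` completes the client's own chain, while the list of CAs trusted for the gateway's certificate belongs in `SSLProxyCACertificateFile`.

```apache
# Added example: hardened variant of the proxy configuration above (Apache 2.4).
# Paths are assumptions taken from the thread; adjust to your deployment.
SSLProxyEngine On

# Only modern TLS towards the gateway.
SSLProxyProtocol all -SSLv3 -TLSv1 -TLSv1.1

# Verify the gateway certificate: trust anchors, chain depth, hostname, expiry.
# "require" makes a verification failure fatal, so the client certificate is
# never presented to an unverified peer.
SSLProxyVerify require
SSLProxyVerifyDepth 3
SSLProxyCACertificateFile /usr/share/tomcat/midpoint/trustedCAs.pem
SSLProxyCheckPeerCN On
SSLProxyCheckPeerName On
SSLProxyCheckPeerExpire On

# Client certificate for the gateway: unencrypted private key plus certificate
# in one PEM (mod_ssl does not support encrypted proxy keys here, so keep the
# file root-owned, mode 0600; it is read once at startup). The chain file holds
# only the intermediates that complete the *client* chain, not the server
# trust list.
SSLProxyMachineCertificateFile /usr/share/tomcat/midpoint/clientPrivateKeyAndCertificate.pem
SSLProxyMachineCertificateChainFile /usr/share/tomcat/midpoint/clientChain.pem

ProxyRequests Off
# Off: SNI and the peer-name check then use the hostname from the backend URL,
# not the Host header of the incoming midPoint request.
ProxyPreserveHost Off

ProxyPass        /smsconnector/getpost/GP https://smsconnector.cz.o2.com/smsconnector/getpost/GP
ProxyPassReverse /smsconnector/getpost/GP https://smsconnector.cz.o2.com/smsconnector/getpost/GP

# Only the local midPoint instance may use this path: anyone else who can reach
# it sends SMS under your client certificate. Use "Require ip <address>" instead
# if midPoint does not call the proxy over loopback.
<Location "/smsconnector/getpost/GP">
  Require local
</Location>
```

With `ProxyPreserveHost On`, mod_proxy uses the incoming Host header for the SNI it sends and for the peer-name comparison, so `SSLProxyCheckPeerName On` would check the gateway certificate against the midPoint hostname and fail; that is why the example turns it `Off`. Run `apachectl configtest` before reloading; a wrong CA bundle then shows up as a proxy handshake error in the httpd error log rather than as a `handshake_failure` inside midPoint.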


From: midPoint <midpoint-bounces at lists.evolveum.com> on behalf of Petr Herman
Sent: Friday, March 15, 2019 10:01 AM
To: midPoint General Discussion <midpoint at lists.evolveum.com>
Subject: Re: [midPoint] sms notification - https client certificate authentication

Hi,

below you can see the current Java properties.

/usr/lib/jvm/jre/bin/java -server -Xms256m -Xmx8192m -Xss4m -Dmidpoint.home=/usr/share/tomcat/midpoint/ -Djavax.net.ssl.trustStore=/usr/share/tomcat/midpoint/keystore.jceks -Djavax.net.ssl.trustStoreType=jceks -Djavax.net.ssl.keyStore=/usr/share/tomcat/midpoint/keystore-sms.jceks -Djavax.net.ssl.keystoretype=jceks -Djavax.net.ssl.keyStorePassword=changeit -Djavax.net.debug=ssl -agentlib:jdwp=transport=dt_socket,server=y,suspend=n,address=8000 -classpath /usr/share/tomcat/bin/bootstrap.jar:/usr/share/tomcat/bin/tomcat-juli.jar:/usr/share/java/commons-daemon.jar -Dcatalina.base=/usr/share/tomcat -Dcatalina.home=/usr/share/tomcat -Djava.endorsed.dirs= -Djava.io.tmpdir=/var/cache/tomcat/temp -Djava.util.logging.config.file=/usr/share/tomcat/conf/logging.properties -Djava.util.logging.manager=org.apache.juli.ClassLoaderLogManager org.apache.catalina.startup.Bootstrap start

I'm using both the keyStore and trustStore properties and have tested both merged and split keystore files.

I've also tried to test the SMS API via the curl command and there is no problem.

Thank you for any ideas

Best regards
Petr Herman
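An added check (mine, not from the thread or from midPoint) for command lines like the one above. Java system property names are case-sensitive: `-Djavax.net.ssl.keystoretype=jceks` defines a different, unread property, so SunJSSE opens the key store with the default type instead; and a `keyStorePassword` on the command line is readable by every local user through `ps`. The function below scans a JVM argument string for `javax.net.ssl.*` properties, reports exact canonical names, flags names that differ from a canonical SunJSSE name only in case, and redacts password values. The sample command line embedded at the end is constructed from the ps output above with unrelated flags dropped.

```sh
#!/bin/sh
# Added example (not from the thread): audit javax.net.ssl.* properties on a
# JVM command line. Property names are case-sensitive, so
# -Djavax.net.ssl.keystoretype is not -Djavax.net.ssl.keyStoreType and is
# ignored by SunJSSE.

# Canonical SunJSSE property names.
JSSE_KNOWN='javax.net.ssl.keyStore javax.net.ssl.keyStoreType javax.net.ssl.keyStorePassword javax.net.ssl.keyStoreProvider javax.net.ssl.trustStore javax.net.ssl.trustStoreType javax.net.ssl.trustStorePassword javax.net.ssl.trustStoreProvider'

# jsse_audit "<java command line>"
# Prints one line per -Djavax.net.ssl.* argument:
#   OK   name=value             exact canonical name (password values redacted)
#   BAD  name (canonical: X)    same name in a different case: silently ignored
#   UNKNOWN name                not a SunJSSE property
# Returns 1 if anything other than OK was found, else 0.
jsse_audit() {
    _rc=0
    for _arg in $1; do
        case "$_arg" in
            -Djavax.net.ssl.*=*) ;;
            *) continue ;;
        esac
        _kv=${_arg#-D}
        _name=${_kv%%=*}
        _value=${_kv#*=}
        _lname=$(printf '%s' "$_name" | tr 'A-Z' 'a-z')
        _status=UNKNOWN
        for _known in $JSSE_KNOWN; do
            if [ "$_known" = "$_name" ]; then
                _status=OK
                break
            elif [ "$(printf '%s' "$_known" | tr 'A-Z' 'a-z')" = "$_lname" ]; then
                _status="BAD (canonical: $_known)"
            fi
        done
        case "$_status" in
            OK)
                # Never echo secrets: the ps listing already exposes them.
                case "$_name" in *Password) _value='<redacted>' ;; esac
                printf 'OK   %s=%s\n' "$_name" "$_value"
                ;;
            BAD*)
                printf 'BAD  %s %s\n' "$_name" "${_status#BAD }"
                _rc=1
                ;;
            *)
                printf 'UNKNOWN %s\n' "$_name"
                _rc=1
                ;;
        esac
    done
    return $_rc
}

# Constructed sample, shortened from the ps output quoted in the thread.
SAMPLE_CMDLINE='/usr/lib/jvm/jre/bin/java -server -Dmidpoint.home=/usr/share/tomcat/midpoint/ -Djavax.net.ssl.trustStore=/usr/share/tomcat/midpoint/keystore.jceks -Djavax.net.ssl.trustStoreType=jceks -Djavax.net.ssl.keyStore=/usr/share/tomcat/midpoint/keystore-sms.jceks -Djavax.net.ssl.keystoretype=jceks -Djavax.net.ssl.keyStorePassword=changeit org.apache.catalina.startup.Bootstrap start'

jsse_audit "$SAMPLE_CMDLINE" || echo 'jsse_audit: fix the flagged properties and restart the JVM'
```

On a live host feed it the real command line, for example `jsse_audit "$(ps -o args= -C java)"`. Keeping the store password out of the command line (a `JAVA_OPTS` file readable only by the service user, or midPoint's own keystore settings) removes the `ps` exposure that the redaction only hides in this report.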


From: midPoint <midpoint-bounces at lists.evolveum.com> on behalf of Oleksandr Nekriach
Sent: Friday, March 15, 2019 9:15 AM
To: midPoint General Discussion <midpoint at lists.evolveum.com>
Subject: Re: [midPoint] sms notification - https client certificate authentication

Hi,
Show us what your Java runtime properties are, or just run
# ps aux | grep tomcat


On Thu, 14 Mar 2019 at 17:53, Petr Herman <petr.herman at soc365.cz> wrote:
Hello,

yes, I've tried adding the client private key, the client certificate (p12 file) and all related CAs to the Java keystore.

I've changed the name of the certificate KeyEntry to be the same as the HTTPS hostname, I've changed the password for the PrivateKeyEntry to be the same as the keystore password, and I've restarted midPoint.

# keytool -keystore keystore.jceks -storetype jceks -storepass changeit -list
smsconnector.cz.o2.com, Mar 14, 2019, PrivateKeyEntry,
thawte tls rsa ca g1, Mar 14, 2019, trustedCertEntry,
default, Aug 17, 2018, SecretKeyEntry,
et sms connector, Mar 14, 2019, trustedCertEntry,
o2 sms connector, Mar 14, 2019, trustedCertEntry,

There is still the same issue:

2019-03-14 15:53:48,434 [] [pool-6-thread-1] DEBUG (com.evolveum.midpoint.notifications.impl.api.transports.SimpleSmsTransport): Sending SMS to URL https://smsconnector.cz.o2.com/smsconnector/getpost/GP (method POST)
2019-03-14 15:53:48,434 [] [pool-6-thread-1] DEBUG (com.evolveum.midpoint.notifications.impl.api.transports.SimpleSmsTransport): Using request headers:
[Content-Type: application/x-www-form-urlencoded]
2019-03-14 15:53:48,443 [] [pool-6-thread-1] DEBUG (com.evolveum.midpoint.notifications.impl.api.transports.SimpleSmsTransport): Using request body text (encoding: ISO-8859-1):
action=send&baID=1991234&fromNumber=%2b420720001234&toNumber=%2b420604555666&text=Test+zprava
2019-03-14 15:53:48,663 [] [pool-6-thread-1] ERROR (com.evolveum.midpoint.notifications.impl.api.transports.SimpleSmsTransport): Couldn't send SMS to [+420604555666] via null, trying another gateway, if there is any, reason: Received fatal alert: handshake_failure (class javax.net.ssl.SSLHandshakeException)
2019-03-14 15:53:48,667 [] [pool-6-thread-1] DEBUG (com.evolveum.midpoint.notifications.impl.api.transports.SimpleSmsTransport): Couldn't send SMS to [+420604555666] via null, trying another gateway, if there is any.
javax.net.ssl.SSLHandshakeException: Received fatal alert: handshake_failure
        at sun.security.ssl.Alerts.getSSLException(Alerts.java:192)
        at sun.security.ssl.Alerts.getSSLException(Alerts.java:154)
        at sun.security.ssl.SSLSocketImpl.recvAlert(SSLSocketImpl.java:2020)
        at sun.security.ssl.SSLSocketImpl.readRecord(SSLSocketImpl.java:1127)
        at sun.security.ssl.SSLSocketImpl.performInitialHandshake(SSLSocketImpl.java:1367)
...


The question is how to force midPoint or Tomcat to use the SSL client certificate from the keystore during communication with a particular HTTPS URL?

Thank you for any advice

Best regards
Petr Herman



From: midPoint <midpoint-bounces at lists.evolveum.com> on behalf of Jason Everling
Sent: Tuesday, March 12, 2019 9:10 PM
To: midPoint General Discussion <midpoint at lists.evolveum.com>
Subject: Re: [midPoint] sms notification - https client certificate authentication

Have you tried adding the client certificate/key into your midpoint keystore then running an sms notification?



On Tue, Mar 12, 2019 at 9:08 AM Petr Herman <petr.herman at soc365.cz> wrote:
Hello everyone,

the customer wants to integrate the O2 SMS gateway using HTTP GET/POST, but the SMS gateway uses an HTTPS client certificate for authentication.

Does midPoint support this feature?

Thank you in advance
Best regards

Petr Herman
Visitech a.s.

_______________________________________________
midPoint mailing list
midPoint at lists.evolveum.com
http://lists.evolveum.com/mailman/listinfo/midpoint


--
Best regards,


Oleksandr Nekriach | Identity and access management engineer

Dynatech, Jeruzalemes iela 1, Rīga, LV-1010, Latvia
+37125314685, o.nekriach at dynatech.lv | www.dynatech.lv
