Error while signing message


Keith

Nov 27, 2009, 1:00:31 AM
to Hermes 2.0 Discussion List
Hello, I would like to ask about how to solve an error while signing a
message. Here is some basic info about my environment ...

- Hermes version 20090731
- JDK 1.5 with JCE replaced
- MySQL
- Apache Tomcat Web server running on HTTP(8080) HTTPS(8443)
- All messages will be sent over the ebMS protocol
- Keystore type is PKCS12, TrustStore type is JKS

I have had my Hermes servers up and running for months,
and now I'm trying to send a signed message over HTTPS.

Both sender and receiver are Hermes,

Test case #1.1: Sending message over HTTP (passed)
Test case #1.2: Sending message over HTTP/ACK (passed)
Test case #2.1: Sending message over HTTPS (passed)
Test case #2.2: Sending message over HTTPS/ACK (passed)
Test case #2.3: Sending message over HTTPS/ACK/SIGNED (failed)

At first, Hermes used the default private key to sign the
message:
"C:\Program Files\hermes2\plugins\hk.hku.cecid.ebms\security
\corvus.p12"

** With the default private key, Hermes was able to complete the signing
process and send without error. **

So I tried to use my own PKCS12 private key by using keytool and editing
"ebms.module.xml".

After restarting Apache, there was an error message when Hermes tried to
sign the message, about "Cannot get certificate path".

I tried to solve this error by using keytool to add the certificate into
the TrustStore (JKS),
but it still does not work.

Here are the errors in ebms.log ... (I removed some parts of them to keep it
shorter)
=================================================================
<cecid.ebms.spa> <Outbound payload received - cpaId: cpaid, service:
https://ebms.101.com:8443/corvus/httpd/ebms/inbound, serviceType:null,
action: action, convId: convId, fromPartyId: fromPartyId,
fromPartyType: fromPartyType, toPartyId: toPartyId, toPartyType:
toPartyType, refToMessageId: null>
<cecid.ebms.spa> <Genereating message id:
20091127-1...@10.20.24.101>
<INFO > <cecid.ebms.spa> <Store outgoing message:
20091127-1...@10.20.24.101>
<INFO > <cecid.ebms.spa> <Outbound payload processed - cpaId: cpaid,
service: https://ebms.101.com:8443/corvus/httpd/ebms/inbound, action:
action, convId: convId, fromPartyId: fromPartyId, fromPartyType:
fromPartyType, toPartyId: toPartyId, toPartyType: toPartyType,
refToMessageId: null>
<INFO > <cecid.ebms.spa> <Sign the message:
20091127-1...@10.20.24.101>
<DEBUG> <pkg.pki.ApacheXMLDSigner> <setEnvelope, using algorithm: rsa-
sha1>
<DEBUG> <pkg.pki.ApacheXMLDSigner> <addDocument URI: cid:Payload-0,
contentType: application/octream>
<DEBUG> <pkg.pki.ApacheXMLDSigner> <start signing>
<DEBUG> <pkg.pki.ApacheXMLDSigner> <got private key from keystore>
<DEBUG> <pkg.pki.ApacheXMLDSigner> <created DocumentResolver>
<DEBUG> <pkg.pki.ApacheXMLDSigner> <created Transform>
<DEBUG> <pkg.pki.ApacheXMLDSigner> <added main document (envelope)>
<DEBUG> <pkg.pki.ApacheXMLDSigner> <added 1 attachment documents>
<WARN > <pkg.pki.ApacheXMLDSigner> <Cannot get certificate path:
shop101>
<ERROR> <cecid.ebms.spa> <Cannot get the sign the message: >
hk.hku.cecid.ebms.spa.task.MessageValidationException: Cannot sign the
ebxml message
by hk.hku.cecid.ebms.pkg.SignatureException: [10204] Cannot sign
message
Exception: hk.hku.cecid.ebms.pkg.pki.SignException
Message: Cannot get certificate path: shop101
Try to retreive key alias[shop101] from keystore[C:\Certificates
\shop101.p12]
by hk.hku.cecid.ebms.pkg.pki.SignException: Cannot get certificate
path: shop101
at hk.hku.cecid.ebms.spa.task.OutboxTask.checkAndSignEbxmlMessage
(OutboxTask.java:552)
at hk.hku.cecid.ebms.spa.task.OutboxTask.execute(OutboxTask.java:356)
at hk.hku.cecid.piazza.commons.module.ActiveThread.run
(ActiveThread.java:90)
at java.lang.Thread.run(Unknown Source)
================================================================

Thank you ^^

Kit

Nov 27, 2009, 5:43:56 AM
to Hermes 2.0 Discussion List
Hi Keith,

Maybe we can reduce the problem scope.
Have you tried sending the message over HTTP/SIGNED?
The keystore for signing messages should have nothing to do with the
truststore.

The truststore is for client authentication in HTTPS. That means if you
need to send a message with a transport endpoint URL in HTTPS, then you need
to play with the truststore.

Regards,
Kit Yuen, Software Engineer
Apacus Software - Innovate, Simplify

Email: kit....@apacus.com
Site: http://www.apacus.com
> 20091127-115252-38...@10.20.24.101>
> <INFO > <cecid.ebms.spa> <Store outgoing message:
> 20091127-115252-38...@10.20.24.101>
> <INFO > <cecid.ebms.spa> <Outbound payload processed - cpaId: cpaid,
> service:https://ebms.101.com:8443/corvus/httpd/ebms/inbound, action:
> action, convId: convId, fromPartyId: fromPartyId, fromPartyType:
> fromPartyType, toPartyId: toPartyId, toPartyType: toPartyType,
> refToMessageId: null>
> <INFO > <cecid.ebms.spa> <Sign the message:
> 20091127-115252-38...@10.20.24.101>

Keith

Nov 27, 2009, 8:08:18 AM
to Hermes 2.0 Discussion List
@Kit

Yes, I can successfully send messages by HTTP/Signed & HTTPS/Signed
with the corvus.p12 key that came with Hermes.

The problem occurs when I try to replace corvus.p12 with my own .p12
key that was generated with the keytool utility.

And there are many different properties when I looked into the key
properties:
- version: corvus.p12 is version 3, but mine is version 1
- certification path value: corvus.p12 has "corvus", but mine is
"CN=xxxxxxxx"
- Friendly name: I'm not sure whether this attribute is the "Key-alias" or not

Maybe my key is not suitable for use in Hermes?
I will try other keys tonight ^^

Regards,
Keith

Kit

Nov 27, 2009, 8:35:13 AM
to Hermes 2.0 Discussion List
Hi Keith,

So you mean you can send the message with your own keystore and cert through
HTTP/Signed & HTTPS/Signed?

Regards,
Kit Yuen, Software Engineer
Apacus Software - Innovate, Simplify

Email: kit....@apacus.com
Site: http://www.apacus.com

Keith

Nov 27, 2009, 9:31:22 AM
to Hermes 2.0 Discussion List
@Kit

Sorry for making you confused.

With corvus.p12 I can send a signed message over HTTP/HTTPS.

But it always fails when I sign with my own key.

Keith

Nov 27, 2009, 1:28:43 PM
to Hermes 2.0 Discussion List
YESSS!!!

I solved my problem; everything works flawlessly right now.
I will move on to the Hermes <-> Axway communication test soon.

It's all about a keystore file problem. I'll add more info for this case
tomorrow.

Thank you for your help ^^

Regards,
Keith

Steve Chan

Nov 30, 2009, 9:50:24 AM
to Hermes 2.0 Discussion List
Keith,

Happy to know your problem was resolved, but may I know a little more
about the details?
And just being curious, how's your test with Axway?

Regards,
Steve

Keith

Dec 2, 2009, 10:22:34 AM
to Hermes 2.0 Discussion List
@ Steve,

Sorry, I didn't get back to update this thread for a while. Here is
some info that I would like to share ...

1. There is something mysterious (at least for me) about keystore files that
are compatible with Hermes.
It's all about the "key-alias".

While testing, certificates exported from Microsoft Windows always
got a key-alias in
{xxxxx-xxxxx-xxxxxx-xxxx} format; yes, it is a very long alias. And when
I tried to use that alias with Hermes,
EBMS.log showed some errors, the same errors as when I specified an alias
that doesn't exist in the keystore file.

So I guess my key alias was too long and not compatible with Hermes.
However, after I used the keytool utility to rename the alias, Hermes just
works as it should.

*** I'm not sure about the key-alias standard format, maximum alias name
length or other restrictions.
Maybe someone could explain this stuff better than me ^^

2. There are some configuration steps that need to be done when your
certificate is not self-signed,
for example a certificate issued by a real CA.

For this case, there are 2 kinds of certificate:
#1. Self-issued certificate, where the Issuer (CA) and Owner (Subject) are
the same organization;
corvus.p12, which is pre-installed with Hermes, is a self-signed
certificate.
#2. CA-issued certificate (commercial cert.), where Issuer and Owner are not
the same,
e.g. a certificate issued by Verisign.

As I said in previous posts, I can sign messages with corvus.p12
without problem,
because corvus.p12 is a self-issued keystore. Hermes has no need to look up
the certificate chain and insert
the CA's public certificate into the message. So there is only the signature
and ONE X.509 certificate
attached to your message.

But when your keystore file is of the CA-issued type (Verisign, Thawte,
GeoTrust, ...),
Hermes needs to attach your signature + your X.509 certificate AND the
issuer's X.509 certificate to the message.
Yes, there are 2 X.509 certificates added to a single message.

I'm not sure where Hermes will look for the "certificate chain": keystore,
truststore or elsewhere.
But if Hermes cannot find the CA certificate, the signing process is canceled.

Honestly, I cannot reproduce the working environment with a new CA-issued
keystore file.
I tried everything I could remember; it just does not work as I
thought ... maybe human error ...XD
Btw, if you guys really want to sign messages, I suggest using
corvus.p12 or a self-issued certificate.


3. For Hermes-Axway interop, I can successfully send messages over
HTTP right now,
so I think I can jump to HTTPS communication within this week.

I'm waiting for another team (the Axway team) to send me back an updated
Collaboration Protocol Profile (CPP).

Hope this helps,
Keith.

cheggers

Dec 8, 2009, 8:29:56 AM
to Hermes 2.0 Discussion List

> While testing, certificate that exported from Microsoft Windows always
> got key-alias in
> {xxxxx-xxxxx-xxxxxx-xxxx} format, yes it is very long alias. And when
> I tried to use that alias with Hermes.
> EBMS.log show some errors, this error same as when I specified alias
> that doesn't exist in keystore file.
>
> So, I guess my key alias was too long and not compatible with Hermes,
> However, after I use keytool utility to rename alias, Hermes just
> works as it should.

Hi Keith,

I had a similar problem. When I viewed the keystore using the keytool
command line tool, it gave me the alias in the {xxxxx-xxxxx-xxxxxx-
xxxx} format.

However, it gave it in lowercase. Hermes could not find the alias. I
then used keytool on another machine and it gave the same alias;
however, this time it was in uppercase. I changed this in the Hermes
config and it all started working. So there may be a bug in one of the
versions of the Java keytool where it shows the alias in the wrong case?

Thanks

Kit

Dec 10, 2009, 10:52:30 PM
to Hermes 2.0 Discussion List
Hi Keith and Gavin,

I would like to know how to export a certificate from Microsoft
Windows.
So you got a keystore and you want to export the cert from one of the
aliases in that keystore?
Is that keystore created by yourself, or did you get it from a CA?

Thanks.

Regards,
Kit Yuen, Software Engineer
Apacus Software - Innovate, Simplify

Email: kit....@apacus.com
Site: http://www.apacus.com


Keith

Jan 4, 2010, 12:17:45 AM
to Hermes 2.0 Discussion List
@ Kit

I'm so sorry, I only just saw your message here.

To export a certificate from Microsoft Windows,
you have to install your certificates into Windows first
(by double-clicking the certificate file, .CER, .P12 or whatever,
and then following the wizard).

After your certificate is installed into Windows,
you can see it by:

- opening Internet Explorer (there are other ways to do it, but this way is
easier)
- going to Internet Options
- selecting the Content tab
- clicking on the Certificates button

Then you'll see your certificates there.
If you want to export, you can just click on the Export button
and follow the wizard.

- Keith

Kit

Jan 4, 2010, 2:57:23 AM
to Hermes 2.0 Discussion List
Hi Keith,

1. I used openssl to generate a keystore and then tried to regenerate the
cert file through Windows, but I cannot repeat your problem.
Actually, where do you get the keystore file? Did you generate it yourself
or get it from a CA? And is it a PKCS12 keystore?


2. Refer to the following statement:
*********************************************


While testing, certificate that exported from Microsoft Windows always
got key-alias in {xxxxx-xxxxx-xxxxxx-xxxx} format, yes it is very long
alias. And when I tried to use that alias with Hermes. EBMS.log show
some errors, this error same as when I specified alias that doesn't
exist in keystore file.

*********************************************

Actually the key alias is set in the keystore file. You got the key-alias
in {xxxxx-xxxxx-xxxxxx-xxxx} format because this is what is stored in the
keystore. You can use "keytool -list -keystore <xxx.p12> -storetype
PKCS12" to check the name of the key-alias in the keystore.

But I am not sure how come the problem is fixed after you have changed
the key alias to a shorter name...
So I guess you are not using a self-generated keystore, right?

Keith

Feb 23, 2010, 5:53:33 AM
to Hermes 2.0 Discussion List
Hi Kit,

I got my certificate problem solved.
I was using keytool to create the keystore file;
that's why the certificate chain information was missing,
so Hermes could not attach the certificate chain to the message.

But when I generated a new keystore file using OpenSSL, it just worked.
So I think OpenSSL is better for use with Hermes.

My Hermes & Axway message interchange project is nearly complete;
it will be based on ebMS over HTTPS/SIGN.

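The two findings of this thread, Keith's point 2 (a CA-issued signer needs the issuer certificate available, otherwise signing stops at "Cannot get certificate path") and his final note that a keystore built with OpenSSL carried the chain while his keytool-built one did not, can be checked directly on any .p12 file. The script below is an added example written for this page; it is not code from the thread or from the Hermes project. It builds a throwaway CA and a CA-issued key pair with openssl (the CN "shop101", the alias, the password and the file names are all made up), produces one PKCS12 keystore without the issuer certificate and one with it, and then reports for each file the stored key alias (the PKCS12 friendlyName) and how many certificates it contains. The same check with the JDK tool is `keytool -list -v -keystore file.p12 -storetype PKCS12`, whose "Certificate chain length" line should read 2 or more for a CA-issued key.

```shell
#!/bin/sh
# Added example (not from the thread or from Hermes): build two PKCS12
# keystores with openssl, one lacking the issuer certificate and one carrying
# it, then inspect the key alias and the number of certificates in each.
# All names, the CN "shop101" and the password below are constructed for the demo.
set -eu

WORK=$(mktemp -d)
trap 'rm -rf "$WORK"' EXIT
PASS=demo-secret   # constructed demo password, never reuse a real one here

# make_demo_keystores DIR: creates a throwaway CA, a CA-issued leaf key pair and
# two keystores: DIR/nochain.p12 (leaf cert only) and DIR/chain.p12 (leaf + CA).
make_demo_keystores() {
    dir=$1
    # Throwaway CA: self-issued, so issuer == subject, like corvus.p12 in the thread.
    openssl req -x509 -newkey rsa:2048 -nodes -days 1 \
        -subj "/CN=Demo Issuing CA" -keyout "$dir/ca.key" -out "$dir/ca.crt" 2>/dev/null
    # CA-issued leaf: issuer != subject, so a signer must also embed the CA cert.
    openssl req -new -newkey rsa:2048 -nodes \
        -subj "/CN=shop101" -keyout "$dir/leaf.key" -out "$dir/leaf.csr" 2>/dev/null
    openssl x509 -req -days 1 -in "$dir/leaf.csr" \
        -CA "$dir/ca.crt" -CAkey "$dir/ca.key" -CAcreateserial \
        -out "$dir/leaf.crt" 2>/dev/null
    # Keystore without the chain: only the leaf certificate travels with the key.
    openssl pkcs12 -export -name shop101 -passout "pass:$PASS" \
        -inkey "$dir/leaf.key" -in "$dir/leaf.crt" -out "$dir/nochain.p12"
    # Keystore with the chain: -certfile adds the issuer certificate to the bag.
    openssl pkcs12 -export -name shop101 -passout "pass:$PASS" \
        -inkey "$dir/leaf.key" -in "$dir/leaf.crt" -certfile "$dir/ca.crt" \
        -out "$dir/chain.p12"
}

# count_certs FILE: number of X.509 certificates stored in the PKCS12 file.
count_certs() {
    openssl pkcs12 -in "$1" -passin "pass:$PASS" -nokeys 2>/dev/null \
        | grep -c 'BEGIN CERTIFICATE'
}

# key_alias FILE: the friendlyName attached to the private-key bag, which is the
# alias a Java application asks the keystore for (case exactly as stored).
key_alias() {
    openssl pkcs12 -in "$1" -passin "pass:$PASS" -nocerts -nodes 2>/dev/null \
        | sed -n 's/^ *friendlyName: //p' | head -n 1
}

# chain_ok FILE: succeeds when the keystore holds more than the leaf certificate,
# i.e. the issuer is present and a signer can embed the full chain.
chain_ok() {
    [ "$(count_certs "$1")" -ge 2 ]
}

make_demo_keystores "$WORK"
for ks in nochain.p12 chain.p12; do
    printf '%s: alias=%s certs=%s chain=%s\n' "$ks" "$(key_alias "$WORK/$ks")" \
        "$(count_certs "$WORK/$ks")" \
        "$(chain_ok "$WORK/$ks" && echo present || echo MISSING)"
done
```

Run against a real keystore, `key_alias` prints the alias exactly as stored, which is the string to put in the signing configuration (the thread mentions ebms.module.xml), and `chain_ok` fails on a file that only holds the leaf certificate, the situation Keith describes for his keytool-built keystore. A self-issued key like corvus.p12 legitimately reports one certificate, since issuer and subject are the same entity.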
