Using self-signed certificates...


Tom Gee

Feb 11, 2010, 1:08:36 PM
to xnat_discussion
Hi all.

I've been trying to secure our XNAT installation with a self-signed
certificate (as you do with Central).

The main screens were working fine, but when I uploaded some image
data, the transfer pipeline failed and reported errors in establishing
a secure connection.

Is that problem likely related to the fact that the cert was self-
signed? How do you get around this problem in Central?

(I'm sorry for the lack of error messages ... I've misplaced those
logs. But I'm configuring a test system and will try to reproduce the
error with proper logging.)

Thanks for any help!
Tom
---

Tom Gee

Feb 11, 2010, 1:56:19 PM
to xnat_discussion
Ok, I've rerun the upload on the test site.

In application.log was the error:

2010-02-11 13:49:37,801 [Thread-15] ERROR
org.nrg.pipeline.ProcessLauncher - Couldnt launch /usr/local/xnat/
xnat1.4rc3-spred3/pipeline/bin/XnatPipelineLauncher -pipeline
xnat_tools/Transfer.xml -id SPRED3_E00002 -label 002 -host
https://localhost:8080/spred3 -supressNotification -u admin -dataType
xnat:mrSessionData -project "RAMaster" -notify tgee@rotman-
baycrest.on.ca -notify tg...@rotman-baycrest.on.ca -parameter tbpath='/
usr/xnat/spred3/cachearchive/RAMaster/Thumbnail/' -parameter
cachepath='/usr/xnat/spred3/cachearchive/RAMaster/transfer_bk/
20100211_134910/001' -parameter xnat_project='RAMaster' -parameter
userfullname='A.Admin' -parameter cpath='/usr/xnat/spred3/
cachearchive/RAMaster/' -parameter useremail='tgee@rotman-
baycrest.on.ca' -parameter mailhost='rotman-baycrest.on.ca' -
parameter session='SPRED3_E00002' -parameter sourceDir='/usr/xnat/
spred3/prearchive/RAMaster/20100211_134910/001' -parameter
xnatserver='SPRED3' -parameter destinationDir='/usr/xnat/spred3/
archive/RAMaster/arc001/002/' -parameter createQc='1' -parameter
sessionType='xnat:mrSessionData' -parameter adminemail='tgee@rotman-
baycrest.on.ca' -parameter sessionLabel='002' -pwd 'cfokl'

When I ran the command from the command line as root, the output up to
the first error is:

Param Value Pair host=https://localhost:8080/spred3/
Param Value Pair u=admin
Param Value Pair tbpath=/usr/xnat/spred3/cachearchive/RAMaster/
Thumbnail/
Param Value Pair cachepath=/usr/xnat/spred3/cachearchive/RAMaster/
transfer_bk/20100211_134910/001
Param Value Pair xnat_project=RAMaster
Param Value Pair userfullname=A.Admin
Param Value Pair cpath=/usr/xnat/spred3/cachearchive/RAMaster/
Param Value Pair useremail=tg...@rotman-baycrest.on.ca
Param Value Pair mailhost=rotman-baycrest.on.ca
Param Value Pair session=SPRED3_E00002
Param Value Pair sourceDir=/usr/xnat/spred3/prearchive/RAMaster/
20100211_134910/001
Param Value Pair xnatserver=SPRED3
Param Value Pair destinationDir=/usr/xnat/spred3/archive/RAMaster/
arc001/002/
Param Value Pair createQc=1
Param Value Pair sessionType=xnat:mrSessionData
Param Value Pair adminemail=tg...@rotman-baycrest.on.ca
Param Value Pair sessionLabel=002
Param Value Pair pwd=********
Logging to File /usr/local/xnat/xnat1.4rc3-spred3/pipeline/logs/
pipeline_2010_02_11_13_51_40.log
AxisFault
faultCode: {http://schemas.xmlsoap.org/soap/envelope/}
Server.userException
faultSubcode:
faultString: javax.net.ssl.SSLHandshakeException:
sun.security.validator.ValidatorException: PKIX path building failed:
sun.security.provider.certpath.SunCertPathBuilderException: unable to
find valid certification path to requested target
faultActor:
faultNode:
faultDetail:
{http://xml.apache.org/axis/}
stackTrace:javax.net.ssl.SSLHandshakeException:
sun.security.validator.ValidatorException: PKIX path building failed:
sun.security.provider.certpath.SunCertPathBuilderException: unable to
find valid certification path to requested target
at sun.security.ssl.Alerts.getSSLException(Alerts.java:192)
at sun.security.ssl.SSLSocketImpl.fatal(SSLSocketImpl.java:1627)
at sun.security.ssl.Handshaker.fatalSE(Handshaker.java:204)

The error "unable to find valid certification path" is what made me
wonder about using a self-signed certificate.

The more I look at this, the less it appears to be an XNAT problem
than simply a problem using Tomcat with self-signed certs. I'll
pursue the latter, but if anyone has any hints, I would gratefully
receive them. :-)

Thanks!
Tom
---

Tom Gee

Feb 11, 2010, 2:31:13 PM
to xnat_discussion
Ok, next step.

I got around the "unable to find valid certification path" issue.
That problem arose because the certificate was not signed by a
recognized authority. The way around it is to import the certificate
itself into your host's JDK "cacerts" file, a store of recognized and
acceptable keys.

The instructions may be found here:
http://www.java-samples.com/showtutorial.php?tutorialid=210

However, a new problem has arisen later in the pipeline processing.
When the tool "WebBasedQCImageCreator" runs, it fails with a SAX
error.

The command was:

/usr/local/xnat/xnat1.4rc3-spred3/pipeline/image-tools/bin/
WebBasedQCImageCreator -session 004 -project RAMaster -xnatId
SPRED3_E00003 -host https://localhost:8080/spred3/ -u admin -pwd cfokl
-raw

And the output was:
log4j:WARN No appenders could be found for logger
(org.apache.axis.i18n.ProjectResourceBundle).
log4j:WARN Please initialize the log4j system properly.
Feb 11, 2010 2:25:42 PM com.noelios.restlet.Engine createHelper
WARNING: No available client connector supports the required
protocols: 'HTTPS' . Please add the JAR of a matching connector to
your classpath.
org.xml.sax.SAXParseException: Premature end of file.
at org.apache.xerces.parsers.AbstractSAXParser.parse(Unknown Source)
at javax.xml.parsers.SAXParser.parse(SAXParser.java:392)
at javax.xml.parsers.SAXParser.parse(SAXParser.java:195)
at org.nrg.xdat.bean.reader.XDATXMLReader.parse(XDATXMLReader.java:
997)
at
org.nrg.plexiViewer.converter.WebBasedQCImageCreator.createQCImages(WebBasedQCImageCreator.java:
135)
at
org.nrg.plexiViewer.converter.WebBasedQCImageCreator.main(WebBasedQCImageCreator.java:
521)


Any ideas?
Tom
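
The import step described in the message above, as an added example that is not part of the original thread: it exports the server's certificate from the keystore Tomcat uses, compares its SHA-256 fingerprint with a value read on the server, and only then imports it as a trusted entry. The keystore paths, aliases and passwords are assumptions; the store argument can be the JDK `cacerts` file or, as a generalization, a dedicated truststore.

```shell
#!/bin/sh
# Added example. Paths, aliases and passwords are assumptions, not values
# taken from the thread.

# Export the server's certificate (public part only) from the keystore
# Tomcat serves HTTPS from.
# $1 keystore, $2 keystore password, $3 alias, $4 output PEM file.
export_server_cert() {
    keytool -exportcert -rfc -keystore "$1" -storepass "$2" -alias "$3" -file "$4"
}

# SHA-256 fingerprint of a certificate file, as printed by keytool.
cert_fingerprint() {
    keytool -printcert -file "$1" | sed -n 's/^[[:space:]]*SHA256: *//p'
}

# Import certificate $1 into truststore $2 (password $3) under alias $4,
# but only when its fingerprint equals $5, the value read on the server.
# A mismatch means the file is not the certificate you intended to trust.
import_pinned_cert() {
    actual=$(cert_fingerprint "$1")
    if [ -z "$actual" ] || [ "$actual" != "$5" ]; then
        echo "fingerprint mismatch for $1, not importing" >&2
        return 1
    fi
    keytool -importcert -noprompt -file "$1" -keystore "$2" -storepass "$3" -alias "$4"
}

# Succeeds when alias $3 is a trusted certificate entry in truststore $1
# (password $2).
is_trusted() {
    keytool -list -keystore "$1" -storepass "$2" -alias "$3" 2>/dev/null |
        grep -q trustedCertEntry
}
```

A JVM is pointed at a dedicated truststore with the standard `-Djavax.net.ssl.trustStore` and `-Djavax.net.ssl.trustStorePassword` system properties; passing the JDK's own `cacerts` path as the store reproduces the approach in the message.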

Mohana Ramaratnam

Feb 12, 2010, 11:12:36 AM
to xnat_di...@googlegroups.com
A fix has been made to enable Snapshots to be generated when XNAT sites use the HTTPS protocol. Please update the pipeline engine setup.

The engine folder structure has been modified to facilitate launching setup multiple times.

Mohana