Error installing 3.5.0 agent on tomcat server


Error installing 3.5.0 agent on tomcat server

Francisco Rodriguez Corredor
Hi all,

    I'm trying to install a 3.5.0 agent on Tomcat V7, but when the installer asks for the OpenAM URL and I enter it, I get the following error in the log:
[09/01/2016 11:57:12:709 CEST] ValidateURL.isServerUrlValid threw exception :
javax.net.ssl.SSLHandshakeException: java.security.cert.CertificateException: No subject alternative DNS name matching ssoweb.pre.juntadeandalucia.es found.
    at com.sun.net.ssl.internal.ssl.Alerts.getSSLException(Alerts.java:174)
    at com.sun.net.ssl.internal.ssl.SSLSocketImpl.fatal(SSLSocketImpl.java:1747)
    at com.sun.net.ssl.internal.ssl.Handshaker.fatalSE(Handshaker.java:241)
    at com.sun.net.ssl.internal.ssl.Handshaker.fatalSE(Handshaker.java:235)
    at com.sun.net.ssl.internal.ssl.ClientHandshaker.serverCertificate(ClientHandshaker.java:1209)
    at com.sun.net.ssl.internal.ssl.ClientHandshaker.processMessage(ClientHandshaker.java:135)
    at com.sun.net.ssl.internal.ssl.Handshaker.processLoop(Handshaker.java:593)
    at com.sun.net.ssl.internal.ssl.Handshaker.process_record(Handshaker.java:529)
    at com.sun.net.ssl.internal.ssl.SSLSocketImpl.readRecord(SSLSocketImpl.java:943)
    at com.sun.net.ssl.internal.ssl.SSLSocketImpl.performInitialHandshake(SSLSocketImpl.java:1188)
    at com.sun.net.ssl.internal.ssl.SSLSocketImpl.startHandshake(SSLSocketImpl.java:1215)
    at com.sun.net.ssl.internal.ssl.SSLSocketImpl.startHandshake(SSLSocketImpl.java:1199)
    at sun.net.www.protocol.https.HttpsClient.afterConnect(HttpsClient.java:434)
    at sun.net.www.protocol.https.AbstractDelegateHttpsURLConnection.connect(AbstractDelegateHttpsURLConnection.java:166)
    at sun.net.www.protocol.https.HttpsURLConnectionImpl.connect(HttpsURLConnectionImpl.java:133)
    at com.sun.identity.install.tools.configurator.ValidateURL.isServerURLValidInternal(ValidateURL.java:103)
    at com.sun.identity.install.tools.configurator.ValidateURL.access$000(ValidateURL.java:44)
    at com.sun.identity.install.tools.configurator.ValidateURL$URLValidatorProxy.run(ValidateURL.java:350)
    at java.lang.Thread.run(Thread.java:662)
Caused by: java.security.cert.CertificateException: No subject alternative DNS name matching ssoweb.pre.juntadeandalucia.es found.
    at sun.security.util.HostnameChecker.matchDNS(HostnameChecker.java:193)
    at sun.security.util.HostnameChecker.match(HostnameChecker.java:77)
    at com.sun.net.ssl.internal.ssl.X509TrustManagerImpl.checkIdentity(X509TrustManagerImpl.java:264)
    at com.sun.net.ssl.internal.ssl.X509TrustManagerImpl.checkServerTrusted(X509TrustManagerImpl.java:250)
    at com.sun.net.ssl.internal.ssl.ClientHandshaker.serverCertificate(ClientHandshaker.java:1188)
    ... 14 more
[09/01/2016 11:57:12:721 CEST] If OpenAM server is SSL enabled and the root CA certificate for the OpenAM server certificate has been not imported into installer JVMs key store(see installer-logs/debug/Agent.log for detailed exception), import the root CA certificate and restart the installer; or continue installation without verifying OpenAM server URL.
[09/01/2016 11:57:12:721 CEST] InstallInteraction.processData: If OpenAM server is SSL enabled and the root CA certificate for the OpenAM server certificate has been not imported into installer JVMs key store(see installer-logs/debug/Agent.log for detailed exception), import the root CA certificate and restart the installer; or continue installation without verifying OpenAM server URL.


    The certificate is already installed in the JVM's cacerts, so I don't know why it fails. The URL of OpenAM is https://ssoweb.pre.juntadeandalucia.es and it uses a wildcard certificate with the common-name *.juntadeandalucia.es. Any idea?


-- 

Francisco Rodríguez Corredor
Dept. Sistemas de Información
Área Desarrollo SSII
Ud. Proyectos de SSII Horizontales
Sociedad Andaluza para el Desarrollo de las Telecomunicaciones, S.A.
Avda. Camino de los Descubrimientos, 17
Pabellón de Francia - PCT Cartuja 
(View on Mapea: http://lajunta.es/11rmz)
41092 – Sevilla
Tf.: 671 590 066 - 690 066 
[hidden email]



_______________________________________________
Visit the OpenAM forum at https://forgerock.org/forum/fr-projects/openam/
OpenAM mailing list
[hidden email]
https://lists.forgerock.org/mailman/listinfo/openam


Re: Error installing 3.5.0 agent on tomcat server

LOW Chee Chong
On the agent server, run SSLPoke to verify that your certificate is correctly installed in the JVM.

e.g. $ java SSLPoke ssoweb.pre.juntadeandalucia.es 443


Hope this helps.

--
Chee Chong



Re: Error installing 3.5.0 agent on tomcat server

Rabel Christoph (DCCS)
In reply to this post by Francisco Rodriguez Corredor

Hi,


The error is correct. A wildcard certificate does not match subsubdomains. It matches only one level. You need to change your url or create a new certificate.

For reference https://tools.ietf.org/html/rfc2818#section-3.1


hth Christoph
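
The one-level wildcard rule from RFC 2818 section 3.1, applied to the names in this thread. This is an added example, not part of the original post and not the JDK's HostnameChecker or OpenAM code; the class and method names are hypothetical, and the second and third host/certificate pairs are constructed for comparison.

```java
import java.util.Arrays;
import java.util.List;
import java.util.Locale;

// Added illustration, not JDK or OpenAM code. Class and method names are hypothetical.
// Simplification: "*" is accepted only as the whole left-most label.
public class WildcardMatchDemo {

    // Compare a certificate DNS name with the requested host, label by label.
    static boolean matchesDnsName(String host, String certName) {
        String[] h = host.toLowerCase(Locale.ROOT).split("\\.", -1);
        String[] c = certName.toLowerCase(Locale.ROOT).split("\\.", -1);
        // "*" stands for exactly one label, so both names need the same label count.
        if (h.length != c.length) {
            return false;
        }
        for (int i = 0; i < c.length; i++) {
            if (h[i].isEmpty() || c[i].isEmpty()) {
                return false; // empty label, e.g. "a..b" or a trailing dot
            }
            boolean wildcard = (i == 0) && c[i].equals("*");
            if (!wildcard && !c[i].equals(h[i])) {
                return false;
            }
        }
        return true;
    }

    // A host is accepted if any DNS name in the certificate matches it.
    static boolean anyMatch(String host, List<String> certNames) {
        for (String name : certNames) {
            if (matchesDnsName(host, name)) {
                return true;
            }
        }
        return false;
    }

    static void report(String host, List<String> certNames) {
        System.out.println(host + " vs " + certNames + " -> "
                + (anyMatch(host, certNames) ? "match" : "NO match"));
    }

    public static void main(String[] args) {
        // Names taken from the thread: four labels against a three-label wildcard.
        report("ssoweb.pre.juntadeandalucia.es", Arrays.asList("*.juntadeandalucia.es"));
        // Constructed: a host one level below the wildcard ("change your url").
        report("ssoweb.juntadeandalucia.es", Arrays.asList("*.juntadeandalucia.es"));
        // Constructed: a re-issued certificate ("create a new certificate").
        report("ssoweb.pre.juntadeandalucia.es",
                Arrays.asList("*.pre.juntadeandalucia.es", "juntadeandalucia.es"));
    }
}
```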



Re: Error installing 3.5.0 agent on tomcat server

Francisco Rodriguez Corredor
Thanks Rabel, and isn't it possible to disable this validation?
This is a test environment.
Thanks in advance

On 01/09/16 13:11, Rabel Christoph (DCCS) wrote:

Hi,


The error is correct. A wildcard certificate does not match subsubdomains. It matches only one level. You need to change your url or create a new certificate.

For reference https://tools.ietf.org/html/rfc2818#section-3.1


hth Christoph

