
Diagnosing CONNECT failures (9318) and (9407).

Information

 
Article Number: 000093585
Environment:
Product: OpenEdge
Version: 11.7.x
OS: Windows
Other: Progress Application Server for OpenEdge (PAS for OpenEdge), SSL/TLS
Question/Problem Description
An application is being tested to run under a PAS for OpenEdge instance. When the following simple code is executed, two error windows pop up issuing the following errors:
Secure Socket Layer (SSL) failure. error code <err_number>:  <ssl_error_message> (9318)
Connection failure for host <host_name> port <port> transport <transport_name>. (9407)
The error code associated with the 9318 error is 10060.
 
DEFINE VARIABLE hSocket AS HANDLE NO-UNDO.
CREATE SOCKET hSocket.
hSocket:CONNECT('-H 172.29.16.80 -S 9011 -ssl -nohostverify ').
IF hSocket:CONNECTED() = FALSE THEN
DO:
    MESSAGE "Unable to connect" VIEW-AS ALERT-BOX.
    RETURN.
END.
ELSE
DO:
    MESSAGE "Connected" VIEW-AS ALERT-BOX.
    hSocket:DISCONNECT() NO-ERROR.
    DELETE OBJECT hSocket.
END.


 
Steps to Reproduce
Clarifying Information
Connections using http (not using TLS) successfully connect.
All certificates have been installed correctly.
The tomcat-keystore.p12 file has been updated with the new keys.
File catalina.properties has been updated with the correct alias and password.

catalina.<date>.log in the PAS instance's logs directory contains the following:

27-Dec-2018 09:24:28.906 SEVERE [main] org.apache.catalina.core.StandardService.initInternal Failed to initialize connector [Connector[HTTP/1.1-8811]]
 org.apache.catalina.LifecycleException: Failed to initialize component [Connector[HTTP/1.1-8811]]
    at org.apache.catalina.util.LifecycleBase.init(LifecycleBase.java:112)
    at org.apache.catalina.core.StandardService.initInternal(StandardService.java:549)
    at org.apache.catalina.util.LifecycleBase.init(LifecycleBase.java:107)
    at org.apache.catalina.core.StandardServer.initInternal(StandardServer.java:875)
    at org.apache.catalina.util.LifecycleBase.init(LifecycleBase.java:107)
    at org.apache.catalina.startup.Catalina.load(Catalina.java:632)
    at org.apache.catalina.startup.Catalina.load(Catalina.java:655)
    at sun.reflect.NativeMethodAccessorImpl.invoke0(Native Method)
    at sun.reflect.NativeMethodAccessorImpl.invoke(NativeMethodAccessorImpl.java:62)
    at sun.reflect.DelegatingMethodAccessorImpl.invoke(DelegatingMethodAccessorImpl.java:43)
    at java.lang.reflect.Method.invoke(Method.java:498)
    at org.apache.catalina.startup.Bootstrap.load(Bootstrap.java:309)
    at org.apache.catalina.startup.Bootstrap.main(Bootstrap.java:492)
Caused by: org.apache.catalina.LifecycleException: Protocol handler initialization failed
    at org.apache.catalina.connector.Connector.initInternal(Connector.java:995)
    at org.apache.catalina.util.LifecycleBase.init(LifecycleBase.java:107)
    ... 12 more
Caused by: java.lang.IllegalArgumentException: Alias name [demoSSLnew] does not identify a key entry
    at org.apache.tomcat.util.net.AbstractJsseEndpoint.createSSLContext(AbstractJsseEndpoint.java:116)
    at org.apache.tomcat.util.net.AbstractJsseEndpoint.initialiseSsl(AbstractJsseEndpoint.java:87)
    at org.apache.tomcat.util.net.NioEndpoint.bind(NioEndpoint.java:225)
    at org.apache.tomcat.util.net.AbstractEndpoint.init(AbstractEndpoint.java:1086)
    at org.apache.tomcat.util.net.AbstractJsseEndpoint.init(AbstractJsseEndpoint.java:268)
    at org.apache.coyote.AbstractProtocol.init(AbstractProtocol.java:581)
    at org.apache.coyote.http11.AbstractHttp11Protocol.init(AbstractHttp11Protocol.java:68)
    at org.apache.catalina.connector.Connector.initInternal(Connector.java:993)
    ... 13 more
Caused by: java.io.IOException: Alias name [demoSSLnew] does not identify a key entry
    at org.apache.tomcat.util.net.jsse.JSSEUtil.getKeyManagers(JSSEUtil.java:229)
    at org.apache.tomcat.util.net.AbstractJsseEndpoint.createSSLContext(AbstractJsseEndpoint.java:114)
    ... 20 more


From the partial log file above, the most illustrative entry is the following:
Caused by: java.lang.IllegalArgumentException: Alias name [demoSSLnew] does not identify a key entry

The java keytool -list command provided the following information:

C:\DLCWORK\oepas1\conf>c:\dlc\jdk\bin\keytool.exe -v -list -keystore tomcat-keystore.p12
Enter keystore password:

Keystore type: JKS
Keystore provider: SUN

Your keystore contains 1 entry

Alias name: 1
Creation date: Dec 27, 2018
Entry type: PrivateKeyEntry
Certificate chain length: 1
Certificate[1]:
Owner: CN=WIN764.bedford.progress.com, OU=Technical Support, O=Progress Software, ST=Massachusetts, C=US
Issuer: CN=WIN764.bedford.progress.com, OU=Technical Support, O=Progress Software, L=Bedford, ST=Massachusetts, C=US
Serial number: 1
Valid from: Thu Dec 27 08:37:06 EST 2018 until: Fri Dec 27 08:37:06 EST 2019
Certificate fingerprints:
         MD5:  3F:10:C6:16:19:92:B7:95:41:0F:85:4C:48:A9:67:05
         SHA1: 76:47:C4:11:50:EC:A6:F4:B6:B0:5E:D8:01:93:96:69:9D:0B:DC:8D
         SHA256: 7D:82:ED:26:66:2E:1E:0C:E0:DA:32:AC:54:2C:E5:0F:EC:22:F1:95:DD:9C:CB:1F:F0:1C:A3:B1:8F:F8:C5:7B
         Signature algorithm name: SHA256withRSA
         Version: 3

Extensions:

#1: ObjectId: 2.5.29.19 Criticality=true
BasicConstraints:[
  CA:false
  PathLen: undefined
]


Notice above that the keystore entry contains an alias name of 1.

The area of the catalina.properties file that defines certificate and keystore information contained the following:

# JSSE keystore used by server.xml for its server key & certificates
psc.as.https.keypass=jzwjzwjzw
psc.as.https.keyalias=demoSSLnew
psc.as.https.storeType=PKCS12

# JSSE certificate store used by server.xml for validating client certificates
psc.as.https.trustpass=password
psc.as.https.trustType=JKS 


A network trace of an HTTPS connection attempt looked like the following:

(Screenshot: Wireshark capture of an unsuccessful connection attempt.)

Notice that the client sent a Client Hello message. The PAS instance acknowledged the Client Hello message but did not continue with the full handshake exchange.

The following command was used to place the key in the keystore:
 
C:\DLCWORK\oepas1\conf>sslc pkcs12 -export -inkey c:\dlc\keys\requests\demoSSLnew.pk1 -in c:\dlc\keys\demoSSLnew.pem -out tomcat-keystore.p12
Enter pass phrase for c:\dlc\keys\requests\demoSSLnew.pk1:
Enter Export Password:
Verifying - Enter Export Password:

 
Error Message:
Secure Socket Layer (SSL) failure. error code <err_number>:  <ssl_error_message> (9318)
Connection failure for host <host_name> port <port> transport <transport_name>. (9407)
Defect/Enhancement Number
Cause
When the private key was inserted into the keystore (tomcat-keystore.p12) using the sslc pkcs12 command, the -name option was left off. As a result, the sslc pkcs12 command used the default alias name of 1 instead of the intended alias name demoSSLnew. The PAS instance took the value of psc.as.https.keyalias from catalina.properties and attempted to find an entry by that name (demoSSLnew). Since none existed, the PAS instance was unable to activate its SSL/TLS port.
Resolution
Ensure that when placing the private key into the keystore (using sslc pkcs12), the -name option is used and that the correct alias name is given as its value. That value is what the PAS instance uses to find the private key in the keystore.

The sslc pkcs12 command should look like the following:

C:\DLCWORK\oepas1\conf>sslc pkcs12 -export -inkey c:\dlc\keys\requests\demoSSLnew.pk1 -in c:\dlc\keys\demoSSLnew.pem -out tomcat-keystore.p12 -name demoSSLnew
Enter pass phrase for c:\dlc\keys\requests\demoSSLnew.pk1:
Enter Export Password:
Verifying - Enter Export Password:


Check catalina.<date>.log for errors. This type of error does not show up in <instance name>.agent.log.

Use pkiutil -v -list to get a list of certificates and their aliases.
Use c:\dlc\jdk\bin\keytool -v -list -keystore tomcat-keystore.p12 to view the aliases stored in the Tomcat keystore file.
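The following Python script is an added example; it is not part of this article or of the Progress product. It applies the two checks above without starting the instance: it parses the keystore section of catalina.properties and the text output of keytool -v -list (the sample inputs below are constructed from the listing shown in this article) and reports whether the alias in psc.as.https.keyalias names a key entry, which is the test Tomcat applies (KeyStore.isKeyEntry) when it initializes the HTTPS connector. It also flags an alias that exists but is a trustedCertEntry, because a certificate without its private key fails that same test.

```python
"""Preflight check for a PAS for OpenEdge HTTPS connector.

Added example (not Progress code). Inputs are assumed to be the text of
catalina.properties and the output of
`keytool -v -list -keystore tomcat-keystore.p12`.
"""
import re

# Constructed sample: the keystore section of catalina.properties from the article.
CATALINA_PROPERTIES = """\
# JSSE keystore used by server.xml for its server key & certificates
psc.as.https.keypass=jzwjzwjzw
psc.as.https.keyalias=demoSSLnew
psc.as.https.storeType=PKCS12
"""

# Constructed sample: abbreviated `keytool -v -list` output, as in the article.
KEYTOOL_LISTING = """\
Keystore type: JKS
Keystore provider: SUN

Your keystore contains 1 entry

Alias name: 1
Creation date: Dec 27, 2018
Entry type: PrivateKeyEntry
Certificate chain length: 1
Certificate[1]:
Owner: CN=WIN764.bedford.progress.com, OU=Technical Support, O=Progress Software, ST=Massachusetts, C=US
"""


def parse_properties(text):
    """Return key=value pairs from a Java .properties text, skipping comments."""
    props = {}
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith(("#", "!")) or "=" not in line:
            continue
        key, value = line.split("=", 1)
        props[key.strip()] = value.strip()
    return props


def parse_keytool_listing(text):
    """Return {alias: entry_type} from `keytool -v -list` output.

    Each entry is introduced by an 'Alias name:' line followed a few lines
    later by 'Entry type:' (PrivateKeyEntry, trustedCertEntry, ...)."""
    entries = {}
    alias = None
    for line in text.splitlines():
        m = re.match(r"Alias name:\s*(.+?)\s*$", line)
        if m:
            alias = m.group(1)
            continue
        m = re.match(r"Entry type:\s*(\S+)", line)
        if m and alias is not None:
            entries[alias] = m.group(1)
            alias = None
    return entries


def check_key_alias(properties_text, keytool_text):
    """Mirror Tomcat's connector check: the configured alias must be a key entry.

    Returns (ok, message)."""
    props = parse_properties(properties_text)
    alias = props.get("psc.as.https.keyalias")
    entries = parse_keytool_listing(keytool_text)
    if alias is None:
        return False, "psc.as.https.keyalias is not set in catalina.properties"
    if alias not in entries:
        return False, (f"alias [{alias}] not found in keystore; present: "
                       f"{sorted(entries)} (was -name given to sslc pkcs12?)")
    if entries[alias] != "PrivateKeyEntry":
        return False, f"alias [{alias}] is a {entries[alias]}, not a key entry"
    return True, f"alias [{alias}] identifies a key entry"


if __name__ == "__main__":
    ok, msg = check_key_alias(CATALINA_PROPERTIES, KEYTOOL_LISTING)
    print(("OK: " if ok else "FAIL: ") + msg)
```

Against the article's inputs the script reports that demoSSLnew is absent and that the only alias present is 1, which is the mismatch described under Cause. To use it on an instance, read the real catalina.properties and the saved keytool output into the two variables in place of the constructed samples.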

A successful SSL/TLS handshake and connection, as viewed in a network analyzer such as Wireshark, should look like the following:

(Screenshot: Wireshark capture of a successful key exchange.)

 
Workaround
Notes
References to other documentation:

Administration Guide: Server Security: Configuring PAS for OpenEdge for SSL/TLS:
https://documentation.progress.com/output/ua/OpenEdge_latest/index.html#page/pasoe-admin/configuring-pas-for-openedge-for-ssl-2ftls.html

Installation and Configuration: Configuration: Managing OpenEdge Key and Certificate Stores: Managing key stores for OpenEdge
servers: Using pkiutil to manage an OpenEdge key store:
https://documentation.progress.com/output/ua/OpenEdge_latest/index.html#page/gsins/using-pkiutil-to-manage-an-openedge-key-store.html

Installation and Configuration: Command and Utility Reference: Installing and managing keys and digital certificates: pkiutil:
https://documentation.progress.com/output/ua/OpenEdge_latest/index.html#page/gsins/pkiutil.html

Progress article(s):

000074259, How to configure and test a PASOE instance for secure communications?
000013338, How to create self-signed SSL certificates in OpenEdge
Attachment 
Last Modified Date: 12/28/2018 6:42 PM

