After configuring the JBoss server with SSL, the web consoles v1 and v2 are available over the HTTPS connector, but the JNLP application is not working.
Certificate configuration
There are 3 certificates available on the AAI server host.
These 3 certificates are installed in the Windows trust store:
- The client's own CA root certificate (in the certlm admin tool > Trusted Root Certification Authorities / Certificates)
- The intermediate certificate (in the certlm admin tool > Intermediate Certification Authorities / Certificates)
- The host certificate (with an additional DNS name) (in the admin tool > Personal > Certificates)
These 3 certificates are installed in the JRE 1.8.0_361 truststore:
- The root CA is stored in the "System / Secure site CA" list (Java Control Panel, Security tab)
- The intermediate certificate is stored in the "System / Secure site CA" list (Java Control Panel, Security tab) (even though I think this is not mandatory).
For the JBoss server, a keystore with the private key of the host certificate (JKS format, alias "jawsserver") has been configured as described in the AAI documentation (Securing AAI / Configuring the AAI Server for TLS Authentication).
The certificate chain is valid when using a browser on the AAI host to access the web consoles (see screenshot).
Error message when starting jaws.jnlp
The Automation Automic Intelligence (AAI) Server is currently unavailable. Please check your network connection or contact your administrator...
Stack trace from the javaws console
The downloaded JNLP is OK (`<jnlp codebase="https://aai.domain.com:8443/aai/" href="jaws.jnlp">` at the beginning of the file)...
Here is the Java Web Start console output...
```
Java Web Start 11.361.2.09
Using JRE version 1.8.0_361-b09 Java HotSpot(TM) 64-Bit Server VM
JRE expiration date: 17/05/23 00:00
console.user.home = C:\Users\user1
----------------------------------------------------
c: clear console window
f: finalize objects on finalization queue
g: garbage collect
h: display this help message
m: print memory usage
o: trigger logging
p: reload proxy configuration
q: hide console
r: reload policy configuration
s: dump system and deployment properties
t: dump thread list
v: dump thread stack
0-5: set trace level to <n>
----------------------------------------------------
JAWS client starting as JNLP app
17:59:10.810 INFO [client.main.JawsStartup] Automic Automation Intelligence version: 6.4.4 build: 6.4.4-202212010947
17:59:10.810 INFO [client.main.JawsStartup] Assertions not enabled
17:59:10.810 INFO [client.main.JawsStartup] Attempting to setup cross-process communication on port 58073
17:59:10.810 INFO [client.main.JawsStartup] Launcher parameters:
server=aai.domain.com
protocol=https
jawsServerId=AAI
port=8443
jawsServerDescription=AAI Server
17:59:12.200 INFO [jboss.ejb.client] JBoss EJB Client version 2.1.4.Final-redhat-1
17:59:12.294 INFO [org.xnio] XNIO version 3.3.6.Final-redhat-1
17:59:12.310 INFO [org.xnio.nio] XNIO NIO Implementation Version 3.3.6.Final-redhat-1
17:59:12.372 INFO [org.jboss.remoting] JBoss Remoting version 4.0.18.Final-redhat-1
17:59:12.435 WARN [client.remoting.ConfigBasedEJBClientContextSelector] Could not register a EJB receiver for connection to aai.domain.com:8443
javax.net.ssl.SSLHandshakeException: sun.security.validator.ValidatorException: PKIX path building failed: sun.security.provider.certpath.SunCertPathBuilderException: unable to find valid certification path to requested target
at sun.security.ssl.Alert.createSSLException(Unknown Source)
at sun.security.ssl.TransportContext.fatal(Unknown Source)
at sun.security.ssl.TransportContext.fatal(Unknown Source)
at sun.security.ssl.TransportContext.fatal(Unknown Source)
at sun.security.ssl.CertificateMessage$T12CertificateConsumer.checkServerCerts(Unknown Source)
at sun.security.ssl.CertificateMessage$T12CertificateConsumer.onCertificate(Unknown Source)
at sun.security.ssl.CertificateMessage$T12CertificateConsumer.consume(Unknown Source)
at sun.security.ssl.SSLHandshake.consume(Unknown Source)
at sun.security.ssl.HandshakeContext.dispatch(Unknown Source)
at sun.security.ssl.SSLEngineImpl$DelegatedTask$DelegatedAction.run(Unknown Source)
at sun.security.ssl.SSLEngineImpl$DelegatedTask$DelegatedAction.run(Unknown Source)
at java.security.AccessController.doPrivileged(Native Method)
at sun.security.ssl.SSLEngineImpl$DelegatedTask.run(Unknown Source)
at org.xnio.ssl.JsseSslConduitEngine.handleHandshake(JsseSslConduitEngine.java:543)
at org.xnio.ssl.JsseSslConduitEngine.wrap(JsseSslConduitEngine.java:314)
at org.xnio.ssl.JsseSslConduitEngine.wrap(JsseSslConduitEngine.java:204)
at org.xnio.ssl.JsseSslStreamSinkConduit.write(JsseSslStreamSinkConduit.java:98)
at org.xnio.ssl.JsseSslStreamSinkConduit.write(JsseSslStreamSinkConduit.java:72)
at org.xnio.conduits.ConduitStreamSinkChannel.write(ConduitStreamSinkChannel.java:150)
at org.xnio.http.HttpUpgrade$HttpUpgradeState$StringWriteListener.handleEvent(HttpUpgrade.java:385)
at org.xnio.http.HttpUpgrade$HttpUpgradeState$StringWriteListener.handleEvent(HttpUpgrade.java:372)
at org.xnio.ChannelListeners.invokeChannelListener(ChannelListeners.java:92)
at org.xnio.conduits.WriteReadyHandler$ChannelListenerHandler.writeReady(WriteReadyHandler.java:65)
at org.xnio.nio.NioSocketConduit.handleReady(NioSocketConduit.java:93)
at org.xnio.nio.WorkerThread.run(WorkerThread.java:559)
at ...asynchronous invocation...(Unknown Source)
at org.jboss.remoting3.EndpointImpl.doConnect(EndpointImpl.java:294)
at org.jboss.remoting3.EndpointImpl.connect(EndpointImpl.java:416)
at org.jboss.ejb.client.remoting.EndpointPool$PooledEndpoint.connect(EndpointPool.java:192)
at org.jboss.ejb.client.remoting.NetworkUtil.connect(NetworkUtil.java:153)
at org.jboss.ejb.client.remoting.NetworkUtil.connect(NetworkUtil.java:133)
at org.jboss.ejb.client.remoting.ConnectionPool.getConnection(ConnectionPool.java:78)
at org.jboss.ejb.client.remoting.RemotingConnectionManager.getConnection(RemotingConnectionManager.java:51)
at org.jboss.ejb.client.remoting.ConfigBasedEJBClientContextSelector.setupEJBReceivers(ConfigBasedEJBClientContextSelector.java:161)
at org.jboss.ejb.client.remoting.ConfigBasedEJBClientContextSelector.getCurrent(ConfigBasedEJBClientContextSelector.java:118)
at org.jboss.ejb.client.remoting.ConfigBasedEJBClientContextSelector.getCurrent(ConfigBasedEJBClientContextSelector.java:47)
at org.jboss.ejb.client.EJBClientContext.getCurrent(EJBClientContext.java:281)
at org.jboss.ejb.client.EJBClientContext.requireCurrent(EJBClientContext.java:291)
at org.jboss.ejb.client.EJBInvocationHandler.doInvoke(EJBInvocationHandler.java:178)
at org.jboss.ejb.client.EJBInvocationHandler.invoke(EJBInvocationHandler.java:146)
at com.sun.proxy.$Proxy3.getCurrentJawsLicense(Unknown Source)
at com.termalabs.client.main.JawsStartup$6.get(JawsStartup.java:1244)
at com.termalabs.client.main.JawsStartup$6.get(JawsStartup.java:1240)
at com.termalabs.client.model.ModelManagerUtil$1.processRequest(ModelManagerUtil.java:46)
at com.termalabs.client.util.request.RequestWorker$1.construct(RequestWorker.java:107)
at com.termalabs.client.util.SwingWorker$2.run(SwingWorker.java:130)
at java.lang.Thread.run(Unknown Source)
Caused by: sun.security.validator.ValidatorException: PKIX path building failed: sun.security.provider.certpath.SunCertPathBuilderException: unable to find valid certification path to requested target
at sun.security.validator.PKIXValidator.doBuild(Unknown Source)
at sun.security.validator.PKIXValidator.engineValidate(Unknown Source)
at sun.security.validator.Validator.validate(Unknown Source)
at sun.security.ssl.X509TrustManagerImpl.validate(Unknown Source)
at sun.security.ssl.X509TrustManagerImpl.checkTrusted(Unknown Source)
at sun.security.ssl.X509TrustManagerImpl.checkServerTrusted(Unknown Source)
at sun.security.ssl.CertificateMessage$T12CertificateConsumer.checkServerCerts(Unknown Source)
at sun.security.ssl.CertificateMessage$T12CertificateConsumer.onCertificate(Unknown Source)
at sun.security.ssl.CertificateMessage$T12CertificateConsumer.consume(Unknown Source)
at sun.security.ssl.SSLHandshake.consume(Unknown Source)
at sun.security.ssl.HandshakeContext.dispatch(Unknown Source)
at sun.security.ssl.SSLEngineImpl$DelegatedTask$DelegatedAction.run(Unknown Source)
at sun.security.ssl.SSLEngineImpl$DelegatedTask$DelegatedAction.run(Unknown Source)
at java.security.AccessController.doPrivileged(Native Method)
at sun.security.ssl.SSLEngineImpl$DelegatedTask.run(Unknown Source)
at org.xnio.ssl.JsseSslConduitEngine.handleHandshake(JsseSslConduitEngine.java:543)
at org.xnio.ssl.JsseSslConduitEngine.wrap(JsseSslConduitEngine.java:314)
at org.xnio.ssl.JsseSslConduitEngine.wrap(JsseSslConduitEngine.java:204)
at org.xnio.ssl.JsseSslStreamSinkConduit.write(JsseSslStreamSinkConduit.java:98)
at org.xnio.ssl.JsseSslStreamSinkConduit.write(JsseSslStreamSinkConduit.java:72)
at org.xnio.conduits.ConduitStreamSinkChannel.write(ConduitStreamSinkChannel.java:150)
at org.xnio.http.HttpUpgrade$HttpUpgradeState$StringWriteListener.handleEvent(HttpUpgrade.java:385)
at org.xnio.http.HttpUpgrade$HttpUpgradeState$StringWriteListener.handleEvent(HttpUpgrade.java:372)
at org.xnio.ChannelListeners.invokeChannelListener(ChannelListeners.java:92)
at org.xnio.conduits.WriteReadyHandler$ChannelListenerHandler.writeReady(WriteReadyHandler.java:65)
at org.xnio.nio.NioSocketConduit.handleReady(NioSocketConduit.java:93)
at org.xnio.nio.WorkerThread.run(WorkerThread.java:559)
Caused by: sun.security.provider.certpath.SunCertPathBuilderException: unable to find valid certification path to requested target
at sun.security.provider.certpath.SunCertPathBuilder.build(Unknown Source)
at sun.security.provider.certpath.SunCertPathBuilder.engineBuild(Unknown Source)
at java.security.cert.CertPathBuilder.build(Unknown Source)
... 27 more
17:59:12.466 ERROR [ui.common.RequestHandling] Error occurred in processing request: Connecting to the Automic Automation Intelligence Server.
java.lang.IllegalStateException: EJBCLIENT000025: No EJB receiver available for handling [appName:jaws, moduleName:jaws-server-ejb3, distinctName:] combination for invocation context org.jboss.ejb.client.EJBClientInvocationContext@1d07804f
at org.jboss.ejb.client.EJBClientContext.requireEJBReceiver(EJBClientContext.java:798)
at org.jboss.ejb.client.ReceiverInterceptor.handleInvocation(ReceiverInterceptor.java:128)
at org.jboss.ejb.client.EJBClientInvocationContext.sendRequest(EJBClientInvocationContext.java:186)
at org.jboss.ejb.client.EJBInvocationHandler.sendRequestWithPossibleRetries(EJBInvocationHandler.java:255)
at org.jboss.ejb.client.EJBInvocationHandler.doInvoke(EJBInvocationHandler.java:200)
at org.jboss.ejb.client.EJBInvocationHandler.doInvoke(EJBInvocationHandler.java:183)
at org.jboss.ejb.client.EJBInvocationHandler.invoke(EJBInvocationHandler.java:146)
at com.sun.proxy.$Proxy3.getCurrentJawsLicense(Unknown Source)
at com.termalabs.client.main.JawsStartup$6.get(JawsStartup.java:1244)
at com.termalabs.client.main.JawsStartup$6.get(JawsStartup.java:1240)
at com.termalabs.client.model.ModelManagerUtil$1.processRequest(ModelManagerUtil.java:46)
at com.termalabs.client.util.request.RequestWorker$1.construct(RequestWorker.java:107)
at com.termalabs.client.util.SwingWorker$2.run(SwingWorker.java:130)
at java.lang.Thread.run(Unknown Source)
```
AAI Server version: 6.4.5
JDK version 1.8.0.
Situation at the beginning of the case:
> The keystore that was built contained only the key pair of the host certificate.
The JBoss server was able to start with this keystore, and browser connections showed the "lock" and the certificate chain.
At this point, the javaws client fails with the PKIX exception.
It was wrongly supposed that the host certificate was sufficient in the keystore and that the chain would be validated with the intermediate CA and the root CA in the Windows trust store and the JVM trust store, but this is "WRONG" in a Java application.
Web browsers try to rebuild the chain in case of a "wrong configuration" and usually succeed in doing so. Java applications are adamant.
The client will only validate the self-signed root authority certificate, and won't identify the intermediate certificate from local trust stores.
This means that the intermediate CA MUST be included in the keystore on the server (JBoss).
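A quick way to verify the keystore state described above, as an added example that is not part of the original post: the awk/grep helpers parse `keytool -list -v` and `openssl s_client -showcerts` output, with constructed sample output standing in for a real keystore; the keystore path, password and PEM file names are placeholders.

```shell
# Added example (not from the original post): checks for the JBoss keystore
# state described above. Keystore path, store password and PEM file names
# are placeholders; the sample outputs below are constructed, not captured.

# chain_length ALIAS: reads `keytool -list -v` output on stdin and prints the
# "Certificate chain length" of that alias (0 if the alias is absent).
chain_length() {
    awk -v a="$1" '
        /^Alias name: / { cur = substr($0, 13) }
        cur == a && /^Certificate chain length: / { print $4; found = 1 }
        END { if (!found) print 0 }'
}

# served_cert_count: reads `openssl s_client -showcerts` output on stdin and
# prints how many certificates the server sent in the handshake.
served_cert_count() {
    grep -c 'BEGIN CERTIFICATE' || true
}

# verdict N: interpret a chain length or served-certificate count.
verdict() {
    case "$1" in
        0) echo "ABSENT: alias not found or no certificate served" ;;
        1) echo "LEAF_ONLY: intermediate CA missing, Java PKIX path building fails" ;;
        *) echo "CHAIN_OK: $1 certificates present" ;;
    esac
}

# Constructed keytool output: broken keystore (host certificate only) ...
SAMPLE_LEAF_ONLY='Alias name: jawsserver
Entry type: PrivateKeyEntry
Certificate chain length: 1
Certificate[1]:
Owner: CN=aai.domain.com, O=Example
Issuer: CN=Example Intermediate CA, O=Example'
# ... and after the host+intermediate+root chain was imported into the alias.
SAMPLE_WITH_CHAIN=$(printf '%s\n' "$SAMPLE_LEAF_ONLY" | sed 's/chain length: 1/chain length: 3/')
# Constructed `openssl s_client -showcerts` output: the server sends two certificates.
SAMPLE_SCLIENT='-----BEGIN CERTIFICATE-----
MIIBconstructed
-----END CERTIFICATE-----
-----BEGIN CERTIFICATE-----
MIIBconstructed
-----END CERTIFICATE-----'

verdict "$(printf '%s\n' "$SAMPLE_LEAF_ONLY" | chain_length jawsserver)"
verdict "$(printf '%s\n' "$SAMPLE_WITH_CHAIN" | chain_length jawsserver)"
# Live checks (run manually): keytool -list -v -keystore jaws.jks | chain_length jawsserver
#   openssl s_client -connect aai.domain.com:8443 -servername aai.domain.com </dev/null 2>/dev/null | served_cert_count
# Fix: cat host.pem intermediate.pem root.pem > chain.pem
#      keytool -importcert -trustcacerts -keystore jaws.jks -alias jawsserver -file chain.pem
```

Importing the concatenated PEM into the existing private-key alias is treated by keytool as a certificate reply and replaces the single host certificate with the full chain, which is what the Java client needs to see in the handshake.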