We configured the SSL for Edge UI on Private Cloud 4.16.05 based on the instructions provided here.
However, when we try to launch the UI as https://<IP address>:<port#> we got the below error in the browser:
This site can’t be reached
<IP address> took too long to respond.
Try:
Checking the connection
Checking the proxy and the firewall
Running Network Diagnostics
ERR_CONNECTION_TIMED_OUT
So we tried to run the curl command as follows:
curl -v https://0:9443/login
When we checked the edge-ui.log we saw the following exception:
java.lang.reflect.InvocationTargetException: null
    at sun.reflect.NativeConstructorAccessorImpl.newInstance0(Native Method) ~[na:1.8.0_121]
    at sun.reflect.NativeConstructorAccessorImpl.newInstance(NativeConstructorAccessorImpl.java:62) ~[na:1.8.0_121]
    at sun.reflect.DelegatingConstructorAccessorImpl.newInstance(DelegatingConstructorAccessorImpl.java:45) ~[na:1.8.0_121]
    at java.lang.reflect.Constructor.newInstance(Constructor.java:423) ~[na:1.8.0_121]
    at play.core.server.ServerSSLEngine$.createScalaSSLEngineProvider(ServerSSLEngine.scala:82) ~[com.typesafe.play.play_2.11-2.3.10.jar:2.3.10]
Caused by: java.lang.Exception: Error loading HTTPS keystore from /opt/apigee/customer/conf/keystore.jks
    at play.core.server.DefaultSSLEngineProvider.createSSLContext(DefaultSSLEngineProvider.scala:43) ~[com.typesafe.play.play_2.11-2.3.10.jar:2.3.10]
    at play.core.server.DefaultSSLEngineProvider.<init>(DefaultSSLEngineProvider.scala:19) ~[com.typesafe.play.play_2.11-2.3.10.jar:2.3.10]
    at services.CustomSSLEngineProvider.<init>(CustomSSLEngineProvider.scala:23) ~[enterpriseui.enterpriseui-4.16.05.06-df43663-20161229-233745.jar:4.16.05.06-df43663-20161229-233745]
    at sun.reflect.NativeConstructorAccessorImpl.newInstance0(Native Method) ~[na:1.8.0_121]
    at sun.reflect.NativeConstructorAccessorImpl.newInstance(NativeConstructorAccessorImpl.java:62) ~[na:1.8.0_121]
Caused by: java.io.IOException: Keystore was tampered with, or password was incorrect
    at sun.security.provider.JavaKeyStore.engineLoad(JavaKeyStore.java:780) ~[na:1.8.0_121]
    at sun.security.provider.JavaKeyStore$JKS.engineLoad(JavaKeyStore.java:56) ~[na:1.8.0_121]
    at sun.security.provider.KeyStoreDelegator.engineLoad(KeyStoreDelegator.java:224) ~[na:1.8.0_121]
    at sun.security.provider.JavaKeyStore$DualFormatJKS.engineLoad(JavaKeyStore.java:70) ~[na:1.8.0_121]
    at java.security.KeyStore.load(KeyStore.java:1445) ~[na:1.8.0_121]
Caused by: java.security.UnrecoverableKeyException: Password verification failed
    at sun.security.provider.JavaKeyStore.engineLoad(JavaKeyStore.java:778) ~[na:1.8.0_121]
    at sun.security.provider.JavaKeyStore$JKS.engineLoad(JavaKeyStore.java:56) ~[na:1.8.0_121]
    at sun.security.provider.KeyStoreDelegator.engineLoad(KeyStoreDelegator.java:224) ~[na:1.8.0_121]
    at sun.security.provider.JavaKeyStore$DualFormatJKS.engineLoad(JavaKeyStore.java:70) ~[na:1.8.0_121]
    at java.security.KeyStore.load(KeyStore.java:1445) ~[na:1.8.0_121]
I have passed on the right password in the configFile while configuring the SSL.
Can someone help how to fix this issue?
After some investigation, I found the cause for this issue as follows:
Re-created the JKS file by using the same password and then used the password as is in the configFile. Configured the SSL for Edge UI. We are no longer seeing the exception "Keystore was tampered with, or password was incorrect".
Just to re-iterate the complete steps to configure SSL for Edge UI:
Assuming you already have the certificate and private key files in PEM format, follow the below steps to configure SSL for Edge UI.
openssl pkcs12 -export -clcerts -in opdk-ui-certificate.pem -inkey opdk-ui-key.pem -out keystore.pkcs12
keytool -importkeystore -srckeystore keystore.pkcs12 -srcstoretype pkcs12 -destkeystore keystore.jks -deststoretype jks
iptables -A INPUT -m state --state NEW -m tcp -p tcp --dport 9443 -j ACCEPT --verbose
HTTPSPORT=9443
DISABLE_HTTP=n
KEY_ALGO=JKS
KEY_FILE_PATH=/tmp/mykeystore.jks
KEY_PASS=keystore123
/<inst_root>/apigee/apigee-service/bin/apigee-service edge-ui configure-ssl -f configFile
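Added example, not part of the original posts and not Apigee or JDK code: the "Keystore was tampered with, or password was incorrect" error comes from a single check, a SHA-1 digest over the store password, a fixed string and the keystore bytes, so a wrong password and a modified file are indistinguishable. The sketch below repeats that check for the KEY_FILE_PATH and KEY_PASS named in a configFile before configure-ssl is run; the function names are hypothetical, the config is assumed to be KEY=VALUE lines, and the sample keystore is constructed in the code.

```python
import hashlib
import hmac
import struct

JKS_MAGIC = 0xFEEDFEED
SALT = b"Mighty Aphrodite"  # fixed string the JKS format mixes into the digest
# Constructed sample config, using the values shown in the post above.
SAMPLE_CFG = ("HTTPSPORT=9443\nDISABLE_HTTP=n\nKEY_ALGO=JKS\n"
              "KEY_FILE_PATH=/tmp/mykeystore.jks\nKEY_PASS=keystore123\n")

def parse_config(text):
    """Parse KEY=VALUE lines (assumed config format) into a dict."""
    cfg = {}
    for line in text.splitlines():
        line = line.strip()
        if line and not line.startswith("#") and "=" in line:
            key, value = line.split("=", 1)
            cfg[key.strip()] = value.strip()
    return cfg

def jks_password_ok(data, password):
    """True if `password` matches the integrity digest of JKS bytes `data`."""
    if len(data) < 12 + 20:
        raise ValueError("too short to be a JKS keystore")
    magic, version = struct.unpack(">II", data[:8])
    if magic != JKS_MAGIC or version not in (1, 2):
        raise ValueError("not a JKS keystore (PKCS12 or JCEKS?)")
    body, stored = data[:-20], data[-20:]
    # SHA-1 over: password as 2-byte big-endian chars, the fixed salt, the body.
    digest = hashlib.sha1(password.encode("utf-16-be") + SALT + body).digest()
    return hmac.compare_digest(digest, stored)

def build_empty_jks(password):
    """Constructed sample: a valid JKS keystore with zero entries."""
    body = struct.pack(">III", JKS_MAGIC, 2, 0)
    digest = hashlib.sha1(password.encode("utf-16-be") + SALT + body).digest()
    return body + digest

def check(config_text, read_file):
    """Check KEY_PASS from the config against the keystore at KEY_FILE_PATH."""
    cfg = parse_config(config_text)
    return jks_password_ok(read_file(cfg["KEY_FILE_PATH"]), cfg["KEY_PASS"])

if __name__ == "__main__":
    store = build_empty_jks("keystore123")  # stands in for the real file
    print(check(SAMPLE_CFG, lambda path: store))
```

Against real files, pass `lambda p: open(p, "rb").read()` as `read_file`. This covers the store-level check only; the private key entry inside the keystore has its own password.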
This works 🙂 Thanks a lot.
Regards,
Salman
Can you please update the docs with this information?
Stephen
1. The same password should be used for both PKCS12 and JKS files
2. We should use an unencrypted password in the config file