HTTPS Client Configuration – SSL Error


  • #55543

    Hi Clovertech Teachers,

    I am pretty new to HTTP configuration. We are using Cloverleaf 6.1 and will be upgrading to Cloverleaf 6.2 pretty soon. We are running on an AIX server. Within our organization we have done HTTP client configurations previously without any issues. Every time, we were provided with the client certificate to be used when making the HTTPS call (sent by the vendor).

    We never had to generate a KEY or CSR file to get the certificate. But for the new HTTPS interface, the vendor asked me to generate the KEY file and a CSR (Client Signing Request) file, from which the vendor provided the Root Server Certificate and the Client Certificate.

    The vendor only supports the TLSv1.2 protocol, which is why I was forced to use Cloverleaf 6.2 for my testing. We will be upgrading to Cloverleaf 6.2 before this project goes live (so testing it in version 6.2 is not an issue).

    I have configured the Cloverleaf thread in the following manner

    Protocol: http-client

    Encoding: UTF-8

    URL:

    Headers: {Content-Type "text/xml; charset=utf-8"} {User-Agent "CIS"}

    Method: POST

    cURL Options:

    CURLOPT_SSL_VERIFYPEER set to 0

    CURLOPT_VERBOSE set to 1

    CURLOPT_SSL_VERIFYHOST set to 0

    Driver Mode: Message Driven

    Query TPS: httpQuery with Args set to {MSGUSE DATA}

    HTTPS Configuration is done as follows

    Mode: ClientAuth

    SSL Protocol: All (the assumption is that it will resolve to TLSv1.2 during the handshake)

    CA File:

    Certificate File:

    Private Key:

    This PFX file was generated with the following OpenSSL command:

    pkcs12 -export -out rhapsodyHSDP.pfx -inkey client.key -in client-certificate.crt

    Password: ****

    When I start the thread, I can see it getting connected to the web service.

    But when I try to send the ADT data through this thread, I am getting an error stating "400 from HTTP server" (No required SSL certificate was provided).

    I have already confirmed with my network team that there is no firewall issue.

    Here are the details from the log file:

    *   Trying 52.2.245.229...

    * TCP_NODELAY set

    * Connected to rhapsody-poc-2030c.ibe.philips-healthsuite.com (52.2.245.229) port 7972 (#0)

    * ALPN, offering http/1.1

    * Cipher selection: ALL:!EXPORT:!EXPORT40:!EXPORT56:!aNULL:!LOW:!RC4:@STRENGTH

    * NPN, negotiated HTTP1.1

    * SSL connection using TLSv1.2 / ECDHE-RSA-AES256-GCM-SHA384

    * ALPN, server did not agree to a protocol

    * Server certificate:

    *  subject: C=US; ST=California; L=Foster City; O=Philips Healthcare Informatics, Inc; CN=*.ibe.philips-healthsuite.com

    *  start date: May  5 00:00:00 2017 GMT

    *  expire date: Jul 29 12:00:00 2020 GMT

    *  issuer: C=US; O=DigiCert Inc; CN=DigiCert SHA2 Secure Server CA

    *  SSL certificate verify result: unable to get local issuer certificate (20), continuing anyway.

    > POST /share/emr/Encounter HTTP/1.1

    Host: rhapsody-poc-2030c.ibe.philips-healthsuite.com:7972

    User-Agent: CIS

    Accept: */*

    From: anonymous@unknown.com

    Connection: close

    Content-Type: text/xml; charset=utf-8

    Content-Length: 224

    * upload completely sent off: 224 out of 224 bytes

    < HTTP/1.1 400 Bad Request
    < Server: nginx
    < Date: Mon, 30 Oct 2017 14:59:46 GMT
    < Content-Type: text/html; charset=utf-8
    < Content-Length: 246
    < Connection: close
    [http:read:DBUG/3:to_hfhs_Philips_LifeLine_adt:10/30/2017 10:59:46] Got response code: 400 from HTTP server
    <
    * Curl_http_done: called premature == 0
    * Closing connection 0
    [http:tps :DBUG/0:to_hfhs_Philips_LifeLine_adt:10/30/2017 10:59:46] Setting HTTP Result.
    [http:tps :INFO/0:to_hfhs_Philips_LifeLine_adt:10/30/2017 10:59:46] HTTPResult: {STATUS {HTTP/1.1 400 Bad Request
    [http:tps :INFO/0:to_hfhs_Philips_LifeLine_adt:--/--/---- --:--:--] }} {HEADERS {Server: nginx
    [http:tps :INFO/0:to_hfhs_Philips_LifeLine_adt:--/--/---- --:--:--] Date: Mon, 30 Oct 2017 14:59:46 GMT
    [http:tps :INFO/0:to_hfhs_Philips_LifeLine_adt:--/--/---- --:--:--] Content-Type: text/html; charset=utf-8
    [http:tps :INFO/0:to_hfhs_Philips_LifeLine_adt:--/--/---- --:--:--] Content-Length: 246
    [http:tps :INFO/0:to_hfhs_Philips_LifeLine_adt:--/--/---- --:--:--] Connection: close
    [http:tps :INFO/0:to_hfhs_Philips_LifeLine_adt:--/--/---- --:--:--] }} {BODY {
    [http:tps :INFO/0:to_hfhs_Philips_LifeLine_adt:--/--/---- --:--:--] 400 No required SSL certificate was sent
    [http:tps :INFO/0:to_hfhs_Philips_LifeLine_adt:--/--/---- --:--:--]
    [http:tps :INFO/0:to_hfhs_Philips_LifeLine_adt:--/--/---- --:--:--]
    400 Bad Request
    [http:tps :INFO/0:to_hfhs_Philips_LifeLine_adt:--/--/---- --:--:--]
    No required SSL certificate was sent
    [http:tps :INFO/0:to_hfhs_Philips_LifeLine_adt:--/--/---- --:--:--]
    nginx
    [http:tps :INFO/0:to_hfhs_Philips_LifeLine_adt:--/--/---- --:--:--]
    [http:tps :INFO/0:to_hfhs_Philips_LifeLine_adt:--/--/---- --:--:--]
    [http:tps :INFO/0:to_hfhs_Philips_LifeLine_adt:--/--/---- --:--:--] }}

    [tcl :out :INFO/0:to_hfhs_Philips_LifeLine_adt:10/30/2017 10:59:46] (httpQuery/Run) Error fetching URL https://rhapsody-poc-2030c.ibe.philips-healthsuite.com:7972/share/emr/Encounter: HTTP/1.1 400 Bad Request

    My question:

    Just because I generated the KEY and CSR files, do I need to add/import the KEY (using -importkeystore) and the certificate (using -importcert) into the keystore?

    I tried to look for anything currently in the keystore using the keytool -list command and I didn't see anything, so I am not sure whether I need to add this to the keystore since I generated the KEY & CSR files.

    Any help in this regard would be appreciated.

    Thanks in advance.

    -Raj

Viewing 11 reply threads
    • #85690
      Robert Milfajt
      Participant

        In your output as the call is being set up, I see this warning.

        Quote:

        *  SSL certificate verify result: unable to get local issuer certificate (20), continuing anyway.

        I'm just guessing, but did you provide the full file path to the key and certificate files, or just the file name in your call?  I would suggest providing the full path if you did not.

        If that’s not it, check the file permissions on those files to make sure the hci user has access to them.

        After that, I’m stumped.

        Hope this helps,

        Robert Milfajt
        Northwestern Medicine
        Chicago, IL

      • #85691

        Thanks Robert for your reply.

        I am specifying the full path to the cert files; however, the 'group' user did NOT have 'write' access to these files, and I modified the file permissions to give all access to all users, but I am still receiving the same '400 No required SSL certificate was sent' error.

        I also imported the certificates to the keystore but again no luck.

        Thanks

        Raj

      • #85692

        Hello Again,

        I was checking my license file to see if we have an entry for cl-aom-ssl, using the command

        hcilictest cl-aom-ssl

        but I didn't see an entry for this. However, I see an entry for cl-aom-webservices.

        Are both the same? Or should I request the SSL license?

        If they are different and I need to have the SSL license, does it have a cost factor associated with it?

        Thanks

        Raj

      • #85693
        Jim Kosloskey
        Participant

          Check with support, but if Web Services is CAA-WS I think the SSL support comes with it.

          Besides, if you were not licensed, I don't think you would get as far as you have.

          Unfortunately I do not have any suggestion to resolve your issue. The only HTTPS Client connection I ever did was without certificates.

          email: jim.kosloskey@jim-kosloskey.com 30+ years Cloverleaf, 60 years IT – old fart.

        • #85694

          Jim K,

          I am seeing the following entry within my log file

          "SSL is not licensed -- ignoring SSL configuration parameters."

          which is why I was asking about the SSL certificate. I thought the web-service certificate was the same as the SSL certificate, since the other 2 HTTPS interfaces were working within my organization. But then I wasn't sure of it.

          To prove my theory, I removed the Certificate file from the HTTPS config of the other 2 'working' interfaces which we have installed within our organization, and they work fine even without passing the CERT files.

          Jim Cobane is reaching out to Infor support to find out more information regarding this issue.

          Thanks

          Raj

        • #85695
          Jim Kosloskey
          Participant

            Well that notice in the log seems to indicate a lack of licensing.

            What Cloverleaf release is this?

            I suspect support should be able to confirm licensing.

            email: jim.kosloskey@jim-kosloskey.com 30+ years Cloverleaf, 60 years IT – old fart.

          • #85696
            Robert Milfajt
            Participant

              So curiosity got the best of me.  In your original post, you said you set CA File, but nothing about setting CA Path.  In reading some TCL cURL stuff, it indicates you might need both.  Did you set both CA PATH to the directory where the CA File resides and CA FILE to the name of the CA File, or did you set CA FILE to the full name of the file including the directory?

              Robert Milfajt
              Northwestern Medicine
              Chicago, IL
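              The checks behind this thread, as an added example written for this page (not code from the original posts, from Infor or from Cloverleaf): the OP's KEY/CSR/PFX steps from the first post and the CA File / CA Path question in the post above, rebuilt against a throwaway PKI with only the openssl CLI. It starts a local TLS server that requires a client certificate (what an nginx with ssl_verify_client does) and then runs four checks: does the PFX carry a private key that matches the certificate; does a CA Path directory work before and after `openssl rehash`; does the handshake succeed with the identity from the PFX and fail without it (the OP's "No required SSL certificate was sent"); and what the server-chain verify code is with and without the vendor CA (error 20 from the OP's curl log appears in the second case, and curl with CURLOPT_SSL_VERIFYPEER=0 simply continues past it). The vendor CA, host names, port, PFX password and file names are all assumptions; the final cause in this thread (a missing SSL license, so the configured certificate was never presented) is exactly what the third check would have surfaced against the real endpoint.

              ```shell
              #!/bin/sh
              # Added example for this thread: throwaway PKI + openssl CLI only. Nothing here is
              # from Cloverleaf/Infor or the original posts; names, port and password are assumptions.
              set -eu
              WORK="$(mktemp -d)"
              trap 'rm -rf "$WORK"' EXIT
              PORT=$((20000 + $$ % 20000))
              cd "$WORK"

              gen_pki() {
                # Throwaway "vendor" CA (the Root Server Certificate the vendor sent the OP).
                openssl req -x509 -newkey rsa:2048 -nodes -days 2 -subj "/CN=Vendor Root CA" \
                  -addext "basicConstraints=critical,CA:TRUE" -keyout ca.key -out ca.crt 2>/dev/null
                # Server identity signed by that CA.
                openssl req -newkey rsa:2048 -nodes -subj "/CN=localhost" -keyout server.key -out server.csr 2>/dev/null
                openssl x509 -req -in server.csr -CA ca.crt -CAkey ca.key -CAcreateserial -days 2 -out server.crt 2>/dev/null
                # The step the vendor asked the OP to do: make KEY + CSR, get it signed by the vendor CA.
                openssl req -newkey rsa:2048 -nodes -subj "/CN=cloverleaf-client" -keyout client.key -out client.csr 2>/dev/null
                openssl x509 -req -in client.csr -CA ca.crt -CAkey ca.key -CAcreateserial -days 2 -out client-certificate.crt 2>/dev/null
                # Same packaging step as the OP's pkcs12 command (password is an assumption).
                openssl pkcs12 -export -out client.pfx -inkey client.key -in client-certificate.crt -passout pass:changeit
                # What a client stack does with the PFX: unpack it back to PEM key + cert for the handshake.
                openssl pkcs12 -in client.pfx -passin pass:changeit -nodes -out client-from-pfx.pem 2>/dev/null
              }

              # Check 1: the PFX must carry a private key, and it must be the key for the certificate.
              pfx_key_matches_cert() {
                cert_pub="$(openssl pkcs12 -in "$1" -passin "pass:$2" -clcerts -nokeys 2>/dev/null | openssl x509 -noout -pubkey 2>/dev/null)"
                key_pub="$(openssl pkcs12 -in "$1" -passin "pass:$2" -nocerts -nodes 2>/dev/null | openssl pkey -pubout 2>/dev/null)"
                [ -n "$cert_pub" ] && [ "$cert_pub" = "$key_pub" ]
              }

              # Check 2: a "CA Path" (curl's CURLOPT_CAPATH) is an OpenSSL hash directory, not just a
              # folder that happens to hold the CA file; it only works after `openssl rehash` has
              # created the <hash>.0 links. -no-CAfile keeps the system trust store out of the result.
              ca_path_verifies() {
                openssl verify -no-CAfile -CApath "$1" client-certificate.crt >/dev/null 2>&1
              }

              # Check 3: handshake against a server that REQUIRES a client certificate, either
              # presenting the identity from the PFX ("client") or omitting it ("none"). The exit
              # status is the handshake result; the transcript lands in s_client.<mode>.log.
              connect_to_server() {
                mode="$1"
                if [ "$mode" = client ]; then
                  openssl s_client -connect "127.0.0.1:$PORT" -tls1_2 -CAfile ca.crt \
                    -cert client-from-pfx.pem -key client-from-pfx.pem </dev/null >"s_client.$mode.log" 2>&1
                else
                  openssl s_client -connect "127.0.0.1:$PORT" -tls1_2 -CAfile ca.crt </dev/null >"s_client.$mode.log" 2>&1
                fi
              }

              # Check 4: the server-chain verify code as the client sees it. With the vendor CA it is 0;
              # without it the chain cannot be built (error 20 in the OP's curl log) and both curl with
              # CURLOPT_SSL_VERIFYPEER=0 and s_client without -verify_return_error continue anyway.
              server_verify_code() {
                if [ "$1" = trusted ]; then ca_opt="-CAfile ca.crt"; else ca_opt="-no-CAfile -no-CApath"; fi
                openssl s_client -connect "127.0.0.1:$PORT" -tls1_2 $ca_opt \
                  -cert client-from-pfx.pem -key client-from-pfx.pem </dev/null 2>&1 \
                  | sed -n 's/^ *Verify return code: \([0-9]*\).*/\1/p'
              }

              gen_pki
              # -Verify makes the server fail the handshake when no client certificate arrives.
              openssl s_server -accept "$PORT" -cert server.crt -key server.key -CAfile ca.crt \
                -Verify 1 -www </dev/null >server.log 2>&1 &
              SERVER_PID=$!
              trap 'kill "$SERVER_PID" 2>/dev/null; rm -rf "$WORK"' EXIT
              i=0
              until connect_to_server client; do
                i=$((i + 1)); [ "$i" -lt 50 ] || { echo "server did not start"; exit 1; }; sleep 0.2
              done

              pfx_key_matches_cert client.pfx changeit && echo "PFX: private key matches certificate"
              mkdir capath && cp ca.crt capath/
              ca_path_verifies capath || echo "CA Path before rehash: CA not found"
              openssl rehash capath >/dev/null 2>&1
              ca_path_verifies capath && echo "CA Path after rehash: chain verifies"
              connect_to_server client && echo "with client cert from PFX: handshake completed"
              connect_to_server none || echo "without client cert: server rejected the handshake (the OP's symptom)"
              echo "server chain, vendor CA trusted: verify code $(server_verify_code trusted)"
              echo "server chain, vendor CA unknown: verify code $(server_verify_code untrusted)"
              # Did the server ask for a client cert at all, and from which CAs? Same line to look for
              # when running `openssl s_client -connect host:port -tls1_2` against the real endpoint.
              grep -A1 'Acceptable client certificate CA names' s_client.client.log || echo "server sent no client-CA list"
              ```

              Run it as a plain sh script; it needs only openssl on the path and a free loopback port. The useful habit it shows is to run `openssl s_client -connect host:port -tls1_2` against the vendor endpoint before touching the interface engine: "Acceptable client certificate CA names" tells you the server is asking for a client certificate and which CA it expects, and the same command with `-cert`/`-key` tells you whether the generated key and certificate satisfy it, independently of anything the engine does or silently ignores.
              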

            • #85697
              Robert Milfajt
              Participant

                Maybe set CURLOPT_CERTINFO to 1 to get some additional debug information.

                Quote:

                      -certinfo

                             Set to '1' to enable TclCurl's certificate chain
                             info gatherer. With this enabled, TclCurl (if
                             built with OpenSSL) will extract lots of
                             information and data about the certificates in the
                             certificate chain used in the SSL connection. This
                             data can then be extracted after a transfer
                             using the getinfo command and its option certinfo.

                Robert Milfajt
                Northwestern Medicine
                Chicago, IL

              • #85698

                Jim K,

                Here are the details of the Cloverleaf client that I am using:

                Current Platform:

                Java version: 1.8.0_60

                 Java vendor: Oracle Corporation

                     OS type: Windows 7

                  OS version: 6.1

                     OS arch: x86

                GUI Build Information:

                     Version: 6.2.0.2P

                        Date: Thu Jun 8 2017

                        Time: 03:03:38 AM

                    Platform: Windows_NT

                 Java Vendor: Sun Microsystems Inc.

                 JDK Version: 1.8.0_60

                Swing Version: 1.8.0_60

                 RMI Version: 1.8.0_60

                TCL Version: 8.6

                OpenSSL Version: 1.0.1e 11 Feb 2013

                I assume that OpenSSL version 1.0.1 supports TLSv1.2 (I don't know the command to list all the protocols supported by this particular version, but a Wikipedia search says that OpenSSL 1.0.1 supports TLS 1.2 and DTLS 1.2).

                Robert,

                I originally set the CA File/Certificate File to the fully qualified path including the file name (e.g. /qvdx/cis6.2/integrator/demo_rp/data/certs/IOBridgeRootCertificate.cer).

                I tried setting the CA Path to the directory where the cert files are placed and then set the CA/Certificate File to just the file name, excluding the directory path...it still did not make any difference. I didn't see any additional information in the log file after setting CURLOPT_CERTINFO to 1.

                I am still getting the same 'SSL is not licensed -- ignoring SSL configuration parameters' error message.

                Based on the reading I have done (I may have interpreted things incorrectly), we need SSL for any secured data transfer like SFTP, HTTPS, etc.

                I might be wrong; if so, please correct me.

                Thanks for your replies.

                Raj

              • #85699
                Jim Kosloskey
                Participant

                  You do need a license for the Secure Data (SSL) add-in, but if you have other HTTPS client connections working you should be good.

                  Are the existing working clients on the same release of Cloverleaf as the one you are having issues with?

                  Do you know if you are licensed for CAA-WS? That is the Cloverleaf Web Services add-in. If you are, I thought that was supposed to include licensing for SSL.

                  Again support should be able to tell you what you are licensed for.

                  email: jim.kosloskey@jim-kosloskey.com 30+ years Cloverleaf, 60 years IT – old fart.

                • #85700

                  Jim K

                  Yes, we do have existing working clients on the same release of Cloverleaf as the one I am having issues with.

                  But as I said in my earlier post, the existing interfaces don't seem to be using the CERT files, though they are configured within CA File & Certificate File. I got a valid response from the web service even after removing the certificate files from the configuration. (I nulled out CA PATH/CA Certificate/Client Certificate with ClientAuth mode set for this testing.)

                  I originally started my development in Cloverleaf 6.1 but then switched to Cloverleaf 6.2, since I can force the protocol to be TLSv1.2 using the drop-down menu (the Cloverleaf 6.1 GUI just has options for SSL1/SSL3/TLSv1). Our Cloverleaf 6.1 version has OpenSSL version 1.0.1e, which should support TLSv1.2.

                  We are not licensed for CAA-WS.

                  We have opened an incident request with Infor support and they are checking to see if we have 'purchased' the SSL license.

                  Thanks for your reply.

                  -Raj

                • #85701

                  I want to post this update so that anyone with similar issues knows what exactly they should be checking for. An SSL license is required for making an HTTPS connection if the web server is looking for a 'client.key' to be passed on.

                  We got a 'trial' license (valid for 7 days) generated by Infor for SSL; once I installed this license file, my thread started receiving valid responses.

                  This is how my thread is configured currently.

                  Thanks for all the help from the Clovertech Teachers.

                  -Rajesh
