Forum Replies Created
I want to post this update so that anyone who has similar issues knows exactly what they should be checking for. An SSL license is required for making an HTTPS connection if the web server is looking for a ‘client.key’ to be passed on.
We got a ‘trial’ license (valid for 7 days) generated by Infor for SSL; once I installed this license file, my thread started receiving a valid response.
This is how my thread is configured currently.
Thanks for all the help from the Clovertech Teachers.
-Rajesh
Jim K
Yes, we do have existing working Clients on the same release of Cloverleaf as the one I am having issues with.
But as I said in my earlier post, the existing interfaces don’t seem to be using the CERT files, though they are configured within CA File & Certificate File. I got a valid response from the web service even after removing the certificate files from the configuration. (I null-ed out CA PATH/CA Certificate/Client Certificate with ClientAuth mode set for this testing.)
I originally started my development in Cloverleaf 6.1 but then switched to Cloverleaf 6.2, since I can force the protocol to be TLSv1.2 using the drop-down menu (the Cloverleaf 6.1 GUI version just has the options SSL1/SSL3/TLSv1). Our Cloverleaf 6.1 version has OpenSSL version 1.0.1e, which should support TLSv1.2.
We are not licensed for CAA-WS.
We have opened an INCIDENT request with Infor support and they are checking to see if we have ‘purchased’ the SSL license.
Thanks for your reply.
-Raj
Jim K,
Here are the details about the Cloverleaf Client that I am using:
Current Platform:
Java version: 1.8.0_60
Java vendor: Oracle Corporation
OS type: Windows 7
OS version: 6.1
OS arch: x86
GUI Build Information:
Version: 6.2.0.2P
Date: Thu Jun 8 2017
Time: 03:03:38 AM
Platform: Windows_NT
Java Vendor: Sun Microsystems Inc.
JDK Version: 1.8.0_60
Swing Version: 1.8.0_60
RMI Version: 1.8.0_60
TCL Version: 8.6
OpenSSL Version: 1.0.1e 11 Feb 2013
I assume that OpenSSL version 1.0.1 supports TLSv1.2. (I don’t know the command to list all the protocols supported by this particular version, but a Wikipedia search lists OpenSSL 1.0.1 as supporting TLS 1.2 and DTLS 1.2.)
Robert,
I originally set the CA File/Certificate File to the fully defined path including the file name (Ex: /qvdx/cis6.2/integrator/demo_rp/data/certs/IOBridgeRootCertificate.cer).
I tried setting the CA Path to the directory where the cert files are placed and then set the CA/Certificate File to just the filename, excluding the directory path. It still did not make any difference. I didn’t see any additional information in the log file after setting CURLOPT_CERTINFO to 1.
I am still getting the same ‘SSL is not licensed — ignoring SSL configuration parameters’ error message.
Based on the reading that I have done (I may have interpreted things incorrectly), we need SSL for any secured data transfer like SFTP, HTTPS, etc.
I might be wrong, if so please correct me.
Thanks for your replies.
Raj
Jim K,
I am seeing the following entry within my log file
“SSL is not licensed — ignoring SSL configuration parameters.”
which is why I was asking about the SSL certificate. I thought the web-service certificate was the same as the SSL certificate, since the other 2 HTTPS interfaces were working within my organization. But then I wasn’t sure of it.
To prove my theory, I removed the Certificate file from the HTTPS config of the other 2 ‘working’ interfaces which we have installed within our organization and they work fine even without passing the CERT files.
Jim Cobane is reaching out to Infor support to find out more information regarding this issue.
Thanks
Raj
Hello Again,
I was checking my license file to see if we have an entry for cl-aom-ssl using the command
hcilictest cl-aom-ssl
but I didn’t see an entry for this. However, I see an entry for cl-aom-webservices.
Are both the same? Or should I request the SSL license?
If they are different and if I need to have the SSL license, does it have a cost factor associated with it?
Thanks
Raj
Thanks Robert for your reply.
I am specifying the full path to the cert files however the ‘group’ user did NOT have the ‘write’ access to these files and I modified the file permissions to give all access to all users, but I am still receiving the same ‘400 No required SSL certificate was sent’ error.
I also imported the certificates to the keystore but again no luck.
Thanks
Raj
Thanks for the link Charlie.
I verified that I am passing the parameters in the same fashion as described in the link.
I need to check to see if we can either upgrade OpenSSL or, if possible, just try to install a patch so that our current version of CURL supports TLS 1.1.
I will read more about ieInspector; I didn’t know about this. It looks more like a Windows-based tool which can be used for analyzing HTTP requests and responses.
Since I was a little familiar with .Net programming, I was using it to check if my HTTP Post request format is correct.
I just wanted to post an update.
This is the version of the CURL we have in our server
Code:
curl 7.37.0 (powerpc-ibm-aix6.1.0.0) libcurl/7.37.0 OpenSSL/1.0.0g zlib/1.2.3 libssh2/1.4.3
Protocols: dict file ftp ftps gopher http https imap imaps pop3 pop3s rtsp scp sftp smtp smtps telnet tftp
Features: IPv6 Largefile NTLM NTLM_WB SSL libz
This version of OpenSSL makes the connection using TLS 1.0.
The vendor doesn’t support TLS 1.0.
I was developing a .Net version of this code and I force the connection to be made using TLS 1.1 and I was able to connect to the vendor.
It looks like TLS 1.1 and TLS 1.2 are supported only from OpenSSL version 1.0.1
This means we need to upgrade. I am not sure if this will get approved by Jim Cobane 😛
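Added example, not part of the original post: a shell check for the limitation described above, where a curl linked against OpenSSL/1.0.0g could only negotiate TLS 1.0. The function name `tls12_capable` is hypothetical; the sample banner is the `curl -V` line quoted in the post.

```shell
#!/bin/sh
# Decide from a `curl -V` banner whether the linked OpenSSL can negotiate
# TLS 1.1/1.2 (both first shipped in OpenSSL 1.0.1).
# Live use: tls12_capable "$(curl -V | head -n 1)"

# tls12_capable BANNER -> prints "yes", "no" or "unknown"
tls12_capable() {
    # Pull the numeric version after "OpenSSL/" (1.0.0g -> 1.0.0).
    ver=$(printf '%s\n' "$1" |
          sed -n 's/.*OpenSSL\/\([0-9][0-9.]*\).*/\1/p' | head -n 1)
    # No OpenSSL token: curl was built against a different TLS library.
    [ -n "$ver" ] || { echo unknown; return 0; }

    # Split major.minor.patch; missing fields count as 0.
    old_ifs=$IFS
    IFS=.
    set -- $ver
    IFS=$old_ifs
    major=${1:-0}; minor=${2:-0}; patch=${3:-0}

    # Numeric comparison against 1.0.1.
    if [ "$major" -gt 1 ] ||
       { [ "$major" -eq 1 ] && [ "$minor" -gt 0 ]; } ||
       { [ "$major" -eq 1 ] && [ "$minor" -eq 0 ] && [ "$patch" -ge 1 ]; }
    then
        echo yes
    else
        echo no
    fi
}

# Banner copied from the post above (AIX build linked to OpenSSL 1.0.0g).
PAGE_BANNER='curl 7.37.0 (powerpc-ibm-aix6.1.0.0) libcurl/7.37.0 OpenSSL/1.0.0g zlib/1.2.3 libssh2/1.4.3'

echo "TLS 1.1/1.2 capable: $(tls12_capable "$PAGE_BANNER")"
```

The banner only reports what libcurl was built against; the protocol actually negotiated still shows up in the verbose output as the `SSL connection using ...` line.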
Hi,
I replaced & with %26 and ! (found in the password string) with %21, and I got the error message {"error":"unsupported_grant_type","error_description":"grant type not supported"}
I was getting
{"error":"invalid_grant","error_description":"authentication failure"}
The vendor executed the following Curl command on his machine and he was able to connect.
curl -v POST -H --URL 'https://test.salesforce.com/services/oauth2/token' -H 'Content-Type: application/x-www-form-urlencoded' -d 'grant_type=password&client_id=&client_secret=&username=&password='
He is seeing my request (executing the Curl command from the Cloverleaf server) making it to the server, but it’s getting rejected with the error message "Failed: Login over insecure channel".
Levy
Thanks for your reply. I downloaded the cacert.pem file from the CURL website, and when I remove that option and execute the curl command, I get the following warning message:
* Server certificate:
* subject: C=US; ST=California; L=San Francisco; O=Salesforce.com, Inc; OU=Applications; CN=test.salesforce.com
* start date: 2015-06-05 00:00:00 GMT
* expire date: 2018-06-04 23:59:59 GMT
* issuer: C=US; O=Symantec Corporation; OU=Symantec Trust Network; CN=Symantec Class 3 Secure Server CA – G4
* SSL certificate verify result: unable to get local issuer certificate (20), continuing anyway.
There is no API documentation from the vendor. All the requirements were made in a single email 🙄 .
I have been asking him the question saying if we need to include a ‘signed’ client certificate when requesting for the token, the answer is a big NO. I have sent another email asking him to confirm the same question again. I will keep you posted once I get a response back.
This is what I have tried so far with curl::transfer
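package require TclCurl
# The [ ] around curl::transfer inside the catch body make Tcl run the
# transfer's return value (0 on success) as a command; that is the source of
# the 'invalid command name "0"' line in the output below.
# -sslverifypeer 0 turns off server certificate verification.
if {[catch {[curl::transfer -url https://test.salesforce.com/services/oauth2/token? \
        -verbose 1 \
        -post 1 \
        -sslverifypeer 0 \
        -bodyvar body \
        -postfields "grant_type=password&client_id=xxx&client_secret=yyy&username=aaa&password=bbb" \
    ]} ret_cd]} {
    echo "return code from WebService Call is: $ret_cd"
    echo "body variable output is $body"
}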
This is the output I got
* Hostname was NOT found in DNS cache
* Trying 96.43.146.125…
* Connected to test.salesforce.com (96.43.146.125) port 443 (#0)
* SSL connection using TLSv1.0 / AES256-SHA
* Server certificate:
* subject: C=US; ST=California; L=San Francisco; O=Salesforce.com, Inc; OU=Applications; CN=test.salesforce.com
* start date: 2015-06-05 00:00:00 GMT
* expire date: 2018-06-04 23:59:59 GMT
* subjectAltName: test.salesforce.com matched
* issuer: C=US; O=Symantec Corporation; OU=Symantec Trust Network; CN=Symantec Class 3 Secure Server CA – G4
* SSL certificate verify result: unable to get local issuer certificate (20), continuing anyway.
> POST /services/oauth2/token? HTTP/1.1
Host: test.salesforce.com
Accept: */*
Content-Length: 251
Content-Type: application/x-www-form-urlencoded
* upload completely sent off: 251 out of 251 bytes
< HTTP/1.1 400 Bad Request
< Date: Fri, 07 Apr 2017 16:44:24 GMT
< Strict-Transport-Security: max-age=31536000; includeSubDomains
< X-Content-Type-Options: nosniff
< X-XSS-Protection: 1; mode=block
< Content-Security-Policy: reflected-xss block;report-uri /_/ContentDomainCSPNoAuth?ENGINE=xss
< Content-Security-Policy: referrer origin-when-cross-origin
< Set-Cookie: BrowserId=GNEuKMgvRbKSybot63DZeA;Path=/;Domain=.salesforce.com;Expires=Tue, 06-Jun-2017 16:44:24 GMT
< Expires: Thu, 01 Jan 1970 00:00:00 GMT
< Pragma: no-cache
< Cache-Control: no-cache, no-store
< X-ReadOnlyMode: false
< Content-Type: application/json;charset=UTF-8
< Transfer-Encoding: chunked
<
* Connection #0 to host test.salesforce.com left intact
return code from WebService Call is: invalid command name "0"
body variable output is {"error":"invalid_grant","error_description":"authentication failure"}
tcl>
Jim
We don’t have a license for Add-on Secure Messenger.
That is the reason why I am trying to do this using TclCurl/curl