SSL Problems

I have been trying to get a Jive server up and running for a while now, and have had a lot of problems with the SSL portion. I got over one hump with the keystore problem finally…or so I thought. I used the SSL guide to install my Signed Cert, and then made the changes in the server properties as instructed…but now I cannot log into the chat server via the desktop client. I get the following error log…


at java.lang.Class.newInstance(Unknown Source)
at org.jivesoftware.messenger.starter.ServerStarter.start(ServerStarter.java:82)
at org.jivesoftware.messenger.starter.ServerStarter.main(ServerStarter.java:46)
at sun.reflect.NativeMethodAccessorImpl.invoke0(Native Method)
at sun.reflect.NativeMethodAccessorImpl.invoke(Unknown Source)
at sun.reflect.DelegatingMethodAccessorImpl.invoke(Unknown Source)
at java.lang.reflect.Method.invoke(Unknown Source)
at com.exe4j.runtime.LauncherEngine.launch(Unknown Source)
at com.exe4j.runtime.WinLauncher.main(Unknown Source)

2005.04.21 10:35:29 [org.jivesoftware.messenger.container.AdminConsolePlugin.initializePlugin(AdminConsolePlugin.java:139)] Trouble initializing admin console
org.mortbay.util.MultiException[java.io.FileNotFoundException: C:\Program Files\Jive Messenger\resources\security (Access is denied)]
at org.mortbay.http.HttpServer.doStart(HttpServer.java:673)
at org.mortbay.util.Container.start(Container.java:72)
at org.jivesoftware.messenger.container.AdminConsolePlugin.initializePlugin(AdminConsolePlugin.java:122)
at org.jivesoftware.messenger.container.PluginManager.loadPlugin(PluginManager.java:191)
at org.jivesoftware.messenger.container.PluginManager.access$300(PluginManager.java:69)
at org.jivesoftware.messenger.container.PluginManager$PluginMonitor.run(PluginManager.java:420)
at java.util.concurrent.Executors$RunnableAdapter.call(Unknown Source)
at java.util.concurrent.FutureTask$Sync.innerRunAndReset(Unknown Source)
at java.util.concurrent.FutureTask.runAndReset(Unknown Source)
at java.util.concurrent.ScheduledThreadPoolExecutor$ScheduledFutureTask.access$101(Unknown Source)
at java.util.concurrent.ScheduledThreadPoolExecutor$ScheduledFutureTask.runPeriodic(Unknown Source)
at java.util.concurrent.ScheduledThreadPoolExecutor$ScheduledFutureTask.run(Unknown Source)
at java.util.concurrent.ThreadPoolExecutor$Worker.runTask(Unknown Source)
at java.util.concurrent.ThreadPoolExecutor$Worker.run(Unknown Source)
at java.lang.Thread.run(Unknown Source)
java.io.FileNotFoundException: C:\Program Files\Jive Messenger\resources\security (Access is denied)
at java.io.FileInputStream.open(Native Method)
at java.io.FileInputStream.<init>(Unknown Source)
at org.mortbay.http.SunJsseListener.createFactory(SunJsseListener.java:227)
at org.mortbay.http.JsseListener.newServerSocket(JsseListener.java:193)
at org.mortbay.util.ThreadedServer.open(ThreadedServer.java:466)
at org.mortbay.util.ThreadedServer.start(ThreadedServer.java:495)
at org.mortbay.http.SocketListener.start(SocketListener.java:203)
at org.mortbay.http.HttpServer.doStart(HttpServer.java:703)
at org.mortbay.util.Container.start(Container.java:72)
at org.jivesoftware.messenger.container.AdminConsolePlugin.initializePlugin(AdminConsolePlugin.java:122)
at org.jivesoftware.messenger.container.PluginManager.loadPlugin(PluginManager.java:191)
at org.jivesoftware.messenger.container.PluginManager.access$300(PluginManager.java:69)
at org.jivesoftware.messenger.container.PluginManager$PluginMonitor.run(PluginManager.java:420)
at java.util.concurrent.Executors$RunnableAdapter.call(Unknown Source)
at java.util.concurrent.FutureTask$Sync.innerRunAndReset(Unknown Source)
at java.util.concurrent.FutureTask.runAndReset(Unknown Source)
at java.util.concurrent.ScheduledThreadPoolExecutor$ScheduledFutureTask.access$101(Unknown Source)
at java.util.concurrent.ScheduledThreadPoolExecutor$ScheduledFutureTask.runPeriodic(Unknown Source)
at java.util.concurrent.ScheduledThreadPoolExecutor$ScheduledFutureTask.run(Unknown Source)
at java.util.concurrent.ThreadPoolExecutor$Worker.runTask(Unknown Source)
at java.util.concurrent.ThreadPoolExecutor$Worker.run(Unknown Source)
at java.lang.Thread.run(Unknown Source)

Anyone out there got a clue they can lend me?!?

–Justin Charles

Justin,

java.io.FileNotFoundException: C:\Program Files\Jive Messenger\resources\security (Access is denied)

It sounds like either that directory doesn't exist or Jive Messenger doesn't have permission to read it?

Regards,

Matt

As far as I can tell…every user on this server has now been given access to that file and all subfolders…and it still gives me the same error in the log. Do I have to add a “Jive Messenger” user somehow?!? I have had to do that for other applications, but I have never seen any documentation on that for Jive.

It wouldn't make sense to me that you'd need to create a specific user, especially for Windows. One thing you could try is backing up your existing keystore and then starting with a fresh install of Jive Messenger. Make sure that works and then try replacing the original keystore with yours. If that still fails, at least the error case should be clearer.

Regards,

Matt

Okay…

Before I do anything here…I have uninstalled, and am starting with a fresh install of Jive. Do I need to uninstall the dummy cert that is in place? Do I need to delete the existing keystore for the server?

Then…I have a signed cert already…so all I think I need to do is import my cert by using the following command: “keytool -import -keystore keystore -alias chat.interprobps.com -file C:\cert\SSLBundle.crt”

As far as I can tell…this is all I had to do…if I am missing a step in here, or if I have forgotten to do something…let me know before I go down this tragic path again.

Thanks for your help Matt…

TTFN

–Justin Charles

As far as I know, that's all you have to do. If you can verify that things work with the default keystore, you try the cert import, and then things fail, we'll know that something is wrong with the process.

Thanks,

Matt

Okay–

So I ran the Keytool command line, and I can connect via secure, but, I get the following Warning message, which I get with the default Keystore as well before I make any changes…and this was the whole problem I started with…

The SSL certificate received from the server has errors.

Certificate does not match host: /C=US/ST=CA/L=San Diego/O=Jive Software/OU=XMPP/CN=John Doe

Certificate fingerprint: 20:32:22:D7:F6:9E:D3:99:74:D6:61:D2:DA:FE:22:D7

So. All I have changed from the base install until now, is the single keytool command to import the cert.

Then I follow the directions at the end of the SSL guide, and change the server properties for xmpp.socket.ssl.keystore to be /resources/security. And then we get the same error log I started with. If I remove the keystore file path that I told it, then I go back to the same warning message as above…

So…what do you think?!?

Then I follow the directions at the end of the SSL guide, and change the server properties for xmpp.socket.ssl.keystore to be /resources/security.

Ah ha! I think that's the core problem. I'm not sure what the warning message might mean, but I'll investigate and post a follow-up. You definitely don't want to set the keystore to be /resources/security though.

Regards,

Matt

Any word my good man??

Where should I be setting the path for the keystore to then?!? That could very well be all of my problems. The error message could be because I am not using the right keystore, and then the program does not work when I am setting the keystore to the wrong location.

So…what do we think the right file path is for the keystore?

–Justin

Hey Justin,

If you are placing your keystore file under resources\security then you don't have to set the xmpp.socket.ssl.keystore property. In case you need to set that property, Jive Messenger will append the home directory and a file separator at the beginning, so when you set that property you don't have to start with a / or .

I think that your initial problem was about the host name exception. If you are using the dummy certificate I would recommend deleting it and creating a new one for the domain that you are using. Remember that when creating the new certificate you have to set the domain when answering your “First Name and Last Name”. That will do the trick to avoid the host name does not match problem.

I will add that information as a tip to the SSL guide. Let me know how it goes.

Regards,

– Gato

I already have a signed certificate, I am not trying to generate one. How do I delete the dummy certificate? How do I add mine properly if that is the problem? And…how do I tell it where to put the keystore. Your instructions in the SSL guide do not tell me where the keystore I generate goes, and where it needs to be.

I did the following:


  1. Import server certificates

If you had a CA sign your server certificate, or if you have an existing SSL certificate, you must import it using the keytool.

keytool -import -keystore keystore -alias example.com -file signed_certificate_file

It is important that the alias not already have an associated key or you’'ll receive an error.


What should I have done after or before that if I am missing something?

Justin,

Since your initial error is related to the dummy certificate, I recommend deleting it since the host name does not match your hostname.

To delete the dummy certificate execute this: *keytool -delete -keystore keystore -alias 127.0.0.1*

If you have already imported your other certificate you can execute this to get the details of such certificate: keytool -list -keystore keystore -v

Pay attention to the CN value. The CN value should be your server name!!! That is the name that is going to be used for authentication so if it does not match your XMPP server name then you will get the host name does not match warning.

Regards,

– Gato

You are awesome…and got me past one problem to the next!!

I had the wrong cert imported. I fixed that, and now I am getting the following error log:

Could not setup SSL socket
javax.net.ssl.SSLException: No available certificate or key corresponds to the SSL cipher suites which are enabled.
at com.sun.net.ssl.internal.ssl.SSLServerSocketImpl.checkEnabledSuites(Unknown Source)
at com.sun.net.ssl.internal.ssl.SSLServerSocketImpl.accept(Unknown Source)
at org.jivesoftware.messenger.net.SSLSocketAcceptThread.run(SSLSocketAcceptThread.java:134)
2005.04.25 15:51:47 [org.jivesoftware.messenger.net.SSLSocketAcceptThread.run(SSLSocketAcceptThread.java:151)

What did I screw up now??

Justin,

There are a couple of reasons for that error. This is what I found at Thawte's KB:

  1. By default, certificates created with keytool use DSA public keys.

  2. Importing the certificate into the incorrect keystore

  3. There is no trusted certificate chain present when importing the certificate

Resolution:

1. By default, certificates created with keytool use DSA public keys.

You should create certificates that use RSA-based keys.

To do this, you need to specify the -keyalg RSA option when using keytool. For example:

When you create the private key, stipulate RSA as the key algorithm:

keytool -genkey -alias test -keyalg RSA -keystore ~/.keystore

Then when you create the certificate request, stipulate RSA as the signature algorithm:

keytool -certreq -alias test -sigalg MD5withRSA -keystore ~/.keystore

2. Importing the certificate into the incorrect keystore

Please import the certificate into the correct keystore file which contains the certificates corresponding private key file.

3. There is no trusted certificate chain present when importing the certificate

Please use the '-trustcacerts' option in your command when importing the certificate into the keystore.

keytool -import -alias -trustcacerts -file mythawtecert.crt -keystore

Another reason could be that the keystore and the entries (ie. certificates) have different passwords.

Let me know how it goes,

– Gato
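Gato's two checks above (the CN must equal the XMPP server name, and the "No available certificate or key" error means no usable private-key entry) can be automated over the output of keytool -list -keystore keystore -v. The following is an added example, not code from the thread or from Jive Messenger; the listing it parses is constructed and abridged, and the alias and organisation names in it are assumptions.

```python
import re

# Java 1.4/5 keytool prints "keyEntry", newer releases "PrivateKeyEntry"; both hold a key.
PRIVATE_KEY_TYPES = {"keyEntry", "PrivateKeyEntry"}

def parse_listing(text):
    """Split `keytool -list -v` output into one dict per alias."""
    entries = []
    for block in re.split(r"(?m)^(?=Alias name:)", text):
        alias = re.search(r"(?m)^Alias name:\s*(.+)$", block)
        if not alias:
            continue  # keystore header, not an entry
        etype = re.search(r"(?m)^Entry type:\s*(\S+)", block)
        owner = re.search(r"(?m)^Owner:\s*(.+)$", block)  # leaf cert subject
        cn = re.search(r"CN=([^,]+)", owner.group(1)) if owner else None
        entries.append({"alias": alias.group(1).strip(),
                        "type": etype.group(1) if etype else "",
                        "cn": cn.group(1).strip() if cn else ""})
    return entries

def diagnose(listing, server_name):
    """Map keystore contents to the failures seen in the thread."""
    entries = parse_listing(listing)
    keyed = [e for e in entries if e["type"] in PRIVATE_KEY_TYPES]
    problems = []
    if not keyed:
        # No key to complete the handshake: "No available certificate or key
        # corresponds to the SSL cipher suites which are enabled."
        problems.append("no-private-key")
    elif not any(e["cn"] == server_name for e in keyed):
        # A key exists but its CN is wrong: "Certificate does not match host".
        problems.append("host-mismatch")
    for e in entries:
        if e["type"] not in PRIVATE_KEY_TYPES and e["cn"] == server_name:
            # -import under a fresh alias stores a trusted cert with no key;
            # the signed cert must go into the alias that holds the key.
            problems.append("cert-imported-without-key:" + e["alias"])
    return problems

# Constructed, abridged listing mirroring the thread: dummy key still present,
# signed certificate imported under a new alias without its private key.
SAMPLE_LISTING = """\
Alias name: 127.0.0.1
Entry type: keyEntry
Owner: CN=John Doe, OU=XMPP, O=Jive Software, L=San Diego, ST=CA, C=US

Alias name: chat.interprobps.com
Entry type: trustedCertEntry
Owner: CN=chat.interprobps.com, OU=XMPP, O=Example Org, L=San Diego, ST=CA, C=US
"""
```

Deleting the dummy alias from that listing turns the host-mismatch into the no-private-key case, which is the sequence of errors the thread walks through.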

Okay–

We are almost there…how do I set Jive to look for the key in the Personal certificate directory? This would be xmpp.socket.ssl.keystore property I think. But I do not know the file path to the personal directory.

Am I on the right track here…or did I just walk out into left field?

Okay…I have done a lot of different things over the last day…too many to list…

Could you just let me know how I am supposed to know which keystore is the correct keystore? Which one would have the private key in it? I have the .crt file, and the .key file and I can put them anywhere…and I do not know how to change the path the Jive looks to for the correct keystore…or where to put them even if I did.

Hey Justin,

By default Messenger will use the keystore file located in the folder \resources\security. So you need to import your certificate to that keystore and that's it.

If you need to use other keystore file, you should specify the new path and filename. But remember that you need to specify a relative path since Messenger will search for it in the JIVE-HOME folder.

Regards,

– Gato

okay…then I have put the certificate there for sure by using the command line…how do I make sure that the key was imported there as well?

I'm not sure what you mean by key. But you can execute the following command to see the contents of the keystore file.

keytool -list -keystore keystore -v

Regards,

– Gato

okay…then I know that I have the correct certificate installed. And I have copied the text of the cert and pasted it into the GUI interface. I have told the server what the correct keystore password is…but I still get the following error message:

] Could not setup SSL socket
javax.net.ssl.SSLException: No available certificate or key corresponds to the SSL cipher suites which are enabled.
at com.sun.net.ssl.internal.ssl.SSLServerSocketImpl.checkEnabledSuites(Unknown Source)
at com.sun.net.ssl.internal.ssl.SSLServerSocketImpl.accept(Unknown Source)
at org.jivesoftware.messenger.net.SSLSocketAcceptThread.run(SSLSocketAcceptThread.java:127)
2005.04.26 15:37:14 [org.jivesoftware.messenger.net.SSLSocketAcceptThread.run(SSLSocketAcceptThread.java:150)] Shutting down SSL port - suspected configuration problem