Eclipse Community Forums: Kura » Azure IoT hub Certificate Authority Connection

Home » Eclipse Projects » Kura » Azure IoT hub Certificate Authority Connection(Azure IoT hub Certificate Authority Connection)

Azure IoT hub Certificate Authority Connection [message #1785771]

Thu, 19 April 2018 09:27

Eclipse User

Hi,

I want to connect Kura to Azure iot hub with the ssl certificates, in particular the X.509 certificate, so without the SAS token.

So, I followed the Microsoft guide to create the X.509 CA certificates (https://docs.microsoft.com/en-us/azure/iot-hub/iot-hub-security-x509-get-started).
I added the created certificates in the SSL configuration and Server SSL certificate of Kura. I setted the cloud service with this guide: https://eclipse.github.io/kura/cloud/kura-azure.html.

But, the connection fails. I have this error in the kura.log:

o.e.k.c.d.t.m.MqttDataTransport - xxxxx Connect failed. Forcing disconnect. xxxxx {}
Not authorized to connect (5)
at org.eclipse.paho.client.mqttv3.internal.ExceptionHelper.createMqttException(ExceptionHelper.java:28)
at org.eclipse.paho.client.mqttv3.internal.ClientState.notifyReceivedAck(ClientState.java:990)
at org.eclipse.paho.client.mqttv3.internal.CommsReceiver.run(CommsReceiver.java:118)
at java.lang.Thread.run(Thread.java:745)
2018-04-19 12:14:41,719 [qtp8650332-33] INFO o.e.k.c.d.t.m.MqttDataTransport - Closing client...
2018-04-19 12:14:41,720 [qtp8650332-33] INFO o.e.k.c.d.t.m.MqttDataTransport - Closed
2018-04-19 12:14:41,722 [pool-11-thread-1] INFO o.e.k.c.s.r.LogStatusRunnable - Notification LED off
2018-04-19 12:14:41,724 [pool-11-thread-1] INFO o.e.k.c.s.r.LogStatusRunnable - Notification LED slow blinking
2018-04-19 12:14:41,725 [qtp8650332-33] WARN o.e.k.w.s.GwtNetworkServiceImpl - Error connecting
org.eclipse.kura.KuraConnectException: "Connection failed. Cannot connect"
at org.eclipse.kura.core.data.transport.mqtt.MqttDataTransport.connect(MqttDataTransport.java:333)
at org.eclipse.kura.core.data.DataServiceImpl.connect(DataServiceImpl.java:493)
at org.eclipse.kura.web.server.GwtStatusServiceImpl.connectDataService(GwtStatusServiceImpl.java:93)
at sun.reflect.NativeMethodAccessorImpl.invoke0(Native Method)
at sun.reflect.NativeMethodAccessorImpl.invoke(NativeMethodAccessorImpl.java:62)
at sun.reflect.DelegatingMethodAccessorImpl.invoke(DelegatingMethodAccessorImpl.java:43)
at java.lang.reflect.Method.invoke(Method.java:498)
at com.google.gwt.user.server.rpc.RPC.invokeAndEncodeResponse(RPC.java:587)
at com.google.gwt.user.server.rpc.RemoteServiceServlet.processCall(RemoteServiceServlet.java:333)
at com.google.gwt.user.server.rpc.RemoteServiceServlet.processCall(RemoteServiceServlet.java:303)
at com.google.gwt.user.server.rpc.RemoteServiceServlet.processPost(RemoteServiceServlet.java:373)
at com.google.gwt.user.server.rpc.AbstractRemoteServiceServlet.doPost(AbstractRemoteServiceServlet.java:62)
at javax.servlet.http.HttpServlet.service(HttpServlet.java:707)
at org.eclipse.kura.web.server.OsgiRemoteServiceServlet.service(OsgiRemoteServiceServlet.java:41)
at javax.servlet.http.HttpServlet.service(HttpServlet.java:790)
at org.eclipse.equinox.http.servlet.internal.HttpServiceRuntimeImpl$LegacyServlet.service(HttpServiceRuntimeImpl.java:1223)
at org.eclipse.equinox.http.servlet.internal.registration.EndpointRegistration.service(EndpointRegistration.java:148)
at org.eclipse.equinox.http.servlet.internal.servlet.ResponseStateHandler.processRequest(ResponseStateHandler.java:62)
at org.eclipse.equinox.http.servlet.internal.context.DispatchTargets.doDispatch(DispatchTargets.java:131)
at org.eclipse.equinox.http.servlet.internal.servlet.ProxyServlet.service(ProxyServlet.java:74)
at javax.servlet.http.HttpServlet.service(HttpServlet.java:790)
at org.eclipse.equinox.http.jetty.internal.HttpServerManager$InternalHttpServiceServlet.service(HttpServerManager.java:284)
at org.eclipse.jetty.servlet.ServletHolder.handle(ServletHolder.java:841)
at org.eclipse.jetty.servlet.ServletHandler.doHandle(ServletHandler.java:535)
at org.eclipse.jetty.server.handler.ScopedHandler.nextHandle(ScopedHandler.java:188)
at org.eclipse.jetty.server.session.SessionHandler.doHandle(SessionHandler.java:1595)
at org.eclipse.jetty.server.handler.ScopedHandler.nextHandle(ScopedHandler.java:188)
at org.eclipse.jetty.server.handler.ContextHandler.doHandle(ContextHandler.java:1253)
at org.eclipse.jetty.server.handler.ScopedHandler.nextScope(ScopedHandler.java:168)
at org.eclipse.jetty.servlet.ServletHandler.doScope(ServletHandler.java:473)
at org.eclipse.jetty.server.session.SessionHandler.doScope(SessionHandler.java:1564)
at org.eclipse.jetty.server.handler.ScopedHandler.nextScope(ScopedHandler.java:166)
at org.eclipse.jetty.server.handler.ContextHandler.doScope(ContextHandler.java:1155)
at org.eclipse.jetty.server.handler.ScopedHandler.handle(ScopedHandler.java:141)
at org.eclipse.jetty.server.handler.HandlerWrapper.handle(HandlerWrapper.java:132)
at org.eclipse.jetty.server.Server.handle(Server.java:561)
at org.eclipse.jetty.server.HttpChannel.handle(HttpChannel.java:334)
at org.eclipse.jetty.server.HttpConnection.onFillable(HttpConnection.java:251)
at org.eclipse.jetty.io.AbstractConnection$ReadCallback.succeeded(AbstractConnection.java:279)
at org.eclipse.jetty.io.FillInterest.fillable(FillInterest.java:104)
at org.eclipse.jetty.io.ChannelEndPoint$2.run(ChannelEndPoint.java:124)
at org.eclipse.jetty.util.thread.strategy.EatWhatYouKill.doProduce(EatWhatYouKill.java:247)
at org.eclipse.jetty.util.thread.strategy.EatWhatYouKill.produce(EatWhatYouKill.java:140)
at org.eclipse.jetty.util.thread.strategy.EatWhatYouKill.run(EatWhatYouKill.java:131)
at org.eclipse.jetty.util.thread.ReservedThreadExecutor$ReservedThread.run(ReservedThreadExecutor.java:243)
at org.eclipse.jetty.util.thread.QueuedThreadPool.runJob(QueuedThreadPool.java:679)
at org.eclipse.jetty.util.thread.QueuedThreadPool$2.run(QueuedThreadPool.java:597)
at java.lang.Thread.run(Thread.java:745)
Caused by: Not authorized to connect (5)
at org.eclipse.paho.client.mqttv3.internal.ExceptionHelper.createMqttException(ExceptionHelper.java:28)
at org.eclipse.paho.client.mqttv3.internal.ClientState.notifyReceivedAck(ClientState.java:990)
at org.eclipse.paho.client.mqttv3.internal.CommsReceiver.run(CommsReceiver.java:118)

Any help is appreciated,
Salvo.

Re: Azure IoT hub Certificate Authority Connection [message #1785838 is a reply to message #1785771]

Fri, 20 April 2018 08:29

Eclipse User

Hi,
personally I've never tried connecting to Azure IoT using certificates, but only using the combination of username and password.
Few questions: did you double check to have the certificate in the keystore?
Are you sure that the keystore and the proper keys are loaded by Kura and used during handshake?
Did you try to debug the SSL session?

Best regards,
Matteo

Re: Azure IoT hub Certificate Authority Connection [message #1785841 is a reply to message #1785838]

Fri, 20 April 2018 09:13

Eclipse User

Hi Matteo,
Thanks for the reply.

>> personally I've never tried connecting to Azure IoT using certificates, but only using the combination of username and password.
I tried this type of connection (SAS token) and it works

>> did you double check to have the certificate in the keystore?
I created the keystore (in format .ks) with the certificate verified by Azure iot hub. I've included the RootCA certificate and the device certificate (created with the Azure quoted guide)

>> Are you sure that the keystore and the proper keys are loaded by Kura and used during handshake?
>> Did you try to debug the SSL session
This is precisely my main question and doubt. I've only this debug message when I try to connect to cloudservice manually: o.e.k.c.d.t.m.MqttDataTransport - xxxxx Connect failed. Forcing disconnect. xxxxx {} Not authorized to connect (5)

I'm not using a bundle created by me

Best regards,
Salvatore.

Re: Azure IoT hub Certificate Authority Connection [message #1785843 is a reply to message #1785838]

Fri, 20 April 2018 09:13

Eclipse User

Re: Azure IoT hub Certificate Authority Connection [message #1785844 is a reply to message #1785843]

Fri, 20 April 2018 09:16

Eclipse User

To debug the SSL session, please have a look here: https://docs.oracle.com/javase/7/docs/technotes/guides/security/jsse/ReadDebug.html

I would first check that kura has the reference and the password to load the provided keystore.

Best regards,
Matteo

Re: Azure IoT hub Certificate Authority Connection [message #1785937 is a reply to message #1785844]

Mon, 23 April 2018 06:33

Eclipse User

Hi Matteo,
Thanks for the reply.

>> I would first check that kura has the reference and the password to load the provided keystore.
First of all I created a chian of certificate: x.509 CA --> Intermediate1 --> Intermediate2 --> Intermediate3 --> Device certificate. Then I put all of these in the Keystore (cacerts.ks) with a password. Moreover I put the device certificate in the Server SSL certificate.

>> To debug the SSL session, please have a look here: https://docs.oracle.com/javase/7/docs/technotes/guides/security/jsse/ReadDebug.html
Sorry but, I did not understand how to apply this example to my case.

Best regards,
Salvo

Re: Azure IoT hub Certificate Authority Connection [message #1785939 is a reply to message #1785937]

Mon, 23 April 2018 06:47

Eclipse User

Kura, by default is not providing a keystore.
Does the SSL config page points to an existing keystore? That could be one cause why the SSL connection is not working for you.

The link provided points to an option -Djavax.net.debug=all that can be specified when starting the JVM that runs Kura to debug the SSL session.

Best regards,
Matteo

Previous Topic:	HTTPS for Kura Web UI?
Next Topic:	Publish PPMP Protocol

Goto Forum:

-=] Back to Top [=-

Current Time: Tue Jul 08 09:51:34 EDT 2025

.:: Contact :: Home ::.

Breadcrumbs

Sign up to our Newsletter