Skip to main content


Eclipse Community Forums
Forum Search:

Search      Help    Register    Login    Home
Home » Eclipse Projects » Kura » Azure IoT hub Certificate Authority Connection(Azure IoT hub Certificate Authority Connection)
Azure IoT hub Certificate Authority Connection [message #1785771] Thu, 19 April 2018 13:27 Go to next message
Salvatore Di Liberto is currently offline Salvatore Di LibertoFriend
Messages: 6
Registered: April 2018
Junior Member
Hi,

I want to connect Kura to Azure iot hub with the ssl certificates, in particular the X.509 certificate, so without the SAS token.

So, I followed the Microsoft guide to create the X.509 CA certificates (https://docs.microsoft.com/en-us/azure/iot-hub/iot-hub-security-x509-get-started).
I added the created certificates in the SSL configuration and Server SSL certificate of Kura. I setted the cloud service with this guide: https://eclipse.github.io/kura/cloud/kura-azure.html.

But, the connection fails. I have this error in the kura.log:

o.e.k.c.d.t.m.MqttDataTransport - xxxxx Connect failed. Forcing disconnect. xxxxx {}
Not authorized to connect (5)
at org.eclipse.paho.client.mqttv3.internal.ExceptionHelper.createMqttException(ExceptionHelper.java:28)
at org.eclipse.paho.client.mqttv3.internal.ClientState.notifyReceivedAck(ClientState.java:990)
at org.eclipse.paho.client.mqttv3.internal.CommsReceiver.run(CommsReceiver.java:118)
at java.lang.Thread.run(Thread.java:745)
2018-04-19 12:14:41,719 [qtp8650332-33] INFO o.e.k.c.d.t.m.MqttDataTransport - Closing client...
2018-04-19 12:14:41,720 [qtp8650332-33] INFO o.e.k.c.d.t.m.MqttDataTransport - Closed
2018-04-19 12:14:41,722 [pool-11-thread-1] INFO o.e.k.c.s.r.LogStatusRunnable - Notification LED off
2018-04-19 12:14:41,724 [pool-11-thread-1] INFO o.e.k.c.s.r.LogStatusRunnable - Notification LED slow blinking
2018-04-19 12:14:41,725 [qtp8650332-33] WARN o.e.k.w.s.GwtNetworkServiceImpl - Error connecting
org.eclipse.kura.KuraConnectException: "Connection failed. Cannot connect"
at org.eclipse.kura.core.data.transport.mqtt.MqttDataTransport.connect(MqttDataTransport.java:333)
at org.eclipse.kura.core.data.DataServiceImpl.connect(DataServiceImpl.java:493)
at org.eclipse.kura.web.server.GwtStatusServiceImpl.connectDataService(GwtStatusServiceImpl.java:93)
at sun.reflect.NativeMethodAccessorImpl.invoke0(Native Method)
at sun.reflect.NativeMethodAccessorImpl.invoke(NativeMethodAccessorImpl.java:62)
at sun.reflect.DelegatingMethodAccessorImpl.invoke(DelegatingMethodAccessorImpl.java:43)
at java.lang.reflect.Method.invoke(Method.java:498)
at com.google.gwt.user.server.rpc.RPC.invokeAndEncodeResponse(RPC.java:587)
at com.google.gwt.user.server.rpc.RemoteServiceServlet.processCall(RemoteServiceServlet.java:333)
at com.google.gwt.user.server.rpc.RemoteServiceServlet.processCall(RemoteServiceServlet.java:303)
at com.google.gwt.user.server.rpc.RemoteServiceServlet.processPost(RemoteServiceServlet.java:373)
at com.google.gwt.user.server.rpc.AbstractRemoteServiceServlet.doPost(AbstractRemoteServiceServlet.java:62)
at javax.servlet.http.HttpServlet.service(HttpServlet.java:707)
at org.eclipse.kura.web.server.OsgiRemoteServiceServlet.service(OsgiRemoteServiceServlet.java:41)
at javax.servlet.http.HttpServlet.service(HttpServlet.java:790)
at org.eclipse.equinox.http.servlet.internal.HttpServiceRuntimeImpl$LegacyServlet.service(HttpServiceRuntimeImpl.java:1223)
at org.eclipse.equinox.http.servlet.internal.registration.EndpointRegistration.service(EndpointRegistration.java:148)
at org.eclipse.equinox.http.servlet.internal.servlet.ResponseStateHandler.processRequest(ResponseStateHandler.java:62)
at org.eclipse.equinox.http.servlet.internal.context.DispatchTargets.doDispatch(DispatchTargets.java:131)
at org.eclipse.equinox.http.servlet.internal.servlet.ProxyServlet.service(ProxyServlet.java:74)
at javax.servlet.http.HttpServlet.service(HttpServlet.java:790)
at org.eclipse.equinox.http.jetty.internal.HttpServerManager$InternalHttpServiceServlet.service(HttpServerManager.java:284)
at org.eclipse.jetty.servlet.ServletHolder.handle(ServletHolder.java:841)
at org.eclipse.jetty.servlet.ServletHandler.doHandle(ServletHandler.java:535)
at org.eclipse.jetty.server.handler.ScopedHandler.nextHandle(ScopedHandler.java:188)
at org.eclipse.jetty.server.session.SessionHandler.doHandle(SessionHandler.java:1595)
at org.eclipse.jetty.server.handler.ScopedHandler.nextHandle(ScopedHandler.java:188)
at org.eclipse.jetty.server.handler.ContextHandler.doHandle(ContextHandler.java:1253)
at org.eclipse.jetty.server.handler.ScopedHandler.nextScope(ScopedHandler.java:168)
at org.eclipse.jetty.servlet.ServletHandler.doScope(ServletHandler.java:473)
at org.eclipse.jetty.server.session.SessionHandler.doScope(SessionHandler.java:1564)
at org.eclipse.jetty.server.handler.ScopedHandler.nextScope(ScopedHandler.java:166)
at org.eclipse.jetty.server.handler.ContextHandler.doScope(ContextHandler.java:1155)
at org.eclipse.jetty.server.handler.ScopedHandler.handle(ScopedHandler.java:141)
at org.eclipse.jetty.server.handler.HandlerWrapper.handle(HandlerWrapper.java:132)
at org.eclipse.jetty.server.Server.handle(Server.java:561)
at org.eclipse.jetty.server.HttpChannel.handle(HttpChannel.java:334)
at org.eclipse.jetty.server.HttpConnection.onFillable(HttpConnection.java:251)
at org.eclipse.jetty.io.AbstractConnection$ReadCallback.succeeded(AbstractConnection.java:279)
at org.eclipse.jetty.io.FillInterest.fillable(FillInterest.java:104)
at org.eclipse.jetty.io.ChannelEndPoint$2.run(ChannelEndPoint.java:124)
at org.eclipse.jetty.util.thread.strategy.EatWhatYouKill.doProduce(EatWhatYouKill.java:247)
at org.eclipse.jetty.util.thread.strategy.EatWhatYouKill.produce(EatWhatYouKill.java:140)
at org.eclipse.jetty.util.thread.strategy.EatWhatYouKill.run(EatWhatYouKill.java:131)
at org.eclipse.jetty.util.thread.ReservedThreadExecutor$ReservedThread.run(ReservedThreadExecutor.java:243)
at org.eclipse.jetty.util.thread.QueuedThreadPool.runJob(QueuedThreadPool.java:679)
at org.eclipse.jetty.util.thread.QueuedThreadPool$2.run(QueuedThreadPool.java:597)
at java.lang.Thread.run(Thread.java:745)
Caused by: Not authorized to connect (5)
at org.eclipse.paho.client.mqttv3.internal.ExceptionHelper.createMqttException(ExceptionHelper.java:28)
at org.eclipse.paho.client.mqttv3.internal.ClientState.notifyReceivedAck(ClientState.java:990)
at org.eclipse.paho.client.mqttv3.internal.CommsReceiver.run(CommsReceiver.java:118)

Any help is appreciated,
Salvo.

Report message to a moderator

Re: Azure IoT hub Certificate Authority Connection [message #1785838 is a reply to message #1785771] Fri, 20 April 2018 12:29 Go to previous messageGo to next message
Matteo Maiero is currently offline Matteo MaieroFriend
Messages: 393
Registered: July 2015
Location: Italy
Senior Member
Hi,
personally I've never tried connecting to Azure IoT using certificates, but only using the combination of username and password.
Few questions: did you double check to have the certificate in the keystore?
Are you sure that the keystore and the proper keys are loaded by Kura and used during handshake?
Did you try to debug the SSL session?

Best regards,
Matteo

Report message to a moderator

Re: Azure IoT hub Certificate Authority Connection [message #1785841 is a reply to message #1785838] Fri, 20 April 2018 13:13 Go to previous messageGo to next message
Salvatore Di Liberto is currently offline Salvatore Di LibertoFriend
Messages: 6
Registered: April 2018
Junior Member
Hi Matteo,
Thanks for the reply.

>> personally I've never tried connecting to Azure IoT using certificates, but only using the combination of username and password.
I tried this type of connection (SAS token) and it works

>> did you double check to have the certificate in the keystore?
I created the keystore (in format .ks) with the certificate verified by Azure iot hub. I've included the RootCA certificate and the device certificate (created with the Azure quoted guide)

>> Are you sure that the keystore and the proper keys are loaded by Kura and used during handshake?
>> Did you try to debug the SSL session
This is precisely my main question and doubt. I've only this debug message when I try to connect to cloudservice manually: o.e.k.c.d.t.m.MqttDataTransport - xxxxx Connect failed. Forcing disconnect. xxxxx {} Not authorized to connect (5)

I'm not using a bundle created by me

Best regards,
Salvatore.

Report message to a moderator

Re: Azure IoT hub Certificate Authority Connection [message #1785843 is a reply to message #1785838] Fri, 20 April 2018 13:13 Go to previous messageGo to next message
Salvatore Di Liberto is currently offline Salvatore Di LibertoFriend
Messages: 6
Registered: April 2018
Junior Member
Hi Matteo,
Thanks for the reply.

>> personally I've never tried connecting to Azure IoT using certificates, but only using the combination of username and password.
I tried this type of connection (SAS token) and it works

>> did you double check to have the certificate in the keystore?
I created the keystore (in format .ks) with the certificate verified by Azure iot hub. I've included the RootCA certificate and the device certificate (created with the Azure quoted guide)

>> Are you sure that the keystore and the proper keys are loaded by Kura and used during handshake?
>> Did you try to debug the SSL session
This is precisely my main question and doubt. I've only this debug message when I try to connect to cloudservice manually: o.e.k.c.d.t.m.MqttDataTransport - xxxxx Connect failed. Forcing disconnect. xxxxx {} Not authorized to connect (5)

I'm not using a bundle created by me

Best regards,
Salvatore.

Report message to a moderator

Re: Azure IoT hub Certificate Authority Connection [message #1785844 is a reply to message #1785843] Fri, 20 April 2018 13:16 Go to previous messageGo to next message
Matteo Maiero is currently offline Matteo MaieroFriend
Messages: 393
Registered: July 2015
Location: Italy
Senior Member
To debug the SSL session, please have a look here: https://docs.oracle.com/javase/7/docs/technotes/guides/security/jsse/ReadDebug.html

I would first check that kura has the reference and the password to load the provided keystore.

Best regards,
Matteo

Report message to a moderator

Re: Azure IoT hub Certificate Authority Connection [message #1785937 is a reply to message #1785844] Mon, 23 April 2018 10:33 Go to previous messageGo to next message
Salvatore Di Liberto is currently offline Salvatore Di LibertoFriend
Messages: 6
Registered: April 2018
Junior Member
Hi Matteo,
Thanks for the reply.

>> I would first check that kura has the reference and the password to load the provided keystore.
First of all I created a chian of certificate: x.509 CA --> Intermediate1 --> Intermediate2 --> Intermediate3 --> Device certificate. Then I put all of these in the Keystore (cacerts.ks) with a password. Moreover I put the device certificate in the Server SSL certificate.

>> To debug the SSL session, please have a look here: https://docs.oracle.com/javase/7/docs/technotes/guides/security/jsse/ReadDebug.html
Sorry but, I did not understand how to apply this example to my case.

Best regards,
Salvo

Report message to a moderator

Re: Azure IoT hub Certificate Authority Connection [message #1785939 is a reply to message #1785937] Mon, 23 April 2018 10:47 Go to previous message
Matteo Maiero is currently offline Matteo MaieroFriend
Messages: 393
Registered: July 2015
Location: Italy
Senior Member
Kura, by default is not providing a keystore.
Does the SSL config page points to an existing keystore? That could be one cause why the SSL connection is not working for you.

The link provided points to an option -Djavax.net.debug=all that can be specified when starting the JVM that runs Kura to debug the SSL session.

Best regards,
Matteo

Report message to a moderator

Previous Topic:HTTPS for Kura Web UI?
Next Topic:Publish PPMP Protocol
Goto Forum:
  

[ Syndicate this forum (XML) ] [ RSS ]

Current Time: Mon Jul 06 13:35:24 GMT 2020

Powered by FUDForum. Page generated in 0.01435 seconds
.:: Contact :: Home ::.

Powered by: FUDforum 3.0.2.
Copyright ©2001-2010 FUDforum Bulletin Board Software

Back to the top

Sign up to our Newsletter

A fresh new issue delivered monthly