Use TLS for IN-CSE and MN-CSE communication [message #1791561]
Mon, 02 July 2018 14:12
Yorick Brunet (Messages: 3, Registered: June 2018, Junior Member)
Hello,
I'm trying to use TLS to access the in-cse webpage but also to secure the communication between in-cse and mn-cse.
To do so, I read https://www.eclipse.org/jetty/documentation/current/index.html and generated two certificates using keytool (keybase for in-cse, keybase2 for mn-cse, but both using 127.0.0.1).
I configured the in-cse as follows (default OM2M configuration is kept for the rest of the configuration)
org.eclipse.equinox.http.jetty.http.enabled=true
org.eclipse.equinox.http.jetty.https.enabled=true
org.eclipse.equinox.http.jetty.https.port=8443
org.eclipse.equinox.http.jetty.ssl.password=om2mpw
org.eclipse.equinox.http.jetty.ssl.keypassword=om2mpw
org.eclipse.equinox.http.jetty.ssl.keystore=/home/ybt/keystore
org.eclipse.equinox.http.jetty.ssl.protocol=TLS
and the mn-cse as follows
org.eclipse.equinox.http.jetty.http.enabled=true
org.eclipse.equinox.http.jetty.https.enabled=true
org.eclipse.equinox.http.jetty.https.port=8444
org.eclipse.equinox.http.jetty.ssl.password=om2mpw
org.eclipse.equinox.http.jetty.ssl.keypassword=om2mpw
org.eclipse.equinox.http.jetty.ssl.keystore=/home/ybt/keystore2
org.eclipse.equinox.http.jetty.ssl.protocol=TLS
cseBaseProtocol.default is still "http".
I can successfully access https://127.0.0.1:8443/webpage/welcome/index.html?context=/~&cseId=in-cse (after having accepted the certificate) and I can access mn-cse with the button in the link "in-cse -> mn-cse".
I then modified the configurations (in-cse and mn-cse were stopped and restarted to take the new configuration into account) as follows
in-cse:
org.eclipse.om2m.cseBaseProtocol.default=https #http
mn-cse:
org.eclipse.om2m.remoteCsePort=8443 #8080
org.eclipse.om2m.cseBaseProtocol.default=https #http
However, in this case, the communication between in-cse and mn-cse does not work.
When starting, mn-cse writes the following log
Starting CSE...
[INFO] - org.eclipse.om2m.core.Activator
Added Data Mapper Service: application/xml
[INFO] - org.eclipse.om2m.core.Activator
Added Data Mapper Service: application/json
[INFO] - org.eclipse.om2m.core.Activator
Rest client service discovered. Protocol: http
[INFO] - org.eclipse.om2m.webapp.resourcesbrowser.json.Activator
HttpService discovered
[INFO] - org.eclipse.om2m.webapp.resourcesbrowser.json.Activator
Register /webpage http context
osgi> [INFO] - org.eclipse.om2m.persistence.eclipselink.internal.DBServiceJPAImpl
DataBase initialized.
[INFO] - org.eclipse.om2m.persistence.eclipselink.Activator
Registering Database (JPA-EL) Service
[INFO] - org.eclipse.om2m.core.Activator
DataBase persistence service discovered
but does not continue with the normal startup as with "cseBaseProtocol.default=http" which is
[INFO] - org.eclipse.om2m.core.thread.CoreExecutor
Creating thread pool with corePoolSize=5 & maximumSize=50
[INFO] - org.eclipse.om2m.core.CSEInitializer
Initializating the cseBase
[INFO] - org.eclipse.om2m.core.CSEInitializer
cseBase already initialized
[INFO] - org.eclipse.om2m.core.Activator
Registering CseService...
[INFO] - org.eclipse.om2m.binding.http.Activator
CseService discovered
[INFO] - org.eclipse.om2m.core.Activator
CSE Started
Using 127.0.0.1 for in-cse and mn-cse is certainly not optimal, but I don't think that the issue comes from here.
Do you have any idea why both CSEs do not communicate? Of course, the certificates are self-signed, thus they cannot check the certificate of the other.
Do you have any advice on how to proceed? How can I secure an OM2M deployment from the App connected to the MN-CSE to the App connected to the IN-CSE?
Thank you.
Yorick
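Added example, not part of the original post and not OM2M project code: whatever stops the CSE from starting, two self-signed certificates that neither side trusts will never let the in-cse and mn-cse validate each other. The script below builds the two JKS keystores the way the post describes (same password "om2mpw", aliases in-cse and mn-cse, SAN = 127.0.0.1 so hostname checking against the IP in the post can pass), exports each public certificate, and imports it as a trust anchor into a separate truststore for the peer. The Equinox Jetty properties in the post only configure the server side; outbound HTTPS from the JVM is validated against the JVM trust store, which the standard JSSE system properties javax.net.ssl.trustStore and javax.net.ssl.trustStorePassword select. The printed java launch lines are hypothetical illustrations of where those flags go, and the "import the peer's cert directly" approach (no private CA) is an assumption that fits a two-node test setup; for more nodes, a private CA certificate in the truststore scales better.

```shell
#!/bin/sh
# Added example (not OM2M project code): give each CSE its own key pair and
# make each CSE trust the other's self-signed certificate explicitly.
# Password, keystore names and aliases follow the forum post; the java launch
# lines printed at the end are hypothetical and only show where the JSSE
# trust-store flags belong.
set -eu

PASS=om2mpw

# Generate a key pair + self-signed certificate for one CSE into its own JKS.
# The SAN must match what the peer connects to (the IP from the post);
# otherwise hostname verification fails even when the cert is trusted.
make_keystore() {   # $1 = alias (in-cse|mn-cse)  $2 = keystore path  $3 = IP
    keytool -genkeypair -alias "$1" -keyalg RSA -keysize 2048 -validity 365 \
        -dname "CN=$1" -ext "SAN=ip:$3" \
        -keystore "$2" -storetype JKS -storepass "$PASS" -keypass "$PASS" >/dev/null 2>&1
}

# Export only the certificate (never the private key) so it can go to the peer.
export_cert() {     # $1 = alias  $2 = keystore  $3 = output .crt (PEM)
    keytool -exportcert -rfc -alias "$1" -keystore "$2" -storepass "$PASS" \
        -file "$3" >/dev/null 2>&1
}

# Import the peer's certificate as a trust anchor into a separate truststore.
import_trusted() {  # $1 = alias  $2 = .crt  $3 = truststore
    keytool -importcert -noprompt -alias "$1" -file "$2" \
        -keystore "$3" -storetype JKS -storepass "$PASS" >/dev/null 2>&1
}

# Return 0 when the truststore holds an entry for the alias, 1 otherwise
# (keytool -list exits non-zero for an unknown alias).
trusts() {          # $1 = truststore  $2 = alias
    keytool -list -keystore "$1" -storepass "$PASS" -alias "$2" >/dev/null 2>&1
}

# Build keystore + truststore for both CSEs under $1 and print the JVM flags.
setup_pair() {      # $1 = work dir
    d=$1
    make_keystore in-cse "$d/keystore"  127.0.0.1
    make_keystore mn-cse "$d/keystore2" 127.0.0.1
    export_cert in-cse "$d/keystore"  "$d/in-cse.crt"
    export_cert mn-cse "$d/keystore2" "$d/mn-cse.crt"
    # Each truststore holds only the peer's certificate, nothing else.
    import_trusted mn-cse "$d/mn-cse.crt" "$d/truststore"
    import_trusted in-cse "$d/in-cse.crt" "$d/truststore2"
    # Outbound HTTPS made by the JVM is checked against javax.net.ssl.trustStore,
    # which the Equinox Jetty properties do not set. Hypothetical launch lines:
    echo "in-cse: java -Djavax.net.ssl.trustStore=$d/truststore -Djavax.net.ssl.trustStorePassword=$PASS -jar plugins/org.eclipse.equinox.launcher_*.jar -console"
    echo "mn-cse: java -Djavax.net.ssl.trustStore=$d/truststore2 -Djavax.net.ssl.trustStorePassword=$PASS -jar plugins/org.eclipse.equinox.launcher_*.jar -console"
}

if command -v keytool >/dev/null 2>&1; then
    work=$(mktemp -d)
    setup_pair "$work"
    trusts "$work/truststore"  mn-cse && echo "in-cse truststore trusts mn-cse"
    trusts "$work/truststore2" in-cse && echo "mn-cse truststore trusts in-cse"
    # Negative check: a truststore must not carry its own side's entry.
    trusts "$work/truststore" in-cse || echo "in-cse truststore has no in-cse entry (expected)"
else
    echo "keytool not found: install a JDK to run this example" >&2
fi
```

Before restarting the CSEs, confirm what each server actually presents with `keytool -printcert -sslserver 127.0.0.1:8443` (or `openssl s_client -connect 127.0.0.1:8443`) and compare the fingerprint with the entry in the peer's truststore; a mismatch there, not the OM2M configuration, is the usual reason an https remote CSE is rejected.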