09-30-2014 08:34 AM - edited 07-05-2021 01:36 AM
Getting an error when Context Aware Notifications are being sent from our Cisco MSE to our cloud service. It looks to be an SSL error from the logs. The cert is valid from what I can tell; I tested it at https://www.sslshopper.com/ssl-checker.html and it says:
The certificate should be trusted by all major web browsers (all the correct intermediate certificates are installed).
The certificate was issued by GoDaddy.
The certificate will expire in 127 days.
The hostname is correctly listed in the certificate.
Here is an error message that I downloaded from the Cisco MSE logs (cfx.log):
javax.net.ssl.SSLException: java.lang.RuntimeException: Failed to throw Invalid Parameter Spec exception due to invalid parameter type.
at com.sun.net.ssl.internal.ssl.Alerts.getSSLException(Alerts.java:190)
at com.sun.net.ssl.internal.ssl.SSLSocketImpl.fatal(SSLSocketImpl.java:1747)
at com.sun.net.ssl.internal.ssl.SSLSocketImpl.fatal(SSLSocketImpl.java:1708)
at com.sun.net.ssl.internal.ssl.SSLSocketImpl.handleException(SSLSocketImpl.java:1691)
at com.sun.net.ssl.internal.ssl.SSLSocketImpl.handleException(SSLSocketImpl.java:1617)
at com.sun.net.ssl.internal.ssl.AppOutputStream.write(AppOutputStream.java:105)
at java.io.BufferedOutputStream.flushBuffer(BufferedOutputStream.java:65)
at java.io.BufferedOutputStream.flush(BufferedOutputStream.java:123)
at java.io.FilterOutputStream.flush(FilterOutputStream.java:123)
at org.apache.commons.httpclient.methods.StringRequestEntity.writeRequest(StringRequestEntity.java:146)
at org.apache.commons.httpclient.methods.EntityEnclosingMethod.writeRequestBody(EntityEnclosingMethod.java:499)
at org.apache.commons.httpclient.HttpMethodBase.writeRequest(HttpMethodBase.java:2114)
at org.apache.commons.httpclient.HttpMethodBase.execute(HttpMethodBase.java:1096)
at org.apache.commons.httpclient.HttpMethodDirector.executeWithRetry(HttpMethodDirector.java:398)
at org.apache.commons.httpclient.HttpMethodDirector.executeMethod(HttpMethodDirector.java:171)
at org.apache.commons.httpclient.HttpClient.executeMethod(HttpClient.java:397)
at org.apache.commons.httpclient.HttpClient.executeMethod(HttpClient.java:323)
at com.aes.common.net.HttpsTransportProvider.sendMessage(HttpsTransportProvider.java:168)
at com.aes.location.intf.track.AesEventGen.fireEventNow(AesEventGen.java:705)
at com.aes.location.intf.track.DestinationHandler$EventProcessor.send(DestinationHandler.java:843)
at com.aes.location.intf.track.DestinationHandler$EventProcessor.retrySend(DestinationHandler.java:827)
at com.aes.location.intf.track.DestinationHandler$EventProcessor.watchDest(DestinationHandler.java:774)
at com.aes.location.intf.track.DestinationHandler$EventProcessor.run(DestinationHandler.java:688)
at java.lang.Thread.run(Thread.java:662)
Caused by: java.lang.RuntimeException: Failed to throw Invalid Parameter Spec exception due to invalid parameter type.
at com.cisco.ciscossl.provider.ciscojce.trust.ECKeyPairGenerator.initialize(ECKeyPairGenerator.java:370)
at java.security.KeyPairGenerator$Delegate.initialize(KeyPairGenerator.java:627)
at com.sun.net.ssl.internal.ssl.ECDHCrypt.<init>(ECDHCrypt.java:58)
at com.sun.net.ssl.internal.ssl.ClientHandshaker.serverKeyExchange(ClientHandshaker.java:568)
at com.sun.net.ssl.internal.ssl.ClientHandshaker.processMessage(ClientHandshaker.java:198)
at com.sun.net.ssl.internal.ssl.Handshaker.processLoop(Handshaker.java:593)
at com.sun.net.ssl.internal.ssl.Handshaker.process_record(Handshaker.java:529)
at com.sun.net.ssl.internal.ssl.SSLSocketImpl.readRecord(SSLSocketImpl.java:943)
at com.sun.net.ssl.internal.ssl.SSLSocketImpl.performInitialHandshake(SSLSocketImpl.java:1188)
at com.sun.net.ssl.internal.ssl.SSLSocketImpl.writeRecord(SSLSocketImpl.java:654)
at com.sun.net.ssl.internal.ssl.AppOutputStream.write(AppOutputStream.java:100)
... 18 more
09-30-2014 09:24 AM
More Info:
INFO com.cisco.ciscossl.provider.ciscojce.CiscoJCEFirewall - allowing EC because CISCOJ_PERMIT_UNIMPLEMENTED_KEYFACTORY_EC set
INFO com.cisco.ciscossl.provider.ciscojce.CiscoJCEFirewall - allowing EC because CISCOJ_PERMIT_UNIMPLEMENTED_KEYFACTORY_EC set
INFO com.cisco.ciscossl.provider.ciscojce.trust.ECKeyFactory - CiscoJCE creating EC public key based on ECPublicKeySpec
INFO com.cisco.ciscossl.provider.ciscojce.trust.ECKeyFactory - CiscoJCE Find curve name: checking prime curves.
INFO com.cisco.ciscossl.provider.ciscojce.trust.ECKeyFactory - CiscoJCE Find curve name: checking sec curves.
INFO com.cisco.ciscossl.provider.ciscojce.trust.FECPublicKeySpec - CiscoJCE assigning EC public key with curve secp384r1
INFO com.cisco.ciscossl.provider.ciscojce.trust.ECKeyPairGenerator - Separate source of randomness not supported.
ERROR com.cisco.ciscossl.provider.ciscojce.trust.ECKeyPairGenerator - Invalid parameter type. Only ECGenParameterSpec supported
ERROR com.cisco.ciscossl.provider.ciscojce.trust.ECKeyPairGenerator - Failed to throw Invalid Parameter Spec exception due to invalid parameter type.
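The trace above fails inside the TLS client handshake, where ECDHCrypt calls KeyPairGenerator.initialize and the CiscoJCE generator reports "Only ECGenParameterSpec supported". The following probe is an added example, not part of the original post or Cisco's code: it lists the installed EC key pair generators in preference order and reports which parameter form each accepts. The class name EcSpecProbe is hypothetical, and it assumes each provider's public key implements java.security.interfaces.ECPublicKey.

```java
import java.security.KeyPair;
import java.security.KeyPairGenerator;
import java.security.Provider;
import java.security.Security;
import java.security.interfaces.ECPublicKey;
import java.security.spec.ECGenParameterSpec;
import java.security.spec.ECParameterSpec;

public class EcSpecProbe {
    public static void main(String[] args) {
        // Curve name taken from the log above; override with the first argument.
        String curve = args.length > 0 ? args[0] : "secp384r1";

        // Returned in preference order: the first entry is the one JSSE will get.
        Provider[] providers = Security.getProviders("KeyPairGenerator.EC");
        if (providers == null) {
            System.out.println("No provider registers KeyPairGenerator.EC");
            return;
        }
        for (Provider p : providers) {
            System.out.println(p.getName());
            ECParameterSpec explicit;
            try {
                // Form 1: curve given by name.
                KeyPairGenerator kpg = KeyPairGenerator.getInstance("EC", p);
                kpg.initialize(new ECGenParameterSpec(curve));
                KeyPair kp = kpg.generateKeyPair();
                // Assumption: the key exposes the standard ECPublicKey interface.
                explicit = ((ECPublicKey) kp.getPublic()).getParams();
                System.out.println("  ECGenParameterSpec (named curve): ok");
            } catch (Throwable t) {
                System.out.println("  ECGenParameterSpec (named curve): " + t);
                continue;
            }
            try {
                // Form 2: explicit curve parameters, as carried by a peer's EC key.
                KeyPairGenerator kpg = KeyPairGenerator.getInstance("EC", p);
                kpg.initialize(explicit);
                kpg.generateKeyPair();
                System.out.println("  ECParameterSpec (explicit params): ok");
            } catch (Throwable t) {
                // Throwable, because the log shows a RuntimeException, not a checked one.
                System.out.println("  ECParameterSpec (explicit params): " + t);
            }
        }
    }
}
```

Run it with the same JRE and java.security configuration as the failing process, otherwise the provider list will differ from the one the handshake sees.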
09-30-2014 11:46 AM
Cause
The JVM cannot find the javax.net.ssl.trustStore required for SSL, or it does not contain the required certificates.
For standard installations, we do not recommend this JVM argument is used, and rather your certificates are added to the JVM's default keystore, which is typically located in $JAVA_HOME/jre/lib/security/cacerts or the keystore used by your Tomcat, as in our Running JIRA over SSL or HTTPS documentation.
Follow our Connecting to SSL services documentation. This will guide you through obtaining the certificate of the service you're accessing and importing it into the recommended Java keystore.
If you're using a non-standard keystore, such as the one specified in Tomcat, please import the certificate into that keystore.
For more detail, please see the link below:
https://confluence.atlassian.com/display/JIRAKB/Unable+to+Access+SSL+Services+due+to+java.security.InvalidAlgorithmParameterException
10-14-2014 01:12 PM
OK, following this, here is what I have found: $JAVA_HOME is set from the shell script that is starting the process that is writing the log file that I found the error in. The JRE that it is using has a cacerts in the path $JAVA_HOME/lib/security/. What this tells me is that it should be working.
The error you are referencing seems different from the error I am seeing.
After following the command from the link:
openssl s_client -connect google.com:443 < /dev/null | sed -ne '/-BEGIN CERTIFICATE-/,/-END CERTIFICATE-/p' > public.crt
<JAVA_HOME>/keytool -import -alias <server_name> -keystore <JAVA_HOME>/lib/security/cacerts -file public.crt
I get the following error message:
[root@localhost bin]# keytool -import -alias "service" -keystore ../lib/security/cacerts -file public.crt
Exception in thread "main" java.lang.UnsatisfiedLinkError: /opt/mse/framework/jre/lib/ext/libCiscoJCEJNI.so: libCiscoJSafeC_mem.so: cannot open shared object file: No such file or directory
at java.lang.ClassLoader$NativeLibrary.load(Native Method)
at java.lang.ClassLoader.loadLibrary0(ClassLoader.java:1807)
at java.lang.ClassLoader.loadLibrary(ClassLoader.java:1716)
at java.lang.Runtime.loadLibrary0(Runtime.java:823)
at java.lang.System.loadLibrary(System.java:1028)
at com.cisco.ciscossl.provider.ciscojce.CiscoJCEProvider.loadGlue(CiscoJCEProvider.java:166)
at com.cisco.ciscossl.provider.ciscojce.CiscoJCEProvider.<clinit>(CiscoJCEProvider.java:126)
at sun.reflect.NativeConstructorAccessorImpl.newInstance0(Native Method)
at sun.reflect.NativeConstructorAccessorImpl.newInstance(NativeConstructorAccessorImpl.java:39)
at sun.reflect.DelegatingConstructorAccessorImpl.newInstance(DelegatingConstructorAccessorImpl.java:27)
at java.lang.reflect.Constructor.newInstance(Constructor.java:513)
at java.lang.Class.newInstance0(Class.java:357)
at java.lang.Class.newInstance(Class.java:310)
at sun.security.jca.ProviderConfig$3.run(ProviderConfig.java:240)
at java.security.AccessController.doPrivileged(Native Method)
at sun.security.jca.ProviderConfig.doLoadProvider(ProviderConfig.java:225)
at sun.security.jca.ProviderConfig.getProvider(ProviderConfig.java:205)
at sun.security.jca.ProviderList.getProvider(ProviderList.java:215)
at sun.security.jca.ProviderList.getService(ProviderList.java:313)
at sun.security.jca.GetInstance.getInstance(GetInstance.java:140)
at java.security.Security.getImpl(Security.java:659)
at java.security.KeyStore.getInstance(KeyStore.java:584)
at sun.security.tools.KeyTool.doCommands(KeyTool.java:594)
at sun.security.tools.KeyTool.run(KeyTool.java:172)
at sun.security.tools.KeyTool.main(KeyTool.java:166)