Hello everyone,
I'm currently trying to get an HTTPS connection working over smart-serial, to receive some asynchronous event information over HTTPS (protocol is Mediaproxy Player, ip:port configured for https smart-serial is any:5000). Type is configured as
<Type relativeTimers="true" options="" advanced="smart-serial:Events Connection">http</Type>
And I have a response set up for connection:1 and the QAction triggered on the response parameter.
Problem is, when I edit the element and try to activate SSL/TLS, I start getting a lot of these messages in stream viewer:
Couldn't locate the SSL context for <IP>. Check SLPort.txt for more info
Failed to create the client object
Socket for <IP>:56444 closed
On SLPort, there is a stream of messages mentioning a failure in setting certificates to none, but none of those messages were for my IP:port combination:
2020/08/04 10:50:53.398|SLPort.exe 10.0.2018.700|9144|28372|SLHTTPRequest::SetClientCertificateToNone|ERR|0|Failed to set client certificate to none for request to <IP>//. Error: (hr = 0x80072EF3)
Another thing is, once I remove the SSL option, I can effectively see data flowing in Wireshark (although I can't make sense of it, since SSL is not working):
So this tells me that there is effectively a communication attempt from the device to DataMiner.
Are there any issues or limitations on using HTTPS / SSL/TLS over smart-serial? Maybe I'm missing something on configuration/setup? Maybe there's a better solution when using HTTPS to receive async messages?
EDIT: DMA version is 10.0.7.0-9247. I'm aware that a fix is in the works for the false SetClientCertificateToNone, but in this case, I'm actually trying to use secure connections.
EDIT 2: so, I've generated a self-signed certificate with openssl, converted it to pfx, and followed the instructions to configure it (I've actually used an automation script provided by Gelber, to configure the certificate on the DMA).
openssl req -x509 -newkey rsa:4096 -sha256 -keyout server.key -out server.crt -subj "/CN=skyline.communications" -days 600
openssl pkcs12 -export -name "skyline.communications" -out server.pfx -inkey server.key -in server.crt
However, now I'm getting a different error:
Unexpected error on <IP> during SECURE_SOCKET_CLIENT::SECURE_SOCKET_CLIENT: An invalid argument was supplied.
Connect failed for <IP>:<Port>
Failed to create the client object
Socket for <IP>:<Port> closed
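Before loading a PKCS12 file into the DMA, it is worth checking that it actually opens with the password you configured, that the private key matches the certificate, and whether it is self-signed (which, per the replies below, the device side will not accept). The following is an added example, not code from the original post or from Skyline; it rebuilds a test bundle the way the question does and assumes only that openssl is on PATH.

```shell
#!/bin/sh
# Added example: generate a test PKCS12 like the question does, then validate it
# the way you would before copying it to C:\Skyline DataMiner\Certificates.
set -e

# Creates server.key/server.crt/server.pfx in directory $1, PFX password $2.
# Note the straight quotes around the -subj value; curly quotes break openssl.
make_pfx() {
  dir="$1"; pw="$2"
  openssl req -x509 -newkey rsa:2048 -sha256 -nodes -keyout "$dir/server.key" \
    -out "$dir/server.crt" -subj "/CN=skyline.communications" -days 600 >/dev/null 2>&1
  openssl pkcs12 -export -name "skyline.communications" -out "$dir/server.pfx" \
    -inkey "$dir/server.key" -in "$dir/server.crt" -passout "pass:$pw"
}

# Returns 0 only if $1 is a PKCS12 bundle that opens with password $2 and whose
# private key matches the leaf certificate; prints "self-signed" or "ca-signed".
check_pfx() {
  pfx="$1"; pw="$2"
  cert=$(openssl pkcs12 -in "$pfx" -passin "pass:$pw" -clcerts -nokeys 2>/dev/null) || return 1
  key=$(openssl pkcs12 -in "$pfx" -passin "pass:$pw" -nocerts -nodes 2>/dev/null) || return 1
  # Compare the public key embedded in the cert with the one derived from the key.
  cpub=$(printf '%s\n' "$cert" | openssl x509 -pubkey -noout)
  kpub=$(printf '%s\n' "$key" | openssl pkey -pubout 2>/dev/null)
  [ -n "$cpub" ] && [ "$cpub" = "$kpub" ] || return 1
  subj=$(printf '%s\n' "$cert" | openssl x509 -noout -subject)
  iss=$(printf '%s\n' "$cert" | openssl x509 -noout -issuer)
  # Subject equal to issuer means nobody else vouched for this certificate.
  if [ "${subj#subject=}" = "${iss#issuer=}" ]; then echo self-signed; else echo ca-signed; fi
}
```

A wrong password, a missing key, or a key that does not belong to the certificate all make `check_pfx` fail, which is the first thing to rule out when the DMA reports it cannot locate the SSL context.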
Hi Miguel,
In order to use the TLS/SSL option you will need to place first a certificate in the folder C:\Skyline DataMiner\Certificates. Next, you will need to load the certificate using the steps indicated in the DataMiner Help (Enabling TLS Encryption). The certificate should be provided by the customer.
Please keep in mind that the name of the certificate must be server.pfx (if the file has another name, the DMA will not take it into account).
So the certificate has to be provided? Is there no chance to make this work with a self-signed certificate, even if generated on the customer DMA machine?
Hi Miguel,
Indeed, the certificate has to be provided. A self-signed certificate will not work (the self-signed certificate works only to communicate with the server that generated the certificate, not with the device).
So in this case, would that mean that the device owner has to provide a certificate? Or would any normal signed certificate from the customer do? I'll need to know exactly what to request in this case.
Hi Miguel,
Indeed, the device owner has to provide a certificate. When enabling TLS/SSL on the device, the device owner should configure the certificate(s) that will be used to communicate with the device. This certificate could also be one that has been deployed in their environment.
This could perhaps be caused by a missing server certificate on the DataMiner server. Did you put one in place and configure it accordingly if it's a password-protected certificate?
More information on this can be found in the section on enabling TLS encryption in the DataMiner help.
Thanks, I've tried following that, with a slight change (Gelber provided an automation script to configure the certificate). But I'm still not quite there.
Note: since RN23947 the certificate doesn't need to be named server.pfx; it can be any name you like, as long as it is a valid PKCS12-formatted file and correctly configured in DataMiner.