What version of openssl does DataMiner use? Trying to read a certificate supplied by Techex with version 3.0 returns:
Error outputting keys and certificates
B82A0000:error:0308010C:digital envelope routines:inner_evp_generic_fetch:unsupported:crypto\evp\evp_fetch.c:346:Global default library context, Algorithm (RC2-40-CBC : 0), Properties ()
As RC2-40-CBC has been deprecated, you can open it in version 1.1.1.
Beyond DataMiner being able to open the certificate, how do you test the connection is working or trying to establish?
Hi Philip,
I've only set this up once and that was back in early 2021, but did so using the version of OpenSSL that is deployed with Git (Git - Downloads (git-scm.com)). Looking at the properties of the openssl.exe file, it's File Version 1.1.1.11 (product version 1.1.1k). With that version I was able to combine the client.key and client.cer files provided by TechEx into the PFX file. If you need procedures for that, just let me know.
Once you have the PFX, you need to place it somewhere DataMiner can access it. I used C:\Skyline DataMiner\Documents\DMA_COMMON_DOCUMENTS. Once the file is in place, in the element you can go to the Communications - IP Connection - Statistics Interface section page to set up the file path (including file name) and the PW you created for the PFX in the . If all goes well, you should see the Statistics Interface Status change to Authorized.
Hope this helps!
A few thoughts…
– make sure the file path includes the filename and extension if you haven’t. I assume you probably did, but you know what happens when you assume!
– In the past I have seen the DataMiner services have trouble accessing files not in the Skyline DataMiner folders. It might be a good test to move it into the folder just to eliminate that as a potential reason for failure to authenticate. If it works there, you can either choose to leave it there, or work out the necessary permissions in Windows to allow it to be in the C:\certs folder as desired.
– You mentioned that you got a PFX file from TechEx… they sent us .KEY and .CER files which we used to create the PFX. Maybe they did that for you, but I got the impression that the PFX file was a DataMiner specific requirement, so not something they were familiar with. As for extracting the cert and key, I’m not sure if you can go the other way around but sounds like you might be more savvy in this than I am, so will defer to you. Finally, I do believe those files are specific to the Core(s) you are configuring. Just to eliminate more potential assumptions, I don’t think reusing a cert from a different setup will work.
Hopefully this gives you a few more things to explore!
Oh, also not sure if you have checked, but is there anything interesting in the logs for when you attempt to enable the polling? Wonder if that might shed some light on what’s happening.
Yes I’ve put the full path with file name and extension in.
Moving the certificates to this folder doesn’t make a difference.
That’s what it says in their integration documentation, but they combined them into a PFX before sending them over. You can combine/extract, add a certificate name, define the encryption used and all sorts with openssl, something I had to figure out last year when securing our DataMiner instances with certificates.
This certificate was requested specifically for this instance of MWCore, so I’m hoping Techex applied the CA certificate that this client certificate belongs to to the server, but I will confirm with them.
The logs were one of the first things I looked at, but there's nothing in them; I even enabled debug logging on the element, but it didn't create anything.
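The OpenSSL steps discussed in this thread (combining the key and certificate into a PFX, choosing the PKCS#12 encryption, and the RC2-40-CBC problem with OpenSSL 3.0) as an added example: this is a POSIX shell script written for this page, not code from the thread, DataMiner or TechEx. It builds a PFX with AES/PBES2 encryption so OpenSSL 3.x can open it, prints the algorithms inside a PFX (which is where a vendor file's pbeWithSHA1And40BitRC2-CBC would show up), and re-wraps a legacy PFX into a modern one. The file names, the friendly name and the password are assumptions, and the key/certificate pair is a constructed self-signed one so the script runs offline.

```shell
#!/bin/sh
# Added example (not code from the thread, DataMiner or TechEx): build, inspect and
# re-wrap a PKCS#12 (PFX) file with the openssl CLI. Everything is done in a scratch
# directory with a constructed self-signed key/cert pair standing in for the
# client.key / client.cer a vendor would supply. PFX_PASS is a throwaway password.
set -eu
umask 077
WORKDIR="${WORKDIR:-$(mktemp -d)}"
PFX_PASS="${PFX_PASS:-example-pfx-password}"

# Constructed stand-in for the vendor-supplied key and certificate.
make_test_material() {
    openssl req -x509 -newkey rsa:2048 -nodes -days 1 -subj "/CN=example-client" \
        -keyout "$WORKDIR/client.key" -out "$WORKDIR/client.cer" >/dev/null 2>&1
}

# Combine key + certificate into a PFX. -keypbe/-certpbe select AES-256-CBC (PBES2)
# instead of the pbeWithSHA1And40BitRC2-CBC default that older OpenSSL used, and
# -macalg sha256 replaces the SHA-1 MAC, so OpenSSL 3.x opens the file without
# needing the legacy provider.
build_pfx() {
    openssl pkcs12 -export \
        -inkey "$WORKDIR/client.key" -in "$WORKDIR/client.cer" \
        -name "example-client" \
        -keypbe AES-256-CBC -certpbe AES-256-CBC -macalg sha256 \
        -passout "pass:$PFX_PASS" -out "$WORKDIR/client.pfx"
}

# Print the MAC and encryption algorithms inside a PFX without writing key material out.
# On a file that OpenSSL 3.x cannot open, the "unsupported" error is printed here instead.
pfx_algorithms() {
    openssl pkcs12 -info -noout -nodes -in "$1" -passin "pass:$PFX_PASS" 2>&1 || true
}

# Return only the certificate CN from a PFX (the private key is never written out).
pfx_subject() {
    openssl pkcs12 -in "$1" -passin "pass:$PFX_PASS" -nokeys -clcerts 2>/dev/null \
        | openssl x509 -noout -subject \
        | sed -n 's/^subject=.*CN *= *//p'
}

# Re-wrap any PFX into AES/PBES2. The default provider is tried first; if that fails
# (e.g. RC2-40-CBC content on OpenSSL 3.x) the read is retried with -legacy, which
# loads the OpenSSL 3.x legacy provider. The unencrypted PEM exists only briefly,
# inside the 0700 scratch directory.
rewrap_pfx() {
    in_pfx="$1"; out_pfx="$2"; tmp_pem="$WORKDIR/rewrap.pem"
    if ! openssl pkcs12 -in "$in_pfx" -passin "pass:$PFX_PASS" -nodes -out "$tmp_pem" 2>/dev/null; then
        openssl pkcs12 -legacy -in "$in_pfx" -passin "pass:$PFX_PASS" -nodes -out "$tmp_pem" 2>/dev/null
    fi
    openssl pkcs12 -export -in "$tmp_pem" -name "example-client" \
        -keypbe AES-256-CBC -certpbe AES-256-CBC -macalg sha256 \
        -passout "pass:$PFX_PASS" -out "$out_pfx"
    rm -f "$tmp_pem"
}

main() {
    command -v openssl >/dev/null 2>&1 || { echo "openssl not found on PATH" >&2; return 0; }
    echo "Using: $(openssl version)"
    make_test_material
    build_pfx
    echo "--- algorithms in client.pfx ---"
    pfx_algorithms "$WORKDIR/client.pfx"
    echo "--- certificate CN: $(pfx_subject "$WORKDIR/client.pfx")"
    rewrap_pfx "$WORKDIR/client.pfx" "$WORKDIR/client-aes.pfx"
    echo "Re-wrapped copy written to $WORKDIR/client-aes.pfx"
}
main
```

To check a real vendor file, point pfx_algorithms at it with PFX_PASS set to the password you were given: a line reading pbeWithSHA1And40BitRC2-CBC is the RC2-40-CBC case from the question. The -legacy retry only works when the OpenSSL 3.x legacy provider module is installed next to the binary; if it is not, do the one-time re-wrap with the 1.1.1 build that ships with Git, and the resulting AES-wrapped PFX then opens on either version.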
I figured you’d probably checked all of those things but thought it prudent to confirm. Let me check in tomorrow morning with a colleague who’s already left for the day to see if they have any additional thoughts and I’ll get back to you.
Thanks Jamie,
I did find that my Git install had the same version, which could read the PFX file supplied by Techex. As a comparison I extracted the cert and key, which I then used the newer version of openssl to create a new PFX, but neither version of the cert works.
The one difference I did was place the certificates in C:\certs, which I've used in the past for certificate access to Linux machines using the Linux SSH protocol. I can move it if need be, but I'm guessing it'll work this way as well?
I have set the file path and PW, unfortunately apart from when the client certificate path is updated (when it changes to Authenticating… and doesn’t change beyond that) it stays on Not Authenticated.
I have the 1.0.1.17 version of the protocol.