Frequently Asked Questions

Server

  1. Starting the server fails with a configuration parse error similar to the following, even though the configuration element in ConnectionConfiguration.xml is valid

    \main: Configuration Parse failure: L529:C31 cvc-complex-type.2.4.d: Invalid content was found starting with element 'pmode:useCompression'. No child element is expected at this point.
    \            

    Ensure that all elements are ordered according to the schema files in the FMS install schema/FMS directory.

  2. Sending a message with required encryption using the '-enc alias' command line argument fails with the following error message

    \SEVERE com.sun.xml.wss.impl.misc.DefaultSecurityEnvironmentImpl getCertificate() - WSS0221: Unable to locate matching certificate for Key Encryption using CallbackHandler.
    \SEVERE com.sun.xml.wss.impl.filter.EncryptionFilter process() - WSS1413: Error extracting certificate
    \            

    This indicates that the alias matching the partner public certificate required to encrypt an outbound message cannot be located in the keystore. Ensure that the certificate is installed.

  3. Is it possible to restrict TLS ciphers?

    FMS does not have a configuration option for enabling and disabling TLS ciphers, as that is handled by the default java.security configuration file, which will override any setting configured in applications.

  4. I upgraded my Java version to 1.8.0 release 222 or later and now the FMS server starts but just hangs.

    This is due to a missing class file within the standard java library. A typical error output in the FMS server logs could look as follows:

    \
    \Exception in thread "main" java.lang.NoClassDefFoundError: sun/security/validator/KeyStores
    \	at com.flame.utils.FMSTrustManager$InternalX509TrustManagerImpl.<init>(FMSTrustManager.java:254)
    \            

    Either roll back the Java upgrade to a previous working release or add the missing class file as follows:

    \# Extract KeyStores.class from openjdk 8u212 and import into update 8u222 rt.jar
    \cd ~/tmp # directory where previous version of sun/security/validator/KeyStores.class was extracted
    \cp -pv /usr/lib/jvm/java-8-openjdk-amd64/jre/lib/rt.jar \
    \  /usr/lib/jvm/java-8-openjdk-amd64/jre/lib/rt.jar.8u222.backup
    \jar uf /usr/lib/jvm/java-8-openjdk-amd64/jre/lib/rt.jar \
    \  sun/security/validator/KeyStores.class 
    \            

  5. How many messages can the server handle concurrently?

    This is largely dependent on the hardware deployed, the speed of the network and the size of the messages including any attachments. Suffice it to say that it can handle significant message volumes per minute.

  6. What messaging protocols does the FMS support?

    Currently the ebXML Messaging Services Version 3, the AS4 Profile of ebMS 3.0 Version 1.0, the IETF STD69 Extensible Provisioning Protocol (EPP), and RosettaNet™ Implementation Framework Version 2.

  7. I've installed the FMS server but I can't start it up and have no idea what is happening!

    Locate the log file, typically /var/log/fms/fms.log or other log files in the same directory for Linux and Unix, and Programs/FMS/log/serviceinfo.log or other log files in the same directory for Windows.

    Ensure that the certificate keystore has been set up, as per the Section called Importing Public Keys (Certificates) into the Server Keystore in the Chapter called Installation, and that syslog is configured before startup as per the Section called Syslog Configuration in the Chapter called Configuring FMS.

  8. I've set up the syslog handler but I don't see anything in the log file!

    Ensure that syslog itself is configured correctly; refer to the Section called Syslog Configuration in the Chapter called Configuring FMS.

  9. I've started up the FMS server and see that /var/log/fms/fms-stderr.log contains the following error.

    \
    \            [INFO] is an unknown syslog facility. Defaulting to [USER].
    \
    \          

    Ensure that the syslog configuration matches the log4j.appender.Syslog.Facility configuration in file log4j.properties. Refer to the Section called Syslog Configuration in the Chapter called Configuring FMS for further details.

  10. I've started up the FMS server and see that /var/log/fms/fms-stderr.log contains the following error.

    \
    \            log4j:WARN No appenders could be found for logger (com.flame)
    \            log4j:WARN Please initialize the log4j system properly
    \
    \          

    Ensure that the log4j.properties configuration is installed in the same directory as the fms.jar file. Refer to the Section called FMS Logging Configuration in the Chapter called Configuring FMS for further details.

  11. I can't make a connection to the remote server! Help!

    I get FMS ERROR: Connection interface failed to bind to address when starting FMS.

    First make sure the remote server host can be pinged. If it can, attempt to connect with telnet or openssl to that server on the port specified. If the telnet or openssl session succeeds then it should work; if not, ensure that a firewall is not blocking the port and that the server is indeed listening by checking the logs for any errors. Verify that the SSL certificates have been set up correctly.

    \
    \            telnet remote.server.com 443
    \            openssl s_client -connect remote.server.com:443
    \
    \          
  12. I receive a cipher suite error in the logs or on FMC when trying to connect to the FMS server.

    SSLHandshakeException occurred while negotiating a connection: no cipher suites in common.

    Ensure that the jdk.tls.disabledAlgorithms entry in the Java java.security file on both the local and remote sides does not include the required protocol. For FMC revisions prior to 5.4.2 build 7 the required transport protocol is TLSv1.

    Ensure that the FMS server private certificate for the relevant listener is valid and has not expired.

  13. I receive the following error in the FMS logs when trying to connect to the server using the fmsconf utility.

    SSLHandshakeException occurred while negotiating a connection: Client requested protocol TLSv1.2 is not enabled or supported in server context.

    SSL Handshake Exception occurred while listening from 'localhost/127.0.0.1'. SSL_VERSION = 'TLSv1.3', SSL_NEED_CLIENT_AUTH = 'false' : Error is 'The client supported protocol versions [TLSv1.2, TLSv1.1, TLSv1] are not accepted by server preferences [TLS13]'.

    Ensure that the FMS server configuration listener property SSL_VERSION is set to include TLSv1.2. Also ensure that the default java.security file does not have TLSv1.2 disabled. Note that this property can be set up to TLSv1.3 if supported by the java runtime.
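
    The check described in questions 3, 12 and 13, as an added example that is not part of the FMS documentation or tooling: a shell function that reads a java.security file and reports whether a protocol name is listed in jdk.tls.disabledAlgorithms. The function names and the sample file contents are constructed for illustration.

```shell
# Added example (not FMS code): list what jdk.tls.disabledAlgorithms disables.

# Print each entry of the property on its own line, joining "\" continuations.
disabled_tls_entries() {
    awk '
        !inprop && /^[ \t]*#/ { next }              # comment outside the property
        !inprop && /^[ \t]*jdk\.tls\.disabledAlgorithms[ \t]*=/ {
            sub(/^[^=]*=/, "")                      # keep only the value part
            inprop = 1; value = ""                  # a later definition replaces an earlier one
        }
        inprop {
            line = $0
            cont = (line ~ /\\[ \t]*$/)             # trailing backslash: value continues
            sub(/\\[ \t]*$/, "", line)
            value = value line
            if (!cont) inprop = 0
        }
        END {
            n = split(value, parts, ",")
            for (i = 1; i <= n; i++) {
                gsub(/^[ \t]+|[ \t]+$/, "", parts[i])
                if (parts[i] != "") print parts[i]
            }
        }
    ' "$1"
}

# Exit status 0 if NAME is an entry (whole-entry match, ignoring case), else 1.
# A plain "grep TLSv1" would also hit TLSv1.1 and TLSv1.2; this does not.
tls_name_disabled() {
    disabled_tls_entries "$1" | grep -Fxqi -- "$2"
}

# Constructed sample in java.security syntax (not copied from a real install).
write_sample_security_file() {
    cat > "$1" <<'EOF'
# constructed sample
jdk.certpath.disabledAlgorithms=MD2, MD5
jdk.tls.disabledAlgorithms=SSLv3, TLSv1.1, RC4, DES, \
    MD5withRSA, DH keySize < 1024, \
    EC keySize < 224
EOF
}

sample=$(mktemp)
write_sample_security_file "$sample"
for proto in TLSv1 TLSv1.1 TLSv1.2; do
    if tls_name_disabled "$sample" "$proto"; then
        echo "$proto: disabled in java.security"
    else
        echo "$proto: not disabled by this file"
    fi
done
rm -f "$sample"
```

    Run the functions against the java.security file of the Java runtime that actually starts FMS, on both the local and the remote side; for Java 8 it is under jre/lib/security, for later releases under conf/security.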

  14. I receive the following error when trying to connect to the FMS server using the fmsconf utility.

    SSL routines:ssl3_read_bytes:sslv3 alert handshake failure:s3_pkt.c:1487:SSL alert number 40

    Ensure that the FMS server private certificate used by the Administration listener is valid and has not expired.

  15. I receive the following error when trying to connect to the FMS server using the fmsconf utility.

    ssl handshake failure

    This indicates that the server has client authentication set to true for the Administration interface and therefore requires the necessary certificates on the fmsconf side. For details on key and certificate generation invoke fmsconf as follows

    \
    \              fmsconf -H
    \
    \          
  16. I receive the following error when using the fmsconf __FMS_Admin_ListCerts command as follows

    \
    \fmsconf -x '__FMS_Admin_ListCerts certs JKS'
    \OK
    \ERROR
    \An error occurred while reading the keystore: Keystore was tampered with, or password was incorrect
    \
    \          

    The __FMS_Admin_ListCerts command requires a password field to read the contents of the certificate store, as follows

    \
    \fmsconf -x '__FMS_Admin_ListCerts certs JKS password'
    \
    \          

    The keystore name (just the file name excluding the directory), type and password must be the same as specified for the keystore in the FMS ConnectionConfiguration.xml file. For example:

    \<cc:keystoreRef cc:ID="default">
    \  <cc:name>certs</cc:name>
    \  <cc:type>JKS</cc:type>
    \  <cc:pass>password</cc:pass>
    \</cc:keystoreRef>
    \          
  17. I have SSL problems connecting to a remote server using the fmsclient.as4.jar and would like to see more detail in the logs

    Invoke the client as follows to provide low level debugging information.

    \
    \java -Djavax.net.debug=ssl:handshake:verbose \
    \  -Dcom.sun.xml.wss.impl.MessageConstants.debug="true" -jar fmsclient.as4.jar
    \
    \          
  18. I can't make a connection to a remote FMS server! Help!

    Has the remote FMS server started up correctly? Look carefully at the logs of the remote FMS server for any ERROR notifications and address these first.

    If the local FMS reports an IOException while writing error followed by an Unrecognized SSL message then it is likely that the local FMS server is attempting to send an encrypted message to a remote server that is not expecting an encrypted message.

  19. I get the following message in my server log when initiating a request or executing a synchronous trigger.

    [Fatal Error] :1:1: Content is not allowed in prolog.

    What is in all likelihood happening is that the content being handed to the server is not valid XML.

  20. I get the following message in my log when attempting to send to a remote destination using HTTPS.

    PKIX path building failed: sun.security.provider.certpath.SunCertPathBuilderException: unable to find valid certification path to requested target

    Ensure that the associated root certificate is up to date in the Java cacerts keystore and confirm that the certificate being used validates against its root certificate path, and that the root certificate exists and has not expired or been revoked.

    The remote server SSL certificate can also be validated as follows using the openssl utility

    \
    \openssl s_client -connect remote.as4.server.com:443 -showcerts
    \# or if testing with a new root certificate
    \openssl s_client -CAfile /path/to/RootCA.pem -connect remote.as4.server.com:443 -showcerts
    \
    \          

    or as follows using the FMS light client

    \
    \java -Djavax.net.debug=ssl:handshake:verbose .. fmsclient.as4.jar ...
    \
    \          

    which may provide the following detail

    \
    \***
    \%% Invalidated:  [Session-1, TLS_RSA_WITH_AES_256_CBC_SHA256]
    \main, SEND TLSv1.2 ALERT:  fatal, description = certificate_unknown
    \main, WRITE: TLSv1.2 Alert, length = 2
    \main, called closeSocket()
    \main, handling exception: javax.net.ssl.SSLHandshakeException: sun.security.validator.ValidatorException: \
    \  PKIX path building failed: sun.security.provider.certpath.SunCertPathBuilderException: unable to find valid certification path to requested target
    \main, called close()
    \main, called closeInternal(true)
    \2019-06-17 15:57:06,006 SEVERE com.sun.xml.internal.messaging.saaj.client.p2p.HttpSOAPConnection post() \
    \ - SAAJ0009: Message send failed 
    \2019-06-17 15:57:06,007 SEVERE com.flame.client.as4.api.Client transmit() - PKIX path building failed: \
    \  sun.security.provider.certpath.SunCertPathBuilderException: unable to find valid certification path \
    \ to requested target
    \
    \          
  21. I get a message send fail in my log when attempting to send to a remote destination using HTTPS.

    \
    \2019-08-01 21:40:05,122 SEVERE com.sun.xml.internal.messaging.saaj.client.p2p.HttpSOAPConnection post() \
    \ - SAAJ0009: Message send failed 
    \2019-08-01 21:40:05,123 SEVERE com.flame.client.as4.api.Client transmit() - Received fatal alert: handshake_failure 
    \            

    This error occurs when the remote endpoint is not available or not in a state where it can accept a secure connection.

  22. I get one of the following messages in my server log when attempting to listen from a remote destination.

    SSL Handshake Exception occurred while listening from 'remote_host/remote_host_address' : Received fatal alert: certificate_unknown

    SSL Handshake Exception occurred while listening from 'remote.host' : null cert chain.

    Ensure that the SSL client certificate chain is in the server truststore and that the certificate validates against its root certificate path in the server truststore. The certificate chain is presented to the remote client from the server and the client can only respond with the appropriate certificate if the certificate authority is correctly presented to it. The null cert chain error will occur when the listener property SSL_NEED_CLIENT_AUTH is set to true for the server listener interface on which an incoming connection occurs.

    The certificate_unknown error can also occur if the keystore contains two private keys with one of the private keys having expired.

    TLSv1 requires a certificate in its keystore that was signed directly or indirectly by any of the signers mentioned in the SSL CertificateRequest handshake message.

    For TLSv1.1 or later if a certificate_authorities list is empty then the client MAY send any certificate of the appropriate ClientCertificateType, unless there is some external arrangement to the contrary.

    Also see the paragraph under certificate_authorities at https://tools.ietf.org/html/rfc4346#section-7.4.4.

  23. I get the following error in my server log when attempting to start the server when I have two or more private keys in the keystore.

    Failed to load FMS KeyManager. Could not recover key with password "keypassword": Cannot recover key

    Ensure that all private keys share the same password.

  24. I can't start the server because the java command cannot be found!

    Ensure Java is installed and set up correctly. Open a console and type java -version; it should return version 1.8.0 or higher.

  25. I'm getting validation errors on the RosettaNet DTD headers (Preamble, Delivery, and Service), but my XML looks perfectly valid, what's wrong?!

    The DTD validation of RosettaNet headers is very strict. To relax validation, disable it by setting the configuration option ROSETTANET_HEADER_VALIDATION to false. This configuration option is located in the section Package Configuration in the ConnectionConfiguration.xml file.

  26. I receive namespace errors on the RosettaNet DTD headers (Preamble, Delivery, and Service), but my XML looks perfectly valid, what's wrong?!

    The DTD namespace implementation is problematic and should be disabled by setting the configuration option ROSETTANET_HEADER_NAMESPACE_AWARE to false. This configuration option is located in the section Package Configuration in the ConnectionConfiguration.xml file.

  27. I get a "com.flame.client.as4.api.Client transmit SEVERE: For input string:" error when specifying an IPv6 address for the host argument.

    Ensure that the IPv6 address is encapsulated within square brackets as follows

    \
    \            -h https://[fe80:8::106a:9125:18a9:9f64%en0]:6443/as4s
    \
    \          
  28. I get a "java.net.BindException: Cannot assign requested address" exception.

    If you get an exception like this, switch to IPv4 by assigning an IPv4 address in the configuration file. This is quite likely due to a bug in Sun's JDK (prior to version 6) when using IPv6 on Linux.

  29. I get a SecurityException: cannot verify signature block file META-INF/BCKEY exception on the server.

    This exception generally occurs when verifying the signature of a signed jar. Try restarting the server to reload the library jar files.

  30. I get a java.security.NoSuchProviderException: JCE cannot authenticate the provider BC error log entry.

    This exception generally occurs when verifying the signature of a signed jar. Try restarting the server to reload the library jar files.

  31. I get an UnrecoverableKeyException when starting the server yet the alias and the password are correct.

    Ensure that the password is not shared in that keystore. SSL key management requires a master key for encryption, and this master key's password must be unique.

  32. I get an exception Key inappropriate for algorithm or Illegal key size or default parameters. What causes it and how do I fix it?

    This means that the unrestricted Java policy files have not been installed. Refer to the Section called Encryption in the Chapter called Configuring FMS.

  33. Various default passwords are used in generating keys and keystores. Do I need to stick to these?

    It is highly recommended that no default passwords are used. Remember to first change the configuration files before invoking the key generation utility and the server.

  34. I have a problem importing certificates supplied in pkcs7 format into our java key store (JKS).

    It seems that to import it using the Java keytool you need to use the exact alias supplied in the pkcs7 file, which unfortunately is not visible when viewing the certificate.

    Use the following process to import it.

    Convert supplied pkcs7 certificate to an x509 certificate

    \
    \openssl pkcs7 -print_certs -in pkcs7certs.txt -out x509cert.cer
    \
    \          

    Import supplied converted x509 certificate

    \
    \keytool -import -trustcacerts -keystore certs -storepass changeit -file x509cert.cer -alias remotepartneralias
    \
    \