SSL configuration for Azure IoT Hub connector configuration

vi1
16-Pearl


Hi,

I have enabled the HTTPS configuration in server.xml in the Tomcat folder. What are the steps to follow in the Azure IoT Hub configuration to enable HTTPS? I am using ThingWorx version 8.5.1 and IoT Hub 3.0.2.

I have added the below configuration in an environment variable. The azure-iot service does not run if I set the below configuration. The Azure IoT Hub connector was working correctly without HTTPS enabled and was also receiving data correctly from Azure IoT Hub into ThingWorx. I have followed the ThingWorx help document.

 

 

"AZURE_IOT_OPTS=-Djavax.net.ssl.trustStore=C:\Program Files\Apache Software Foundation\Tomcat 9.0\conf\cacerts-customized -Djavax.net.ssl.trustStorePassword=xxxxxxx"

 

Also, I have updated the conf: platforms = "wss://localhost:443/Thingworx/WS"

 

Regards,

Latha


9 REPLIES

Hi @vi1 

 

What is the error you are getting in cxserver.log file located at Azure-IoT-Hub-Connector-<ver>\connector\bin\ when you are trying to connect using SSL?

 

Regards,

Sachin

Hi,

 

Thank you for the reply.

 

I am getting the below error in the cxserver log. What is the configuration in the environment variable for SSL? Below is the configuration in the environment variable.

AZURE_IOT_OPTS=-Djavax.net.ssl.trustStore=C:\\Program Files\\Apache Software Foundation\\Tomcat 9.0\\conf\\cerificatename.pfx -Djavax.net.ssl.trustStorePassword=xxxxx

 

2021-04-12T01:52:01.779 [NettyClient-NIO-1] ERROR c.t.s.i.t.netty.NettyChannelHandler - [ClientHandler: b17106b7] WebSocket error: javax.net.ssl.SSLHandshakeException: sun.security.validator.ValidatorException: PKIX path building failed: sun.security.provider.certpath.SunCertPathBuilderException: unable to find valid certification path to requested target, closing connection!
io.netty.handler.codec.DecoderException: javax.net.ssl.SSLHandshakeException: sun.security.validator.ValidatorException: PKIX path building failed: sun.security.provider.certpath.SunCertPathBuilderException: unable to find valid certification path to requested target
at io.netty.handler.codec.ByteToMessageDecoder.callDecode(ByteToMessageDecoder.java:468)
at io.netty.handler.codec.ByteToMessageDecoder.channelRead(ByteToMessageDecoder.java:276)
at io.netty.channel.AbstractChannelHandlerContext.invokeChannelRead(AbstractChannelHandlerContext.java:379)
at io.netty.channel.AbstractChannelHandlerContext.invokeChannelRead(AbstractChannelHandlerContext.java:365)
at io.netty.channel.AbstractChannelHandlerContext.fireChannelRead(AbstractChannelHandlerContext.java:357)
at io.netty.channel.DefaultChannelPipeline$HeadContext.channelRead(DefaultChannelPipeline.java:1410)
at io.netty.channel.AbstractChannelHandlerContext.invokeChannelRead(AbstractChannelHandlerContext.java:379)
at io.netty.channel.AbstractChannelHandlerContext.invokeChannelRead(AbstractChannelHandlerContext.java:365)
at io.netty.channel.DefaultChannelPipeline.fireChannelRead(DefaultChannelPipeline.java:919)
at io.netty.channel.nio.AbstractNioByteChannel$NioByteUnsafe.read(AbstractNioByteChannel.java:163)
at io.netty.channel.nio.NioEventLoop.processSelectedKey(NioEventLoop.java:714)
at io.netty.channel.nio.NioEventLoop.processSelectedKeysOptimized(NioEventLoop.java:650)
at io.netty.channel.nio.NioEventLoop.processSelectedKeys(NioEventLoop.java:576)
at io.netty.channel.nio.NioEventLoop.run(NioEventLoop.java:493)
at io.netty.util.concurrent.SingleThreadEventExecutor$4.run(SingleThreadEventExecutor.java:989)
at io.netty.util.internal.ThreadExecutorMap$2.run(ThreadExecutorMap.java:74)
at java.lang.Thread.run(Thread.java:748)
Caused by: javax.net.ssl.SSLHandshakeException: sun.security.validator.ValidatorException: PKIX path building failed: sun.security.provider.certpath.SunCertPathBuilderException: unable to find valid certification path to requested target
at sun.security.ssl.Alert.createSSLException(Alert.java:131)
at sun.security.ssl.TransportContext.fatal(TransportContext.java:353)
at sun.security.ssl.TransportContext.fatal(TransportContext.java:296)
at sun.security.ssl.TransportContext.fatal(TransportContext.java:291)
at sun.security.ssl.CertificateMessage$T12CertificateConsumer.checkServerCerts(CertificateMessage.java:652)
at sun.security.ssl.CertificateMessage$T12CertificateConsumer.onCertificate(CertificateMessage.java:471)
at sun.security.ssl.CertificateMessage$T12CertificateConsumer.consume(CertificateMessage.java:367)
at sun.security.ssl.SSLHandshake.consume(SSLHandshake.java:376)
at sun.security.ssl.HandshakeContext.dispatch(HandshakeContext.java:444)
at sun.security.ssl.SSLEngineImpl$DelegatedTask$DelegatedAction.run(SSLEngineImpl.java:983)
at sun.security.ssl.SSLEngineImpl$DelegatedTask$DelegatedAction.run(SSLEngineImpl.java:970)
at java.security.AccessController.doPrivileged(Native Method)
at sun.security.ssl.SSLEngineImpl$DelegatedTask.run(SSLEngineImpl.java:917)
at io.netty.handler.ssl.SslHandler.runAllDelegatedTasks(SslHandler.java:1510)
at io.netty.handler.ssl.SslHandler.runDelegatedTasks(SslHandler.java:1524)
at io.netty.handler.ssl.SslHandler.unwrap(SslHandler.java:1408)
at io.netty.handler.ssl.SslHandler.decodeJdkCompatible(SslHandler.java:1235)
at io.netty.handler.ssl.SslHandler.decode(SslHandler.java:1282)
at io.netty.handler.codec.ByteToMessageDecoder.decodeRemovalReentryProtection(ByteToMessageDecoder.java:498)
at io.netty.handler.codec.ByteToMessageDecoder.callDecode(ByteToMessageDecoder.java:437)
... 16 common frames omitted
Caused by: sun.security.validator.ValidatorException: PKIX path building failed: sun.security.provider.certpath.SunCertPathBuilderException: unable to find valid certification path to requested target
at sun.security.validator.PKIXValidator.doBuild(PKIXValidator.java:439)
at sun.security.validator.PKIXValidator.engineValidate(PKIXValidator.java:306)
at sun.security.validator.Validator.validate(Validator.java:271)
at sun.security.ssl.X509TrustManagerImpl.validate(X509TrustManagerImpl.java:312)
at sun.security.ssl.X509TrustManagerImpl.checkTrusted(X509TrustManagerImpl.java:275)
at sun.security.ssl.X509TrustManagerImpl.checkServerTrusted(X509TrustManagerImpl.java:140)
at sun.security.ssl.CertificateMessage$T12CertificateConsumer.checkServerCerts(CertificateMessage.java:630)
... 31 common frames omitted
Caused by: sun.security.provider.certpath.SunCertPathBuilderException: unable to find valid certification path to requested target
at sun.security.provider.certpath.SunCertPathBuilder.build(SunCertPathBuilder.java:141)
at sun.security.provider.certpath.SunCertPathBuilder.engineBuild(SunCertPathBuilder.java:126)
at java.security.cert.CertPathBuilder.build(CertPathBuilder.java:280)
at sun.security.validator.PKIXValidator.doBuild(PKIXValidator.java:434)
... 37 common frames omitted

 

Regards,

Latha

@vi 

 

Refer to the following help center guide, navigate to the section When Using SSL/TLS and set the environment variable as mentioned there. Make sure that you do NOT use double quotation marks when setting the environment variable on Windows. If you use them, the Connector will fail to start.

 

Regards,

Sachin

Hi,

I have followed the same as mentioned in the document. Here, does 'cacerts-customized' mean the certificate name?

 

set AZURE_IOT_OPTS=-Djavax.net.ssl.trustStore=
<your-connector-path-to-certs>cacerts-customized
-Djavax.net.ssl.trustStorePassword=new-password
below is my configuration:
AZURE_IOT_OPTS=-Djavax.net.ssl.trustStore=C:\\Program Files\\Apache Software Foundation\\Tomcat 9.0\\conf\\cerificatename.pfx -Djavax.net.ssl.trustStorePassword=xxxxx

 

Regards,

Latha

vi1
16-Pearl
(To:vi1)

Hi,

 

I have copied the same certificate that is available in the Tomcat conf folder into the IoT Hub connector conf folder. After placing the certificate into the IoT Hub conf folder, I updated the path in the environment variable.

The Azure connector service is started, but it is not connected to the connection server and I am getting the below errors in cxserver.

 

Caused by: java.security.cert.CertificateException: No subject alternative DNS name matching localhost found.
at sun.security.util.HostnameChecker.matchDNS(HostnameChecker.java:219)
at sun.security.util.HostnameChecker.match(HostnameChecker.java:101)
at sun.security.ssl.X509TrustManagerImpl.checkIdentity(X509TrustManagerImpl.java:441)
at sun.security.ssl.X509TrustManagerImpl.checkIdentity(X509TrustManagerImpl.java:422)
at sun.security.ssl.X509TrustManagerImpl.checkTrusted(X509TrustManagerImpl.java:282)
at sun.security.ssl.X509TrustManagerImpl.checkServerTrusted(X509TrustManagerImpl.java:140)
at sun.security.ssl.CertificateMessage$T12CertificateConsumer.checkServerCerts(CertificateMessage.java:630)
... 31 common frames omitted
2021-04-12T02:50:46.579 [NettyClient-NIO-4] ERROR c.t.s.i.t.netty.NettyChannelHandler - [ClientHandler: 0abe5beb] WebSocket error: javax.net.ssl.SSLHandshakeException: java.security.cert.CertificateException: No subject alternative DNS name matching localhost found., closing connection!
io.netty.handler.codec.DecoderException: javax.net.ssl.SSLHandshakeException: java.security.cert.CertificateException: No subject alternative DNS name matching localhost found.
at io.netty.handler.codec.ByteToMessageDecoder.callDecode(ByteToMessageDecoder.java:468)
at io.netty.handler.codec.ByteToMessageDecoder.channelRead(ByteToMessageDecoder.java:276)
at io.netty.channel.AbstractChannelHandlerContext.invokeChannelRead(AbstractChannelHandlerContext.java:379)
at io.netty.channel.AbstractChannelHandlerContext.invokeChannelRead(AbstractChannelHandlerContext.java:365)
at io.netty.channel.AbstractChannelHandlerContext.fireChannelRead(AbstractChannelHandlerContext.java:357)
at io.netty.channel.DefaultChannelPipeline$HeadContext.channelRead(DefaultChannelPipeline.java:1410)
at io.netty.channel.AbstractChannelHandlerContext.invokeChannelRead(AbstractChannelHandlerContext.java:379)
at io.netty.channel.AbstractChannelHandlerContext.invokeChannelRead(AbstractChannelHandlerContext.java:365)
at io.netty.channel.DefaultChannelPipeline.fireChannelRead(DefaultChannelPipeline.java:919)
at io.netty.channel.nio.AbstractNioByteChannel$NioByteUnsafe.read(AbstractNioByteChannel.java:163)
at io.netty.channel.nio.NioEventLoop.processSelectedKey(NioEventLoop.java:714)
at io.netty.channel.nio.NioEventLoop.processSelectedKeysOptimized(NioEventLoop.java:650)
at io.netty.channel.nio.NioEventLoop.processSelectedKeys(NioEventLoop.java:576)
at io.netty.channel.nio.NioEventLoop.run(NioEventLoop.java:493)
at io.netty.util.concurrent.SingleThreadEventExecutor$4.run(SingleThreadEventExecutor.java:989)
at io.netty.util.internal.ThreadExecutorMap$2.run(ThreadExecutorMap.java:74)
at java.lang.Thread.run(Thread.java:748)
Caused by: javax.net.ssl.SSLHandshakeException: java.security.cert.CertificateException: No subject alternative DNS name matching localhost found.
at sun.security.ssl.Alert.createSSLException(Alert.java:131)
at sun.security.ssl.TransportContext.fatal(TransportContext.java:353)
at sun.security.ssl.TransportContext.fatal(TransportContext.java:296)
at sun.security.ssl.TransportContext.fatal(TransportContext.java:291)
at sun.security.ssl.CertificateMessage$T12CertificateConsumer.checkServerCerts(CertificateMessage.java:652)
at sun.security.ssl.CertificateMessage$T12CertificateConsumer.onCertificate(CertificateMessage.java:471)
at sun.security.ssl.CertificateMessage$T12CertificateConsumer.consume(CertificateMessage.java:367)
at sun.security.ssl.SSLHandshake.consume(SSLHandshake.java:376)
at sun.security.ssl.HandshakeContext.dispatch(HandshakeContext.java:444)
at sun.security.ssl.SSLEngineImpl$DelegatedTask$DelegatedAction.run(SSLEngineImpl.java:983)
at sun.security.ssl.SSLEngineImpl$DelegatedTask$DelegatedAction.run(SSLEngineImpl.java:970)
at java.security.AccessController.doPrivileged(Native Method)
at sun.security.ssl.SSLEngineImpl$DelegatedTask.run(SSLEngineImpl.java:917)
at io.netty.handler.ssl.SslHandler.runAllDelegatedTasks(SslHandler.java:1510)
at io.netty.handler.ssl.SslHandler.runDelegatedTasks(SslHandler.java:1524)
at io.netty.handler.ssl.SslHandler.unwrap(SslHandler.java:1408)
at io.netty.handler.ssl.SslHandler.decodeJdkCompatible(SslHandler.java:1235)
at io.netty.handler.ssl.SslHandler.decode(SslHandler.java:1282)
at io.netty.handler.codec.ByteToMessageDecoder.decodeRemovalReentryProtection(ByteToMessageDecoder.java:498)
at io.netty.handler.codec.ByteToMessageDecoder.callDecode(ByteToMessageDecoder.java:437)
... 16 common frames omitted
Caused by: java.security.cert.CertificateException: No subject alternative DNS name matching localhost found.
at sun.security.util.HostnameChecker.matchDNS(HostnameChecker.java:219)
at sun.security.util.HostnameChecker.match(HostnameChecker.java:101)
at sun.security.ssl.X509TrustManagerImpl.checkIdentity(X509TrustManagerImpl.java:441)
at sun.security.ssl.X509TrustManagerImpl.checkIdentity(X509TrustManagerImpl.java:422)
at sun.security.ssl.X509TrustManagerImpl.checkTrusted(X509TrustManagerImpl.java:282)
at sun.security.ssl.X509TrustManagerImpl.checkServerTrusted(X509TrustManagerImpl.java:140)
at sun.security.ssl.CertificateMessage$T12CertificateConsumer.checkServerCerts(CertificateMessage.java:630)
... 31 common frames omitted

 

Regards,

Latha

nmilleson
17-Peridot
(To:vi1)

Assuming you're using a self-signed cert, I ran into this same issue. You'll need to recreate your cert and make sure you include a SAN.

 

When you create the cert using keytool, include

 

-ext "SAN=IP:<your twx ip>"

OR

 -ext "SAN=DNS:<twx dns>"

 
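The two errors in this thread are the two halves of the same setup: the PKIX failure means the connector's truststore does not contain the ThingWorx certificate (a .pfx server keystore is not a truststore), and the SAN failure means the certificate carries no name matching the host in the platforms URL. The script below is an added example, not code from the thread or from PTC's documentation: it derives the host from the platforms URL, issues a self-signed cert with a matching SAN via keytool, imports only the public cert into a separate cacerts-customized truststore, and prints the AZURE_IOT_OPTS value. Alias, directory and passwords are placeholders; on Windows the same keytool commands apply, but the variable is set with set AZURE_IOT_OPTS=... and no quotation marks.

```shell
#!/bin/sh
# Added example (not from the thread or PTC docs). Assumed: alias "thingworx",
# working directory ./twx-ssl, placeholder passwords. Requires keytool on PATH.
set -eu

WORKDIR="${WORKDIR:-./twx-ssl}"
KEYSTORE_PASS="${KEYSTORE_PASS:-change-me-keystore}"    # placeholder
TRUSTSTORE_PASS="${TRUSTSTORE_PASS:-change-me-trust}"   # placeholder

# Host part of a wss:// or https:// URL, e.g.
# wss://twx.example.internal:443/Thingworx/WS -> twx.example.internal
platform_host() {
    printf '%s\n' "$1" | sed -E 's#^[a-z]+://([^/:]+).*#\1#'
}

# keytool -ext value: IP for a dotted quad, DNS for anything else.
san_ext() {
    case "$1" in
        *[!0-9.]*) printf 'SAN=DNS:%s\n' "$1" ;;
        *)         printf 'SAN=IP:%s\n'  "$1" ;;
    esac
}

# Key pair with SAN -> export public cert -> import into a dedicated
# truststore. The JRE's own cacerts and the server .pfx stay untouched.
make_truststore() {
    host="$1"
    mkdir -p "$WORKDIR"
    keytool -genkeypair -alias thingworx -keyalg RSA -keysize 2048 -validity 365 \
        -dname "CN=$host" -ext "$(san_ext "$host")" -storetype PKCS12 \
        -keystore "$WORKDIR/thingworx.p12" -storepass "$KEYSTORE_PASS" >/dev/null 2>&1
    keytool -exportcert -alias thingworx -keystore "$WORKDIR/thingworx.p12" \
        -storepass "$KEYSTORE_PASS" -rfc -file "$WORKDIR/thingworx.crt" >/dev/null 2>&1
    keytool -importcert -noprompt -alias thingworx -file "$WORKDIR/thingworx.crt" \
        -storetype PKCS12 -keystore "$WORKDIR/cacerts-customized" \
        -storepass "$TRUSTSTORE_PASS" >/dev/null 2>&1
}

# Truststore lists the alias AND the cert's SAN names the host.
verify_truststore() {
    keytool -list -keystore "$WORKDIR/cacerts-customized" -storepass "$TRUSTSTORE_PASS" \
        | grep -q '^thingworx,' &&
    keytool -printcert -file "$WORKDIR/thingworx.crt" | grep -Eq "(DNSName|IPAddress): $1"
}

if [ -n "${1:-}" ]; then   # usage: ./twx-truststore.sh wss://host:443/Thingworx/WS
    host=$(platform_host "$1"); make_truststore "$host"; verify_truststore "$host"
    printf 'AZURE_IOT_OPTS=-Djavax.net.ssl.trustStore=%s/cacerts-customized' "$WORKDIR"
    printf ' -Djavax.net.ssl.trustStorePassword=%s\n' "$TRUSTSTORE_PASS"
fi
```

The host passed to keytool must be exactly the one in the platforms URL (localhost in this thread), otherwise the hostname check fails even with a valid chain.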

vi1
16-Pearl
(To:nmilleson)

Hi,

 

Thank you for response.

I have added the domain name. The connection server is established, but the IoT Hub connector thing is not connected. I am using the same certificate for ThingWorx and the IoT Hub connector.

 

Regards,

Latha

nmilleson
17-Peridot
(To:vi1)

Can you share the log output again?

vi1
16-Pearl
(To:nmilleson)

Hi,

 

This issue was resolved through a support ticket. We added the SSL certificate into the Java trust store. After that, the connection between ThingWorx and Azure IoT Hub was established.

 

Thank you

Latha
