Solved: SSL connection Tomcat 8.5

konyicska · ‎Feb 07, 2019

I have installed a certificate issued and signed by a trusted Certification Authority (CA) in my Tomcat 8.5.23 Ubuntu server.

I have followed these steps: https://www.ptc.com/en/support/article?n=CS193947

I can connect to Composer over https and over http it redirects me to https.

When I try the SteamSensorConsole app with this url: wss://aaa.bbb.com:433/Thingworx/WS I get this error:

[Error] Error intializing socket connection. Err = -1
[Error] twWs_Connect: Error restarting socket. Error 0

I have tried these configurations:

config.AllowSelfSignedCertificates = false;
config.DisableCertValidation = true;

And these:

config.AllowSelfSignedCertificates = false;
config.DisableCertValidation = false;

Both with same results.

Do I have to configure something else? Or I have to change something in Tomcat configuration?

konyicska · ‎Feb 08, 2019

Finally my configuration that works is this:

config.AllowSelfSignedCertificates = false;
config.DisableCertValidation = true;

server.xml

<Connector 
    	port="443" 
    	protocol="org.apache.coyote.http11.Http11NioProtocol"
		maxThreads="150"
		SSLEnabled="true" 
		scheme="https" 
		secure="true"
		keystoreFile="*"
		keystorePass="*" 
		clientAuth="false" 
		sslProtocol="TLS"
		acceptorThreadCount="2"
		socket.txBufSize="24576"
		ciphers="TLS_DHE_RSA_WITH_3DES_EDE_CBC_SHA, TLS_DHE_RSA_WITH_AES_128_CBC_SHA, TLS_DHE_RSA_WITH_AES_128_CBC_SHA256, TLS_DHE_RSA_WITH_AES_128_GCM_SHA256, TLS_DHE_RSA_WITH_AES_256_CBC_SHA, TLS_DHE_RSA_WITH_AES_256_CBC_SHA256, TLS_DHE_RSA_WITH_AES_256_GCM_SHA384, TLS_ECDHE_RSA_WITH_3DES_EDE_CBC_SHA, TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA, TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA256, TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256, TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA, TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA384, TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384, TLS_RSA_WITH_AES_256_CBC_SHA, TLS_RSA_WITH_AES_128_CBC_SHA" />

Take a look at sslProtocol, if I put TLSv1,TLSv1.1,TLSv1.2 I can´t access Composer. I get

ERR CONNECTION TIMED OUT

Differences between TLS and TLSv1, TLSv1.1, TLSv1.2: https://security.stackexchange.com/questions/705/what-are-the-differences-between-the-versions-of-tls?answertab=votes#tab-top

I have one question:

config.DisableCertValidation = true; if I change this to false I have to provide the browser/public certificate? What is the best practice in production?

Thanks @tmisner !!!

View solution in original post

tmisner · ‎Feb 07, 2019

Hello konyicska,

When looking into this error internally I believe it may a disconnect between the SSL protocols and ciphers available between the edge application and the server.

The proposed resolution is to expand the protocols and ciphers allowed by the Tomcat server by editing the server.xml file. See the following example:

<Connector port="443"
protocol="org.apache.coyote.http11.Http11NioProtocol"
acceptorThreadCount="2"
maxThreads="1000"
socket.txBufSize="24576"
scheme="https"
secure="true"
SSLEnabled="true"
keystoreFile="Keystore_File"
keystorePass="Keystore_Password"
clientAuth="false"
sslProtocol="TLSv1,TLSv1.1,TLSv1.2"
ciphers="TLS_RSA_WITH_AES_128_CBC_SHA256,TLS_RSA_WITH_AES_128_CBC_SHA,TLS_RSA_WITH_AES_256_CBC_SHA256,TLS_RSA_WITH_AES_256_CBC_SHA,SSL_RSA_WITH_RC4_128_SHA"
/>

Please refer to this article for further details:

https://www.ptc.com/en/support/article?n=CS286924

Regards,

Tyler Misner

ThingWorx Technical Support Engineer

konyicska · ‎Feb 07, 2019

I made that change and nothing, I got same results.

EDIT:

I made a mistake, I used port 433 instead 443. Now my error is:

[Error] Error intializing SSL connection
[Error] twWs_Connect: Error restarting socket.  Error 0

tmisner · ‎Feb 07, 2019

Hello again konyicska,

Thank you for the update here.

I had seen port 433 mentioned in the post and had figured that was simply a typo when submitting your initial inquiry. My apologies for not mentioning that as a potential issue in my response.

Lets verify a couple of things here:

Confirm the Application Key you are using is not expired
Provide the URI you are entering at the command line when running the application

In the meantime I will proceed to configure the SteamSensorConsole example myself and report back.

Regards,

Tyler Misner

ThingWorx Technical Support Engineer

tmisner · ‎Feb 07, 2019

Hello k,

After a bit of setup and some testing internally I was able to get the SteamSensorConsole example from the .NET SDK to work correctly.

I was able to reproduce the error you had mentioned in your latest post. The resolution for me did indeed turn out to be related to ciphers. Please try utilizing this more extensive list of ciphers in your deployment:

ciphers="TLS_DHE_RSA_WITH_3DES_EDE_CBC_SHA, TLS_DHE_RSA_WITH_AES_128_CBC_SHA, 
	TLS_DHE_RSA_WITH_AES_128_CBC_SHA256, TLS_DHE_RSA_WITH_AES_128_GCM_SHA256, 
	TLS_DHE_RSA_WITH_AES_256_CBC_SHA, TLS_DHE_RSA_WITH_AES_256_CBC_SHA256, 
	TLS_DHE_RSA_WITH_AES_256_GCM_SHA384, TLS_ECDHE_RSA_WITH_3DES_EDE_CBC_SHA, 
	TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA, TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA256, 
	TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256, TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA, 
	TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA384, TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384, 
	TLS_RSA_WITH_AES_256_CBC_SHA, TLS_RSA_WITH_AES_128_CBC_SHA"

Regards,

Tyler Misner

ThingWorx Technical Support Engineer

konyicska · ‎Feb 08, 2019

Finally my configuration that works is this:

config.AllowSelfSignedCertificates = false;
config.DisableCertValidation = true;

server.xml

<Connector 
    	port="443" 
    	protocol="org.apache.coyote.http11.Http11NioProtocol"
		maxThreads="150"
		SSLEnabled="true" 
		scheme="https" 
		secure="true"
		keystoreFile="*"
		keystorePass="*" 
		clientAuth="false" 
		sslProtocol="TLS"
		acceptorThreadCount="2"
		socket.txBufSize="24576"
		ciphers="TLS_DHE_RSA_WITH_3DES_EDE_CBC_SHA, TLS_DHE_RSA_WITH_AES_128_CBC_SHA, TLS_DHE_RSA_WITH_AES_128_CBC_SHA256, TLS_DHE_RSA_WITH_AES_128_GCM_SHA256, TLS_DHE_RSA_WITH_AES_256_CBC_SHA, TLS_DHE_RSA_WITH_AES_256_CBC_SHA256, TLS_DHE_RSA_WITH_AES_256_GCM_SHA384, TLS_ECDHE_RSA_WITH_3DES_EDE_CBC_SHA, TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA, TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA256, TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256, TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA, TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA384, TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384, TLS_RSA_WITH_AES_256_CBC_SHA, TLS_RSA_WITH_AES_128_CBC_SHA" />

Take a look at sslProtocol, if I put TLSv1,TLSv1.1,TLSv1.2 I can´t access Composer. I get

ERR CONNECTION TIMED OUT

Differences between TLS and TLSv1, TLSv1.1, TLSv1.2: https://security.stackexchange.com/questions/705/what-are-the-differences-between-the-versions-of-tls?answertab=votes#tab-top

I have one question:

config.DisableCertValidation = true; if I change this to false I have to provide the browser/public certificate? What is the best practice in production?

Thanks @tmisner !!!

tmisner · ‎Feb 08, 2019

Hello konyicska,

Glad you were able to get this working.

With respect to setting config.DisableCertValidation = false in the future you will indeed need to point the edge application at a valid certificate which corresponds to the certificate used by Tomcat.

The best practice for these settings in Production is having DisableCertValidiation set to false (so that certs are checked). config.AllowSelfSignedCertificates should also be set to false (as Self Signed Certificates are not very secure).

The way to go about setting certificate validation is noted in the Dotnet Developers guide on Page 29 under the "ClientConfigurator: Client/Server CertificateValidation" section.

Regards,

Tyler Misner

ThingWorx Technical Support Engineer