Does anyone know how to use JKS Keystore files with Ensemble?

Comments

What are you trying to do with the keystore?  Are you using it as your client certificate for the SSL part of an https connection?  If so, you can't use a keystore for this and will have to convert the certificate and key to PEM format.  If not, can you give a description of what you're trying to do with it?

Thanks for the reply

I am trying to populate an SSL/TLS configuration so that I can use it in a SOAP business operation to call a third-party web service.

They have also supplied me with CER and PEM files (instead of JKS) which I used to populate the configuration but I am getting ERROR #988: SSL handshake failed when I test the configuration.

That error is the generic failure, so it doesn't tell us what's wrong.  You can get more information by enabling the network debug flags:

%SYS>d INTSET^REDEBUG("FFFFFFFF")

and then trying again.  Detailed errors will be printed in the cconsole.log.  This level of debug info can fill the log quickly, so remember to set the level back to "FF" after you're done testing.

Also note that the test button in a configuration can't handle any protocols where there are messages before the TLS handshake.  This shouldn't be a problem for https, but it may be an issue for SMTP, FTPS, etc.

Here is what I am seeing in the log. Does this help?

SSL/TLS configuration: VeratoSSL
03/22/18-17:50:54:296 (15940) 0 
Cipher list: ALL:!aNULL:!eNULL:!EXP:!SSLv2
03/22/18-17:50:54:297 (15940) 0 
Certificate file: C:\Zak\verato\northwell.cer
03/22/18-17:50:54:297 (15940) 0 
Setting private key file encryption password
03/22/18-17:50:54:298 (15940) 0 
Private key file: C:\Zak\verato\northwell.pem
03/22/18-17:50:54:302 (15940) 0 
Peer verification option = 0, certificate depth = 9
03/22/18-17:50:54:302 (15940) 0 
SSL/TLS client requested.
03/22/18-17:50:54:336 (15940) 0 
SSL/TLS error return from SSL_connect().
03/22/18-17:50:54:336 (15940) 0 
SSL_ERROR_SSL: protocol error
03/22/18-17:50:54:337 (15940) 0 
error:14077410:SSL routines:SSL23_GET_SERVER_HELLO:sslv3 alert handshake failure
03/22/18-17:50:54:338 (15940) 0 
TPXMIT saw TCP device fail
03/22/18-17:50:58:355 (3336) 0 tpopen for host 127.0.0.1 device number 62975 port 62975  mode 0x8088 tcpmode 0x0 terminators  ibfsz 1024 obfsz 1024 queuesize 5 timeout 4 tcpsbuf=0 tcprbuf=0, XY=on, BINDTO=
03/22/18-17:50:58:356 (3336) 0 TCPConnect: SNDBUF sys size=64512, dev size=0
03/22/18-17:50:58:357 (3336) 0 TCPConnect: RCVBUF sys size=8192, dev size=0
03/22/18-17:50:58:359 (3336) 0 
TCP connected to site 127.0.0.1 port 62975
03/22/18-17:50:58:360 (3336) 0 StreamInit: SNDBUF sys size=64512, dev size=0
03/22/18-17:50:58:361 (3336) 0 StreamInit: RCVBUF sys size=8192, dev size=0
03/22/18-17:51:08:364 (3336) 0 tpopen for host 127.0.0.1 device number 62975 port 62975  mode 0x8088 tcpmode 0x0 terminators  ibfsz 1024 obfsz 1024 queuesize 5 timeout 4 tcpsbuf=0 tcprbuf=0, XY=on, BINDTO=
03/22/18-17:51:08:366 (3336) 0 TCPConnect: SNDBUF sys size=64512, dev size=0
03/22/18-17:51:08:367 (3336) 0 TCPConnect: RCVBUF sys size=8192, dev size=0
03/22/18-17:51:08:369 (3336) 0 
TCP connected to site 127.0.0.1 port 62975
03/22/18-17:51:08:371 (3336) 0 StreamInit: SNDBUF sys size=64512, dev size=0
03/22/18-17:51:08:372 (3336) 0 StreamInit: RCVBUF sys size=8192, dev size=0

This isn't one of the errors that's easy to diagnose based on the client log, unfortunately.  Here are a couple of the most likely things it could be:

- This error can happen when the client and server don't support compatible versions of TLS.  For example, if you're configured to use only TLS v1.0 and the server wants TLS v1.2.  This is more likely if you're using an older version of Ensemble which doesn't support TLS v1.2.  Which versions of SSL/TLS have you enabled? (Note: trying to fix this by enabling all possible versions is a bad idea.  SSLv3 should not be used.) 

- This could also mean that the server requires server name indication (SNI) and the SNI info is not being sent by your client.  SNI is supported in Ensemble 2017.2. 

This isn't causing your failure, but I would recommend that you change the value of peer certificate verification from 'none' to 'required'.  As a client, you want to check that you're connecting to the server you think you are, not another server pretending to be that one.   You will need to set a certificate authority file for this to work.
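A small Python triage helper, added here as an illustration and not code from this thread or from InterSystems: it pulls the TLS-relevant facts out of a REDEBUG-level cconsole.log excerpt like the one posted above and raises the three checks discussed in this thread (a JKS keystore where PEM is needed, peer verification set to none, and the handshake-failure alert). The sample log is constructed from the shape of the posted excerpt, and the advice strings are assumptions tied to this thread, not product output.

```python
import re
# Constructed sample in the shape of the cconsole.log excerpt posted above; not the real log.
SAMPLE_LOG = r"""SSL/TLS configuration: VeratoSSL
03/22/18-17:50:54:297 (15940) 0
Certificate file: C:\Zak\verato\northwell.cer
03/22/18-17:50:54:298 (15940) 0
Private key file: C:\Zak\verato\northwell.pem
03/22/18-17:50:54:302 (15940) 0
Peer verification option = 0, certificate depth = 9
03/22/18-17:50:54:337 (15940) 0
error:14077410:SSL routines:SSL23_GET_SERVER_HELLO:sslv3 alert handshake failure
03/22/18-17:50:58:355 (3336) 0 tpopen for host 127.0.0.1 device number 62975 port 62975
"""
# "MM/DD/YY-HH:MM:SS:mmm (pid) n" prefix; the message follows on the same line or on the next.
PREFIX_RE = re.compile(r"^\d\d/\d\d/\d\d-\d\d:\d\d:\d\d:\d{3} \(\d+\) \d+\s*(.*)$")
FIELD_RES = {
    "config": re.compile(r"^SSL/TLS configuration: (.+)$"),
    "cert_file": re.compile(r"^Certificate file: (.+)$"),
    "key_file": re.compile(r"^Private key file: (.+)$"),
    "peer_verification": re.compile(r"^Peer verification option = (\d+)"),
}

def parse_tls_debug(log_text):
    """Pull the TLS-relevant facts out of a REDEBUG-level log excerpt."""
    facts = {**{k: None for k in FIELD_RES}, "openssl_errors": []}
    for raw in log_text.splitlines():
        m = PREFIX_RE.match(raw.strip())
        msg = (m.group(1) if m else raw).strip()
        if not msg:
            continue  # a timestamp prefix whose message is on the next line
        for key, rx in FIELD_RES.items():
            f = rx.match(msg)
            if f:
                facts[key] = int(f.group(1)) if key == "peer_verification" else f.group(1)
        if msg.startswith(("error:", "SSL_ERROR_")):  # OpenSSL error lines
            facts["openssl_errors"].append(msg)
    return facts

def assess(facts):
    """Turn the parsed facts into the checks raised in this thread (wording is ours)."""
    issues = []
    for key in ("cert_file", "key_file"):
        if facts[key] and facts[key].lower().endswith(".jks"):
            issues.append(f"{key} is a JKS keystore; convert the certificate and key to PEM")
    if facts["peer_verification"] == 0:
        issues.append("peer verification is 'none'; set it to 'required' and configure a CA file")
    if any("handshake failure" in e for e in facts["openssl_errors"]):
        issues.append("server rejected the handshake; check the enabled TLS versions "
                      "(keep SSLv3 off) and whether the server requires SNI")
    return issues
```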

Thanks for all your help. I was finally able to get the communication working by unchecking the SSLv3 Protocol in the configuration.