
IMiS ARChive v9 common misconfiguration errors when using RFC3161 timestamp service

Product: IMiS/ARChive
Release: All
Date: 08/07/2020

Case: The RFC3161 timestamp service on IMiS/ARChive v9 may fail for different reasons (network error, misconfiguration, ...). Here we present a few error examples that result from provider or certificate store misconfiguration.

Description:

Example 1:
08/06/20 08:05:13.845 [iarcd:22202:2072148800] ERR[3] Error occurred while creating timestamp. Reason: 'Error creating timestamp. Reason: com.imis.imisarc.server.tsp.TimeStampingProtocolException: java.io.IOException: unknown tag 28 encountered
  com.imis.imisarc.server.tsp.impl.RFC3161Session.createTimeStamp(RFC3161Session.java:272)
Caused by: java.io.IOException: unknown tag 28 encountered
  org.bouncycastle.asn1.ASN1InputStream.buildObject(Unknown Source)
  org.bouncycastle.asn1.ASN1InputStream.readObject(Unknown Source)
  org.bouncycastle.tsp.TimeStampResponse.readTimeStampResp(Unknown Source)
  org.bouncycastle.tsp.TimeStampResponse.<init>(Unknown Source)
  org.bouncycastle.tsp.TimeStampResponse.<init>(Unknown Source)
  com.imis.imisarc.server.tsp.impl.RFC3161Session.createTimeStamp(RFC3161Session.java:262)' at 'src/iajtsp.cpp:320'

08/06/20 12:52:00.830 [iarcd:9379:7f78726b8700] ERR[3] Error occurred while creating timestamp. Reason: 'Error creating timestamp. Reason: com.imis.imisarc.server.tsp.TimeStampingProtocolException: java.io.EOFException: DEF length 105 object truncated by 75
  com.imis.imisarc.server.tsp.impl.RFC3161Session.createTimeStamp(RFC3161Session.java:272)
Caused by: java.io.EOFException: DEF length 105 object truncated by 75
  org.bouncycastle.asn1.DefiniteLengthInputStream.toByteArray(Unknown Source)
  org.bouncycastle.asn1.ASN1InputStream.buildObject(Unknown Source)
  org.bouncycastle.asn1.ASN1InputStream.readObject(Unknown Source)
  org.bouncycastle.tsp.TimeStampResponse.readTimeStampResp(Unknown Source)
  org.bouncycastle.tsp.TimeStampResponse.<init>(Unknown Source)
  org.bouncycastle.tsp.TimeStampResponse.<init>(Unknown Source)
  com.imis.imisarc.server.tsp.impl.RFC3161Session.createTimeStamp(RFC3161Session.java:262)' at 'src/iajtsp.cpp:316'

Solution:
This kind of error indicates that the RFC3161 timestamp response cannot be parsed. In most cases this means that the timestamp service provider address is not valid. The following configuration example shows the Entrust timestamp service provider:

<Class>com.imis.imisarc.server.tsp.impl.RFC3161Provider</Class>
<WorkingDirectory>/iarc/work/tsp/</WorkingDirectory>
<Service>
  <Protocol>HTTP</Protocol>
  <Address>http://timestamp.entrust.net/TSS/RFC3161sha2TS</Address>
  <Interface>RFC3161</Interface>
  <AuthType>NONE</AuthType>
</Service>
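The following diagnostic is added here and is not part of IMiS/ARChive; it sends a minimal RFC 3161 TimeStampReq to the configured <Address> and inspects the outer DER envelope of the reply, reproducing the two BouncyCastle messages from Example 1 (a reply starting with '<', i.e. an HTML page, is universal tag 28; a reply shorter than its declared length is "truncated by N"). The function names, the probe digest and the sample replies are constructed for this example.

```python
import hashlib
import urllib.error
import urllib.request

SHA256_OID = bytes.fromhex("608648016503040201")  # 2.16.840.1.101.3.4.2.1

def der(tag: int, content: bytes) -> bytes:
    """Minimal DER TLV encoder (short and long definite-length forms)."""
    n = len(content)
    nb = (n.bit_length() + 7) // 8
    length = bytes([n]) if n < 0x80 else bytes([0x80 | nb]) + n.to_bytes(nb, "big")
    return bytes([tag]) + length + content

def build_timestamp_req(sha256_digest: bytes) -> bytes:
    """TimeStampReq (RFC 3161 s2.4.1): version 1, SHA-256 imprint, certReq TRUE."""
    alg = der(0x30, der(0x06, SHA256_OID) + der(0x05, b""))
    imprint = der(0x30, alg + der(0x04, sha256_digest))
    return der(0x30, der(0x02, b"\x01") + imprint + der(0x01, b"\xff"))

def diagnose_response(body: bytes) -> str:
    """Classify a TSA reply the way BouncyCastle's ASN1InputStream would fail on it."""
    if not body:
        return "empty: no bytes returned by the provider"
    tag_number = body[0] & 0x1F
    if tag_number != 0x10:  # TimeStampResp must open with SEQUENCE (universal tag 16)
        # '<' is 0x3C, universal tag 28: an HTML error page instead of a DER reply
        hint = "HTML page, not DER: check <Address>" if body[:1] == b"<" else "not a DER SEQUENCE"
        return f"unknown tag {tag_number} encountered: {hint}"
    first = body[1] if len(body) > 1 else 0
    nb = first & 0x7F if first > 0x80 else 0  # long-form length is 0x80|n followed by n bytes
    declared = int.from_bytes(body[2:2 + nb], "big") if nb else first
    available = len(body) - (2 + nb)
    if available < declared:
        return f"DEF length {declared} object truncated by {declared - available}: reply cut short"
    return f"ok: DER SEQUENCE of {declared} bytes, hand it to the RFC3161 parser"

def probe(address: str, timeout: float = 10.0) -> str:
    """POST a query to the configured <Address>; a 4xx/5xx page is still diagnosed."""
    req = urllib.request.Request(address, method="POST",
                                 data=build_timestamp_req(hashlib.sha256(b"probe").digest()),
                                 headers={"Content-Type": "application/timestamp-query"})
    try:
        with urllib.request.urlopen(req, timeout=timeout) as resp:
            ctype, body = resp.headers.get("Content-Type", ""), resp.read()
    except urllib.error.HTTPError as exc:
        ctype, body = exc.headers.get("Content-Type", ""), exc.read()
    if not ctype.startswith("application/timestamp-reply"):  # RFC 3161 s3.4
        return diagnose_response(body) + f" [Content-Type was '{ctype}']"
    return diagnose_response(body)
```

Run `probe("http://timestamp.entrust.net/TSS/RFC3161sha2TS")` against the configured address; a diagnosis other than "ok" means the address, a proxy or a response limit needs attention before the server-side configuration is touched.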

Example 2:
08/06/20 13:26:00.032 [iarcd:9379:7f7871eb7700] ERR[3] Error occurred while creating timestamp. Reason: 'Error creating timestamp. Reason: com.imis.imisarc.server.tsp.TimeStampingProtocolException:
 org.apache.http.client.ClientProtocolException
  com.imis.imisarc.server.tsp.impl.RFC3161Session.createTimeStamp(RFC3161Session.java:272)
Caused by: org.apache.http.client.ClientProtocolException
  org.apache.http.impl.client.AbstractHttpClient.doExecute(AbstractHttpClient.java:839)
  org.apache.http.impl.client.CloseableHttpClient.execute(CloseableHttpClient.java:83)
  com.imis.imisarc.server.tsp.impl.RFC3161Session.createTimeStamp(RFC3161Session.java:219)
Caused by: org.apache.http.HttpException: Scheme 'https' not registered.
  org.apache.http.impl.conn.DefaultHttpRoutePlanner.determineRoute(DefaultHttpRoutePlanner.java:111)
  org.apache.http.impl.client.DefaultRequestDirector.determineRoute(DefaultRequestDirector.java:756)
  org.apache.http.impl.client.DefaultRequestDirector.execute(DefaultRequestDirector.java:375)
  org.apache.http.impl.client.AbstractHttpClient.doExecute(AbstractHttpClient.java:835)
  org.apache.http.impl.client.CloseableHttpClient.execute(CloseableHttpClient.java:83)
  com.imis.imisarc.server.tsp.impl.RFC3161Session.createTimeStamp(RFC3161Session.java:219)' at 'src/iajtsp.cpp:316'

Solution:
This kind of error indicates an SSL misconfiguration of the timestamp provider. When using a timestamp service over SSL, additional parameters must be set in the timestamp provider configuration.
Configuration example:

<Class>com.imis.imisarc.server.tsp.impl.RFC3161Provider</Class>
<WorkingDirectory>/iarc/work/tsp/</WorkingDirectory>
<Service>
  <Protocol>HTTPS</Protocol>
  <Address>https://path-to-ssl-capable-timestamp-provider-url</Address>
  <Interface>RFC3161</Interface>
  <AuthType>NONE</AuthType>
  <SSLTSType>IAKS</SSLTSType>
  <SSLProtocols>TLS</SSLProtocols>
</Service>

Example 3:
08/07/20 08:26:00.032 [iarcd:7853:7fb7ef7fe700] DBG[7] Timestamping started...
08/07/20 08:26:00.532 [iarcd:7853:7fb7ef7fe700] DBG[7] Timestamping finished.
08/07/20 08:26:00.532 [iarcd:7853:7fb7ef7fe700] DBG[7] Timestamp verification started...
08/07/20 08:26:00.533 [iarcd:7853:7fb7ef7fe700] DBG[7] Timestamp token analyze begin.
08/07/20 08:26:00.533 [iarcd:7853:7fb7ef7fe700] DBG[7] Timestamp PKCS7 token type: NID_pkcs7_signed
08/07/20 08:26:00.534 [iarcd:7853:7fb7ef7fe700] DBG[7] Number of certificates: '2'.
08/07/20 08:26:00.534 [iarcd:7853:7fb7ef7fe700] DBG[7] Timestamp token creation time: '2020-08-07T06:26:00.223Z'.
08/07/20 08:26:00.534 [iarcd:7853:7fb7ef7fe700] DBG[7] Timestamp token analyze end.
08/07/20 08:26:00.535 [iarcd:7853:7fb7ef7fe700] DBG[7] Certificate is already in cache and will replace certificate body owner. Cached instance: subject: '/C=US/O=Entrust, Inc./OU=See www.entrust.net/legal-terms/OU=(c) 2015 Entrust, Inc. - for authorized use only/CN=Entrust Timestamping CA - TS1', serial: '58da13ff0000000051ce0df7'.
08/07/20 08:26:00.535 [iarcd:7853:7fb7ef7fe700] DBG[7] Certificate (subject: '/C=US/O=Entrust, Inc./OU=See www.entrust.net/legal-terms/OU=(c) 2015 Entrust, Inc. - for authorized use only/CN=Entrust Timestamping CA - TS1', serial: '58da13ff0000000051ce0df7') revocation status is 'VALID'.
08/07/20 08:26:00.536 [iarcd:7853:7fb7ef7fe700] ERR[3] Error occurred during timestamp check. Reason: 'Certificate (subject '/C=US/O=Entrust, Inc./OU=See www.entrust.net/legal-terms/OU=(c) 2015 Entrust, Inc. - for authorized use only/CN=Entrust Timestamping CA - TS1', serial '58da13ff0000000051ce0df7') is CA certificate and will not be inserted in database.'.
08/07/20 08:26:00.536 [iarcd:7853:7fb7ef7fe700] DBG[7] CleanupOnFailure started (AipQueueIds '2', CreateAipQueueIds '0', TimestampId '0').
08/07/20 08:26:00.541 [iarcd:7853:7fb7ef7fe700] DBG[7] CleanupOnFailure ended.
08/07/20 08:26:00.542 [iarcd:7853:7fb7ef7fe700] DBG[7] Timestamp job end.
08/07/20 08:26:00.542 [iarcd:7853:7fb7ef7fe700] DBG[7] Schedule finished.

Solution:
This kind of error indicates that the timestamp certificate (or one of the certificates in the timestamp certificate chain) is marked as CA but is not present and trusted in the server certificate store. To fix this, the CA certificate must be added manually to the server certificate store through administration and must be trusted (enabled).


Related Documents:

https://docs.oracle.com/javase/8/docs/technotes/guides/security/StandardNames.html#SSLContext
https://docs.oracle.com/javase/9/security/java-secure-socket-extension-jsse-reference-guide.htm#JSSEC-GUID-F069F4ED-DF2C-4B3B-90FB-F89E700CF21A
https://docs.oracle.com/cd/E19509-01/820-3503/6nf1il6er/index.html
