BGS2 AT^SBNW=is_cert,1 command fails - Cinterion Transport Layer Security for Client TCP/IP Services documentation not detailed enough | Telit Cinterion IoT Developer Community
September 24, 2014 - 6:43pm
I am involved in developing a tracking system using Cinterion BGS2 M2M modems and I am having problems loading TLS certificates using the Java tools provided and it has also failed when using the AT^SBNW=is_cert,1 command.
I get the following error:
AT^SBNW=is_cert,1 CONNECT
SECURE CMD READY: SEND COMMAND ...
SECURE CMD TOO MANY DATA ERROR
OK
I am having problems understanding the details of the AT^SBNW=is_cert,1 command in the TLS documentation :-
Transport Layer Security for Client
TCP/IP Services
Application Note 62
Version: 04
DocId: wm01_wm02_an62_tls_v04
This document describes the formats but is not specific about message lengths – are they word counts or byte counts?
It would also be useful for it to show an example HEX dump of a valid certificate AT^SBNW=is_cert,1 upload message.
If anybody knows the answer to these questions please let me know - Jeff White jeffrey.white@projectirongate.co.uk
I have tried with the commands that Frozenwiki outlined above. The versions of keytool have probably changed recently, because it doesn't allow different passwords for the keypass and the storepass.
I run the following commands to make a client public certificate:
"C:\Program Files\Java\jdk-10\bin\keytool.exe" -genkeypair -alias client01 -keypass pwdclient -keystore client.ks -storepass pwdclient -sigalg SHA1withRSA -keyalg RSA
"C:\Program Files\Java\jdk-10\bin\keytool.exe" -exportcert -v -keystore client.ks -storepass pwdclient -alias client01 -file client01_pub.der
java -jar keystoretools\getPrivateKey.jar -alias client01 -keypass pwdclient -keystore client.ks -storepass pwdclient -keyfile client01_priv.der
java -jar cmd_ipcertmgr\win-x86\cmd_IpCertMgr.jar -serialPort COM3 -serialSpd 115200 -cmd writecert -certfile client01_pub.der -certIndex 0 -imei 099999001234561 -alias client01 -keypass pwdclient -keystore client.ks -storepass pwdclient -keyfile client01_priv.der
but it's the cmd_IpCertMgr.jar that now crashes:
T:\Groups\Embedded\Ed\ModemEncryption\Gemalto Centerion\wm02_tls_tools>java -jar cmd_ipcertmgr\win-x86\cmd_IpCertMgr.jar -serialPort COM3 -serialSpd 115200 -cmd writecert -certfile client01_pub.der -certIndex 0 -imei 099999001234561 -alias client01 -keypass pwdclient -keystore client.ks -storepass pwdclient -keyfile client01_priv.der
Exception in thread "main" java.lang.reflect.InvocationTargetException
at java.base/jdk.internal.reflect.NativeMethodAccessorImpl.invoke0(Native Method)
at java.base/jdk.internal.reflect.NativeMethodAccessorImpl.invoke(Unknown Source)
at java.base/jdk.internal.reflect.DelegatingMethodAccessorImpl.invoke(Unknown Source)
at java.base/java.lang.reflect.Method.invoke(Unknown Source)
at org.eclipse.jdt.internal.jarinjarloader.JarRsrcLoader.main(JarRsrcLoader.java:58)
Caused by: java.lang.NoClassDefFoundError: gnu/io/UnsupportedCommOperationException
at cmd_IpCertMgr.main(cmd_IpCertMgr.java:1001)
... 5 more
Caused by: java.lang.ClassNotFoundException: gnu.io.UnsupportedCommOperationException
at java.base/java.net.URLClassLoader.findClass(Unknown Source)
at java.base/java.lang.ClassLoader.loadClass(Unknown Source)
at java.base/java.lang.ClassLoader.loadClass(Unknown Source)
... 6 more
Is it saying there is something wrong with my com port? Does the serial library need an update to handle newer java?
Thanks in advance,
Ed.
I have been trying to follow the commands as modified by Frozenwiki. The keytool seems to have been updated to be stricter on the passwords so now the keypass and storepass must be the same.
Now, it's the cmd_IpCertMgr.jar that is crashing on me. It says there's some problem with the comm. Does the RxTx serial library need to be updated due to the updates in Java, or can anyone suggest what the problem might be? I have tried different COM ports, virtual ones with com0com and real ones.
T:\Groups\Embedded\Ed\ModemEncryption\Gemalto Centerion\wm02_tls_tools>"C:\Program Files\Java\jdk-10\bin\keytool.exe" -genkeypair -alias client01 -keypass pwdclient -keystore client.ks -storepass pwdclient -sigalg SHA1withRSA -keyalg RSA
T:\Groups\Embedded\Ed\ModemEncryption\Gemalto Centerion\wm02_tls_tools>"C:\Program Files\Java\jdk-10\bin\keytool.exe" -exportcert -v -keystore client.ks -storepass pwdclient -alias client01 -file client01_pub.der
Certificate stored in file <client01_pub.der>
T:\Groups\Embedded\Ed\ModemEncryption\Gemalto Centerion\wm02_tls_tools>java -jar keystoretools\getPrivateKey.jar -alias client01 -keypass pwdclient -keystore client.ks -storepass pwdclient -keyfile client01_priv.der
key saved in (client01_priv.der)
T:\Groups\Embedded\Ed\ModemEncryption\Gemalto Centerion\wm02_tls_tools>java -jar cmd_ipcertmgr\win-x86\cmd_IpCertMgr.jar -serialPort COM3 -serialSpd 115200 -cmd writecert -certfile client01_pub.der -certIndex 0 -imei 099999001234561 -alias client01 -keypass pwdclient -keystore client.ks -storepass pwdclient -keyfile client01_priv.der
Exception in thread "main" java.lang.reflect.InvocationTargetException
at java.base/jdk.internal.reflect.NativeMethodAccessorImpl.invoke0(Native Method)
at java.base/jdk.internal.reflect.NativeMethodAccessorImpl.invoke(Unknown Source)
at java.base/jdk.internal.reflect.DelegatingMethodAccessorImpl.invoke(Unknown Source)
at java.base/java.lang.reflect.Method.invoke(Unknown Source)
at org.eclipse.jdt.internal.jarinjarloader.JarRsrcLoader.main(JarRsrcLoader.java:58)
Caused by: java.lang.NoClassDefFoundError: gnu/io/UnsupportedCommOperationException
at cmd_IpCertMgr.main(cmd_IpCertMgr.java:1001)
... 5 more
Caused by: java.lang.ClassNotFoundException: gnu.io.UnsupportedCommOperationException
at java.base/java.net.URLClassLoader.findClass(Unknown Source)
at java.base/java.lang.ClassLoader.loadClass(Unknown Source)
at java.base/java.lang.ClassLoader.loadClass(Unknown Source)
... 6 more
Many thanks.
Hello,
What's the result when the keypass and storepass are not the same when you run keytool? Have you compared with older Java versions?
As for the cmd_ipCertMgr.jar tool, it doesn't seem to have anything to do with the previous problem. It is written in the documentation that JRE6 is recommended - have you tried? Java 10 is quite fresh - maybe there is really some problem with it.
And RXTX library ***** to be copied to the same directory as the "cmd_ipCertMgr.jar" tool also.
Regards,
Bartłomiej
Hi Bartłomiej,
Below is the whole output, but here are the two errors due to the passwords.
Keytool gives:
Warning: Different store and key passwords not supported for PKCS12 KeyStores. Ignoring user-specified -keypass value.
getPrivateKey.jar gives:
Get Key failed: Given final block not properly padded. Such issues can arise if a bad key is used during decryption.
Regarding the RXTX library, the file rxtxserial.dll was already in the \wm02_tls_tools\cmd_ipcertmgr\win-x86\ directory. Do I need anything more than that?
I will try an older version of java and let you know.
T:\Groups\Embedded\Ed\ModemEncryption\Gemalto Centerion\wm02_tls_tools>"C:\Program Files\Java\jdk-10\bin\keytool.exe" -genkeypair -alias client01 -keypass pwdclient01 -keystore client.ks -storepass pwdclient -sigalg SHA1withRSA -keyalg RSA
Warning: Different store and key passwords not supported for PKCS12 KeyStores. Ignoring user-specified -keypass value.
What is your first and last name?
[Unknown]:
What is the name of your organizational unit?
[Unknown]:
What is the name of your organization?
[Unknown]:
What is the name of your City or Locality?
[Unknown]:
What is the name of your State or Province?
[Unknown]:
What is the two-letter country code for this unit?
[Unknown]:
Is CN=Unknown, OU=Unknown, O=Unknown, L=Unknown, ST=Unknown, C=Unknown correct?
[no]: y
T:\Groups\Embedded\Ed\ModemEncryption\Gemalto Centerion\wm02_tls_tools>"C:\Program Files\Java\jdk-10\bin\keytool.exe" -exportcert -v -keystore client.ks -storepass pwdclient -alias client01 -file client01_pub.der
Certificate stored in file <client01_pub.der>
T:\Groups\Embedded\Ed\ModemEncryption\Gemalto Centerion\wm02_tls_tools>"C:\Program Files\Java\jdk-10\bin\keytool.exe" -exportcert -v -rfc -keystore client.ks -storepass pwdclient -alias client01 -file client01_pub.pem
Certificate stored in file <client01_pub.pem>
T:\Groups\Embedded\Ed\ModemEncryption\Gemalto Centerion\wm02_tls_tools>java -jar keystoretools\getPrivateKey.jar -alias client01 -keypass pwdclient01 -keystore client.ks -storepass pwdclient -keyfile client01_priv.der
Get Key failed: Given final block not properly padded. Such issues can arise if a bad key is used during decryption.
T:\Groups\Embedded\Ed\ModemEncryption\Gemalto Centerion\wm02_tls_tools>java -jar cmd_ipcertmgr\win-x86\cmd_IpCertMgr.jar -serialPort COM3 -serialSpd 115200 -cmd writecert -certfile client01_pub.der -certIndex 0 -imei 099999001234561 -alias client01 -keypass pwdclient -keystore client.ks -storepass pwdclient -keyfile client01_priv.der
Private key file not found!
Older Java works better. It doesn't complain about the differences in passwords. It is also a bit clearer where the error is in cmd_ipcertmgr.jar (below):
As you said, it complains about the location of the rxtxserial. This thread says the rxtxSerial.dll and the rxtxParallel.dll files need to be in [...]/jre7/bin/
https://stackoverflow.com/questions/8197639/java-lang-unsatisfiedlinkerr...
Now I can output serial! Wish me luck in pretending to be a modem. I already got an error: Connection error! Disable flow control on module.
Update: as Frozenwiki says here:
https://stackoverflow.com/questions/38319086/setting-cinterion-bgs2-w-mo...
You need to send OK from the terminal before you start the cmd_ipcertmgr.
It's also pretty temperamental. I got it to output once, but now it either does nothing, or just outputs a whole bunch of ATs. I think it depends on the terminal program you use.
I will try again with Java 10 so we can see if it was the TxRx location that was the problem.
T:\Groups\Embedded\Ed\ModemEncryption\Gemalto Centerion\wm02_tls_tools>java -jar cmd_ipcertmgr\win-x86\cmd_IpCertMgr.jar -serialPort COM33 -serialSpd 115200 -cmd writecert -certfile client01_pub.der -certIndex 0 -imei 099999001234561 -alias client01 -keypass pwdclient01 -keystore client.ks -storepass pwdclient -keyfile client01_priv.der
java.lang.UnsatisfiedLinkError: no rxtxSerial in java.library.path thrown while loading gnu.io.RXTXCommDriver
Exception in thread "main" java.lang.reflect.InvocationTargetException
at sun.reflect.NativeMethodAccessorImpl.invoke0(Native Method)
at sun.reflect.NativeMethodAccessorImpl.invoke(Unknown Source)
at sun.reflect.DelegatingMethodAccessorImpl.invoke(Unknown Source)
at java.lang.reflect.Method.invoke(Unknown Source)
at org.eclipse.jdt.internal.jarinjarloader.JarRsrcLoader.main(JarRsrcLoader.java:58)
Caused by: java.lang.UnsatisfiedLinkError: no rxtxSerial in java.library.path
at java.lang.ClassLoader.loadLibrary(Unknown Source)
at java.lang.Runtime.loadLibrary0(Unknown Source)
at java.lang.System.loadLibrary(Unknown Source)
at gnu.io.CommPortIdentifier.<clinit>(CommPortIdentifier.java:123)
at SerialComm.connectSerial(SerialComm.java:88)
at cmd_IpCertMgr.main(cmd_IpCertMgr.java:1001)
... 5 more
cmd_IpCertMgr.jar worked once, and once only. Now it doesn't send the AT^SBNW=is_cert any more.
It receives the SECURE CMD READY: SEND COMMAND ... though.
I'm just wasting so much time trying to get this java version and RxTx up and running. Everything is so dependent on specific old versions.
Can you please just post a set of the certificate files and serial output so not everyone has to set this all up on their computers?
If you add
"keytool.exe" -exportcert -v -rfc -keystore client.ks -storepass pwdclient -alias client01 -file client01_pub.pem
Then we will also have a readable format of the certificate.
Thank you.
Hello,
I've tried this with Java 9 which I have currently installed on my PC. And there was a warning
"Warning: Different store and key passwords not supported for PKCS12 KeyStores."
that you have described. So I have changed the passwords to be the same.
Then I have also faced the exception:
Exception in thread "main" java.lang.reflect.InvocationTargetException
at java.base/jdk.internal.reflect.NativeMethodAccessorImpl.invoke0(Native Method)
at java.base/jdk.internal.reflect.NativeMethodAccessorImpl.invoke(Unknown Source)
at java.base/jdk.internal.reflect.DelegatingMethodAccessorImpl.invoke(Unknown Source)
at java.base/java.lang.reflect.Method.invoke(Unknown Source)
at org.eclipse.jdt.internal.jarinjarloader.JarRsrcLoader.main(JarRsrcLoader.java:58)
Caused by: java.lang.NoClassDefFoundError: gnu/io/UnsupportedCommOperationException
at cmd_IpCertMgr.main(cmd_IpCertMgr.java:1001)
... 5 more
Caused by: java.lang.ClassNotFoundException: gnu.io.UnsupportedCommOperationException
at java.base/java.net.URLClassLoader.findClass(Unknown Source)
at java.base/java.lang.ClassLoader.loadClass(Unknown Source)
at java.base/java.lang.ClassLoader.loadClass(Unknown Source)
... 6 more
Having in mind that the recommended Java version is 6 I've checked the installed Java versions first and found that the oldest installed version that I have is 7. So I decided to try with Java 7. I have used the following script to configure the Java version for my session:
@echo off
set JAVA_VERSION=jdk1.7.0_80
echo Setting JAVA_HOME
set JAVA_HOME="C:\Program Files (x86)\Java\%JAVA_VERSION%"
setx JAVA_HOME "C:\Program Files (x86)\Java\%JAVA_VERSION%" /m
echo Setting JDK_HOME
set JDK_HOME="C:\Program Files (x86)\Java\%JAVA_VERSION%"
setx JDK_HOME "C:\Program Files (x86)\Java\%JAVA_VERSION%" /m
echo setting PATH
set PATH="C:\Program Files (x86)\Java\%JAVA_VERSION%\bin";%PATH%
echo Display java version
java -version
I didn't do anything more with RXTX library besides placing the dll in the same directory.
Then it worked as below:
C:\Data\TLS>java -jar cmd_IpCertMgr.jar -serialPort COM45 -serialSpd 115200 -cmd writecert -certfile client01_pub.der -certIndex 0 -imei *************** -alias client01 -keypass pwdclient -keystore client.ks -storepass pwdclient -keyfile client01_priv.der
SECURE CMD READY: SEND COMMAND...
SECURE CMD END OK
C:\Data\TLS>java -jar cmd_IpCertMgr.jar -serialPort COM45 -serialSpd 115200 -cmd delcert -certIndex 0 -imei *************** -alias client01 -keypass pwdclient -keystore client.ks -storepass pwdclient
SECURE CMD READY: SEND COMMAND...
SECURE CMD END OK
Please try.
At the moment I don't have the AT command prepared for sending this certificate.
Best regards,
Bartłomiej
Hi Bartłomiej,
I have tried with different versions of java, locations of the rxtxserial, virtual com ports and real comports.
With real comports, I get the below, and only "AT" output to the terminal.
T:\Groups\Embedded\Ed\ModemEncryption\Gemalto Centerion\wm02_tls_tools>"java.exe" -jar cmd_ipcertmgr\win-x86\cmd_IpCertMgr.jar -serialPort COM3 -serialSpd 115200 -cmd writecert -certfile client01_pub.der -certIndex 0 -imei 099999001234561 -alias client01 -keypass pwdclient01 -keystore client.ks -storepass pwdclient -keyfile client01_priv.der
Connection error! Disable flow control on module.
Seriously, I'm not getting anywhere with this. I don't need you to document the commands, I just need the serial output and the certificate to match. The com0com works fine, it's just a java library compatibility issue.
Hello,
Generally on the port that you are using for this command you should be able to execute AT commands. So if you connect to it with a terminal program and it does not work the cmd_IpCertMgr.jar tool will also fail. As for the flow control for BGS2 module the factory setting is no flow control. You may try to read this setting with AT&V (if you succeed with the terminal) and set it with AT\Q (AT\Q0 for no flow control, AT\Q3 for RTS/CTS hardware flow control).
Regards,
Bartłomiej
I found on http://rxtx.qbang.org/wiki/index.php/Download that RxTx does not work on 64 bit machines. There are links to builds for 64 bit machines, but I still can't get it to work due to compatibility with an older jdk.
I haven't even started to connect to a modem. I can't get reliable output from cmd_IpCertMgr.jar
I have tried on a 32 bit machine and still can't get any output.
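Added example, not part of the thread or of the Cinterion tools: the 32-bit/64-bit RxTx problem raised in the last post can be narrowed down by reading the PE header of the rxtxSerial.dll actually in use and comparing it with the bitness of the JVM that runs cmd_IpCertMgr.jar. The function names and the `fake_pe` sample bytes are constructed for illustration; the machine-type constants come from the PE/COFF format.

```python
import struct

# PE "Machine" field values (PE/COFF format) mapped to word size.
MACHINE_BITS = {0x014C: 32, 0x8664: 64, 0xAA64: 64}

def pe_bitness(data: bytes) -> int:
    """Return 32 or 64 for a PE image; raise ValueError if it is not one."""
    if len(data) < 0x40 or data[:2] != b"MZ":
        raise ValueError("not a PE file: missing MZ header")
    (pe_off,) = struct.unpack_from("<I", data, 0x3C)  # e_lfanew
    if pe_off + 6 > len(data) or data[pe_off:pe_off + 4] != b"PE\0\0":
        raise ValueError("not a PE file: missing PE signature")
    (machine,) = struct.unpack_from("<H", data, pe_off + 4)
    if machine not in MACHINE_BITS:
        raise ValueError(f"unknown PE machine type 0x{machine:04x}")
    return MACHINE_BITS[machine]

def check_native_lib(dll_bytes: bytes, jvm_bits: int) -> str:
    """Compare the DLL's bitness with the JVM's (32 or 64)."""
    dll_bits = pe_bitness(dll_bytes)
    if dll_bits == jvm_bits:
        return f"ok: {dll_bits}-bit DLL matches {jvm_bits}-bit JVM"
    return f"mismatch: {dll_bits}-bit DLL cannot be loaded by a {jvm_bits}-bit JVM"

def fake_pe(machine: int) -> bytes:
    """Constructed minimal header for demonstration only (not a loadable DLL)."""
    dos = b"MZ" + b"\0" * 0x3A + struct.pack("<I", 0x40)
    return dos + b"PE\0\0" + struct.pack("<H", machine) + b"\0" * 18

if __name__ == "__main__":
    import sys
    # Usage (hypothetical script name): python check_rxtx.py rxtxSerial.dll 32|64
    # JVM bitness: `java -version` prints "64-Bit" for a 64-bit VM.
    if len(sys.argv) == 3:
        with open(sys.argv[1], "rb") as fh:
            print(check_native_lib(fh.read(), int(sys.argv[2])))
    else:
        print(check_native_lib(fake_pe(0x014C), 64))
```

A matching result only rules out the bitness mismatch; the DLL still has to be in a directory on `java.library.path` for the JVM to find it.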