Telit Cinterion IoT Developer Community
Internet Services with SSL/TLS
Tutorial, December 3, 2014 - 11:34am, 15783 views
Introduction
This document contains a short description of how to set up an EHS5 module to run an HTTPS demo Java MIDlet that securely communicates with Application Engineering's test server ae.c-wm.net using mutual authentication.
Infrastructure
Certificate hierarchy
· rootCA is a self signed certification authority (CA)
· rootCA signs second level intermediate CAs serverCA and clientCA
· serverCA signs third level server endpoint certificate ae.c-wm.net
· clientCA signs third level client endpoint certificates client01 and client02
The Apache server sends the complete certificate chain. In addition to its client certificate, the module stores the root certificate to validate this chain. Because the module does not send the entire certificate chain but only its endpoint certificate, the Apache server must store the clientCA as well.
Certificate creation with OpenSSL
automated script
In order to create your own certificate chain, you can use the certs.sh script in a Cygwin environment with openssl and ssh installed. You can find the script and all its dependencies in the attached archive in the subdirectory Certs.
The instructions below contain the following placeholders:
· <comport> - the COM port to which the module is attached
· <server> - the web server you want to create the certificates for
· <user> - a user which can ssh into the <server>
step-by-step
- create new certificate chain:
- run ./certs.sh create <server>
- export client and root certificate to other formats:
- .der files are used by the module; .p12 files are for use in web browsers
- run ./certs.sh export
- install the certs on an EHSx module at modem port COM103:
- Please replace COM103 with your modem port.
- run ./certs.sh moduleDeploy <comport>
- install certs on server:
- You need to be able to ssh to the server without a password. You can use ssh-keygen and ssh-copy-id for this.
- run ./certs.sh serverDeploy <user> <server>
- (optional) remove all created certificates:
- run ./certs.sh clean
all-in-one
Running ./certs.sh all executes all of the steps listed above. Before running it, adjust the COM port, user and server in the script according to the step-by-step instructions above.
GUI
If you prefer a graphical user interface instead of OpenSSL, I recommend using the cross-platform tool XCA (http://sourceforge.net/projects/xca/ ).
Web server setup
Step 1
The following listing contains an example configuration for an Apache 2 web server.
$ cat /etc/apache2/sites-enabled/ssl_demo_mutual_443
NameVirtualHost *:443
<virtualhost *:443>
ServerName ae.c-wm.net
SSLEngine On
SSLVerifyClient require
SSLVerifyDepth 10
# server certs
SSLCertificateFile /etc/apache2/ssl/serverEP.crt
SSLCertificateKeyFile /etc/apache2/ssl/serverEP.key
SSLCertificateChainFile /etc/apache2/ssl/serverChain.crt
SSLCACertificateFile /etc/apache2/ssl/clientChain.crt
DocumentRoot /var/wwws/
SSLOptions +ExportCertData
</virtualhost>
Step 2
A server script displaying the available and currently used cipher suites and protocols can be found in this archive in the subdirectory Server.
Step 3
Please note that this script requires read permissions for the file /var/log/apache2/ssl_engine.log and read and execute permissions on all parent directories. The file's permissions are reset when the log is rotated. To prevent this, you can adjust your /etc/logrotate.conf or /etc/logrotate.d/apache2.
$ cat /etc/logrotate.d/apache2
/var/log/apache2/*.log {
weekly
missingok
rotate 52
compress
delaycompress
notifempty
create 644 root adm
sharedscripts
postrotate
if [ -f "`. /etc/apache2/envvars ; echo ${APACHE_PID_FILE:-/var/run/apache2.pid}`" ]; then
/etc/init.d/apache2 reload > /dev/null
fi
endscript
}
Step 4
You also have to enable debug logging for the SSL engine:
$ cat /etc/apache2/conf.d/ssl_log
<IfModule mod_ssl.c>
ErrorLog /var/log/apache2/ssl_engine.log
LogLevel debug
</IfModule>
Demonstration
This chapter contains a short description of how to set up an EHS5 module in order to show an HTTPS demo using Internet Service Commands. The demo securely communicates with Application Engineering's test server ae.c-wm.net under mutual authentication. If you don't want to use Java for this, you can skip all steps marked with "(java only)". All files mentioned here, along with further information, are contained in this archive.
Prerequisites
· SIM card (tested with German provider T-D1)
· EHSx Rev 2 or higher
· Gemalto Module Exchange Suite (MES)
· Gemalto IMP Debug Connection for EHSx (optional)
· Gemalto EHSx Software Development Kit (optional)
Setup
· Transfer Java Midlet and Security Command files to the module's root directory
o https_demo.zip\HttpsDemo\.mtj.tmp\emulation\HttpsDemo.jad (java only)
o https_demo.zip\HttpsDemo\.mtj.tmp\emulation\HttpsDemo.jar (java only)
o https_demo.zip\Certs\AddHttpsCertificateUntrusted.bin (create with certs.sh)
o https_demo.zip\Certs\AddHttpsClientCertificateUntrusted.bin (create with certs.sh)
· Install certificates and activate server authentication (note: this can be skipped if "./certs.sh moduleDeploy" was executed for the current module)
at^sjmsec="cmd",0B00310001000500020001
at^sjmsec="file",AddHttpsCertificateUntrusted.bin
at^sjmsec="file",AddHttpsClientCertificateUntrusted.bin
· Test if HTTPS is setup correctly:
at^sjmsec?
^SJMSEC: 1,1,1,1
OK
· Install HTTPS Demo Midlet (java only)
at^sjam=0,"a:/HttpsDemo.jad",""
Run
You can demonstrate HTTPS communication with a Java Midlet or with Internet Service Commands.
Java Midlet
· Redirect Java’s stdout to the serial console at asc0
at^scfg="userware/stdout","asc0"
^SCFG: "Userware/Stdout","asc0",,,,"off"
OK
· Run HTTPS Demo Midlet
at^sjam=1,"a:/HttpsDemo.jad",""
· You should see something similar to the following lines on stdout
started HTTPS Demo app
<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.01 Transitional//EN"
"http://www.w3.org/TR/html4/loose.dtd">
<html>
<head>
<title>Gemalto M2M HTTPS demo</title>
</head>
<body>
Welcome to the Gemalto M2M HTTPS demo page.
Sending dispose command to the VM.
</body>
</html>
MIDlet:HttpsDemo exited
Internet Service Commands
at+cops?
+COPS: 0,0,"Telekom.de",2
OK
at^sici?
OK
at^sics?
^SICS: 0,"conType",""
^SICS: 1,"conType",""
^SICS: 2,"conType",""
^SICS: 3,"conType",""
^SICS: 4,"conType",""
^SICS: 5,"conType",""
OK
+PBREADY
at^sics=1,contype,GPRS0
OK
at^sics=1,inactTO,2000
OK
at^sics=1,passwd,t-d1
OK
at^sics=1,user,internet
OK
at^sics=1,apn,"internet.t-d1.de"
OK
at^sics?
^SICS: 0,"conType",""
^SICS: 1,"conType","GPRS0"
^SICS: 1,"inactTO","2000"
^SICS: 1,"user","internet"
^SICS: 1,"passwd","*****"
^SICS: 1,"apn","internet.t-d1.de"
^SICS: 2,"conType",""
^SICS: 3,"conType",""
^SICS: 4,"conType",""
^SICS: 5,"conType",""
OK
at^siss=1,srvtype,http
OK
at^siss=1,conid,1
OK
at^siss=1,cmd,"get"
OK
at^siss=1,address,"https://ae.c-wm.net/ssltest/?format=plaintext"
OK
at^siso=1
OK
^SIS: 1,0,2200,"Http ae.c-wm.net:443"
^SISR: 1,1
at^sist=1
CONNECT
<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.01 Transitional//EN"
"http://www.w3.org/TR/html4/loose.dtd">
<html>
<head>
<title>Gemalto M2M HTTPS demo</title>
</head>
<body>
Welcome to the Gemalto M2M HTTPS demo page.
</body>
</html>
NO CARRIER
^SISR: 1,2
Further info
Please also see our Java Users Guide on your EHSX install CD\program files\Cinterion\CMTK\EHS5\Documentation\wm02_java_usersguide_v04.pdf
Please remove links to the internal wiki page (i.e. images) because this is public content.
Hi
One question: I have seen this is with HTTP (HTTPS); I wonder if you can give an example with sockets, I mean to do a connection with sockets using SSL/TLS.
Thanks in advance.
Hi
Hi,
I don't have an Apache server now, so I use this ae.c-wm.net example; however, when I tried to deploy the server certificate chain it asked for a password to do the "scp" command. Could someone tell me how to use ssh-keygen and ssh-copy-id to create an account on ae.c-wm.net?
Thanks in advance
Hi! I have the same problem, I cannot log in with ssh to the ae.c-wm.net Apache server. Did you find the solution (by using ssh-keygen and ssh-copy-id) to "let yourself in"?
Thank you in advance.
Endre
Could anybody run Https_demo? I had many problems with it:
> Running cert.sh all (or any other command) does not work; I went into the file and ran the instructions one by one.
After doing this, I mean generating all the respective files, I tried to load the files into the module using jseccmd.jar; the device (EHS6) returned "Parameter IMEI is missing". Once again I went into cert.sh to add the -IMEI parameter according to the structure described in "Java UsersGuide v19" Sect. 11.5.3. But when trying to load the files into the module again, I got:
starting certificate deployment
opened serial port COM32
set options for //./COM32
waiting for: [ "OK" "ERROR" ]
read line: "at"
read line: ""
read line: "OK"
found OK
connection established
waiting for: [ "CONNECT" ]
read line: "AT^SJDL=1,1070,"AddHttpsCertificateUntrusted.bin""
read line: ""
read line: "CONNECT"
found CONNECT
sending 1070 bytes
sent 1070 bytes
waiting for: [ "JDL CRC32" ]
read line: ""
read line: "OK"
read line: ""
java.io.IOException: Underlying input stream returned zero bytes
at sun.nio.cs.StreamDecoder.readBytes(Unknown Source)
at sun.nio.cs.StreamDecoder.implRead(Unknown Source)
at sun.nio.cs.StreamDecoder.read(Unknown Source)
at java.io.InputStreamReader.read(Unknown Source)
at java.io.BufferedReader.fill(Unknown Source)
at java.io.BufferedReader.readLine(Unknown Source)
at java.io.BufferedReader.readLine(Unknown Source)
at copyCerts.waitFor(copyCerts.java:296)
at copyCerts.checkCRC32(copyCerts.java:262)
at copyCerts.copyFile(copyCerts.java:254)
at copyCerts.copyFiles(copyCerts.java:217)
at copyCerts.main(copyCerts.java:37)
Did anybody experience something like this? Any suggestions? Thanks
moved to a separate topic.