Configured the netconf-keystore model with 2 sets of keystores. The following scenarios were tried out:
- Both sets are the same, i.e., there are 2 key-id values, ODL_private_key_0 and ODL_private_key_1, and both have the same values. In this scenario, mounting a device using either key was successful.
- One is a valid key and the other is invalid, i.e., the valid set (client.key, client.crt and trustedCertificates.crt) was taken, a copy of it was made, and the client.crt was edited to include some invalid data. Both sets (valid and invalid) were used to create entries in the netconf-keystore. In this scenario, mounting a device with either of the keys is unsuccessful. The following is the exception in the karaf.log:
2021-09-14T04:58:18,310 | INFO | nioEventLoopGroupCloseable-3-10 | AbstractNetconfSessionNegotiator | 352 - org.opendaylight.netconf.netty-util - 1.13.2 | - | Unexpected error during negotiation
java.lang.IllegalStateException: java.security.cert.CertificateException: Could not parse certificate: java.io.IOException: Empty input
    at org.opendaylight.netconf.sal.connect.util.SslHandlerFactoryImpl.createSslHandler(SslHandlerFactoryImpl.java:82) ~[bundleFile:?]
    at org.opendaylight.netconf.sal.connect.util.SslHandlerFactoryImpl.createSslHandler(SslHandlerFactoryImpl.java:45) ~[bundleFile:?]
    at org.opendaylight.netconf.client.TlsClientChannelInitializer$ChannelActiveSentry.channelActive(TlsClientChannelInitializer.java:56) ~[bundleFile:?]
    at io.netty.channel.AbstractChannelHandlerContext.invokeChannelActive(AbstractChannelHandlerContext.java:230) [bundleFile:4.1.63.Final]
    at io.netty.channel.AbstractChannelHandlerContext.invokeChannelActive(AbstractChannelHandlerContext.java:216) [bundleFile:4.1.63.Final]
    at io.netty.channel.AbstractChannelHandlerContext.fireChannelActive(AbstractChannelHandlerContext.java:209) [bundleFile:4.1.63.Final]
    at io.netty.channel.DefaultChannelPipeline$HeadContext.channelActive(DefaultChannelPipeline.java:1398) [bundleFile:4.1.63.Final]
    at io.netty.channel.AbstractChannelHandlerContext.invokeChannelActive(AbstractChannelHandlerContext.java:230) [bundleFile:4.1.63.Final]
    at io.netty.channel.AbstractChannelHandlerContext.invokeChannelActive(AbstractChannelHandlerContext.java:216) [bundleFile:4.1.63.Final]
    at io.netty.channel.DefaultChannelPipeline.fireChannelActive(DefaultChannelPipeline.java:895) [bundleFile:4.1.63.Final]
    at io.netty.channel.nio.AbstractNioChannel$AbstractNioUnsafe.fulfillConnectPromise(AbstractNioChannel.java:305) [bundleFile:4.1.63.Final]
    at io.netty.channel.nio.AbstractNioChannel$AbstractNioUnsafe.finishConnect(AbstractNioChannel.java:335) [bundleFile:4.1.63.Final]
    at io.netty.channel.nio.NioEventLoop.processSelectedKey(NioEventLoop.java:707) [bundleFile:4.1.63.Final]
    at io.netty.channel.nio.NioEventLoop.processSelectedKeysOptimized(NioEventLoop.java:655) [bundleFile:4.1.63.Final]
    at io.netty.channel.nio.NioEventLoop.processSelectedKeys(NioEventLoop.java:581) [bundleFile:4.1.63.Final]
    at io.netty.channel.nio.NioEventLoop.run(NioEventLoop.java:493) [bundleFile:4.1.63.Final]
    at io.netty.util.concurrent.SingleThreadEventExecutor$4.run(SingleThreadEventExecutor.java:989) [bundleFile:4.1.63.Final]
    at io.netty.util.internal.ThreadExecutorMap$2.run(ThreadExecutorMap.java:74) [bundleFile:4.1.63.Final]
    at io.netty.util.concurrent.FastThreadLocalRunnable.run(FastThreadLocalRunnable.java:30) [bundleFile:4.1.63.Final]
    at java.lang.Thread.run(Unknown Source) [?:?]
Caused by: java.security.cert.CertificateException: Could not parse certificate: java.io.IOException: Empty input
    at sun.security.provider.X509Factory.engineGenerateCertificate(Unknown Source) ~[?:?]
    at java.security.cert.CertificateFactory.generateCertificate(Unknown Source) ~[?:?]
    at org.opendaylight.netconf.sal.connect.netconf.sal.NetconfKeystoreAdapter.getCertificateChain(NetconfKeystoreAdapter.java:159) ~[bundleFile:?]
    at org.opendaylight.netconf.sal.connect.netconf.sal.NetconfKeystoreAdapter.getJavaKeyStore(NetconfKeystoreAdapter.java:113) ~[bundleFile:?]
    at org.opendaylight.netconf.sal.connect.util.SslHandlerFactoryImpl.createSslHandler(SslHandlerFactoryImpl.java:51) ~[bundleFile:?]
    ... 19 more
Expectation - When the key-id from the valid set is used, mounting of the device should be successful.
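A pre-flight check in that spirit, added here as an example and not part of the OpenDaylight code base: it validates each netconf-keystore certificate chain on its own and names the key-id that is broken, instead of letting one unparseable entry make every mount fail. The PEM/DER framing check, the key-id map layout and the sample values are assumptions; the sample certificates are constructed stand-ins, not real certificates.

```python
import base64
import binascii
import re

# One PEM CERTIFICATE block; a garbled BEGIN/END marker simply no longer matches.
PEM_CERT_RE = re.compile(
    r"-----BEGIN CERTIFICATE-----\s*(.*?)\s*-----END CERTIFICATE-----", re.S)

def der_total_length(der):
    """Bytes the outer DER SEQUENCE claims to span, or -1 if unparseable."""
    if len(der) < 2 or der[0] != 0x30:
        return -1
    if der[1] < 0x80:
        return 2 + der[1]
    n = der[1] & 0x7F
    if n == 0 or len(der) < 2 + n:
        return -1
    return 2 + n + int.from_bytes(der[2:2 + n], "big")

def parse_cert_chain(pem_text):
    """Return the DER blobs of a PEM chain; raise ValueError with the reason."""
    blocks = PEM_CERT_RE.findall(pem_text)
    if not blocks:  # mirrors the 'Empty input' the controller reports
        raise ValueError("Empty input: no CERTIFICATE block found")
    ders = []
    for i, body in enumerate(blocks):
        try:
            der = base64.b64decode("".join(body.split()), validate=True)
        except binascii.Error as exc:
            raise ValueError(f"block {i}: bad base64 ({exc})") from exc
        if der_total_length(der) != len(der):
            raise ValueError(f"block {i}: not a complete DER SEQUENCE")
        ders.append(der)
    return ders

def check_keystore(entries):
    """entries: {key-id: certificate-chain PEM}. Each entry is validated on
    its own; returns (usable key-ids, {key-id: reason}) so one corrupt chain
    is reported by name instead of taking the valid entries down with it."""
    ok, bad = [], {}
    for key_id, pem in entries.items():
        try:
            parse_cert_chain(pem)
            ok.append(key_id)
        except ValueError as exc:
            bad[key_id] = str(exc)
    return ok, bad

# Constructed stand-ins (not real certificates): a minimal DER SEQUENCE, and
# the same text with its BEGIN marker damaged the way a hand edit might.
VALID_PEM = "-----BEGIN CERTIFICATE-----\nMAMCAQE=\n-----END CERTIFICATE-----\n"
EDITED_PEM = VALID_PEM.replace("BEGIN CERTIFICATE", "BEGIN CERTIFICAT")
SAMPLE_ENTRIES = {"ODL_private_key_0": VALID_PEM, "ODL_private_key_1": EDITED_PEM}
```

Running `check_keystore(SAMPLE_ENTRIES)` keeps ODL_private_key_0 usable and reports ODL_private_key_1 with an "Empty input" reason, which is the per-entry behaviour the expectation above asks for.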
Issue links:
- blocks: NETCONF-596 No documentation of Netconf over TLS (Confirmed)
- is blocked by: NETCONF-1284 Cannot connect device over TLS (In Progress)
- relates to: NETCONF-1205 Support private keys and trusted certificates configuration on per TLS device basis (Open)