https://jira.opendaylight.org This file is an XML representation of an issue en-us 8.20.10 820010 22-06-2022 https://jira.opendaylight.org/browse/NETCONF-821 netconf <p>Configured netconf-keystore model with 2 sets of keystores. Following scenarios were tried out -</p> <ol> <li>Both sets are the same i.e, There are 2 key-id values - ODL_private_key_0 and ODL_private_key_1 and both have the same values  - In such a scenario, mounting of a device using either keys was successful.</li> <li>One is a valid key and the other is invalid i.e., the valid set (client.key, client.crt and trustedCertificates.crt) was taken, a copy of it was made and the client.crt was edited to include some invalid data. Both sets (valid and invalid) were used to create entries in the netconf-keystore. In this scenario, mounting a device with either of the keys is unsuccessful. The following is the exception in the karaf.log -</li> </ol> <div class="preformatted panel" style="border-width: 1px;"><div class="preformattedContent panelContent"> <pre>2021-09-14T04:58:18,310 | INFO | nioEventLoopGroupCloseable-3-10 | AbstractNetconfSessionNegotiator | 352 - org.opendaylight.netconf.netty-util - 1.13.2 | - | Unexpected error during negotiation java.lang.IllegalStateException: java.security.cert.CertificateException: Could not parse certificate: java.io.IOException: Empty input at org.opendaylight.netconf.sal.connect.util.SslHandlerFactoryImpl.createSslHandler(SslHandlerFactoryImpl.java:82) ~[bundleFile:?] at org.opendaylight.netconf.sal.connect.util.SslHandlerFactoryImpl.createSslHandler(SslHandlerFactoryImpl.java:45) ~[bundleFile:?] at org.opendaylight.netconf.client.TlsClientChannelInitializer$ChannelActiveSentry.channelActive(TlsClientChannelInitializer.java:56) ~[bundleFile:?] at io.netty.channel.AbstractChannelHandlerContext.invokeChannelActive(AbstractChannelHandlerContext.java:230) [bundleFile:4.1.63.Final] at io.netty.channel.AbstractChannelHandlerContext.invokeChannelActive(AbstractChannelHandlerContext.java:216) [bundleFile:4.1.63.Final] at io.netty.channel.AbstractChannelHandlerContext.fireChannelActive(AbstractChannelHandlerContext.java:209) [bundleFile:4.1.63.Final] at io.netty.channel.DefaultChannelPipeline$HeadContext.channelActive(DefaultChannelPipeline.java:1398) [bundleFile:4.1.63.Final] at io.netty.channel.AbstractChannelHandlerContext.invokeChannelActive(AbstractChannelHandlerContext.java:230) [bundleFile:4.1.63.Final] at io.netty.channel.AbstractChannelHandlerContext.invokeChannelActive(AbstractChannelHandlerContext.java:216) [bundleFile:4.1.63.Final] at io.netty.channel.DefaultChannelPipeline.fireChannelActive(DefaultChannelPipeline.java:895) [bundleFile:4.1.63.Final] at io.netty.channel.nio.AbstractNioChannel$AbstractNioUnsafe.fulfillConnectPromise(AbstractNioChannel.java:305) [bundleFile:4.1.63.Final] at io.netty.channel.nio.AbstractNioChannel$AbstractNioUnsafe.finishConnect(AbstractNioChannel.java:335) [bundleFile:4.1.63.Final] at io.netty.channel.nio.NioEventLoop.processSelectedKey(NioEventLoop.java:707) [bundleFile:4.1.63.Final] at io.netty.channel.nio.NioEventLoop.processSelectedKeysOptimized(NioEventLoop.java:655) [bundleFile:4.1.63.Final] at io.netty.channel.nio.NioEventLoop.processSelectedKeys(NioEventLoop.java:581) [bundleFile:4.1.63.Final] at io.netty.channel.nio.NioEventLoop.run(NioEventLoop.java:493) [bundleFile:4.1.63.Final] at io.netty.util.concurrent.SingleThreadEventExecutor$4.run(SingleThreadEventExecutor.java:989) [bundleFile:4.1.63.Final] at io.netty.util.internal.ThreadExecutorMap$2.run(ThreadExecutorMap.java:74) [bundleFile:4.1.63.Final] at io.netty.util.concurrent.FastThreadLocalRunnable.run(FastThreadLocalRunnable.java:30) [bundleFile:4.1.63.Final] at java.lang.Thread.run(Unknown Source) [?:?] Caused by: java.security.cert.CertificateException: Could not parse certificate: java.io.IOException: Empty input at sun.security.provider.X509Factory.engineGenerateCertificate(Unknown Source) ~[?:?] at java.security.cert.CertificateFactory.generateCertificate(Unknown Source) ~[?:?] at org.opendaylight.netconf.sal.connect.netconf.sal.NetconfKeystoreAdapter.getCertificateChain(NetconfKeystoreAdapter.java:159) ~[bundleFile:?] at org.opendaylight.netconf.sal.connect.netconf.sal.NetconfKeystoreAdapter.getJavaKeyStore(NetconfKeystoreAdapter.java:113) ~[bundleFile:?] at org.opendaylight.netconf.sal.connect.util.SslHandlerFactoryImpl.createSslHandler(SslHandlerFactoryImpl.java:51) ~[bundleFile:?] ... 19 more </pre> </div></div> <p>Expectation - When the key-id from the valid set is used, mounting of the device should be successful.</p> NETCONF-821

Mounting a device does not work when multiple TLS Certificates are present

Bug Medium In Progress Unresolved Ruslan Kashapov Ravi Pendurty pick-next pt Wed, 15 Sep 2021 05:38:27 +0000 Mon, 22 Jan 2024 21:59:48 +0000 1.13.2 7.0.0 6.0.7 netconf 0 4 <p><a href="https://jira.opendaylight.org/secure/ViewProfile.jspa?name=pendurty" class="user-hover" rel="pendurty">pendurty</a>, Can you please refer further details about issue:<br/> 1. What is the type of device in which you wanted to create mount point?<br/> 2. What is the version of ONAP where you found out issue?<br/>     I assume you have been following this guide: <br/>     <a href="https://docs.onap.org/projects/onap-sdnc-oam/en/istanbul/cert_installation.html," class="external-link" target="_blank" rel="nofollow noopener">https://docs.onap.org/projects/onap-sdnc-oam/en/istanbul/cert_installation.html,</a> where is<br/>     mentioned: <br/>     "Client.crt represents the client certificate and the client.key is the private key that is to be<br/>     used. Only a single client/client cert is supported as of the Dublin release and multiple clients<br/>     are not supported."<br/> 3. If you do not use ONAP, which requests have you issued with ODL RESTCONF/NETCONF?</p> <p>Hi <a href="https://jira.opendaylight.org/secure/ViewProfile.jspa?name=ivanm1996" class="user-hover" rel="ivanm1996">ivanm1996</a> ,</p> <ol> <li>What is the type of device in which you wanted to create mount point?  <span class="error">&#91;RAVI&#93;</span> I was trying on an O-RAN device. It supports NETCONF</li> <li>What is the version of ONAP where you found out issue? - Honolulu and Istanbul. Yes I have seen the guide earlier. However releases after Dublin support multiple zip files to be provided and the InstallCerts.py script ([https://gerrit.onap.org/r/gitweb?p=sdnc/oam.git;a=blob;f=installation/sdnc/src/main/scripts/installCerts.py) installs multiple keys into the netconf-keystore.</li> <li>I used SDNC component to issue the requests to ODL</li> </ol> <p>I believe using ONAP is not the problem. When there are multiple keys configured in the netconf-keystore model, ODL fails to mount even though a valid key is passed while creating the mountpoint.</p> <p><a href="https://jira.opendaylight.org/secure/ViewProfile.jspa?name=pendurty" class="user-hover" rel="pendurty">pendurty</a> what do you mean by " was edited to include some invalid data"? Was it still valid certificate?</p> <p><a href="https://jira.opendaylight.org/secure/ViewProfile.jspa?name=pendurty" class="user-hover" rel="pendurty">pendurty</a> How did you specify which key should be used when mounting a device? Can you provide requests/steps to reproduce?</p> <p>Instead of creating a new valid certificate, I replicated an existing certificate and edited it. The edited certificate is not valid, however the basic structure of the certificate is intact, i.e., it is enclosed between  ----<del>BEGIN CERTIFICATE</del>---- and ----<del>END CERTIFICATE</del>---- but the contents in between are modified.</p> <p>Following is the request URL and the payload -</p> <p><a href="http://172.18.0.3:8181/rests/data/network-topology:network-topology/topology=topology-netconf/node=TLS_Device" class="external-link" target="_blank" rel="nofollow noopener">http://172.18.0.3:8181/rests/data/network-topology:network-topology/topology=topology-netconf/node=TLS_Device</a></p> <p>Payload - (The key is specified in the &lt;key-id&gt; element. This key is added to the netconf-keystore model using the installCerts.py script that I shared earlier)</p> <div class="code panel" style="border-width: 1px;"><div class="codeContent panelContent"> <pre class="code-java"> &lt;node xmlns=<span class="code-quote">"urn:TBD:params:xml:ns:yang:network-topology"</span>&gt; &lt;node-id&gt;TLS_Device&lt;/node-id&gt; &lt;key-based xmlns=<span class="code-quote">"urn:opendaylight:netconf-node-topology"</span>&gt; &lt;key-id xmlns=<span class="code-quote">"urn:opendaylight:netconf-node-topology"</span>&gt;ODL_private_key_0&lt;/key-id&gt; &lt;username xmlns=<span class="code-quote">"urn:opendaylight:netconf-node-topology"</span>&gt;netconf&lt;/username&gt; &lt;/key-based&gt; &lt;host xmlns=<span class="code-quote">"urn:opendaylight:netconf-node-topology"</span>&gt;172.18.0.4&lt;/host&gt; &lt;port xmlns=<span class="code-quote">"urn:opendaylight:netconf-node-topology"</span>&gt;831&lt;/port&gt; &lt;tcp-only xmlns=<span class="code-quote">"urn:opendaylight:netconf-node-topology"</span>&gt;<span class="code-keyword">false</span>&lt;/tcp-only&gt; &lt;protocol xmlns=<span class="code-quote">"urn:opendaylight:netconf-node-topology"</span>&gt; &lt;name xmlns=<span class="code-quote">"urn:opendaylight:netconf-node-topology"</span>&gt;TLS&lt;/name&gt; &lt;/protocol&gt; &lt;max-connection-attempts xmlns=<span class="code-quote">"urn:opendaylight:netconf-node-topology"</span>&gt;2&lt;/max-connection-attempts&gt; &lt;/node&gt;</pre> </div></div> <p>Few issues here </p> <p>While key-based/key-id is eligible option in topology node configuration the purpose of this option is key based authentication for SSH transport, not TLS. It means the key-id value is ignored if protocol value is TLS. See <a href="https://github.com/opendaylight/netconf/blob/82a4a9b7371aa8e8f4a13aef73cafb75891d568f/apps/netconf-topology/src/main/java/org/opendaylight/netconf/topology/spi/DefaultNetconfClientConfigurationBuilderFactory.java#L73" class="external-link" target="_blank" rel="nofollow noopener">DefaultNetconfClientConfigurationBuilderFactory</a> invoking <a href="https://github.com/opendaylight/netconf/blob/82a4a9b7371aa8e8f4a13aef73cafb75891d568f/plugins/netconf-client-mdsal/src/main/java/org/opendaylight/netconf/client/mdsal/impl/DefaultSslHandlerFactoryProvider.java#L152" class="external-link" target="_blank" rel="nofollow noopener">DefaultSslHandlerFactoryProvider</a></p> <p>While no specific key is expected on per device basis the SslHandler is built based on KeyStore instance containing ALL the configured keys and trusted certificates. Upon KeyStore preparation all the defined private keys and certificates are parsed from binary form into Java objects. As result any single invalid (non-parseable) entry will cause SslHandler build failure for every TLS device unless this entry is removed from datastore.</p> <p> </p> Relates NETCONF-1205 Development Rank 0|i03zk7: