5 1 0:Configuring SSL Secured Communication for SEP sesam Backup Network
Overview
SEP sesam uses SSL (Secure Sockets Layer) protocol to authenticate identities, encrypt and securely transfer data. SSL requires certificates to authenticate clients and establish a secure and trusted communication channel between SBC (sesam backup client) and STPD (sesam Transfer Protocol Server), thus preventing unauthorized access from clients to STPD. SEP sesam backup environment is protected with self-signed certificates, based on OpenSSL. SEP sesam does not provide certificates by default; they have to be created by an administrator and copied to clients and RDSs in the backup network.
- Create self-signed root Certificate Authority (CA) on the SEP sesam Server
- Create server and client certificates on the SEP sesam Server and copy them to server and clients
- Generate and copy server certificate for each RDS
- Edit configuration file on each client and server or RDS
- In case a client certificate cannot be trusted anymore, revoke the certificate.
- Call a function on SEP sesam Server to get authorization.
Directory structure for the SSL certificates
The following directory structure is used for storing the SSL certificates and related parameters:
What |
Where |
---|---|
SEP sesam configuration files: sm.ini and stpd.ini |
|
Root SSL certificate and master key: rootCA.pem and rootCA.key |
|
Generated client certificate and key: client.pem and client.key |
|
Generated server certificate and key: server.pem and server.key |
|
Steps
Creating self-signed root Certificate Authority (CA) on the SEP sesam Server
- On the SEP sesam Server, remove any old self-generated SSL keys from:
/var/opt/sesam/var/ini/ssl
- Then create directories /ca and /x.509 to store your keys and certificates:
/var/opt/sesam/var/ini/ca /var/opt/sesam/var/ini/x.509
- To create the root certificate, run the sm_ssl_cert ca command line utility as shown:
/opt/sesam/bin/sms/sm_ssl_cert ca
In the folder /var/opt/sesam/var/ini/ca, the process creates two files:
- A master key, also known as rootCA.key; keep this key private as it is needed for generation of new server and client certificates and is the basis of trust for all your certificates.
- A root SSL certificate rootCA.pem; it is used to verify existing server and client certificates. Make sure that the root CA has a long expiry date. Once it is expired, all certificates signed by it become invalid. This certificate must be present on all clients connecting to servers signed with the CA certificate.
Note | |
After generating server and client keys, you should remove the rootCA.key from the server and keep it in a safe place. |
Once you have created the CA certificate and key, you can create and sign certificates.
Creating server and client certificates on the SEP sesam Server
- First, you have to create the server certificate on the SEP sesam Server:
- For each server, copy the files as follows:
/opt/sesam/bin/sms/sm_ssl_cert server --common-name=''<hostname>''
where <hostname> must be the same as the name specified in the interface settings in GUI (Main Selection -> Components -> Topology -> Clients, <server_name> -> field Interfaces).
You can also use the IP address for <hostname> or use an * (asterisk) in the hostname, e.g., *.serverdomain.com or 192.168.1.*. Multiple server or domain names must be separated by a comma, e.g.:
/opt/sesam/bin/sms/sm_ssl_cert server --common-name=myserver,myserver.domain.com
Once done, there are two new files in the folder /var/opt/sesam/var/ini/ssl:
server.pem server.key
- copy rootCA.pem to /var/opt/sesam/var/ini/ca
- copy client.pem to /var/opt/sesam/var/ini/x.509
- copy client.key to /var/opt/sesam/var/ini/x.509
/opt/sesam/bin/sms/sm_ssl_cert client
Optionally, you can create client.pem/client key with unique subject field by using:
/opt/sesam/bin/sms/sm_ssl_cert client --oid={options}
{options}: comma separated list of C:{country_name} - country name CN:{common_name} - common name DQ:{dn_qualifier} - dn qualifier GN:{given_name} - given name GQ:{generation_qualifier} - generation qualifier I:{initials} - initials of some or all of an individual's names, but not the surname(s) L:{locality_name} - locality name N:{name} - name O:{organization_name}: - organization name OU:{organizational_unit_name} - organization unit name P:{pseudonym} - pseudonym PC:{postalcode} - postalcode S:{surname} - surname T:{title} - title
Once done, there are two new files in the folder /var/opt/sesam/var/ini/x.509:
client.pem client.key
- copy rootCA.pem to /var/opt/sesam/var/ini/ca
- copy client.pem to /var/opt/sesam/var/ini/x.509
- copy client.key to /var/opt/sesam/var/ini/x.509
Generating and copying server certificates for each RDS
If you want your RDSs to have its own server certificate, you have to generate server certificate for each RDS. In this case, the SEP sesam Server and every RDS have its own server certificate signed with the same self-signed root CA. This configuration allows to back up a client either to SEP sesam Server or any RDS.
- To generate server certificate for each RDS, run the following command:
- Copy the generated server.pem and server.key files from <RDS_server_certificate_path> to each RDS into the folder /var/opt/sesam/var/ini/ssl.
- Copy rootCA.pem to each RDS into the folder /var/opt/sesam/var/ini/ca.
/opt/sesam/bin/sms/sm_ssl_cert server --common-name=''<RDS_hostname>'' --path=''<RDS_server_certificate_path>''
Note | |
All generation is performed only on server. |
Edit configuration file on each client and server or RDS
- On SEP sesam Client
- Locate the /var/opt/sesam/var/ini/sm.ini file on the SEP sesam Client. Open the sm.ini file using a text editor and set the following:
- Once you have changed the settings, save your changes and restart the client for the changes to take effect.
[SBC_SSL] SBC_CLIENT_SSL_AUTH=1 #For client-side verification SBC_SSL_SERVER_VERIFY=1 #For server-side verification
- On SEP sesam Server or RDS
- Locate the /var/opt/sesam/var/ini/stpd.ini file on the SEP sesam Server. Open the stpd.ini file using a text editor and set the following:
- Once you have changed the settings, save your changes and restart the server for the changes to take effect.
[STPD_Server] STPD_HTTPS_USE_CLIENT_CERT=2
Possible values:
0: Do not validate 1: Validate but show warning 2: Validate and show error
Revoking client certificate
If a client certificate cannot be trusted anymore (e.g., it was leaked), then it is important to invalidate the client certificate. In case the certificate was leaked and malicious clients are using the certificate, then the server needs a way to identify the invalid certificate and prohibit clients connecting with this certificate. One option is to use Certificate Revocation Lists (CRLs). CRLs are a list of all invalid certificates.
To add client certificate (client.pem) into CRL, proceed as follows:
- Create directories:
- Create Certificate Revocation Lists (CRLs) on the server:
- In case of RDS configuration, copy also to RDS PC:
/var/opt/sesam/var/ini/revoked
/opt/sesam/bin/sms/sm_ssl_cert revoke --certificate="/var/opt/sesam/var/ini/x.509/client.pem"
Note | |
Certificate Revocation Lists creation works only on Linux. Looks like the problem on Windows is old (probably own build/configured) version of GnuTLS lib. To create CRL file on Windows, you have to download GnuTLS from the ftp gnutls. |
Two files will be created in /var/opt/sesam/var/ini/revoked:
crt certs.pem
crt ==> /var/opt/sesam/var/ini/revoked
Example
If a client with revoked certificate tries to connect to a server:
2016-08-30 18:05:01: sbc-3536: Info: # SEP XBSA, VERSION: 4.4R3 Build: e77d80b, Released: Aug 30 2016 # 2016-08-30 18:05:01: sbc-3502: Info: XBSA: XBSA BSA_API_VERSION (Issue.Version.Level): 2.1.1 2016-08-30 18:05:01: sbc-3500: Info: Verify SSL Server Cert: 1 2016-08-30 18:05:01: sbc-3502: Info: XBSA: URL: https://SEP-RDSWin10:11443 2016-08-30 18:05:01: sbc-3502: Info: XBSA: SSL integrity check enabled 2016-08-30 18:05:01: sbc-3502: Info: XBSA: SSL client authentication is enabled 2016-08-30 18:05:01: sbc-3502: Info: XBSA: BSACreateObject: Error: GNUTLS_CERT_REVOKED
20160830 18:05:01.709 [3428] ConnectionHandlerCb:: new connection 20160830 18:05:01.709 [3428] ConnectionHandlerCb:: Call connection callback 20160830 18:05:01.710 [3428] SSLConnectionCb:: Starting SSL connection 20160830 18:05:01.710 [3428] SSL mode. Checking for client certificate 20160830 18:05:01.731 [3428] SSL error: Error: GNUTLS_CERT_REVOKED
At the same time the other client with other client.pem/client.key tries to connect to a server:
2016-08-30 18:06:33: sbc-3536: Info: # SEP XBSA, VERSION: 4.4R3 Build: e77d80b, Released: Aug 30 2016 # 2016-08-30 18:06:33: sbc-3502: Info: XBSA: XBSA BSA_API_VERSION (Issue.Version.Level): 2.1.1 2016-08-30 18:06:33: sbc-3502: Info: XBSA: URL: https://SEP-RDSWin10:11443 2016-08-30 18:06:33: sbc-3502: Info: XBSA: SSL integrity check enabled 2016-08-30 18:06:33: sbc-3502: Info: XBSA: SSL client authentication is enabled ... 2016-08-30 18:06:33: sbc-3007: Info: Operation successful.
Useful commands
curl -X "PUT" -F file=@c:\windows\system32\drivers\etc\hosts -H "XBSA-USER:SESAM_SECURE_AUTHENTICATION" -H "XBSA-PASS:" \ -H "XBSA-TYPE:I" -H "XBSA-CWD:." -H "XBSA-STOR:TestBak.bak" -H "XBSA-QUIT" https://aoseredchuk-PC:11443 \ --key "c:\Program Files\SEPsesam\var\ini\x.509\client.key" --cacert "c:\Program Files\SEPsesam\var\ini\ca\rootCA.pem" \ --cert "c:\Program Files\SEPsesam\var\ini\x.509\client.pem" --ipv4 --tlsv1.0 --verbose
openssl s_client -connect aoseredchuk-PC:11443 -CAfile "c:\Program Files\SEPsesam\var\ini\ca\rootCA.pem" \ -cert "c:\Program Files\SEPsesam\var\ini\x.509\client.pem" -key "c:\Program Files\SEPsesam\var\ini\x.509\client.key"
openssl x509 -in "c:\Program Files\SEPsesam\var\ini\ca\rootCA.pem" -noout -text
openssl x509 -in "c:\Program Files\SEPsesam\var\ini\x.509\client.pem" -noout -text
Certificate testing
Test with correct certificates
Clients authentication: [successful]
[SBC_SSL] SBC_CLIENT_SSL_AUTH=1 SBC_SSL_SERVER_VERIFY=0 [STPD_Server] STPD_HTTPS_USE_CLIENT_CERT=2
2016-08-29 15:00:45: sbc-3536: Info: # SEP XBSA, VERSION: 4.4R3 Build: 4a628b6, Released: Aug 23 2016 # 2016-08-29 15:00:45: sbc-3502: Info: XBSA: XBSA BSA_API_VERSION (Issue.Version.Level): 2.1.1 2016-08-29 15:00:45: sbc-3502: Info: XBSA: URL: https://aoseredchuk-PC:11443 2016-08-29 15:00:45: sbc-3502: Info: XBSA: Warning: SSL integrity check disabled 2016-08-29 15:00:45: sbc-3502: Info: XBSA: SSL client authentication is enabled ... 2016-08-29 15:00:46: sbc-3007: Info: Operation successful.
Server authentication: [successful]
[SBC_SSL] SBC_CLIENT_SSL_AUTH=0 SBC_SSL_SERVER_VERIFY=1 [STPD_Server] STPD_HTTPS_USE_CLIENT_CERT=2
2016-08-29 15:34:50: sbc-3536: Info: # SEP XBSA, VERSION: 4.4R3 Build: 4a628b6, Released: Aug 23 2016 # 2016-08-29 15:34:50: sbc-3502: Info: XBSA: XBSA BSA_API_VERSION (Issue.Version.Level): 2.1.1 2016-08-29 15:34:50: sbc-3502: Info: XBSA: URL: https://aoseredchuk-PC:11443 2016-08-29 15:34:50: sbc-3502: Info: XBSA: SSL integrity check enabled 2016-08-29 15:34:50: sbc-3502: Info: XBSA: SSL client authentication is disabled ... 2016-08-29 15:34:52: sbc-3007: Info: Operation successful.
Double authentication: [successful]
[SBC_SSL] SBC_CLIENT_SSL_AUTH=1 SBC_SSL_SERVER_VERIFY=1 [STPD_Server] STPD_HTTPS_USE_CLIENT_CERT=2
2016-08-29 15:01:13: sbc-3536: Info: # SEP XBSA, VERSION: 4.4R3 Build: 4a628b6, Released: Aug 23 2016 # 2016-08-29 15:01:13: sbc-3502: Info: XBSA: XBSA BSA_API_VERSION (Issue.Version.Level): 2.1.1 2016-08-29 15:01:13: sbc-3502: Info: XBSA: URL: https://aoseredchuk-PC:11443 2016-08-29 15:01:13: sbc-3502: Info: XBSA: SSL integrity check enabled 2016-08-29 15:01:13: sbc-3502: Info: XBSA: SSL client authentication is enabled ... 2016-08-29 15:01:13: sbc-3007: Info: Operation successful.
Test with wrong client.key/pem certificates
Clients authentication: [failed]
[SBC_SSL] SBC_CLIENT_SSL_AUTH=1 SBC_SSL_SERVER_VERIFY=0 [STPD_Server] STPD_HTTPS_USE_CLIENT_CERT=2
2016-08-29 15:01:59: sbc-3536: Info: # SEP XBSA, VERSION: 4.4R3 Build: 4a628b6, Released: Aug 23 2016 # 2016-08-29 15:01:59: sbc-3502: Info: XBSA: XBSA BSA_API_VERSION (Issue.Version.Level): 2.1.1 2016-08-29 15:01:59: sbc-3502: Info: XBSA: URL: https://aoseredchuk-PC:11443 2016-08-29 15:01:59: sbc-3502: Info: XBSA: Warning: SSL integrity check disabled 2016-08-29 15:01:59: sbc-3502: Info: XBSA: SSL client authentication is enabled 2016-08-29 15:01:59: sbc-3502: Info: XBSA: BSACreateObject: Error: GNUTLS_CERT_INVALID GNUTLS_CERT_SIGNER_NOT_FOUND 2016-08-29 15:01:59: sbc-3500: Info: XBSA returned: Cannot create object with given descriptor. 2016-08-29 15:01:59: sbc-1009: Error: XBSA Call BSACreateObject failed with message: Access to the requested object is not possible. Error: GNUTLS_CERT_INVALID GNUTLS_CERT_SIGNER_NOT_FOUND 2016-08-29 15:01:59: sbc-3005: Info: Closing saveset. 2016-08-29 15:01:59: sbc-3310: Info: Checksum (adler32): 1. (test) 2016-08-29 15:01:59: sbc-3052: Info: Items processed correctly: [0]. Not processed or incorrectly processed items: [0]. (test) 2016-08-29 15:01:59: sbc-1156: Error: Operation failed!
20160829 15:01:59.878 [16340] ConnectionHandlerCb:: new connection 20160829 15:01:59.878 [16340] ConnectionHandlerCb:: Call connection callback 20160829 15:01:59.879 [16340] SSLConnectionCb:: Starting SSL connection 20160829 15:01:59.879 [16340] SSL mode. Checking for client certificate 20160829 15:01:59.880 [16340] SSL error: Error: GNUTLS_CERT_INVALID GNUTLS_CERT_SIGNER_NOT_FOUND
Server authentication: [successful]
[SBC_SSL] SBC_CLIENT_SSL_AUTH=0 SBC_SSL_SERVER_VERIFY=1 [STPD_Server] STPD_HTTPS_USE_CLIENT_CERT=2
2016-08-29 15:33:05: sbc-3536: Info: # SEP XBSA, VERSION: 4.4R3 Build: 4a628b6, Released: Aug 23 2016 # 2016-08-29 15:33:05: sbc-3502: Info: XBSA: XBSA BSA_API_VERSION (Issue.Version.Level): 2.1.1 2016-08-29 15:33:05: sbc-3502: Info: XBSA: URL: https://aoseredchuk-PC:11443 2016-08-29 15:33:05: sbc-3502: Info: XBSA: SSL integrity check enabled 2016-08-29 15:33:05: sbc-3502: Info: XBSA: SSL client authentication is disabled ... 2016-08-29 15:33:07: sbc-3007: Info: Operation successful.
Double authentication: [failed]
[SBC_SSL] SBC_CLIENT_SSL_AUTH=1 SBC_SSL_SERVER_VERIFY=1 [STPD_Server] STPD_HTTPS_USE_CLIENT_CERT=2
2016-08-29 15:01:46: sbc-3536: Info: # SEP XBSA, VERSION: 4.4R3 Build: 4a628b6, Released: Aug 23 2016 # 2016-08-29 15:01:46: sbc-3502: Info: XBSA: XBSA BSA_API_VERSION (Issue.Version.Level): 2.1.1 2016-08-29 15:01:46: sbc-3502: Info: XBSA: URL: https://aoseredchuk-PC:11443 2016-08-29 15:01:46: sbc-3502: Info: XBSA: SSL integrity check enabled 2016-08-29 15:01:46: sbc-3502: Info: XBSA: SSL client authentication is enabled 2016-08-29 15:01:47: sbc-3502: Info: XBSA: BSACreateObject: Error: GNUTLS_CERT_INVALID GNUTLS_CERT_SIGNER_NOT_FOUND 2016-08-29 15:01:47: sbc-3500: Info: XBSA returned: Cannot create object with given descriptor. 2016-08-29 15:01:47: sbc-1009: Error: XBSA Call BSACreateObject failed with message: Access to the requested object is not possible. Error: GNUTLS_CERT_INVALID GNUTLS_CERT_SIGNER_NOT_FOUND 2016-08-29 15:01:47: sbc-3005: Info: Closing saveset. 2016-08-29 15:01:47: sbc-3310: Info: Checksum (adler32): 1. (test) 2016-08-29 15:01:47: sbc-3052: Info: Items processed correctly: [0]. Not processed or incorrectly processed items: [0]. (test) 2016-08-29 15:01:47: sbc-1156: Error: Operation failed!
20160829 15:01:46.987 [18740] ConnectionHandlerCb:: new connection 20160829 15:01:46.987 [18740] ConnectionHandlerCb:: Call connection callback 20160829 15:01:46.987 [18740] SSLConnectionCb:: Starting SSL connection 20160829 15:01:46.988 [18740] SSL mode. Checking for client certificate 20160829 15:01:46.989 [18740] SSL error: Error: GNUTLS_CERT_INVALID GNUTLS_CERT_SIGNER_NOT_FOUND
Test with wrong rootCA.pem certificates
Clients authentication: [successful]
[SBC_SSL] SBC_CLIENT_SSL_AUTH=1 SBC_SSL_SERVER_VERIFY=0 [STPD_Server] STPD_HTTPS_USE_CLIENT_CERT=2
2016-08-29 15:28:21: sbc-3536: Info: # SEP XBSA, VERSION: 4.4R3 Build: 4a628b6, Released: Aug 23 2016 # 2016-08-29 15:28:21: sbc-3502: Info: XBSA: XBSA BSA_API_VERSION (Issue.Version.Level): 2.1.1 2016-08-29 15:28:21: sbc-3502: Info: XBSA: URL: https://aoseredchuk-PC:11443 2016-08-29 15:28:21: sbc-3502: Info: XBSA: Warning: SSL integrity check disabled 2016-08-29 15:28:21: sbc-3502: Info: XBSA: SSL client authentication is enabled ... 2016-08-29 15:28:26: sbc-3007: Info: Operation successful.
Server authentication: [failed]
[SBC_SSL] SBC_CLIENT_SSL_AUTH=0 SBC_SSL_SERVER_VERIFY=1 [STPD_Server] STPD_HTTPS_USE_CLIENT_CERT=2
2016-08-29 15:48:54: sbc-3536: Info: # SEP XBSA, VERSION: 4.4R3 Build: 4a628b6, Released: Aug 23 2016 # 2016-08-29 15:48:54: sbc-3502: Info: XBSA: XBSA BSA_API_VERSION (Issue.Version.Level): 2.1.1 2016-08-29 15:48:54: sbc-3502: Info: XBSA: URL: https://aoseredchuk-PC:11443 2016-08-29 15:48:54: sbc-3502: Info: XBSA: SSL integrity check enabled 2016-08-29 15:48:54: sbc-3502: Info: XBSA: SSL client authentication is disabled 2016-08-29 15:48:57: sbc-3502: Info: XBSA: BSACreateObject: Client SSL certificate is missing or invalid 2016-08-29 15:48:57: sbc-3500: Info: XBSA returned: Cannot create object with given descriptor. 2016-08-29 15:48:57: sbc-1009: Error: XBSA Call BSACreateObject failed with message: Access to the requested object is not possible. Client SSL certificate is missing or invalid
20160829 15:48:54.800 [2808] ConnectionHandlerCb:: new connection 20160829 15:48:54.800 [2808] ConnectionHandlerCb:: Call connection callback 20160829 15:48:54.801 [2808] SSLConnectionCb:: Starting SSL connection 20160829 15:48:56.218 [2808] SSL mode. Checking for client certificate 20160829 15:48:57.028 [2808] SSL error: Client SSL certificate is missing or invalid
Double authentication: [successful]
[SBC_SSL] SBC_CLIENT_SSL_AUTH=1 SBC_SSL_SERVER_VERIFY=1 [STPD_Server] STPD_HTTPS_USE_CLIENT_CERT=2
2016-08-29 15:49:56: sbc-3536: Info: # SEP XBSA, VERSION: 4.4R3 Build: 4a628b6, Released: Aug 23 2016 # 2016-08-29 15:49:56: sbc-3502: Info: XBSA: XBSA BSA_API_VERSION (Issue.Version.Level): 2.1.1 2016-08-29 15:49:56: sbc-3502: Info: XBSA: URL: https://aoseredchuk-PC:11443 2016-08-29 15:49:56: sbc-3502: Info: XBSA: SSL integrity check enabled 2016-08-29 15:49:56: sbc-3502: Info: XBSA: SSL client authentication is enabled ... 2016-08-29 15:50:03: sbc-3007: Info: Operation successful.
Test with wrong rootCA.pem and client.key/pem certificates
Clients authentication: [failed]
[SBC_SSL] SBC_CLIENT_SSL_AUTH=1 SBC_SSL_SERVER_VERIFY=0 [STPD_Server] STPD_HTTPS_USE_CLIENT_CERT=2
2016-08-29 15:44:50: sbc-3536: Info: # SEP XBSA, VERSION: 4.4R3 Build: 4a628b6, Released: Aug 23 2016 # 2016-08-29 15:44:50: sbc-3502: Info: XBSA: XBSA BSA_API_VERSION (Issue.Version.Level): 2.1.1 2016-08-29 15:44:50: sbc-3502: Info: XBSA: URL: https://aoseredchuk-PC:11443 2016-08-29 15:44:50: sbc-3502: Info: XBSA: Warning: SSL integrity check disabled 2016-08-29 15:44:50: sbc-3502: Info: XBSA: SSL client authentication is enabled 2016-08-29 15:44:53: sbc-3502: Info: XBSA: BSACreateObject: Error: GNUTLS_CERT_INVALID GNUTLS_CERT_SIGNER_NOT_FOUND
20160829 15:44:50.877 [18796] ConnectionHandlerCb:: new connection 20160829 15:44:50.878 [18796] ConnectionHandlerCb:: Call connection callback 20160829 15:44:50.878 [18796] SSLConnectionCb:: Starting SSL connection 20160829 15:44:52.451 [18796] SSL mode. Checking for client certificate 20160829 15:44:53.158 [18796] SSL error: Error: GNUTLS_CERT_INVALID GNUTLS_CERT_SIGNER_NOT_FOUND
Server authentication: [failed]
[SBC_SSL] SBC_CLIENT_SSL_AUTH=0 SBC_SSL_SERVER_VERIFY=1 [STPD_Server] STPD_HTTPS_USE_CLIENT_CERT=2
2016-08-29 15:42:36: sbc-3536: Info: # SEP XBSA, VERSION: 4.4R3 Build: 4a628b6, Released: Aug 23 2016 # 2016-08-29 15:42:36: sbc-3502: Info: XBSA: XBSA BSA_API_VERSION (Issue.Version.Level): 2.1.1 2016-08-29 15:42:36: sbc-3502: Info: XBSA: URL: https://aoseredchuk-PC:11443 2016-08-29 15:42:36: sbc-3502: Info: XBSA: SSL integrity check enabled 2016-08-29 15:42:36: sbc-3502: Info: XBSA: SSL client authentication is disabled 2016-08-29 15:42:39: sbc-3502: Info: XBSA: BSACreateObject: Client SSL certificate is missing or invalid 2016-08-29 15:42:39: sbc-3500: Info: XBSA returned: Cannot create object with given descriptor. 2016-08-29 15:42:39: sbc-1009: Error: XBSA Call BSACreateObject failed with message: Access to the requested object is not possible. Client SSL certificate is missing or invalid
20160829 15:42:37.051 [11924] ConnectionHandlerCb:: new connection 20160829 15:42:37.052 [11924] ConnectionHandlerCb:: Call connection callback 20160829 15:42:37.052 [11924] SSLConnectionCb:: Starting SSL connection 20160829 15:42:38.363 [11924] SSL mode. Checking for client certificate 20160829 15:42:39.072 [11924] SSL error: Client SSL certificate is missing or invalid
Double authentication: [failed]
[SBC_SSL] SBC_CLIENT_SSL_AUTH=1 SBC_SSL_SERVER_VERIFY=1 [STPD_Server] STPD_HTTPS_USE_CLIENT_CERT=2
2016-08-29 15:41:39: sbc-3536: Info: # SEP XBSA, VERSION: 4.4R3 Build: 4a628b6, Released: Aug 23 2016 # 2016-08-29 15:41:39: sbc-3502: Info: XBSA: XBSA BSA_API_VERSION (Issue.Version.Level): 2.1.1 2016-08-29 15:41:39: sbc-3502: Info: XBSA: URL: https://aoseredchuk-PC:11443 2016-08-29 15:41:39: sbc-3502: Info: XBSA: SSL integrity check enabled 2016-08-29 15:41:39: sbc-3502: Info: XBSA: SSL client authentication is enabled 2016-08-29 15:41:42: sbc-3502: Info: XBSA: BSACreateObject: Error: GNUTLS_CERT_INVALID GNUTLS_CERT_SIGNER_NOT_FOUND 2016-08-29 15:41:42: sbc-3500: Info: XBSA returned: Cannot create object with given descriptor. 2016-08-29 15:41:42: sbc-1009: Error: XBSA Call BSACreateObject failed with message: Access to the requested object is not possible. Error: GNUTLS_CERT_INVALID GNUTLS_CERT_SIGNER_NOT_FOUND
20160829 15:41:39.831 [0728] ConnectionHandlerCb:: new connection 20160829 15:41:39.831 [0728] ConnectionHandlerCb:: Call connection callback 20160829 15:41:39.832 [0728] SSLConnectionCb:: Starting SSL connection 20160829 15:41:41.218 [0728] SSL mode. Checking for client certificate 20160829 15:41:41.927 [0728] SSL error: Error: GNUTLS_CERT_INVALID GNUTLS_CERT_SIGNER_NOT_FOUND
See also
About Authentication and Authorization – How to Replace the REST Server HTTPS Certificate and Private Key - Disabling unsecure transport modes