Hi Paul,

We have been using a 'real' certificate from godaddy.com since we went live. We've only hit this problem when we tried to renew it. I am receiving the same error with a self-signed certificate as well. Do you have any other ideas for me to try? This is very frustrating.

Here are the exact commands I used for the self-signed cert:

keytool -genkey -v -alias d1google -keystore d1google2010b.jks -keyalg RSA -sigalg SHA1withRSA -dname "CN=careopinion.com, OU=Corporate, O=DiagnosisONE, L=Nashua, S=New Hampshire, C=US" -storepass xxxxxxxx -keypass xxxxxxxx

keytool -export -v -rfc -alias d1google -file d1googleselfsignedb.pem -keystore d1google2010b.jks -storepass xxxxxxxx

Then I uploaded the .pem file to the manage domains page.

Thanks,

-Dave-

On Jul 9, 6:45 pm, "Paul (Google)" <[email protected]> wrote:
> Hi Dave,
>
> I believe that only self-signed certificates can be used for signing AuthSub tokens. Can you try skipping the "certreq" step and just use your self-signed certificate? The following docs have the necessary commands for generating self-signed certificates with keytool.
>
> http://code.google.com/apis/gdata/docs/auth/authsub.html#keytool
>
> I followed these steps to get a self-signed certificate with the "-validity 1825 -keysize 2048" flags, and I was able to successfully sign tokens. I don't believe that the extended validity is necessary, however; Google doesn't check for certificate expiry.
>
> Paul
>
> On Jul 6, 8:27 am, Dave <[email protected]> wrote:
> > Hello Paul,
> >
> > I've had no luck with this issue. We are still getting the same error no matter what SSL cert we use. 1024 or 2048 size certificates generate the same error. Here are the exact steps we are taking to generate the certificates. This is a Java environment on a Windows platform:
> >
> > keytool -genkey -v -alias d1google -dname "CN=careopinion.com, OU=Corporate, O=DiagnosisONE, L=Nashua, S=New Hampshire, C=US" -alias d1google -keypass xxxxx -keystore d1google2010b.jks -storepass xxxxx -keyalg "RSA" -sigalg SHA1withRSA -validity 1825 -keysize 1024
> >
> > keytool -certreq -v -alias d1google -sigalg "SHA1withRSA" -file d1google2010b.csr -keystore d1google2010b.jks -storepass xxxxx -keypass xxxxx
> >
> > Once I receive the cert back from the provider, I append it using a text editor to the bottom of the certificate chain file also received from the provider.
> >
> > keytool -import -v -file careopinion_com.txt -keypass xxxxx -keystore d1google2010b.jks -storepass xxxxx -trustcacerts -alias d1google
> >
> > I then export the certificate from the keystore:
> >
> > keytool -export -v -rfc -alias d1google -file d1google2010b.pem -keystore d1google2010b.jks -storepass xxxxx
> >
> > And use the resulting file to upload to the manage domain tool for our domain:
> >
> > Testing the application still results in the following exception:
> >
> > com.google.gdata.util.AuthenticationException: 401: Invalid AuthSub header.
> >     at com.google.gdata.client.http.AuthSubUtil.exchangeForSessionToken(Unknown Source)
> >     at com.google.gdata.client.http.AuthSubUtil.exchangeForSessionToken(Unknown Source)
> >     at d1.process.HealthSample.exchangeAuthSubToken(HealthSample.java:91)
> >     at hlink.GoogleHandler.AddProfile(GoogleHandler.java:1017)
> >     at sun.reflect.GeneratedMethodAccessor377.invoke(Unknown Source)
> >     at sun.reflect.DelegatingMethodAccessorImpl.invoke(DelegatingMethodAccessorImpl.java:25)
> >     at java.lang.reflect.Method.invoke(Method.java:585)
> >     at org.apache.beehive.netui.pageflow.FlowController.invokeActionMethod(FlowController.java:879)
> >     at org.apache.beehive.netui.pageflow.FlowController.getActionMethodForward(FlowController.java:809)
> >     at org.apache.beehive.netui.pageflow.FlowController.internalExecute(FlowController.java:478)
> >     at org.apache.beehive.netui.pageflow.PageFlowController.internalExecute(PageFlowController.java:306)
> >     at org.apache.beehive.netui.pageflow.FlowController.execute(FlowController.java:336)
> >     at org.apache.beehive.netui.pageflow.internal.FlowControllerAction.execute(FlowControllerAction.java:52)
> >     at org.apache.struts.action.RequestProcessor.processActionPerform(RequestProcessor.java:431)
> >     at org.apache.beehive.netui.pageflow.PageFlowRequestProcessor.access$201(PageFlowRequestProcessor.java:97)
> >     at org.apache.beehive.netui.pageflow.PageFlowRequestProcessor$ActionRunner.execute(PageFlowRequestProcessor.java:2044)
> >     at org.apache.beehive.netui.pageflow.interceptor.action.internal.ActionInterceptors$WrapActionInterceptorChain.continueChain(ActionInterceptors.java:64)
> >     at org.apache.beehive.netui.pageflow.interceptor.action.ActionInterceptor.wrapAction(ActionInterceptor.java:184)
> >     at org.apache.beehive.netui.pageflow.interceptor.action.internal.ActionInterceptors$WrapActionInterceptorChain.invoke(ActionInterceptors.java:50)
> >     at org.apache.beehive.netui.pageflow.interceptor.action.internal.ActionInterceptors$WrapActionInterceptorChain.continueChain(ActionInterceptors.java:58)
> >     at org.apache.beehive.netui.pageflow.interceptor.action.internal.ActionInterceptors.wrapAction(ActionInterceptors.java:87)
> >     at org.apache.beehive.netui.pageflow.PageFlowRequestProcessor.processActionPerform(PageFlowRequestProcessor.java:2116)
> >     at org.apache.struts.action.RequestProcessor.process(RequestProcessor.java:236)
> >     at org.apache.beehive.netui.pageflow.PageFlowRequestProcessor.processInternal(PageFlowRequestProcessor.java:556)
> >     at org.apache.beehive.netui.pageflow.PageFlowRequestProcessor.process(PageFlowRequestProcessor.java:853)
> >     at org.apache.beehive.netui.pageflow.AutoRegisterActionServlet.process(AutoRegisterActionServlet.java:631)
> >     at org.apache.beehive.netui.pageflow.PageFlowActionServlet.process(PageFlowActionServlet.java:158)
> >     at org.apache.struts.action.ActionServlet.doPost(ActionServlet.java:432)
> >     at javax.servlet.http.HttpServlet.service(HttpServlet.java:727)
> >     at javax.servlet.http.HttpServlet.service(HttpServlet.java:820)
> >     at weblogic.servlet.internal.StubSecurityHelper$ServletServiceAction.run(StubSecurityHelper.java:226)
> >     at weblogic.servlet.internal.StubSecurityHelper.invokeServlet(StubSecurityHelper.java:124)
> >     at weblogic.servlet.internal.ServletStubImpl.execute(ServletStubImpl.java:283)
> >     at weblogic.servlet.internal.TailFilter.doFilter(TailFilter.java:26)
> >     at weblogic.servlet.internal.FilterChainImpl.doFilter(FilterChainImpl.java:42)
> >     at com.bea.portal.tools.servlet.http.HttpContextFilter.doFilter(HttpContextFilter.java:60)
> >     at weblogic.servlet.internal.FilterChainImpl.doFilter(FilterChainImpl.java:42)
> >     at com.bea.p13n.servlets.PortalServletFilter.doFilter(PortalServletFilter.java:336)
> >     at weblogic.servlet.internal.FilterChainImpl.doFilter(FilterChainImpl.java:42)
> >     at com.bea.jsptools.servlet.PagedResultServiceFilter.doFilter(PagedResultServiceFilter.java:82)
> >     at weblogic.servlet.internal.FilterChainImpl.doFilter(FilterChainImpl.java:42)
> >     at weblogic.servlet.internal.WebAppServletContext$ServletInvocationAction.run(WebAppServletContext.java:3393)
> >     at weblogic.security.acl.internal.AuthenticatedSubject.doAs(AuthenticatedSubject.java:321)
> >     at weblogic.security.service.SecurityManager.runAs(Unknown Source)
> >     at weblogic.servlet.internal.WebAppServletContext.securedExecute(WebAppServletContext.java:2140)
> >     at weblogic.servlet.internal.WebAppServletContext.execute(WebAppServletContext.java:2046)
> >     at weblogic.servlet.internal.ServletRequestImpl.run(ServletRequestImpl.java:1366)
> >     at weblogic.work.ExecuteThread.execute(ExecuteThread.java:200)
> >     at weblogic.work.ExecuteThread.run(ExecuteThread.java:172)
> > Add Profile exception: Problem while exchanging AuthSub token.
> >
> > Any ideas on what is going wrong here? Am I missing something very basic? This is very frustrating....
> >
> > Thanks,
> >
> > -Dave-
> >
> > On Jun 24, 8:43 pm, "Paul (Google)" <[email protected]> wrote:
> > > Hi Dave,
> > >
> > > I'm still investigating 2048 bit key support. I'll definitely post an update once I have a definitive answer.
> > >
> > > When you click the link for the domains management test using Google Calendar, you'll be directed to the Calendar authorization page, and then back to your app with an authorized single-use token in the URL.
> > > You will be redirected back to the URL you have specified in the "Target URL path prefix" field, and the token will be a GET parameter on the URL. To verify that the signature was successful, you'll need to have your web application retrieve the token from the URL and attempt to upgrade it to a session token, which is what you're currently doing with Health. If you're able to exchange the single-use token for a session token, then the 2048 bit key should be useable. If you get the same error that's in the initial post, then it's unlikely that the 2048 bit key can be used at this time.
> > >
> > > In any event, I'll let you know what I find out about 2048 bit keys!
> > >
> > > Paul
> > >
> > > On Jun 22, 12:08 pm, Dave <[email protected]> wrote:
> > > > Hi Paul,
> > > >
> > > > It won't be possible to get a 1024 length key now. All of the key issuers are using 2048 as the default key size now.
> > > >
> > > > Is there any way for you to verify if Google will support the 2048 key?
> > > >
> > > > Also, I'm not clear how to test the key using the Google Calendar link. When I click on it, it asks:
> > > >
> > > > The site CareOpinion is requesting access to your Google Account for the product(s) listed below.
> > > > Google Calendar
> > > >
> > > > When I click "Grant Access" it immediately takes me to my caropinion.com application page. Does this mean that the certificate works?
> > > >
> > > > I am still getting the following error after I try to connect to Google Health through our application: I've imported the Google Health cert into our

--
You received this message because you are subscribed to the Google Groups "Google Health Developers" group.
To post to this group, send email to [email protected].
To unsubscribe from this group, send email to [email protected].
For more options, visit this group at http://groups.google.com/group/googlehealthdevelopers?hl=en.
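
Added example, not part of the thread and not code from Google or the gdata client: a local check, in Java to match the environment described above, that the PEM file produced by "keytool -export -rfc" carries the public key belonging to the private key stored under the same alias in the JKS keystore, using the SHA1withRSA algorithm named in the commands. The class name KeyPairCheck and its argument order are assumptions made for illustration.

```java
import java.io.Console;
import java.io.FileInputStream;
import java.io.InputStream;
import java.security.KeyStore;
import java.security.PrivateKey;
import java.security.Signature;
import java.security.cert.CertificateFactory;
import java.security.cert.X509Certificate;
import java.security.interfaces.RSAPublicKey;

// Added example (hypothetical class name): confirms that the certificate
// exported to PEM pairs with the private key held in the JKS keystore.
public class KeyPairCheck {
    // Sign constructed probe bytes with the private key, verify with the cert.
    static boolean matches(PrivateKey key, X509Certificate cert) throws Exception {
        byte[] probe = "keypair-check-probe".getBytes("UTF-8");
        Signature signer = Signature.getInstance("SHA1withRSA");
        signer.initSign(key);
        signer.update(probe);
        Signature verifier = Signature.getInstance("SHA1withRSA");
        verifier.initVerify(cert.getPublicKey());
        verifier.update(probe);
        return verifier.verify(signer.sign());
    }

    public static void main(String[] args) throws Exception {
        Console console = System.console();
        if (args.length != 3 || console == null)
            throw new IllegalArgumentException("usage (interactive console): KeyPairCheck <keystore.jks> <alias> <cert.pem>");
        char[] storePass = console.readPassword("Keystore password: "); // prompt keeps passwords out of the process list
        char[] keyPass = console.readPassword("Key password: ");
        KeyStore ks = KeyStore.getInstance("JKS");
        try (InputStream in = new FileInputStream(args[0])) {
            ks.load(in, storePass);
        }
        PrivateKey key = (PrivateKey) ks.getKey(args[1], keyPass);
        if (key == null) throw new IllegalStateException("no private key under alias " + args[1]);
        X509Certificate cert;
        try (InputStream in = new FileInputStream(args[2])) {
            cert = (X509Certificate) CertificateFactory.getInstance("X.509").generateCertificate(in);
        }
        boolean selfSigned = cert.getSubjectX500Principal().equals(cert.getIssuerX500Principal());
        int bits = ((RSAPublicKey) cert.getPublicKey()).getModulus().bitLength(); // assumes an RSA key, as in the thread
        System.out.println("Self-signed: " + selfSigned + ", RSA bits: " + bits);
        boolean ok = matches(key, cert);
        System.out.println(ok ? "PEM matches keystore private key" : "MISMATCH");
        System.exit(ok ? 0 : 1);
    }
}
```

Run it with the keystore, the alias and the .pem file that was uploaded; it also reports whether the certificate is self-signed and its RSA key size, the two properties discussed in the thread.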
