Hi Dave,
This is maybe a bit of a stretch, but are you sure that your code is
able to load the jks file properly and pass it to the
"exchangeForSessionToken(String token, PrivateKey pk)" method, like
below? The "getPrivateKeyFromKeystore(..)" method should throw an
IOException if there's an error loading the file; although, if this
exception is swallowed, the AuthSub token could be signed improperly.

    PrivateKey privateKey = AuthSubUtil.getPrivateKeyFromKeystore(
        "keystore.jks", "changeme", "myalias", "changeme");
    AuthSubUtil.exchangeForSessionToken(oneTimeToken, privateKey);

Also, are you seeing the exception during the Calendar test linkage?
Paul
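
One way to run the check suggested above outside the web application, as an added example that is not part of the original thread or the GData client library: it loads the key entry straight from the JKS file with every exception propagating, then confirms that the private key pairs with the public key in the exported .pem through a SHA1withRSA sign/verify round trip. The class and method names are hypothetical and Java 7 or later is assumed; with no arguments it runs on two throwaway key pairs generated in memory.

```java
import java.io.FileInputStream;
import java.io.InputStream;
import java.nio.charset.StandardCharsets;
import java.security.*;
import java.security.cert.CertificateFactory;

public class AuthSubKeyCheck {  // hypothetical name, not part of the GData library

    // Load the signing key from the JKS; nothing is caught, so a bad path, password or alias fails loudly.
    static PrivateKey loadKey(String jks, char[] storePass, String alias,
                              char[] keyPass) throws Exception {
        KeyStore ks = KeyStore.getInstance("JKS");
        try (InputStream in = new FileInputStream(jks)) {
            ks.load(in, storePass);
        }
        if (!ks.isKeyEntry(alias)) {
            throw new KeyStoreException("no private-key entry under alias " + alias);
        }
        return (PrivateKey) ks.getKey(alias, keyPass);
    }

    // Public key of the certificate file that was uploaded (keytool -export -rfc output).
    static PublicKey loadUploadedKey(String pem) throws Exception {
        try (InputStream in = new FileInputStream(pem)) {
            return CertificateFactory.getInstance("X.509").generateCertificate(in).getPublicKey();
        }
    }

    // Sign a probe with the private key and verify it with the public key.
    static boolean keysMatch(PrivateKey priv, PublicKey pub) throws GeneralSecurityException {
        byte[] probe = "authsub-key-check".getBytes(StandardCharsets.US_ASCII);
        Signature signer = Signature.getInstance("SHA1withRSA");
        signer.initSign(priv);
        signer.update(probe);
        Signature verifier = Signature.getInstance("SHA1withRSA");
        verifier.initVerify(pub);
        verifier.update(probe);
        return verifier.verify(signer.sign());
    }

    public static void main(String[] a) throws Exception {
        if (a.length == 5) {  // <keystore.jks> <storepass> <alias> <keypass> <uploaded.pem>
            PrivateKey k = loadKey(a[0], a[1].toCharArray(), a[2], a[3].toCharArray());
            System.out.println("key matches uploaded cert: " + keysMatch(k, loadUploadedKey(a[4])));
            return;
        }
        KeyPairGenerator g = KeyPairGenerator.getInstance("RSA");  // constructed demo keys
        g.initialize(2048);
        KeyPair uploaded = g.generateKeyPair(), other = g.generateKeyPair();
        System.out.println("same pair:      " + keysMatch(uploaded.getPrivate(), uploaded.getPublic()));
        System.out.println("different pair: " + keysMatch(other.getPrivate(), uploaded.getPublic()));
    }
}
```
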
On Jul 16, 11:55 am, Dave <[email protected]> wrote:
> Hi Paul,
>
> We have been using a 'real' certificate from godaddy.com since we went
> live. We've only hit this problem when we tried to renew it. I am
> receiving the same error with a self signed certificate as well. Do
> you have any other ideas for me to try? This is very frustrating.
> Here are the exact commands I used for the self signed cert:
>
> keytool -genkey -v -alias d1google -keystore d1google2010b.jks -keyalg RSA -sigalg SHA1withRSA -dname "CN=careopinion.com, OU=Corporate, O=DiagnosisONE, L=Nashua, S=New Hampshire, C=US" -storepass xxxxxxxx -keypass xxxxxxxx
>
> keytool -export -v -rfc -alias d1google -file d1googleselfsignedb.pem -keystore d1google2010b.jks -storepass xxxxxxxx
>
> then I uploaded the .pem file to the manage domains page.
>
> Thanks,
>
> -Dave-
>
> On Jul 9, 6:45 pm, "Paul (Google)" <[email protected]> wrote:
>
>
>
> > Hi Dave,
>
> > I believe that only self-signed certificates can be used for signing
> > AuthSub tokens. Can you try skipping the "certreq" step and just use
> > your self-signed certificate? The following docs have the necessary
> > commands for generating self-signed certificates with keytool.
>
> > http://code.google.com/apis/gdata/docs/auth/authsub.html#keytool
>
> > I followed these steps to get a self-signed certificate with the
> > "-validity 1825 -keysize 2048" flags, and I was able to successfully
> > sign tokens. I don't believe that the extended validity is necessary,
> > however; Google doesn't check for certificate expiry.
>
> > Paul
>
> > On Jul 6, 8:27 am, Dave <[email protected]> wrote:
>
> > > Hello Paul,
>
> > > I've had no luck with this issue. We are still getting the same error
> > > no matter what SSL cert we use. 1024 or 2048 size certificates
> > > generate the same error. Here are the exact steps we are taking to
> > > generate the certificates. This is a Java environment on a Windows
> > > platform:
>
> > > keytool -genkey -v -alias d1google -dname "CN=careopinion.com, OU=Corporate, O=DiagnosisONE, L=Nashua, S=New Hampshire, C=US" -alias d1google -keypass xxxxx -keystore d1google2010b.jks -storepass xxxxx -keyalg "RSA" -sigalg SHA1withRSA -validity 1825 -keysize 1024
>
> > > keytool -certreq -v -alias d1google -sigalg "SHA1withRSA" -file d1google2010b.csr -keystore d1google2010b.jks -storepass xxxxx -keypass xxxxx
>
> > > Once I receive the cert back from the provider, I append it using a
> > > text editor to the bottom of the certificate chain file also received
> > > from the provider.
>
> > > keytool -import -v -file careopinion_com.txt -keypass xxxxx -keystore d1google2010b.jks -storepass xxxxx -trustcacerts -alias d1google
>
> > > I then export the certificate from the keystore:
> > > keytool -export -v -rfc -alias d1google -file d1google2010b.pem -keystore d1google2010b.jks -storepass xxxxx
>
> > > And use the resulting file to upload to the manage domain tool for our
> > > domain:
>
> > > Testing the application still results in the following exception:
>
> > > com.google.gdata.util.AuthenticationException: 401: Invalid AuthSub header.
> > >     at com.google.gdata.client.http.AuthSubUtil.exchangeForSessionToken(Unknown Source)
> > >     at com.google.gdata.client.http.AuthSubUtil.exchangeForSessionToken(Unknown Source)
> > >     at d1.process.HealthSample.exchangeAuthSubToken(HealthSample.java:91)
> > >     at hlink.GoogleHandler.AddProfile(GoogleHandler.java:1017)
> > >     at sun.reflect.GeneratedMethodAccessor377.invoke(Unknown Source)
> > >     at sun.reflect.DelegatingMethodAccessorImpl.invoke(DelegatingMethodAccessorImpl.java:25)
> > >     at java.lang.reflect.Method.invoke(Method.java:585)
> > >     at org.apache.beehive.netui.pageflow.FlowController.invokeActionMethod(FlowController.java:879)
> > >     at org.apache.beehive.netui.pageflow.FlowController.getActionMethodForward(FlowController.java:809)
> > >     at org.apache.beehive.netui.pageflow.FlowController.internalExecute(FlowController.java:478)
> > >     at org.apache.beehive.netui.pageflow.PageFlowController.internalExecute(PageFlowController.java:306)
> > >     at org.apache.beehive.netui.pageflow.FlowController.execute(FlowController.java:336)
> > >     at org.apache.beehive.netui.pageflow.internal.FlowControllerAction.execute(FlowControllerAction.java:52)
> > >     at org.apache.struts.action.RequestProcessor.processActionPerform(RequestProcessor.java:431)
> > >     at org.apache.beehive.netui.pageflow.PageFlowRequestProcessor.access$201(PageFlowRequestProcessor.java:97)
> > >     at org.apache.beehive.netui.pageflow.PageFlowRequestProcessor$ActionRunner.execute(PageFlowRequestProcessor.java:2044)
> > >     at org.apache.beehive.netui.pageflow.interceptor.action.internal.ActionInterceptors$WrapActionInterceptorChain.continueChain(ActionInterceptors.java:64)
> > >     at org.apache.beehive.netui.pageflow.interceptor.action.ActionInterceptor.wrapAction(ActionInterceptor.java:184)
> > >     at org.apache.beehive.netui.pageflow.interceptor.action.internal.ActionInterceptors$WrapActionInterceptorChain.invoke(ActionInterceptors.java:50)
> > >     at org.apache.beehive.netui.pageflow.interceptor.action.internal.ActionInterceptors$WrapActionInterceptorChain.continueChain(ActionInterceptors.java:58)
> > >     at org.apache.beehive.netui.pageflow.interceptor.action.internal.ActionInterceptors.wrapAction(ActionInterceptors.java:87)
> > >     at org.apache.beehive.netui.pageflow.PageFlowRequestProcessor.processActionPerform(PageFlowRequestProcessor.java:2116)
> > >     at org.apache.struts.action.RequestProcessor.process(RequestProcessor.java:236)
> > >     at org.apache.beehive.netui.pageflow.PageFlowRequestProcessor.processInternal(PageFlowRequestProcessor.java:556)
> > >     at org.apache.beehive.netui.pageflow.PageFlowRequestProcessor.process(PageFlowRequestProcessor.java:853)
> > >     at org.apache.beehive.netui.pageflow.AutoRegisterActionServlet.process(AutoRegisterActionServlet.java:631)
> > >     at org.apache.beehive.netui.pageflow.PageFlowActionServlet.process(PageFlowActionServlet.java:158)
> > >     at org.apache.struts.action.ActionServlet.doPost(ActionServlet.java:432)
> > >     at javax.servlet.http.HttpServlet.service(HttpServlet.java:727)
> > >     at javax.servlet.http.HttpServlet.service(HttpServlet.java:820)
> > >     at weblogic.servlet.internal.StubSecurityHelper$ServletServiceAction.run(StubSecurityHelper.java:226)
> > >     at weblogic.servlet.internal.StubSecurityHelper.invokeServlet(StubSecurityHelper.java:124)
> > >     at weblogic.servlet.internal.ServletStubImpl.execute(ServletStubImpl.java:283)
> > >     at weblogic.servlet.internal.TailFilter.doFilter(TailFilter.java:26)
> > >     at weblogic.servlet.internal.FilterChainImpl.doFilter(FilterChainImpl.java:42)
> > >     at com.bea.portal.tools.servlet.http.HttpContextFilter.doFilter(HttpContextFilter.java:60)
> > >     at weblogic.servlet.internal.FilterChainImpl.doFilter(FilterChainImpl.java:42)
> > >     at com.bea.p13n.servlets.PortalServletFilter.doFilter(PortalServletFilter.java:336)
> > >     at weblogic.servlet.internal.FilterChainImpl.doFilter(FilterChainImpl.java:42)
> > >     at com.bea.jsptools.servlet.PagedResultServiceFilter.doFilter(PagedResultServiceFilter.java:82)
> > >     at weblogic.servlet.internal.FilterChainImpl.doFilter(FilterChainImpl.java:42)
> > >     at weblogic.servlet.internal.WebAppServletContext$ServletInvocationAction.run(WebAppServletContext.java:3393)
> > >     at weblogic.security.acl.internal.AuthenticatedSubject.doAs(AuthenticatedSubject.java:321)
> > >     at weblogic.security.service.SecurityManager.runAs(Unknown Source)
> > >     at weblogic.servlet.internal.WebAppServletContext.securedExecute(WebAppServletContext.java:2140)
> > >     at weblogic.servlet.internal.WebAppServletContext.execute(WebAppServletContext.java:2046)
> > >     at weblogic.servlet.internal.ServletRequestImpl.run(ServletRequestImpl.java:1366)
> > >     at weblogic.work.ExecuteThread.execute(ExecuteThread.java:200)
> > >     at weblogic.work.ExecuteThread.run(ExecuteThread.java:172)
> > > Add Profile exception: Problem while exchanging AuthSub token.
>
> > > Any ideas on what is going wrong here? Am I missing something very
> > > basic? This is very frustrating....
>
> > > Thanks,
>
> > > -Dave-
>
> > > On Jun 24, 8:43 pm, "Paul (Google)" <[email protected]> wrote:
>
> > > > Hi Dave,
>
> > > > I'm still investigating 2048 bit key support. I'll definitely post an
> > > > update once I have a definitive answer.
>
> > > > When you click the link for the domains management test using Google
> > > > Calendar, you'll be directed to the Calendar authorization page, and
> > > > then back to your app with an authorized single-use token in the URL.
> > > > You will be redirected back to the URL you have specified in the
> > > > "Target URL path prefix" field, and the token will be a GET parameter
> > > > on the URL. To verify that the signature was successful, you'll need
> > > > to have your web application retrieve the token from the URL and
> > > > attempt to upgrade it to a session token, which is what you're
> > > > currently doing with Health. If you're able...
>