Gemalto is now part of the Thales Group, find out more.

You are here

Internet Services with SSL/TLS

Tutorial, December 3, 2014 - 11:34am, 8542 views

Introduction

This document contains a short description of how to setup an EHS5 module to run a HTTPS Demo Java Midlet that securely communicates with Application Engineering’s test server ae.c-wm.net using mutual authentication.

Infrastructure

Certificate hierarchy

·         rootCA is a self signed certification authority (CA)

·         rootCA signs second level intermediate CAs serverCA and clientCA

·         serverCA signs third level server endpoint certificate ae.c-wm.net

·         clientCA signs third level client endpoint certificates client01 and client02

Certificate hierarchy

The Apache server sends the complete certificate chain. In addition to its client certificate, the module stores the root certificate to validate this chain. Because of the module doesn't send the entire certificate chain, but only it's endpoint certificate, the apache server must store the clientCA as well.

Certificate storage location

Certificate creation with OpenSSL

automated script

In order to create your own certificate chain, you can use the certs.sh script in a cygwin environment with openssl and ssh installed. You can find the script and all its dependencies in the attached archive in the subdirectory Certs.

The instructions below contain the following placeholders:

·         <comport> - the COM port to with the module is attached

·         <server> - the web server you want create the certificates for

·         <user> - a user which can ssh into the <server>

 

step-by-step

  • create new certificate chain:
  •       run ./certs.sh create <server>
  • export client and root certificate to other formats:
  •       .der-files are used by the module, .p12-files are for the use in web browsers
  •       run ./certs.sh export
  • install the certs to a EHSX module at modem port COM103:
  •       Please replace COM103 with your modem port.
  •       run ./certs.sh moduleDeploy <comport>
  • install certs on server:
  •       You need to be able to ssh to the server without password. You can use ssh-keygen and ssh-copy-id for this.
  •       run ./certs.sh serverDeploy <user> <server>
  • (optional) remove all created certificates:
  •       run ./certs.sh clean

all-in-one

Running ./certs.sh all will execute the above standing steps. Before running please adjust the COM port, user and server in the script according to the step-by-step instructions above.

GUI

If you prefer a graphical user interface instead of OpenSSL, I recommend using the cross platform tool XCA (http://sourceforge.net/projects/xca/ ).

Web server setup

Step 1

The following listing contains an example configuration for an apache2 webserver.

$ cat /etc/apache2/sites-enabled/ssl_demo_mutual_443
NameVirtualHost *:443
<virtualhost *:443>
        ServerName ae.c-wm.net
        SSLEngine On
        SSLVerifyClient require
        SSLVerifyDepth 10
        # server certs
        SSLCertificateFile /etc/apache2/ssl/serverEP.crt
        SSLCertificateKeyFile /etc/apache2/ssl/serverEP.key
        SSLCertificateChainFile /etc/apache2/ssl/serverChain.crt
 
        SSLCACertificateFile /etc/apache2/ssl/clientChain.crt
 
        DocumentRoot /var/wwws/
        SSLOptions +ExportCertData
</virtualhost>

Step 2

A server script displaying the available and currently used cipher suites and protocols can be found in this archive in the subdirectory Server.

Step 3

Please note that this script needs read-permissions for the file /var/log/apache2/ssl_engine.log and read- and execute-permissions on all parent directories. The file's permissions will be reset, when the log is rotated. To prevent this, you can adjust your /etc/logrotate.conf or /etc/logrotate.d./apache2.

$ cat /etc/logrotate.d/apache2
/var/log/apache2/*.log {
        weekly
        missingok
        rotate 52
        compress
        delaycompress
        notifempty
        create 644 root adm
        sharedscripts
        postrotate
                if [ -f "`. /etc/apache2/envvars ; echo ${APACHE_PID_FILE:-/var/run/apache2.pid}`" ]; then
                        /etc/init.d/apache2 reload > /dev/null
                fi
        endscript
}

Step 4

Also you have to enable debug logging for the ssl engine:

$ cat /etc/apache2/conf.d/ssl_log
<IfModule mod_ssl.c>
        ErrorLog /var/log/apache2/ssl_engine.log
        LogLevel debug
</IfModule>

Demonstration

This chapter contains a short description of how to setup an EHS5 module in order to show a HTTPS Demo using Internet Service Commands. The Demo securely communicates with Application Engineering’s test server ae.c-wm.net under mutual authentication. If you don't want to use Java for this, you can skip all steps marked with "(java only)". All files mentioned here and for further information is contained in this archive.

Prerequisites

·         SIM card (tested with German provider T-D1)

·         EHSx Rev 2 or higher

·         Gemalto Module Exchange Suite (MES)

·         Gemalto IMP Debug Connection for EHSx (optional)

·         Gemalto EHSx Software Development Kit (optional)

Setup

·         Transfer Java Midlet and Security Command files to the module's root directory

o   https_demo.zip\HttpsDemo\.mtj.tmp\emulation\HttpsDemo.jad (java only)

o   https_demo.zip\HttpsDemo\.mtj.tmp\emulation\HttpsDemo.jar (java only)

o   https_demo.zip\Certs\AddHttpsCertificateUntrusted.bin (create with certs.sh)

o   https_demo.zip\Certs\AddHttpsClientCertificateUntrusted.bin (create with certs.sh)

·         Install certificates and activate server authentification (note: this can be skipped if "./certs.sh moduleDeploy" was executed for the current module)

at^sjmsec="cmd",0B00310001000500020001
at^sjmsec="file",AddHttpsCertificateUntrusted.bin
at^sjmsec="file",AddHttpsClientCertificateUntrusted.bin

 

·         Test if HTTPS is setup correctly:

at^sjmsec? 
^SJMSEC: 1,1,1,1 
OK 

 

·         Install HTTPS Demo Midlet (java only)

at^sjam=0,"a:/HttpsDemo.jad",""

Run

You can demonstrate HTTPS communication with a Java Midlet or with Internet Service Commands.

Java Midlet

·         Redirect Java’s stdout to the serial console at asc0

at^scfg="userware/stdout","asc0" 
^SCFG: "Userware/Stdout","asc0",,,,"off" 
OK

·         Run HTTPS Demo Midlet

at^sjam=1,"a:/HttpsDemo.jad","" 

·         You should see something similar to the following lines on stdout

started HTTPS Demo app 
<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.01 Transitional//EN" 
       "http://www.w3.org/TR/html4/loose.dtd"> 
<html> 
        <head> 
                <title>Gemalto M2M HTTPS demo</title> 
        </head> 
        <body> 
                Welcome to the Gemalto M2M HTTPS demo page. 
Sending dispose command to the VM. 
        </body> 
</html> 
MIDlet:HttpsDemo exited 

Internet Service Commands

at+cops? 
+COPS: 0,0,"Telekom.de",2 
OK 
at^sici? 
OK 
at^sics? 
^SICS: 0,"conType","" 
^SICS: 1,"conType","" 
^SICS: 2,"conType","" 
^SICS: 3,"conType","" 
^SICS: 4,"conType","" 
^SICS: 5,"conType","" 
OK 
+PBREADY 
at^sics=1,contype,GPRS0 
OK 
at^sics=1,inactTO,2000 
OK 
at^sics=1,passwd,t-d1 
OK 
at^sics=1,user,internet 
OK 
at^sics=1,apn,"internet.t-d1.de" 
OK 
at^sics? 
^SICS: 0,"conType","" 
^SICS: 1,"conType","GPRS0" 
^SICS: 1,"inactTO","2000" 
^SICS: 1,"user","internet" 
^SICS: 1,"passwd","*****" 
^SICS: 1,"apn","internet.t-d1.de" ^SICS: 2,"conType","" 
^SICS: 3,"conType","" 
^SICS: 4,"conType","" 
^SICS: 5,"conType","" 
OK 
at^siss=1,srvtype,http 
OK 
at^siss=1,conid,1 
OK 
at^siss=1,cmd,"get" 
OK 
at^siss=1,address,"https://ae.c-wm.net/ssltest/?format=plaintext" 
OK 
at^siso=1 
OK 
^SIS: 1,0,2200,"Http ae.c-wm.net:443" 
^SISR: 1,1 
at^sist=1 
CONNECT 
<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.01 Transitional//EN" 
       "http://www.w3.org/TR/html4/loose.dtd"> 
<html> 
        <head> 
                <title>Gemalto M2M HTTPS demo</title> 
        </head> 
        <body> 
                Welcome to the Gemalto M2M HTTPS demo page. 
        </body> 
</html> 
NO CARRIER 
^SISR: 1,2 

Further info

Please also see our Java Users Guide on your EHSX install CD\program files\Cinterion\CMTK\EHS5\Documentation\wm02_java_usersguide_v04.pdf

pfuccell's picture
pfuccell

Please remove links to internal wikipage (i.e. images) because this is public content.

fherm5's picture
fherm5

Hi

One question, I have saw this is with http(https), I wonder if you can give a example with sockets, I mean to do a conexion with sockets using SSL/TLS.

Thanks in advance.

vutu0001@e.ntu.edu.sg's picture
vutu0001@e.ntu....

Hi

vutu0001@e.ntu.edu.sg's picture
vutu0001@e.ntu....

Hi,

I dont have apache server now then use this ae.c-wm.net example, however when tried to deploy server certificater chain it ask password to do "scp" command. Could someone tell me how to use ssh-keygen and ssh-copy-id to create account on ae.c-wm.net?

Thanks in advance

esiflis's picture
esiflis

Hi! I have the same problem, cannot login with ssh to ae.c-wm.net apache server. Did you found the solution  (by using  ssh-keygen and ssh-copy-id ) to "let yourself in"?

Thank you in advance.

Endre

fabianeccel's picture
fabianeccel

Could anybody run Https_demo ?? I had many problem with it:
>Run cert.sh all (or any other command) does not run, i went into the file and ran the instructions one by one.
After doing this, i mean generating all respective files, tried to load files into module using jseccmd.jar,  device (EHS6) returned "Parameter IMEI is missing", once again i went into cert.sh to add -IMEI parameter according the structure described at "Java UsersGuide v19Sect 11.5.3. But trying loading files into module again, i got:

starting certificate deployment

opened serial port COM32

set options for //./COM32

waiting for: [ "OK" "ERROR" ]

read line: "at"

read line: ""

read line: "OK"

found OK

connection established

waiting for: [ "CONNECT" ]

read line: "AT^SJDL=1,1070,"AddHttpsCertificateUntrusted.bin""

read line: ""

read line: "CONNECT"

found CONNECT

sending 1070 bytes

sent 1070 bytes

waiting for: [ "JDL CRC32" ]

read line: ""

read line: "OK"

read line: ""

java.io.IOException: Underlying input stream returned zero bytes

        at sun.nio.cs.StreamDecoder.readBytes(Unknown Source)

        at sun.nio.cs.StreamDecoder.implRead(Unknown Source)

        at sun.nio.cs.StreamDecoder.read(Unknown Source)

        at java.io.InputStreamReader.read(Unknown Source)

        at java.io.BufferedReader.fill(Unknown Source)

        at java.io.BufferedReader.readLine(Unknown Source)

        at java.io.BufferedReader.readLine(Unknown Source)

        at copyCerts.waitFor(copyCerts.java:296)

        at copyCerts.checkCRC32(copyCerts.java:262)

        at copyCerts.copyFile(copyCerts.java:254)

        at copyCerts.copyFiles(copyCerts.java:217)

        at copyCerts.main(copyCerts.java:37)

Didi anybody experience something like? Any suggest? Thanks

Henning's picture
Henning

moved to a separate topic.

Paul Mock