Mirth Connect Administrator Launcher - code signing cert error - Mirth Community

#1 omnitux, 08-27-2019, 01:50 AM

Hello @all,

we have made a little jar file to handle PDF files inside a channel. We bought a code signing certificate from Thawte and built the jks. After that we signed the jar with this jks successfully. Now it is in the custom-lib folder and everything works fine. No errors in mirth.log.

If I use the browser to download the jnlp and start it without the Mirth Connect Administrator Launcher, everything is fine. No errors or warnings at all.

But if I use the Mirth Connect Administrator Launcher I get a certification warning because of our own jar file. It doesn't matter which settings I use... Every time the same popup warning: "WARNING: Untrusted Certificate Found".

I checked the cert and everything looks OK. The chain is OK, the certs of the chain CAs are from Thawte and they are OK. The expiry date is in the future. The "code signing" X.509 extension (1.3.6.1.5.5.7.3.3) is there... So I tried "jarsigner.exe -verify -verbose -certs my.jar" and the answer is "jar verified".

Now I am at the end of my knowledge. What does the Mirth Connect Administrator Launcher expect from a code signed jar? What else should I check?

#2 agermano, 08-27-2019, 08:28 AM

Probably has to do with the java truststore. If you set the admin launcher to use the default java instead of bundled for that connection does it work?

#3 omnitux, 08-27-2019, 09:32 AM

Thanks for your suggestion.
I tried both: my local java (1.8.0_191) and the bundled one. Both with the same result. I also checked that the Thawte CA certificates are both in the cacerts file. They are! And it doesn't matter which Mirth version I try. Every time I include my own jar I get this warning...

#4 agermano, 08-27-2019, 01:01 PM

Just reread your first post... I've never developed my own jar for mirth, but I thought the client only loads the jar if you put it in client-lib or install it as an extension with a client component?

I'm pretty sure the jars you put in custom-lib or (preferably) a named resource directory for server use don't even need to be signed.

So, I'm unsure why you're getting the untrusted warning, but I'm also confused why the client is checking that jar in the first place.

#5 omnitux, 08-28-2019, 12:32 AM

Oh, I'm sorry. I have more than one project to develop for mirth and here I confused two of them. Of course you are right: the jar in question is an extension under the extension folder with a plugin.xml. I'm really sorry for confusing you, that was not my intention.

But the problem described in my first post still exists. What I do not understand is that everything works except the startup with the launcher. What could be wrong with my certificate? I never developed and signed a jar for mirth before and Google cannot help, either. Any ideas..?

#6 jbartels, 08-29-2019, 11:54 AM

Your means of verifying the certificate are correct.

Take a look at http://www.mirthcorp.com/community/i...wse/MIRTH-4399 I think you have the same issue. Your certificate for your plugin is valid. The Launcher isn't prompting because it is invalid, it is prompting because Java wants you to approve that you trust that certificate.

The Launcher differs from JavaWS in that JavaWS has an option to persistently store that approval. The Launcher prompts every time.

The only workaround I know of is that if you run the Launcher from the command line you can set a flag to trust everything. This is OK for development but not a good idea in production.

I am guessing that somewhere in the Launcher there is a truststore that could be updated to trust the cert but I do not know where that is.
__________________
Jon Bartels

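The checks from the first post (jarsigner -verify, the code signing EKU 1.3.6.1.5.5.7.3.3, the CA certificates in cacerts) combined in one program, as an added example that is not part of the thread and is not Mirth Connect or Launcher code. It reports integrity and trust separately for whichever JVM runs it; the class name JarTrustCheck, skipping META-INF entries and disabling revocation checks are assumptions of the example.

```java
import java.io.InputStream;
import java.security.CodeSigner;
import java.security.KeyStore;
import java.security.cert.*;
import java.util.*;
import java.util.jar.*;
import javax.net.ssl.*;

public class JarTrustCheck {
    public static void main(String[] args) throws Exception {
        // Trust anchors = CA certificates in the running JVM's default truststore (cacerts).
        TrustManagerFactory tmf = TrustManagerFactory.getInstance(TrustManagerFactory.getDefaultAlgorithm());
        tmf.init((KeyStore) null);
        Set<TrustAnchor> anchors = new HashSet<>();
        for (X509Certificate ca : ((X509TrustManager) tmf.getTrustManagers()[0]).getAcceptedIssuers())
            anchors.add(new TrustAnchor(ca, null));
        PKIXParameters params = new PKIXParameters(anchors);
        params.setRevocationEnabled(false); // assumption: offline check, no CRL/OCSP lookup
        Set<CodeSigner> signers = new HashSet<>();
        byte[] buf = new byte[8192];
        try (JarFile jar = new JarFile(args[0], true)) { // true = verify signatures while reading
            for (JarEntry e : Collections.list(jar.entries())) {
                if (e.isDirectory() || e.getName().startsWith("META-INF/")) continue; // simplification
                try (InputStream in = jar.getInputStream(e)) {
                    while (in.read(buf) != -1) { } // a digest mismatch throws SecurityException here
                }
                if (e.getCodeSigners() == null) throw new SecurityException("unsigned entry: " + e.getName());
                signers.addAll(Arrays.asList(e.getCodeSigners()));
            }
        }
        System.out.println("integrity OK, distinct signers: " + signers.size());
        CertificateFactory cf = CertificateFactory.getInstance("X.509");
        for (CodeSigner s : signers) {
            List<Certificate> chain = new ArrayList<>(s.getSignerCertPath().getCertificates());
            X509Certificate leaf = (X509Certificate) chain.get(0);
            X509Certificate top = (X509Certificate) chain.get(chain.size() - 1);
            // PKIX paths exclude the trust anchor, so drop a self-issued root if the jar carries one.
            if (chain.size() > 1 && top.getSubjectX500Principal().equals(top.getIssuerX500Principal()))
                chain.remove(chain.size() - 1);
            List<String> eku = leaf.getExtendedKeyUsage();
            // A timestamped signature is judged at signing time, otherwise at the current time.
            params.setDate(s.getTimestamp() == null ? null : s.getTimestamp().getTimestamp());
            String trust = "chains to a CA in this JVM's truststore";
            try { CertPathValidator.getInstance("PKIX").validate(cf.generateCertPath(chain), params); }
            catch (CertPathValidatorException ex) { trust = "NOT trusted by this JVM: " + ex.getMessage(); }
            System.out.println(leaf.getSubjectX500Principal() + " | codeSigning EKU: "
                    + (eku != null && eku.contains("1.3.6.1.5.5.7.3.3")) + " | " + trust);
        }
    }
}
```

Running it once under the local Java and once under the bundled one shows whether the signer chain is anchored in each JVM's cacerts.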

#7 omnitux, 08-30-2019, 01:09 AM

Hi Jon,

Thanks a lot for the clarification. Good to know that everything is OK with my certificate.

The flag you mentioned is called "allow-incorrect-digest". I tried it but it makes no difference. The warning dialog remains.

So I have to wait for this little bug to be fixed...

Thanks again!

#8 jbartels, 08-30-2019, 09:05 AM

Dang. You are right. I tried the launcher with -d, -k, and -j and I was still prompted to accept or decline the signature for my extension.

Code:
INFO  2019-08-30 11:58:34,534 [main] com.mirth.connect.client.launcher.MirthClientLauncher: Arguments: [-?]
Unrecognized option: -?
usage: launch
 -a,--address <arg>            The address to connect to Mirth Connect
                               with.
 -d,--allow-incorrect-digest   Allows JARs that fail digest verification.
                               This should only be used for
                               development/testing purposes.
 -h,--help                     Prints this help message.
 -j,--java-console             If specified, the Administrator will be
                               launched with a Java console dialog.
 -k,--allow-self-signed        Allows JARs signed with self-signed
                               certificates to be verified. This should
                               only be used for development/testing
                               purposes.
 -m,--max-heap-size <arg>      The client-side max heap size to use when
                               launching the Administrator.
 -o,--stay-open                If specified, the launcher will stay open
                               after launching the Administrator.
 -v,--use-same-jvm             If specified, the Administrator will be
                               launched using the same JVM as the
                               launcher. Useful when you don't have access
                               to a launcher script.