FIND Devices SOAP API Filter Issue and SSL keystore pfx file query

[RupaliYadav]

SSL keystore pfx file

SOAP API require organisation's .pfx file for authentication. If we want to build and UI Application client where users from various organisation login and make soap request on behalf of organisation. Is it required to store .pfx file (crypto material of each organisation) on user's machine? if not what are the approach's for .pfx file management for server?

FIND Devices SOAP API Filter Issue

In DeviceManagement.wsdl we have FindDevicesRequest SOAP request. In body template in ns1:DeviceFilter all tags are marked as optional But if we apply only ns1:OrganisationIdentification filter in request body we get validation error. It says other tag details are also required. Does FIND Devices SOAP API not support the filtering on only few tags?

<SOAP-ENV:Envelope xmlns:SOAP-ENV="http://schemas.xmlsoap.org/soap/envelope/">
   <SOAP-ENV:Header/>
   <SOAP-ENV:Body>
      <SOAP-ENV:Fault>
         <faultcode>SOAP-ENV:Client</faultcode>
         <faultstring xml:lang="en">Validation error</faultstring>
         <detail>
            <spring-ws:ValidationError xmlns:spring-ws="http://springframework.org/spring-ws">cvc-complex-type.2.4.b: The content of element 'ns1:DeviceFilter' is not complete. One of '{"http://www.opensmartgridplatform.org/schemas/devicemanagement/2014/10":DeviceIdentification, "http://www.opensmartgridplatform.org/schemas/devicemanagement/2014/10":Alias, "http://www.opensmartgridplatform.org/schemas/devicemanagement/2014/10":City, "http://www.opensmartgridplatform.org/schemas/devicemanagement/2014/10":PostalCode, "http://www.opensmartgridplatform.org/schemas/devicemanagement/2014/10":Street, "http://www.opensmartgridplatform.org/schemas/devicemanagement/2014/10":Number, "http://www.opensmartgridplatform.org/schemas/devicemanagement/2014/10":Municipality, "http://www.opensmartgridplatform.org/schemas/devicemanagement/2014/10":DeviceType, "http://www.opensmartgridplatform.org/schemas/devicemanagement/2014/10":Manufacturer, "http://www.opensmartgridplatform.org/schemas/devicemanagement/2014/10":Model, "http://www.opensmartgridplatform.org/schemas/devicemanagement/2014/10":DeviceExternalManaged, "http://www.opensmartgridplatform.org/schemas/devicemanagement/2014/10":DeviceActivated, "http://www.opensmartgridplatform.org/schemas/devicemanagement/2014/10":DeviceInMaintenance, "http://www.opensmartgridplatform.org/schemas/devicemanagement/2014/10":SortDir, "http://www.opensmartgridplatform.org/schemas/devicemanagement/2014/10":SortedBy, "http://www.opensmartgridplatform.org/schemas/devicemanagement/2014/10":HasTechnicalInstallation}' is expected.</spring-ws:ValidationError>
         </detail>
      </SOAP-ENV:Fault>
   </SOAP-ENV:Body>
</SOAP-ENV:Envelope>

SOAP Request Passed:

<soapenv:Envelope xmlns:soapenv="http://schemas.xmlsoap.org/soap/envelope/" xmlns:ns="http://www.opensmartgridplatform.org/schemas/common/2014/10" xmlns:ns1="http://www.opensmartgridplatform.org/schemas/devicemanagement/2014/10">
   <soapenv:Header>
      <ns:ApplicationName>soapUI</ns:ApplicationName>
      <ns:UserName>rupali</ns:UserName>
      <ns:OrganisationIdentification>test-org</ns:OrganisationIdentification>
   </soapenv:Header>
   <soapenv:Body>
      <ns1:FindDevicesRequest>
         <!--Optional:-->
         <ns1:DeviceFilter>
            <!--Optional:-->
            <!--type: Identification-->
            <ns1:OrganisationIdentification>test-org</ns1:OrganisationIdentification>
         </ns1:DeviceFilter>
      </ns1:FindDevicesRequest>
   </soapenv:Body>
</soapenv:Envelope>

[kevinsmeets]

SSL keystore pfx file

If you were to build a client application that runs on a user's machine, the application will need the client certificate(s) for the organization identification(s) you want to use. We are using web-based applications that consist of an HTML/JS frontend and a Java backend, where the backend runs on a server and contains the client certificate(s). A basic example can be found here: https://github.com/OSGP/open-smart-grid-platform/tree/development/public-lighting-demo-app

FIND Devices SOAP API Filter Issue

The value HasTechnicalInstallation is required. I don't think this value is actually used when filtering on devices, but at this moment, this value is a non-optional part of the interface. This request works for me:

<soapenv:Envelope xmlns:soapenv="http://schemas.xmlsoap.org/soap/envelope/" xmlns:ns="http://www.opensmartgridplatform.org/schemas/common/2014/10" xmlns:ns1="http://www.opensmartgridplatform.org/schemas/devicemanagement/2014/10">
   <soapenv:Header>
      <ns:ApplicationName>SoapUI</ns:ApplicationName>
      <ns:UserName>Kevin</ns:UserName>
      <ns:OrganisationIdentification>test-org</ns:OrganisationIdentification>
   </soapenv:Header>
   <soapenv:Body>
      <ns1:FindDevicesRequest>
         <ns1:DeviceFilter>
            <!--Optional:-->
            <ns1:OrganisationIdentification>test-org</ns1:OrganisationIdentification>
            <ns1:HasTechnicalInstallation>true</ns1:HasTechnicalInstallation>
         </ns1:DeviceFilter>
      </ns1:FindDevicesRequest>
   </soapenv:Body>
</soapenv:Envelope>

[RupaliYadav]

Extended key usage does not permit use for TLS server authentication

We build an spring boot application which acts as a SOAP client to OSGP platform API. But In FindDevicesRequest
Soap request we get Extended key usage does not permit use for TLS server authentication error. The trust.jks and test-org.pfx files which are added in HttpComponentsMessageSender are same present in https://github.com/OSGP/open-smart-grid-platform/tree/development/public-lighting-demo-app example.
note : The extendedKeyUsage attribute in osgp-ca.cfg file is only set to clientAuth.
Are there additional steps required after Creating a certificate for the new organisation using create_client_cert.sh script

2021-01-09 06:54:08.566 ERROR 18629 --- [nio-9090-exec-1] o.a.c.c.C.[.[.[/].[dispatcherServlet]    : Servlet.service() for servlet [dispatcherServlet] in context with path [] threw exception [Request processing failed; nested exception is org.springframework.ws.client.WebServiceIOException: I/O error: sun.security.validator.ValidatorException: Extended key usage does not permit use for TLS server authentication; nested exception is javax.net.ssl.SSLHandshakeException: sun.security.validator.ValidatorException: Extended key usage does not permit use for TLS server authentication] with root cause

sun.security.validator.ValidatorException: Extended key usage does not permit use for TLS server authentication

trust.jks has:

eytool -v -list -keystore ./trust.jks
Enter keystore password:  
Keystore type: jks
Keystore provider: SUN

Your keystore contains 2 entries

Alias name: localhost
Creation date: Apr 29, 2015
Entry type: trustedCertEntry

Owner: CN=localhost
Issuer: EMAILADDRESS=address@OSGP.com, CN=OSGP, OU=OSGP, O=OSGP, L=Arnhem, ST=Gelderland, C=NL
Serial number: 1
Valid from: Tue Apr 28 16:24:33 UTC 2015 until: Fri Apr 27 16:24:33 UTC 2018
Certificate fingerprints:
	 MD5:  E8:4D:D6:CD:9C:1B:84:7F:A6:B8:97:9C:C0:A3:3D:DB
	 SHA1: 57:08:5D:B4:F1:BA:52:8C:D0:D5:3D:AA:18:9B:E5:A5:AB:74:8B:8B
	 SHA256: 61:49:2A:1E:89:AA:45:61:8D:07:CC:DC:04:4C:4B:18:A9:FA:84:0A:E5:EA:0D:01:73:AF:77:48:0D:BE:27:A9
Signature algorithm name: SHA256withRSA
Subject Public Key Algorithm: 2048-bit RSA key
Version: 3

Extensions: 

#1: ObjectId: 2.5.29.19 Criticality=false
BasicConstraints:[
  CA:false
  PathLen: undefined
]

#2: ObjectId: 2.5.29.37 Criticality=false
ExtendedKeyUsages [
  serverAuth
]

#3: ObjectId: 2.5.29.15 Criticality=true
KeyUsage [
  DigitalSignature
  Non_repudiation
  Key_Encipherment
  Data_Encipherment
]

#4: ObjectId: 2.5.29.14 Criticality=false
SubjectKeyIdentifier [
KeyIdentifier [
0000: 7E 55 C3 18 31 5F 85 BA   9D 0F 74 77 AA D3 D2 05  .U..1_....tw....
0010: FA F9 FD 06                                        ....
]
]



*******************************************
*******************************************


Alias name: osgp-ca
Creation date: Apr 29, 2015
Entry type: trustedCertEntry

Owner: EMAILADDRESS=address@OSGP.com, CN=OSGP, OU=OSGP, O=OSGP, L=Arnhem, ST=Gelderland, C=NL
Issuer: EMAILADDRESS=address@OSGP.com, CN=OSGP, OU=OSGP, O=OSGP, L=Arnhem, ST=Gelderland, C=NL
Serial number: 83643e5f90533700
Valid from: Tue Apr 28 14:24:51 UTC 2015 until: Fri Apr 25 14:24:51 UTC 2025
Certificate fingerprints:
	 MD5:  71:CF:2C:D9:11:66:70:5A:45:43:64:C8:53:C0:21:D9
	 SHA1: 93:D9:AD:44:A7:35:DC:E5:F1:15:0D:12:91:03:7E:D2:E3:BF:FF:1B
	 SHA256: 3D:2C:0B:09:F5:BD:60:D5:EF:90:5F:FE:89:4C:3D:CF:C7:E4:9C:AA:93:E6:E8:81:1A:14:33:29:CF:80:F3:17
Signature algorithm name: SHA256withRSA
Subject Public Key Algorithm: 4096-bit RSA key
Version: 3

Extensions: 

#1: ObjectId: 2.5.29.35 Criticality=false
AuthorityKeyIdentifier [
KeyIdentifier [
0000: 42 47 3F AB B8 66 32 A6   14 15 99 78 7E 73 25 32  BG?..f2....x.s%2
0010: A9 95 8F 13                                        ....
]
]

#2: ObjectId: 2.5.29.19 Criticality=false
BasicConstraints:[
  CA:true
  PathLen:2147483647
]

#3: ObjectId: 2.5.29.14 Criticality=false
SubjectKeyIdentifier [
KeyIdentifier [
0000: 42 47 3F AB B8 66 32 A6   14 15 99 78 7E 73 25 32  BG?..f2....x.s%2
0010: A9 95 8F 13                                        ....
]
]

*******************************************
*******************************************

[kevinsmeets]

I think you are connecting directly from your client application to the platform web service. I guess you need extendedKeyUsage = clientAuth, serverAuth (and perhaps different settings for keyUsage, even though I suspect that is not needed).

We use Apache HTTPD as a webserver in front of the platform web service, and this webserver handles the server certificate, which is different from your setup, I think.