I need your help (or advise) on below issue (in bold) I am getting during Nifi v1.16 Integration for my customer:
We are using java 11 and the TLS v1.2 with the 3PP we are trying to reach here:
2023-01-20 09:48:32,777|30014|0|b27a4669|Call REST Webservice|IHTTP|pre|a11a959f|Invoke HTTP|Filename: fec58a73-6fdc-4429-b807-uuuuuuu| CUST > XX> REST WS (3rd Party API) > 3PP Check account > Call 3rd party and save req and resp > Invoke HTTP | ISL-XX.CHECK_ACCOUNT.TA -URL: POST 'https://172.21.XX.DD:8012/provisioning/getaccountholderinfo' - Request: <ns2:getaccountholderinforequest xmlns:ns2="http://3pp.ext.bj/em/emm/provisioning/v1_1"> ID:22X57XXXX60/MSISDN </ns2:getaccountholderinforequest>
2023-01-20 09:48:32,815|30052|39|b27a4669|Call REST Webservice|IHTTP|Failure|a11a959f|Invoke HTTP|Filename: fec58a73-6fdc-4429-b807-uuuuuuuu| CUST > XX> REST WS (3rd Party API) > 3PP Check account > Call 3rd party and save req and resp > Invoke HTTP | ISL-XX.ECW_CHECK_ACCOUNT.TA - InvokeHttp Failed -Hostname 172.21.XX.DD not verified:
certificate: sha256/ebhXnh4Mx6wp8Q9PsmzfnzifhfUUU/nP0sfDF1ig2s=
DN: CN=3pp.ext.bj, L=COUN, ST=COUN, C=XX
subjectAltNames: []: <ns2:getaccountholderinforequest xmlns:ns2="http://3pp.ext.bj/em/emm/provisioning/v1_1"> ID:22X57XXXX60/MSISDN </ns2:getaccountholderinforequest>
If anyone has an idea for me , I will actually appreciate.
Submitted new csr to customer to ensure we have a valid keystore with root and intermediate.
We fixed /etc/hosts to match the 3PP ns with its ip
We used cacerts from java as truststore
Use keystore as truststore since we have trusted root and int certs inside
Set the JVM property -Dcom.sun.net.ssl.checkRevocation=false (Disable SSL certificate validation in Java)
Changed java version for nifi jdk 1.8 / 11.0.4 / 17 / 11.0.11
Updated our SAN extension in our certificate to match our hostname, IP, and Subject.
Related
I am attempting to upgrade EJBCA.
I attempted to run this on ubuntu 20.04, locally, using wildfly 18. Wildfly 18 results in this error: "CAUSE: Client certificate or OAuth bearer token required."
I have tried this two ways, by importing the keystore, truststore and superadmin from another instance and by creating the CA fresh and using the resulting superadmin.p12.
The home page loads, but the administration gives me the following error:
"AUTHORIZATIONDENIED
CAUSE: Client certificate or OAuth bearer token required. "
I can really use some help with this.
Things I have tried:
(1) I have downloaded superadmin.p12 and imported it into my browsers
(2) I have attempted to upload the superdmin cert:
bin/ejbca.sh ca importcacert ${NAME} ${NAME}.cacert.pem -initauthorization -superadmincn SuperAdmin
This results in The CA certificate is already imported.
(3) Both my keystore.jks and truststore.jks are moved into /ejbca/p12 and /opt/wildfly/standalone/configuration/keystore
(4) I did set "web.reqcertindb=false"
(6) I did try to enable ssl on wildfly 14 (https://docs.bitnami.com/bch/infrastructure/wildfly/administration/enable-ssl-wildfly/)
(7) I have tried a fresh Management_CA as well
The log of /ejbca/adminweb:
"08:20:01,270 ERROR [org.ejbca.ui.web.admin.configuration.EjbcaJSFHelperImpl] (default task-4) org.cesecore.authentication.AuthenticationFailedException: Client certificate or OAuth bearer token required.
08:20:01,279 WARN [org.ejbca.ui.web.admin.configuration.EjbcaWebBeanImpl] (default task-4) Language was not initialized for this session
08:20:01,279 WARN [org.ejbca.ui.web.admin.configuration.EjbcaWebBeanImpl]
I can provide more information if needs be.
Thank you
So, I have it running today. Here is what I learned:
It seems that if you set wildfly up as a service (per instructions) it is going to set up wildfly to run with launch.sh. Launch.sh is going to result in a cipher mistmatch. I needed to run the standalone.sh file instead
Adminweb must be contacted on 8443
if you need to run this thing on domain setup your going to need to post another question
Best,
I am trying to call a WSO2 API through https port 8243. However, when I make a call, the client app (web app) gets a 502 bad gateway error (which is logged inside WSO2 apim server carbon log file).
I see the exception below.
Please Note that, I have received a CA signed cert inside a jks from my networking team... I imported It through management console into keystore... I can view the company certs as well from the console:
TID: [-1] [] [2018-12-19 16:51:12,890] ERROR {org.apache.synapse.transport.passthru.SourceHandler} -
I/O error: Received fatal alert: unknown_ca {org.apache.synapse.transport.passthru.SourceHandler}
javax.net.ssl.SSLException: Received fatal alert: unknown_ca
If you are trying to update the certificate of API Manager, importing the certificate to existing keystore will not work.
Please have a look at the documentation[1] on creating a keystore with a CA signed certificate when you create the new keystore with updated certificate.
The main keystore of WSO2 products is wso2carbon.jks file which holds private certificate entry. When you update the certificate with keystore you have to update all the configuration files listed in documentation[2] to refer to new keystore file and also you will have to update related properties(i.e: keystore password, key password, alias).
[1] https://docs.wso2.com/display/Carbon443/Creating+New+Keystores
[2] https://docs.wso2.com/display/Carbon443/Configuring+Keystores+in+WSO2+Products
I am getting
javax.net.ssl.SSLException: Received fatal alert: certificate_unknown
while calling identity server endpoint from enterprise integrator, although we have generated the SSL certificate and it is imported in the truststore.jks but still getting this error.
While testing the connection it says Successfully connected to identity server but while calling the endpoint it gives SSL exception on the console.
Message = Going to send Request to IS.,MessageCode = null,ErrorMessage = null,ErrorDetail = null,ErrorException = null {org.apache.synapse.mediators.builtin.LogMediator}
TID: [-1] [] [2017-11-07 07:14:54,841] ERROR {org.apache.synapse.transport.passthru.TargetHandler} - I/O error: Received fatal alert: certificate_unknown {org.apache.synapse.transport.passthru.TargetHandler}
javax.net.ssl.SSLException: Received fatal alert: certificate_unknown
at sun.security.ssl.Alerts.getSSLException(Alerts.java:208)
Try setting the truststore manually. Open wso2ei-6.1.1/bin/integrator.sh and add javax.net.ssl.trustStore like this.
-Dorg.wso2.ignoreHostnameVerification=true \
-Djavax.net.ssl.trustStore="$CARBON_HOME/repository/resources/security/client-truststore.jks"
org.wso2.carbon.bootstrap.Bootstrap $*
status=$?
done
I hope you found the issue. I faced the same problem some days ago, so I'm writing the solution for the record.
To solve this you need to import each product certificate in the truststore of the other.
Go to WSO2 EI and extract the certificate from wso2carbon.jks
Add the certificate to the client-truststore.jks file in the WSO2
IS
Go to WSO2 IS and extract the certificate from wso2carbon.jks
Add the certificate to the client-truststore.jks file in the WSO2
EI
We faced the same problem, when WSO2 IS version was prior to v5.4.0, but instead of extracting the certificate from wso2carbon.jks as Gabriel said, we extracted the certificates from the browser, opening the carbon console on both WSO2 EI and WSO2 IS. For some reason, the localhost certificate returned in the browser is different than the one stored in the wso2carbon.jks for WSO2 EI (tested on version 6.1.0 and 6.1.1). One reason could be that it's returning the localhost certificate from the JVM's keystore. That's why it's better to get it from the browser.
Open in browser https://localhost:9443/carbon of WOS2 IS. (Firefox: Click on locker in the address bar -> Connection -> details -> More Information -> Security tab -> view Certificate -> Details tab -> Export... -> save as X.509 Certificate (PEM); Chrome: click on Not Secure warning in address bar -> Certificate -> Details tab -> Copy to File ... -> Next -> Select the format -> Base-64 encoded X.509 (.CER) -> Next ...)
Import the certificate into {WSO2_IS_HOME}/repository/resources/security/client-truststore.jks. Eventually use KeyStore Explorer tool for easier way.
Open in browser https://localhost:9444/carbon of WOS2 IS (we have offset 1 for WSO2 IS) and do the same as at point 1.
Import the certificate into {WSO2_EI_HOME}/repository/resources/security/client-truststore.jks.
Need your help in setting the SSL manager in Jmeter for performance testing with IBM datapower.
I tried the below steps to Add cert.
• Added (* .jks /*.p12 ) file in the jmeter GUI > Options > SSL Manager.
• I tried the setting the jks file in system.properties file too.
Path : *\jMETER\apache-jmeter-3.0\apache-jmeter-3.0\bin\system.properties
# Truststore properties (trusted certificates)
#javax.net.ssl.trustStore=/path/to/[jsse]cacerts
#javax.net.ssl.trustStorePassword
#javax.net.ssl.trustStoreProvider
#javax.net.ssl.trustStoreType [default = KeyStore.getDefaultType()]
# Keystore properties (client certificates)
# Location
javax.net.ssl.keyStore=****.jks -- Added
#
#The password to your keystore
javax.net.ssl.keyStorePassword=****-- Added
#
#javax.net.ssl.keyStoreProvider
#javax.net.ssl.keyStoreType [default = KeyStore.getDefaultType()]
I dont see the SSL handshake jMETER and datapower even after i followed ablove steps. Getting below error from datapower.
12:47:26 AM ssl error 51751363 10.123.98.73 0x806000ca valcred (###_CVC_Reverse_Server): SSL Proxy Profile '###_SSLPP_Reverse_Server': connection error: peer did not send a certificate
12:47:26 AM mpgw error 51751363 10.123.98.73 0x80e00161 source-https (###_HTTPS_FSH_CON_****): Request processing failed: Connection terminated before request headers read because of the connection error occurs, from URL: 10.123.98.73:58394
12:47:26 AM ssl error 51751363 10.123.98.73 0x8120002f sslproxy (####_SSLPP_Reverse_Server): SSL library error: error:140890C7:SSL routines:SSL3_GET_CLIENT_CERTIFICATE:peer did not
Can you please advice how to send the cert(.jks/ .p12) file from jmeter.
Change "Implementation" of your HTTP Request sampler(s) to Java. The fastest and the easiest way of doing this is using HTTP Request Defaults.
If you're using .p12 keystores you will need an extra line in the system.properties file like:
javax.net.ssl.keyStoreType=pkcs12
JMeter restart is required to pick the properties up.
See How to Set Your JMeter Load Test to Use Client Side Certificates article for more information.
I constructed a apache mod_perl web service based on SSL.Of course, From my browser, I can access the web service using https (Of cource,I add my self-signed CA cert to brower's trust list) access the web service,but when using SOAP::Lite , I failed.
This is my source code:
$ENV{HTTPS_CERT_FILE} = '/etc/pki/tls/mycerts/client.crt';
$ENV{HTTPS_KEY_FILE} = '/etc/pki/tls/mycerts/client.key';
#$ENV{HTTPS_CA_FILE} = '/etc/pki/tls/mycerts/ca.crt';
#$ENV{HTTPS_CA_DIR} = '/etc/pki/tls/mycerts/ca.key';
#$ENV{HTTPS_VERSION} = 3;
$ENV{SSL_ca_file}='/etc/pki/tls/mycerts/ca.crt';
$ENV{SSL_ca_pah}='/etc/pki/tls/mycerts/';
#$ENV{SSL_cert_file}='/etc/pki/tls/mycerts/client.key';
#$ENV{SSL_key_file}='/etc/pki/tls/mycerts/client.crt';
$ENV{PERL_LWP_SSL_CA_FILE}='/etc/pki/tls/mycerts/ca.crt';
$ENV{PERL_LWP_SSL_VERIFY_HOSTNAME}=1;
#$ENV{PERL_LWP_SSL_CA_PATH}='/etc/pki/tls/mycerts/';
use SOAP::Lite;
my $name = "wuchang";
print "\n\nCalling the SOAP Server to say hello\n\n";
print SOAP::Lite
-> uri('http://localhost/mod_perl_rules1')
-> proxy('https://localhost/mod_perl_rules1')
-> result;
I get the response:
500 Can't connect to localhost:443 (certificate verify failed) at /root/Desktop/test.pl line 18
I really cannot debug this.I don't know if my certificate format is incorrect.I use openssl to generate my cert,including client cert ,server cert and my self-signed ca cert and I make CA sign the client and server cert.I really don't know what is going wrong/.
Simply tell it not to check the certificate. Set SSL Verify to zero like this:
$ENV{PERL_LWP_SSL_VERIFY_HOSTNAME}=0;