Kafka broker client on Websphere unable to access JKS file - ssl

I am trying to run a Kafka producer client to publish some messages to a Kafka broker. I have given the path to the keystore/truststore along with the password. I was able to send the message to the broker when I deployed this on Apache Tomcat. However, when I tried to deploy the same application on WebSphere, I get the error "Failed to load SSL keystore". I have given those directories read/write/execute permission. Is there something with WebSphere that needs different configuration/settings?
Caused by: org.apache.kafka.common.KafkaException: org.apache.kafka.common.KafkaException: Failed to load SSL keystore /home/avaya/tcr/uc-ivr-nar-dev.dbplatform.portal.com.jks of type JKS
at org.apache.kafka.common.security.ssl.SslEngineBuilder.createSSLContext(SslEngineBuilder.java:160)
at org.apache.kafka.common.security.ssl.SslEngineBuilder.<init>(SslEngineBuilder.java:102)
at org.apache.kafka.common.security.ssl.SslFactory.configure(SslFactory.java:93)
at org.apache.kafka.common.network.SslChannelBuilder.configure(SslChannelBuilder.java:71)
... 37 more
Caused by: org.apache.kafka.common.KafkaException: Failed to load SSL keystore /home/avaya/tcr/uc-ivr-nar-dev.dbplatform.portal.com.jks of type JKS
at org.apache.kafka.common.security.ssl.SslEngineBuilder$SecurityStore.load(SslEngineBuilder.java:289)
at org.apache.kafka.common.security.ssl.SslEngineBuilder.createSSLContext(SslEngineBuilder.java:142)
... 40 more
Caused by: java.nio.file.AccessDeniedException: /home/avaya/tcr/uc-ivr-nar-dev.dbplatform.portal.com.jks
at sun.nio.fs.UnixException.translateToIOException(UnixException.java:96)
at sun.nio.fs.UnixException.rethrowAsIOException(UnixException.java:114)
at sun.nio.fs.UnixException.rethrowAsIOException(UnixException.java:119)
at sun.nio.fs.UnixFileSystemProvider.newByteChannel(UnixFileSystemProvider.java:226)
at java.nio.file.Files.newByteChannel(Files.java:372)
at java.nio.file.Files.newByteChannel(Files.java:418)
at java.nio.file.spi.FileSystemProvider.newInputStream(FileSystemProvider.java:395)
at java.nio.file.Files.newInputStream(Files.java:163)
at org.apache.kafka.common.security.ssl.SslEngineBuilder$SecurityStore.load(SslEngineBuilder.java:282)
... 41 more

OpenJDK for some reason does not like JKS keystore files. Converted to PKCS12 format and it worked. Nothing to do with the WebSphere container.

Related

Cannot access localhost:8443/ejbca

I'm new to EJBCA and I have to install it on a virtual machine for work.
Ubuntu 20.04
ejbca_7_4_3_2
wildfly-18.0.0.Final
mariadb-server version: 10.3.32-MariaDB-0ubuntu0.20.04.1 Ubuntu 20.04
openjdk version "1.8.0_312"
Apache Ant(TM) version 1.10.7 compiled on October 24 2019
After a few tries (and a lot of virtual machines cloned and deleted), I finally got the "build successfully" message with the commands ant runinstall and ant deploy-keystore.
But when I try to use the URL https://localhost:8443/ejbca/ (the certificate SuperAdmin.p12 is installed), my browser (Firefox 96.0, 64-bit) gives the message
An error occurred during a connection to localhost:8443. Cannot communicate securely with peer: no common encryption algorithm(s).
Error code: SSL_ERROR_NO_CYPHER_OVERLAP
I have these errors in my log file; the first one is related to ant -q clean deployear,
and the last one appears every time I try to access the URL https://localhost:8443/ejbca/
ERROR [org.jboss.as.jsf] (MSC service thread 1-1) WFLYJSF0002: Could not load JSF managed bean class: org.ejbca.ui.web.admin.peerconnector.PeerConnectorMBean
ERROR [io.undertow.request] (default I/O-2) Closing SSLConduit after exception on handshake: javax.net.ssl.SSLHandshakeException: no cipher suites in common
at sun.security.ssl.Alert.createSSLException(Alert.java:131)
at sun.security.ssl.Alert.createSSLException(Alert.java:117)
at sun.security.ssl.TransportContext.fatal(TransportContext.java:311)
at sun.security.ssl.TransportContext.fatal(TransportContext.java:267)
at sun.security.ssl.TransportContext.fatal(TransportContext.java:258)
at sun.security.ssl.ServerHello$T12ServerHelloProducer.chooseCipherSuite(ServerHello.java:461)
at sun.security.ssl.ServerHello$T12ServerHelloProducer.produce(ServerHello.java:296)
at sun.security.ssl.SSLHandshake.produce(SSLHandshake.java:421)
at sun.security.ssl.ClientHello$T12ClientHelloConsumer.consume(ClientHello.java:1020)
at sun.security.ssl.ClientHello$ClientHelloConsumer.onClientHello(ClientHello.java:727)
at sun.security.ssl.ClientHello$ClientHelloConsumer.consume(ClientHello.java:693)
at sun.security.ssl.SSLHandshake.consume(SSLHandshake.java:377)
at sun.security.ssl.HandshakeContext.dispatch(HandshakeContext.java:444)
at sun.security.ssl.SSLEngineImpl$DelegatedTask$DelegatedAction.run(SSLEngineImpl.java:981)
at sun.security.ssl.SSLEngineImpl$DelegatedTask$DelegatedAction.run(SSLEngineImpl.java:968)
at java.security.AccessController.doPrivileged(Native Method)
at sun.security.ssl.SSLEngineImpl$DelegatedTask.run(SSLEngineImpl.java:915)
at io.undertow.protocols.ssl.SslConduit$5.run(SslConduit.java:1072)
at org.jboss.threads.ContextClassLoaderSavingRunnable.run(ContextClassLoaderSavingRunnable.java:35)
at org.jboss.threads.EnhancedQueueExecutor.safeRun(EnhancedQueueExecutor.java:1982)
at org.jboss.threads.EnhancedQueueExecutor$ThreadBody.doRunTask(EnhancedQueueExecutor.java:1486)
at org.jboss.threads.EnhancedQueueExecutor$ThreadBody.run(EnhancedQueueExecutor.java:1377)
at java.lang.Thread.run(Thread.java:748)
ERROR [io.undertow.request] (default I/O-2) Closing SSLConduit after exception
Sounds like a TLS configuration issue. You will find the TLS configuration you did when configuring WildFly in the commands you ran, like:
/opt/wildfly/bin/jboss-cli.sh --connect '/subsystem=elytron/server-ssl-context=httpspriv:add(key-manager=httpsKM,protocols=["TLSv1.2"],use-cipher-suites-order=false,cipher-suite-filter="TLS_DHE_RSA_WITH_AES_128_GCM_SHA256,TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256",trust-manager=httpsTM,need-client-auth=true)'
The result is somewhere in standalone.xml in WildFly, and you can modify it directly in WildFly, for example if you have EC keys in the server certificate while using the above RSA algorithm selection.
In server.log you should also see, when WildFly starts up, if there are any errors in parsing the values or keystores.
Make sure that your server and client certificates have keys and algorithms that match the TLS algorithm settings; otherwise WildFly will remove those algorithms.
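A quick way to check the mismatch this answer describes, as an added example that is not part of the original answer: the function below takes the key algorithm of the server certificate (RSA or EC) and the cipher-suite-filter string from the jboss-cli command and prints the suites the server can actually negotiate. The function name, the DSA/ANY handling and the exit codes are my own assumptions; the suite names are the ones from the command above.

```shell
#!/bin/sh
# Added example, not from the original answer. A TLS 1.2 cipher suite fixes the
# type of the server key: *_RSA_WITH_* suites need an RSA certificate,
# *_ECDSA_WITH_* suites need an EC certificate. If the filter leaves no suite
# that matches the key, every client gets "no cipher suites in common".
# usable_suites KEY_ALG FILTER   (KEY_ALG is RSA, EC or DSA; FILTER is the
# comma-separated cipher-suite-filter value); exit status 1 when none match.
usable_suites() {
    key_alg=$1
    filter=$2
    n=0
    for suite in $(printf '%s' "$filter" | tr ',' ' '); do
        case "$suite" in
            *_ECDSA_WITH_*) need=EC ;;
            *_RSA_WITH_*)   need=RSA ;;
            *_DSS_WITH_*)   need=DSA ;;
            *)              need=ANY ;;   # TLS 1.3 suites carry no key type
        esac
        if [ "$need" = ANY ] || [ "$need" = "$key_alg" ]; then
            echo "$suite"
            n=$((n + 1))
        fi
    done
    [ "$n" -gt 0 ]
}

# The filter from the jboss-cli command above; pass RSA or EC as the first argument.
FILTER="TLS_DHE_RSA_WITH_AES_128_GCM_SHA256,TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256"
if [ -n "$1" ]; then
    usable_suites "$1" "${2:-$FILTER}" || echo "no usable suite for a $1 key: expect SSL_ERROR_NO_CYPHER_OVERLAP" >&2
fi
```

With an EC server key and the filter above the list is empty, which is the SSL_ERROR_NO_CYPHER_OVERLAP the browser reported; add an ECDHE_ECDSA suite to the filter or use an RSA certificate.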

WSO2 EI 6.3 self-signed certificate error

I am getting the certificate error below while I am trying to call any API at https://:8243/ from a React-based frontend application. I have defined my REST API in WSO2 EI 6.3. I am not using WSO2 APIM.
What I did to resolve this issue:
1. I created a new self-signed certificate and created a new keystore. Updated the carbon.xml and axis2.xml files. Restarted the server. I am able to see my certificate in the WSO2 EI GUI.
2. I accepted the certificate in the browser.
But still I am not able to get rid of this error.
Is this error coming due to the self-signed certificate? If I use a CA-signed certificate, will this issue go away?
Any help or pointer is highly appreciated.
[2020-04-07 08:54:48,841] [-1] [] [HTTPS-Listener I/O dispatcher-2] ERROR {org.apache.synapse.transport.passthru.SourceHandler} - I/O error: Received fatal alert: certificate_unknown
javax.net.ssl.SSLException: Received fatal alert: certificate_unknown
at sun.security.ssl.Alerts.getSSLException(Alerts.java:208)
at sun.security.ssl.SSLEngineImpl.fatal(SSLEngineImpl.java:1647)
at sun.security.ssl.SSLEngineImpl.fatal(SSLEngineImpl.java:1615)
at sun.security.ssl.SSLEngineImpl.recvAlert(SSLEngineImpl.java:1781)
at sun.security.ssl.SSLEngineImpl.readRecord(SSLEngineImpl.java:1070)
at sun.security.ssl.SSLEngineImpl.readNetRecord(SSLEngineImpl.java:896)
at sun.security.ssl.SSLEngineImpl.unwrap(SSLEngineImpl.java:766)
at javax.net.ssl.SSLEngine.unwrap(SSLEngine.java:624)
at org.apache.http.nio.reactor.ssl.SSLIOSession.doUnwrap(SSLIOSession.java:245)
at org.apache.http.nio.reactor.ssl.SSLIOSession.doHandshake(SSLIOSession.java:280)
at org.apache.http.nio.reactor.ssl.SSLIOSession.isAppInputReady(SSLIOSession.java:410)
at org.apache.http.impl.nio.reactor.AbstractIODispatch.inputReady(AbstractIODispatch.java:119)
at org.apache.http.impl.nio.reactor.BaseIOReactor.readable(BaseIOReactor.java:159)
at org.apache.http.impl.nio.reactor.AbstractIOReactor.processEvent(AbstractIOReactor.java:338)
at org.apache.http.impl.nio.reactor.AbstractIOReactor.processEvents(AbstractIOReactor.java:316)
at org.apache.http.impl.nio.reactor.AbstractIOReactor.execute(AbstractIOReactor.java:277)
at org.apache.http.impl.nio.reactor.BaseIOReactor.execute(BaseIOReactor.java:105)
at org.apache.http.impl.nio.reactor.AbstractMultiworkerIOReactor$Worker.run(AbstractMultiworkerIOReactor.java:586)
at java.lang.Thread.run(Thread.java:748)
BR//
Vipin Nirwal
I was able to resolve this issue. I followed the steps below.
I created my own CA first. Then I created a certificate signed by my own CA. I imported the root certificate of my CA into the browser, as this CA needs to be trusted by the browser.
After this, I updated carbon.xml, the files inside the axis2 directory and the catalina-server.xml file with the proper JKS file and password for the keystores.
Restarted the server.
You can try to debug it yourself by enabling SSL debug logs in the EI server. In the SSL logs, you can check whether the client certificate and the server certificate are matching. Have a look at the following blog.
https://medium.com/#nipunadilhara/enabling-ssl-debug-logs-for-wso2-products-30833d5de88e

How to enable multiple listeners in kafka cluster

I have a 3-node Kafka cluster. I have enabled SASL_PLAINTEXT and it is working fine on port 6667. Now I want to enable SSL on a different port in the same cluster. I have set up the truststore and keystore certificates, and I did the configuration below on the broker side.
listeners : SSL://localhost:6668
security.inter.broker.protocol : SSL
ssl.key.password : xxxx
ssl.keystore.location : /root/kafka.server.keystore.jks
ssl.keystore.password : xxxxx
ssl.truststore.location : /root/kafka.server.truststore.jks
ssl.truststore.password : xxxxxx
ssl.keystore.type : JKS
ssl.truststore.type : JKS
I have given permissions also. I am getting the errors below:
Caused by: org.apache.kafka.common.KafkaException: org.apache.kafka.common.KafkaException: Failed to load SSL keystore /root/kafka.server.keystore.jks of type JKS
Caused by: org.apache.kafka.common.KafkaException: Failed to load SSL keystore /root/kafka.server.keystore.jks of type JKS
Caused by: java.io.FileNotFoundException: /root/kafka.server.keystore.jks (Permission denied)
The error trace is fairly clear: /root/kafka.server.keystore.jks cannot be accessed by the process. Note that the process typically runs as a different user, and I suspect that the keystore has been created by a different user.
Make sure that the user that is running the process has sufficient access rights for reading /root/kafka.server.keystore.jks. One way of achieving this is to change the ownership of the file:
sudo chown -R userWhoRunsTheProcess:userGroup /root/kafka.server.keystore.jks
Regarding the question, listeners takes a list of addresses:
listeners : SSL://0.0.0.0:6668,SASL_PLAINTEXT://0.0.0.0:6667
You already have SASL, so I would suggest using SASL_SSL.
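A check for the "Permission denied" in this question and the AccessDeniedException in the first Kafka question above, as an added example that is not from either post: run it as the broker's service account and it reports whether that account can open the keystore and, if not, which directory on the path blocks traversal. The function name, exit codes and the kafka user name are my own assumptions; the path is the one from the question.

```shell
#!/bin/sh
# Added example, not from the original posts. A process can only open a file
# if it can read the file AND has search (x) permission on every directory
# leading to it. /root is normally not searchable by other users, so chown on
# the .jks alone does not let a non-root broker user reach it. Run as the
# service account, e.g.:
#   sudo -u kafka sh check_keystore.sh /root/kafka.server.keystore.jks
# Exit status: 0 readable, 1 a directory blocks traversal, 2 file missing or unreadable.
keystore_access_check() {
    path=$1
    case "$path" in /*) ;; *) path="$PWD/$path" ;; esac   # make absolute
    # Walk upward from the parent directory to /; each must be searchable.
    d=$(dirname "$path")
    while [ "$d" != "/" ] && [ -n "$d" ]; do
        if [ ! -x "$d" ]; then
            echo "blocked: $(id -un) cannot traverse $d: $(ls -ld "$d" 2>&1)" >&2
            return 1
        fi
        d=$(dirname "$d")
    done
    if [ ! -e "$path" ]; then
        echo "missing: $path does not exist" >&2
        return 2
    fi
    if [ ! -r "$path" ]; then
        echo "unreadable: $(id -un) cannot read $path: $(ls -l "$path" 2>&1)" >&2
        return 2
    fi
    echo "ok: $(id -un) can read $path"
}

if [ -n "$1" ]; then
    keystore_access_check "$1"
fi
```

If it reports that /root blocks traversal, the chown above is not enough: move the keystore into a directory the broker user owns and point ssl.keystore.location and ssl.truststore.location there.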

WARN Failed to send SSL Close message (Kafka SSL configuration issue)

I have done the broker and client configuration on the same node.
When ssl.client.auth=none it works fine, but whenever I change that property to "required" (ssl.client.auth=required) and enable security.inter.broker.protocol=SSL, it gives me an issue on the producer side.
[2017-12-13 11:06:56,106] WARN Failed to send SSL Close message (org.apache.kafka.common.network.SslTransportLayer)
java.io.IOException: Connection reset by peer
at sun.nio.ch.FileDispatcherImpl.write0(Native Method)
at sun.nio.ch.SocketDispatcher.write(SocketDispatcher.java:47)
at sun.nio.ch.IOUtil.writeFromNativeBuffer(IOUtil.java:93)
at sun.nio.ch.IOUtil.write(IOUtil.java:65)
at sun.nio.ch.SocketChannelImpl.write(SocketChannelImpl.java:471)
at org.apache.kafka.common.network.SslTransportLayer.flush(SslTransportLayer.java:194)
at org.apache.kafka.common.network.SslTransportLayer.close(SslTransportLayer.java:161)
at org.apache.kafka.common.network.KafkaChannel.close(KafkaChannel.java:45)
at org.apache.kafka.common.network.Selector.close(Selector.java:442)
at org.apache.kafka.common.network.Selector.poll(Selector.java:310)
at org.apache.kafka.clients.NetworkClient.poll(NetworkClient.java:256)
at org.apache.kafka.clients.producer.internals.Sender.run(Sender.java:216)
at org.apache.kafka.clients.producer.internals.Sender.run(Sender.java:128)
at java.lang.Thread.run(Thread.java:745)
Any solution for this?
As mentioned in the comments, the answer was found by the asker:
It's resolved. This issue comes when the signed certificate of the server does not match the client keystore. We need to generate a client keystore and import the signed certificate of the server into the client keystore.

How to do SSL mutual authentication in wso2esb with Client and Server

I am using wso2esb-4.8.1 with a Java web client.
I wish to do SSL mutual authentication in wso2esb. My clients are a web app as well as an Android app, so I followed the blog http://pathberiya.blogspot.in/2012/08/enable-mutual-ssl-for-proxy-services-in.html, created a .jks file and replaced wso2carbon.jks with it; it is working.
But how do I do mutual authentication with the back-end server? It has its own certificate. Can I export that certificate into my wso2esb security folder? Will it work that way or not? Otherwise, do I need to use the same certificate with the back end also? Please help me with this.
client------------>proxy-------------->Backend
I am getting this error at ESB startup only:
[ESB] [2014-05-29 18:56:19,653] ERROR {org.wso2.carbon.core.deployment.DeploymentInterceptor} - Error while updating wso2carbon-sts in STSDeploymentInterceptor {org.wso2.carbon.core.deployment.DeploymentInterceptor}
java.lang.NullPointerException
at org.wso2.carbon.core.util.KeyStoreUtil.getKeyStoreFileName(KeyStoreUtil.java:57)
After that, one more error is:
ERROR {org.wso2.carbon.tenant.mgt.internal.TenantMgtServiceComponent} - ******* Tenant Config bundle failed activating **** {org.wso2.carbon.tenant.mgt.internal.TenantMgtServiceComponent}
java.lang.NullPointerException
at java.util.Hashtable.put(Hashtable.java:514
This is about the HTTPS transport:
FATAL {org.wso2.carbon.core.internal.StartupFinalizerServiceComponent} - Cannot start transports {org.wso2.carbon.core.internal.StartupFinalizerServiceComponent}
java.lang.reflect.InvocationTargetException
at sun.reflect.NativeMethodAccessorImpl.invoke0(Native Method)
Thanks in Advance.
Mutual authentication is not currently supported for proxy -> backend communication. See JIRA issue here.
What you need is to enable custom SSL profiles in the axis2 configuration. For a specific endpoint, you can specify which keystore and which truststore to use. See this post: http://nadeeshaan.blogspot.nl/2014/03/enabling-custom-ssl-in-wso2-esb-4.html