Quarkus can't connect to Keycloak over SSL. Misconfiguration or Issue?

I have a problem with Quarkus and Keycloak. When Quarkus tries to verify a token with Keycloak it gives me the following error:
2019-10-01 07:40:02,353 ERROR [org.key.ada.rot.JWKPublicKeyLocator] (executor-thread-1) Error when sending request to retrieve realm keys: org.keycloak.adapters.HttpClientAdapterException: IO error
...
Caused by: java.net.ConnectException: Connection timed out (Connection timed out)
...
2019-10-01 07:40:02,359 ERROR [org.key.ada.rot.AdapterTokenVerifier] (executor-thread-1) Didn't find publicKey for kid: <some-key>
Quarkus Version: 0.22.0
Java Version:
openjdk version "1.8.0_222"
OpenJDK Runtime Environment (build 1.8.0_222-8u222-b10-1ubuntu1~18.04.1-b10)
OpenJDK 64-Bit Server VM (build 25.222-b10, mixed mode)
OS: "Ubuntu 18.04.1 LTS"
I'm using Keycloak with SSL. Without SSL the error does not happen.
I am now not sure if this is an issue on my side, and if it is on my side, what did I do wrong?
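The two errors in the log are one step of the adapter's token verification and its consequence. As an added example (not code from the post, Quarkus or Keycloak), this reproduces what JWKPublicKeyLocator and AdapterTokenVerifier do: build the realm's JWKS endpoint, decode the token header, and select the key with the matching kid. The JWKS document, key id and token are constructed so the lookup runs offline; only fetch_jwks() touches the network and is not called.

```python
"""What the Keycloak adapter is doing when it logs the two errors above.

Added example, not code from the original post, Quarkus or Keycloak.
JWKPublicKeyLocator fetches the realm's JWKS from
<auth-server-url>/realms/<realm>/protocol/openid-connect/certs and then picks
the key whose "kid" equals the kid in the token header; the second error is
what AdapterTokenVerifier logs when that lookup finds nothing, which is
unavoidable once the fetch itself failed. SAMPLE_JWKS, the key id and the
token are constructed; fetch_jwks() is the only network call and is not run.
"""
import base64
import json
import ssl
import urllib.request
from typing import Any, Dict, Optional


def realm_certs_url(auth_server_url: str, realm: str) -> str:
    """JWKS endpoint the adapter calls (auth-server-url carries the /auth prefix on that Keycloak era)."""
    return f"{auth_server_url.rstrip('/')}/realms/{realm}/protocol/openid-connect/certs"


def fetch_jwks(url: str, timeout: float = 5.0) -> Dict[str, Any]:
    """Network step that failed in the post. A TCP connect timeout here is raised
    before any TLS handshake starts, so it means host:port is unreachable from
    the Quarkus side (route, firewall, wrong auth-server-url), not a certificate problem."""
    ctx = ssl.create_default_context()  # verifies the Keycloak server certificate
    with urllib.request.urlopen(url, timeout=timeout, context=ctx) as resp:
        return json.load(resp)


def _b64url_decode(s: str) -> bytes:
    return base64.urlsafe_b64decode(s + "=" * (-len(s) % 4))


def _b64url_encode(b: bytes) -> str:
    return base64.urlsafe_b64encode(b).rstrip(b"=").decode("ascii")


def jwt_header(token: str) -> Dict[str, Any]:
    """Decode the JOSE header (first segment) of a compact JWT."""
    return json.loads(_b64url_decode(token.split(".")[0]))


def find_public_key(jwks: Dict[str, Any], kid: str) -> Optional[Dict[str, Any]]:
    """Select the signing key with the given kid from a JWKS document."""
    for key in jwks.get("keys", []):
        if key.get("kid") == kid and key.get("use", "sig") == "sig":
            return key
    return None


def locate_key(token: str, jwks: Dict[str, Any]) -> Dict[str, Any]:
    """Mirror JWKPublicKeyLocator + AdapterTokenVerifier: raise the logged message if the kid is unknown."""
    kid = jwt_header(token).get("kid")
    key = find_public_key(jwks, kid) if kid else None
    if key is None:
        raise LookupError(f"Didn't find publicKey for kid: {kid}")
    return key


def make_unsigned_token(header: Dict[str, Any], payload: Dict[str, Any]) -> str:
    """Build a compact JWT with an empty signature segment; only the header is inspected here."""
    def enc(obj: Dict[str, Any]) -> str:
        return _b64url_encode(json.dumps(obj, separators=(",", ":")).encode())
    return f"{enc(header)}.{enc(payload)}."


# Constructed JWKS in the shape Keycloak serves (kid and modulus are made up).
SAMPLE_JWKS = {
    "keys": [
        {"kid": "key-2019-10", "kty": "RSA", "alg": "RS256", "use": "sig",
         "n": "not-a-real-modulus", "e": "AQAB"}
    ]
}
```

The kid lookup is the local half; whether the first step works is a plain reachability question, so checking that the Quarkus host can open a TCP connection to the Keycloak host and port named in auth-server-url (curl or openssl s_client from that machine) comes before any certificate or truststore work.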

Related

Azure Devops Self-Hosted Agent fail connecting behind corporation network - SSL Error / An existing connection was forcibly closed by the remote host

I have had this problem for 2 weeks so far and still haven't figured it out; I have been trying to test on multiple computers and here is the symptom.
When setting up the Agent on any computer that is using the corporate network I get an SSL exception:
System.Net.Http.HttpRequestException: The SSL connection could not be established, see inner exception
---> System.IO.IOException: Unable to read data from the transport connection: An existing connection was forcibly closed by the remote host..
---> System.Net.Sockets.SocketException (10054): An existing connection was forcibly closed by the remote host.
....
Attempt 1 of GET request to https://dev.azure.com/{org}/_apis/connectionData?connectOptions=1&lastChangeId=366981152&lastChangeId64=366981152 failed (Socket Error: ConnectionReset)
Below is what I have tried:
1) Pass the GET request directly to the browser / Postman > works fine and receives the connectionData from Azure DevOps:
*Note: no proxy and no web filter applied to the site
https://dev.azure.com/{org}/_apis/connectionData?connectOptions=1&lastChangeId=366981152&lastChangeId64=366981152
2) Telnet from cmd > works fine as well
> Telnet test.dev.azure.com 443
3) Follow the instructions here https://stackoverflow.com/a/71667810/9391928 and run the Debugging Script and Mitigation Script (modify registry) to enforce TLS 1.2; so far all checks are green but there is still an unknown ISSUE FOUND:
Probing: status.dev.azure.com
ISSUE FOUND: This may be TLS compatibility issue!
Probe failed when TLS-negotiating to 13.107.6.183:443. Error: Unable to read data from the transport connection: An existing connection was forcibly closed by the remote host.
***
TLS 1.2 client usage enabled.
***
Cipher Suite check passed: at least one of the TLS 1.2 cipher suites supported by Azure DevOps is enabled.
***
Key Exchange check passed.
***
Elliptic curve check passed: at least one elliptic curve supported by Azure DevOps is enabled
***
.NET Framework release is 4.7+ (release 528372)
TLS 1.2 enforced for applications targetting .NET Framework 4.0/4.5.x
TLS 1.2 enforced for applications targetting .NET Framework 4.0/4.5.x (32bit app on 64bit OS)
TLS 1.2 enforced for applications targetting .NET Framework 3.5
TLS 1.2 enforced for applications targetting .NET Framework 3.5 (32bit app on 64bit OS)
All mitigations required to ensure TLS 1.2-compatibility of legacy .NET applications are in place.
4) Prepare a laptop and test registering/running the agent with vs. without the corporate network; it fails whenever connected to the corporate network (using a non-corporate network works fine)
5) Running a client SSL check from Postman / browser for both cases, with vs. without the corporate network, returns the same TLS 1.3 with the same cipher suites supported (including "TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384" & "TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256", which are used by Azure DevOps)
request : https://www.howsmyssl.com/a/check
response: "given_cipher_suites": [
"TLS_AES_128_GCM_SHA256",
"TLS_AES_256_GCM_SHA384",
"TLS_CHACHA20_POLY1305_SHA256",
"TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256",
"TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256",
"TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384",
"TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384",
"TLS_ECDHE_ECDSA_WITH_CHACHA20_POLY1305_SHA256",
"TLS_ECDHE_RSA_WITH_CHACHA20_POLY1305_SHA256",
"TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA",
"TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA",
"TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA",
"TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA",
"TLS_RSA_WITH_AES_128_GCM_SHA256",
"TLS_RSA_WITH_AES_256_GCM_SHA384",
"TLS_RSA_WITH_AES_128_CBC_SHA",
"TLS_RSA_WITH_AES_256_CBC_SHA",
"TLS_RSA_WITH_3DES_EDE_CBC_SHA"
],
"ephemeral_keys_supported": true,
"session_ticket_supported": true,
"tls_compression_supported": false,
"unknown_cipher_suite_supported": false,
"beast_vuln": false,
"able_to_detect_n_minus_one_splitting": false,
"insecure_cipher_suites": {},
"tls_version": "TLS 1.3",
"rating": "Probably Okay"
6) Change the probing script to probe www.google.com and it fails as well (of course it succeeds on the normal network ^_V)
7) Double check the DNS resolver to IP address > the resolver works fine; the Azure DevOps IP address is the same on both networks.
8) Write a .NET console app to run a test (similar to the probing script) and it always gets the exception "An existing connection was forcibly closed by the remote host" when in the corporate network. When out of the corporate network the run is fine and the stream returns NegotiatedCipherSuite TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384 for test.dev.azure.com (and TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256 for www.google.com)
// TcpClient + SslStream probe; the surrounding method and its result type are elided in the post
var client = new System.Net.Sockets.TcpClient();
client.Connect(connectHost, 443); // Success
var remoteEndpoint = client.Client.RemoteEndPoint;
...
using var stream = new System.Net.Security.SslStream(client.GetStream(), leaveInnerStreamOpen: false);
var askedProtocols = System.Security.Authentication.SslProtocols.Tls12;
stream.AuthenticateAsClient(connectHost, null, askedProtocols, false); // Always throws "An existing connection was forcibly closed by the remote host."
return new(connectHost, true, remoteEndpoint, null); // target-typed new; the result record is declared elsewhere in the app
...
Any suggestion will be much appreciated, guys!

Cannot access localhost:8443/ejbca

I'm new to EJBCA and I have to install it on a virtual machine for work
Ubuntu 20.04
ejbca_7_4_3_2
wildfly-18.0.0.Final
mariadb-server version: 10.3.32-MariaDB-0ubuntu0.20.04.1 Ubuntu 20.04
openjdk version "1.8.0_312"
Apache Ant(TM) version 1.10.7 compiled on October 24 2019
After a few tries (and a lot of virtual machines cloned and deleted), I finally got the "build successful" message with the commands ant runinstall and ant deploy-keystore
But when I try to use the URL https://localhost:8443/ejbca/ (the certificate SuperAdmin.p12 is installed) my browser (Firefox 96.0 64-bit) gives the message
An error occurred during a connection to localhost:8443. Cannot communicate securely with peer: no common encryption algorithm(s).
Error code: SSL_ERROR_NO_CYPHER_OVERLAP
I have these errors in my log file; the first one is related to ant -q clean deployear
and the last one appears every time I try to access the URL https://localhost:8443/ejbca/
ERROR [org.jboss.as.jsf] (MSC service thread 1-1) WFLYJSF0002: Could not load JSF managed bean class: org.ejbca.ui.web.admin.peerconnector.PeerConnectorMBean
ERROR [io.undertow.request] (default I/O-2) Closing SSLConduit after exception on handshake: javax.net.ssl.SSLHandshakeException: no cipher suites in common
at sun.security.ssl.Alert.createSSLException(Alert.java:131)
at sun.security.ssl.Alert.createSSLException(Alert.java:117)
at sun.security.ssl.TransportContext.fatal(TransportContext.java:311)
at sun.security.ssl.TransportContext.fatal(TransportContext.java:267)
at sun.security.ssl.TransportContext.fatal(TransportContext.java:258)
at sun.security.ssl.ServerHello$T12ServerHelloProducer.chooseCipherSuite(ServerHello.java:461)
at sun.security.ssl.ServerHello$T12ServerHelloProducer.produce(ServerHello.java:296)
at sun.security.ssl.SSLHandshake.produce(SSLHandshake.java:421)
at sun.security.ssl.ClientHello$T12ClientHelloConsumer.consume(ClientHello.java:1020)
at sun.security.ssl.ClientHello$ClientHelloConsumer.onClientHello(ClientHello.java:727)
at sun.security.ssl.ClientHello$ClientHelloConsumer.consume(ClientHello.java:693)
at sun.security.ssl.SSLHandshake.consume(SSLHandshake.java:377)
at sun.security.ssl.HandshakeContext.dispatch(HandshakeContext.java:444)
at sun.security.ssl.SSLEngineImpl$DelegatedTask$DelegatedAction.run(SSLEngineImpl.java:981)
at sun.security.ssl.SSLEngineImpl$DelegatedTask$DelegatedAction.run(SSLEngineImpl.java:968)
at java.security.AccessController.doPrivileged(Native Method)
at sun.security.ssl.SSLEngineImpl$DelegatedTask.run(SSLEngineImpl.java:915)
at io.undertow.protocols.ssl.SslConduit$5.run(SslConduit.java:1072)
at org.jboss.threads.ContextClassLoaderSavingRunnable.run(ContextClassLoaderSavingRunnable.java:35)
at org.jboss.threads.EnhancedQueueExecutor.safeRun(EnhancedQueueExecutor.java:1982)
at org.jboss.threads.EnhancedQueueExecutor$ThreadBody.doRunTask(EnhancedQueueExecutor.java:1486)
at org.jboss.threads.EnhancedQueueExecutor$ThreadBody.run(EnhancedQueueExecutor.java:1377)
at java.lang.Thread.run(Thread.java:748)
ERROR [io.undertow.request] (default I/O-2) Closing SSLConduit after exception
Sounds like a TLS configuration issue. You will find the TLS configuration you did when configuring WildFly in the commands you ran, like:
/opt/wildfly/bin/jboss-cli.sh --connect '/subsystem=elytron/server-ssl-context=httpspriv:add(key-manager=httpsKM,protocols=["TLSv1.2"],use-cipher-suites-order=false,cipher-suite-filter="TLS_DHE_RSA_WITH_AES_128_GCM_SHA256,TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256",trust-manager=httpsTM,need-client-auth=true)'
The result is somewhere in standalone.xml in WildFly, and you can modify it directly in WildFly, for example if you have EC keys in the server certificate while using the RSA algorithm selection above.
In server.log you should also see, when WildFly starts up, if there are any errors in parsing the values or the keystores.
Make sure that your server and client certificates have keys and algorithms that match the TLS algorithm settings; otherwise WildFly will remove those algorithms.
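The check the answer asks for, as an added example that is not part of the answer, EJBCA or WildFly: given the cipher-suite-filter from the jboss-cli command and the key type of the server certificate, work out which suites the server can still offer. An empty intersection is exactly the "no cipher suites in common" in the log, and the rewrite for an EC key is a suggestion derived from suite names, not a WildFly API.

```python
"""Check an Elytron cipher-suite-filter against the server certificate's key type.

Added example: not code from the answer above, EJBCA or WildFly. Suite names
are the IANA/JSSE names used in cipher-suite-filter; the key-type rule follows
the TLS 1.2 naming scheme TLS_<kx>_<auth>_WITH_... (auth RSA/ECDSA/DSS), plus
static TLS_RSA_WITH_... which needs an RSA key, while TLS 1.3 names (no
_WITH_) work with any certificate key.
"""
from typing import List, Optional

# Signature algorithm in the suite name -> key type the server certificate needs.
_AUTH_TO_KEY = {"RSA": "RSA", "ECDSA": "EC", "DSS": "DSA"}

# The filter from the jboss-cli command in the answer above.
FILTER_FROM_ANSWER = (
    "TLS_DHE_RSA_WITH_AES_128_GCM_SHA256,TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256"
)


def required_key_type(suite: str) -> Optional[str]:
    """Key type ('RSA', 'EC', 'DSA') the suite needs, or None if any certificate works."""
    if not suite.startswith("TLS_"):
        raise ValueError(f"not a TLS cipher suite name: {suite}")
    head, sep, _ = suite.partition("_WITH_")
    if not sep:
        return None  # TLS 1.3 suite, e.g. TLS_AES_128_GCM_SHA256
    parts = head[len("TLS_"):].split("_")
    if parts[-1] in _AUTH_TO_KEY:      # ECDHE_RSA, DHE_DSS, ECDH_ECDSA, ...
        return _AUTH_TO_KEY[parts[-1]]
    if parts == ["RSA"]:               # static RSA key exchange
        return "RSA"
    return None                        # PSK / anonymous: no certificate involved


def split_filter(cipher_suite_filter: str) -> List[str]:
    """cipher-suite-filter is a comma-separated list of suite names."""
    return [s.strip() for s in cipher_suite_filter.split(",") if s.strip()]


def negotiable_suites(cipher_suite_filter: str, server_key_type: str) -> List[str]:
    """Suites in the filter that the server can actually offer with its key."""
    return [s for s in split_filter(cipher_suite_filter)
            if required_key_type(s) in (None, server_key_type)]


def adapt_filter_to_key(cipher_suite_filter: str, server_key_type: str) -> str:
    """Suggest a filter for the key type: ECDHE_RSA <-> ECDHE_ECDSA are swapped,
    suites without a counterpart for that key (DHE_RSA, static RSA) are dropped."""
    swap = {"EC": ("_ECDHE_RSA_WITH_", "_ECDHE_ECDSA_WITH_"),
            "RSA": ("_ECDHE_ECDSA_WITH_", "_ECDHE_RSA_WITH_")}
    kept: List[str] = []
    for s in split_filter(cipher_suite_filter):
        if server_key_type in swap:
            s = s.replace(*swap[server_key_type])
        if required_key_type(s) in (None, server_key_type) and s not in kept:
            kept.append(s)
    return ",".join(kept)


def diagnose(cipher_suite_filter: str, server_key_type: str) -> str:
    """Predict the handshake outcome: an empty intersection is the server's
    'no cipher suites in common' and the browser's SSL_ERROR_NO_CYPHER_OVERLAP."""
    usable = negotiable_suites(cipher_suite_filter, server_key_type)
    if usable:
        return "ok: " + ",".join(usable)
    needed = sorted({required_key_type(s) or "any" for s in split_filter(cipher_suite_filter)})
    return (f"no cipher suites in common: server key is {server_key_type} but the filter "
            f"only allows suites for {'/'.join(needed)} keys; try cipher-suite-filter="
            f"\"{adapt_filter_to_key(cipher_suite_filter, server_key_type)}\"")


if __name__ == "__main__":
    # Key type of the server certificate comes from:
    #   openssl x509 -in server.crt -noout -text | grep 'Public Key Algorithm'
    print(diagnose(FILTER_FROM_ANSWER, "RSA"))
    print(diagnose(FILTER_FROM_ANSWER, "EC"))
```

Run diagnose() with the key type reported by openssl for the certificate in the httpsKM keystore; if it prints the "no cipher suites in common" line, either the suites or the key have to change, and the suggested filter still has to be made of names the JDK on that server supports.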

Timeout while waiting for the management service to start up.120 secs

I am using the following on Linux
MFP 6.3
WAS Liberty 8.5.5.6 (core trial)
Tried with JDK1.7 and JDK1.6 but nothing worked out
MySQL
I could not see any other error/exception in messages.log except this and I am not sure where to change the 'timeout' value in WAS Liberty profile.
http://pastebin.com/7uuVtjHL (server.xml)
http://pastebin.com/2ScrUQLa (messages.log)
Exception thrown by application class 'com.worklight.core.auth.impl.AuthenticationFilter.isWaitingForSynchronization:598'
javax.servlet.ServletException: java.lang.RuntimeException: Timeout while waiting for the management service to start up.120 secs.
    at com.worklight.core.auth.impl.AuthenticationFilter.isWaitingForSynchronization(AuthenticationFilter.java:598)
    at com.worklight.core.auth.impl.AuthenticationFilter.doFilter(AuthenticationFilter.java:141)
    at com.ibm.ws.webcontainer.filter.FilterInstanceWrapper.doFilter(FilterInstanceWrapper.java:207)
    at [internal classes]
Caused by: java.lang.RuntimeException: Timeout while waiting for the management service to start up.120 secs.
    at com.worklight.core.init.WorklightServletInitializer$1.run(WorklightServletInitializer.java:121)
    at java.lang.Thread.run(Thread.java:798)
Right now it does seem like you are experiencing the same issue as mentioned here: How to solve management service not starting up in Worklight 6.2
You are currently using IBM Java 1.7 per the messages.log file:
java.home = /usr/lib/jvm/java-1.7.0-ibm-1.7.0.9.0.x86_64/jre
Download Oracle Java 1.7 and make sure your java.home points to it. Start the server and see if there are any differences.
Instead, or in addition, you can try this: https://developer.ibm.com/answers/questions/184195/no-runtime-can-be-found-and-failed-to-obtain-jmx-c.html
In server.xml find the following:
<jndiEntry jndiName="ibm.worklight.admin.jmx.host" value="localhost"/>
Replace "localhost" with the Public IP address of the host machine and start the server.

JMX connection to access MBean

My environment:
O/S: Windows 8.1
JRE: 1.7
Eclipse: Luna, 4.4
Worklight: 6.2 (build 6.2.0.00-20140801-1709)
I have encountered the following error when Run As > Run on Worklight Development Server.
I've re-installed several times, but the error persists.
Another strange thing I noted: I need to change <httpEndpoint host="*" ...> to host="hostname" in the server.xml before the Worklight Server can be started.
Questions:
Is there any similar problem?
Is Worklight Studio tested on Windows 8.1? (based on Announcement Letter, Worklight is only supported on Windows 8)?
[ERROR ] Failed to obtain JMX connection to access an MBean. There might be a JMX configuration error: Connection refused: connect
[ERROR ] Failed to obtain JMX connection to access an MBean. There might be a JMX configuration error: FWLSE3012E: JMX configuration error. Unable to obtain MBeans. Reason: "Connection refused: connect".
[ERROR ] FWLSE3000E: A server error was detected. FWLSE3012E: JMX configuration error. Unable to obtain MBeans. Reason: "FWLSE3012E: JMX configuration error. Unable to obtain MBeans. Reason: "Connection refused: connect"
Did you try the solutions provided in the following questions?
IBM Worklight 6.2: JMX configuration error. Unable to obtain MBeans
Also try with JRE 1.6 (make sure Eclipse is configured to use it, too)

WebLogic logs containing BEA-180029 - <Caught this Ferror exception: 5 (FBADFLD). Additional exception info found: Unknown fldid32: 168877871>

May I know if someone has encountered this before? I found this in the WebLogic managed server logs.
####<Jul 15, 2011 9:59:34 AM EST> <Error> <WTC> <mi009.aiu.com> <ilpmServer3> <ExecuteThread: '58' for queue: 'weblogic.kernel.Default'> <ICO_WS1> <> <BEA-180029> <Caught this Ferror exception: 5 (FBADFLD). Additional exception info found: Unknown fldid32: 168877871>
The exception explanation at WebLogic does not provide much information about the error.
It seems that either WLS is calling a Tuxedo server via WTC, or the Tuxedo server is calling a WLS service exported via WTC.
In either case the field ID 168877871 is not mapped to the same variable by the Tuxedo server or the WLS code.
Please verify with the developers of the app whether the field ID 168877871 corresponds to the same variable for WLS and the Tuxedo server.
On the Tuxedo server please check the files listed by:
env | egrep "FIELDTBLS|FLDTBLDIR"
In Java verify the source.
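To make that comparison concrete, here is an added example (not code from the answer or from Tuxedo) that decodes the fldid32 from the log into its type and number and looks it up in two field tables. It assumes the FML32 identifier layout of Fmkfldid32()/Fldtype32()/Fldno32(), type in the top 8 bits and number in the low 24 bits, and the two tables are constructed in FIELDTBLS text format to show the mismatch the answer describes: the same number declared with a different type on each side gives a different fldid32.

```python
"""Decode a Tuxedo FML32 field identifier and look it up in a field table.

Added example, not code from the answer above or from Tuxedo. Assumes the
FML32 id layout of Fmkfldid32()/Fldtype32()/Fldno32(): field type in the top
8 bits, field number in the low 24 bits. The field tables below are
constructed in the FIELDTBLS text format (*base directive, then
"name rel-number type flags comment" lines, '#' comments); the names are
made up.
"""
from typing import Dict, NamedTuple

# Type codes FML32 packs into the high byte of a field id (fml32.h FLD_* values).
FML32_TYPES = {"short": 0, "long": 1, "char": 2, "float": 3, "double": 4,
               "string": 5, "carray": 6, "ptr": 9, "fml32": 10,
               "view32": 11, "mbstring": 12}
_TYPE_NAMES = {code: name for name, code in FML32_TYPES.items()}

FLDID_FROM_LOG = 168877871  # the "Unknown fldid32" value in the BEA-180029 message


class FieldId(NamedTuple):
    type_name: str
    number: int


def fmkfldid32(type_name: str, number: int) -> int:
    """Fmkfldid32 equivalent: combine type and number into a 32-bit field id."""
    if not 0 <= number < (1 << 24):
        raise ValueError(f"field number out of range: {number}")
    return (FML32_TYPES[type_name] << 24) | number


def decode_fldid32(fldid: int) -> FieldId:
    """Fldtype32/Fldno32 equivalent: split a field id back into type and number."""
    code, number = fldid >> 24, fldid & 0xFFFFFF
    return FieldId(_TYPE_NAMES.get(code, f"unknown({code})"), number)


def parse_field_table(text: str) -> Dict[int, str]:
    """Parse a FIELDTBLS-style table into {fldid32: field name}."""
    base, table = 0, {}
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        if line.startswith("*base"):
            base = int(line.split()[1])
            continue
        name, rel_number, type_name = line.split()[:3]
        table[fmkfldid32(type_name, base + int(rel_number))] = name
    return table


def explain(fldid: int, tables: Dict[str, Dict[int, str]]) -> str:
    """Report which side knows the id, and what the same field number means on a side that does not."""
    fid = decode_fldid32(fldid)
    lines = [f"fldid32 {fldid} = type {fid.type_name}, number {fid.number}"]
    for side, table in tables.items():
        name = table.get(fldid)
        if name:
            lines.append(f"{side}: defined as {name}")
            continue
        same_number = [(i, n) for i, n in table.items() if decode_fldid32(i).number == fid.number]
        if same_number:
            other_id, other_name = same_number[0]
            lines.append(f"{side}: number {fid.number} exists only as {other_name} with type "
                         f"{decode_fldid32(other_id).type_name} (fldid32 {other_id})")
        else:
            lines.append(f"{side}: unknown fldid32 (FBADFLD)")
    return "\n".join(lines)


# Constructed tables: the Tuxedo side declares the field as a nested fml32
# buffer, the WLS side declares the same number as a string.
TUXEDO_FIELD_TABLE = """\
# $FLDTBLDIR32/$FIELDTBLS32 on the Tuxedo side (constructed)
*base 1105700
ORDER_HEADER   10  fml32   -   nested header buffer
ORDER_DETAIL   11  fml32   -   nested detail buffer
"""
WLS_FIELD_TABLE = """\
# field table compiled into the WLS/WTC side (constructed)
*base 1105700
ORDER_HEADER   10  fml32   -
ORDER_DETAIL   11  string  -   declared as string here: different fldid32
"""

if __name__ == "__main__":
    print(explain(FLDID_FROM_LOG, {"tuxedo": parse_field_table(TUXEDO_FIELD_TABLE),
                                   "wls": parse_field_table(WLS_FIELD_TABLE)}))
```

For FML32 buffers the tables are the ones named by FIELDTBLS32 and FLDTBLDIR32 rather than FIELDTBLS/FLDTBLDIR; feed both sides' tables to explain() and the output shows whether 168877871 is missing outright or exists under a different type.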