I am using MobileFirst V8.0 Consumer Edition. I have setup a test server for my app. When I am calling the adapter procedure(which is protected by the security check) from the mobile app I am getting below error in the server:
[8/25/16 15:10:08:879 CDT] 0000010b com.ibm.mfp.server.az.internal.ConfidentialClientHelper E Unable to sign access token
com.ibm.mfp.server.security.shared.webtoken.WebTokenException: com.ibm.mfp.server.security.shared.webtoken.WebTokenException: Unsupported credentials type
at com.ibm.mfp.server.security.shared.webtoken.JWS.sign(JWS.java:191)
at com.ibm.mfp.server.az.internal.ConfidentialClientHelper.generateAccessToken(ConfidentialClientHelper.java:94)
at com.ibm.mfp.server.az.internal.token.TokenEndpointImpl.generateTokenResponse(TokenEndpointImpl.java:170)
at com.ibm.mfp.server.az.internal.token.TokenEndpointImpl.serveAuthorizationCodeGrantType(TokenEndpointImpl.java:147)
at com.ibm.mfp.server.az.internal.token.TokenEndpointImpl.getToken(TokenEndpointImpl.java:96)
at sun.reflect.NativeMethodAccessorImpl.invoke0(Native Method)
at sun.reflect.NativeMethodAccessorImpl.invoke(NativeMethodAccessorImpl.java:57)
at sun.reflect.DelegatingMethodAccessorImpl.invoke(DelegatingMethodAccessorImpl.java:43)
at java.lang.reflect.Method.invoke(Method.java:606)
at org.springframework.web.method.support.InvocableHandlerMethod.doInvoke(InvocableHandlerMethod.java:221)
at org.springframework.web.method.support.InvocableHandlerMethod.invokeForRequest(InvocableHandlerMethod.java:137)
at org.springframework.web.servlet.mvc.method.annotation.ServletInvocableHandlerMethod.invokeAndHandle(ServletInvocableHandlerMethod.java:110)
at org.springframework.web.servlet.mvc.method.annotation.RequestMappingHandlerAdapter.invokeHandleMethod(RequestMappingHandlerAdapter.java:776)
at org.springframework.web.servlet.mvc.method.annotation.RequestMappingHandlerAdapter.handleInternal(RequestMappingHandlerAdapter.java:705)
at org.springframework.web.servlet.mvc.method.AbstractHandlerMethodAdapter.handle(AbstractHandlerMethodAdapter.java:85)
at org.springframework.web.servlet.DispatcherServlet.doDispatch(DispatcherServlet.java:959)
at org.springframework.web.servlet.DispatcherServlet.doService(DispatcherServlet.java:893)
at org.springframework.web.servlet.FrameworkServlet.processRequest(FrameworkServlet.java:966)
at org.springframework.web.servlet.FrameworkServlet.doPost(FrameworkServlet.java:868)
at javax.servlet.http.HttpServlet.service(HttpServlet.java:595)
at org.springframework.web.servlet.FrameworkServlet.service(FrameworkServlet.java:842)
at javax.servlet.http.HttpServlet.service(HttpServlet.java:668)
at com.ibm.ws.webcontainer.servlet.ServletWrapper.service(ServletWrapper.java:1285)
at com.ibm.ws.webcontainer.servlet.ServletWrapper.handleRequest(ServletWrapper.java:776)
at com.ibm.ws.webcontainer.servlet.ServletWrapper.handleRequest(ServletWrapper.java:473)
at com.ibm.ws.webcontainer.filter.WebAppFilterManager.invokeFilters(WebAppFilterManager.java:1104)
at com.ibm.ws.webcontainer.servlet.CacheServletWrapper.handleRequest(CacheServletWrapper.java:81)
at com.ibm.ws.webcontainer.WebContainer.handleRequest(WebContainer.java:912)
at com.ibm.ws.webcontainer.osgi.DynamicVirtualHost$2.run(DynamicVirtualHost.java:262)
at com.ibm.ws.http.dispatcher.internal.channel.HttpDispatcherLink$TaskWrapper.run(HttpDispatcherLink.java:955)
at java.util.concurrent.ThreadPoolExecutor.runWorker(ThreadPoolExecutor.java:1145)
at java.util.concurrent.ThreadPoolExecutor$Worker.run(ThreadPoolExecutor.java:615)
at java.lang.Thread.run(Thread.java:745)
Caused by: com.ibm.mfp.server.security.shared.webtoken.WebTokenException: Unsupported credentials type
at com.ibm.mfp.server.security.shared.webtoken.PKICredentials.getRsaPublicKey(PKICredentials.java:120)
at com.ibm.mfp.server.security.shared.webtoken.PKICredentials.createWebKey(PKICredentials.java:96)
at com.ibm.mfp.server.security.shared.webtoken.PKICredentials.createHeader(PKICredentials.java:48)
at com.ibm.mfp.server.security.shared.webtoken.JWS.sign(JWS.java:186)
... 32 more
Also, I am using User Defined keystore in my MFP server Instance.
I Regenerated the keystore using below command with -keyalg RSA option as described in this documentation and reconfigured the keystore and this error went away:
keytool -keystore <keystore name> -genkey -alias <alias name> -keylag RSA
Earlier I refered the guide in MFP Console named Create Your Own keystore in the MobileFirst Console from following location Runtime Settings --> Keystore and there -keyalg RSA option was missing.
Related
Downloaded wso2ei-analytics-7.1.0 and started the server and dashboard. Then I enabled statistics for the APIs and endpoints and added the following config into the embedded MI of the Integration studio:
[mediation]
flow.statistics.enable=true
stat.tracer.collect_payloads=true
stat.tracer.collect_mediation_properties=true
flow.statistics.capture_all=true
When starting the embedded MI I get the following error saying some certificate has expired:
[2022-06-23 09:47:40,001] ERROR {DataEndpointConnectionWorker} - Error while trying to connect to the endpoint. Cannot borrow client for ssl://localhost:7712. org.wso2.carbon.databridge.agent.exception.DataEndpointLoginException: Cannot borrow client for ssl://localhost:7712.
at org.wso2.carbon.databridge.agent.endpoint.DataEndpointConnectionWorker.connect(DataEndpointConnectionWorker.java:145)
at org.wso2.carbon.databridge.agent.endpoint.DataEndpointConnectionWorker.run(DataEndpointConnectionWorker.java:59)
at java.base/java.util.concurrent.Executors$RunnableAdapter.call(Executors.java:515)
at java.base/java.util.concurrent.FutureTask.run(FutureTask.java:264)
at java.base/java.util.concurrent.ThreadPoolExecutor.runWorker(ThreadPoolExecutor.java:1128)
at java.base/java.util.concurrent.ThreadPoolExecutor$Worker.run(ThreadPoolExecutor.java:628)
at java.base/java.lang.Thread.run(Thread.java:834)
Caused by: org.wso2.carbon.databridge.agent.exception.DataEndpointLoginException: Error while trying to login to the data receiver.
at org.wso2.carbon.databridge.agent.endpoint.thrift.ThriftDataEndpoint.login(ThriftDataEndpoint.java:54)
at org.wso2.carbon.databridge.agent.endpoint.DataEndpointConnectionWorker.connect(DataEndpointConnectionWorker.java:139)
... 6 more
Caused by: org.apache.thrift.transport.TTransportException: javax.net.ssl.SSLHandshakeException: PKIX path validation failed: java.security.cert.CertPathValidatorException: validity check failed
at org.apache.thrift.transport.TIOStreamTransport.flush(TIOStreamTransport.java:161)
at org.apache.thrift.TServiceClient.sendBase(TServiceClient.java:65)
at org.wso2.carbon.databridge.commons.thrift.service.secure.ThriftSecureEventTransmissionService$Client.send_connect(ThriftSecureEventTransmissionService.java:104)
at org.wso2.carbon.databridge.commons.thrift.service.secure.ThriftSecureEventTransmissionService$Client.connect(ThriftSecureEventTransmissionService.java:95)
at org.wso2.carbon.databridge.agent.endpoint.thrift.ThriftDataEndpoint.login(ThriftDataEndpoint.java:47)
... 7 more
Caused by: javax.net.ssl.SSLHandshakeException: PKIX path validation failed: java.security.cert.CertPathValidatorException: validity check failed
at java.base/sun.security.ssl.Alert.createSSLException(Alert.java:131)
at java.base/sun.security.ssl.TransportContext.fatal(TransportContext.java:326)
at java.base/sun.security.ssl.TransportContext.fatal(TransportContext.java:269)
at java.base/sun.security.ssl.TransportContext.fatal(TransportContext.java:264)
at java.base/sun.security.ssl.CertificateMessage$T13CertificateConsumer.checkServerCerts(CertificateMessage.java:1339)
at java.base/sun.security.ssl.CertificateMessage$T13CertificateConsumer.onConsumeCertificate(CertificateMessage.java:1214)
at java.base/sun.security.ssl.CertificateMessage$T13CertificateConsumer.consume(CertificateMessage.java:1157)
at java.base/sun.security.ssl.SSLHandshake.consume(SSLHandshake.java:392)
at java.base/sun.security.ssl.HandshakeContext.dispatch(HandshakeContext.java:444)
at java.base/sun.security.ssl.HandshakeContext.dispatch(HandshakeContext.java:422)
at java.base/sun.security.ssl.TransportContext.dispatch(TransportContext.java:183)
at java.base/sun.security.ssl.SSLTransport.decode(SSLTransport.java:171)
at java.base/sun.security.ssl.SSLSocketImpl.decode(SSLSocketImpl.java:1403)
at java.base/sun.security.ssl.SSLSocketImpl.readHandshakeRecord(SSLSocketImpl.java:1309)
at java.base/sun.security.ssl.SSLSocketImpl.startHandshake(SSLSocketImpl.java:440)
at java.base/sun.security.ssl.SSLSocketImpl.ensureNegotiated(SSLSocketImpl.java:814)
at java.base/sun.security.ssl.SSLSocketImpl$AppOutputStream.write(SSLSocketImpl.java:1184)
at java.base/java.io.BufferedOutputStream.flushBuffer(BufferedOutputStream.java:81)
at java.base/java.io.BufferedOutputStream.flush(BufferedOutputStream.java:142)
at org.apache.thrift.transport.TIOStreamTransport.flush(TIOStreamTransport.java:159)
... 11 more
Caused by: sun.security.validator.ValidatorException: PKIX path validation failed: java.security.cert.CertPathValidatorException: validity check failed
at java.base/sun.security.validator.PKIXValidator.doValidate(PKIXValidator.java:369)
at java.base/sun.security.validator.PKIXValidator.engineValidate(PKIXValidator.java:275)
at java.base/sun.security.validator.Validator.validate(Validator.java:264)
at java.base/sun.security.ssl.X509TrustManagerImpl.validate(X509TrustManagerImpl.java:313)
at java.base/sun.security.ssl.X509TrustManagerImpl.checkTrusted(X509TrustManagerImpl.java:222)
at java.base/sun.security.ssl.X509TrustManagerImpl.checkServerTrusted(X509TrustManagerImpl.java:129)
at java.base/sun.security.ssl.CertificateMessage$T13CertificateConsumer.checkServerCerts(CertificateMessage.java:1323)
... 26 more
Caused by: java.security.cert.CertPathValidatorException: validity check failed
at java.base/sun.security.provider.certpath.PKIXMasterCertPathValidator.validate(PKIXMasterCertPathValidator.java:135)
at java.base/sun.security.provider.certpath.PKIXCertPathValidator.validate(PKIXCertPathValidator.java:237)
at java.base/sun.security.provider.certpath.PKIXCertPathValidator.validate(PKIXCertPathValidator.java:145)
at java.base/sun.security.provider.certpath.PKIXCertPathValidator.engineValidate(PKIXCertPathValidator.java:84)
at java.base/java.security.cert.CertPathValidator.validate(CertPathValidator.java:309)
at java.base/sun.security.validator.PKIXValidator.doValidate(PKIXValidator.java:364)
... 32 more
Caused by: java.security.cert.CertificateExpiredException: NotAfter: Tue Jan 25 13:00:43 IST 2022
at java.base/sun.security.x509.CertificateValidity.valid(CertificateValidity.java:277)
at java.base/sun.security.x509.X509CertImpl.checkValidity(X509CertImpl.java:675)
at java.base/sun.security.provider.certpath.BasicChecker.verifyValidity(BasicChecker.java:190)
at java.base/sun.security.provider.certpath.BasicChecker.check(BasicChecker.java:144)
at java.base/sun.security.provider.certpath.PKIXMasterCertPathValidator.validate(PKIXMasterCertPathValidator.java:125)
I am assuming the MI trust store does not have the correct certificate. But how do I resolve this?
Go to your Analytics server and then export the public key from the Keytore with the following command. The default password is wso2carbon
keytool -export -alias wso2carbon -keystore wso2carbon.jks -file <public key name>.pem
Then in your MI server, import the public key that you extracted to the client-trustore.
keytool -import -alias analyticskey -file <public key name>.pem -keystore client-truststore.jks -storepass wso2carbon
I recently set up my jenkins ci server, and I wanted to add HTTPS SSL certification. I got a certificate from Let's Encrypt and I have the certificate and private key as PEM files, according to the documentation, I can pass the paths of the two files to jenkins by command-line arguments(I use the integrated Winston server in the jenking WAR file). My startup command looks like this:
java -jar jenkins.war
--httpPort=8080
--httpsPort=443
--httpsCertificate=path/to/certificate.pem
--httpsPrivateKey=path/to/key.pem
But when I start jenkins I get this error:
java.io.IOException: Failed to start a listener: winstone.HttpsConnectorFactory
at winstone.Launcher.spawnListener(Launcher.java:212)
at winstone.Launcher.<init>(Launcher.java:172)
at winstone.Launcher.main(Launcher.java:355)
at sun.reflect.NativeMethodAccessorImpl.invoke0(Native Method)
at sun.reflect.NativeMethodAccessorImpl.invoke(NativeMethodAccessorImpl.java:62)
at sun.reflect.DelegatingMethodAccessorImpl.invoke(DelegatingMethodAccessorImpl.java:43)
at java.lang.reflect.Method.invoke(Method.java:498)
at Main._main(Main.java:375)
at Main.main(Main.java:151)
Caused by: winstone.WinstoneException: Cannot load private key; try using a Java keystore instead.
at winstone.AbstractSecuredConnectorFactory.readPEMRSAPrivateKey(AbstractSecuredConnectorFactory.java:156)
at winstone.AbstractSecuredConnectorFactory.configureSsl(AbstractSecuredConnectorFactory.java:81)
at winstone.HttpsConnectorFactory.start(HttpsConnectorFactory.java:33)
at winstone.Launcher.spawnListener(Launcher.java:210)
... 8 more
Caused by: java.lang.reflect.InvocationTargetException
at sun.reflect.NativeMethodAccessorImpl.invoke0(Native Method)
at sun.reflect.NativeMethodAccessorImpl.invoke(NativeMethodAccessorImpl.java:62)
at sun.reflect.DelegatingMethodAccessorImpl.invoke(DelegatingMethodAccessorImpl.java:43)
at java.lang.reflect.Method.invoke(Method.java:498)
at winstone.AbstractSecuredConnectorFactory.readPEMRSAPrivateKey(AbstractSecuredConnectorFactory.java:151)
... 11 more
Caused by: java.io.IOException: DerValue.getBigInteger, not an int 48
at sun.security.util.DerValue.getBigInteger(DerValue.java:545)
... 16 more
2020-05-02 16:14:21.351+0000 [id=1] SEVERE winstone.Logger#logInternal: Container startup failed
java.io.IOException: DerValue.getBigInteger, not an int 48
at sun.security.util.DerValue.getBigInteger(DerValue.java:545)
Caused: java.lang.reflect.InvocationTargetException
at sun.reflect.NativeMethodAccessorImpl.invoke0(Native Method)
at sun.reflect.NativeMethodAccessorImpl.invoke(NativeMethodAccessorImpl.java:62)
at sun.reflect.DelegatingMethodAccessorImpl.invoke(DelegatingMethodAccessorImpl.java:43)
at java.lang.reflect.Method.invoke(Method.java:498)
at winstone.AbstractSecuredConnectorFactory.readPEMRSAPrivateKey(AbstractSecuredConnectorFactory.java:151)
Caused: winstone.WinstoneException: Cannot load private key; try using a Java keystore instead.
at winstone.AbstractSecuredConnectorFactory.readPEMRSAPrivateKey(AbstractSecuredConnectorFactory.java:156)
at winstone.AbstractSecuredConnectorFactory.configureSsl(AbstractSecuredConnectorFactory.java:81)
at winstone.HttpsConnectorFactory.start(HttpsConnectorFactory.java:33)
at winstone.Launcher.spawnListener(Launcher.java:210)
Caused: java.io.IOException: Failed to start a listener: winstone.HttpsConnectorFactory
at winstone.Launcher.spawnListener(Launcher.java:212)
at winstone.Launcher.<init>(Launcher.java:172)
at winstone.Launcher.main(Launcher.java:355)
at sun.reflect.NativeMethodAccessorImpl.invoke0(Native Method)
at sun.reflect.NativeMethodAccessorImpl.invoke(NativeMethodAccessorImpl.java:62)
at sun.reflect.DelegatingMethodAccessorImpl.invoke(DelegatingMethodAccessorImpl.java:43)
at java.lang.reflect.Method.invoke(Method.java:498)
at Main._main(Main.java:375)
at Main.main(Main.java:151)
The old jenkins documentation has notes on using java keystore, not sure why the latest (2.235.3) has changed HTTPS notes to using pem/key files.
You may refer to https://github.com/garyttt/unattended_jenkins_image_build, pick up the shell functions and run the generate_self_signed_jks.sh to generate a testing .jks file.
The syntax is for example:
JENKINS_OPTS="--prefix=/jenkins --httpPort=-1 --httpsPort=8083 --httpsKeyStore=/var/jenkins_home/selfsigned.jks --httpsKeyStorePassword=secret"
In case you need the content of the shell function, it is:
$ display_shell_function generate_self_signed_jks
generate_self_signed_jks ()
{
keytool -genkey -keyalg RSA -alias selfsigned -keystore selfsigned.jks -validity 365 -keysize 4096;
keytool -export -alias selfsigned -keystore selfsigned.jks -rfc -file selfsigned.cer;
keytool -list -v -keystore selfsigned.jks;
keytool -importkeystore -srckeystore selfsigned.jks -destkeystore selfsigned.p12 -deststoretype pkcs12
}
OR
You may convert .pem file to .jks as per convert certificate from pem into jks
I have setup solr on local system. It works fine without ssl however for SSL solr gives exception:
java.lang.reflect.InvocationTargetException
at sun.reflect.NativeMethodAccessorImpl.invoke0(Native Method)
at sun.reflect.NativeMethodAccessorImpl.invoke(Unknown Source)
at sun.reflect.DelegatingMethodAccessorImpl.invoke(Unknown Source)
at java.lang.reflect.Method.invoke(Unknown Source)
at org.eclipse.jetty.start.Main.invokeMain(Main.java:214)
at org.eclipse.jetty.start.Main.start(Main.java:457)
at org.eclipse.jetty.start.Main.main(Main.java:75)
Caused by: java.io.IOException: Invalid keystore format
I have generated p12 and jks using commands:
“C:\Program Files\Java\jdk-10.0.1\bin\keytool.exe” -genkeypair -alias solr-ssl -keyalg RSA -keysize 2048 -keypass secret -storepass secret -validity 9999 -keystore solr-ssl.keystore.jks -ext SAN=DNS:localhost,IP:127.0.0.1 -dname “CN=localhost, OU=Organizational Unit, O=Organization, L=Location, ST=State, C=Country”
and
“C:\Program Files\Java\jdk-10.0.1\bin\keytool.exe” -importkeystore -srckeystore solr-ssl.keystore.jks -destkeystore solr-ssl.keystore.p12 -srcstoretype jks -deststoretype pkcs12
Kept secret as password for all phrases. Copied the jks and p12 file to solr-6.6.2/server/etc folder. Updated the solr.in.cmd file and uncommented these lines:
SET SOLR_SSL_KEY_STORE=etc/solr-ssl.keystore.jks
SET SOLR_SSL_KEY_STORE_PASSWORD=secret
SET SOLR_SSL_TRUST_STORE=etc/solr-ssl.keystore.jks
SET SOLR_SSL_TRUST_STORE_PASSWORD=secret
SET SOLR_SSL_NEED_CLIENT_AUTH=false
SET SOLR_SSL_WANT_CLIENT_AUTH=false
SET SOLR_SSL_KEY_STORE_TYPE=JKS
SET SOLR_SSL_TRUST_STORE_TYPE=JKS
When I try to run with: solr -p 8984 it gives the above said exception.
Can you please help me out with the setup. Been googling but can't seem to find the resolution.
Ok I have resolved the issue. Seems like my java version was
"1.8.0 ea"
. When I uninstalled and reinstalled the new version
"1.8.0_171"
, solr started in https.
I also tried java version 10 and it had the same issue with solr 6.6.2
I am not very much familiar with HermesJMS.
I have HermesJMS configured to connect some MQs sometime back and it was working fine. then I stopped using it. Now I am trying to connect to the same set of MQs, I am getting below error.
com.ibm.mq.MQException: MQJE001: Completion Code 2, Reason 2397
at com.ibm.mq.MQManagedConnectionJ11.<init>(MQManagedConnectionJ11.java:282)
at com.ibm.mq.MQClientManagedConnectionFactoryJ11._createManagedConnection(MQClientManagedConnectionFactoryJ11.java:301)
at com.ibm.mq.MQClientManagedConnectionFactoryJ11.createManagedConnection(MQClientManagedConnectionFactoryJ11.java:323)
at com.ibm.mq.StoredManagedConnection.<init>(StoredManagedConnection.java:84)
at com.ibm.mq.MQSimpleConnectionManager.allocateConnection(MQSimpleConnectionManager.java:173)
at com.ibm.mq.MQQueueManagerFactory.obtainBaseMQQueueManager(MQQueueManagerFactory.java:795)
at com.ibm.mq.MQQueueManagerFactory.procure(MQQueueManagerFactory.java:709)
at com.ibm.mq.MQQueueManagerFactory.constructQueueManager(MQQueueManagerFactory.java:664)
at com.ibm.mq.MQQueueManagerFactory.createQueueManager(MQQueueManagerFactory.java:160)
at com.ibm.mq.MQQueueManager.<init>(MQQueueManager.java:554)
at com.ibm.mq.MQSPIQueueManager.<init>(MQSPIQueueManager.java:62)
at com.ibm.mq.jms.MQConnection.createQM(MQConnection.java:2513)
at com.ibm.mq.jms.MQConnection.createQMNonXA(MQConnection.java:1936)
at com.ibm.mq.jms.MQQueueConnection.<init>(MQQueueConnection.java:161)
at com.ibm.mq.jms.MQQueueConnectionFactory.createQueueConnection(MQQueueConnectionFactory.java:222)
at com.ibm.mq.jms.MQQueueConnectionFactory.createConnection(MQQueueConnectionFactory.java:1077)
at hermes.impl.jms.ConnectionManagerSupport.createConnection(ConnectionManagerSupport.java:126)
at hermes.impl.jms.ConnectionSharedManager.reconnect(ConnectionSharedManager.java:77)
at hermes.impl.jms.ThreadLocalSessionManager.reconnect(ThreadLocalSessionManager.java:148)
at hermes.impl.DefaultHermesImpl.reconnect(DefaultHermesImpl.java:130)
at hermes.impl.DefaultHermesImpl.getDestination(DefaultHermesImpl.java:364)
at hermes.browser.tasks.BrowseDestinationTask.invoke(BrowseDestinationTask.java:141)
at hermes.browser.tasks.TaskSupport.run(TaskSupport.java:175)
at hermes.browser.tasks.ThreadPool.run(ThreadPool.java:170)
at java.lang.Thread.run(Unknown Source)
Caused by: javax.net.ssl.SSLHandshakeException: sun.security.validator.ValidatorException: PKIX path building failed: sun.security.provider.certpath.SunCertPathBuilderException: unable to find valid certification path to requested target
at sun.security.ssl.Alerts.getSSLException(Unknown Source)
at sun.security.ssl.SSLSocketImpl.fatal(Unknown Source)
at sun.security.ssl.Handshaker.fatalSE(Unknown Source)
at sun.security.ssl.Handshaker.fatalSE(Unknown Source)
at sun.security.ssl.ClientHandshaker.serverCertificate(Unknown Source)
at sun.security.ssl.ClientHandshaker.processMessage(Unknown Source)
at sun.security.ssl.Handshaker.processLoop(Unknown Source)
at sun.security.ssl.Handshaker.process_record(Unknown Source)
at sun.security.ssl.SSLSocketImpl.readRecord(Unknown Source)
at sun.security.ssl.SSLSocketImpl.performInitialHandshake(Unknown Source)
at sun.security.ssl.SSLSocketImpl.startHandshake(Unknown Source)
at sun.security.ssl.SSLSocketImpl.startHandshake(Unknown Source)
at com.ibm.mq.SSLHelper.configureSSLSocket(SSLHelper.java:768)
at com.ibm.mq.SSLHelper.createSSLSocket(SSLHelper.java:154)
at com.ibm.mq.MQInternalCommunications.createSocketConnection(MQInternalCommunications.java:2335)
at com.ibm.mq.MQv6InternalCommunications$1.run(MQv6InternalCommunications.java:169)
at java.security.AccessController.doPrivileged(Native Method)
at com.ibm.mq.MQv6InternalCommunications.initialize(MQv6InternalCommunications.java:166)
at com.ibm.mq.MQv6InternalCommunications.<init>(MQv6InternalCommunications.java:114)
at com.ibm.mq.MQSESSIONClient.MQCONNX(MQSESSIONClient.java:1458)
at com.ibm.mq.MQSESSIONClient.spiConnect(MQSESSIONClient.java:4610)
at com.ibm.mq.MQManagedConnectionJ11.<init>(MQManagedConnectionJ11.java:246)
... 24 more
Caused by: sun.security.validator.ValidatorException: PKIX path building failed: sun.security.provider.certpath.SunCertPathBuilderException: unable to find valid certification path to requested target
at sun.security.validator.PKIXValidator.doBuild(Unknown Source)
at sun.security.validator.PKIXValidator.engineValidate(Unknown Source)
at sun.security.validator.Validator.validate(Unknown Source)
at sun.security.ssl.X509TrustManagerImpl.validate(Unknown Source)
at sun.security.ssl.X509TrustManagerImpl.checkTrusted(Unknown Source)
at sun.security.ssl.X509TrustManagerImpl.checkServerTrusted(Unknown Source)
... 42 more
Caused by: sun.security.provider.certpath.SunCertPathBuilderException: unable to find valid certification path to requested target
at sun.security.provider.certpath.SunCertPathBuilder.engineBuild(Unknown Source)
at java.security.cert.CertPathBuilder.build(Unknown Source)
... 48 more
I know this is something to do with the certificate as it is giving SSLHandshakeException, but I am not pretty sure where I should be checking the configuration.
As per my knowledge there is no change in the configuration. (I can't be sure about it as MQs are managed by a different team and they don't bother to communicate the changes to rest of the world).
How can I verify and confirm if it is the certificate issue and no other configuration problem.
If you doesn't change nothing in your configuration the most probably thing is that the service endpoint change or renew its server domain certificate and due this it's not a trusted certificate for your configuration anymore.
To solve the problem you need to add the certificate authority in your truststore (or directly the server domain certificate for a selfsigned certs).
SOAPUI it's Java based, and Java comes with its own truststore. The good practice is to add the CA certificates to your truststore (however it's possible to only add the server certificate). You can add it using keytool with the follow command:
keytool -import -alias <someAlias> -file <certificatePath> -keystore <trustStorePath>
Depends on your SOAPUI installation the truststore location can differs, if you have a JRE bundled inside SOAPUI then your truststore are in SOAPUI_HOME/jre/lib/security/cacerts if not, then is in your Java installation which runs SOAPUI in $JAVA_HOME/JRE/Security/cacerts (default password for both are changeit).
Hope it helps,
I have been trying to enable client-to-node ssl communication in a single node cluster running Datastax (DSE) version 4.6 with Cassandra 2.0.11
After following the steps in the datastax documentation documentation
I keep on getting the following error message;
INFO [Thread-3] 2015-01-25 09:00:21,383 ThriftServer.java (line 135) Listening for thrift clients...
ERROR [Thrift:1] 2015-01-25 09:00:30,486 TNegotiatingServerTransport.java (line 523) Failed to open server transport.
org.apache.thrift.transport.TTransportException: javax.net.ssl.SSLException: Unrecognized SSL message, plaintext connection?
at org.apache.thrift.transport.TIOStreamTransport.read(TIOStreamTransport.java:129)
at com.datastax.bdp.transport.server.TPreviewableTransport.readUntilEof(TPreviewableTransport.java:79)
at com.datastax.bdp.transport.server.TPreviewableTransport.preview(TPreviewableTransport.java:55)
at com.datastax.bdp.transport.server.TNegotiatingServerTransport.open(TNegotiatingServerTransport.java:186)
at com.datastax.bdp.transport.server.TNegotiatingServerTransport$Factory.getTransport(TNegotiatingServerTransport.java:516)
at com.datastax.bdp.transport.server.TNegotiatingServerTransport$Factory.getTransport(TNegotiatingServerTransport.java:405)
at org.apache.cassandra.thrift.CustomTThreadPoolServer$WorkerProcess.run(CustomTThreadPoolServer.java:196)
at java.util.concurrent.ThreadPoolExecutor.runWorker(ThreadPoolExecutor.java:1145)
at java.util.concurrent.ThreadPoolExecutor$Worker.run(ThreadPoolExecutor.java:615)
at java.lang.Thread.run(Thread.java:744)
Caused by: javax.net.ssl.SSLException: Unrecognized SSL message, plaintext connection?
at sun.security.ssl.InputRecord.handleUnknownRecord(InputRecord.java:671)
at sun.security.ssl.InputRecord.read(InputRecord.java:504)
at sun.security.ssl.SSLSocketImpl.readRecord(SSLSocketImpl.java:927)
at sun.security.ssl.SSLSocketImpl.performInitialHandshake(SSLSocketImpl.java:1312)
at sun.security.ssl.SSLSocketImpl.readDataRecord(SSLSocketImpl.java:882)
at sun.security.ssl.AppInputStream.read(AppInputStream.java:102)
at java.io.BufferedInputStream.fill(BufferedInputStream.java:235)
at java.io.BufferedInputStream.read1(BufferedInputStream.java:275)
at java.io.BufferedInputStream.read(BufferedInputStream.java:334)
at org.apache.thrift.transport.TIOStreamTransport.read(TIOStreamTransport.java:127)
... 9 more
ERROR [Thrift:1] 2015-01-25 09:00:30,513 CustomTThreadPoolServer.java (line 222) Error occurred during processing of message.
java.lang.RuntimeException: Failed to open server transport: unknown
at com.datastax.bdp.transport.server.TNegotiatingServerTransport$Factory.getTransport(TNegotiatingServerTransport.java:524)
at com.datastax.bdp.transport.server.TNegotiatingServerTransport$Factory.getTransport(TNegotiatingServerTransport.java:405)
at org.apache.cassandra.thrift.CustomTThreadPoolServer$WorkerProcess.run(CustomTThreadPoolServer.java:196)
at java.util.concurrent.ThreadPoolExecutor.runWorker(ThreadPoolExecutor.java:1145)
at java.util.concurrent.ThreadPoolExecutor$Worker.run(ThreadPoolExecutor.java:615)
at java.lang.Thread.run(Thread.java:744)
Here is my cassandra.yaml file
client_encryption_options:
enabled: true
keystore: /home/ubuntu/.keystore
keystore_password: ****
truststore: /home/ubuntu/.truststore
truststore_password: ****
protocol: ssl
store_type: JKS
cipher_suites:
[TLS_RSA_WITH_AES_128_CBC_SHA,TLS_RSA_WITH_AES_256_CBC_SHA]
Steps followed to create the keystore and truststore
keytool -genkey -keyalg RSA -alias node0 -keystore .keystore (used the hostname for first name & last name)
keytool -export -alias node0 -file node0.cer -keystore .keystore
keytool -import -v -trustcacerts -alias node0 -file node0.cer -keystore .truststore
I already fix the TLS_RSA_WITH_AES_256_CBC_SHA bug they have in their documentation by downloading the required jar files from the oracle website http://www.oracle.com/technetwork/java/javase/downloads/jce-7-download-432124.html
This message shows that a client is trying to open an unencrypted connection.
First thought is check if client certificate auth is enabled. Read this: http://www.datastax.com/documentation/datastax_enterprise/4.6/datastax_enterprise/sec/secRunCqlsh.html
Here is a walkthrough for enabling cqlsh ssl connection: https://github.com/PatrickCallaghan/datastax-ssl-example