I am using wso2esb-4.8.1 with java web client.
I wish to do SSL mutual authentication in wso2esb.My client web as well as android app so i followed http://pathberiya.blogspot.in/2012/08/enable-mutual-ssl-for-proxy-services-in.html above blog so i created .jks file and replaced with wso2carbon.jks its working.
But how to do mutual authentication with back end server .It has its own certificate .Can i export that certificate into my wso2esb security folder.In that way is it work or not.Else i need to use same certificate with back end also help me for this.
client------------>proxy-------------->Backend
getting this error in esb starting level only
[ESB] [2014-05-29 18:56:19,653] ERROR {org.wso2.carbon.core.deployment.DeploymentInterceptor} - Error while updating wso2carbon-sts in STSDeploymentInterceptor {org.wso2.carbon.core.deployment.DeploymentInterceptor}
java.lang.NullPointerException
at org.wso2.carbon.core.util.KeyStoreUtil.getKeyStoreFileName(KeyStoreUtil.java:57)
after that one more error is
ERROR {org.wso2.carbon.tenant.mgt.internal.TenantMgtServiceComponent} - ******* Tenant Config bundle failed activating **** {org.wso2.carbon.tenant.mgt.internal.TenantMgtServiceComponent}
java.lang.NullPointerException
at java.util.Hashtable.put(Hashtable.java:514
This is about the https transport
FATAL {org.wso2.carbon.core.internal.StartupFinalizerServiceComponent} - Cannot start transports {org.wso2.carbon.core.internal.StartupFinalizerServiceComponent}
java.lang.reflect.InvocationTargetException
at sun.reflect.NativeMethodAccessorImpl.invoke0(Native Method)
Thanks in Advance.
Mutual authentication is not currently supported for proxy -> backend communication. See JIRA issue here.
What you need is to enable custom SSL profiles in the axis configuration. For a specific endpoint, you can specify which keystone and which truststore to use. See this post: http://nadeeshaan.blogspot.nl/2014/03/enabling-custom-ssl-in-wso2-esb-4.html
Related
I am facing issue while sending file from Sterling File Gateway to external FTP Server using FTPS Protocol setup. Recently the certificate on server side has been expired and we have added the renewed cert on our B2bi and SSP with Root,Intermediate, public cert.
From there we started to Handshake failures on Perimeter logs.
Error:
ERROR [TLSCheck.validCerta] validateErr not 0, failing check: 4
ERROR [TLSCheck. validCerts) error (s) is/are: ERR_CERT OTHER ERROR,
Caused by: javax.net.ssl.SSLHandshakeException: General SSLEngine problem
Caused by: java.security.cert.CertificateException: [TLSCheck.certificateCallback] toolkit level returns false
Please let me know what could be the issue.
Thanks in Advance
I am getting below certification error while i am trying to call any API https://:8243/ from a react based frontend application. I have defined my rest API in wso2 EI 6.3. I am not using wso2 APIM.
What i did to resolve this issue:
1. I created a new self signed certificate and created a new key store. Updated carbon.xml, axis2.xml file. Restart the server. I am able to see my certificate in wso2 Ei GUI.
2. I accepted the certificate in browser.
But still i am not able to get rid of this error.
Is this error coming due to self signed certificate? If i will be using any CA signed certificate then this issue will not be there?
Any help or pointer is highly appreciated.
[2020-04-07 08:54:48,841] [-1] [] [HTTPS-Listener I/O dispatcher-2] ERROR {org.apache.synapse.transport.passthru.SourceHandler} - I/O error: Received fatal alert: certificate_unknown
javax.net.ssl.SSLException: Received fatal alert: certificate_unknown
at sun.security.ssl.Alerts.getSSLException(Alerts.java:208)
at sun.security.ssl.SSLEngineImpl.fatal(SSLEngineImpl.java:1647)
at sun.security.ssl.SSLEngineImpl.fatal(SSLEngineImpl.java:1615)
at sun.security.ssl.SSLEngineImpl.recvAlert(SSLEngineImpl.java:1781)
at sun.security.ssl.SSLEngineImpl.readRecord(SSLEngineImpl.java:1070)
at sun.security.ssl.SSLEngineImpl.readNetRecord(SSLEngineImpl.java:896)
at sun.security.ssl.SSLEngineImpl.unwrap(SSLEngineImpl.java:766)
at javax.net.ssl.SSLEngine.unwrap(SSLEngine.java:624)
at org.apache.http.nio.reactor.ssl.SSLIOSession.doUnwrap(SSLIOSession.java:245)
at org.apache.http.nio.reactor.ssl.SSLIOSession.doHandshake(SSLIOSession.java:280)
at org.apache.http.nio.reactor.ssl.SSLIOSession.isAppInputReady(SSLIOSession.java:410)
at org.apache.http.impl.nio.reactor.AbstractIODispatch.inputReady(AbstractIODispatch.java:119)
at org.apache.http.impl.nio.reactor.BaseIOReactor.readable(BaseIOReactor.java:159)
at org.apache.http.impl.nio.reactor.AbstractIOReactor.processEvent(AbstractIOReactor.java:338)
at org.apache.http.impl.nio.reactor.AbstractIOReactor.processEvents(AbstractIOReactor.java:316)
at org.apache.http.impl.nio.reactor.AbstractIOReactor.execute(AbstractIOReactor.java:277)
at org.apache.http.impl.nio.reactor.BaseIOReactor.execute(BaseIOReactor.java:105)
at org.apache.http.impl.nio.reactor.AbstractMultiworkerIOReactor$Worker.run(AbstractMultiworkerIOReactor.java:586)
at java.lang.Thread.run(Thread.java:748)
BR//
Vipin Nirwal
I was able to resolve this issue. I followed the below steps.
I created a self CA first. Then created a certificate signed by my own CA. Import the root certificate of my CA into the browser As this CA needs to be trusted by browser.
After this update carbon.xml, files inside axis2 directory and catalina-server.xml file with proper jks file and password for keystores.
Restarted the server.
You can try to debug it yourself by enabling SSL debug logs in the EI server. In the SSL logs, you can check whether the client certificate and the server certificate is matching. Have a look at the following blog.
https://medium.com/#nipunadilhara/enabling-ssl-debug-logs-for-wso2-products-30833d5de88e
My Setup
I am using WSO2EI version 6.4.0 to host my Rest API.
My Client --> WSO2EI --> Outside SOAP Calls
I do not have set up any mutual auth/keys etc. between WSO2EI and the outside servers.
What I am doing
When my client calls me(WSO2EI), I(WSO2EI) call other SOAP endpoints (different domains) and I(WSO2EI) am a client of these endpoints.
The Issue
A call from client(postman) --> WSO2EI --> OUT_SIDE_SOAP_END_POINT_1
whereas
another call from client(postman) --> WSO2EI --> OUT_SIDE_SOAP_END_POINT_2 does not.
However, a direct call from client(postman) --> OUT_SIDE_SOAP_END_POINT_2 works
The Exception Stack
[PassThroughMessageProcessor-1] INFO {org.apache.axis2.transport.http.HTTPSender} - Unable to sendViaPost to url[https://vsb.nrt.unabdev.sprint.com/services/CloudService]
javax.net.ssl.SSLPeerUnverifiedException: SSL peer failed hostname validation for name: null
at org.opensaml.ws.soap.client.http.TLSProtocolSocketFactory.verifyHostname(TLSProtocolSocketFactory.java:233)
at org.opensaml.ws.soap.client.http.TLSProtocolSocketFactory.createSocket(TLSProtocolSocketFactory.java:194)
at org.apache.commons.httpclient.HttpConnection.open(HttpConnection.java:707)
at org.apache.commons.httpclient.MultiThreadedHttpConnectionManager$HttpConnectionAdapter.open(MultiThreadedHttpConnectionManager.java:1361)
at org.apache.commons.httpclient.HttpMethodDirector.executeWithRetry(HttpMethodDirector.java:387)
at org.apache.commons.httpclient.HttpMethodDirector.executeMethod(HttpMethodDirector.java:171)
at org.apache.commons.httpclient.HttpClient.executeMethod(HttpClient.java:397)
at org.apache.axis2.transport.http.AbstractHTTPSender.executeMethod(AbstractHTTPSender.java:704)
at org.apache.axis2.transport.http.HTTPSender.sendViaPost(HTTPSender.java:199)
at org.apache.axis2.transport.http.HTTPSender.send(HTTPSender.java:81)
at org.apache.axis2.transport.http.CommonsHTTPTransportSender.writeMessageWithCommons(CommonsHTTPTransportSender.java:459)
at org.apache.axis2.transport.http.CommonsHTTPTransportSender.invoke(CommonsHTTPTransportSender.java:286)
at org.apache.axis2.engine.AxisEngine.send(AxisEngine.java:442)
at org.apache.axis2.description.OutInAxisOperationClient.send(OutInAxisOperation.java:442)
at org.apache.axis2.description.OutInAxisOperationClient.executeImpl(OutInAxisOperation.java:228)
at org.apache.axis2.client.OperationClient.execute(OperationClient.java:149)
at org.apache.synapse.message.senders.blocking.BlockingMsgSender.sendReceive(BlockingMsgSender.java:493)
at org.apache.synapse.message.senders.blocking.BlockingMsgSender.send(BlockingMsgSender.java:385)
at org.apache.synapse.core.axis2.Axis2FlexibleMEPClient.send(Axis2FlexibleMEPClient.java:90)
#
at org.apache.synapse.core.axis2.Axis2Sender.sendOn(Axis2Sender.java:85)
at org.apache.synapse.core.axis2.Axis2SynapseEnvironment.send(Axis2SynapseEnvironment.java:547)
at org.apache.synapse.endpoints.AbstractEndpoint.send(AbstractEndpoint.java:384)
at org.apache.synapse.endpoints.DefaultEndpoint.send(DefaultEndpoint.java:77)
at org.apache.synapse.mediators.builtin.CallMediator.handleBlockingCall(CallMediator.java:164)
at org.apache.synapse.mediators.builtin.CallMediator.mediate(CallMediator.java:119)
at org.apache.synapse.mediators.AbstractListMediator.mediate(AbstractListMediator.java:108)
at org.apache.synapse.mediators.AbstractListMediator.mediate(AbstractListMediator.java:70)
at org.apache.synapse.mediators.template.TemplateMediator.mediate(TemplateMediator.java:104)
at org.apache.synapse.mediators.template.InvokeMediator.mediate(InvokeMediator.java:148)
at org.apache.synapse.mediators.template.InvokeMediator.mediate(InvokeMediator.java:84)
at org.apache.synapse.mediators.AbstractListMediator.mediate(AbstractListMediator.java:108)
at org.apache.synapse.mediators.AbstractListMediator.mediate(AbstractListMediator.java:70)
at org.apache.synapse.config.xml.AnonymousListMediator.mediate(AnonymousListMediator.java:37)
at org.apache.synapse.mediators.filters.FilterMediator.mediate(FilterMediator.java:203)
at org.apache.synapse.mediators.AbstractListMediator.mediate(AbstractListMediator.java:108)
at org.apache.synapse.mediators.AbstractListMediator.mediate(AbstractListMediator.java:70)
at org.apache.synapse.mediators.base.SequenceMediator.mediate(SequenceMediator.java:158)
at org.apache.synapse.mediators.base.SequenceMediator.mediate(SequenceMediator.java:214)
at org.apache.synapse.mediators.AbstractListMediator.mediate(AbstractListMediator.java:108)
at org.apache.synapse.mediators.AbstractListMediator.mediate(AbstractListMediator.java:70)
at org.apache.synapse.mediators.base.SequenceMediator.mediate(SequenceMediator.java:158)
at org.apache.synapse.rest.Resource.process(Resource.java:358)
at org.apache.synapse.rest.API.process(API.java:426)
at org.apache.synapse.rest.RESTRequestHandler.apiProcess(RESTRequestHandler.java:135)
at org.apache.synapse.rest.RESTRequestHandler.dispatchToAPI(RESTRequestHandler.java:113)
at org.apache.synapse.rest.RESTRequestHandler.process(RESTRequestHandler.java:71)
at org.apache.synapse.core.axis2.Axis2SynapseEnvironment.injectMessage(Axis2SynapseEnvironment.java:303)
at org.apache.synapse.core.axis2.SynapseMessageReceiver.receive(SynapseMessageReceiver.java:98)
at org.apache.axis2.engine.AxisEngine.receive(AxisEngine.java:180)
at org.apache.synapse.transport.passthru.ServerWorker.processNonEntityEnclosingRESTHandler(ServerWorker.java:337)
at org.apache.synapse.transport.passthru.ServerWorker.processEntityEnclosingRequest(ServerWorker.java:383)
at org.apache.synapse.transport.passthru.ServerWorker.run(ServerWorker.java:151)
at org.apache.axis2.transport.base.threads.NativeWorkerPool$1.run(NativeWorkerPool.java:172)
at java.util.concurrent.ThreadPoolExecutor.runWorker(ThreadPoolExecutor.java:1149)
at java.util.concurrent.ThreadPoolExecutor$Worker.run(ThreadPoolExecutor.java:624)
at java.lang.Thread.run(Thread.java:748)
What I have done and how they have faired
Setting System Property[ignoreHostnameVerification] on integrator.sh
-Dorg.wso2.ignoreHostnameVerification=true Same Exception
Setting System Property[hostnameVerifier & disableHostnameVerification] on integrator.sh
-Dhttpclient.hostnameVerifier=AllowAll \
-Dorg.opensaml.httpclient.https.disableHostnameVerification=true \
This did not work either.
Since the direct call from pos tman to OUT_SIDE_SOAP_END_POINT_2 works, I think OUT_SIDE_SOAP_END_POINT_2 is open and I should not have to do any settings on my WSO2EI instance.
Any thoughts and pointers are highly appreciated.
Thank you.
From your stacktrace, you seem to be using a Call mediator in blocking mode. There seems to an issue already reported with regards to Blocking transport. https://github.com/wso2/product-ei/issues/1501
Can you try out the workaround suggested in the issue?
As a workaround for this, we can disable switching to opensaml http
client by setting rampart.axiom.parser.pool=false in a server start
up. So removing from the backlog
The following combination worked. This allowed for the Apache HTTP client to take over from SAML. However, then I had to add the certificate into the client trust store.
-Dorg.wso2.ignoreHostnameVerification=true \
-Dorg.opensaml.httpclient.https.disableHostnameVerification=true \
This solve this particular problem.
I have done broker and client configuration on same node.
When ssl.client.auth=none it works fine but whenever I change that property to "required", ssl.client.auth=required and enabled security.inter.broker.protocol=SSL then it gives me an issue on producer side.
[2017-12-13 11:06:56,106] WARN Failed to send SSL Close message (org.apache.kafka.common.network.SslTransportLayer)
java.io.IOException: Connection reset by peer
at sun.nio.ch.FileDispatcherImpl.write0(Native Method)
at sun.nio.ch.SocketDispatcher.write(SocketDispatcher.java:47)
at sun.nio.ch.IOUtil.writeFromNativeBuffer(IOUtil.java:93)
at sun.nio.ch.IOUtil.write(IOUtil.java:65)
at sun.nio.ch.SocketChannelImpl.write(SocketChannelImpl.java:471)
at org.apache.kafka.common.network.SslTransportLayer.flush(SslTransportLayer.java:194)
at org.apache.kafka.common.network.SslTransportLayer.close(SslTransportLayer.java:161)
at org.apache.kafka.common.network.KafkaChannel.close(KafkaChannel.java:45)
at org.apache.kafka.common.network.Selector.close(Selector.java:442)
at org.apache.kafka.common.network.Selector.poll(Selector.java:310)
at org.apache.kafka.clients.NetworkClient.poll(NetworkClient.java:256)
at org.apache.kafka.clients.producer.internals.Sender.run(Sender.java:216)
at org.apache.kafka.clients.producer.internals.Sender.run(Sender.java:128)
at java.lang.Thread.run(Thread.java:745)
Any solution for this?
As mentioned in the comments, the answer was found by the asker:
Its resolved.This issue comes when signed certificate of the server
did not match with client keystore. We need to generate client
keystore and import the the signed certificate of the server to client
keystore.
I have just installed Orbeon 3.9 CE on a WebSphere WAS 7.0 environment all was looking well but when I tried to add a form I got and error sating "peer not authenticated".
I turned on debugging in the log4j.xml file and this is what I got out of it:
2011-05-27 16:34:13,051 ERROR ProcessorService - Exception at oxf:/apps/fr/components/components.xsl (executing XSLT transformation)
javax.net.ssl.SSLPeerUnverifiedException: peer not authenticated
at com.ibm.jsse2.fc.getPeerCertificates(fc.java:46)
at org.apache.http.conn.ssl.AbstractVerifier.verify(AbstractVerifier.java:128)
at org.apache.http.conn.ssl.SSLSocketFactory.connectSocket(SSLSocketFactory.java:390)
at org.apache.http.conn.ssl.SSLSocketFactory.connectSocket(SSLSocketFactory.java:488)
at org.apache.http.conn.scheme.SchemeSocketFactoryAdaptor.connectSocket(SchemeSocketFactoryAdaptor.java:62)
at org.apache.http.impl.conn.DefaultClientConnectionOperator.openConnection(DefaultClientConnectionOperator.java:148)
at org.apache.http.impl.conn.AbstractPoolEntry.open(AbstractPoolEntry.java:149)
at org.apache.http.impl.conn.AbstractPooledConnAdapter.open(AbstractPooledConnAdapter.java:121)
at org.apache.http.impl.client.DefaultRequestDirector.tryConnect(DefaultRequestDirector.java:562)
at org.apache.http.impl.client.DefaultRequestDirector.execute(DefaultRequestDirector.java:415)
at org.apache.http.impl.client.AbstractHttpClient.execute(AbstractHttpClient.java:820)
at org.apache.http.impl.client.AbstractHttpClient.execute(AbstractHttpClient.java:754)
at org.orbeon.oxf.resources.handler.HTTPURLConnection.connect(HTTPURLConnection.java:219)
at org.orbeon.oxf.util.Connection.connect(Connection.java:494)
at org.orbeon.oxf.util.Connection.open(Connection.java:94)
at org.orbeon.oxf.processor.generator.URLGenerator$URLResourceHandler.openConnection(URLGenerator.java:817)
at org.orbeon.oxf.processor.generator.URLGenerator$URLResourceHandler.getResourceMediaType(URLGenerator.java:770)
at org.orbeon.oxf.processor.generator.URLGenerator$1.readImpl(URLGenerator.java:420)
at org.orbeon.oxf.processor.impl.ProcessorOutputImpl$TopLevelOutputFilter.read(ProcessorOutputImpl.java:263)
at org.orbeon.oxf.processor.impl.ProcessorOutputImpl.read(ProcessorOutputImpl.java:406)
at org.orbeon.oxf.processor.ProcessorImpl.readInputAsSAX(ProcessorImpl.java:260)
at org.orbeon.oxf.processor.pipeline.TeeProcessor$TeeProcessorOutputImpl.readImpl(TeeProcessor.java:89)
at org.orbeon.oxf.processor.impl.ProcessorOutputImpl$TopLevelOutputFilter.read(ProcessorOutputImpl.java:263)
at org.orbeon.oxf.processor.impl.ProcessorOutputImpl.read(ProcessorOutputImpl.java:406)
at org.orbeon.oxf.processor.ProcessorImpl.readInputAsSAX(ProcessorImpl.java:260)
at org.orbeon.oxf.processor.ProcessorImpl.readInputAsTinyTree(ProcessorImpl.java:286)
at org.orbeon.oxf.processor.ProcessorImpl$3.read(ProcessorImpl.java:315)
at org.orbeon.oxf.processor.ProcessorImpl.readCacheInputAsObject(ProcessorImpl.java:365)
at org.orbeon.oxf.processor.ProcessorImpl.readCacheInputAsObject(ProcessorImpl.java:330)
at org.orbeon.oxf.processor.ProcessorImpl.readCacheInputAsTinyTree(ProcessorImpl.java:313)
This looks like an error that would happen if you use HTTPS with an invalid certificate (such as a self-signed certificate). If this is what you are doing, you can either:
Add the your certificate to your VM trust store. (I'll let you lookup how to do this on WebSphere.)
Use HTTP instead of HTTPS, at least during development where you don't have a valid certificate.
Get a real certificate, for instance from StartSSL which issues class 1 certificate for free.