We Keep Coding

org.apache.karaf.jaas.modules.ldap Unable to setup SSL support for LDAP

I'm currently running an instance of OpenLDAP 2.4.45 as my authenticator for a Talend ESB container. I'm connecting to the LDAP using TLS and I've managed to get my JMS broker to connect and make use of the LDAP successfully using org.apache.activemq.jaas.LDAPLoginModule, however, when using org.apache.karaf.jaas.modules.ldap.LDAPLoginModule for web services, I get the following stack trace:
2017-08-11 19:04:13,828 | WARN | qtp272427408-140 | LDAPLoginModule | 126 - org.apache.karaf.jaas.modules - 4.0.8 | Can't connect to the LDAP server: Unable to setup SSL support for LDAP: null
javax.naming.NamingException: Unable to setup SSL support for LDAP: null
at org.apache.karaf.jaas.modules.ldap.LDAPOptions.setupSsl(LDAPOptions.java:178)
at org.apache.karaf.jaas.modules.ldap.LDAPOptions.getEnv(LDAPOptions.java:158)
at org.apache.karaf.jaas.modules.ldap.LDAPCache.open(LDAPCache.java:113)
at org.apache.karaf.jaas.modules.ldap.LDAPCache.doGetUserDnAndNamespace(LDAPCache.java:151)
at org.apache.karaf.jaas.modules.ldap.LDAPCache.getUserDnAndNamespace(LDAPCache.java:142)
at org.apache.karaf.jaas.modules.ldap.LDAPLoginModule.doLogin(LDAPLoginModule.java:115)
at org.apache.karaf.jaas.modules.ldap.LDAPLoginModule.login(LDAPLoginModule.java:54)
at org.apache.karaf.jaas.boot.ProxyLoginModule.login(ProxyLoginModule.java:83)[org.apache.karaf.jaas.boot-4.0.8.jar:]
at sun.reflect.GeneratedMethodAccessor104.invoke(Unknown Source)
at sun.reflect.DelegatingMethodAccessorImpl.invoke(DelegatingMethodAccessorImpl.java:43)[:1.8.0_131]
at java.lang.reflect.Method.invoke(Method.java:498)[:1.8.0_131]
at javax.security.auth.login.LoginContext.invoke(LoginContext.java:755)[:1.8.0_131]
at javax.security.auth.login.LoginContext.access$000(LoginContext.java:195)[:1.8.0_131]
at javax.security.auth.login.LoginContext$4.run(LoginContext.java:682)[:1.8.0_131]
at javax.security.auth.login.LoginContext$4.run(LoginContext.java:680)[:1.8.0_131]
at java.security.AccessController.doPrivileged(Native Method)[:1.8.0_131]
at javax.security.auth.login.LoginContext.invokePriv(LoginContext.java:680)[:1.8.0_131]
at javax.security.auth.login.LoginContext.login(LoginContext.java:587)[:1.8.0_131]
at org.apache.cxf.interceptor.security.JAASLoginInterceptor.handleMessage(JAASLoginInterceptor.java:141)[67:org.apache.cxf.cxf-core:3.1.10]
at org.apache.cxf.phase.PhaseInterceptorChain.doIntercept(PhaseInterceptorChain.java:308)[67:org.apache.cxf.cxf-core:3.1.10]
at org.apache.cxf.transport.ChainInitiationObserver.onMessage(ChainInitiationObserver.java:121)[67:org.apache.cxf.cxf-core:3.1.10]
at org.apache.cxf.transport.http.AbstractHTTPDestination.invoke(AbstractHTTPDestination.java:262)[92:org.apache.cxf.cxf-rt-transports-http:3.1.10]
at org.apache.cxf.transport.servlet.ServletController.invokeDestination(ServletController.java:234)[92:org.apache.cxf.cxf-rt-transports-http:3.1.10]
at org.apache.cxf.transport.servlet.ServletController.invoke(ServletController.java:208)[92:org.apache.cxf.cxf-rt-transports-http:3.1.10]
at org.apache.cxf.transport.servlet.ServletController.invoke(ServletController.java:160)[92:org.apache.cxf.cxf-rt-transports-http:3.1.10]
at org.apache.cxf.transport.servlet.CXFNonSpringServlet.invoke(CXFNonSpringServlet.java:180)[92:org.apache.cxf.cxf-rt-transports-http:3.1.10]
at org.apache.cxf.transport.servlet.AbstractHTTPServlet.handleRequest(AbstractHTTPServlet.java:299)[92:org.apache.cxf.cxf-rt-transports-http:3.1.10]
at org.apache.cxf.transport.servlet.AbstractHTTPServlet.doPost(AbstractHTTPServlet.java:218)[92:org.apache.cxf.cxf-rt-transports-http:3.1.10]
at javax.servlet.http.HttpServlet.service(HttpServlet.java:707)[19:javax.servlet-api:3.1.0]
at org.apache.cxf.transport.servlet.AbstractHTTPServlet.service(AbstractHTTPServlet.java:274)[92:org.apache.cxf.cxf-rt-transports-http:3.1.10]
at org.eclipse.jetty.servlet.ServletHolder.handle(ServletHolder.java:812)[200:org.eclipse.jetty.servlet:9.2.19.v20160908]
at org.eclipse.jetty.servlet.ServletHandler.doHandle(ServletHandler.java:587)[200:org.eclipse.jetty.servlet:9.2.19.v20160908]
at org.ops4j.pax.web.service.jetty.internal.HttpServiceServletHandler.doHandle(HttpServiceServletHandler.java:71)[223:org.ops4j.pax.web.pax-web-jetty:4.3.0]
at org.eclipse.jetty.server.handler.ScopedHandler.handle(ScopedHandler.java:143)[199:org.eclipse.jetty.server:9.2.19.v20160908]
at org.eclipse.jetty.security.SecurityHandler.handle(SecurityHandler.java:577)[198:org.eclipse.jetty.security:9.2.19.v20160908]
at org.eclipse.jetty.server.session.SessionHandler.doHandle(SessionHandler.java:223)[199:org.eclipse.jetty.server:9.2.19.v20160908]
at org.eclipse.jetty.server.handler.ContextHandler.doHandle(ContextHandler.java:1127)[199:org.eclipse.jetty.server:9.2.19.v20160908]
at org.ops4j.pax.web.service.jetty.internal.HttpServiceContext.doHandle(HttpServiceContext.java:287)[223:org.ops4j.pax.web.pax-web-jetty:4.3.0]
at org.eclipse.jetty.servlet.ServletHandler.doScope(ServletHandler.java:515)[200:org.eclipse.jetty.servlet:9.2.19.v20160908]
at org.eclipse.jetty.server.session.SessionHandler.doScope(SessionHandler.java:185)[199:org.eclipse.jetty.server:9.2.19.v20160908]
at org.eclipse.jetty.server.handler.ContextHandler.doScope(ContextHandler.java:1061)[199:org.eclipse.jetty.server:9.2.19.v20160908]
at org.eclipse.jetty.server.handler.ScopedHandler.handle(ScopedHandler.java:141)[199:org.eclipse.jetty.server:9.2.19.v20160908]
at org.ops4j.pax.web.service.jetty.internal.JettyServerHandlerCollection.handle(JettyServerHandlerCollection.java:80)[223:org.ops4j.pax.web.pax-web-jetty:4.3.0]
at org.eclipse.jetty.server.handler.HandlerWrapper.handle(HandlerWrapper.java:97)[199:org.eclipse.jetty.server:9.2.19.v20160908]
at org.eclipse.jetty.server.Server.handle(Server.java:499)[199:org.eclipse.jetty.server:9.2.19.v20160908]
at org.eclipse.jetty.server.HttpChannel.handle(HttpChannel.java:311)[199:org.eclipse.jetty.server:9.2.19.v20160908]
at org.eclipse.jetty.server.HttpConnection.onFillable(HttpConnection.java:257)[199:org.eclipse.jetty.server:9.2.19.v20160908]
at org.eclipse.jetty.io.AbstractConnection$2.run(AbstractConnection.java:544)[191:org.eclipse.jetty.io:9.2.19.v20160908]
at org.eclipse.jetty.util.thread.QueuedThreadPool.runJob(QueuedThreadPool.java:635)[202:org.eclipse.jetty.util:9.2.19.v20160908]
at org.eclipse.jetty.util.thread.QueuedThreadPool$3.run(QueuedThreadPool.java:555)[202:org.eclipse.jetty.util:9.2.19.v20160908]
at java.lang.Thread.run(Thread.java:748)[:1.8.0_131]
My configuration file for my authenticator:
<?xml version="1.0" encoding="UTF-8"?>
<blueprint xmlns="http://www.osgi.org/xmlns/blueprint/v1.0.0"
xmlns:jaas="http://karaf.apache.org/xmlns/jaas/v1.0.0"
xmlns:ext="http://aries.apache.org/blueprint/xmlns/blueprint-ext/v1.0.0">
<jaas:config name="KarafLdapConfiguration" rank="1">
<jaas:module className="org.apache.karaf.jaas.modules.ldap.LDAPLoginModule" flags="required">
connection.url=ldaps://ldap:4444
connection.username=uid=user,ou=users,dc=base
connection.password=password
authentication=simple
user.base.dn=ou=users,dc=base
user.filter=(uid=%u)
user.search.subtree=true
role.base.dn=ou=groups,dc=base
role.filter=(uniquemember=%fqdn)
role.name.attribute=uid
role.search.subtree=true
ssl=true
ssl.protocol=TLS
ssl.algorithm=PKIX
ssl.keystore=store
ssl.keyalias=myalias
ssl.truststore=trust
</jaas:module>
</jaas:config>
<jaas:keystore name="store"
path="file:///some/path/keystore.jks
keystorePassword="secret"
keyPasswords="secret" />
<jaas:keystore name="trust"
path="file:///some/path/truststore.jks
keystorePassword="secret" />
</blueprint>
My suspicion here is that I'm missing the ssl.provider option in this configuration file. The documentation isn't clear on what this is expecting, though the source seems to be looking for a URI of some sort. I've spent quite a bit of time searching, but I can't find any information on what and SSL provider is outside of the companies that provide CA services. I don't know what URI this could be looking for. I'm not doing revocation checking, so not that. Any thoughts on what could be going wrong here?

I ended up solving this a few days ago, figure I'll document the solution in case it helps anyone in the future.
The issue did turn out to be a missing ssl.provider field in the configuration file. The part that took some figuring out was the actual URI that was required. In my earlier experimentation, I was missing the base DN for the LDAP. Ultimately, the field should look like
ssl.provider=ldaps://<somehostname>:<port>/<baseDN>
so what I ended up with was
<?xml version="1.0" encoding="UTF-8"?>
<blueprint xmlns="http://www.osgi.org/xmlns/blueprint/v1.0.0"
xmlns:jaas="http://karaf.apache.org/xmlns/jaas/v1.0.0"
xmlns:ext="http://aries.apache.org/blueprint/xmlns/blueprint-ext/v1.0.0">
<jaas:config name="KarafLdapConfiguration" rank="1">
<jaas:module className="org.apache.karaf.jaas.modules.ldap.LDAPLoginModule" flags="required">
connection.url=ldaps://ldap:4444
connection.username=uid=user,ou=users,dc=base
connection.password=password
authentication=simple
user.base.dn=ou=users,dc=base
user.filter=(uid=%u)
user.search.subtree=true
role.base.dn=ou=groups,dc=base
role.filter=(uniquemember=%fqdn)
role.name.attribute=uid
role.search.subtree=true
ssl=true
ssl.protocol=TLS
ssl.algorithm=PKIX
ssl.provider=ldaps://ldap:4444/dc=baseDN
ssl.keystore=store
ssl.keyalias=myalias
ssl.truststore=trust
</jaas:module>
</jaas:config>
<jaas:keystore name="store"
path="file:///some/path/keystore.jks
keystorePassword="secret"
keyPasswords="secret" />
<jaas:keystore name="trust"
path="file:///some/path/truststore.jks
keystorePassword="secret" />
</blueprint>

IBM Mobilefirst: Issue in calling a service from adapter with basic auth

I have a service call thats being called from my adapter and that particular service call is being protected by Basic auth. So I am adding the following code in adapter XML to help all the service calls from this adapter to do the Basic Auth validation.
<wl:adapter name="adapter" xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
xmlns:wl="http://www.ibm.com/mfp/integration" xmlns:http="http://www.ibm.com/mfp/integration/http">
<displayName>adapter</displayName>
<description>adapter</description>
<connectivity>
<connectionPolicy xsi:type="http:HTTPConnectionPolicyType">
<protocol>http</protocol>
<domain>myweb.com</domain>
<!-- <port>443</port> -->
<connectionTimeoutInMilliseconds>30000</connectionTimeoutInMilliseconds>
<socketTimeoutInMilliseconds>30000</socketTimeoutInMilliseconds>
<authentication>
<basic />
<serverIdentity>
<username>123-123-123-123</username>
<password>12334445!</password>
</serverIdentity>
</authentication>
<maxConcurrentConnectionsPerNode>50</maxConcurrentConnectionsPerNode>
<!-- Following properties used by adapter's key manager for choosing specific
certificate from key store <sslCertificateAlias></sslCertificateAlias> <sslCertificatePassword></sslCertificatePassword> -->
</connectionPolicy>
</connectivity>
<procedure name="procedure1" securityTest="wl_unprotected"
connectAs="server" />
<procedure name="procedure2" securityTest="wl_unprotected"
connectAs="server" />
</wl:adapter>
When i trying hitting service by using the above xml it gives me Invalid Authorization. But when i added it manually to the header of my service call in the js code it gets through as below.
headers: {Authorization: "Basic MTIzLTEyMy0xMjMtMTIzOjEyMzQ1NiE="}
can some body help me in understanding what could be the issue. Will there be some issue if i keep special characters in the XML. How do i make it work.
Thankyou.

An adapter request with the Authorization header will be sent only if the destination service returns 401 or 403 first. If you are able to change the response code of that service, this may be a solution for you. Otherwise, continue with adding the Authorization header as you do, which as you say seems to work.

Webservice is not working anymore after changed firewall hardware (Dell sonicwall)

We have built for a customer websiteB in c# asp.net. There is also another website in php which is builded by another company. This is websiteA. The enduser is try to log in on websiteA. Underwater there is a request to a webservice on websiteB with username/password as parameters. WebsiteB try to get authenticate the credentials and return a message. WebsiteA is running on some server of another company. WebsiteB is running on our server in the datacenter. This scenario was always working!
No we have changed the firewall hardware in our datacenter. We have now Dell SonicWall. In the beginning the certificates were not working of our webservice. We have fix this. When you run our webservice in the browser the certifcate is OK (there is no red background in the url).
This is the url of my webservice:
https://service.myCompany.com/PortalService.svc
I ask the other company to give me some logging or an exception from there side. They do not get an exception. They got an empty array. They have printed some logging for me after a request:
We have also enabled the logging on the webservice. This is the logging after trying to login on websiteA.
Request to webservice:
<MessageLogTraceRecord>
<HttpRequest xmlns="http://schemas.microsoft.com/2004/06/ServiceModel/Management/MessageTrace">
<Method>POST</Method>
<QueryString></QueryString>
<WebHeaders>
<Connection>Keep-Alive</Connection>
<Content-Length>574</Content-Length>
<Content-Type>text/xml;charset=UTF-8</Content-Type>
<Accept>*/*</Accept>
<Authorization>Basic bWlqbnNlaF9uZXRieXRlczojbjN0Ynl0MzU=</Authorization>
<Host>service.MyCompany.com</Host>
<User-Agent>Jakarta Commons-HttpClient/3.1</User-Agent>
<SOAPAction>"http://schemas.MyCompany.com/SecurityService/SecurityService/LoginUsernamePassword"</SOAPAction>
</WebHeaders>
</HttpRequest>
<soapenv:Envelope xmlns:soapenv="http://schemas.xmlsoap.org/soap/envelope/" xmlns:test="http://schemas.MyCompany.com/SecurityService">
<soapenv:Header>
<To soapenv:mustUnderstand="1" xmlns="http://schemas.microsoft.com/ws/2005/05/addressing/none">https://mycompanyapp01.dmz.mycompany.local/SecurityService.svc</To>
<Action soapenv:mustUnderstand="1" xmlns="http://schemas.microsoft.com/ws/2005/05/addressing/none">http://schemas.MyCompany.com/SecurityService/SecurityService/LoginUsernamePassword</Action>
</soapenv:Header>
<soapenv:Body>
<test:LoginUsernamePassword>
<test:Username><![CDATA[testuser#mycompany.com]]></test:Username>
<test:Password><![CDATA[#test!]]></test:Password>
<test:ReturnToken>true</test:ReturnToken>
<test:ReturnProfile>true</test:ReturnProfile>
<test:ReturnRoles>true</test:ReturnRoles>
</test:LoginUsernamePassword>
</soapenv:Body>
</soapenv:Envelope>
</MessageLogTraceRecord>
Response from webservice:
<MessageLogTraceRecord>
<s:Envelope xmlns:s="http://schemas.xmlsoap.org/soap/envelope/">
<s:Header>
<Action s:mustUnderstand="1" xmlns="http://schemas.microsoft.com/ws/2005/05/addressing/none">http://schemas.MyCompany.com/SecurityService/SecurityService/LoginUsernamePasswordResponse</Action>
</s:Header>
<s:Body>
<LoginUsernamePasswordResponse xmlns="http://schemas.MyCompany.com/SecurityService">
<LoginUsernamePasswordResult xmlns:d4p1="http://schemas.MyCompany.com/datacontracts" xmlns:i="http://www.w3.org/2001/XMLSchema-instance">
<d4p1:Token>PJ%2bNtW0Kpy%2frd945r3Q0ziQpoax%2bNIiPNXC8obx%2fl73D2MPTvwFA9TqDtHNzXPq7</d4p1:Token>
<d4p1:UserProfile>
<d4p1:DisplayNameFormal>Test</d4p1:DisplayNameFormal>
<d4p1:DisplayNameInformal>Test</d4p1:DisplayNameInformal>
<d4p1:Email>test#mycompany.com</d4p1:Email>
<d4p1:IsErkendAdviseur>false</d4p1:IsErkendAdviseur>
<d4p1:UserID>testuser#mycompany.com</d4p1:UserID>
</d4p1:UserProfile>
<d4p1:UserRoles xmlns:d5p1="http://schemas.microsoft.com/2003/10/Serialization/Arrays">
<d5p1:string>Test Medewerker</d5p1:string>
</d4p1:UserRoles>
</LoginUsernamePasswordResult>
</LoginUsernamePasswordResponse>
</s:Body>
</s:Envelope>
</MessageLogTraceRecord>
I have also started the wcf client tool (wcfTestClient.exe). I add the webservice url (https://service.myCompany.com/PortalService.svc). I got this exception:
Error: Cannot obtain Metadata from https://service.MyCompany.com/SecurityService.svc?wsdl
If this is a Windows (R) Communication Foundation service to which you have access, please check that you have enabled metadata publishing at the specified address. For help enabling metadata publishing, please refer to the MSDN documentation at http://go.microsoft.com/fwlink/?LinkId=65455.WS-Metadata Exchange
Error URI: https://service.MyCompany.com/SecurityService.svc?wsdl Metadata contains a reference that cannot be resolved: 'https://service.MyCompany.com/SecurityService.svc?wsdl'.
The HTTP request is unauthorized with client authentication scheme 'Anonymous'. The authentication header received from the server was 'Basic realm="service.MyCompany.com"'.
The remote server returned an error: (401) Unauthorized.HTTP GET Error URI: https://service.MyCompany.com/SecurityService.svc?wsdl
The document was understood, but it could not be processed. - The WSDL document contains links that could not be resolved. - There was an error downloading 'https://myCompanyapp01.dmz.myCompany.local/SecurityService.svc?wsdl=wsdl0'. - The underlying connection was closed: Could not establish trust relationship for the SSL/TLS secure channel. - The remote certificate is invalid according to the validation procedure.
Why do I see the intern url in the exception while I testing the public url:
intern url: https://myCompanyapp01.dmz.myCompany.local/SecurityService.svc?wsdl
public url: https://service.MyCompany.com/SecurityService.svc?wsdl
The public url has a certificate. The intern url not. When you try the intern url you got a red background in the browser.
I think this whole problem is our firewall. I think there is some restricted option on SOAP outbound messages. Because websiteA which is doing the request dont get an exception. They get also an answer, but it is empty. So it looks like the firewall has make it empty.
What do you think of this problem?

Your WSDL is referencing/including files on the internal app server. Try using a flattened wsdl.

IBM Worklight 6.1 - Runtime: Http request failed: javax.net.ssl.SSLPeerUnverifiedException: peer not authenticated

I'm using IBM worklight 6.1 and backbone.js for my mobile app project. I got this error message when I try invoke the adapter.
Orders.xml
<?xml version="1.0" encoding="UTF-8"?>
<wl:adapter name="Orders"
xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
xmlns:wl="http://www.worklight.com/integration"
xmlns:http="http://www.worklight.com/integration/http">
<displayName>Orders</displayName>
<description>Orders</description>
<connectivity>
<connectionPolicy xsi:type="http:HTTPConnectionPolicyType">
<protocol>https</protocol>
<domain>izify.com</domain>
<port>443</port>
</connectionPolicy>
<loadConstraints maxConcurrentConnectionsPerNode="2" />
</connectivity>
<procedure name="getOrders"> </procedure>
</wl:adapter>
Orders-impl.js
function getOrders() {
var input = {
method : 'get',
returnedContentType : 'json',
path : "api/izify-api/admin/get_all_orders.php",
parameters:{merchantId:"74718912a2c0d82feb2c14604efecb6d"}
};
return WL.Server.invokeHttp(input);
}
ERROR message
{
"errors": [
"Runtime: Http request failed: javax.net.ssl.SSLPeerUnverifiedException: peer not authenticated"
],
"info": [
],
"isSuccessful": false,
"warnings": [
]
}
Thanks a lot in advance.

I got the answer for my problem.
Clean worklight development server
Deploy worklight adapter
No issue regarding to SSL.
Done

Sometimes this exception occurs when the JVM doesn't trust the certificate. It's one of several symptoms of a problem negotiating the SSL/https connection.
Sometimes this happens when the remote server has an issue with its SSL certificate. However, from my end I am unable to recreate with an Oracle 1.7 JVM with unmodified trust stores - I can retrieve https://izify.com/api/izify-api/admin/get_all_orders.php and get back a response.
I also verified with a 3rd party certificate checker that there are no problems with the izify.com SSL certificate (other than it expires soon, but that won't be a problem for a few months now). Please run this from your end and confirm the IP address they resolve matches what you do.
Then, check that your WL server's HTTP requests to izify.com aren't going through some sort of proxy that is redirecting or otherwise interrupting the SSL connection (for example, Fiddler or development proxy).

I solved this problem by ensuring Eclipse is pointing to Java 7 as opposed to Java 6.

org.apache.http.conn.HttpHostConnectException: Connection to https://jazz.net refused

i have upgraded my worklight with 5.0.5 to 5.0.6 .when i have worked on 5.0.5 it worked fine but the same code when i am using in updated version worklight 5.0.6 it gives me this error
response [/apps/services/api/RTMLight/common/query] success: /-secure-
{"responseID":"2","errors":["Runtime: Http request failed: org.apache.http.conn.HttpHostConnectException: Connection to https://jazz.net refused"],"isSuccessful":false,"warnings":[],"info":[]}/
worklight.js (line 1112)
Procedure invocation error. Runtime: Http request failed: org.apache.http.conn.HttpHostConnectException: Connection to https://jazz.net refused

This does not sound related to any upgrade issue between 5.0.5 to 5.0.6. From the error message this seems more related to connectivity issues.
Make sure that your adapter's connectionPolicy uses the port child-element with value 443, like this:
<connectivity>
<connectionPolicy xsi:type="http:HTTPConnectionPolicyType">
<protocol>https</protocol>
<domain>jazz.net</domain>
<port>443</port>
</connectionPolicy>
<loadConstraints maxConcurrentConnectionsPerNode="2" />
</connectivity>