org.apache.http.conn.HttpHostConnectException - ibm-mobilefirst

I am getting the following error when I try to connect to the URL https://jazz.net on Worklight 5.0.6.
Procedure invocation error. Runtime: Http request failed:
org.apache.http.conn.HttpHostConnectException: Connection to
https://jazz.net refused
This is the response I am getting in log:
{"responseID":"6","errors":["Runtime: Http request failed:
org.apache.http.conn.HttpHostConnectException: Connection to
https://jazz.net
refused"],"isSuccessful":false,"warnings":[],"info":[]}*/
Here is the adapter xml code:
<connectivity>
    <connectionPolicy xsi:type="http:HTTPConnectionPolicyType">
        <protocol>https</protocol>
        <domain>jazz.net</domain>
    </connectionPolicy>
    <loadConstraints maxConcurrentConnectionsPerNode="2" />
</connectivity>

You need to also add a child-element port with the value 443.

Related

SSL config for outbound connections doesn't work in websphere-liberty 17.0.0.2

I'm trying to configure a websphere-liberty server to use the default keystore and truststore for all outbound connections (actually REST calls) and to use custom key and trust stores for inbound connections. But it fails with SSLHandshakeException when I try to make a call to an external REST service. In the logs I can see that it uses my custom truststore instead of the default one.
Below is my server.xml
<?xml version="1.0" encoding="UTF-8"?>
<server description="Default server">
    <featureManager>
        <feature>appSecurity-2.0</feature>
        <feature>transportSecurity-1.0</feature>
        <feature>jaxrs-2.0</feature>
        <feature>json-1.0</feature>
        <feature>javaMail-1.5</feature>
        <!--<feature>ssl-1.0</feature>-->
    </featureManager>
    <sslDefault sslRef="saasSSLConfig" outboundSSLRef="outboundSSLConfig" />
    <ssl id="saasSSLConfig" keyStoreRef="saasKeyStore" trustStoreRef="saasTrustStore" clientAuthentication="true" sslProtocol="TLSv1" />
    <keyStore id="saasKeyStore" location="/opt/ibm/wlp/output/defaultServer/resources/security/sbs_endpoint_keystore.jks" password="pwd" />
    <keyStore id="saasTrustStore" location="/opt/ibm/wlp/output/defaultServer/resources/security/serverTruststore.jks" password="pwd" />
    <ssl id="outboundSSLConfig" keyStoreRef="defaultKeyStore" trustStoreRef="defaultTrustStore" />
    <basicRegistry id="basic" realm="BasicRealm">
        <!-- <user name="yourUserName" password="" /> -->
    </basicRegistry>
    <httpEndpoint id="defaultHttpEndpoint" host="*" httpPort="9080" httpsPort="9443" />
    <applicationManager autoExpand="true"/>
</server>
BTW, if I change saasSSLConfig to use defaultTrustStore instead of saasTrustStore, then everything works fine.
Server version:
WebSphere Application Server 17.0.0.2 (1.0.17.cl170220170523-1818) on IBM J9 VM, version pxa6480sr4fp7-20170627_02 (SR4 FP7) (en_US)
Error:
[ERROR] CWPKI0022E: SSL HANDSHAKE FAILURE: A signer with SubjectDN CN=*.api.ibm.com, O=International Business Machines, L=Armonk, ST=New York, C=US was sent from the target host. The signer might need to be added to local trust store /opt/ibm/wlp/output/defaultServer/resources/security/serverTruststore.jks, located in SSL configuration alias saasSSLConfig. The extended error message from the SSL handshake exception is: PKIX path building failed: java.security.cert.CertPathBuilderException: PKIXCertPathBuilderImpl could not build a valid CertPath.;
SSLHandshakeException invoking https://dev.api.ibm.com/scx/test/sbs/customer/222222222: java.security.cert.CertificateException: PKIXCertPathBuilderImpl could not build a valid CertPath.
Liberty does not load cacerts automatically. You can create a keyStore element to point to it if desired. So in your case above you can create a configuration like this.
<ssl id="outboundSSLConfig" keyStoreRef="cacertKeyStore" />
<keyStore id="cacertKeyStore" location="(fill in path to your jdk cacerts file)" password="changeit" />
I am assuming you do not need a key for this configuration so I simplified to just a keyStoreRef on outboundSSLConfig. It will use what is pointed to by keyStoreRef for both key and trust.
In your configuration I do not see keyStore elements for defaultKeyStore and defaultTrustStore. If they are missing, that will cause outboundSSLConfig to be an invalid SSL configuration. Can you please add them and see if things work?
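The condition the answer points out, an ssl element that references keyStore ids the file never defines, can be checked mechanically. The added example below is not code from the original posts or from Liberty: it parses a condensed copy of the question's server.xml, lists every reference with no matching element, and resolves which keystore outbound connections would trust. The function names and the PLACEHOLDER/cacerts location are assumptions made for the example.

```python
import xml.etree.ElementTree as ET

# SSL elements of the question's server.xml (paths shortened, other attributes omitted).
TEMPLATE = """<server>
  <sslDefault sslRef="saasSSLConfig" outboundSSLRef="outboundSSLConfig" />
  <ssl id="saasSSLConfig" keyStoreRef="saasKeyStore" trustStoreRef="saasTrustStore" />
  <keyStore id="saasKeyStore" location="sbs_endpoint_keystore.jks" password="pwd" />
  <keyStore id="saasTrustStore" location="serverTruststore.jks" password="pwd" />
  {outbound}
</server>"""
QUESTION_XML = TEMPLATE.format(outbound=(
    '<ssl id="outboundSSLConfig" keyStoreRef="defaultKeyStore" '
    'trustStoreRef="defaultTrustStore" />'))
# The answer's suggestion; the cacerts location is a placeholder, not a real path.
ANSWER_XML = TEMPLATE.format(outbound=(
    '<ssl id="outboundSSLConfig" keyStoreRef="cacertKeyStore" />'
    '<keyStore id="cacertKeyStore" location="PLACEHOLDER/cacerts" password="changeit" />'))

def unresolved_refs(server_xml):
    """Return (owner id, attribute, missing id) for each reference with no target."""
    root = ET.fromstring(server_xml)
    targets = {"ssl": {e.get("id") for e in root.iter("ssl")},
               "keyStore": {e.get("id") for e in root.iter("keyStore")}}
    rules = [("sslDefault", ("sslRef", "outboundSSLRef"), "ssl"),
             ("ssl", ("keyStoreRef", "trustStoreRef"), "keyStore")]
    missing = []
    for tag, attrs, target_tag in rules:
        for elem in root.iter(tag):
            for attr in attrs:
                ref = elem.get(attr)
                if ref and ref not in targets[target_tag]:
                    missing.append((elem.get("id", tag), attr, ref))
    return missing

def outbound_trust_store(server_xml):
    """Follow sslDefault -> ssl -> keyStore for outbound trust; None if the chain breaks.

    As the answer notes, keyStoreRef serves for key and trust when trustStoreRef is absent.
    """
    root = ET.fromstring(server_xml)
    stores = {e.get("id") for e in root.iter("keyStore")}
    default = root.find("sslDefault")
    ref = default.get("outboundSSLRef") if default is not None else None
    ssl = next((e for e in root.iter("ssl") if e.get("id") == ref), None)
    if ssl is None:
        return None
    store = ssl.get("trustStoreRef") or ssl.get("keyStoreRef")
    return store if store in stores else None
```
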

IBM Mobilefirst: Issue in calling a service from adapter with basic auth

I have a service call that's being called from my adapter, and that particular service call is protected by Basic auth. So I am adding the following code in the adapter XML to help all the service calls from this adapter do the Basic auth validation.
<wl:adapter name="adapter" xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
    xmlns:wl="http://www.ibm.com/mfp/integration" xmlns:http="http://www.ibm.com/mfp/integration/http">
    <displayName>adapter</displayName>
    <description>adapter</description>
    <connectivity>
        <connectionPolicy xsi:type="http:HTTPConnectionPolicyType">
            <protocol>http</protocol>
            <domain>myweb.com</domain>
            <!-- <port>443</port> -->
            <connectionTimeoutInMilliseconds>30000</connectionTimeoutInMilliseconds>
            <socketTimeoutInMilliseconds>30000</socketTimeoutInMilliseconds>
            <authentication>
                <basic />
                <serverIdentity>
                    <username>123-123-123-123</username>
                    <password>12334445!</password>
                </serverIdentity>
            </authentication>
            <maxConcurrentConnectionsPerNode>50</maxConcurrentConnectionsPerNode>
            <!-- Following properties used by adapter's key manager for choosing specific
            certificate from key store <sslCertificateAlias></sslCertificateAlias> <sslCertificatePassword></sslCertificatePassword> -->
        </connectionPolicy>
    </connectivity>
    <procedure name="procedure1" securityTest="wl_unprotected"
        connectAs="server" />
    <procedure name="procedure2" securityTest="wl_unprotected"
        connectAs="server" />
</wl:adapter>
When I try hitting the service using the above XML, it gives me Invalid Authorization. But when I added it manually to the header of my service call in the JS code, it gets through, as below.
headers: {Authorization: "Basic MTIzLTEyMy0xMjMtMTIzOjEyMzQ1NiE="}
Can somebody help me understand what the issue could be? Will there be some issue if I keep special characters in the XML? How do I make it work?
Thank you.
An adapter request with the Authorization header will be sent only if the destination service returns 401 or 403 first. If you are able to change the response code of that service, this may be a solution for you. Otherwise, continue with adding the Authorization header as you do, which as you say seems to work.
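To check whether the credentials in serverIdentity are the ones carried by the header that worked, the added example below (not code from the original posts) decodes that header and compares it with the values an XML parser reads from the adapter XML; it also flags Basic authentication configured over plain http. The function names are illustrative, and the XML is parsed with Python's standard library, not by MobileFirst itself.

```python
import base64
import xml.etree.ElementTree as ET

# Copied from the question (timeouts omitted): the policy and the hand-set header that worked.
ADAPTER_XML = """<connectivity xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance">
  <connectionPolicy xsi:type="http:HTTPConnectionPolicyType">
    <protocol>http</protocol>
    <domain>myweb.com</domain>
    <authentication>
      <basic />
      <serverIdentity>
        <username>123-123-123-123</username>
        <password>12334445!</password>
      </serverIdentity>
    </authentication>
  </connectionPolicy>
</connectivity>"""
WORKING_HEADER = "Basic MTIzLTEyMy0xMjMtMTIzOjEyMzQ1NiE="

def decode_basic(header):
    """Split an Authorization header value of the Basic scheme into (username, password)."""
    scheme, _, token = header.partition(" ")
    if scheme.lower() != "basic":
        raise ValueError("not a Basic credential")
    text = base64.b64decode(token, validate=True).decode("utf-8")
    user, sep, password = text.partition(":")  # the password may itself contain ':'
    if not sep:
        raise ValueError("missing ':' separator")
    return user, password

def configured_identity(adapter_xml):
    """Read protocol, username and password as an XML parser sees them (entities unescaped)."""
    policy = ET.fromstring(adapter_xml).find(".//connectionPolicy")
    ident = policy.find("authentication/serverIdentity")
    return policy.findtext("protocol"), ident.findtext("username"), ident.findtext("password")

def compare(adapter_xml, header):
    """Return findings from comparing serverIdentity with a known-good header."""
    protocol, user, password = configured_identity(adapter_xml)
    hdr_user, hdr_password = decode_basic(header)
    findings = []
    if user != hdr_user:
        findings.append("username differs from header")
    if password != hdr_password:
        findings.append("password differs from header")
    if (protocol or "").strip().lower() == "http":
        findings.append("Basic credentials travel unencrypted over http")
    return findings
```

On the values as posted, compare() reports that the password inside the working header is not the one in serverIdentity, in addition to the plain-http finding. In XML element text only & and < need escaping, so a character such as ! is read back unchanged.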

Worklight https adapter call "https refused" [duplicate]

This question already has an answer here:
Making web service calls to a HTTPS server from Worklight Adapter - javax.net.ssl.SSLPeerUnverifiedException: peer not authenticated
I am not able to get a response from an HTTPS adapter call.
My code is as follows:
<connectivity>
    <connectionPolicy xsi:type="http:HTTPConnectionPolicyType">
        <protocol>https</protocol>
        <domain>my domain</domain>
        <port>443</port>
        <sslCertificateAlias>MRDSE</sslCertificateAlias>
        <sslCertificatePassword>testpwd</sslCertificatePassword>
    </connectionPolicy>
    <loadConstraints maxConcurrentConnectionsPerNode="2" />
</connectivity>
I am getting this error:
""errors": [
"Runtime: Http request failed: javax net SSLPeerUnverifiedException: peer not authenticated"
],"
I have also specified the following in worklight.properties:
ssl.keystore.path=conf/rc.keystore
ssl.keystore.type=jks
ssl.keystore.password=mypwd
Please suggest how to get an HTTPS response.
Did you put the certificate in the keystore?
Also, please refer to this answer to an almost identical question: https://stackoverflow.com/a/21914147/2245921

org.apache.http.conn.HttpHostConnectException: Connection to https://jazz.net refused

I have upgraded my Worklight from 5.0.5 to 5.0.6. When I worked on 5.0.5 it worked fine, but the same code gives me this error when I use it in the updated version, Worklight 5.0.6:
response [/apps/services/api/RTMLight/common/query] success: /-secure-
{"responseID":"2","errors":["Runtime: Http request failed: org.apache.http.conn.HttpHostConnectException: Connection to https://jazz.net refused"],"isSuccessful":false,"warnings":[],"info":[]}/
worklight.js (line 1112)
Procedure invocation error. Runtime: Http request failed: org.apache.http.conn.HttpHostConnectException: Connection to https://jazz.net refused
This does not sound related to any upgrade issue from 5.0.5 to 5.0.6. From the error message, this seems more related to connectivity issues.
Make sure that your adapter's connectionPolicy uses the port child-element with value 443, like this:
<connectivity>
    <connectionPolicy xsi:type="http:HTTPConnectionPolicyType">
        <protocol>https</protocol>
        <domain>jazz.net</domain>
        <port>443</port>
    </connectionPolicy>
    <loadConstraints maxConcurrentConnectionsPerNode="2" />
</connectivity>

Worklight [adapter-deployer] SEVERE: Element <port> must be a number

Currently in the environment being used, the port is not available to be specified all the time. Within my xml <connectivity> settings, the <port> will be blank.
<connectivity>
    <connectionPolicy xsi:type="http:HTTPConnectionPolicyType">
        <protocol>http</protocol>
        <domain>worklightserver.test.com</domain>
        <port></port>
    </connectionPolicy>
    <loadConstraints maxConcurrentConnectionsPerNode="2" />
</connectivity>
When calling
<adapter-deployer deployable="test.adapter" worklightServerHost="http://192.168.1.9:8080"/>
I get the error:
[adapter-deployer] SEVERE: Element <port> must be a number.
Is this a bug in Worklight? I would assume that if a port is not specified, it would use the proper port depending on the protocol specified. With a port specified, it works as it should.
HTTP protocol can work on any port, not necessarily 80.
The port must always be specified.
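The port problems in the jazz.net questions (no port element) and in this one (blank port element) can be caught before deployment. The added example below is not part of the original posts or of Worklight: it checks the port of a connectionPolicy and, going beyond the cases above, also flags an out-of-range port and a port that is the conventional one for the other protocol. The names policy_xml and lint_port and the message wording are assumptions made for the example.

```python
import xml.etree.ElementTree as ET

XSI = "http://www.w3.org/2001/XMLSchema-instance"
DEFAULT_PORTS = {"http": 80, "https": 443}  # conventional ports, used only for hints


def policy_xml(protocol, domain, port=None):
    """Build a <connectivity> fragment like those above; port=None omits <port>."""
    port_el = "" if port is None else f"<port>{port}</port>"
    return (f'<connectivity xmlns:xsi="{XSI}">'
            '<connectionPolicy xsi:type="http:HTTPConnectionPolicyType">'
            f"<protocol>{protocol}</protocol><domain>{domain}</domain>{port_el}"
            "</connectionPolicy></connectivity>")


def lint_port(xml_text):
    """Return a list of problems with the <port> of the first <connectionPolicy>."""
    policy = ET.fromstring(xml_text).find(".//connectionPolicy")
    if policy is None:
        return ["no <connectionPolicy> found"]
    protocol = (policy.findtext("protocol") or "").strip().lower()
    hint = DEFAULT_PORTS.get(protocol)
    suffix = f" (conventional port for {protocol} is {hint})" if hint else ""
    port_el = policy.find("port")
    if port_el is None:
        return ["<port> is missing" + suffix]
    text = (port_el.text or "").strip()
    if not (text.isascii() and text.isdigit()):  # blank or non-numeric value
        return [f"<port> must be a number, got {text!r}" + suffix]
    port = int(text)
    problems = []
    if not 1 <= port <= 65535:
        problems.append(f"port {port} is outside 1-65535")
    elif hint and port in DEFAULT_PORTS.values() and port != hint:
        problems.append(f"port {port} is conventional for another protocol" + suffix)
    return problems


if __name__ == "__main__":
    # Constructed inputs mirroring the three configurations discussed above.
    for xml in (policy_xml("https", "jazz.net"),
                policy_xml("http", "worklightserver.test.com", ""),
                policy_xml("https", "jazz.net", 443)):
        print(lint_port(xml))
```
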