Apache CXF Jetty configuration httpj:engine-factory ThrottlingFilter to return HTTP 503 on high load - apache

I have the following configuration of Jetty server inside my REST layer of Apache CXF JAX-RS:
<httpj:engine-factory bus="cxf">
<!--
you just need to specify the TLS Server configuration for the certain port
-->
<httpj:engine port="${port}">
<httpj:tlsServerParameters>
<sec:keyManagers keyPassword="${keystorePassword}">
<sec:keyStore type="JKS"
password="${keystorePassword}"
file="${keystoreFile}"/>
</sec:keyManagers>
<sec:trustManagers>
<sec:keyStore type="JKS"
password="${keystorePassword}"
file="${bookshelf.portal.http.keystoreFile}"/>
</sec:trustManagers>
</httpj:tlsServerParameters>
<httpj:threadingParameters minThreads="5"
maxThreads="15" />
<httpj:sessionSupport>true</httpj:sessionSupport>
</httpj:engine>
</httpj:engine-factory>
I would like to configure Jetty to use ThrottlingFilter to throw an HTTP 503 error upon high load on the server.
How do I do that?

Related

Use SSL Certificate on local ServiceFabric httpGatewayEndpointPort

We have a Local Service Fabric Cluster running. We are using Windows Security to control who can administer the cluster.
When connecting to the Gateway Endpoint to use the configuration manager, we are currently connecting over HTTP, but we'd like to connect over HTTPS.
We have added an SSL Certificate that we use for connecting to the reverse proxy, and we'd like to use that same certificate to connect to the Gateway Endpoint.
I can see in the generated config on the cluster that the HttpApplicationGatewayEndpoint port is using https, which I think turned on because I set the "ReverseProxyCertificate" setting.
<NodeType Name="NodeType0">
<Endpoints>
<ClientConnectionEndpoint Port="19000" />
<LeaseDriverEndpoint Port="19002" />
<ClusterConnectionEndpoint Port="19001" />
<HttpGatewayEndpoint Port="19080" Protocol="http" />
<HttpApplicationGatewayEndpoint Port="19081" Protocol="https" />
<ServiceConnectionEndpoint Port="19003" />
<ApplicationEndpoints StartPort="20001" EndPort="20031" />
<EphemeralEndpoints StartPort="49152" EndPort="65535" />
</Endpoints>
<PlacementProperties>
<Property Name="NodeTypeName" Value="NodeType0" />
</PlacementProperties>
</NodeType>
How can I make the HttpGatewayEndpoint have Protocol="https" instead of "http"?

How to configure Wildfly load balancing with redirect

I am working with the WildFly Undertow load balancer, and I added the following configuration in standalone-load-balancer.xml, but my request is not getting redirected.
I added a reverse proxy handler and host to the Undertow subsystem as:
<handlers>
<reverse-proxy name="keycloak-handler">
<host name="keycloak-host" outbound-socket-binding="remote-host" path="/auth"/>
</reverse-proxy>
</handlers>
And then I defined outbound socket bindings for remote hosts as:
<outbound-socket-binding name="remote-host">
<remote-destination host="192.168.1.5" port="8443"/>
</outbound-socket-binding>
And then added the reverse proxy to a location as:
<host name="default-host">
<location name="/auth" handler="keycloak-handler"/>
<filter-ref name="load-balancer"/>
</host>
The mistake I was making here is that my load balancer had SSL enabled and I was communicating with Keycloak via 8443, which expects the load balancer and Keycloak both to have the same certificates. So to get rid of this, I connected to Keycloak via port 8080 and enabled SSL only on the load balancer. After changing the code as below, it worked for me:
<outbound-socket-binding name="remote-host">
<remote-destination host="192.168.1.5" port="8080"/>
</outbound-socket-binding>

Invoking Secure RESTful Web Service over HTTPS When client is in bluemix

My application is running in Bluemix and it has to make a RESTful call to another application over SSL. I am wondering where and how to add this information
> trustStoreType, trustStore and trustStorePassword
so that the application running in Bluemix can use it? When testing locally I modified the server classpath; can I do something similar in the Bluemix Liberty server, where the client app is running? Or is there an easier, better way?
You should be able to edit the server.xml in Eclipse and set up something like:
<server description="new server">
<!-- Enable features -->
<featureManager>
<feature>websocket-1.0</feature>
<feature>localConnector-1.0</feature>
<feature>jndi-1.0</feature>
<feature>jsp-2.2</feature>
<feature>jdbc-4.0</feature>
<feature>ejbLite-3.1</feature>
<feature>ssl-1.0</feature>
<feature>jaxb-2.2</feature>
</featureManager>
<ssl clientAuthenticationSupported="true" id="defaultSSLConfig" keyStoreRef="defaultKeyStore" trustStoreRef="defaultTrustStore"/>
<keyStore id="defaultKeyStore" location="${server.config.dir}/resources/security/keystore.jks" password="passw0rd" type="JKS"/>
<keyStore id="defaultTrustStore" location="${server.config.dir}/resources/security/trustStore.jks" password="passw0rd" type="JKS"/>
<ssl clientAuthenticationSupported="true" id="defaultSSLConfig" keyStoreRef="serverKeyStore" trustStoreRef="serverTrustStore"/>
<keyStore id="serverKeyStore" location="${server.config.dir}/resources/security/serverKey.jks" password="passw0rd" type="JKS"/>
<keyStore id="serverTrustStore" location="${server.config.dir}/resources/security/serverTrust.jks" password="passw0rd" type="JKS"/>
<!-- customize SSL configuration -->
<ssl id="customizeSSLConfig" keyStoreRef="clientKeyStore" trustStoreRef="clientTrustStore"/>
<keyStore id="clientKeyStore" location="${server.config.dir}/resources/security/clientKey.jks" password="passw0rd" type="JKS"/>
<keyStore id="clientTrustStore" location="${server.config.dir}/resources/security/clientTrust.jks" password="passw0rd" type="JKS"/>
<!-- To access this server from a remote client add a host attribute to the following element, e.g. host="*" -->
<httpEndpoint httpPort="8080" httpsPort="9443" id="defaultHttpEndpoint"/>
<applicationMonitor updateTrigger="mbean"/>
</server>
The easiest way is with the Bluemix plugin for Eclipse, using WebSphere Liberty Profile Server.
If you are depending on the Liberty server, you can customize it offline and push it to Bluemix.
https://www.ibm.com/developerworks/community/blogs/msardana/entry/developing_with_bluemix_customizing_the_liberty_build_pack_to_add_your_configurations?lang=en
Where is your web service running? If it is on-premise, then you have to use the cloud-integration agent available in Bluemix to set up secure tunneling and get a proxy IP for your on-premise web service. Details are available at the following link:
https://www.ibm.com/developerworks/community/blogs/96960515-2ea1-4391-8170-b0515d08e4da/entry/cloud_to_on_premise_web_services_bluemix_cloud_integrators?lang=en
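Though I believe all of those are valid options, I ended up doing it a little differently. This is what finally worked for me:
// Imports assume Apache HttpClient 4.3 and the com.mashape Unirest client
import java.io.IOException;
import java.io.InputStream;
import java.security.GeneralSecurityException;
import java.security.KeyStore;
import javax.net.ssl.SSLContext;
import org.apache.http.client.HttpClient;
import org.apache.http.conn.ssl.SSLConnectionSocketFactory;
import org.apache.http.conn.ssl.SSLContexts;
import org.apache.http.impl.client.HttpClients;
import com.mashape.unirest.http.HttpResponse;
import com.mashape.unirest.http.Unirest;

public static HttpClient getCustomClient() throws GeneralSecurityException, IOException {
    KeyStore trustStore = KeyStore.getInstance("jks");
    // Load the truststore from the classpath using the password
    ClassLoader classLoader = Thread.currentThread().getContextClassLoader();
    // try-with-resources closes the stream even if loading fails
    try (InputStream resourceAsStream = classLoader.getResourceAsStream("/clienttruststore")) {
        if (resourceAsStream == null) {
            throw new IOException("clienttruststore not found on the classpath");
        }
        trustStore.load(resourceAsStream, "password".toCharArray());
    }
    // Trust only the certificates in the packaged truststore
    SSLContext sslcontext = SSLContexts.custom().loadTrustMaterial(trustStore).build();
    SSLConnectionSocketFactory sslsf = new SSLConnectionSocketFactory(sslcontext);
    return HttpClients.custom().setSSLSocketFactory(sslsf).build();
}
// get custom httpclient
Unirest.setHttpClient(getCustomClient());
// send request...
HttpResponse<String> response =
    Unirest.get("https://xyz.abc.com/").asString();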
Basically, I packaged a custom trust store with the WAR and let the application use that. I will be trying the other options too, but with the previous option my custom server was crashing; I'm not sure if that was because of resources.

How to configure the sslContextParameters in the camel spring xml

<camel:sslContextParameters id="sslContextParameters">
<camel:keyManagers keyPassword="changeit">
<camel:keyStore type="JKS" resource="C:\keystore.jks"
password="changeit" />
</camel:keyManagers>
<camel:trustManagers>
<camel:keyStore type="JKS" resource="C:\keystore.jks"
password="changeit" />
</camel:trustManagers>
</camel:sslContextParameters>
When I tried to load the resource as in the above XML, I still get an SSL handshake exception. Please help me set up the Camel HTTP connection with the SSL parameters reference added to it, so that I can hit any secured link without any SSL handshake exceptions.
From the docs, you apply the SSL context parameters against an option for the http4 component.
<to uri="https4://127.0.0.1/mail/?sslContextParametersRef=sslContextParameters"/>

Camel CXF Rest SSL Handshake Error

We are using the Camel CXF API for communicating with a secured server. This is 2-way SSL and we're talking to 3 different systems via Netscaler. 2 systems expose SOAP WS and we're able to establish 2-way SSL and exchange messages. The third system exposes REST APIs and is giving a very weird problem at the SSL handshake. The error occurs when we use Camel CXF in Fuse. A standalone Java program running in its own JVM is able to successfully talk to the REST service.
We have enabled SSL debug flags and get the following errors in the logs.
Camel thread #0 - timer://foo, WRITE: TLSv1 Change Cipher Spec, length = 1
Camel thread #0 - timer://foo, handling exception: java.net.SocketException: Connection reset
%% Invalidated: [Session-11, SSL_RSA_WITH_RC4_128_MD5]
Camel thread #0 - timer://foo, SEND TLSv1 ALERT: fatal, description = unexpected_message
Camel thread #0 - timer://foo, WRITE: TLSv1 Alert, length = 2
Camel thread #0 - timer://foo, Exception sending alert: java.net.SocketException: Broken pipe
Camel thread #0 - timer://foo, called closeSocket()
Here's the configuration in Camel REST svc.
<!-- Key Manager & Trust Manager -->
<bean id="keyManagersBean"
class="test.IntegrationKeyManagerFactory"
factory-method="getKeyManager">
<argument value="${security.keystorepassword}"/>
<argument value="${security.keystorelocation}"/>
</bean>
<bean id="trustManagersBean"
class="test.IntegrationKeyManagerFactory"
factory-method="getTrustManager">
<argument value="${security.keystorepassword}"/>
<argument value="${security.keystorelocation}"/>
</bean>
<!-- ==================== security configuration =================== -->
<http:conduit name="*.http-conduit">
<http:tlsClientParameters>
<sec:keyManagers ref="keyManagersBean"/>
<sec:trustManagers ref="trustManagersBean"/>
</http:tlsClientParameters>
</http:conduit>
<!-- ====================== Camel Context & Routes ====================== -->
<camel:camelContext id="camel.test.context">
<camel:route id="testRoute">
<camel:from uri="timer://foo?fixedRate=true&amp;period=30s" />
<camel:transform>
<camel:constant>""</camel:constant>
</camel:transform>
<camel:removeHeaders pattern="CamelCxfMessage" />
<camel:setHeader headerName="Exchange.HTTP_METHOD">
<camel:constant>GET</camel:constant>
</camel:setHeader>
<camel:to uri="cxfrs:{{protocol}}://{{host}}:{{port}}/{{context}}/getList" />
<camel:log message="${body}"/>
</camel:route>
</camel:camelContext>
Does anyone know what could be the problem? The exact same configuration works for communicating with SOAP WS via netscaler but not with REST WS via netscaler.
I was able to fix the issue by switching over from the camel cxf rsClient to using a plain camel-http call. But I think there's some issue with using HttpConduit with cxfrsClient.
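
The SSL debug trace in the question above records TLSv1 and the suite SSL_RSA_WITH_RC4_128_MD5 just before the connection reset. As an added example (not part of the original posts), this Python sketch triages `javax.net.debug` output: it extracts the record protocol, invalidated session suites, alerts and exceptions, and flags deprecated choices. The function name `triage` and the weak-marker lists are assumptions of this example; the sample lines are copied from the question.

```python
import re
from collections import defaultdict

# Log lines copied from the question above (javax.net.debug output).
SAMPLE_LOG = """\
Camel thread #0 - timer://foo, WRITE: TLSv1 Change Cipher Spec, length = 1
Camel thread #0 - timer://foo, handling exception: java.net.SocketException: Connection reset
%% Invalidated: [Session-11, SSL_RSA_WITH_RC4_128_MD5]
Camel thread #0 - timer://foo, SEND TLSv1 ALERT: fatal, description = unexpected_message
Camel thread #0 - timer://foo, WRITE: TLSv1 Alert, length = 2
Camel thread #0 - timer://foo, Exception sending alert: java.net.SocketException: Broken pipe
Camel thread #0 - timer://foo, called closeSocket()
"""

RECORD = re.compile(r"(?:READ|WRITE): (SSLv\S+|TLSv\S+) ")
ALERT = re.compile(r"(SEND|RECV) \S+ ALERT:\s+(\w+), description = (\w+)")
INVALIDATED = re.compile(r"%% Invalidated:\s+\[(Session-\d+), (\w+)\]")
EXCEPTION = re.compile(r"handling exception: (\S+): (.+)$")

# Assumed policy for this example: name fragments of deprecated suites/protocols.
WEAK_SUITE_PARTS = ("_RC4_", "_MD5", "_DES_", "_3DES_", "_NULL_", "_EXPORT_", "_anon_")
WEAK_PROTOCOLS = {"SSLv2Hello", "SSLv3", "TLSv1", "TLSv1.1"}


def triage(log_text):
    """Summarise a JSSE debug trace: protocols, suites, alerts, and findings."""
    summary = defaultdict(list)
    for line in log_text.splitlines():
        if (m := RECORD.search(line)) and m.group(1) not in summary["protocols"]:
            summary["protocols"].append(m.group(1))
        if m := ALERT.search(line):
            summary["alerts"].append((m.group(1), m.group(2), m.group(3)))
        if m := INVALIDATED.search(line):
            summary["invalidated"].append((m.group(1), m.group(2)))
        if m := EXCEPTION.search(line):
            summary["exceptions"].append((m.group(1), m.group(2)))
    findings = []
    for proto in summary["protocols"]:
        if proto in WEAK_PROTOCOLS:
            findings.append(f"deprecated protocol {proto}")
    for _, suite in summary["invalidated"]:
        hits = [p.strip("_") for p in WEAK_SUITE_PARTS if p in suite]
        if hits:
            findings.append(f"weak cipher suite {suite} ({', '.join(hits)})")
    for direction, level, desc in summary["alerts"]:
        if level == "fatal":
            findings.append(f"fatal alert {desc} ({direction})")
    summary["findings"] = findings
    return dict(summary)
```

Running `triage(SAMPLE_LOG)["findings"]` lists the deprecated protocol, the RC4/MD5 suite and the fatal alert; the same function can be pointed at a full debug log from either the failing Fuse route or the working standalone client to compare what each side negotiated.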