Shibboleth 4 Jetty Invalid SNI Issue - jetty

I setup a local shibboleth IdP 4.3 instance and had to use fully qualified names for the server post setup. When trying to use the fully qualified name for the entityID / URL, I am getting the below error message in Shibboleth. In the jetty-ssl-context.xml I disable the Sni checking but still getting this error. Is there a way to turn this off in the IdP or another place to update the URL / name so fully qualified names can be used?
HTTP ERROR 400 Invalid SNI
URI: /idp/shibboleth
STATUS: 400
MESSAGE: Invalid SNI
SERVLET: -
CAUSED BY: org.eclipse.jetty.http.BadMessageException: 400: Invalid SNI
Caused by:
org.eclipse.jetty.http.BadMessageException: 400: Invalid SNI
at org.eclipse.jetty.server.SecureRequestCustomizer.customize(SecureRequestCustomizer.java:266)
at org.eclipse.jetty.server.SecureRequestCustomizer.customize(SecureRequestCustomizer.java:207)
at org.eclipse.jetty.server.HttpChannel.lambda$handle$0(HttpChannel.java:501)
at org.eclipse.jetty.server.HttpChannel.dispatch(HttpChannel.java:762)
at org.eclipse.jetty.server.HttpChannel.handle(HttpChannel.java:497)
at org.eclipse.jetty.server.HttpConnection.onFillable(HttpConnection.java:282)
at org.eclipse.jetty.io.AbstractConnection$ReadCallback.succeeded(AbstractConnection.java:314)
at org.eclipse.jetty.io.FillInterest.fillable(FillInterest.java:100)
at org.eclipse.jetty.io.ssl.SslConnection$DecryptedEndPoint.onFillable(SslConnection.java:558)
at org.eclipse.jetty.io.ssl.SslConnection.onFillable(SslConnection.java:379)
at org.eclipse.jetty.io.ssl.SslConnection$2.succeeded(SslConnection.java:146)
at org.eclipse.jetty.io.FillInterest.fillable(FillInterest.java:100)
at org.eclipse.jetty.io.SelectableChannelEndPoint$1.run(SelectableChannelEndPoint.java:53)
at org.eclipse.jetty.util.thread.strategy.AdaptiveExecutionStrategy.runTask(AdaptiveExecutionStrategy.java:416)
at org.eclipse.jetty.util.thread.strategy.AdaptiveExecutionStrategy.consumeTask(AdaptiveExecutionStrategy.java:385)
at org.eclipse.jetty.util.thread.strategy.AdaptiveExecutionStrategy.tryProduce(AdaptiveExecutionStrategy.java:272)
at org.eclipse.jetty.util.thread.strategy.AdaptiveExecutionStrategy.lambda$new$0(AdaptiveExecutionStrategy.java:140)
at org.eclipse.jetty.util.thread.ReservedThreadExecutor$ReservedThread.run(ReservedThreadExecutor.java:411)
at org.eclipse.jetty.util.thread.QueuedThreadPool.runJob(QueuedThreadPool.java:934)
at org.eclipse.jetty.util.thread.QueuedThreadPool$Runner.run(QueuedThreadPool.java:1078)
at java.base/java.lang.Thread.run(Thread.java:834)
Thanks
Nick

I figured this out. In the main jetty configuration for the install, outside the jetty-base/etc config elements, had to disable the Sni host checking in the jetty-ssl.xml and jetty-ssl-context.xml files then this is working for the fully qualified names.
Nick

Related

Change localhost to hostname in wso2 is

Good day!
I am trying to configure user invitation with email confirmation.
Invited user accept email, but when he push 'confirm account' button he get an error.
First there was a certificate error. but when I added the certificate, another error occurred. As I understand it, the error is quite logical, because the certificate was issued to our hostname. Is there any way to change localhost to our hostname? or are there other ways to solve this problem?
ERROR {org.wso2.carbon.identity.mgt.endpoint.util.client.ApiClient} - Error while performing the request method: POST on the resource: https://localhost:9443/api/identity/user/v1.0/validate-code com.sun.jersey.api.client.ClientHandlerException: javax.net.ssl.SSLHandshakeException: No subject alternative DNS name matching localhost found.
Editing RecoveryEndpointConfig.properties in repository/deployment/server/webapps/accountrecoveryendpoint/ dont solve this problem
You can configure the hostname by adding the following entry to the <IS_HOME>/repository/conf/deployment.toml config file,
[server]
hostname = "your_host_name"
Since by default IS uses localhost as the internal hostname, you will need to add it as a SAN for the certificate.
Another option is to define the hostname and internal_hostname both in the toml config as below,
[server]
hostname = "your_host_name"
internal_hostname = "your_host_name"
You may refer to the following official documentation to get a detail understanding of changing the hostname
https://is.docs.wso2.com/en/latest/deploy/change-the-hostname/

API Gateway configuration returns 403

I have an API Gateway configured and deployed. If I make a GET request to one of its staged endpoints, for example https://1234567890.execute-api.us-east-1.amazonaws.com/dev/doc, I get a 200 OK response.
If I take a look at the Custom Domain Names section and supplant the URL found there into my request, for example abcdefghijkl-f4cwy0d1u5.execute-api.us-east-1.amazonaws.com to make https://abcdefghijkl-f4cwy0d1u5.execute-api.us-east-1.amazonaws.com/dev/doc, I get 403 Forbidden.
Am I wrong in thinking that I should be able to make a request to the domain name - and thus use the API's Custom domain name in a CNAME record - or does the 403 indicate that a specific configuration item is missing?
you can find some response headers that come together with your 403 error here: https://aws.amazon.com/premiumsupport/knowledge-center/api-gateway-troubleshoot-403-forbidden/
this might help you to find which error you are facing!
TL;DR: When getting 403 Forbidden with API Gateway and using the Custom domain name it's important to trim the stage name because API Gateway is routing the custom name to that stage.
Using the documentation provided by #leoandreotti I was able to identify the response header:
x-amzn-ErrorType: ForbiddenException
For this, the documentation states:
Invoking a REST API that has a custom domain name using the default
execute-api endpoint - The caller uses the default execute-api
endpoint to invoke a REST API after disabling the default endpoint.
This made me think back to a header I had been recommended to use by a colleague - the Host header.
So, I added the header back into the request and got this:
x-amzn-ErrorType: MissingAuthenticationTokenException
For which the docs state:
Resource path doesn't exist - A request with no "Authorization" header
is sent to an API resource path that doesn't exist.
But the path /dev/doc absolutely does exist. Then I realised that the /dev portion is actually the stage name.
So I trimmed the /dev portion from the path and got 200 OK - then I removed the Host header and also got 200 OK!
Thanks #leoandreotti

Cannot access wso2is.local:port:/carbon, can access via IP:port:/carbon

I've been attempting to set up service and identity providers within wso2is. I've been following the documentation, using the 'travelocity' sample. After having configured inbound authentication with SAML2 Web SSO (from the following documentation: https://docs.wso2.com/display/IS580/Adding+and+Configuring+a+Service+Provider#AddingandConfiguringaServiceProvider-SAML-SSOConfiguringinboundauthenticationwithSAML2WebSSO )
I've attempted to reconfigure the service providers, but the errors I get whenever I try and access ':/travelocity.com' from a remote workstation in Chrome are as follows;
using https://:8080/travelocity.com
/ Error 405 - Method Not Allowed
using https://wso2is.local:9443/travelocity.com
/ "This site can’t be reached wso2is.local’s server IP address could not be found.
DNS_PROBE_FINISHED_NXDOMAIN"
Same result without https.
using https://:9443/travelocity.com
/ "Error 405 - Method Not Allowed"
using https://wso2is.local:8080/travelocity.com
/ "This site can’t be reached wso2is.local’s server IP address could not be found.
DNS_PROBE_FINISHED_NXDOMAIN"
Same result without https.
using http://:9443/travelocity.com
/ " sent an invalid response.
ERR_INVALID_HTTP_RESPONSE"
using http://:8080/travelocity.com
/ Returns apache's default 404 page.
I'm looking for suggestions or advice, as this my first attempt at configuring a wso2is enviroment.
using https://:8080/travelocity.com / Error 405 - Method Not Allowed
This occurs because you havent specified the host.
Open etc/host file. add the following line and try the flow again.
127.0.0.1 wso2is.local
Otherwise, just try with https://localhost:8080/travelocity.com
For more information please refer
https://docs.wso2.com/display/IS580/Configuring+Single+Sign-On

Not able to access WSO2 IS 5.3.0 admin services through angular

We are not able to call the ChallengeQuestionManagementAdminService from Angular code. Getting an error stating Invalid remote address
Included the user credential in Authorization. Able to consume the service using SOAP UI but not from Angular.
Admin service : ChallengeQuestionManagementAdminService
Error:
[2019-03-26 03:33:54,314] WARN {org.wso2.carbon.core.services.authentication.AuthenticationUtil} - Could not find IP address for domain name : 10.44.1.25:51954
[2019-03-26 03:33:54,315] ERROR {org.wso2.carbon.core.services.authentication.AbstractAuthenticator} - Invalid remote address detected.
org.wso2.carbon.core.common.AuthenticationException: Authentication Failed : Invalid remote address passed - 10.44.1.25:51954
at org.wso2.carbon.core.services.authentication.AuthenticationUtil.validateRemoteAddress(AuthenticationUtil.java:178)
at org.wso2.carbon.core.services.authentication.AuthenticationUtil.getRemoteAddress(AuthenticationUtil.java:156)
at org.wso2.carbon.core.services.authentication.AbstractAuthenticator.getRemoteAddress(AbstractAuthenticator.java:304)
at org.wso2.carbon.core.services.authentication.AbstractAuthenticator.authenticate(AbstractAuthenticator.java:136)
at org.wso2.carbon.server.admin.module.handler.AuthenticationHandler.isAuthenticated(AuthenticationHandler.java:180)
at org.wso2.carbon.server.admin.module.handler.AuthenticationHandler.authenticate(AuthenticationHandler.java:105)
at org.wso2.carbon.server.admin.module.handler.AuthenticationHandler.invoke(AuthenticationHandler.java:66)
at org.apache.axis2.engine.Phase.invokeHandler(Phase.java:340)
at org.apache.axis2.engine.Phase.invoke(Phase.java:313)
[1] is the nearly corresponding code. You can check the logic. What is the version of Identity Server you are using ? If you are familiar with remote debugging, you can debug the code to find root cause [2].
[1] https://github.com/wso2/carbon-kernel/blob/4.4.x/core/org.wso2.carbon.core.services/src/main/java/org/wso2/carbon/core/services/authentication/AuthenticationUtil.java#L167
[2] https://medium.com/#gayanmadusanka_80721/how-to-debug-component-in-wso2-identity-server-ce15a366e9bf
Post the request you are sending from Angular through postman and check if its successful. if yes, make sure you are sending all the required headers from Angular, else you might be missing some headers in place or your request schema might miss some params.
Headers to be included
headers.set( 'Accept', '*/*');
headers.set( 'Content-Type', 'text/xml;charset=UTF-8');
headers.set( 'Authorization', `Basic ${authToken}`); <!--should send base64encode(username:password) specific to account. -->
headers.set( 'SOAPAction', 'urn:setUserChallengeAnswers');

WSO2 EI611 FTP url for inboundendpoint FILE invalid, throws error

[2017-10-31 18:38:43,008] [] ERROR - FilePollingConsumer Repeatedly
failed to resolve the file URI:
ftp://username":#"servername/folder/folder/folder/
org.apache.commons.vfs2.FileSystemException: Invalid absolute URI
"ftp://username":#"servername/folder/folder/folder/".
Caused by: org.apache.commons.vfs2.FileSystemException: Expecting / to
follow the hostname in URI
"ftp://username":***#"servername/folder/folder/folder/".
Tried several options, still not working. I used FTP url syntax/format from previous StackOverflow WSO2 postings and product documentation, but did not work. what am I doing stupid?
adding vfs.passive=true in the FTP URL did the magic. FTP inbound endpoint works fine.