Error when trying out sample saml application - wso2

I have set up the saml2-pickup-dispatch.com sample application, and when I try to log in to the application I get the errors below.
WARN {org.apache.xml.security.signature.XMLSignature} - Signature verification failed.
WARN {org.wso2.carbon.identity.sso.saml.validators.SPInitSSOAuthnRequestValidator} - Signature validation for Authentication Request failed for the request of Issuer :saml2-web-app-pickup-dispatch.com in tenantDomain:carbon.super
Any solution for this?

This is due to a signature verification issue.
You can quickly fix this issue by replacing the keystore in the saml2-pickup-dispatch sample app (<saml2-pickup-dispatch_home>/WEB-INF/classes/wso2carbon.jks) with the keystore of the WSO2 Identity Server (/repository/resources/security/wso2carbon.jks).
You can refer to the answer https://stackoverflow.com/a/61093340/9514885 for more details.

Related

WSO2 API Manager - Sample PizzaShackAPI is not working

I am new to WSO2 API Manager. I followed the Quick Start Guide to learn by deploying sample PizzaShackAPI.
https://docs.wso2.com/display/AM210/Quick+Start+Guide
As I click "Try It Out!", I am not getting the correct response as mentioned in the guide.
I am getting the below response and there is no log in the console initially.
Response Code
0
Response Headers
{
"error": "no response from server"
}
After I added Self Signed Certificate in Firefox as Add Exception, I am getting the below error in the console,
[2017-03-01 15:06:51,309] ERROR - SourceHandler I/O error: An established connection was aborted by the software in your host machine
java.io.IOException: An established connection was aborted by the software in your host machine
at sun.nio.ch.SocketDispatcher.read0(Native Method)
at sun.nio.ch.SocketDispatcher.read(SocketDispatcher.java:43)
at sun.nio.ch.IOUtil.readIntoNativeBuffer(IOUtil.java:223)
at sun.nio.ch.IOUtil.read(IOUtil.java:197)
at sun.nio.ch.SocketChannelImpl.read(SocketChannelImpl.java:380)
at org.apache.http.nio.reactor.ssl.SSLIOSession.receiveEncryptedData(SSLIOSession.java:371)
I guess it may be a certificate configuration issue. Please help me to resolve this issue.
I tried with creating my own API. Facing the same issue.
The error message "error": "no response from server" on the API console is mostly due to a CORS error. Could you please check your browser console and see the error there? Most likely you will see an error related to CORS.
Note: these changes are not advised for a production environment; for a production environment you want to provide all relevant information instead of allow all (*).
To allow all headers and origin, edit repository/conf/api-manager.xml and change the values for the following:
<Access-Control-Allow-Headers>*</Access-Control-Allow-Headers>
<Access-Control-Allow-Origin>*</Access-Control-Allow-Origin>
Second change: allow all host names and avoid any certificate host name validation.
Edit /repository/conf/axis2/axis2.xml, uncomment HostnameVerifier and change the value to AllowAll.
<parameter name="HostnameVerifier">AllowAll</parameter>
Restart API Manager and test again.
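A check that the relaxations from this answer have not carried over into a production configuration. This is an added example, not part of the original answer and not WSO2 code; the function names and the constructed sample files are assumptions, and it reports only settings that are active (not commented out).

```shell
#!/bin/sh
# Added example (not WSO2 code): report the development-only relaxations
# described above if they are still active in a configuration.

# strip_xml_comments FILE: print FILE without <!-- ... --> blocks (single- or
# multi-line), so a setting that is still commented out is not reported.
strip_xml_comments() {
    awk '{
        line = $0; out = ""
        while (line != "") {
            if (in_c) {
                e = index(line, "-->")
                if (e == 0) { line = "" } else { line = substr(line, e + 3); in_c = 0 }
            } else {
                s = index(line, "<!--")
                if (s == 0) { out = out line; line = "" }
                else { out = out substr(line, 1, s - 1); line = substr(line, s + 4); in_c = 1 }
            }
        }
        print out
    }' "$1"
}

# audit_relaxations API_MANAGER_XML AXIS2_XML
# Prints one finding per line; returns 1 if anything was found, else 0.
audit_relaxations() {
    findings=$(
        strip_xml_comments "$1" |
            grep -E -o '<Access-Control-Allow-(Origin|Headers)>[[:space:]]*\*[[:space:]]*<' |
            sed -E 's/^<([^>]+)>.*/\1 is a wildcard/'
        if strip_xml_comments "$2" |
            grep -E -q '<parameter[[:space:]]+name="HostnameVerifier"[[:space:]]*>[[:space:]]*AllowAll'; then
            echo 'HostnameVerifier is AllowAll'
        fi
    )
    if [ -z "$findings" ]; then return 0; fi
    printf '%s\n' "$findings"
    return 1
}

# write_samples DIR: constructed sample files, not from a real deployment.
write_samples() {
    printf '%s\n' '<CORSConfiguration>' \
        '  <Access-Control-Allow-Origin>*</Access-Control-Allow-Origin>' \
        '  <Access-Control-Allow-Headers>authorization,Content-Type</Access-Control-Allow-Headers>' \
        '</CORSConfiguration>' > "$1/api-manager.xml"
    printf '%s\n' '<!-- <parameter name="HostnameVerifier">AllowAll</parameter> -->' \
        '<parameter name="HostnameVerifier">AllowAll</parameter>' > "$1/axis2.xml"
}
```

Run `audit_relaxations` against the two files of the pack being promoted; a non-zero return means at least one of the settings above is still in effect.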

WSO2 Dashboard SAML auth: PKIX path building failed

Using the WSO2 Identity Server on my production site, I try to access the "dashboard jaggery apps" to manage my own user account (change password, etc.). But when I try to log in there (using SAML2 on the HTTPS production domain), it shows the following error:
PKIX path building failed: sun.security.provider.certpath.SunCertPathBuilderException: unable to find valid certification path to requested target
We write the keystore path in the auth_config.json inside repository/deployment/server/jaggeryapps/dashboard/authentication, but it does not work.
We have other application using the same fingerprint and/or x.509 hash correctly (with SAML2), but this app we can't configure.
Here is the complete error: http://pastebin.com/tgJenydM
Any suggestions? Thanks.
Update:
When I use the backend IP the error is not raised, but when I change to the domain name it is. (This error really makes me crazy.)
Did you change the default keystore of the WSO2IS server? If so, could you please let us know whether you imported your new certificate into the trust store file (client-truststore.jks) of the WSO2IS server? If not, this can be the issue. Please export the certificate from the keystore and import it into the trust store of the server. You can use the Java keytool command to do it.
When you are working on the dashboard (not on localhost), there are a few configurations you need to do. You can find them from here
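The export and import described in this answer, together with a fingerprint comparison that also applies to the keystore mismatch behind the "Signature verification failed" warning in the first question. This is an added example, not code from the answers or from WSO2; the function names are hypothetical, and keystore paths, aliases and passwords are passed in by the caller.

```shell
#!/bin/sh
# Added example (not WSO2 code). Requires keytool (JDK), base64 and sha256sum.

# cert_fp KEYSTORE ALIAS STOREPASS
# SHA-256 fingerprint (AA:BB:...) of the certificate stored under ALIAS.
cert_fp() {
    pem=$(keytool -exportcert -rfc -alias "$2" -keystore "$1" \
        -storepass "$3" 2>/dev/null) || return 1
    printf '%s\n' "$pem" | tr -d '\r' |
        sed -n '/BEGIN CERTIFICATE/,/END CERTIFICATE/p' | grep -v -- '-----' |
        base64 -d | sha256sum | cut -d' ' -f1 |
        tr 'a-f' 'A-F' | sed 's/../&:/g; s/:$//'
}

# same_cert KS1 ALIAS1 PASS1 KS2 ALIAS2 PASS2
# Returns 0 only when both entries hold the same certificate, e.g. the
# sample app's signing entry and the entry the server verifies against.
same_cert() {
    a=$(cert_fp "$1" "$2" "$3") && b=$(cert_fp "$4" "$5" "$6") && [ "$a" = "$b" ]
}

# is_trusted TRUSTSTORE STOREPASS FINGERPRINT
# Returns 0 when some entry in TRUSTSTORE has that SHA-256 fingerprint.
is_trusted() {
    [ -n "$3" ] || return 1
    keytool -list -v -keystore "$1" -storepass "$2" 2>/dev/null | grep -F -q "$3"
}

# trust_cert SRC_KEYSTORE ALIAS SRC_PASS TRUSTSTORE TRUST_PASS
# Exports only the public certificate (never the private key) and imports
# it into TRUSTSTORE under the same alias.
trust_cert() {
    tmp=$(mktemp) || return 1
    keytool -exportcert -alias "$2" -keystore "$1" -storepass "$3" \
        -file "$tmp" >/dev/null 2>&1 &&
        keytool -importcert -noprompt -alias "$2" -file "$tmp" \
            -keystore "$4" -storepass "$5" >/dev/null 2>&1
    rc=$?
    rm -f "$tmp"
    return "$rc"
}
```

Check `is_trusted` with the fingerprint from `cert_fp` before and after `trust_cert`; the server has to be restarted before it picks up a changed trust store.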

WSO2API Manager : Api Store Error: Error in getting new access token

I have updated the WSO2 default SSL with the custom SSL certificate on my production server on which WSO2Api is installed.
SSL issues have been fixed, but now I am getting an error while re-generating the access token.
Logs
Caused by: org.wso2.carbon.apimgt.keymgt.APIKeyMgtException: Error in getting new accessToken
at org.wso2.carbon.apimgt.keymgt.service.APIKeyMgtSubscriberService.renewAccessToken(APIKeyMgtSubscriberService.java:281)
... 45 more
Caused by: java.lang.RuntimeException: Failed : HTTP error code : 500
at org.wso2.carbon.apimgt.keymgt.service.APIKeyMgtSubscriberService.renewAccessToken(APIKeyMgtSubscriberService.java:252)
... 45 more
TID: [0] [AM] [2014-08-27 10:57:41,440] ERROR {org.wso2.carbon.apimgt.hostobjects.APIStoreHostObject} - Error in getting new accessToken {org.wso2.carbon.apimgt.hostobjects.APIStoreHostObject}
If APIManager runs with a port offset, you need to do additional changes.
Change the endpoint ports defined in default APIs shipped with APIManager
Find all default APIs of the API Manager in the /repository/deployment/server/synapse-configs/default/api folder. Those are Authorize API, Login API, Token API and Revoke API. Open each of them and change the port value in the address endpoint config to match the offset value. The default address endpoint config is
address uri="https://192.168.1.7:9443/oauth2/token"
If the AM standalone pack is running with port offset 2, change that config to
address uri="https://192.168.1.7:9445/oauth2/token"
What I did to fix the issue was to 1) add admin user inside ApiKeyValidator in api-manager.xml, also into admin user via management console and into user-mgt.xml; 2) Inside api-manager.xml:
Change the following:
https://${carbon.local.ip}:${mgt.transport.https.port}${carbon.context}/services/
to:
https://[FQDN_OF_HOST}:${mgt.transport.https.port}${carbon.context}/services/
The reason is that my server certificate only recorded the domain name, not the IP address.
My setup: Product: WSO2 AM 1.10.0 DB: MSSQL Security: SAML2 integrated with PingIdentity OS: Linux
Please also refer to this question:
wso2 am 1.10.0 API Store: "Error occurred while executing the action generateApplicationKey" with " Invalid credentials provided."
The error may be due to one of these two things:
Your admin password is not set for ApiKeyManager in api_manager.xml.
SSL is not set properly.

SoapUI 4.6.4 error: Server returned HTTP response code: 401 for URL

I am trying to add a New SOAP Project in SoapUI 4.6.4. When I create a new soap project and type the Initial WSDL url: http://xx.xxx.x.xxx/Structure/DataEx?wsdl, I get the following error.
Error loading [http://xx.xxx.x.xxx/Structure/DataEx?wsdl]:
org.apache.xmlbeans.XmlException: java.io.IOException: Server returned
HTTP response code: 401 for URL:
http://xx.xxx.x.xxx/Structure/DataEx?wsdl
When I access the URL via a browser, it prompts me to enter username and password. After I enter that information, I am able to access the WSDL. I looked at the request header and the authorization is of type Digest.
My question is, where in SoapUI 4.6.4 do I get to enter the authentication/authorization information so that I can get the WSDL into SoapUI.
This was a bug in the 4.6.4 version but was solved in the maintenance build, which is available at http://www.soapui.org/Downloads/soapui-pro-nightly-builds.html
This information is available on the soapUI forum, where a user asked the same question.
Additionally, to handle authentication in your subsequent service requests you should check out soapUI's guide on the same.

Authenticating a WS-Security UsernameToken against a GlassFish realm gives "Authentication refused"

I have a SOAP webservice declared using @WebService in an EJB subproject of an EAR running in GlassFish 3.1.1 using its bundled Metro runtime. It's been annotated with the usual @DeclareRoles and @RolesAllowed, on the class level.
I have a WSIT descriptor for authentication using a simple plaintext-password UsernameToken.
In the EAR's glassfish-application.xml, I specify the realm as the standard file realm that comes with GlassFish. To this realm I have added a user for testing, belonging to a specific group. This group is mapped to the role I specified in glassfish-ejb-jar.xml.
I also enabled the Security Manager in GlassFish, as well as auditing. I restarted the server after doing this.
I have generated a client and set the username and password in callback handlers. I log to make sure the credentials are indeed set. I have also tried to set the credentials like this:
Map<String, Object> requestContext = ((BindingProvider)port).getRequestContext();
requestContext.put(BindingProvider.USERNAME_PROPERTY, "myUsername");
requestContext.put(BindingProvider.PASSWORD_PROPERTY, "myPassword");
When I call the service, I get this on the server:
INFO: SEC5046: Audit: Authentication refused for [myUsername].
INFO: SEC1201: Login failed for user: myUsername
SEVERE: WSS1408: UsernameToken Authentication Failed
SEVERE: WSITPVD0035: Error in Verifying Security in Inbound Message.
com.sun.xml.wss.impl.WssSoapFaultException: Authentication of Username Password Token Failed
at com.sun.xml.ws.security.opt.impl.util.SOAPUtil.newSOAPFaultException(SOAPUtil.java:158)
at com.sun.xml.ws.security.opt.impl.incoming.UsernameTokenHeader.validate(UsernameTokenHeader.java:164)
at com.sun.xml.ws.security.opt.impl.incoming.SecurityRecipient.handleSecurityHeader(SecurityRecipient.java:341)
at com.sun.xml.ws.security.opt.impl.incoming.SecurityRecipient.cacheHeaders(SecurityRecipient.java:275)
at com.sun.xml.ws.security.opt.impl.incoming.SecurityRecipient.validateMessage(SecurityRecipient.java:225)
at com.sun.xml.wss.provider.wsit.WSITServerAuthContext.verifyInboundMessage(WSITServerAuthContext.java:586)
at com.sun.xml.wss.provider.wsit.WSITServerAuthContext.validateRequest(WSITServerAuthContext.java:360)
at com.sun.xml.wss.provider.wsit.WSITServerAuthContext.validateRequest(WSITServerAuthContext.java:263)
at com.sun.enterprise.security.webservices.CommonServerSecurityPipe.processRequest(CommonServerSecurityPipe.java:173)
at com.sun.enterprise.security.webservices.CommonServerSecurityPipe.process(CommonServerSecurityPipe.java:144)
at com.sun.xml.ws.api.pipe.helper.PipeAdapter.processRequest(PipeAdapter.java:119)
at com.sun.xml.ws.api.pipe.Fiber.__doRun(Fiber.java:641)
at com.sun.xml.ws.api.pipe.Fiber._doRun(Fiber.java:600)
at com.sun.xml.ws.api.pipe.Fiber.doRun(Fiber.java:585)
at com.sun.xml.ws.api.pipe.Fiber.runSync(Fiber.java:482)
at com.sun.xml.ws.server.WSEndpointImpl$2.process(WSEndpointImpl.java:314)
at com.sun.xml.ws.transport.http.HttpAdapter$HttpToolkit.handle(HttpAdapter.java:608)
at com.sun.xml.ws.transport.http.HttpAdapter.handle(HttpAdapter.java:259)
at com.sun.xml.ws.transport.http.servlet.ServletAdapter.handle(ServletAdapter.java:162)
at org.glassfish.webservices.Ejb3MessageDispatcher.handlePost(Ejb3MessageDispatcher.java:120)
at org.glassfish.webservices.Ejb3MessageDispatcher.invoke(Ejb3MessageDispatcher.java:91)
at org.glassfish.webservices.EjbWebServiceServlet.dispatchToEjbEndpoint(EjbWebServiceServlet.java:200)
at org.glassfish.webservices.EjbWebServiceServlet.service(EjbWebServiceServlet.java:131)
(Rest is snipped away)
and I get this on the client:
Authentication of Username Password Token Failed
javax.xml.ws.soap.SOAPFaultException: Authentication of Username Password Token Failed
at com.sun.xml.ws.fault.SOAP11Fault.getProtocolException(SOAP11Fault.java:189)
at com.sun.xml.ws.fault.SOAP11Fault.getProtocolException(SOAP11Fault.java:189)
at com.sun.xml.ws.fault.SOAPFaultBuilder.createException(SOAPFaultBuilder.java:122)
at com.sun.xml.ws.client.sei.SyncMethodHandler.invoke(SyncMethodHandler.java:119)
at com.sun.xml.ws.client.sei.SyncMethodHandler.invoke(SyncMethodHandler.java:89)
at com.sun.xml.ws.client.sei.SEIStub.invoke(SEIStub.java:140)
I then created a simple servlet/JSP project and added a security restriction on the realm. Authentication using the same user works in this case.
The WS-Security policy looks like this:
<ns1:Policy xmlns:ns1="http://schemas.xmlsoap.org/ws/2004/09/policy" wsu:Id="MyServicePortBindingPolicy">
  <ns1:ExactlyOne>
    <ns1:All>
      <ns2:SupportingTokens xmlns:ns2="http://schemas.xmlsoap.org/ws/2005/07/securitypolicy">
        <ns1:Policy>
          <ns1:ExactlyOne>
            <ns1:All>
              <ns2:UsernameToken ns2:IncludeToken="http://schemas.xmlsoap.org/ws/2005/07/securitypolicy/IncludeToken/AlwaysToRecipient">
                <ns1:Policy>
                  <ns1:ExactlyOne>
                    <ns1:All>
                      <ns2:WssUsernameToken10 />
                    </ns1:All>
                  </ns1:ExactlyOne>
                </ns1:Policy>
              </ns2:UsernameToken>
            </ns1:All>
          </ns1:ExactlyOne>
        </ns1:Policy>
      </ns2:SupportingTokens>
      <ns3:UsingAddressing xmlns:ns3="http://www.w3.org/2006/05/addressing/wsdl" />
    </ns1:All>
  </ns1:ExactlyOne>
</ns1:Policy>
What's going wrong here? Any suggestions highly appreciated.
This solved itself when I disabled my own homebaked programmatic authentication mechanism, which threw a disruptive exception. Can't believe that didn't strike me before.