I built an API using Micro Integrator and it is calling an internal API endpoint with self-signed certificate. I am having this error message
ERROR_CODE : 101500,ERROR_MESSAGE :Error in Sender,ERROR_DETAIL : javax.net.ssl.SSLException: Host name verification failed for host : app-name.namespace.svc.cluster.local\n\tat org.apache.synapse.transport.http.conn.ClientSSLSetupHandler.verify(ClientSSLSetupHandler.java:182)\n\tat org.apache.http.nio.reactor.ssl.SSLIOSession.doHandshake(SSLIOSession.java:371)\n\tat org.apache.http.nio.reactor.ssl.SSLIOSession.isAppInputReady(SSLIOSession.java:541)\n\tat org.apache.http.impl.nio.reactor.AbstractIODispatch.inputReady(AbstractIODispatch.java:120)\n\tat org.apache.http.impl.nio.reactor.BaseIOReactor.readable(BaseIOReactor.java:162)\n\tat org.apache.http.impl.nio.reactor.AbstractIOReactor.processEvent(AbstractIOReactor.java:337)\n\tat org.apache.http.impl.nio.reactor.AbstractIOReactor.processEvents(AbstractIOReactor.java:315)\n\tat org.apache.http.impl.nio.reactor.AbstractIOReactor.execute(AbstractIOReactor.java:276)\n\tat org.apache.http.impl.nio.reactor.BaseIOReactor.execute(BaseIOReactor.java:104)\n\tat org.apache.http.impl.nio.reactor.AbstractMultiworkerIOReactor$Worker.run(AbstractMultiworkerIOReactor.java:591)\n\tat java.base/java.lang.Thread.run(Thread.java:834)\n
Is it possible to configure the Micro Integrator to allow all for the hostname verification? I added this on my deployment.toml and still encountering the issue. This is the same code block that I added on my APIM deployment.toml to disable hostname verification.
[transport.passthru_https.sender.parameters]
HostnameVerifier = "AllowAll"
You can use the following configuration in the deployment.toml of MI.
[transport.http]
sender.hostname_verifier = "AllowAll"
Related
I have one WSO2 Identity server running on docker container and My API-Manager is configured to use it as key manager. API Manager is also running on docker.
When Iam Trying to get a token in Postman, I call this https://myhost.com:8243/token?grant_type=client_credentials with base64 encoded "client_id:secret" it gives me this exception:
[2021-04-27 17:13:21,704] ERROR - TargetHandler I/O error: Host name verification failed for host : is.com javax.net.ssl.SSLException: Host name verification failed for host : is.com
Also the [apim.key_manager] is configured like this:
[apim.key_manager]
service_url = "https://is.com:9442/services/"
username = "$ref{super_admin.username}"
password = "$ref{super_admin.password}"
type = "WSO2-IS"
"is.com" is the domain for my identity server container.
I dont know why is this happening and HostNameVerification is disabled in apim.
How can I fix it?
Thank you.
I guess you haven't disabled hostname verification in Synapse level. This can be done using the following config in the deployment.toml
[transport.passthru_https.sender.parameters]
HostnameVerifier = "AllowAll"
The recommended approach is to use the correct hostname. For this, you can use a DNS entry.
i am using api manager 3.1.0 , i have configured web socket in api publisher and configured tenant=carbon.super
i am trying to access wss with domain name., i have updated host name with deployment.toml file,the problem is unable to access wss secure socket-.wss://test.com:8099/Notification/v1?access_token=xxx123 .i am getting error in connection, please guide me, how to resolve this
[2020-09-11 14:06:17,276] ERROR - InboundWebsocketSourceHandler Endpoint not found for port : 8099 tenant domain : null
Error message screen clip
This is my first time creating a WCF service. I need to use HTTPS as I will be using MembershipBinding. The steps I have taken up to this point are:
Created a certificate authority using the makecert.exe application - from this I have created a server certificate and a client certificate.
Added the certificate authority to the Trusted Root Certification Authorities within Microsoft Management Console.
Added the client and server certificates to my personal certificates within Microsoft Management Console.
Created a https binding for the service in IIS using the server certificate.
Set the appropriate permissions for the app pool on the server certificate.
Defined the service certificate within the serviceBehaviours node in the web.config.
I am now testing the service using the WCF Test Client but I am getting the message:
Error: Cannot obtain Metadata from https://localhost:444/Service.svc If this is a Windows (R) Communication Foundation service to which you have access, please check that you have enabled metadata publishing at the specified address. For help enabling metadata publishing, please refer to the MSDN documentation at http://go.microsoft.com/fwlink/?LinkId=65455.WS-Metadata Exchange Error URI: https://localhost:444/Service.svc Metadata contains a reference that cannot be resolved: 'https://localhost:444/Service.svc'. Could not establish trust relationship for the SSL/TLS secure channel with authority 'localhost:444'. The underlying connection was closed: Could not establish trust relationship for the SSL/TLS secure channel. The remote certificate is invalid according to the validation procedure.HTTP GET Error URI: https://localhost:444/Service.svc There was an error downloading 'https://localhost:444/Service.svc'. The underlying connection was closed: Could not establish trust relationship for the SSL/TLS secure channel. The remote certificate is invalid according to the validation procedure.
The error suggests that there is an issue trusting the certificate but I have trusted the certificate authority used to create it so I don't know how to resolve it. The service worked fine when I was using http.
Thanks in advance.
As your certificate is self-signed, you need to add a hack to your client call :
using (MyWCFServiceClient client = new MyWCFServiceClient())
{
#if DEBUG
ServicePointManager.ServerCertificateValidationCallback = TrustAllCertificatesCallback;
#endif
client.MyCall();
}
And the definition for TrustAllCertificatesCallback :
internal static bool TrustAllCertificatesCallback(object sender, X509Certificate cert, X509Chain chain, SslPolicyErrors errors)
{
bool isValid = true;
// TODO logic to check your self-signed certifiacte
return isValid;
}
The TrustAllCertificatesCallback callback should be deactivated on your production environement.
I have updated WSO2 default SLL with the custom SSL certificate on my Production Server on which WSO2Api installed.
SSL issues have been fixed, but now I am getting error while re-generating access token
Logs
Caused by: org.wso2.carbon.apimgt.keymgt.APIKeyMgtException: Error in getting new accessToken
at org.wso2.carbon.apimgt.keymgt.service.APIKeyMgtSubscriberService.renewAccessToken(APIKeyMgtSubscriberService.java:281)
... 45 more
Caused by: java.lang.RuntimeException: Failed : HTTP error code : 500
at org.wso2.carbon.apimgt.keymgt.service.APIKeyMgtSubscriberService.renewAccessToken(APIKeyMgtSubscriberService.java:252)
... 45 more
TID: [0] [AM] [2014-08-27 10:57:41,440] ERROR {org.wso2.carbon.apimgt.hostobjects.APIStoreHostObject} - Error in getting new accessToken {org.wso2.carbon.apimgt.hostobjects.APIStoreHostObject}
If APIManager runs with a port offset,you need to do addtional changes.
Change the endpoint ports defined in default APIs shipped with APIManager
Find all default APIs of the API Manager in /repository/deployment/server/synapse-configs/default/api folder. Those are Authorize API, Login API, Token API and Revoke API. Open each of them and change the address endpoint config included port value to match with offset value.The default address endpoint config is
"address uri="https://192.168.1.7:9443/oauth2/token".If the AM standalone pack running with port offset 2 change that config as
address uri="https://192.168.1.7:9445/oauth2/token"
What I did to fix the issue was to 1) add admin user inside ApiKeyValidaor in api-manager.xml also into admin user via management console and into user-mgt.xml; 2) Inside api-manager.xml:
Change the following:
https://${carbon.local.ip}:${mgt.transport.https.port}${carbon.context}/services/
to:
https://[FQDN_OF_HOST}:${mgt.transport.https.port}${carbon.context}/services/
Reason is my server certificate only recorded the domain name, not ip address.
My setup: Product: WSO2 AM 1.10.0 DB: MSSQL Security: SAML2 integrated with PingIdentity OS: Linux
Please also refer to this question:
wso2 am 1.10.0 API Store: "Error occurred while executing the action generateApplicationKey" with " Invalid credentials provided."
The error may be due to one of these two things:
Your admin password is not set for ApiKeyManager in api_manager.xml.
SSL is not set properly.
I am getting the below exception when I invoke a jax ws webservice from my application deployed in WebSphere Application Server 6.1
SSL HANDSHAKE FAILURE: A signer with SubjectDN "CN=yyy.com, OU=For Intranet Use Only, OU=Web Hosting, O=xx, L=xx, ST=xx, C=xx" was sent from target host:port "*:9445". The signer may need to be added to local trust store "F://../trust.p12" . The extended error message from the SSL handshake exception is: "No trusted certificate found".
The enpoint url has https.
With the same enpoint url I am able to get a response from SOAP UI(Tool) without any certificate configuration etc..
Could you help me on this ?
I finally was able to fix this small issue.The Server certificate needs to be added to the websphere appserver truststore.This can be done from the admin console of websphere by providing the server domain and port.