I'm trying to link WSO2 IS and Analytics.
Basically I'm following the tutorial from the WSO2 page (https://is.docs.wso2.com/en/5.11.0/learn/prerequisites-to-publish-statistics/) and also checked some tutorials in a blog (e.g., https://medium.com/#niluka/wso2-identity-analytics-17f62176130e).
Both the IS server and WSO2 IS Analytics run well until I try to use the portal. Here is my problem.
I can log in at the user portal and other pages, but the log doesn't show in the portal.
When I log in at the portal, this error occurs in dashboard.bat:
[2020-09-05 17:52:53,381] ERROR {org.wso2.transport.http.netty.contractimpl.listener.SslHandshakeCompletionHandlerForServer} - Error while SSL handshake: javax.net.ssl.SSLHandshakeException: Received fatal alert: certificate_unknown
[2020-09-05 17:52:53,381] ERROR {org.wso2.transport.http.netty.contractimpl.listener.SslHandshakeCompletionHandlerForServer} - Error while SSL handshake: javax.net.ssl.SSLHandshakeException: Received fatal alert: certificate_unknown
[2020-09-05 17:52:54,514] ERROR {org.wso2.transport.http.netty.contractimpl.listener.SslHandshakeCompletionHandlerForServer} - Error while SSL handshake: javax.net.ssl.SSLHandshakeException: Received fatal alert: certificate_unknown
[2020-09-05 17:52:54,690] ERROR {org.wso2.transport.http.netty.contractimpl.listener.SslHandshakeCompletionHandlerForServer} - Error while SSL handshake: javax.net.ssl.SSLHandshakeException: Received fatal alert: certificate_unknown
I tried some solutions:
Import the public certificate of the WSO2 IS Analytics server into the client-truststore.jks of WSO2 Identity Server, and vice versa (from this blog: https://medium.com/#niluka/wso2-identity-analytics-17f62176130e),
and the solution from this link: https://github.com/wso2/docs-is/issues/1207
I tried this command: keytool -import -alias <alias> -file <file_name> -keystore client-truststore.jks -storepass wso2carbon
but the response was:
C:\Program Files\WSO2\Identity Server\5.10.0\repository\resources\security>keytool -import -alias <alias> -file <file_name> -keystore client-truststore.jks -storepass wso2carbon.cer
지정된 파일을 찾을 수 없습니다.
(지정된 파일을 찾을 수 없습니다. means 'The specified file could not be found')
But the problem remains the same. Does anyone have another solution or tips for this error? Thanks.
This is my deployment.toml file.
[server]
hostname = "localhost"
node_ip = "127.0.0.1"
base_path = "https://$ref{server.hostname}:${carbon.management.port}"
[super_admin]
username = "admin"
password = "admin"
create_admin_account = true
[user_store]
type = "read_write_ldap_unique_id"
connection_url = "ldap://localhost:${Ports.EmbeddedLDAP.LDAPServerPort}"
connection_name = "uid=admin,ou=system"
connection_password = "admin"
base_dn = "dc=wso2,dc=org" #refers the base dn on which the user and group search bases will be generated
[database.identity_db]
type = "h2"
url = "jdbc:h2:./repository/database/WSO2IDENTITY_DB;DB_CLOSE_ON_EXIT=FALSE;LOCK_TIMEOUT=60000"
username = "wso2carbon"
password = "wso2carbon"
[database.shared_db]
type = "h2"
url = "jdbc:h2:./repository/database/WSO2SHARED_DB;DB_CLOSE_ON_EXIT=FALSE;LOCK_TIMEOUT=60000"
username = "wso2carbon"
password = "wso2carbon"
[keystore.primary]
file_name = "wso2carbon.jks"
password = "wso2carbon"
[resource.access_control]
context = "(.*)/sample-auth/(.*)"
secure = false
http_method = "all"
[[event_listener]]
id = "authn_data_publisher_proxy"
type = "org.wso2.carbon.identity.core.handler.AbstractIdentityMessageHandler"
name = "org.wso2.carbon.identity.data.publisher.application.authentication.AuthnDataPublisherProxy"
order = 11
[identity_mgt.analytics_login_data_publisher]
enable=true
[identity_mgt.analytics_session_data_publisher]
enable=true
[event.default_listener.application_authentication]
enable = true
I'm trying to set up an email sender (for example for password recovery). I already set it up with a Gmail and an Outlook mail address and it works!
Now I need to configure an Aruba hostmail.
This is my deployment.toml configuration module:
[output_adapter.email]
from_address= "****#aruba.it"
username= "*****#****.it"
password= "******"
hostname= "smtps.aruba.it"
port= 465
enable_start_tls= true
enable_authentication= true
signature = "****"
[output_adapter.email.custom_properties]
"mail.smtp.ssl.protocols"="TLSv1.2"
"mail.transport.protocol"="smtps"
The logs return:
ERROR {org.wso2.carbon.event.output.adapter.email.EmailEventAdapter} - Event dropped at Output Adapter 'EmailPublisher' for tenant id '-1234', Error in message format, Could not connect to SMTP host: smtps.aruba.it, port: 465, response: -1 javax.mail.MessagingException: Could not connect to SMTP host: smtps.aruba.it, port: 465, response: -1
I tried with smtps and smtp (it should be the same port, 465).
Can you tell me if it's not supported or something?
Thanks, I really need help :(
I fixed it by adding these properties in the deployment.toml file below these modules:
[output_adapter.email]
from_address= "***#aruba.it"
username= "****"
password= "****!"
hostname= "smtps.aruba.it"
port= 465
enable_start_tls= true
enable_authentication= true
signature = "WSO2"
[output_adapter.email.custom_properties]
"mail.smtp.ssl.protocols"="TLSv1.2"
"mail.smtp.debug"="true"
"mail.smtp.socketFactory.port"="465"
"mail.smtp.socketFactory.class"="javax.net.ssl.SSLSocketFactory"
"mail.smtp.socketFactory.fallback"="false"
After adding the following adaptive authentication script, if the username does not match the expected format I should be getting the custom status message saying "Access Denied, invalid username format." Instead I get the default status message, "Something went wrong during the authentication process. Please try signing in again."
function onLoginRequest(context) {
    executeStep(1, {
        onSuccess: function (context) {
            var user = context.currentKnownSubject;
            if (user != null && user.username != null && !user.username.equals('')) {
                Log.info("username: " + user.username);
            } else {
                sendError('', {'status': 'AUTHENTICATION USERNAME ERROR', 'statusMsg': 'Access denied, invalid username format.'});
            }
        }
    });
}
In addition, I get the following error in the wso2carbon.log file as well.
TID: [-1234] [authenticationendpoint] [2022-10-05 15:44:12,715] [37951f7d-8240-48d4-ad4f-1d4c8a6a3ec4] ERROR {org.wso2.carbon.identity.application.authentication.endpoint.util.AuthContextAPIClient} - Sending GET request to URL : https://dev.wso2istemp.com/api/identity/auth/v1.1/data/AuthenticationError/0b0efc37-819d-4b39-85b2-517126c3c9cb, failed. java.io.IOException: Server returned HTTP response code: 401 for URL: https://dev.wso2istemp.com/api/identity/auth/v1.1/data/AuthenticationError/0b0efc37-819d-4b39-85b2-517126c3c9cb
...
org.wso2.carbon.identity.application.authentication.endpoint.util.AuthContextAPIClient.getContextProperties(AuthContextAPIClient.java:70)
at org.apache.jsp.retry_jsp._jspService(retry_jsp.java:194)
...
org.wso2.carbon.ui.filters.cache.ContentTypeBasedCachePreventionFilter.doFilter(ContentTypeBasedCachePreventionFilter.java:53)
at org.apache.catalina.core.ApplicationFilterChain.internalDoFilter(ApplicationFilterChain.java:189)
...
org.wso2.carbon.identity.application.authentication.endpoint.util.filter.AuthenticationEndpointFilter.doFilter(AuthenticationEndpointFilter.java:190)
at org.apache.catalina.core.ApplicationFilterChain.internalDoFilter(ApplicationFilterChain.java:189)
...
The <IS_HOME>/repository/conf/deployment.toml configurations for [server] are as follows.
[server]
hostname = "dev.wso2istemp.com"
node_ip = "127.0.0.1"
base_path = "https://$ref{server.hostname}:${carbon.management.port}"
What is the reason for the following issue in the wso2carbon.log, and why is the custom status message not shown properly?
When the adaptive authentication script is running, the values are passed to the Identity Server (IS) encrypted. In the above case, the encrypted data chunk is passed to the IS as
https://dev.wso2istemp.com/api/identity/auth/v1.1/data/AuthenticationError/24e56d99-9494-4989-a3e2-4008b73ebd9b
with the last segment of the URL being the data chunk. When the server tries to get that data chunk with a GET request, java.io.IOException: Server returned HTTP response code: 401 for URL, which is the code for unauthorized, is thrown. Since that data chunk is not properly received, the default status message is shown instead of the custom status message. The steps to resolve this are given below.
First, clarify whether the dev.wso2istemp.com host you are using is not mapped to localhost in the /etc/hosts file.
Go to the <IS_HOME>/repository/conf/deployment.toml file, look for the configuration [identity.auth_framework.endpoint] and check whether mutual SSL is set to false via mutual_ssl_manager_enabled=false.
If so, enable it by commenting out mutual_ssl_manager_enabled=false, since using mutual SSL is recommended for IS. If you go to the <IS_HOME>/repository/resources/conf/default.json file, you can notice that the default value for mutual_ssl_manager_enabled is true.
In a multi-node situation, the above error can occur if mutual SSL is not enabled. If that does not resolve the issue, then you have to check whether the internal_hostname has been set properly so that the internal API calls are being sent properly.
To do that, if you have not added the following configuration to the <IS_HOME>/repository/conf/deployment.toml file, you can check whether it has been properly applied to <IS_HOME>/repository/conf/identity/identity.xml by checking for <ServerHostName>localhost</ServerHostName>:
[server]
internal_hostname="localhost"
If you are using a multi-node deployment, this localhost value should be added to the SAN for the certificate when the certificate is generated (-ext SAN=dns:localhost)
keytool -genkey -alias newcert -keyalg RSA -keysize 2048 -keystore newkeystore.jks -dname "CN=dev.wso2istemp.com, OU=Is,O=Wso2,L=SL,S=WS,C=LK" -storepass mypassword -keypass mypassword -ext SAN=dns:localhost
But if you are using a single node, you can add the following configuration to the deployment.toml and check whether it resolves things. (In the single-node case the internal_hostname should be the same as the hostname.)
[server]
hostname = "dev.wso2istemp.com"
internal_hostname = "dev.wso2istemp.com"
If that does not work (https://github.com/wso2/product-is/issues/11878), then go to <IS_HOME>/repository/deployment/server/webapps/authenticationendpoint/WEB-INF/web.xml and uncomment the following commented snippet:
<!--context-param>
<param-name>AuthenticationRESTEndpointURL</param-name>
<param-value>https://localhost:9443/api/identity/auth/v1.1/</param-value>
</context-param-->
This should make the internal_hostname be reflected in the request, since the internal API calls are blocked when the server hostname is used instead of the internal_hostname for the internal API calls (https://dev.wso2istemp.com/api/identity/auth/v1.1/data/AuthenticationError/24e56d99-9494-4989-a3e2-4008b73ebd9b).
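An added check, written against the points in the answer above (example code, not WSO2's): it parses the flat subset of deployment.toml used for [server] and [identity.auth_framework.endpoint] and reports mutual SSL being explicitly disabled, a missing internal_hostname, or a single-node mismatch between hostname and internal_hostname. The sample configs are constructed from the blocks in this thread; the single_node flag is an assumption the caller supplies.

```python
# Added example (not WSO2 code): check a deployment.toml for the [server] and
# [identity.auth_framework.endpoint] settings the answer above ties to the 401 on
# /api/identity/auth/v1.1/data/... The sample configs below are constructed.
import re


def _strip_comment(line):
    """Drop a trailing # comment, ignoring '#' inside double-quoted values."""
    in_quote = False
    for i, ch in enumerate(line):
        if ch == '"':
            in_quote = not in_quote
        elif ch == "#" and not in_quote:
            return line[:i]
    return line


def _coerce(value):
    """Turn a TOML scalar into str / bool / int (the only kinds needed here)."""
    if len(value) >= 2 and value[0] == '"' and value[-1] == '"':
        return value[1:-1]
    if value in ("true", "false"):
        return value == "true"
    if re.fullmatch(r"-?\d+", value):
        return int(value)
    return value


def parse_simple_toml(text):
    """Minimal parser for the flat '[section]' / 'key = value' subset used in
    deployment.toml. [[array]] tables are skipped; nested values are not needed."""
    sections, current = {}, None
    for raw in text.splitlines():
        line = _strip_comment(raw).strip()
        if not line:
            continue
        if line.startswith("[["):          # [[datasource]] etc.: out of scope
            current = None
            continue
        if line.startswith("[") and line.endswith("]"):
            current = line[1:-1].strip()
            sections.setdefault(current, {})
            continue
        if current is not None and "=" in line:
            key, value = (p.strip() for p in line.split("=", 1))
            sections[current][key] = _coerce(value)
    return sections


def check_auth_endpoint_config(toml_text, single_node=True):
    """Return findings (empty list = nothing to fix) for the three points in the
    answer: mutual SSL explicitly disabled, internal_hostname unset, and, on a
    single node, internal_hostname differing from hostname."""
    cfg = parse_simple_toml(toml_text)
    server = cfg.get("server", {})
    endpoint = cfg.get("identity.auth_framework.endpoint", {})
    hostname, internal = server.get("hostname"), server.get("internal_hostname")
    findings = []
    if endpoint.get("mutual_ssl_manager_enabled") is False:
        findings.append("mutual_ssl_manager_enabled=false: remove or comment it out; "
                        "the default in default.json is true")
    if internal is None:
        findings.append("server.internal_hostname is not set: internal API calls use the "
                        "identity.xml ServerHostName (localhost), so the TLS certificate "
                        "SAN must cover that name")
    elif single_node and hostname is not None and internal != hostname:
        findings.append("single node: internal_hostname '%s' should equal hostname '%s'"
                        % (internal, hostname))
    return findings


# Constructed samples: the asker's [server] block with mutual SSL turned off, and the fixed form.
BROKEN_CONFIG = """\
[server]
hostname = "dev.wso2istemp.com"
node_ip = "127.0.0.1"
base_path = "https://$ref{server.hostname}:${carbon.management.port}"

[identity.auth_framework.endpoint]
mutual_ssl_manager_enabled = false
"""

FIXED_CONFIG = """\
[server]
hostname = "dev.wso2istemp.com"
internal_hostname = "dev.wso2istemp.com"   # single node: same as hostname

[identity.auth_framework.endpoint]
app_password = "dashboard"
"""

if __name__ == "__main__":
    for name, text in (("broken", BROKEN_CONFIG), ("fixed", FIXED_CONFIG)):
        print(name, check_auth_endpoint_config(text) or ["ok"])
```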
I have created an MI project using the Hello World Docker template in Integration Studio 7.2.0. I want to set up mTLS for the service. I have configured the keystore like below.
deployment.toml
[keystore.tls]
file_name = "interceptor.jks"
password = "wso2carbon"
alias = "interceptor"
key_password = "wso2carbon"
[truststore]
file_name = "interceptor.jks"
password = "wso2carbon"
alias = "mg"
algorithm="AES"
interceptor.jks contains the client cert with alias mg and the private key with alias interceptor. This service is invoked using cURL as below.
curl --cacert interceptor.pem --cert mg.pem --key mg.key "https://xml-interceptor:8253/api/v1/handle-request" -H "content-type: application/json" -H "accept: application/json" -d '{"requestBody": "eyJuYW1lIjoiVGhlIFByaXNvbmVyIn0="}' -v
And it fails. While it is successful with the -k option, I noticed that the cert received by the client is the one below and not the one I configured in deployment.toml:
* Server certificate:
* subject: C=US; ST=CA; L=Mountain View; O=WSO2; OU=WSO2; CN=localhost
* start date: Oct 23 07:30:43 2019 GMT
* expire date: Jan 25 07:30:43 2022 GMT
* issuer: C=US; ST=CA; L=Mountain View; O=WSO2; OU=WSO2; CN=localhost
* SSL certificate verify result: unable to get local issuer certificate (20), continuing anyway.
> POST /api/v1/handle-request HTTP/1.1
I get this in the Micro Integrator logs:
[2022-06-15 13:38:29,417] WARN {SourceHandler} - I/O error: Received fatal alert: unknown_ca
It seems it is unable to read the cert I configured. Any idea how to sort out this issue?
I have already tried importing the privateKey to wso2carbon.jks as well.
In your case, it seems the keystore is not getting updated.
You can build the Docker image from Integration Studio as specified here [1].
Then you can mount the new keystore into the MI container [2].
[1] - https://apim.docs.wso2.com/en/latest/integrate/develop/create-docker-project/#build-and-push-docker-images
[2] - https://docs.docker.com/storage/volumes/#start-a-container-with-a-volume
I have a few questions regarding the upgrade of WSO2 IS:
Can we directly upgrade WSO2 IS 5.7.0 to 5.11.0?
I'm using Postgres for WSO2 IS 5.7.0; can I get some reference to the changes I need to make in the WSO2 configuration while preparing for the migration?
Do I need to create another database in Postgres for 5.11.0 and then configure it as a datasource in IS?
Update:
I'm getting the following error while performing the upgrade:
erver/
[2021-09-20 12:49:26,279] [] INFO {org.wso2.carbon.core.multitenancy.eager.TenantLoadingConfig} - Using tenant lazy loading policy...
[2021-09-20 12:49:26,315] [] ERROR {org.wso2.carbon.core.internal.permission.update.PermissionUpdater} - Error when updating the permission cache for tenant : -1234 java.lang.NullPointerException
at org.wso2.carbon.core.internal.permission.update.PermissionUpdater.update(PermissionUpdater.java:72)
at org.wso2.carbon.core.internal.permission.update.PermissionUpdateServiceComponent.activate(PermissionUpdateServiceComponent.java:65)
at sun.reflect.NativeMethodAccessorImpl.invoke0(Native Method)
at sun.reflect.NativeMethodAccessorImpl.invoke(NativeMethodAccessorImpl.java:62)
at sun.reflect.DelegatingMethodAccessorImpl.invoke(DelegatingMethodAccessorImpl.java:43)
at java.lang.reflect.Method.invoke(Method.java:498)
at org.eclipse.equinox.internal.ds.model.ServiceComponent.activate(ServiceComponent.java:260)
at org.eclipse.equinox.internal.ds.model.ServiceComponentProp.activate(ServiceComponentProp.java:146)
at org.eclipse.equinox.internal.ds.model.ServiceComponentProp.build(ServiceComponentProp.java:345)
at org.eclipse.equinox.internal.ds.InstanceProcess.buildComponent(InstanceProcess.java:620)
at org.eclipse.equinox.internal.ds.InstanceProcess.buildComponents(InstanceProcess.java:197)
at org.eclipse.equinox.internal.ds.Resolver.getEligible(Resolver.java:343)
at org.eclipse.equinox.internal.ds.SCRManager.serviceChanged(SCRManager.java:222)
at org.eclipse.osgi.internal.serviceregistry.FilteredServiceListener.serviceChanged(FilteredServiceListener.java:113)
at org.eclipse.osgi.internal.framework.BundleContextImpl.dispatchEvent(BundleContextImpl.java:985)
at org.eclipse.osgi.framework.eventmgr.EventManager.dispatchEvent(EventManager.java:234)
at org.eclipse.osgi.framework.eventmgr.ListenerQueue.dispatchEventSynchronous(ListenerQueue.java:151)
at org.eclipse.osgi.internal.serviceregistry.ServiceRegistry.publishServiceEventPrivileged(ServiceRegistry.java:866)
at org.eclipse.osgi.internal.serviceregistry.ServiceRegistry.publishServiceEvent(ServiceRegistry.java:804)
at org.eclipse.osgi.internal.serviceregistry.ServiceRegistrationImpl.register(ServiceRegistrationImpl.java:130)
at org.eclipse.osgi.internal.serviceregistry.ServiceRegistry.registerService(ServiceRegistry.java:228)
at org.eclipse.osgi.internal.framework.BundleContextImpl.registerService(BundleContextImpl.java:525)
at org.eclipse.osgi.internal.framework.BundleContextImpl.registerService(BundleContextImpl.java:544)
at org.wso2.carbon.core.init.CarbonServerManager.initializeCarbon(CarbonServerManager.java:529)
at org.wso2.carbon.core.init.CarbonServerManager.removePendingItem(CarbonServerManager.java:305)
at org.wso2.carbon.core.init.PreAxis2ConfigItemListener.bundleChanged(PreAxis2ConfigItemListener.java:118)
at org.eclipse.osgi.internal.framework.BundleContextImpl.dispatchEvent(BundleContextImpl.java:973)
at org.eclipse.osgi.framework.eventmgr.EventManager.dispatchEvent(EventManager.java:234)
at org.eclipse.osgi.framework.eventmgr.EventManager$EventThread.run(EventManager.java:345)
[2021-09-20 12:49:29,790] [] INFO {org.wso2.carbon.identity.core.internal.IdentityCoreServiceComponent} - Executing Migration client : org.wso2.carbon.is.migration.MigrationClientImpl
[2021-09-20 12:49:29,853] [] INFO {org.wso2.carbon.is.migration.config.Config} - WSO2 Product Migration Service Task : Loading Migration Configs, PATH:C:\Users\msingh11\DOWNLO~1\WSO2IS~1.0\bin..\migration-resources\migration-config.yaml
[2021-09-20 12:49:29,951] [] INFO {org.wso2.carbon.is.migration.config.Config} - WSO2 Product Migration Service Task : Successfully loaded the config file.
[2021-09-20 12:49:29,952] [] INFO {org.wso2.carbon.is.migration.Mi}
The deployment.toml file is:
[server]
hostname = "localhost"
node_ip = "127.0.0.1"
base_path = "https://$ref{server.hostname}:${carbon.management.port}"
[super_admin]
username = "wso2admin"
password = "admin"
create_admin_account = false
[user_store]
class="org.wso2.carbon.user.core.ldap.ReadWriteLDAPUserStoreManager"
connection_url = "ldap://localhost:${Ports.EmbeddedLDAP.LDAPServerPort}"
connection_name = "uid=admin,ou=system"
connection_password = "admin"
user_search_base="ou=Users,dc=wso2,dc=org"
user_name_list_filter="(objectClass=person)"
user_name_search_filter="(&amp;(objectClass=person)(uid=?)"
user_name_attribute= "uid"
user_entry_object_class= "identityPerson"
group_entry_object_class= "groupOfNames"
group_name_attribute= "cn"
group_name_search_filter= "(&amp;(objectClass=groupOfNames)(cn=?))"
group_name_list_filter= "(objectClass=groupOfNames)"
group_search_base="ou=Groups,dc=wso2,dc=org"
membership_attribute= "member"
anonymous_bind= "false"
display_name_attribute= ""
back_links_enabled= "false"
is_bulk_import_supported= "false"
empty_roles_allowed= "true"
password_hash_method= "PLAIN_TEXT"
kdc_enabled= "false"
default_realm_name= "WSO2.ORG"
connection_pooling_enabled= "true"
lDAP_connection_timeout= "5000"
base_dn = "dc=wso2,dc=org" #refers the base dn on which the user and group search bases will be generated
[user_store.properties]
TenantManager="org.wso2.carbon.user.core.tenant.CommonHybridLDAPTenantManager"
[database.carbon_db]
type = "RDBMS"
url = "jdbc:postgresql://localhost:5432/wso2"
username = "wso2admin"
password = "admin"
driver="org.postgresql.Driver"
[database.identity_db]
type = "RDBMS"
url = "jdbc:postgresql://localhost:5432/wso2"
username = "wso2admin"
password = "admin"
driver="org.postgresql.Driver"
[database.shared_db]
type = "RDBMS"
url = "jdbc:postgresql://localhost:5432/wso2"
username = "wso2admin"
password = "admin"
driver="org.postgresql.Driver"
[keystore.primary]
file_name = "wso2carbon.jks"
password = "wso2carbon"
[truststore]
file_name="client-truststore.jks"
password="wso2carbon"
type="JKS"
[account_recovery.endpoint.auth]
hash= "66cd9688a2ae068244ea01e70f0e230f5623b7fa4cdecb65070a09ec06452262"
[identity.auth_framework.endpoint]
app_password= "dashboard"
[[datasource]]
id="source"
url="jdbc:postgresql://localhost:5432/wso2"
username="wso2admin"
password="admin"
driver="org.postgresql.Driver"
[datasource.pool_options]
maxActive="80"
maxWait="60000"
minIdle="5"
testOnBorrow="true"
validationQuery="SELECT 1"
validationInterval="30000"
defaultAutoCommit="false"
[[datasource]]
id="target"
url="jdbc:postgresql://localhost:5432/wso2_new"
username="wso2admin"
password="admin"
driver="org.postgresql.Driver"
[datasource.pool_options]
maxActive="80"
maxWait="60000"
minIdle="5"
testOnBorrow="true"
validationQuery="SELECT 1"
validationInterval="30000"
defaultAutoCommit="false"
# The KeyStore which is used for encrypting/decrypting internal data. By default the primary keystore is used as the internal keystore.
#[keystore.internal]
#file_name = "$ref{keystore.primary.file_name}"
#type = "$ref{keystore.primary.type}"
#password = "$ref{keystore.primary.password}"
#alias = "$ref{keystore.primary.alias}"
#key_password = "$ref{keystore.primary.key_password}"
# The KeyStore which is used for tls communication. By default the primary keystore is used as the tls keystore.
#[keystore.tls]
#file_name = "$ref{keystore.primary.file_name}"
#type = "$ref{keystore.primary.type}"
#password = "$ref{keystore.primary.password}"
#alias = "$ref{keystore.primary.alias}"
#key_password = "$ref{keystore.primary.key_password}"
#Google reCAPTCHA settings.
#[recaptcha]
#enabled = "true"
#api_url = "https://www.google.com/recaptcha/api.js"
#verify_url = "https://www.google.com/recaptcha/api/siteverify"
#site_key = ""
#secret_key = ""
# SMTP email sender settings.
#[output_adapter.email]
#from_address= "abcd#gmail.com"
#username= "abcd"
#password= "xxxx"
#hostname= "smtp.gmail.com"
#port= 587
What am I missing in the config?
Can we directly upgrade wso2is-5.7.0 to wso2is-5.11.0?
Yes, but you need to do a few steps to configure the migration from wso2is-5.7.0 to wso2is-5.11.0.
Make sure that all the prerequisites are met, you can see the prerequisites from here
Next do the pre-steps for the migration by following the details in here
For the resources like the custom components, custom libraries, Keystore managers, tenants, etc. follow the link in here
I'm using Postgres for wso2is-5.7.0, can I get some reference to changes I need to do in the wso2 configuration while preparing for migration?
If you are using the Postgres, during the migration, uuid-ossp extension is created in the database. In order to create this extension, the database user should have the superuser permission. If the user is not already a superuser, assign the permission before starting the migration.
ALTER USER <user> WITH SUPERUSER;
Do I need to create another database in Postgres for wso2is-5.11.0 and then configure it as a data source in IS?
No, you don't want to create another database in Postgres for 5.11.0 and configure it, but as a safety measure you can take a snapshot of your 5.7.0 database and plug it into 5.11.0.
I have created a Web Service Client and Proxy from WSO2 DSS using JDeveloper 11.1.2.3.0.
My data service is secured with UsernameToken (Basic Scenario).
This is my client code:
package pmis.wsdl2;

import java.security.cert.X509Certificate;
import java.util.ArrayList;
import java.util.List;
import java.util.Map;
import javax.annotation.Generated;
import javax.xml.ws.BindingProvider;
import weblogic.security.SSL.TrustManager;
import weblogic.wsee.security.bst.ClientBSTCredentialProvider;
import weblogic.wsee.security.saml.SAMLTrustCredentialProvider;
import weblogic.wsee.security.unt.ClientUNTCredentialProvider;
import weblogic.wsee.security.util.CertUtils;
import weblogic.xml.crypto.wss.WSSecurityContext;
import weblogic.xml.crypto.wss.provider.CredentialProvider;

// This source file is generated by Oracle tools.
// Contents may be subject to change.
// For reporting problems, use the following:
// Generated by Oracle JDeveloper 11g Release 2 11.1.2.3.0.6276
public class SecureSOAP11EndpointClient {
    public static void main(String[] args) {
        IAWSDLREGISTRATIONDataService iAWSDLREGISTRATIONDataService = new IAWSDLREGISTRATIONDataService();
        IAWSDLREGISTRATIONDataServicePortType iAWSDLREGISTRATIONDataServicePortType =
            iAWSDLREGISTRATIONDataService.getSecureSOAP11Endpoint();
        String username = "admin";
        String password = "admin";
        String clientKeyStore = "d:/wso2keystore.jks";
        String clientKeyStorePass = "mypkpassword";
        String clientKeyAlias = "wso2cert";
        String clientKeyPass = "mypkpassword";
        String serverCertFile = "d:/wso2cert.cer";
        List<CredentialProvider> credProviders = new ArrayList<CredentialProvider>();
        // use x509 to secure wssc handshake
        try {
            X509Certificate serverCert = (X509Certificate) CertUtils.getCertificate(serverCertFile);
            CredentialProvider cp =
                new ClientBSTCredentialProvider(clientKeyStore, clientKeyStorePass, clientKeyAlias, clientKeyPass,
                                                "JKS", serverCert);
            credProviders.add(cp);
            // UsernameToken credentials for the WS-Security header
            cp = new ClientUNTCredentialProvider(username.getBytes(), password.getBytes());
            credProviders.add(cp);
            Map<String, Object> rc = ((BindingProvider) iAWSDLREGISTRATIONDataServicePortType).getRequestContext();
            rc.put(WSSecurityContext.CREDENTIAL_PROVIDER_LIST, credProviders);
            // WS-Security trust manager: this callback accepts any certificate chain.
            // It governs WS-Security certificate checks only, not the HTTPS transport's
            // own validation, which uses the JVM's trust store.
            rc.put(WSSecurityContext.TRUST_MANAGER, new TrustManager() {
                public boolean certificateCallback(X509Certificate[] chain, int validateErr) {
                    return true;
                }
            });
            iAWSDLREGISTRATIONDataServicePortType.selectAllIAWSDLREGISTRATIONOperation();
        } catch (Exception ex) {
            ex.printStackTrace();
        }
    }
}
So, when I invoke, I get the following error:
com.sun.xml.ws.client.ClientTransportException: HTTP transport error: javax.net.ssl.SSLHandshakeException: sun.security.validator.ValidatorException: PKIX path building failed: sun.security.provider.certpath.SunCertPathBuilderException: unable to find valid certification path to requested target
at com.sun.xml.ws.transport.http.client.HttpClientTransport.getOutput(HttpClientTransport.java:138)
at com.sun.xml.ws.transport.http.client.HttpTransportPipe.process(HttpTransportPipe.java:187)
at com.sun.xml.ws.transport.http.client.HttpTransportPipe.processRequest(HttpTransportPipe.java:124)
at com.sun.xml.ws.transport.DeferredTransportPipe.processRequest(DeferredTransportPipe.java:121)
at com.sun.xml.ws.api.pipe.Fiber.__doRun(Fiber.java:866)
at com.sun.xml.ws.api.pipe.Fiber._doRun(Fiber.java:815)
at com.sun.xml.ws.api.pipe.Fiber.doRun(Fiber.java:778)
at com.sun.xml.ws.api.pipe.Fiber.runSync(Fiber.java:680)
at com.sun.xml.ws.client.Stub.process(Stub.java:272)
at com.sun.xml.ws.client.sei.SEIStub.doProcess(SEIStub.java:153)
at com.sun.xml.ws.client.sei.SyncMethodHandler.invoke(SyncMethodHandler.java:115)
at com.sun.xml.ws.client.sei.SyncMethodHandler.invoke(SyncMethodHandler.java:95)
at com.sun.xml.ws.client.sei.SEIStub.invoke(SEIStub.java:136)
at $Proxy35.selectAllIAWSDLREGISTRATIONOperation(Unknown Source)
at sun.reflect.NativeMethodAccessorImpl.invoke0(Native Method)
at sun.reflect.NativeMethodAccessorImpl.invoke(NativeMethodAccessorImpl.java:39)
at sun.reflect.DelegatingMethodAccessorImpl.invoke(DelegatingMethodAccessorImpl.java:25)
at java.lang.reflect.Method.invoke(Method.java:597)
at weblogic.wsee.jaxws.spi.ClientInstanceInvocationHandler.invoke(ClientInstanceInvocationHandler.java:84)
at $Proxy36.selectAllIAWSDLREGISTRATIONOperation(Unknown Source)
at pmis.wsdl2.SecureSOAP11EndpointClient.main(SecureSOAP11EndpointClient.java:66)
Caused by: javax.net.ssl.SSLHandshakeException: sun.security.validator.ValidatorException: PKIX path building failed: sun.security.provider.certpath.SunCertPathBuilderException: unable to find valid certification path to requested target
at com.sun.net.ssl.internal.ssl.Alerts.getSSLException(Alerts.java:174)
at com.sun.net.ssl.internal.ssl.SSLSocketImpl.fatal(SSLSocketImpl.java:1649)
at com.sun.net.ssl.internal.ssl.Handshaker.fatalSE(Handshaker.java:241)
at com.sun.net.ssl.internal.ssl.Handshaker.fatalSE(Handshaker.java:235)
at com.sun.net.ssl.internal.ssl.ClientHandshaker.serverCertificate(ClientHandshaker.java:1206)
at com.sun.net.ssl.internal.ssl.ClientHandshaker.processMessage(ClientHandshaker.java:136)
at com.sun.net.ssl.internal.ssl.Handshaker.processLoop(Handshaker.java:593)
at com.sun.net.ssl.internal.ssl.Handshaker.process_record(Handshaker.java:529)
at com.sun.net.ssl.internal.ssl.SSLSocketImpl.readRecord(SSLSocketImpl.java:893)
at com.sun.net.ssl.internal.ssl.SSLSocketImpl.performInitialHandshake(SSLSocketImpl.java:1138)
at com.sun.net.ssl.internal.ssl.SSLSocketImpl.startHandshake(SSLSocketImpl.java:1165)
at com.sun.net.ssl.internal.ssl.SSLSocketImpl.startHandshake(SSLSocketImpl.java:1149)
at sun.net.www.protocol.https.HttpsClient.afterConnect(HttpsClient.java:434)
at sun.net.www.protocol.https.AbstractDelegateHttpsURLConnection.connect(AbstractDelegateHttpsURLConnection.java:166)
at sun.net.www.protocol.http.HttpURLConnection.getOutputStream(HttpURLConnection.java:1014)
at sun.net.www.protocol.https.HttpsURLConnectionImpl.getOutputStream(HttpsURLConnectionImpl.java:230)
at com.sun.xml.ws.transport.http.client.HttpClientTransport.getOutput(HttpClientTransport.java:126)
... 20 more
Caused by: sun.security.validator.ValidatorException: PKIX path building failed: sun.security.provider.certpath.SunCertPathBuilderException: unable to find valid certification path to requested target
at sun.security.validator.PKIXValidator.doBuild(PKIXValidator.java:323)
at sun.security.validator.PKIXValidator.engineValidate(PKIXValidator.java:217)
at sun.security.validator.Validator.validate(Validator.java:218)
at com.sun.net.ssl.internal.ssl.X509TrustManagerImpl.validate(X509TrustManagerImpl.java:126)
at com.sun.net.ssl.internal.ssl.X509TrustManagerImpl.checkServerTrusted(X509TrustManagerImpl.java:209)
at com.sun.net.ssl.internal.ssl.X509TrustManagerImpl.checkServerTrusted(X509TrustManagerImpl.java:249)
at com.sun.net.ssl.internal.ssl.ClientHandshaker.serverCertificate(ClientHandshaker.java:1185)
... 32 more
Caused by: sun.security.provider.certpath.SunCertPathBuilderException: unable to find valid certification path to requested target
at sun.security.provider.certpath.SunCertPathBuilder.engineBuild(SunCertPathBuilder.java:174)
at java.security.cert.CertPathBuilder.build(CertPathBuilder.java:238)
at sun.security.validator.PKIXValidator.doBuild(PKIXValidator.java:318)
... 38 more
I created my certificate the following way:
keytool -genkey -alias wso2cert -keyalg RSA -keysize 1024 -keypass mypkpassword -keystore wso2keystore.jks -storepass mypkpassword
keytool -export -alias wso2cert -keystore wso2keystore.jks -storepass mypkpassword -file wso2cert.cer
keytool -import -alias wso2newcert -file wso2cert.cer -keystore client-truststore.jks -storepass wso2carbon
Please suggest how I can invoke with UsernameToken + SSL.
Are there any other steps required?
Regards,
Eba
After importing the new certificates, you should edit carbon.xml to point to the keystore path:
<KeyStore>
<!-- Keystore file location-->
<Location>${carbon.home}/repository/resources/security/wso2carbon.jks</Location>