We encounter a blocking error during the validation of a JWT token by the gateway.
We are testing an integration environment using two Docker containers on two different virtual machines. The first VM contains APIM 3.0.0 and the second contains IS 5.9 as Key Manager. The IS is federated with Azure AD.
We obtain a well-formed JWT token from the IS with user data from Azure, but the APIM couldn't find a public certificate to verify the signature with the given alias. Both WSO2 components have their own client-truststore.jks updated with the re-created public certificate (we replaced localhost with the public IP of the VMs).
Here are some useful details:
This is the error in the log of the APIM container:
[2020-01-30 15:20:00,072] WARN - SourceHandler I/O error: Received fatal alert: certificate_unknown
[2020-01-30 15:20:00,404] ERROR - GatewayUtils Couldn't find a public certificate to verify signature with alias ZDgzMWM0MTU3NGI3ODkyYTVkN2Q2N2NmYzI5ZWU4ZjcxYTcyYzlkZA_RS256
[2020-01-30 15:20:00,405] ERROR - APIAuthenticationHandler API authentication failure due to Unclassified Authentication Failure
org.wso2.carbon.apimgt.gateway.handlers.security.APISecurityException: Unclassified Authentication Failure
at org.wso2.carbon.apimgt.gateway.handlers.security.APIAuthenticationHandler.isAuthenticate_aroundBody42(APIAuthenticationHandler.java:433) ~[org.wso2.carbon.apimgt.gateway_6.5.349.jar:?]
at org.wso2.carbon.apimgt.gateway.handlers.security.APIAuthenticationHandler.isAuthenticate(APIAuthenticationHandler.java:413) ~[org.wso2.carbon.apimgt.gateway_6.5.349.jar:?]
at org.wso2.carbon.apimgt.gateway.handlers.security.APIAuthenticationHandler.handleRequest_aroundBody36(APIAuthenticationHandler.java:349) [org.wso2.carbon.apimgt.gateway_6.5.349.jar:?]
at org.wso2.carbon.apimgt.gateway.handlers.security.APIAuthenticationHandler.handleRequest(APIAuthenticationHandler.java:320) [org.wso2.carbon.apimgt.gateway_6.5.349.jar:?]
at org.apache.synapse.rest.API.process(API.java:366) [synapse-core_2.1.7.wso2v131.jar:2.1.7-wso2v131]
at org.apache.synapse.rest.RESTRequestHandler.apiProcessNonDefaultStrategy(RESTRequestHandler.java:149) [synapse-core_2.1.7.wso2v131.jar:2.1.7-wso2v131]
at org.apache.synapse.rest.RESTRequestHandler.dispatchToAPI(RESTRequestHandler.java:95) [synapse-core_2.1.7.wso2v131.jar:2.1.7-wso2v131]
at org.apache.synapse.rest.RESTRequestHandler.process(RESTRequestHandler.java:71) [synapse-core_2.1.7.wso2v131.jar:2.1.7-wso2v131]
at org.apache.synapse.core.axis2.Axis2SynapseEnvironment.injectMessage(Axis2SynapseEnvironment.java:325) [synapse-core_2.1.7.wso2v131.jar:2.1.7-wso2v131]
at org.apache.synapse.core.axis2.SynapseMessageReceiver.receive(SynapseMessageReceiver.java:98) [synapse-core_2.1.7.wso2v131.jar:2.1.7-wso2v131]
at org.apache.axis2.engine.AxisEngine.receive(AxisEngine.java:180) [axis2_1.6.1.wso2v38.jar:?]
at org.apache.synapse.transport.passthru.ServerWorker.processNonEntityEnclosingRESTHandler(ServerWorker.java:367) [synapse-nhttp-transport_2.1.7.wso2v131.jar:?]
at org.apache.synapse.transport.passthru.ServerWorker.processEntityEnclosingRequest(ServerWorker.java:412) [synapse-nhttp-transport_2.1.7.wso2v131.jar:?]
at org.apache.synapse.transport.passthru.ServerWorker.run(ServerWorker.java:181) [synapse-nhttp-transport_2.1.7.wso2v131.jar:?]
at org.apache.axis2.transport.base.threads.NativeWorkerPool$1.run(NativeWorkerPool.java:172) [axis2_1.6.1.wso2v38.jar:?]
at java.util.concurrent.ThreadPoolExecutor.runWorker(ThreadPoolExecutor.java:1149) [?:1.8.0_222]
at java.util.concurrent.ThreadPoolExecutor$Worker.run(ThreadPoolExecutor.java:624) [?:1.8.0_222]
at java.lang.Thread.run(Thread.java:748) [?:1.8.0_222]
These are the keys provided by https://my_is_ip:my_port/oauth2/jwks:
{
"keys":[
{
"kty":"RSA",
"e":"AQAB",
"use":"sig",
"kid":"ZDgzMWM0MTU3NGI3ODkyYTVkN2Q2N2NmYzI5ZWU4ZjcxYTcyYzlkZA",
"alg":"RS256",
"n":"nwcvFrmKaAV3WLgNaronqMHZB5BK7czaRwaKAyM0PTR1KzSa3DJw3CtLtcyz6zvU72JmgFMRyu65H_ly51bCOI6UrpJrKs9bW50fVgjrlqAkCHYIP81s6YgmmLJ-LVZqhAN8g8FH_3b27zbzZ6crspaDmFjSfou4t_A6UTSvQRFbCzp9i5WmQLRHHDy74v9zJWeXCSVA9CknXV4dqpPGMVjJOQzmcaRmZs_rWpdasQUul-D59pY22FrtIziZDLVTerGDGir_dJJboFCzS_DXRch44NJk3cU4lrCcsAP2RXyNhVjJPgmilEnr1aRnxY-WNm_5QKGh37Ez8dLJVVw6LQ"
},
{
"kty":"RSA",
"e":"AQAB",
"use":"sig",
"kid":"ZDgzMWM0MTU3NGI3ODkyYTVkN2Q2N2NmYzI5ZWU4ZjcxYTcyYzlkZA_RS256",
"alg":"RS256",
"n":"nwcvFrmKaAV3WLgNaronqMHZB5BK7czaRwaKAyM0PTR1KzSa3DJw3CtLtcyz6zvU72JmgFMRyu65H_ly51bCOI6UrpJrKs9bW50fVgjrlqAkCHYIP81s6YgmmLJ-LVZqhAN8g8FH_3b27zbzZ6crspaDmFjSfou4t_A6UTSvQRFbCzp9i5WmQLRHHDy74v9zJWeXCSVA9CknXV4dqpPGMVjJOQzmcaRmZs_rWpdasQUul-D59pY22FrtIziZDLVTerGDGir_dJJboFCzS_DXRch44NJk3cU4lrCcsAP2RXyNhVjJPgmilEnr1aRnxY-WNm_5QKGh37Ez8dLJVVw6LQ"
}
]
}
This is the result of the Postman call:
<ams:fault xmlns:ams="http://wso2.org/apimanager/security">
<ams:code>900900</ams:code>
<ams:message>Unclassified Authentication Failure</ams:message>
<ams:description>Unclassified Authentication Failure</ams:description>
</ams:fault>
This is the JWT token:
HEADER
{
"x5t": "ZDgzMWM0MTU3NGI3ODkyYTVkN2Q2N2NmYzI5ZWU4ZjcxYTcyYzlkZA",
"kid": "ZDgzMWM0MTU3NGI3ODkyYTVkN2Q2N2NmYzI5ZWU4ZjcxYTcyYzlkZA_RS256",
"alg": "RS256"
}
PAYLOAD
{
"at_hash": "hGnuod6ShKRrlkH_P-k4QA",
"sub": "d6206844-e54b-4ec2-8ace-26b46da24df2",
"ver": "1.0",
"richAccettazionePrivacy": "***************",
"iss": "https://***************:9443/oauth2/token",
"given_name": "***************",
"richAttivazioneCarta": "***************",
"tid": "962b4d1f-a68b-433e-aa78-265ef05d1047",
"aud": [
"dSdZgafomIsRXYQr6XyxIZyjp74a",
"***************"
],
"nbf": 1580399831,
"azp": "dSdZgafomIsRXYQr6XyxIZyjp74a",
"extension_codiceFiscale": "***************",
"scope": "openid",
"auth_time": "1580399827",
"name": "***************",
"exp": 1580403431,
"iat": 1580399831,
"personaId": "***************",
"family_name": "***************",
"jti": "c3b8c9bf-029c-4e51-8969-07f898e5654f",
"email": "***************"
}
How can we solve this problem?
The public certificate of the private key that is used to sign the
tokens should be added to the trust store under the
"gateway_certificate_alias" alias. For more information, see Import
the public certificate into the client trust store.
Ref: https://apim.docs.wso2.com/en/3.0.0/Learn/APISecurity/OAuth2/AccessTokenTypes/jwt-tokens/
We solved it by adding the Identity Server public certificate to the API Manager client-truststore with an alias equal to the kid present in the token header.
As you can see there is no public certificate for the alias ZDgzMWM0MTU3NGI3ODkyYTVkN2Q2N2NmYzI5ZWU4ZjcxYTcyYzlkZA_RS256. What you can do is:
Navigate to the IS_HOME/repository/resources/security/ directory.
Run the following command in that directory (the password is wso2carbon):
keytool -export -alias wso2carbon -file wso2.crt -keystore wso2carbon.jks
This will export a copy of the wso2carbon certificate.
Run the following command in API-M_HOME/repository/resources/security/ to add the wso2carbon public key to the trust store:
keytool -import -trustcacerts -keystore client-truststore.jks -alias ZDgzMWM0MTU3NGI3ODkyYTVkN2Q2N2NmYzI5ZWU4ZjcxYTcyYzlkZA_RS256 -file wso2.crt
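As an added illustration of the diagnosis above (example code, not from the question or from WSO2): the APIM 3.0.0 gateway resolves the signing certificate by looking the token's `kid` up as an alias in client-truststore.jks, so a key that is only published at /oauth2/jwks is not enough. The script decodes the JOSE header, checks the `kid` against a JWKS document and against constructed `keytool -list` output, and returns the import command from the answer when the alias is missing; the token, JWKS and keytool output are constructed samples built around the kid from the question.

```python
import base64
import json
import re

# The kid from the question's token header; everything else below is constructed.
KID = "ZDgzMWM0MTU3NGI3ODkyYTVkN2Q2N2NmYzI5ZWU4ZjcxYTcyYzlkZA_RS256"


def _b64url_encode(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode("ascii")


def _b64url_decode(segment: str) -> bytes:
    # JWT segments drop the '=' padding; restore it before decoding.
    return base64.urlsafe_b64decode(segment + "=" * (-len(segment) % 4))


def make_unsigned_token(header: dict, payload: dict) -> str:
    """Build a compact JWT with a dummy signature, for header-parsing tests only."""
    parts = [json.dumps(header, separators=(",", ":")).encode(),
             json.dumps(payload, separators=(",", ":")).encode(),
             b"dummy-signature"]
    return ".".join(_b64url_encode(p) for p in parts)


def jwt_header(token: str) -> dict:
    """Decode the JOSE header; this does not verify anything."""
    return json.loads(_b64url_decode(token.split(".")[0]))


def truststore_aliases(keytool_output: str) -> set:
    """Alias names from `keytool -list` output (JKS aliases are case-insensitive
    and keytool prints them lower-cased, so compare in lower case)."""
    aliases = set()
    for line in keytool_output.splitlines():
        m = re.match(r"^([^,]+),.*,\s*(trustedCertEntry|PrivateKeyEntry),?\s*$", line)
        if m:
            aliases.add(m.group(1).strip().lower())
    return aliases


def kid_in_jwks(kid: str, jwks: dict) -> bool:
    return any(k.get("kid") == kid for k in jwks.get("keys", []))


def diagnose(token: str, jwks: dict, keytool_output: str) -> dict:
    """Report whether the gateway can find a certificate for the token's kid and,
    if not, the keytool command (from the answer above) that adds it."""
    kid = jwt_header(token)["kid"]
    present = kid.lower() in truststore_aliases(keytool_output)
    fix = None
    if not present:
        fix = ("keytool -import -trustcacerts -keystore client-truststore.jks "
               f"-alias {kid} -file wso2.crt")
    return {"kid": kid, "in_jwks": kid_in_jwks(kid, jwks),
            "in_truststore": present, "fix": fix}


# Constructed samples: the JWKS modulus and fingerprints are placeholders.
SAMPLE_JWKS = {"keys": [{"kty": "RSA", "e": "AQAB", "use": "sig", "kid": KID,
                         "alg": "RS256", "n": "<modulus omitted>"}]}
SAMPLE_TOKEN = make_unsigned_token(
    {"x5t": "ZDgzMWM0MTU3NGI3ODkyYTVkN2Q2N2NmYzI5ZWU4ZjcxYTcyYzlkZA", "kid": KID, "alg": "RS256"},
    {"sub": "example-user", "iss": "https://<is-host>:9443/oauth2/token"})
SAMPLE_KEYTOOL_OUTPUT = """\
Keystore type: JKS
Keystore provider: SUN

Your keystore contains 2 entries

wso2carbon, Jan 30, 2020, trustedCertEntry,
Certificate fingerprint (SHA-256): <fingerprint>
gateway_certificate_alias, Jan 30, 2020, trustedCertEntry,
Certificate fingerprint (SHA-256): <fingerprint>
"""
# The same store after the import command from the answer has been run.
SAMPLE_KEYTOOL_OUTPUT_FIXED = SAMPLE_KEYTOOL_OUTPUT + f"{KID.lower()}, Jan 30, 2020, trustedCertEntry,\n"

if __name__ == "__main__":
    print(json.dumps(diagnose(SAMPLE_TOKEN, SAMPLE_JWKS, SAMPLE_KEYTOOL_OUTPUT), indent=2))
```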
Related
Yesterday I saw that GitLab has enabled OIDC JWT tokens for jobs in CI/CD. I know that CI_JOB_JWT_V2 is marked as an alpha feature.
I was trying to use it with Workflow Identity Federation (WIF) on a GitLab runner with the gcloud CLI, but I'm getting an error. When I tried to do it through the STS API I got the same error. What am I missing?
{
"error": "invalid_grant",
"error_description": "The audience in ID Token [https://gitlab.com] does not match the expected audience."
}
My GitLab JWT token after decoding looks mostly like this (of course without the details)
{
"namespace_id": "1111111111",
"namespace_path": "xxxxxxx/yyyyyyyy/zzzzzzzzzzz",
"project_id": "<project_id>",
"project_path": "xxxxxxx/yyyyyyyy/zzzzzzzzzzz/hf_service",
"user_id": "<user_id>",
"user_login": "<username>",
"user_email": "<user_email>",
"pipeline_id": "456971569",
"pipeline_source": "push",
"job_id": "2019605390",
"ref": "develop",
"ref_type": "branch",
"ref_protected": "true",
"environment": "develop",
"environment_protected": "false",
"jti": "<jti>",
"iss": "https://gitlab.com",
"iat": <number>,
"nbf": <number>,
"exp": <number>,
"sub": "project_path:xxxxxxx/yyyyyyyy/zzzzzzzzzzz/hf_service:ref_type:branch:ref:develop",
"aud": "https://gitlab.com"
}
In the GCP console I have a WIF pool with one provider set to OIDC, named gitlab, with the issuer URL from https://gitlab.com/.well-known/openid-configuration.
I have tried to give the Service Account access to the whole pool but it makes no difference. The config created for this SA looks like the one below
{
"type": "external_account",
"audience": "//iam.googleapis.com/projects/<projectnumber>/locations/global/workloadIdentityPools/<poolname>/providers/gitlab",
"subject_token_type": "urn:ietf:params:oauth:token-type:jwt",
"token_url": "https://sts.googleapis.com/v1/token",
"service_account_impersonation_url": "https://iamcredentials.googleapis.com/v1/projects/-/serviceAccounts/gitlab-deployer@<projectid>.iam.gserviceaccount.com:generateAccessToken",
"credential_source": {
"file": "gitlab_token",
"format": {
"type": "text"
}
}
}
By default, workload identity federation expects the aud claim to contain the URL of the workload identity pool provider. This URL looks like this:
https://iam.googleapis.com/projects/PROJECT_NUMBER/locations/global/workloadIdentityPools/POOL_ID/providers/PROVIDER_ID
But your token seems to use https://gitlab.com as audience.
Either reconfigure GitHub to use the workload identity pool provider URL as audience, or reconfigure the pool to use a custom audience by running
gcloud iam workload-identity-pools providers update-oidc ... \
--allowed-audiences=https://gitlab.com
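To make the mismatch concrete, an added example (not the asker's or Google's code) that reproduces the audience check STS applies: it derives the default expected audience from the credential config's scheme-less `audience` value, normalises `aud` (a string or an array), and models `--allowed-audiences` as an override. The claims and config are constructed from the question, placeholders included.

```python
# Credential config from the question, reduced to the fields the audience check uses.
CREDENTIAL_CONFIG = {
    "type": "external_account",
    "audience": "//iam.googleapis.com/projects/<projectnumber>/locations/global/"
                "workloadIdentityPools/<poolname>/providers/gitlab",
    "subject_token_type": "urn:ietf:params:oauth:token-type:jwt",
    "token_url": "https://sts.googleapis.com/v1/token",
}

# Constructed from the decoded CI_JOB_JWT_V2 in the question (other claims omitted).
GITLAB_CLAIMS = {
    "iss": "https://gitlab.com",
    "sub": "project_path:xxxxxxx/yyyyyyyy/zzzzzzzzzzz/hf_service:ref_type:branch:ref:develop",
    "aud": "https://gitlab.com",
}


def provider_url(credential_config: dict) -> str:
    """Pool provider URL that STS expects in `aud` by default.

    The credential config stores it scheme-less ('//iam.googleapis.com/...');
    the token has to carry the https form."""
    audience = credential_config["audience"]
    if not audience.startswith("//iam.googleapis.com/projects/"):
        raise ValueError("not a workload identity pool provider audience: " + audience)
    return "https:" + audience


def token_audiences(claims: dict) -> list:
    """`aud` may be a string or an array (RFC 7519 section 4.1.3); normalise to a list."""
    aud = claims.get("aud")
    if aud is None:
        return []
    return [aud] if isinstance(aud, str) else list(aud)


def audience_accepted(claims: dict, credential_config: dict, allowed_audiences=None) -> tuple:
    """Return (accepted, expected_audiences).

    allowed_audiences models `--allowed-audiences` on the provider; when it is
    unset, the only accepted value is the provider URL from the credential config."""
    expected = list(allowed_audiences) if allowed_audiences else [provider_url(credential_config)]
    presented = token_audiences(claims)
    return any(a in expected for a in presented), expected


def describe_mismatch(claims: dict, credential_config: dict, allowed_audiences=None):
    """None when the token is accepted, otherwise a message in the style of the
    invalid_grant error from the question."""
    accepted, expected = audience_accepted(claims, credential_config, allowed_audiences)
    if accepted:
        return None
    return (f"The audience in ID Token {token_audiences(claims)} does not match "
            f"the expected audience {expected}.")


if __name__ == "__main__":
    print(describe_mismatch(GITLAB_CLAIMS, CREDENTIAL_CONFIG))
    print(describe_mismatch(GITLAB_CLAIMS, CREDENTIAL_CONFIG, ["https://gitlab.com"]))
```

In GitLab releases that support the `id_tokens` keyword in .gitlab-ci.yml, its `aud:` setting is what changes the token side; CI_JOB_JWT_V2 carries the GitLab URL as its audience, as the question shows.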
I'm currently using the python-social-auth/social-core lib with a Django app, which is configured (and working) to authenticate Wagtail CMS users with our (free) Azure Active Directory tenant.
Our NFRs stipulate that authentication should occur using OpenID Connect, and to this end we've installed "social-auth-core" with the "openidconnect" extra like this in requirements.txt:
...
social-auth-core[openidconnect]
social-auth-app-django
...
Again, things seem to work A-OK and users can log in, but here's my problem, and I know I'm missing something here:
As far as I know, OpenID Connect is simply a modification/addition to OAuth 2.0 that gives OAuth superpowers of authentication, not just authorisation, but I don't know if my Django+Wagtail app is now just automagically configured to "just work" as/with OpenID Connect, or whether there's some additional logic/validation/config/whatever that I need to apply to the app.
I don't see anything relevant in the official python-social-auth docs for Azure AD, and I don't see how/if I need to explicitly enable OpenID within Azure AD itself.
Can anyone help?
Thank you.
I dug into the OpenID Connect docs for Azure AD and two things I identified as being indicators of OpenID:
That state=openid is used in the MS /oauth2/authorize endpoint
That openid responses arrive back with an OpenID "id_token" key
Docs:
https://learn.microsoft.com/en-us/azure/active-directory/develop/v2-protocols-oidc
https://learn.microsoft.com/en-us/azure/active-directory/develop/id-tokens
Authentication Response:
{
"token_type": "Bearer",
"expires_in": "3599",
"ext_expires_in": "3599",
"expires_on": "1603915195",
"access_token": "*****",
"refresh_token": "*****",
"id_token": "*****",
"aud": "*****",
"iss": "https://sts.windows.net/*****-*****-*****-*****-*****/",
"iat": 1603911295,
"nbf": 1603911295,
"exp": 1603915195,
"amr": [
"pwd"
],
"family_name": "Joe",
"given_name": "Blow",
"ipaddr": "***.***.***.***",
"name": "Joe",
"oid": "*****-*****-*****-*****-*****",
"rh": "*****",
"sub": "*****",
"tid": "*****-*****-*****-*****-*****",
"unique_name": "joe@somedomain.onmicrosoft.com",
"upn": "joe@somedomain.onmicrosoft.com",
"uti": "*****",
"ver": "1.0"
}
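As an added example (not the asker's code, and not a description of what python-social-auth itself does): the id_token, the second indicator above, is what OIDC adds on top of the OAuth 2.0 access token, and it only provides authentication if the relying party validates it. The function below performs the claim-level checks for an Azure AD id_token (issuer for the tenant, tid, aud, exp/nbf, sub) on a claim set constructed from the response above, with placeholders for the masked values; signature verification against the tenant's JWKS is assumed to happen before these checks.

```python
import time

# Constructed from the Azure AD v1.0 id_token claims shown above; masked values
# are replaced with labelled placeholders.
SAMPLE_ID_TOKEN_CLAIMS = {
    "aud": "<client-id>",
    "iss": "https://sts.windows.net/<tenant-id>/",
    "iat": 1603911295,
    "nbf": 1603911295,
    "exp": 1603915195,
    "amr": ["pwd"],
    "oid": "<object-id>",
    "sub": "<subject>",
    "tid": "<tenant-id>",
    "upn": "joe@somedomain.onmicrosoft.com",
    "ver": "1.0",
}


def expected_issuers(tenant_id: str) -> set:
    """Issuer values Azure AD uses for one tenant: the v1.0 endpoint (as in the
    response above) and the v2.0 endpoint."""
    return {
        f"https://sts.windows.net/{tenant_id}/",
        f"https://login.microsoftonline.com/{tenant_id}/v2.0",
    }


def validate_id_token_claims(claims: dict, client_id: str, tenant_id: str,
                             now: int = None, leeway: int = 60) -> list:
    """Return a list of problems with the id_token claims; an empty list means the
    claims are acceptable for this app (client_id) and tenant.

    Only claim checks are done here; the signature must already have been verified
    against the keys published in the tenant's OpenID configuration."""
    now = int(time.time()) if now is None else now
    problems = []
    if claims.get("iss") not in expected_issuers(tenant_id):
        problems.append(f"iss {claims.get('iss')!r} is not an issuer for tenant {tenant_id}")
    if claims.get("tid") != tenant_id:
        problems.append(f"tid {claims.get('tid')!r} does not match tenant {tenant_id}")
    aud = claims.get("aud")
    audiences = [aud] if isinstance(aud, str) else list(aud or [])
    if client_id not in audiences:
        problems.append(f"aud {audiences} does not contain this app's client id")
    exp, nbf = claims.get("exp"), claims.get("nbf")
    if not isinstance(exp, int) or now >= exp + leeway:
        problems.append(f"exp {exp} has passed")
    if isinstance(nbf, int) and now < nbf - leeway:
        problems.append(f"nbf {nbf} is in the future")
    if not claims.get("sub"):
        problems.append("sub is missing")
    return problems


if __name__ == "__main__":
    # Evaluate at a time shortly after the sample token was issued.
    print(validate_id_token_claims(SAMPLE_ID_TOKEN_CLAIMS, "<client-id>", "<tenant-id>", 1603911300))
    print(validate_id_token_claims(SAMPLE_ID_TOKEN_CLAIMS, "other-app", "<tenant-id>", 1603911300))
```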
I have a WSO2 APIM 3.2 setup with WSO2 KM 5.10. I have configured the APIM to pass end-user attributes to the backend but cannot get the role claim returned. The APIM and the KM are on separate machines. I seem to get just the standard claims returned. I have enabled the required sections of the deployment.toml and I'm not seeing what I have wrong. Any help would be appreciated.
[apim.jwt]
enable = true
claim_dialect = "http://wso2.org/claims"
claims_extractor_impl = "org.wso2.carbon.apimgt.impl.token.ExtendedDefaultClaimsRetriever"
Here is what is returned.
{
"http://wso2.org/claims/apiname": "xxxxxxxx",
"http://wso2.org/claims/applicationtier": "Unlimited",
"http://wso2.org/claims/version": "1.0.0",
"http://wso2.org/claims/keytype": "PRODUCTION",
"iss": "wso2.org/products/am",
"http://wso2.org/claims/applicationname": "xxxxxx",
"http://wso2.org/claims/enduser": "xxxxxx",
"http://wso2.org/claims/enduserTenantId": "-1234",
"http://wso2.org/claims/applicationUUId": "348d1ff9-06f5-4f3f-aa94-83f32f4a1f2a",
"http://wso2.org/claims/subscriber": "xxxxxxx",
"azp": "NjYtixQB4VbFLeunCrj1U1ZYcfga",
"http://wso2.org/claims/tier": "Unlimited",
"scope": "openid",
"exp": 1601500346,
"http://wso2.org/claims/applicationid": "8",
"http://wso2.org/claims/usertype": "Application_User",
"http://wso2.org/claims/apicontext": "/xxxxxxxxxxx"
}
{
"sub": "admin@carbon.super",
"aud": "eZi3HFaydfnHtlZRZDpzuz6N5pMa",
"nbf": 1602022037,
"azp": "eZi3HFaydfnHtlZRZDpzuz6N5pMa",
"scope": "am_application_scope default",
"iss": "https://xxxxxxxxxxxxxxxx",
"exp": 1602025637,
"iat": 1602022037,
"jti": "7845227d-6800-4ff2-9982-3d338e45abb6"
}
There are two ways to include user claims in the backend JWT:
Implement a custom token generator
Add the required claims to the JWT access token
Adding the required claims to the JWT access token
APIM 3.2.0 supports only JWT access tokens for the new applications it registers. To include any user claims in the backend JWT, the required claims should be in the JWT access token, since the GW is responsible for generating the backend JWT.
To include user claims in the JWT access token, follow the steps below.
Identify the service provider for the application from the management console
Edit the service provider and configure the requested claims under the Claim Configuration menu
Generate an access token with the openid scope
curl -k -X POST https://localhost:8243/token -d "grant_type=client_credentials&scope=openid" -H "Authorization: Basic VEJEMXJZazZpSWVlaTlnVzRNTENBYXNEQW9JYTpkRnJ0bVJjaklqUUtkSVVYeVY4aWxlZjBQNWdh"
An access token will be issued with the requested claims
{
"sub": "admin@carbon.super",
"aud": "TBD1rYk6iIeei9gW4MLCAasDAoIa",
"nbf": 1602047260,
"azp": "TBD1rYk6iIeei9gW4MLCAasDAoIa",
"scope": "am_application_scope openid",
"iss": "https://localhost:9443/oauth2/token",
"groups": [
"Internal/subscriber",
"Internal/creator",
"Application/apim_devportal",
"Application/admin_sample_PRODUCTION",
"Internal/publisher",
"Internal/everyone",
"Internal/devops",
"Application/apim_admin_portal",
"Application/admin_key1_PRODUCTION",
"admin",
"Internal/analytics",
"Application/apim_publisher"
],
"exp": 1602050860,
"iat": 1602047260,
"jti": "d74a617e-e976-42f4-8323-c1c2271d046e"
}
Access an API with the above access token and the backend JWT will contain the required claims.
I'm trying to use Google Cloud Platform with a GKE-deployed backend.
I have a swagger file for the endpoints that works fine when not using security.
I added the API key definition to the swagger file:
paths:
  /create:
    post:
      ...
      security:
        - api_key: []
securityDefinitions:
  api_key:
    type: "apiKey"
    name: "key"
    in: "query"
and now if I try to post to it I get the expected
{
"code": 16,
"message": "Method doesn't allow unregistered callers (callers without established identity). Please use API Key or other form of API consumer identity to call this API.",
"details": [
{
"@type": "type.googleapis.com/google.rpc.DebugInfo",
"stackEntries": [],
"detail": "service_control"
}
]
}
Good, now I created an API key in the Credentials section of GCP.
I updated the POST request to include ?key=API_KEY and got the following error:
{
"code": 13,
"message": "\b#The caller does not have permission",
"details": [
{
"@type": "type.googleapis.com/google.rpc.DebugInfo",
"stackEntries": [],
"detail": "service_control"
}
]
}
I can't find any info about this error; does it mean that my API key has no rights for this endpoint? If so, how can I fix this?
Confirm that you have the required services enabled:
gcloud services enable servicemanagement.googleapis.com
gcloud services enable servicecontrol.googleapis.com
gcloud services enable endpoints.googleapis.com
Also enable your Endpoints service:
gcloud services enable ENDPOINTS_SERVICE_NAME
I followed the Enabling Role-Based Access Control Using XACML guide. I could set everything up without any issue, but when invoking the API it responds with the error below.
<am:fault xmlns:am="http://wso2.org/apimanager">
<am:code>0</am:code>
<am:type>Status report</am:type>
<am:message>Runtime Error</am:message>
<am:description>Error occurred while evaluating the policy</am:description>
</am:fault>
And in the APIM log I can see the error below. I'm running APIM 2.6 and IS 5.3 on the same machine with an offset of 2 in AM. It seems the issue is with the remoteServiceUrl="https://127.0.0.1:9443/services" URL in EntitlementMediator.xml mentioned in step 14 of the given guide.
[2019-05-28 12:33:05,162] INFO - HTTPSender Unable to sendViaPost to url[https://127.0.0.1:9443/services/EntitlementService]
javax.net.ssl.SSLPeerUnverifiedException: peer not authenticated
at sun.security.ssl.SSLSessionImpl.getPeerCertificates(SSLSessionImpl.java:431)
at org.apache.commons.httpclient.protocol.SSLProtocolSocketFactory.verifyHostName(SSLProtocolSocketFactory.java:276)
at org.apache.commons.httpclient.protocol.SSLProtocolSocketFactory.createSocket(SSLProtocolSocketFactory.java:186)
at org.apache.commons.httpclient.HttpConnection.open(HttpConnection.java:707)
at org.apache.commons.httpclient.MultiThreadedHttpConnectionManager$HttpConnectionAdapter.open(MultiThreadedHttpConnectionManager.java:1361)
at org.apache.commons.httpclient.HttpMethodDirector.executeWithRetry(HttpMethodDirector.java:387)
at org.apache.commons.httpclient.HttpMethodDirector.executeMethod(HttpMethodDirector.java:171)
at org.apache.commons.httpclient.HttpClient.executeMethod(HttpClient.java:397)
at org.apache.axis2.transport.http.AbstractHTTPSender.executeMethod(AbstractHTTPSender.java:704)
at org.apache.axis2.transport.http.HTTPSender.sendViaPost(HTTPSender.java:199)
at org.apache.axis2.transport.http.HTTPSender.send(HTTPSender.java:81)
at org.apache.axis2.transport.http.CommonsHTTPTransportSender.writeMessageWithCommons(CommonsHTTPTransportSender.java:459)
at org.apache.axis2.transport.http.CommonsHTTPTransportSender.invoke(CommonsHTTPTransportSender.java:286)
at org.apache.axis2.engine.AxisEngine.send(AxisEngine.java:442)
at org.apache.axis2.description.OutInAxisOperationClient.send(OutInAxisOperation.java:441)
at org.apache.axis2.description.OutInAxisOperationClient.executeImpl(OutInAxisOperation.java:227)
at org.apache.axis2.client.OperationClient.execute(OperationClient.java:149)
at org.wso2.carbon.identity.entitlement.stub.EntitlementServiceStub.getDecision(EntitlementServiceStub.java:836)
at org.wso2.carbon.identity.entitlement.proxy.soap.basicAuth.BasicAuthEntitlementServiceClient.getDecision(BasicAuthEntitlementServiceClient.java:259)
at org.wso2.carbon.identity.entitlement.proxy.soap.basicAuth.BasicAuthEntitlementServiceClient.getDecision(BasicAuthEntitlementServiceClient.java:123)
at org.wso2.carbon.identity.entitlement.proxy.PEPProxy.getDecision(PEPProxy.java:94)
at org.wso2.carbon.identity.entitlement.proxy.PEPProxy.getDecision(PEPProxy.java:66)
at org.wso2.carbon.identity.entitlement.mediator.EntitlementMediator.mediate(EntitlementMediator.java:203)
at org.apache.synapse.mediators.AbstractListMediator.mediate(AbstractListMediator.java:108)
at org.apache.synapse.mediators.AbstractListMediator.mediate(AbstractListMediator.java:70)
at org.apache.synapse.mediators.base.SequenceMediator.mediate(SequenceMediator.java:158)
at org.wso2.carbon.apimgt.gateway.handlers.ext.APIManagerExtensionHandler.mediate(APIManagerExtensionHandler.java:66)
at org.wso2.carbon.apimgt.gateway.handlers.ext.APIManagerExtensionHandler.handleRequest(APIManagerExtensionHandler.java:75)
at org.apache.synapse.rest.API.process(API.java:325)
at org.apache.synapse.rest.RESTRequestHandler.apiProcessNonDefaultStrategy(RESTRequestHandler.java:149)
at org.apache.synapse.rest.RESTRequestHandler.dispatchToAPI(RESTRequestHandler.java:95)
at org.apache.synapse.rest.RESTRequestHandler.process(RESTRequestHandler.java:71)
at org.apache.synapse.core.axis2.Axis2SynapseEnvironment.injectMessage(Axis2SynapseEnvironment.java:303)
at org.apache.synapse.core.axis2.SynapseMessageReceiver.receive(SynapseMessageReceiver.java:92)
at org.apache.axis2.engine.AxisEngine.receive(AxisEngine.java:180)
at org.apache.synapse.transport.passthru.ServerWorker.processNonEntityEnclosingRESTHandler(ServerWorker.java:337)
at org.apache.synapse.transport.passthru.ServerWorker.run(ServerWorker.java:158)
at org.apache.axis2.transport.base.threads.NativeWorkerPool$1.run(NativeWorkerPool.java:172)
at java.util.concurrent.ThreadPoolExecutor.runWorker(ThreadPoolExecutor.java:1142)
at java.util.concurrent.ThreadPoolExecutor$Worker.run(ThreadPoolExecutor.java:617)
at java.lang.Thread.run(Thread.java:745)
[2019-05-28 12:33:05,164] ERROR - EntitlementMediator Error occurred while evaluating the policy
org.apache.axis2.AxisFault: peer not authenticated
at org.apache.axis2.AxisFault.makeFault(AxisFault.java:430)
at org.apache.axis2.transport.http.HTTPSender.sendViaPost(HTTPSender.java:203)
at org.apache.axis2.transport.http.HTTPSender.send(HTTPSender.java:81)
at org.apache.axis2.transport.http.CommonsHTTPTransportSender.writeMessageWithCommons(CommonsHTTPTransportSender.java:459)
at org.apache.axis2.transport.http.CommonsHTTPTransportSender.invoke(CommonsHTTPTransportSender.java:286)
at org.apache.axis2.engine.AxisEngine.send(AxisEngine.java:442)
at org.apache.axis2.description.OutInAxisOperationClient.send(OutInAxisOperation.java:441)
at org.apache.axis2.description.OutInAxisOperationClient.executeImpl(OutInAxisOperation.java:227)
at org.apache.axis2.client.OperationClient.execute(OperationClient.java:149)
at org.wso2.carbon.identity.entitlement.stub.EntitlementServiceStub.getDecision(EntitlementServiceStub.java:836)
at org.wso2.carbon.identity.entitlement.proxy.soap.basicAuth.BasicAuthEntitlementServiceClient.getDecision(BasicAuthEntitlementServiceClient.java:259)
at org.wso2.carbon.identity.entitlement.proxy.soap.basicAuth.BasicAuthEntitlementServiceClient.getDecision(BasicAuthEntitlementServiceClient.java:123)
at org.wso2.carbon.identity.entitlement.proxy.PEPProxy.getDecision(PEPProxy.java:94)
at org.wso2.carbon.identity.entitlement.proxy.PEPProxy.getDecision(PEPProxy.java:66)
at org.wso2.carbon.identity.entitlement.mediator.EntitlementMediator.mediate(EntitlementMediator.java:203)
at org.apache.synapse.mediators.AbstractListMediator.mediate(AbstractListMediator.java:108)
at org.apache.synapse.mediators.AbstractListMediator.mediate(AbstractListMediator.java:70)
at org.apache.synapse.mediators.base.SequenceMediator.mediate(SequenceMediator.java:158)
at org.wso2.carbon.apimgt.gateway.handlers.ext.APIManagerExtensionHandler.mediate(APIManagerExtensionHandler.java:66)
at org.wso2.carbon.apimgt.gateway.handlers.ext.APIManagerExtensionHandler.handleRequest(APIManagerExtensionHandler.java:75)
at org.apache.synapse.rest.API.process(API.java:325)
at org.apache.synapse.rest.RESTRequestHandler.apiProcessNonDefaultStrategy(RESTRequestHandler.java:149)
at org.apache.synapse.rest.RESTRequestHandler.dispatchToAPI(RESTRequestHandler.java:95)
at org.apache.synapse.rest.RESTRequestHandler.process(RESTRequestHandler.java:71)
at org.apache.synapse.core.axis2.Axis2SynapseEnvironment.injectMessage(Axis2SynapseEnvironment.java:303)
at org.apache.synapse.core.axis2.SynapseMessageReceiver.receive(SynapseMessageReceiver.java:92)
at org.apache.axis2.engine.AxisEngine.receive(AxisEngine.java:180)
at org.apache.synapse.transport.passthru.ServerWorker.processNonEntityEnclosingRESTHandler(ServerWorker.java:337)
at org.apache.synapse.transport.passthru.ServerWorker.run(ServerWorker.java:158)
at org.apache.axis2.transport.base.threads.NativeWorkerPool$1.run(NativeWorkerPool.java:172)
at java.util.concurrent.ThreadPoolExecutor.runWorker(ThreadPoolExecutor.java:1142)
at java.util.concurrent.ThreadPoolExecutor$Worker.run(ThreadPoolExecutor.java:617)
at java.lang.Thread.run(Thread.java:745)
Caused by: javax.net.ssl.SSLPeerUnverifiedException: peer not authenticated
at sun.security.ssl.SSLSessionImpl.getPeerCertificates(SSLSessionImpl.java:431)
at org.apache.commons.httpclient.protocol.SSLProtocolSocketFactory.verifyHostName(SSLProtocolSocketFactory.java:276)
at org.apache.commons.httpclient.protocol.SSLProtocolSocketFactory.createSocket(SSLProtocolSocketFactory.java:186)
at org.apache.commons.httpclient.HttpConnection.open(HttpConnection.java:707)
at org.apache.commons.httpclient.MultiThreadedHttpConnectionManager$HttpConnectionAdapter.open(MultiThreadedHttpConnectionManager.java:1361)
at org.apache.commons.httpclient.HttpMethodDirector.executeWithRetry(HttpMethodDirector.java:387)
at org.apache.commons.httpclient.HttpMethodDirector.executeMethod(HttpMethodDirector.java:171)
at org.apache.commons.httpclient.HttpClient.executeMethod(HttpClient.java:397)
at org.apache.axis2.transport.http.AbstractHTTPSender.executeMethod(AbstractHTTPSender.java:704)
at org.apache.axis2.transport.http.HTTPSender.sendViaPost(HTTPSender.java:199)
... 31 more
[2019-05-28 12:33:05,172] INFO - LogMediator STATUS = Executing default 'fault' sequence, ERROR_CODE = 0, ERROR_MESSAGE = Error occurred while evaluating the policy
There is a host name verification issue when the entitlement mediator tries to invoke the EntitlementService exposed by WSO2 IS.
You need to correctly export the public cert from APIM and import it into the WSO2 IS trust store. In the public cert the CN value should be equal to the hostname or IP address.
As far as I can remember, the primary key store key length is different in APIM 2.6.0 and IS 5.3.0. However, the above step should resolve your issue.
Furthermore, this should work out of the box if you have used a later version of WSO2 IS than 5.3.0 with default host names and default public certs.