I am trying to configure WSO2 API Manager tooling in Eclipse Luna, as per https://apim.docs.wso2.com/en/latest/Learn/APIGateway/MessageMediation/pass-a-custom-authorization-token-to-the-backend/; however, I keep getting javax.net.ssl.SSLHandshakeException when I try to connect to the API Manager instance. I have added the public certificate to the Java trust store and also tried pointing Eclipse to a custom truststore where the public cert is added, but still no luck. I have Java 8 installed on Mojave. I am not sure if it is related to the new version of API Manager. Here is the error message and stack trace.
Error Message
Getting WS Feature Available in Regisrty check failed Connection has been shutdown: javax.net.ssl.SSLHandshakeException: sun.security.validator.ValidatorException: PKIX path building failed: sun.security.provider.certpath.SunCertPathBuilderException: unable to find valid certification path to requested target
https://pastebin.com/5bSpKJ4x Stack trace link
This is an SSL handshake error, which usually occurs if you don't have trusted certificates in your trust store. Do the following:
Download the certificate from whatever back-end service you are trying to hit.
Add it to the client-truststore.jks file in < apim-home >/repository/resources/security using the following command in cmd.
Open cmd from \jdk\bin
keytool -keystore "< apim-home >\repository\resources\security\client-truststore.jks" -storepass wso2carbon -importcert -file "< certFile-location >"
Related
I'm trying to build the GraalVM compiler using the mx build tool. I've Python 3.10.4 and Java 17.0.2 in my PATH. However, when I run mx I get the following message:
Downloading COMMONS_MATH3_3_2 from ['https://repo1.maven.org/maven2/org/apache/commons/commons-math3/3.2/commons-math3-3.2.jar', 'https://search.maven.org/remotecontent?filepath=org/apache/commons/commons-math3/3.2/commons-math3-3.2.jar']
Error downloading from https://repo1.maven.org/maven2/jline/jline/2.14.6/jline-2.14.6.jar to /Users/cesarsv/.mx/cache/JLINE_c3aeac59c022bdc497c8c48ed86fa50450e4896a/jline.jar: <urlopen error [SSL: CERTIFICATE_VERIFY_FAILED] certificate verify failed: unable to get local issuer certificate (_ssl.c:997)>
WARNING: ** If behind a firewall without direct internet access, use the http_proxy environment variable (e.g. "env http_proxy=proxy.company.com:80 mx ...") or download manually with a web browser.
Error downloading from https://repo1.maven.org/maven2/org/scala-lang/scala-reflect/2.12.2/scala-reflect-2.12.2.jar to /Users/cesarsv/.mx/cache/SCALA_REFLECT_12_fa13c13351566738ff156ef8a56b869868f4b77e/scala-reflect-12.jar: <urlopen error [SSL: CERTIFICATE_VERIFY_FAILED] certificate verify failed: unable to get local issuer certificate (_ssl.c:997)>
...
The error seems to be related to an SSL certificate validation when downloading the dependencies necessary for the GraalVM build with mx. There is no clear solution for this issue in the GitHub repo of the used tools.
It seems that mx uses Python to fetch the artifacts that it needs for the build from external repositories. Python 3.7 and above don't have any SSL certificates activated by default. Therefore, the scripts used by mx can't validate any SSL connections.
So I activated SSL in Python manually by creating and running the file install_certificates.command, and it solved my problem.
I've tried to install an instance on AWS using AWS RDS as my datasource through the mysql-connector-java-5.1.45-bin.jar with the JDBC URL
jdbc:mysql://< instance>.< zone>.rds.amazonaws.com:3306/carbon_db
I've got an exception:
com.mysql.jdbc.exceptions.jdbc4.CommunicationsException: Communications link failure
com.mysql.jdbc.exceptions.jdbc4.CommunicationsException: Communications link failure
The last packet successfully received from the server was 7 milliseconds ago. The last packet sent successfully to the server was 7 milliseconds ago.
at sun.reflect.NativeConstructorAccessorImpl.newInstance0(Native Method)
at sun.reflect.NativeConstructorAccessorImpl.newInstance(NativeConstructorAccessorImpl.java:62)
at sun.reflect.DelegatingConstructorAccessorImpl.newInstance(DelegatingConstructorAccessorImpl.java:45)
at java.lang.reflect.Constructor.newInstance(Constructor.java:423)
at com.mysql.jdbc.Util.handleNewInstance(Util.java:425)
.
.
.
Caused by: javax.net.ssl.SSLHandshakeException: Received fatal alert: unknown_ca
I've tried to run
keytool -importcert -keystore <keystore> -storepass <pass> -noprompt -file rds-combined-ca-bundle.pem
on cacerts.jks in the JVM and client-truststore.jks inside the WSO2 repository, with no effect.
This happens because the public certificate from your DB connection is not trusted by the WSO2 Identity Server.
Since you have tried adding the certificate, verify whether this has been added properly.
Get the public certificate from your DB instance.
Go to the <IS_HOME>/repository/resources/security folder. Import the public certificate to the client-truststore.jks file. Use the command below.
keytool -importcert -file certificate.cer -keystore client-truststore.jks -alias "Alias"
Restart the WSO2 IS instance and check if the issue still persists.
According to the MySQL connector documentation in [1], the following JDBC URL parameters should be included in the JDBC URL to enable SSL communication between the MySQL server and the WSO2 server.
useSSL=true
requireSSL=true
clientCertificateKeyStoreUrl
clientCertificateKeyStorePassword
I was able to successfully create the secure connection between MySQL server and the wso2 server with the below JDBC URL.
jdbc:mysql://<HOST_NAME>:<PORT>/apimgtdb?useSSL=true&requireSSL=true&clientCertificateKeyStoreUrl=file:<WSO2_HOME>/repository/resources/security/client-truststore.jks&clientCertificateKeyStorePassword=wso2carbon
I am getting the following error while trying to add an endpoint which uses a self-signed certificate. Please find the image below.
[2017-07-11 11:09:52,227] ERROR - APIProviderHostObject Error occurred while connecting to backend : https://mytestserver.com, reason : sun.security.validator.ValidatorException: PKIX path building failed: sun.security.provider.certpath.SunCertPathBuilderException: unable to find valid certification path to requested target
javax.net.ssl.SSLHandshakeException: sun.security.validator.ValidatorException: PKIX path building failed: sun.security.provider.certpath.SunCertPathBuilderException: unable to find valid certification path to requested target
Can you please let me know how to fix this issue ?
So far I have tried the following
1. adding -Dhttpclient.hostnameVerifier=AllowAll property
2. Created a new keystore and added the self-signed certificate. Also added self-signed certificate to the java keystore
You have to get the public certificate of this host, and install it to APIM's client-truststore.jks file.
keytool -importcert -alias MyCompany -keystore client-truststore.jks -file MyCompany.crt
While connecting to Amazon Redshift, I am getting the error below:
2016-04-14 13:49:30 ERROR SQL Exception when connecting [Amazon](500150) Error setting/closing connection: General SSLEngine problem.
java.sql.SQLException: [Amazon](500150) Error setting/closing connection: General SSLEngine problem.
at workbench.db.DbDriver.connect(DbDriver.java:546)
at workbench.db.ConnectionMgr.connect(ConnectionMgr.java:244)
at workbench.db.ConnectionMgr.getConnection(ConnectionMgr.java:172)
at workbench.gui.components.ConnectionSelector.doConnect(ConnectionSelector.java:227)
at workbench.gui.components.ConnectionSelector$1.run(ConnectionSelector.java:131)
Caused by: java.sql.SQLException: [Amazon](500150) Error setting/closing connection: General SSLEngine problem.
at com.amazon.redshift.client.PGClient.<init>(Unknown Source)
at com.amazon.redshift.core.PGJDBCConnection.connect(Unknown Source)
at com.amazon.jdbc.common.BaseConnectionFactory.doConnect(Unknown Source)
at com.amazon.jdbc.common.AbstractDriver.connect(Unknown Source)
at workbench.db.DbDriver.connect(DbDriver.java:513)
at workbench.db.ConnectionMgr.connect(ConnectionMgr.java:244)
at workbench.db.ConnectionMgr.getConnection(ConnectionMgr.java:172)
at workbench.gui.components.ConnectionSelector.doConnect(ConnectionSelector.java:227)
I am using SQL Workbench J to connect to the database system. The strangeness here is that the connection was working fine two days ago. This problem appeared from nowhere. Any idea??
We are following the exact steps written in the setup guide to add certificates to Java.
https://community.boomi.com/docs/DOC-2381
Am I missing anything here?
UPDATE
My Redshift database is SSL configured. We use the SQL Workbench J (http://www.sql-workbench.net/) client to connect to that database. The issue now is that every time we try to connect, we are getting the error I mentioned.
Below is our URL format:
jdbc:redshift://hostname:5439/dbname?ssl=true&sslmode=verify-full
It worked for me when I followed the solution given by cfregly on databricks forum. Please follow below URL for this solution:
https://forums.databricks.com/questions/867/ssl-connection-issues-with-redshift.html
Please try appending sslfactory value in the Connection URL string like below - it might work.
ssl=true&sslfactory=org.postgresql.ssl.NonValidatingFactory
Please add the following without the server certificate
ssl=true&sslfactory=com.amazon.redshift.ssl.NonValidatingFactory
The following would be the possible values for sslfactory
com.amazon.redshift.ssl.NonValidatingFactory
org.postgresql.ssl.NonValidatingFactory
Please see http://docs.aws.amazon.com/redshift/latest/mgmt/configure-jdbc-options.html
Try the following.
Run the keystore keytool based on the Java install for the environment variable JAVA_HOME (you may have multiple java installs so just use the default). Use the default cacerts keystore that comes with the JRE which will have a password of "changeit". You need to download the Redshift Certificate.
Then install the certificate for example:
C:\Program Files\Java\jdk1.8.0_25\jre\bin>keytool.exe -keystore "C:\Program Files\Java\jdk1.8.0_25\jre\lib\security\cacerts" -import -alias redshift -file redshift-ssl-ca-cert.pem
It will prompt you for the password ("changeit") and then should say the key has been added. If it fails, it's probably because you are not an admin user, so on Linux use sudo, or on Windows open the command window as administrator.
Start MYSQL Workbench using the cacerts keystore and the password entered above, e.g.:
C:\apps\SQL-Workbench-Build118>java -Djavax.net.ssl.trustStore="C:\Program Files\Java\jdk1.8.0_25\jre\lib\security\cacerts" -Djavax.net.ssl.trustStorePassword=changeit -jar sqlworkbench.jar
You should be able to use the URL above and it should now work.
I'm getting the exception below in WSO2 ESB when invoking a REST API which is supposed to invoke the back-end Twitter API. I was following the steps given in this blog post. The Twitter security certificate was successfully imported into the WSO2 key store. What would be the reason for this? I'm using WSO2 ESB version 4.8.1.
ERROR - TargetHandler I/O error: General SSLEngine problem
javax.net.ssl.SSLHandshakeException: General SSLEngine problem
at sun.security.ssl.Handshaker.checkThrown(Handshaker.java:1290)
at sun.security.ssl.SSLEngineImpl.checkTaskThrown(SSLEngineImpl.java:513)
at sun.security.ssl.SSLEngineImpl.writeAppRecord(SSLEngineImpl.java:1177)
at sun.security.ssl.SSLEngineImpl.wrap(SSLEngineImpl.java:1149)
at javax.net.ssl.SSLEngine.wrap(SSLEngine.java:469)
at org.apache.http.nio.reactor.ssl.SSLIOSession.doWrap(SSLIOSession.java:220)
at org.apache.http.nio.reactor.ssl.SSLIOSession.doHandshake(SSLIOSession.java:254)
at org.apache.http.nio.reactor.ssl.SSLIOSession.isAppInputReady(SSLIOSession.java:380)
at org.apache.http.impl.nio.reactor.AbstractIODispatch.inputReady(AbstractIODispatch.java:118)
at org.apache.http.impl.nio.reactor.BaseIOReactor.readable(BaseIOReactor.java:160)
at org.apache.http.impl.nio.reactor.AbstractIOReactor.processEvent(AbstractIOReactor.java:342)
at org.apache.http.impl.nio.reactor.AbstractIOReactor.processEvents(AbstractIOReactor.java:320)
at org.apache.http.impl.nio.reactor.AbstractIOReactor.execute(AbstractIOReactor.java:280)
at org.apache.http.impl.nio.reactor.BaseIOReactor.execute(BaseIOReactor.java:106)
at org.apache.http.impl.nio.reactor.AbstractMultiworkerIOReactor$Worker.run(AbstractMultiworkerIOReactor.java:604)
at java.lang.Thread.run(Thread.java:745)
Caused by: javax.net.ssl.SSLHandshakeException: General SSLEngine problem
at sun.security.ssl.Alerts.getSSLException(Alerts.java:192)
at sun.security.ssl.SSLEngineImpl.fatal(SSLEngineImpl.java:1683)
at sun.security.ssl.Handshaker.fatalSE(Handshaker.java:278)
at sun.security.ssl.Handshaker.fatalSE(Handshaker.java:270)
at sun.security.ssl.ClientHandshaker.serverCertificate(ClientHandshaker.java:1341)
at sun.security.ssl.ClientHandshaker.processMessage(ClientHandshaker.java:153)
at sun.security.ssl.Handshaker.processLoop(Handshaker.java:868)
at sun.security.ssl.Handshaker$1.run(Handshaker.java:808)
at sun.security.ssl.Handshaker$1.run(Handshaker.java:806)
at java.security.AccessController.doPrivileged(Native Method)
at sun.security.ssl.Handshaker$DelegatedTask.run(Handshaker.java:1227)
at org.apache.http.nio.reactor.ssl.SSLIOSession.doRunTask(SSLIOSession.java:238)
at org.apache.http.nio.reactor.ssl.SSLIOSession.doHandshake(SSLIOSession.java:270)
... 9 more
Caused by: sun.security.validator.ValidatorException: PKIX path building failed: sun.security.provider.certpath.SunCertPathBuilderException: unable to find valid certification path to requested target
at sun.security.validator.PKIXValidator.doBuild(PKIXValidator.java:385)
at sun.security.validator.PKIXValidator.engineValidate(PKIXValidator.java:292)
at sun.security.validator.Validator.validate(Validator.java:260)
at sun.security.ssl.X509TrustManagerImpl.validate(X509TrustManagerImpl.java:326)
at sun.security.ssl.X509TrustManagerImpl.checkTrusted(X509TrustManagerImpl.java:283)
at sun.security.ssl.X509TrustManagerImpl.checkServerTrusted(X509TrustManagerImpl.java:138)
at sun.security.ssl.ClientHandshaker.serverCertificate(ClientHandshaker.java:1328)
... 17 more
Caused by: sun.security.provider.certpath.SunCertPathBuilderException: unable to find valid certification path to requested target
at sun.security.provider.certpath.SunCertPathBuilder.engineBuild(SunCertPathBuilder.java:196)
at java.security.cert.CertPathBuilder.build(CertPathBuilder.java:268)
at sun.security.validator.PKIXValidator.doBuild(PKIXValidator.java:380)
... 23 more
Export Certificates
Go to https://YOUR_SERVER_HOST.com/, click on the lock icon at the address bar, click on the 'Connection' tab, then click on the link 'Certificate Information'. From the 'Certificate Viewer', select the tab 'Details' and click on the 'Export' button and download the certificate (YOUR_SERVER_HOST.com) to a preferred location.
Import to the WSO2 ESB "client-truststore" using the following commands:
$ cd $WSO2_HOME/repository/resources/security
$ keytool -importcert -file $path/YOUR_SERVER_HOST.com.cer -keystore client-truststore.jks -alias "YOUR_SERVER_HOST.com"
Use the password "wso2carbon" when asked.
I had a similar problem with another WSO2 product. I had successfully imported the certificate into the store. It appears it only reloads the keystore on restart of the server, so you will have to restart your server (if you haven't already).
Also, there are 2 keystores, the wso2carbon.jks (which is what I assume you are referring to) and the client-truststore.jks. You may need to import it into the client-truststore.jks.
Hope that is of some help.
Cheers
Matt
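Added example, not part of the original posts: one answer above asks the poster to verify that the certificate was added properly, and the last answer notes that there are two keystores. The script below uses only keytool to report which alias, if any, holds a given certificate in a given store; the function names, the temporary file names and the constructed.example certificate are assumptions made for the demo.

```shell
#!/bin/sh
# Added example: check whether a certificate is really in a given truststore.

# Print the SHA-256 fingerprint of the first certificate in a PEM or DER file.
cert_sha256() {
  keytool -printcert -file "$1" 2>/dev/null |
    sed -n 's/^[[:space:]]*SHA256:[[:space:]]*//p' | head -n 1
}

# Print the alias that holds the certificate in the given store.
# Exit status: 0 = found, 1 = not found (or store could not be opened),
# 2 = certificate file unreadable.
# usage: truststore_alias_for <store> <storepass> <certfile>
truststore_alias_for() {
  fp=$(cert_sha256 "$3")
  [ -n "$fp" ] || return 2
  keytool -list -v -keystore "$1" -storepass "$2" 2>/dev/null |
    awk -v fp="$fp" '
      /^Alias name: / { alias = substr($0, 13) }
      index($0, "SHA256: " fp) { print alias; found = 1 }
      END { exit !found }'
}

# Constructed demo: a throwaway self-signed certificate is imported into one
# temporary store but not the other, mirroring the "imported into cacerts,
# but the server reads client-truststore.jks" situation in the posts above.
demo() {
  d=$(mktemp -d) || return 2
  keytool -genkeypair -alias src -keyalg RSA -keysize 2048 -validity 1 \
    -dname "CN=constructed.example" -keystore "$d/src.ks" \
    -storepass changeit -keypass changeit >/dev/null 2>&1
  keytool -exportcert -rfc -alias src -keystore "$d/src.ks" \
    -storepass changeit -file "$d/server.pem" >/dev/null 2>&1
  keytool -importcert -noprompt -alias backend -file "$d/server.pem" \
    -keystore "$d/trusted.ks" -storepass changeit >/dev/null 2>&1
  keytool -genkeypair -alias other -keyalg RSA -keysize 2048 -validity 1 \
    -dname "CN=unrelated.example" -keystore "$d/other.ks" \
    -storepass changeit -keypass changeit >/dev/null 2>&1
  echo "trusted.ks: $(truststore_alias_for "$d/trusted.ks" changeit "$d/server.pem" || echo MISSING)"
  echo "other.ks:   $(truststore_alias_for "$d/other.ks" changeit "$d/server.pem" || echo MISSING)"
  rm -rf "$d"
}
```

Source the file and run `demo`, or call `truststore_alias_for` once against the JVM's cacerts and once against client-truststore.jks with the certificate you imported. A match only shows the file on disk contains the certificate; as noted above, the server still has to be restarted to reload it.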