Received fatal alert: certificate_unknown - wso2

I'm trying to add (and consume) a REST API on HTTPS through API Manager.
So, with a little schema:
Client (SoapUi) --HTTPS--> APIM --HTTPS--> REST API
Result: Failed
Client (SoapUi) --HTTP--> APIM --HTTPS--> REST API
Result: Failed
Here is the stack:
2019-05-17 10:31:02,090 [-] [HTTPS-Listener I/O dispatcher-1] ERROR SourceHandler I/O error: Received fatal alert: certificate_unknown
javax.net.ssl.SSLException: Received fatal alert: certificate_unknown
at sun.security.ssl.Alerts.getSSLException(Alerts.java:208)
at sun.security.ssl.SSLEngineImpl.fatal(SSLEngineImpl.java:1666)
at sun.security.ssl.SSLEngineImpl.fatal(SSLEngineImpl.java:1634)
at sun.security.ssl.SSLEngineImpl.recvAlert(SSLEngineImpl.java:1800)
at sun.security.ssl.SSLEngineImpl.readRecord(SSLEngineImpl.java:1083)
at sun.security.ssl.SSLEngineImpl.readNetRecord(SSLEngineImpl.java:907)
at sun.security.ssl.SSLEngineImpl.unwrap(SSLEngineImpl.java:781)
at javax.net.ssl.SSLEngine.unwrap(SSLEngine.java:624)
at org.apache.http.nio.reactor.ssl.SSLIOSession.doUnwrap(SSLIOSession.java:245)
at org.apache.http.nio.reactor.ssl.SSLIOSession.doHandshake(SSLIOSession.java:280)
at org.apache.http.nio.reactor.ssl.SSLIOSession.isAppInputReady(SSLIOSession.java:410)
at org.apache.http.impl.nio.reactor.AbstractIODispatch.inputReady(AbstractIODispatch.java:119)
at org.apache.http.impl.nio.reactor.BaseIOReactor.readable(BaseIOReactor.java:159)
at org.apache.http.impl.nio.reactor.AbstractIOReactor.processEvent(AbstractIOReactor.java:338)
at org.apache.http.impl.nio.reactor.AbstractIOReactor.processEvents(AbstractIOReactor.java:316)
at org.apache.http.impl.nio.reactor.AbstractIOReactor.execute(AbstractIOReactor.java:277)
at org.apache.http.impl.nio.reactor.BaseIOReactor.execute(BaseIOReactor.java:105)
at org.apache.http.impl.nio.reactor.AbstractMultiworkerIOReactor$Worker.run(AbstractMultiworkerIOReactor.java:586)
at java.lang.Thread.run(Thread.java:745)
I think the problem is between API Manager and the REST API.
The REST API certificate is composed like this:
CA Root Sectigo
|
--> Gandi
|
--> wildcard's Company
I tried to add (via the publisher's site) the wildcard's company => no change
I tried to add the CA root to the JVM keystore => no change
Actually, API Manager had the default Self Signed certificate.
Maybe it's a part of the problem.
Any ideas?
Regards,
Mike

Related

WSO2 - 3.2.0 - Docker - Create an API - Connection Error

I'm trying to create a new API from a rest service in WSO2 Publisher and I'm getting an error when I try to validate the endpoint:
When I go to log it shows the message:
[2021-03-30 22:09:54,744] ERROR - ApisApiServiceImpl Error occurred while sending the HEAD request to the given endpoint url:
java.net.ConnectException: Connection refused (Connection refused)
What am I doing wrong?
If I progress the creation when I try to test I get another error:
[2021-03-30 22:15:31,311] WARN - SourceHandler I/O error: Received fatal alert: certificate_unknown
[2021-03-30 22:15:31,351] WARN - ConnectCallback Connection refused or failed for : localhost/127.0.0.1:8888
[2021-03-30 22:15:31,353] WARN - EndpointContext Endpoint : CpoExecutorAPI--v1.0.0_APIproductionEndpoint with address http://localhost:8888/cpo-executor/dev will be marked SUSPENDED as it failed
Apart from the certificate issue, another possible cause for this error is network connectivity. Please make sure that there weren't any network issues while invoking the request and the network connectivity was stable. Also, please check whether you can directly connect to the provided endpoint URL and get the responses without any issues.
WARN - SourceHandler I/O error: Received fatal alert: certificate_unknown
With the above-mentioned warning, we can suspect there is an issue with certificates.
Therefore, if you have made any recent certificate changes in your environment, can you check whether the required certs are available in the API Manager keystore?

WSO2 3.2.0 - Publish an API - ERROR - APIGatewayManager Error

I have a docker environment running openldap, mysql, wso2is and wso2am. I'm trying to publish an API using API Manager Publisher and I'm facing the following error:
docker log:
[2021-03-18 21:40:32,764] INFO - CarbonAuthenticationUtil 'admin#wso2.com#carbon.super [-1234]' logged in at [2021-03-18 21:40:32,764+0000]
[2021-03-18 21:40:32,899] ERROR - APIGatewayManager Error occurred when publish to gateway Production and Sandbox
org.apache.axis2.AxisFault: Error while Deploying API
at org.wso2.carbon.apimgt.impl.utils.APIGatewayAdminClient.deployAPI_aroundBody14(APIGatewayAdminClient.java:215) ~[org.wso2.carbon.apimgt.impl_6.7.206.jar:?]
Caused by:
at java.lang.Thread.run(Thread.java:834) [?:?]
Caused by: org.apache.axis2.AxisFault: Error while obtaining API information from gateway. null
at org.apache.axis2.util.Utils.getInboundFaultFromMessageContext(Utils.java:531) ~[axis2_1.6.1.wso2v41.jar:?]
More info:
[2021-03-18 21:40:33,178] INFO - DataBridge user admin#wso2.com connected
[2021-03-18 21:40:33,187] ERROR - DataEndpointConnectionWorker Error while trying to connect to the endpoint. Cannot borrow client for ssl://172.29.0.5:9712.
org.wso2.carbon.databridge.agent.exception.DataEndpointLoginException: Cannot borrow client for ssl://172.29.0.5:9712.
[2021-03-18 21:40:33,234] INFO - CarbonAuthenticationUtil 'admin#wso2.com#carbon.super [-1234]' logged in at [2021-03-18 21:40:33,233+0000]
[2021-03-18 21:40:33,264] ERROR - APIGatewayManager Error occurred when check api is published on gatewayProduction and Sandbox
Where is port 9712 for SSL defined? Because I don't have this port available on Docker:
wso2am:3.2.0-alpine "/home/wso2carbon/wa…" 7 days ago Up 12 minutes (healthy) 0.0.0.0:8243->8243/tcp, 5672/tcp, 9099/tcp, 0.0.0.0:8280->8280/tcp, 9443/tcp, 9611/tcp, 9711/tcp, 9763/tcp, 9999/tcp, 11111/tcp, 0.0.0.0:9444->9444/tcp
I'm using WSO2 IS as key manager and the integration is working. Now my problem is only when I try to publish an API.
wso2is:5.10.0-alpine
wso2am:3.2.0-alpine
PS: I have disabled network from docker-compose to not have host problems.
Issue 01:
Caused by: org.apache.axis2.AxisFault: Error while obtaining API information from gateway. null
The above error can be seen most probably due to a connection issue between the Publisher and the Gateway server/s.
To resolve this, you may need to validate the Gateway configuration in the Publisher node. To do that, open the <PUBLISHER_HOME>/repository/conf/deployment.toml file and check whether the following configuration is correct.
[[apim.gateway.environment]]
service_url = "https://<hostname_of_the_GW>:9443/services/"
Issue 02:
ERROR - DataEndpointConnectionWorker Error while trying to connect to the endpoint. Cannot borrow client for ssl://172.29.0.5:9712.
org.wso2.carbon.databridge.agent.exception.DataEndpointLoginException: Cannot borrow client for ssl://172.29.0.5:9712.
The above error indicates that the 9712 port is not accessible. This 9712 is the default port which is started by BinaryDataReceiver for Binary SSL Transport and it will be used to authenticate data published to the Traffic Manager. Therefore, you need to make this port available.

wso2am 2.6.0: SSL exception when invoking API which uses custom class mediator

Installed wso2am 2.6.0.
Created and published API - Myapi. Myapi is visible in API store and it can be invoked from there (receives correct response).
Created my own custom class demo mediator (nothing fancy, just outputs some information) and uploaded it to <API-M_HOME>/repository/components/lib.
Created sequence xml with my own custom class and manually uploaded it for Myapi (in API publisher 'Enabled message Mediation', for 'In Flow').
Restarted server and it looks like registered my custom class mediator successfully.
But now when I try to invoke this API through the API store, it throws this exception:
[2019-03-23 21:04:00,858] ERROR - SourceHandler I/O error: Received fatal alert: certificate_unknown
javax.net.ssl.SSLException: Received fatal alert: certificate_unknown
at sun.security.ssl.Alerts.getSSLException(Alerts.java:208)
at sun.security.ssl.SSLEngineImpl.fatal(SSLEngineImpl.java:1666)
at sun.security.ssl.SSLEngineImpl.fatal(SSLEngineImpl.java:1634)
at sun.security.ssl.SSLEngineImpl.recvAlert(SSLEngineImpl.java:1800)
at sun.security.ssl.SSLEngineImpl.readRecord(SSLEngineImpl.java:1083)
at sun.security.ssl.SSLEngineImpl.readNetRecord(SSLEngineImpl.java:907)
at sun.security.ssl.SSLEngineImpl.unwrap(SSLEngineImpl.java:781)
at javax.net.ssl.SSLEngine.unwrap(SSLEngine.java:624)
at org.apache.http.nio.reactor.ssl.SSLIOSession.doUnwrap(SSLIOSession.java:245)
at org.apache.http.nio.reactor.ssl.SSLIOSession.doHandshake(SSLIOSession.java:280)
at org.apache.http.nio.reactor.ssl.SSLIOSession.isAppInputReady(SSLIOSession.java:410)
at org.apache.http.impl.nio.reactor.AbstractIODispatch.inputReady(AbstractIODispatch.java:119)
at org.apache.http.impl.nio.reactor.BaseIOReactor.readable(BaseIOReactor.java:159)
at org.apache.http.impl.nio.reactor.AbstractIOReactor.processEvent(AbstractIOReactor.java:338)
at org.apache.http.impl.nio.reactor.AbstractIOReactor.processEvents(AbstractIOReactor.java:316)
at org.apache.http.impl.nio.reactor.AbstractIOReactor.execute(AbstractIOReactor.java:277)
at org.apache.http.impl.nio.reactor.BaseIOReactor.execute(BaseIOReactor.java:105)
at org.apache.http.impl.nio.reactor.AbstractMultiworkerIOReactor$Worker.run(AbstractMultiworkerIOReactor.java:586)
at java.lang.Thread.run(Thread.java:748)
[2019-03-23 21:04:00,874] INFO - LogMediator IN_MESSAGE = json_validator
[2019-03-23 21:04:00,879] INFO - LogMediator STATUS = Executing default 'fault' sequence, ERROR_CODE = 0, ERROR_MESSAGE = Error occured in the mediation of the class mediator
The same issue happens when I select another mediator, e.g. json_validator (which is not my custom one, so the issue is not just in my custom mediator), but with e.g. the debug_in_flow mediator everything works.
It seems that this issue appears when the mediator uses some class mediator, and then it throws this SSL exception.
Any ideas where the certificate should be added? As I understand it, the inner service tries to invoke the custom Java class without a certificate and fails.
The exception is thrown, but it doesn't affect the custom mediator flow.

WSO2 API Manager Received fatal alert: handshake_failure

Using WSO2 API Manager (V1.10), I published an API and imported the SSL certificate to client-truststore.jks. But when I call this API, I'm receiving this error:
2016-07-11 11:42:11,296 [-] [HTTPS-Sender I/O dispatcher-7] ERROR TargetHandler I/O error: Received fatal alert: handshake_failure
javax.net.ssl.SSLException: Received fatal alert: handshake_failure
at sun.security.ssl.Alerts.getSSLException(Alerts.java:208)
at sun.security.ssl.SSLEngineImpl.fatal(SSLEngineImpl.java:1650)
at sun.security.ssl.SSLEngineImpl.fatal(SSLEngineImpl.java:1618)
at sun.security.ssl.SSLEngineImpl.recvAlert(SSLEngineImpl.java:1787)
at sun.security.ssl.SSLEngineImpl.readRecord(SSLEngineImpl.java:1071)
at sun.security.ssl.SSLEngineImpl.readNetRecord(SSLEngineImpl.java:893)
at sun.security.ssl.SSLEngineImpl.unwrap(SSLEngineImpl.java:767)
at javax.net.ssl.SSLEngine.unwrap(SSLEngine.java:624)
at org.apache.http.nio.reactor.ssl.SSLIOSession.doUnwrap(SSLIOSession.java:228)
at org.apache.http.nio.reactor.ssl.SSLIOSession.doHandshake(SSLIOSession.java:263)
at org.apache.http.nio.reactor.ssl.SSLIOSession.isAppInputReady(SSLIOSession.java:391)
at org.apache.http.impl.nio.reactor.AbstractIODispatch.inputReady(AbstractIODispatch.java:119)
at org.apache.http.impl.nio.reactor.BaseIOReactor.readable(BaseIOReactor.java:159)
at org.apache.http.impl.nio.reactor.AbstractIOReactor.processEvent(AbstractIOReactor.java:338)
at org.apache.http.impl.nio.reactor.AbstractIOReactor.processEvents(AbstractIOReactor.java:316)
at org.apache.http.impl.nio.reactor.AbstractIOReactor.execute(AbstractIOReactor.java:277)
at org.apache.http.impl.nio.reactor.BaseIOReactor.execute(BaseIOReactor.java:105)
at org.apache.http.impl.nio.reactor.AbstractMultiworkerIOReactor$Worker.run(AbstractMultiworkerIOReactor.java:586)
at java.lang.Thread.run(Thread.java:745)
I suspect your API calling client program does not have the API server's certificate. (Usually you import your certificate into your JRE's cacerts or other trust store.)
But when I call this API, I'm receiving this error:
When you call this API, did this API calling client program (Java, for example) also get this WSO2 server's certificate imported? This may solve your problem.
According to the error log, this happens in the HTTP sender, i.e. when API Manager invokes the back-end. If your backend is "HTTPS", you need to import its public certificate to the truststore of APIM.
Had the same issue in Java 1.7. Java 1.8 has resolved my problem.
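The answer above reads the failing leg off the handler name (HTTPS-Sender/TargetHandler is the gateway calling the back-end). The sketch below is an added example, not code from any of the posts or from WSO2: it applies the same reading to the log lines quoted on this page, using the pass-through transport convention that SourceHandler serves the inbound client connection and that "Received fatal alert" means the remote peer sent the alert. The function names and the check wording are assumptions made for illustration.

```python
import re
from collections import Counter

# Pass-through handler -> (TLS leg, remote peer on that leg).
LEGS = {
    "SourceHandler": ("client->gateway", "client"),    # HTTPS-Listener threads
    "TargetHandler": ("gateway->backend", "backend"),  # HTTPS-Sender threads
}
# "Received fatal alert" means the remote peer sent the alert, so the
# first thing to inspect is that peer's view of the handshake.
FIRST_CHECK = {
    "certificate_unknown": "rejected the certificate the gateway presented; check its trust store",
    "handshake_failure": "could not agree on TLS parameters; compare protocols and cipher suites",
}
ALERT_RE = re.compile(
    r"(?P<handler>SourceHandler|TargetHandler)\s+I/O error: "
    r"Received fatal alert: (?P<alert>\w+)"
)
TS_RE = re.compile(r"\d{4}-\d{2}-\d{2} \d{2}:\d{2}:\d{2},\d{3}")

def classify(line):
    """Return time, leg, peer, alert and first check for a log line, or None."""
    m = ALERT_RE.search(line)
    if m is None:
        return None  # stack-trace frames and unrelated lines carry no handler
    leg, peer = LEGS[m.group("handler")]
    alert = m.group("alert")
    ts = TS_RE.search(line)
    check = FIRST_CHECK.get(alert, "sent an unmapped alert; read its own logs")
    return {"time": ts.group(0) if ts else None, "leg": leg, "peer": peer,
            "alert": alert, "first_check": f"{peer} {check}"}

def triage(lines):
    """Classify matching lines and count alerts per (leg, alert)."""
    hits = [h for h in map(classify, lines) if h]
    return hits, Counter((h["leg"], h["alert"]) for h in hits)

# Sample lines copied from the log excerpts on this page.
SAMPLE = [
    "2019-05-17 10:31:02,090 [-] [HTTPS-Listener I/O dispatcher-1] ERROR SourceHandler I/O error: Received fatal alert: certificate_unknown",
    "javax.net.ssl.SSLException: Received fatal alert: certificate_unknown",
    "[2021-03-30 22:15:31,311] WARN - SourceHandler I/O error: Received fatal alert: certificate_unknown",
    "2016-07-11 11:42:11,296 [-] [HTTPS-Sender I/O dispatcher-7] ERROR TargetHandler I/O error: Received fatal alert: handshake_failure",
]
if __name__ == "__main__":
    hits, counts = triage(SAMPLE)
    for h in hits:
        print(h["time"], h["leg"], h["alert"], "->", h["first_check"])
    print(dict(counts))
```
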

Must Understand check Failed for UT secured Service

I have an axis2 service deployed on WSO2 AS 5 which I've secured with UT basic auth using the server. I want to invoke the service with an Axis client. I generated the stub and tried this,
// Trust store holding the server certificate for the HTTPS transport
String trustStore = "/home/dumidu/wso2carbon.jks";
System.setProperty("javax.net.ssl.trustStore", trustStore);
System.setProperty("javax.net.ssl.trustStorePassword", "test123");
// HTTP basic authentication credentials attached to the request
HttpTransportProperties.Authenticator basicAuthentication = new HttpTransportProperties.Authenticator();
basicAuthentication.setUsername("admin");
basicAuthentication.setPassword("admin");
// Generated Axis2 stub for the secured service
OrderProcessorStub ordPros = new OrderProcessorStub();
ordPros._getServiceClient().getOptions().setProperty(org.apache.axis2.transport.http.HTTPConstants.AUTHENTICATE, basicAuthentication);
// Build the request and invoke the operation
OrderProcessorStub.GetOrder req = new OrderProcessorStub.GetOrder();
req.setOrdID(1);
OrderProcessorStub.GetOrderResponse resp = ordPros.getOrder(req);
System.out.println("resp \t" + resp.get_return());
I'm getting this error on the client side:
INFO: basic authentication scheme selected
Apr 30, 2015 6:02:58 PM org.apache.axis2.engine.AxisEngine receive
SEVERE: Must Understand check failed for header http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-secext-1.0.xsd : Security
org.apache.axis2.AxisFault: Must Understand check failed for header http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-secext-1.0.xsd : Security
at org.apache.axis2.engine.AxisEngine.checkMustUnderstand(AxisEngine.java:105)
at org.apache.axis2.engine.AxisEngine.receive(AxisEngine.java:171)
at org.apache.axis2.description.OutInAxisOperationClient.handleResponse(OutInAxisOperation.java:364)
at org.apache.axis2.description.OutInAxisOperationClient.send(OutInAxisOperation.java:421)
at org.apache.axis2.description.OutInAxisOperationClient.executeImpl(OutInAxisOperation.java:229)
at org.apache.axis2.client.OperationClient.execute(OperationClient.java:165)
....
....
and this on server,
[2015-04-30 18:02:58,250] ERROR - AxisEngine System error
org.apache.axis2.AxisFault: System error
at org.wso2.carbon.security.pox.POXSecurityHandler.invoke(POXSecurityHandler.java:303)
at org.apache.axis2.engine.Phase.invokeHandler(Phase.java:340)
at org.apache.axis2.engine.Phase.invoke(Phase.java:313)
at org.apache.axis2.engine.AxisEngine.invoke(AxisEngine.java:261)
at org.apache.axis2.engine.AxisEngine.receive(AxisEngine.java:167)
at org.apache.axis2.transport.http.HTTPTransportUtils.processHTTPPostRequest(HTTPTransportUtils.java:172)
at org.apache.axis2.transport.http.AxisServlet.doPost(AxisServlet.java:146)
at org.wso2.carbon.core.transports.CarbonServlet.doPost(CarbonServlet.java:231)
at javax.servlet.http.HttpServlet.service(HttpServlet.java:755)
at javax.servlet.http.HttpServlet.service(HttpServlet.java:848)
....
....
What am I doing wrong here? How can I write an Axis client for a service secured with UT in WSO2 AS? Thanks in advance.
According to your error, it seems to be a bug in the product. In this JIRA, it says that there is an issue with the POX handler. WSO2 AS is also using the same handler, and it must be the reason for your issue as well. The JIRA says that if the client request does not include an empty SOAP header, that conversion fails with the following error. So as a workaround, you can try with an empty SOAP header.