I need to implement local ssl for my project for an OAuth implementation. I read through the xsbt-web-plugin page (here). I created the keystore as advised here.
keytool -genkey -alias localhost -keyalg RSA -keystore localhost.jks -keysize 2048
I got it to serve https using jetty config file that I found here. This is what it looks like:
<Configure id="Server" class="org.eclipse.jetty.server.Server">
<Call name="addConnector">
<Arg>
<New class="org.eclipse.jetty.server.ssl.SslSelectChannelConnector">
<Arg>
<New class="org.eclipse.jetty.http.ssl.SslContextFactory">
<Set name="keyStore">localhost.jks</Set>
<Set name="keyStorePassword">password</Set>
<Set name="keyManagerPassword">password</Set>
<Set name="trustStore">localhost.jks</Set>
<Set name="trustStorePassword">password</Set>
</New>
</Arg>
<Set name="port">8443</Set>
<Set name="maxIdleTime">30000</Set>
</New>
</Arg>
</Call>
</Configure>
My SBT config looks like this:
customConfiguration in container.Configuration := true
ssl in container.Configuration := Some("127.0.0.1", 8443, "localhost.jks", "password", "password")
configurationFiles in container.Configuration := Seq(file("path\\to\\jetty.xml"))
The problem is now the server serves a 404 for every request:
Also there is this warning on console:
2017-03-13 16:06:56.819:WARN:oeji.nio:javax.net.ssl.SSLException: Inbound closed before receiving peer's close_notify: possible truncation attack?
Jetty: 8.1.7/Lift: 2.6.2
Please advise. Thank you.
After struggling with this for a couple of days, I just used STunnel which is basically just another server running locally that forwards all the request from 8443 to my dev server running on 8080.
Related
We have on premise WSO2 stack for managing the api subscription where there are client applications created in the wso2 store URL for generating access tokens. One of the development team in our organization is trying to generate the access token from the client id and secret by the means of javascript. The tokens are not getting generated and resulting into CORS issue. I have checked the documentations for similar issues and I have made change in the TokenAPI.xml file located under the <API_M>/repository/deployment/server/synapse-configs/default/api directory by adding the outsequence property. Unfortunately this did not solve the issue. I have read a few documentations and verified the cors configuration in the api manager.xml file it looked fine to me.
const token =
"Base64(consumer-key:consumer-secret)";
const url = "https://<gateway_Url>/token";
const res = axios({
method: "post",
url: url,
data: "grant_type=client_credentials",
headers: {
"Authorization": `Basic ${token}`,
"Content-Type": "application/x-www-form-urlencoded",
Accept: "application/json"
},
});
cat /data/wso2/wso2am-2.6.0/repository/deployment/server/synapse-configs/default/api/_TokenAPI_.xml
<api xmlns="http://ws.apache.org/ns/synapse" name="_WSO2AMTokenAPI_" context="/token">
<resource methods="POST" url-mapping="/*" faultSequence="_token_fault_">
<inSequence>
<property name="uri.var.portnum" expression="get-property('keyManager.port')"/>
<property name="uri.var.hostname" expression="get-property('keyManager.hostname')"/>
<send>
<endpoint>
<http uri-template="https://{uri.var.hostname}:{uri.var.portnum}/oauth2/token">
<timeout>
<duration>60000</duration>
<responseAction>fault</responseAction>
</timeout>
</http>
</endpoint>
</send>
</inSequence>
<outSequence>
<property name="Access-Control-Allow-Headers" scope="transport" value="authorization,Access-Control-Allow-Origin,Content-Type,Action"></property>
<send/>
</outSequence>
</resource>
<handlers>
<handler class="org.wso2.carbon.apimgt.gateway.handlers.ext.APIManagerCacheExtensionHandler"/>
<handler class="org.wso2.carbon.apimgt.gateway.handlers.common.SynapsePropertiesHandler"/>
</handlers>
</api>
Error - Access to XMLHttpRequest at 'https://api-uat.ucl.ac.uk/token' from origin 'null' has been blocked by CORS policy: Response to preflight request doesn't pass access control check: No 'Access-Control-Allow-Origin' header is present on the requested resource.
You might have to add the CORS handler to the token API under handlers.
<handler class= "org.wso2.carbon.apimgt.gateway.handlers.security.CORSRequestHandler">
<property name="apiImplementationType" value="ENDPOINT"/>
</handler>
I have set up an ec2 instance with a java web application running on a tomcat server and an aws application load balancer which directs port 80 and 443 to port 8080 on the ec2 instance.
I have changed the server.xml configuration on tomcat to the following
<Connector port="8080" protocol="HTTP/1.1"
proxyPort="443"
proxyName="sub.mydomain.com"
scheme="https"
secure="true"
connectionTimeout="20000"
redirectPort="8443" />
Now I am able to connect go to "sub.mydomain.com" and "https ://sub.mydomain.com". But how do I redirect all "http ://sub.mydomain.com" requests to "https ://sub.mydomain.com"?
Just add this in your web.xml
<security-constraint>
<web-resource-collection>
<web-resource-name>HTTPSOnly</web-resource-name>
<url-pattern>/*</url-pattern>
</web-resource-collection>
<user-data-constraint>
<transport-guarantee>CONFIDENTIAL</transport-guarantee>
</user-data-constraint>
</security-constraint>
I configure the gateway cluster follow this guide:https://docs.wso2.com/display/AM210/Clustering+the+Gateway.
172.19.28.71: Gateway Manager Host
172.19.28.84: Gateway Worker Host
Gateway Manager axis2.xml:
<clustering class="org.wso2.carbon.core.clustering.hazelcast.HazelcastClusteringAgent"
enable="true">
<parameter name="membershipScheme">wka</parameter>
<parameter name="domain">wso2.am.internal.domain</parameter>
<parameter name="localMemberHost">172.19.28.71</parameter>
<parameter name="localMemberPort">4500</parameter>
<members>
<member>
<hostName>172.19.28.71</hostName>
<port>4500</port>
</member>
<member>
<hostName>172.19.28.84</hostName>
<port>4200</port>
</member>
</members>
Gateway Worker axis2.xml:
<clustering class="org.wso2.carbon.core.clustering.hazelcast.HazelcastClusteringAgent"
enable="true">
<parameter name="membershipScheme">wka</parameter>
<parameter name="domain">wso2.am.internal.domain</parameter>
<parameter name="localMemberHost">172.19.28.84</parameter>
<parameter name="localMemberPort">4200</parameter>
<members>
<member>
<hostName>172.19.28.71</hostName>
<port>4500</port>
</member>
<member>
<hostName>172.19.28.84</hostName>
<port>4200</port>
</member>
</members>
Publiser and Store api-manager.xml:
<Environment type="hybrid" api-console="true">
<Name>Internal</Name>
<Description>This is a hybrid gateway that handles both production and sandbox token traffic.</Description>
<ServerURL>https://172.19.28.71:9443/services/</ServerURL>
<Username>${admin.username}</Username>
<Password>${admin.password}</Password>
<GatewayEndpoint>http://172.19.28.84:8280,https://172.19.28.84:8243</GatewayEndpoint>
</Environment>
But When I test in API Console(Gateway Worker URL:https://172.19.28.84:8243/pizzashack/3.0.0), nothing response, following is Gateway Worker's log:
[2017-05-16 10:15:57,996] INFO {org.apache.synapse.mediators.builtin.LogMediator} - STATUS = Message dispatched to the main sequence. Invalid URL., RESOURCE = /pizzashack/3.0.0/menu {org.apache.synapse.mediators.builtin.LogMediator}
Gateway Manager URL (172.19.28.71:8243/pizzashack/3.0.0) is working.
You need to enable SVN based deployment synchronizer between gateways. Otherwise, pizzashack API won't be deployed in all the gateways.
When I send a request to axis2 client I get a error
Proxy:
<proxy name="SOAP_Body" startOnLoad="true">
<target>
<inSequence>
<switch xmlns:m0="http://services.samples"
source="//m0:getQuote/m0:request/m0:symbol">
<case regex="foo">
<log level="custom">
<property name="a" value="s"/>
</log>
<send>
<endpoint>
<address uri="http://localhost:9001/services/SimpleStockQuoteService?wsdl"/>
</endpoint>
</send>
</case>
<case regex="bar">
<log level="custom">
<property name="b" value="a"/>
</log>
<send>
<endpoint>
<address uri="http://localhost:9002/services/SimpleStockQuoteService?wsdl"/>
</endpoint>
</send>
</case>
<default>
<property name="symbol"
expression="fn:concat('Normal Stock - ', //m0:getQuote/m0:request/m0:symbol)"/>
</default>
</switch>
</inSequence>
<outSequence>
<send/>
</outSequence>
</target>
ELB in 9443 offset 0, ESB in 9444 offset 1
so I have sent a request to http://localhost:8280/services/SOAP_Body of ELB
and I get the following error when I have sent a request thru axis2client in esb
[java] 15/06/30 15:40:43 INFO httpclient.HttpMethodDirector: I/O exception
(java.net.ConnectException) caught when processing request: Connection refused:
connect
When I send through SOAP UI for the above endpoint I get
Wed Jul 01 10:48:06 IST 2015:ERROR:Exception in request: org.apache.http.conn.HttpHostConnectException: Connection to http://localhost:8280 refused
Wed Jul 01 10:48:06 IST 2015:ERROR:An error occured [Connection to http://localhost:8280 refused], see error log for details
Wed Jul 01 10:48:06 IST 2015:INFO:Error getting response for [SimpleStockQuoteServiceSoap11Binding.getQuote:Request 1]; org.apache.http.conn.HttpHostConnectException: Connection to http://localhost:8280 refused
I have enabled clustering and other configuration as in 1
But when I send request to ESB alone without getting through ELB I get the desired output.
When I give AllowAll in axis2.xml in ELB i get the new error in ELB server
Error - DynamicLoadbalanceEndpoint application member not available
What would be the problem? Please help me out.
Did any of you got sample 57 in wso2 esb for dynamic endpoint working? If yes please help me in configuring. I have configured as in documentation but i couldnt get it working.
Thanks.
There is not enough information in your question.
Post the full stack trace.
Where is your axis 2 service being hosted? WSO2AS?
What is your axis 2 service endpoint.
Post your send mediator xml config.
Have you checked whether the endpoint is working correctly...
Please try this on the web browser:
http://localhost:8280/services/SOAP_Body?wsdl
and see whether or not you get the wsdl of the proxy.
I'm trying to setup the jetty maven plugin for local development but I'm stuck on trusting the LDAP server's SSL which I use with spring security for authentication.
I tried creating a connector for SSL with the truststore, however I'm still getting the bind exception on login.
<Call name="addConnector">
<Arg>
<New class="org.eclipse.jetty.server.ssl.SslSelectChannelConnector">
<Arg>
<New class="org.eclipse.jetty.http.ssl.SslContextFactory">
<Set name="keyStore">servers/jetty/jetty.jks</Set>
<Set name="keyStorePassword">password</Set>
<Set name="keyManagerPassword">password</Set>
<Set name="trustStore">servers/trust.jks</Set>
<Set name="trustStorePassword">password</Set>
</New>
</Arg>
<Set name="port">443</Set>
<Set name="maxIdleTime">30000</Set>
</New>
</Arg>
</Call>
This is the exception:
simple bind failed: host:port; nested exception is javax.naming.CommunicationException: simple bind failed: host:port [Root exception is javax.net.ssl.SSLHandshakeException: com.ibm.jsse2.util.g: PKIX path building failed: java.security.cert.CertPathBuilderException: PKIXCertPathBuilderImpl could not build a valid CertPath.; internal cause is: java.security.cert.CertPathValidatorException: The certificate issued by ROOT CA is not trusted; internal cause is: java.security.cert.CertPathValidatorException: Certificate chaining error]
seems like the truststore for the connector is limited to incoming SSL connections. Anyway to get this working with jetty?
I solved it as follows:
<Call class="java.lang.System" name="setProperty">
<Arg>javax.net.ssl.trustStore</Arg>
<Arg>trust.jks</Arg>
</Call>
<Call class="java.lang.System" name="setProperty">
<Arg>javax.net.ssl.trustStorePassword</Arg>
<Arg>xxxx</Arg>
</Call>
For me it was:
<systemProperty>
<name>javax.net.ssl.trustStore</name>
<value>/Users/koraytugay/Desktop/cacerts.jks</value>
</systemProperty>
<systemProperty>
<name>javax.net.ssl.trustStorePassword</name>
<value>changeit</value>
</systemProperty>