Setup two way ssl for running webservice between wildfly and weblogic - web-services

I want to set up two-way SSL (self-signed cert) to call a web service endpoint from WildFly to WebLogic. I've tested the WebLogic setting and it works fine. Now the problem is how I should configure WildFly in order to build the connection with WebLogic. I've tried the settings in standalone.xml as below:
<security-realm name="UndertowRealm">
    <server-identities>
        <ssl>
            <keystore path="space2_identity.jks" relative-to="jboss.server.config.dir" keystore-password="password" alias="space2i" key-password="password"/>
        </ssl>
    </server-identities>
    <authentication>
        <truststore path="space2_trust.jks" relative-to="jboss.server.config.dir" keystore-password="password"/>
        <local default-user="$local" skip-group-loading="true"/>
        <properties path="mgmt-users.properties" relative-to="jboss.server.config.dir"/>
    </authentication>
</security-realm>
<https-listener name="https" verify-client="REQUIRED" security-realm="UndertowRealm" socket-binding="https"/>
The above setting works if I use a browser to do two-way SSL with WildFly. But for my main purpose (calling a WS from WildFly to WebLogic), I keep receiving a bad_certification error. I suspect that WildFly cannot find my keystore and truststore when WildFly is acting in the client role, because if I put the self-signed cert into the JVM cacerts file, one-way SSL can be built with WebLogic. However, I've tried many methods to do two-way SSL and it keeps giving me the bad_certification error. I've even inserted the following lines into standalone.conf.bat:
set "JAVA_OPTS=%JAVA_OPTS% -Djavax.net.debug=ssl"
set "JAVA_OPTS=%JAVA_OPTS% -Djavax.net.ssl.keyStore=D:/Keystore/space2_identity.jks"
set "JAVA_OPTS=%JAVA_OPTS% -Djavax.net.ssl.trustStore=D:/Keystore/space2_trust.keystore"
set "JAVA_OPTS=%JAVA_OPTS% -Djavax.net.ssl.keyStorePassword=password"
set "JAVA_OPTS=%JAVA_OPTS% -Djavax.net.ssl.trustStorePassword=password"
set "JAVA_OPTS=%JAVA_OPTS% -Djavax.net.ssl.trustStoreType=jks"
set "JAVA_OPTS=%JAVA_OPTS% -Djavax.net.ssl.keyStoreType=jks"
Still, bad_certification is received. I've tried many ways; what have I done wrong? Please kindly help. Thank you very much!

In your JAVA_OPTS the truststore is space2_trust.keystore while you have space2_trust.jks in your Undertow configuration.
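A quick way to catch exactly this kind of slip is to cross-check the keystore and truststore named in the security-realm against the -Djavax.net.ssl.* properties in JAVA_OPTS. The script below is an added example, not code from the question or the answer; the two inputs are constructed from the snippets posted above, and the comparison is by file name only (WildFly resolves the realm path relative to jboss.server.config.dir, which this check does not inspect).

```python
import re
import xml.etree.ElementTree as ET
from pathlib import PureWindowsPath

# Constructed sample: the <security-realm> from the question's standalone.xml.
REALM_XML = """<security-realm name="UndertowRealm">
  <server-identities>
    <ssl>
      <keystore path="space2_identity.jks" relative-to="jboss.server.config.dir"
                keystore-password="password" alias="space2i" key-password="password"/>
    </ssl>
  </server-identities>
  <authentication>
    <truststore path="space2_trust.jks" relative-to="jboss.server.config.dir"
                keystore-password="password"/>
  </authentication>
</security-realm>"""

# Constructed sample: the JAVA_OPTS lines from the question's standalone.conf.bat.
CONF_BAT = r'''set "JAVA_OPTS=%JAVA_OPTS% -Djavax.net.ssl.keyStore=D:/Keystore/space2_identity.jks"
set "JAVA_OPTS=%JAVA_OPTS% -Djavax.net.ssl.trustStore=D:/Keystore/space2_trust.keystore"
set "JAVA_OPTS=%JAVA_OPTS% -Djavax.net.ssl.keyStoreType=jks"
'''

def realm_stores(xml_text):
    """Return {'keyStore': file, 'trustStore': file} from a <security-realm> element."""
    root = ET.fromstring(xml_text)
    ks = root.find("./server-identities/ssl/keystore")
    ts = root.find("./authentication/truststore")
    return {
        "keyStore": ks.get("path") if ks is not None else None,
        "trustStore": ts.get("path") if ts is not None else None,
    }

def java_opts_stores(bat_text):
    """Return the file names given to -Djavax.net.ssl.keyStore / trustStore in JAVA_OPTS."""
    found = {}
    for m in re.finditer(r"-Djavax\.net\.ssl\.(keyStore|trustStore)=([^\s\"]+)", bat_text):
        found[m.group(1)] = PureWindowsPath(m.group(2)).name  # accepts D:/ and D:\ paths
    return found

def store_mismatches(realm, opts):
    """List (role, realm_file, jvm_file) for every store whose file name differs."""
    problems = []
    for role in ("keyStore", "trustStore"):
        if realm.get(role) and opts.get(role) and realm[role] != opts[role]:
            problems.append((role, realm[role], opts[role]))
    return problems

if __name__ == "__main__":
    for role, realm_file, jvm_file in store_mismatches(realm_stores(REALM_XML), java_opts_stores(CONF_BAT)):
        print(f"{role}: realm uses {realm_file!r} but JAVA_OPTS uses {jvm_file!r}")
```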

Related

WSO2 IS 5.0.0 saml authentication always redirects to localhost

I'm playing with the travelocity sample application, but I'm having a problem:
when I access the application at 10.0.3.124:8080/travelocity.com I end up at https://localhost:9444/commonauth?SAMLRequest=... even though I configured the "host" parameter in carbon.xml. I've also searched for localhost in authenticators.xml and application-authentication.xml and found IdentityProviderSSOServiceURL, which I changed from localhost to the machine IP.
I'm on a laptop, and my application server and IS instances run on a different machine with the IP 10.0.3.124.
I successfully access the IS admin console.
Where's the problem?
It seems that I also had to configure the <MgtHostName>10.0.3.124</MgtHostName> in carbon.xml.
Thanks
There is a file named identity.xml inside IS_HOME/repository/conf which carries the following configuration.
<SSOService>
    <IdentityProviderURL>https://localhost:9443/samlsso</IdentityProviderURL>
</SSOService>
Please configure this with your environment parameters.
Thanks,
Pushpalanka

WSO2 API Key Manager

I am configuring our API Manager, but running into troubles authenticating via OAuth, seems to be an issue with the API Key Manager. I haven't dug into it yet, but does this come with the API Manager (as I have assumed) or is this a separate installation?
I had the same issue when using the WSO2 API Manager on an Amazon-hosted machine; it turned out that Thrift was not working correctly because of a problem with multicasting and broadcasting.
What I did to get it working was to switch from ThriftClient to WSClient. If you have a huge amount of requests coming in then Thrift is the recommended solution from WSO2, but in any "normal" case you will not see any difference between Thrift and WS.
Here is how you switch:
Shut down the API Manager
Open up <api manager install dir>\repository\conf\api-manager.xml
Find ThriftClient
Change this to
<KeyValidatorClientType>WSClient</KeyValidatorClientType>
Start the API Manager
You may get some warnings while starting up, but try it before you jump to the conclusion that it doesn't work.
Hope it helps!
You can use the APIM product in a distributed setup as key manager, gateway, store, publisher, but all the functionality comes in a single distribution.
Go through the documentation for further guidance.
I was facing the same issue. Everything started when I created my own JKS in order to use SSL without a self-signed certificate. I successfully created the JKS and changed it in the carbon file. When I started the server, everything seemed OK, but when I used SoapUI to test an API call, I got this (in the logs of the API Manager):
APIAuthenticationHandler API authentication failure due to Unclassified Authentication Failure
I started digging into what the problem was by enabling the Debug level in the log4j.properties file, then tested again with SoapUI and got:
APISecurityException: Could not connect to <my api ip address> on port 10397
Then I read the comment of OneMuppet and checked that file, and I found that the Thrift config has a host option, so I uncommented it:
<KeyValidatorClientType>ThriftClient</KeyValidatorClientType>
<ThriftClientPort>10397</ThriftClientPort>
<ThriftClientConnectionTimeOut>10000</ThriftClientConnectionTimeOut>
<ThriftServerPort>10397</ThriftServerPort>
<ThriftServerHost>localhost</ThriftServerHost> <!-- this line -->
<EnableThriftServer>true</EnableThriftServer>
I saved, restarted the server, and everything started working correctly.
I got the same issue after my installation; when I try to invoke the API service it throws the error below:
900900 Unclassified Authentication Failure Error while accessing backend services for API key validation
After some random checks I looked at the axis2.xml file in /repository/conf/axis2; there it was referring to different IPs instead. I changed these IPs to my local IP and restarted. The issue is resolved now.
I was facing the same issue when I was trying to set up API Manager as an API Gateway on a different machine as per the steps given here:
https://docs.wso2.com/display/AM250/Publish+through+Multiple+API+Gateways
Once the setup was done and I tried to use this gateway URL, I was getting the response below:
{"fault":{"code":900900,"message":"Unclassified Authentication Failure","description":"Error while accessing backend services for API key validation"}}
After changing the KeyValidatorClientType value from ThriftClient to WSClient in <api manager install dir>\repository\conf\api-manager.xml
it started working fine, and I was able to get the expected response.
If you changed the admin password, then you also have to update the repository/conf/api-manager.xml file with the new password. The two places I have changed (so far) are:
<AuthManager>
and
<APIKeyManager>
but there are other admin usernames in that file. No doubt I'll get to them....

Apache CXF - http-conf:conduit proxy setting

In my project I have to configure the conduit settings for web services. To communicate with the web services I have to pass through a proxy. Since http-conf:basicAuthSupplier is not working due to http://cxf.547215.n5.nabble.com/svn-commit-r1240059-cxf-trunk-rt-transports-http-src-main-resources-schemas-configuration-http-conf-d-td5453353.html, does anybody know how to configure a proxy setting?
<http-conf:conduit name="*.http-conduit">
    <http-conf:authorization>
        <sec:UserName>username</sec:UserName>
        <sec:Password>password</sec:Password>
    </http-conf:authorization>
    <http-conf:client Connection="Keep-Alive"
                      AllowChunking="false"
                      ProxyServer="proxyIp"
                      ProxyServerPort="proxyPort"
                      ProxyServerType="HTTP"/>
</http-conf:conduit>
I also tried with http-conf:proxyAuthorization,
but the same 407 proxy authentication error appears.
Does anybody know how to resolve it?
The authentication supplier has to be configured as described at http://cxf.apache.org/docs/client-http-transport-including-ssl-support.html
<http-conf:conduit name="*.http-conduit">
    <http-conf:client ProxyServer="proxyIP" ProxyServerPort="proxyPort" NonProxyHosts="nonProxyHost" />
    <http-conf:authSupplier class="org.apache.cxf.transport.http.auth.DefaultBasicAuthSupplier"/>
    <http-conf:proxyAuthorization>
        <sec:UserName>username</sec:UserName>
        <sec:Password>password</sec:Password>
    </http-conf:proxyAuthorization>
</http-conf:conduit>
Also enable basic authentication for HTTPS tunneling using the JVM flags below. Details are available at http://www.oracle.com/technetwork/java/javase/8u111-relnotes-3124969.html
-Djdk.http.auth.proxying.disabledSchemes="" -Djdk.http.auth.tunneling.disabledSchemes=""

call jboss web service from other machine

I've created a contract-last web service which is deployed on a JBoss AS on my VDI machine. I can get the WSDL just fine from localhost, but if I try to call the web service from my laptop or any other machine I simply cannot connect to it.
I'm using SoapUI to test with, and I just get a NullPointerException when I call it; if I try to get the WSDL via a browser it just times out.
I've tried to use a listener to see if I can connect to the VDI from other machines, and that works just fine.
Any suggestions what I could try? I'm thinking that it could be some property setting in some JBoss AS properties file, but the only thing I've found is "jboss.bind.name", which is set to "0.0.0.0" and should allow other machines to connect to the web service, but no luck :/
Help?
The solution was to add "-b 0.0.0.0" to my startup script

SoapUI Web Service Request using Public Key Certificate

I have a WSDL for a Web Service and a Public Key Certificate in the shape of a .cer file.
I need to get SoapUI to encrypt the service request with the public key of the certificate.
How do I do this?
In SoapUI, go to the Preferences dialog, under the File menu. There's a tab/section for SSL. There you can specify the path to the .cer file. I don't have it here in front of me, and I've only done .pfx, but it should work the same. With .pfx, you need to enter the password - not sure if you do that for .cer or not. You can also convert the .cer to .pfx if that works better. But anyway, with a .pfx specified here, I was able to use https connections to our server (Cisco ACE gateway actually) which required "client certificate authentication". It was easy to do in SoapUI, proving that the infrastructure was set up right. Our app, written in Delphi2005, took another 3 weeks... But at least we knew what we were trying to do, and had a way to verify the result.
In Preferences fill in the path to your certificate in the KeyStore field and the password underneath.
I use a p12 certificate and it seems to be working fine.
If you can use WCF, just add security to the binding, and the following behavior:
<behaviors>
    <behavior>
        <clientCredentials>
            <clientCertificate findValue="101010101010101010101010101010000000000"
                               storeLocation="LocalMachine" storeName="The logic storage"
                               X509FindType="The cert name"/>
        </clientCredentials>
    </behavior>
</behaviors>
For more info about how to enable security in WCF, see MSDN.