Distributed and deployed the WSO2 API Manager components - wso2

I have installed distributed WSO2 API Manager components. This works very well, but when I subscribe to an API and generate a token this error is shown:
"Token revoke failed : HTTP error code : 500"
The log :
[2015-08-12 13:28:59,623] ERROR - TargetHandler I/O error: Host name verification failed for host : 189.9.134.48
javax.net.ssl.SSLException: Host name verification failed for host : 189.9.134.48
at org.apache.synapse.transport.http.conn.ClientSSLSetupHandler.verify(ClientSSLSetupHandler.java:152)
at org.apache.http.nio.reactor.ssl.SSLIOSession.doHandshake(SSLIOSession.java:285)
at org.apache.http.nio.reactor.ssl.SSLIOSession.outboundTransport(SSLIOSession.java:420)
at org.apache.http.impl.nio.reactor.AbstractIODispatch.outputReady(AbstractIODispatch.java:150)
at org.apache.http.impl.nio.reactor.BaseIOReactor.writable(BaseIOReactor.java:181)
at org.apache.http.impl.nio.reactor.AbstractIOReactor.processEvent(AbstractIOReactor.java:346)
at org.apache.http.impl.nio.reactor.AbstractIOReactor.processEvents(AbstractIOReactor.java:320)
at org.apache.http.impl.nio.reactor.AbstractIOReactor.execute(AbstractIOReactor.java:280)
at org.apache.http.impl.nio.reactor.BaseIOReactor.execute(BaseIOReactor.java:106)
at org.apache.http.impl.nio.reactor.AbstractMultiworkerIOReactor$Worker.run(AbstractMultiworkerIOReactor.java:604)
at java.lang.Thread.run(Thread.java:745)
[2015-08-12 13:28:59,627] WARN - EndpointContext Endpoint : AnonymousEndpoint will be marked SUSPENDED as it failed
[2015-08-12 13:28:59,628] WARN - EndpointContext Suspending endpoint : AnonymousEndpoint - last suspend duration was : 30000ms and current suspend duration is : 30000ms - Next retry after : Wed Aug 12 13:29:29 BRT 2015
[2015-08-12 13:28:59,629] INFO - LogMediator STATUS = Executing token 'fault' sequence, ERROR_CODE = 101500, ERROR_MESSAGE = Error in Sender
[2015-08-12 13:28:59,635] ERROR - subscription-add:jag java.lang.RuntimeException: Token revoke failed : HTTP error code : 500
[2015-08-12 13:29:09,641] ERROR - SourceHandler I/O error: Conexão fechada pela outra ponta
How can I solve this problem? I'm using APIM 1.9.

You have two ways to solve this issue. The first way is recommended in a production environment. The second way isn't recommended in a production environment.
Way 1
You are having an issue with verifying the hostname "189.9.134.48". 189.9.134.48 should be your Common Name (CN) when generating your keys. You have to import the public key certificate of the WSO2 IS server into the WSO2 APIM server. You may use the following command in order to extract the public key certificate from your keystore. Go inside the <IS_HOME>/repository/resources/security/ directory:
keytool -export -keystore <IS_Store> -alias <alias_of_IS_certificate> -file <IS_certificate>.cer
This SSL certificate of the IS should be imported into the client-truststore.jks of the APIM server.
Shutdown the APIM server if it's up.
Go to <APIM_HOME>/repository/resources/security/ directory.
Import the public key of appserver to the client-truststore.jks file using the following command in a terminal:
keytool -import -alias <alias_of_IS_certificate> -file <IS_certificate>.cer -keystore client-truststore.jks -storepass wso2carbon
Restart the APIM server.
Way 2
Set the <parameter name="HostnameVerifier"> element to AllowAll in <APIM_HOME>/repository/conf/axis2/axis2.xml file's HTTPS transport sender configuration. For example, <parameter name="HostnameVerifier">AllowAll</parameter>.
This parameter verifies the hostname of the certificate of a server when the API Manager acts as a client and does outbound service calls.
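The log line "Host name verification failed for host : 189.9.134.48" is the client-side name check, not a trust-chain failure: the IS certificate chains fine, but none of its identities is the IP the gateway dialled. The following added example (not WSO2 or Apache Synapse code; the certificate identities are constructed inline rather than parsed from DER) writes that check out. Its "rfc6125" mode is what current verifiers do (SAN first, CN only when the certificate has no SAN, an IP literal only against an iPAddress SAN); "legacy" mode reproduces older HttpClient-style verifiers, which also accept a CN match for an IP literal, the assumption behind the CN advice in Way 1; "allowall" is Way 2, which accepts any name, so a valid certificate issued to any other host passes.

```python
"""Hostname verification as a TLS client performs it.

Added example, not WSO2 or Apache Synapse code.  Implements the RFC 6125 /
RFC 2818 rules, the permissive legacy behaviour (CN or any SAN, also for IP
literals) and the AllowAll setting that disables the check.  Certificate
identities are constructed inline; nothing is parsed from DER.
"""
from __future__ import annotations

import ipaddress
from dataclasses import dataclass, field


@dataclass
class CertIdentities:
    """Identity fields of a server certificate (constructed sample data)."""
    common_name: str
    san_dns: list[str] = field(default_factory=list)   # subjectAltName dNSName entries
    san_ip: list[str] = field(default_factory=list)    # subjectAltName iPAddress entries


def _match_dns(pattern: str, host: str) -> bool:
    """Case-insensitive DNS match; '*' is allowed only as the whole left-most label."""
    pattern = pattern.lower().rstrip(".")
    host = host.lower().rstrip(".")
    if "*" not in pattern:
        return pattern == host
    p_labels, h_labels = pattern.split("."), host.split(".")
    # The wildcard must be a full label, must not cover the registrable domain
    # (so at least two labels follow it) and matches exactly one label.
    if p_labels[0] != "*" or len(p_labels) < 3 or len(p_labels) != len(h_labels):
        return False
    return p_labels[1:] == h_labels[1:]


def _match_identity(identity: str, host: str, host_ip) -> bool:
    """Legacy comparison: an identity is an IP if it parses as one, else a DNS name."""
    if host_ip is not None:
        try:
            return ipaddress.ip_address(identity) == host_ip
        except ValueError:
            return False
    return _match_dns(identity, host)


def verify_hostname(cert: CertIdentities, host: str, mode: str = "rfc6125") -> tuple[bool, str]:
    """Return (accepted, reason) for connecting to `host` with this server certificate.

    mode: "rfc6125" (current verifiers), "legacy" (CN or any SAN, as older
    HttpClient-style verifiers did) or "allowall" (check disabled).
    """
    if mode == "allowall":
        return True, "hostname check disabled: any certificate name is accepted"
    try:
        host_ip = ipaddress.ip_address(host)
    except ValueError:
        host_ip = None

    if mode == "legacy":
        for identity in [cert.common_name, *cert.san_dns, *cert.san_ip]:
            if _match_identity(identity, host, host_ip):
                return True, f"legacy match on {identity!r}"
        return False, f"no CN or SAN entry matches {host!r}"

    if mode != "rfc6125":
        raise ValueError(f"unknown mode {mode!r}")
    if host_ip is not None:
        # An IP literal is compared only with iPAddress SANs; the CN is never consulted.
        for san in cert.san_ip:
            if ipaddress.ip_address(san) == host_ip:
                return True, f"matched SAN iPAddress {san}"
        return False, f"no SAN iPAddress entry for {host}"
    if cert.san_dns:
        for name in cert.san_dns:
            if _match_dns(name, host):
                return True, f"matched SAN dNSName {name!r}"
        return False, "dNSName SANs present but none match; CN is ignored in that case"
    if _match_dns(cert.common_name, host):
        return True, f"matched CN {cert.common_name!r} (certificate has no SAN)"
    return False, f"CN {cert.common_name!r} does not match {host!r}"


if __name__ == "__main__":
    # Constructed sample: an IS certificate issued to a DNS name, called by IP as in the log.
    is_cert = CertIdentities(common_name="is.example.internal", san_dns=["is.example.internal"])
    for mode in ("rfc6125", "legacy", "allowall"):
        print(mode, verify_hostname(is_cert, "189.9.134.48", mode))
```

Running the block shows the three outcomes for the situation in the question: the DNS-only certificate fails in both checking modes and passes only with AllowAll. Adding the IP as a SAN iPAddress entry (or, for the legacy verifier, as the CN) makes the first two modes pass without disabling the check.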

JMeter issue with javax.net.ssl.SSLProtocolException: Received fatal alert: unexpected_message when testing GCP CloudRun

I am using JMeter to run some POST requests to CloudRun for my API. When I run the process, the POST returns the error:
javax.net.ssl|DEBUG|12|Single Insert 1-1|2022-04-22 17:39:28.479 BST|Alert.java:238|Received alert message (
"Alert": {
"level" : "fatal",
"description": "unexpected_message"
}
)
javax.net.ssl|ERROR|12|Single Insert 1-1|2022-04-22 17:39:28.479 BST|TransportContext.java:363|Fatal (UNEXPECTED_MESSAGE): Received fatal alert: unexpected_message (
"throwable" : {
javax.net.ssl.SSLProtocolException: Received fatal alert: unexpected_message
at java.base/sun.security.ssl.Alert.createSSLException(Alert.java:129)
...etc...
I have created a certificate with:
keytool -keystore clientkeystore -genkey -alias client -keyalg RSA
then copied the file clientkeystore under the bin folder and added in the system.properties file:
javax.net.ssl.keyStore=clientkeystore
javax.net.ssl.keyStorePassword=mypassword
but nothing changes when it runs against a GCP/CloudRun instance. Any idea?
If your application requires a client-side certificate, you need to get the appropriate one and not generate a new random one. If this is the case, you will need to import the relevant certificate into the keystore:
keytool -import -alias your-certificate-alias -file /path/to/your/certificate.cer -keystore clientkeystore.p12 -storepass mypassword
and change the javax.net.ssl.keyStore to include the file extension:
javax.net.ssl.keyStore=clientkeystore.p12
More information: How to Set Your JMeter Load Test to Use Client Side Certificates
If your application can be accessed by anyone without having to provide the client-side certificate just remove the properties as you don't need them.

Subscription workflow implementation in wso2 api manager 3.1.0

I'm trying to achieve wso2 workflow implementation on WSO2 API Manager 3.1.0, but I'm unable to find the request coming to the admin portal.
Can anyone please help with this?
I followed the WSO2 official documentation. I tried the same in WSO2 API Manager 2.6.0 and it worked fine.
Versions using:
WSO2 API Manager 3.1.0 &
WSO2 EI 6.5.0
Note: No log got printed in BPS server while trying this one.
Logs in APIM are as follows.
[2020-09-21 21:40:59,988] ERROR - SubscriptionsApiServiceImpl Requested application not found
[2020-09-21 21:41:18,901] ERROR - SubscriptionsApiServiceImpl Requested application not found
[2020-09-21 21:42:12,318] INFO - CarbonAuthenticationUtil 'admin#carbon.super [-1234]' logged in at [2020-09-21 21:42:12,318+0530]
[2020-09-21 21:42:12,347] INFO - PermissionUpdater Permission cache updated for tenant -1234
[2020-09-21 21:42:12,387] INFO - CarbonAuthenticationUtil 'admin#carbon.super [-1234]' logged in at [2020-09-21 21:42:12,387+0530]
[2020-09-21 21:42:13,180] WARN - login:jag Not Retrieving Pending Tasks. Check BPS Connectivity. javax.net.ssl.SSLHandshakeException: sun.security.validator.ValidatorException: PKIX path validation failed: java.security.cert.CertPathValidatorException: signature check failed
[2020-09-21 21:42:13,346] WARN - login:jag Not Retrieving Pending Tasks. Check BPS Connectivity. javax.net.ssl.SSLHandshakeException: sun.security.validator.ValidatorException: PKIX path validation failed: java.security.cert.CertPathValidatorException: signature check failed
"I'm trying to achieve wso2 workflow implementation on WSO2 API Manager 3.1.0, I'm unable to find the request coming to the admin portal."
[2020-09-21 21:42:13,180] WARN - login:jag Not Retrieving Pending Tasks. Check BPS Connectivity. javax.net.ssl.SSLHandshakeException: sun.security.validator.ValidatorException: PKIX path validation failed: java.security.cert.CertPathValidatorException: signature check failed
[2020-09-21 21:42:13,346] WARN - login:jag Not Retrieving Pending Tasks. Check BPS Connectivity. javax.net.ssl.SSLHandshakeException: sun.security.validator.ValidatorException: PKIX path validation failed: java.security.cert.CertPathValidatorException: signature check failed
To show the task list in the Admin portal, we need to import the certificate of API Manager into the client-truststore of the EI server and also import the certificate of EI server into the client-truststore of API Manager. As per the above logs you haven't done that.
Please follow the below steps to import and export certificates among APIM and EI servers.
Paths to the directory containing the client-truststore of each product are:
API-M - '<API-M_HOME>/repository/resources/security'
EI - '<EI_HOME>/wso2/business-process/repository/resources/security'
Export certificate from BPS and import to APIM
cd <EI_HOME>/wso2/business-process/repository/resources/security
keytool -export -alias wso2carbon -keystore wso2carbon.jks -file publickeyBPS.pem
Enter the password as wso2carbon when requested. This is the default password for keystores.
cp publickeyBPS.pem <AM_HOME>/repository/resources/security
cd <AM_HOME>/repository/resources/security
keytool -import -alias wso2bps -file publickeyBPS.pem -keystore client-truststore.jks -storepass wso2carbon
keytool -list -alias wso2bps -keystore client-truststore.jks -v
Export certificate from APIM and import to BPS
cd <API-M_HOME>/repository/resources/security
keytool -export -alias wso2carbon -keystore wso2carbon.jks -file publickeyAPIM.pem
Enter the password as wso2carbon when requested. This is the default password for keystores.
cp publickeyAPIM.pem <EI_HOME>/wso2/business-process/repository/resources/security
cd <EI_HOME>/wso2/business-process/repository/resources/security
keytool -import -alias wso2apim -file publickeyAPIM.pem -keystore client-truststore.jks -storepass wso2carbon
keytool -list -alias wso2apim -keystore client-truststore.jks -v
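The final keytool -list step is the one that actually proves the import landed in the truststore the product reads. As an added example (not WSO2 or JDK code), the block below does the same check from a script without a JDK on the box: it decodes the JKS container format that client-truststore.jks uses (magic, version, entry list, and the SHA-1 integrity hash keyed with the store password) and returns each trusted alias with its SHA-256 fingerprint, raising the same failure keytool reports as "Keystore was tampered with, or password was incorrect" when the password is wrong or the file was altered. The two certificate byte strings are constructed placeholders standing in for the exported publickeyBPS.pem and publickeyAPIM.pem contents, not real X.509 DER; the container logic is real.

```python
"""Inspect a Java JKS truststore without keytool.

Added example, not WSO2 or JDK code.  Decodes the JKS container format used by
client-truststore.jks so an import can be verified from a script.  The sample
"certificates" are constructed placeholder bytes, not real X.509 DER.
"""
import hashlib
import io
import struct

MAGIC = 0xFEEDFEED
VERSION_2 = 2
PRIVATE_KEY_ENTRY = 1
TRUSTED_CERT_ENTRY = 2
PRE_KEYED_SALT = b"Mighty Aphrodite"   # fixed string the JDK mixes into the integrity hash
DIGEST_LEN = 20                        # SHA-1


class IntegrityError(Exception):
    """keytool reports this as 'Keystore was tampered with, or password was incorrect'."""


def _keyed_sha1(password: str) -> "hashlib._Hash":
    md = hashlib.sha1()
    md.update(password.encode("utf-16-be"))  # Java chars, big-endian
    md.update(PRE_KEYED_SALT)
    return md


def _write_utf(buf: io.BytesIO, text: str) -> None:
    data = text.encode("utf-8")  # DataOutput.writeUTF: 2-byte length + (modified) UTF-8
    buf.write(struct.pack(">H", len(data)) + data)


def _read_utf(buf: io.BytesIO) -> str:
    (n,) = struct.unpack(">H", buf.read(2))
    return buf.read(n).decode("utf-8")


def encode_truststore(password: str, certs: dict) -> bytes:
    """Build a JKS holding trusted-certificate entries only (alias -> DER bytes)."""
    body = io.BytesIO()
    body.write(struct.pack(">III", MAGIC, VERSION_2, len(certs)))
    for alias, der in certs.items():
        body.write(struct.pack(">I", TRUSTED_CERT_ENTRY))
        _write_utf(body, alias.lower())   # JKS aliases are case-insensitive, stored lower-case
        body.write(struct.pack(">q", 0))  # creation time, ms since epoch (0 for the sample)
        _write_utf(body, "X.509")
        body.write(struct.pack(">I", len(der)) + der)
    data = body.getvalue()
    md = _keyed_sha1(password)
    md.update(data)
    return data + md.digest()


def _read_cert(buf: io.BytesIO, version: int) -> bytes:
    if version == VERSION_2:
        _read_utf(buf)  # certificate type, "X.509"; absent in version 1 files
    (n,) = struct.unpack(">I", buf.read(4))
    return buf.read(n)


def fingerprint(der: bytes) -> str:
    """SHA-256 fingerprint in keytool's colon-separated upper-case form."""
    return ":".join(f"{b:02X}" for b in hashlib.sha256(der).digest())


def decode_truststore(raw: bytes, password: str) -> dict:
    """Verify the integrity hash, then return {alias: SHA-256 fingerprint} for trusted certs."""
    data, stored = raw[:-DIGEST_LEN], raw[-DIGEST_LEN:]
    md = _keyed_sha1(password)
    md.update(data)
    if md.digest() != stored:
        raise IntegrityError("keystore was tampered with, or password was incorrect")
    buf = io.BytesIO(data)
    magic, version, count = struct.unpack(">III", buf.read(12))
    if magic != MAGIC or version not in (1, 2):
        raise ValueError("not a JKS keystore")
    entries = {}
    for _ in range(count):
        (tag,) = struct.unpack(">I", buf.read(4))
        alias = _read_utf(buf)
        buf.read(8)  # creation time
        if tag == TRUSTED_CERT_ENTRY:
            entries[alias] = fingerprint(_read_cert(buf, version))
        elif tag == PRIVATE_KEY_ENTRY:  # skip the encrypted key and its certificate chain
            (klen,) = struct.unpack(">I", buf.read(4))
            buf.read(klen)
            (chain_len,) = struct.unpack(">I", buf.read(4))
            for _ in range(chain_len):
                _read_cert(buf, version)
        else:
            raise ValueError(f"unknown entry tag {tag}")
    return entries


def has_alias(raw: bytes, password: str, alias: str) -> bool:
    return alias.lower() in decode_truststore(raw, password)


def list_trusted_certs(path: str, password: str = "wso2carbon") -> dict:
    """File wrapper: what keytool -list -keystore client-truststore.jks shows."""
    with open(path, "rb") as fh:
        return decode_truststore(fh.read(), password)


# Constructed placeholders for the exported publickeyBPS.pem / publickeyAPIM.pem bytes.
SAMPLE_BPS_DER = b"constructed placeholder, not a real certificate: BPS"
SAMPLE_APIM_DER = b"constructed placeholder, not a real certificate: APIM"

if __name__ == "__main__":
    store = encode_truststore("wso2carbon", {"wso2bps": SAMPLE_BPS_DER})
    for alias, fp in decode_truststore(store, "wso2carbon").items():
        print(alias, fp)
    print("wso2apim present:", has_alias(store, "wso2carbon", "wso2apim"))
```

Point list_trusted_certs at the real client-truststore.jks and compare the fingerprint of the alias you imported with the fingerprint keytool -printcert prints for the .pem you exported; a matching alias with a different fingerprint means an older certificate was imported under that name, which is a common cause of the "signature check failed" lines above when a server's keystore has been regenerated.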

Peer not authenticated when login on publisher or store

When logging into the /publisher or /store, I get the "Peer not authenticated" error.
To give more context, I created a new keystore and imported its .pem certificate into the client-truststore.jks and finally updated the SSL keystore configuration to use this new one, as written here: https://docs.wso2.com/display/ADMIN44x/Configuring+Keystores+in+WSO2+Products#Configuring%20keystores%20for%20SSL%20connections
WSO2 Log with SSL Debug enabled:
%% Invalidated: [Session-11, TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA384]
http-nio-9443-exec-25, SEND TLSv1.2 ALERT: fatal, description = certificate_unknown
http-nio-9443-exec-25, WRITE: TLSv1.2 Alert, length = 2
http-nio-9443-exec-25, called closeSocket()
http-nio-9443-exec-25, handling exception: javax.net.ssl.SSLHandshakeException: sun.security.validator.ValidatorException: PKIX path building failed: sun.security.provider.certpath.SunCertPathBuilderException: unable to find valid certification path to requested target
http-nio-9443-exec-25, IOException in getSession(): javax.net.ssl.SSLHandshakeException: sun.security.validator.ValidatorException: PKIX path building failed: sun.security.provider.certpath.SunCertPathBuilderException: unable to find valid certification path to requested target
http-nio-9443-exec-45, READ: TLSv1.2 Alert, length = 2
http-nio-9443-exec-45, RECV TLSv1.2 ALERT: fatal, certificate_unknown
http-nio-9443-exec-45, fatal: engine already closed. Rethrowing javax.net.ssl.SSLException: Received fatal alert: certificate_unknown
http-nio-9443-exec-45, fatal: engine already closed. Rethrowing javax.net.ssl.SSLException: Received fatal alert: certificate_unknown
http-nio-9443-exec-45, called closeOutbound()
http-nio-9443-exec-45, closeOutboundInternal()
http-nio-9443-exec-45, SEND TLSv1.2 ALERT: warning, description = close_notify
http-nio-9443-exec-45, WRITE: TLSv1.2 Alert, length = 2
TID: [-1234] [] [2020-03-10 15:03:32,866] INFO {org.wso2.carbon.core.internal.permission.update.PermissionUpdater} - Permission cache updated for tenant -1234 {org.wso2.carbon.core.internal.permission.update.PermissionUpdater}
TID: [-1234] [] [2020-03-10 15:03:32,898] INFO {org.apache.axis2.transport.http.HTTPSender} - Unable to sendViaPost to url[https://<serverPublicIP>:9443/services/AuthenticationAdmin] {org.apache.axis2.transport.http.HTTPSender}
javax.net.ssl.SSLPeerUnverifiedException: peer not authenticated
at sun.security.ssl.SSLSessionImpl.getPeerCertificates(SSLSessionImpl.java:450)
at org.apache.commons.httpclient.protocol.SSLProtocolSocketFactory.verifyHostName(SSLProtocolSocketFactory.java:276)
at org.apache.commons.httpclient.protocol.SSLProtocolSocketFactory.createSocket(SSLProtocolSocketFactory.java:186)
The keytool commands I used:
// Create the keystore
$ keytool -genkey -alias custom -keyalg RSA -keysize 2048 -keystore custom.jks -dname "CN=<myhostdomain>, OU=Home,O=Home,L=SL,S=WS,C=LK" -storepass wso2carbon -keypass wso2carbon
// Export the new keystore certificate
$ keytool -export -alias custom -keystore custom.jks -file custom.pem
// Import the new certificate into the client-truststore
$ keytool -import -alias custom -file custom.pem -keystore client-truststore.jks -storepass wso2carbon
Product Version:
APIM 2.6 (not using IS as Key Manager, just the stock WSO2 API Manager)
Consistently reproduced the issue on a clean installation. The problem was that I enabled the H2 database visualization in the browser, by changing this config in the carbon.xml (it was commented):
<H2DatabaseConfiguration>
<property name="web" />
<property name="webPort">8082</property>
<property name="webAllowOthers" />
</H2DatabaseConfiguration>
For some reason, this causes the Peer not authenticated error when logging in to the publisher or store.

Configure WSO2 developer studio 3.8.0 in eclipse Luna

I am trying to configure WSO2 API Manager tooling in Eclipse Luna, as per https://apim.docs.wso2.com/en/latest/Learn/APIGateway/MessageMediation/pass-a-custom-authorization-token-to-the-backend/, however I keep getting javax.net.ssl.SSLHandshakeException when I try to connect to the API Manager instance. I have added the public certificate to the Java truststore, and also tried pointing Eclipse to a custom truststore where the public cert is added, still no luck. I have Java 8 installed on Mojave. Not sure if it is related to the new version of the API Manager. Here is the error message and stack trace.
Error Message
Getting WS Feature Available in Regisrty check failed Connection has been shutdown: javax.net.ssl.SSLHandshakeException: sun.security.validator.ValidatorException: PKIX path building failed: sun.security.provider.certpath.SunCertPathBuilderException: unable to find valid certification path to requested target
Stack trace link: https://pastebin.com/5bSpKJ4x
This is an SSL handshake error, which usually occurs if you don't have trusted certificates in your truststore. Do the following:
Download the certificate from whatever back-end service you are trying to hit.
Add it to the client-truststore.jks file in <apim-home>/repository/resources/security using the following command in cmd.
Open cmd from \jdk\bin
keytool -keystore "<apim-home>\repository\resources\security\client-truststore.jks" -storepass wso2carbon -importcert -file "<certFile-location>"

How to Solve unknown_ca error on WSO2IS-5.7 when using MySQL RDS as backstore?

I've tried to install an instance on AWS using AWS RDS as my datasource through the mysql-connector-java-5.1.45-bin.jar with the JDBC URL
jdbc:mysql://<instance>.<zone>.rds.amazonaws.com:3306/carbon_db
and I've got an exception:
com.mysql.jdbc.exceptions.jdbc4.CommunicationsException: Communications link failurecom.mysql.jdbc.exceptions.jdbc4.CommunicationsException: Communications link failure
The last packet successfully received from the server was 7 milliseconds ago. The last packet sent successfully to the server was 7 milliseconds ago.
at sun.reflect.NativeConstructorAccessorImpl.newInstance0(Native Method)
at sun.reflect.NativeConstructorAccessorImpl.newInstance(NativeConstructorAccessorImpl.java:62)
at sun.reflect.DelegatingConstructorAccessorImpl.newInstance(DelegatingConstructorAccessorImpl.java:45)
at java.lang.reflect.Constructor.newInstance(Constructor.java:423)
at com.mysql.jdbc.Util.handleNewInstance(Util.java:425)
...
Caused by: javax.net.ssl.SSLHandshakeException: Received fatal alert: unknown_ca
I've tried to run
keytool -importcert -keystore <keystore> -storepass <pass> -noprompt -file rds-combined-ca-bundle.pem
on cacerts.jks in the JVM and client-truststore.jks inside the WSO2 repository, with no effect.
This happens since the public certificate from your DB connection is not trusted by the WSO2 Identity Server.
Since you have tried adding the certificate, verify whether this has been added properly.
Get the public certificate from your DB instance.
Go to the <IS_HOME>/repository/resources/security folder. Import the public certificate to the client-truststore.jks file. Use the command below.
keytool -importcert -file certificate.cer -keystore client-truststore.jks -alias "Alias"
Restart the wso2 IS instance and check if the issue still persists.
According to the MySQL connector documentation in [1], the following JDBC URL parameters should be included in the JDBC URL to enable SSL communication between the MySQL server and the wso2 server.
useSSL=true
requireSSL=true
clientCertificateKeyStoreUrl
clientCertificateKeyStorePassword
I was able to successfully create the secure connection between MySQL server and the wso2 server with the below JDBC URL.
jdbc:mysql://<HOST_NAME>:<PORT>/apimgtdb?useSSL=true&requireSSL=true&clientCertificateKeyStoreUrl=file:<WSO2_HOME>/repository/resources/security/client-truststore.jks&clientCertificateKeyStorePassword=wso2carbon