WSO2 Dashboard SAML auth: PKIX path building failed - wso2

Using the WSO2 Identity Server on my production site, I try to access the "dashboard jaggery apps" to manage my own user account (change password, etc.). But when I try to log in there (using SAML2 on the https production domain) it shows the following error:
PKIX path building failed: sun.security.provider.certpath.SunCertPathBuilderException: unable to find valid certification path to requested target
We wrote the keystore path in the auth_config.json inside repository/deployment/server/jaggeryapps/dashboard/authentication, but it does not work.
We have other applications using the same fingerprint and/or X.509 hash correctly (with SAML2), but we can't configure this app.
Here is the complete error: http://pastebin.com/tgJenydM
Any suggestions? Thanks.
Update:
When I use the backend IP the error is not raised, but when I change to the domain name it is. (This error is really driving me crazy.)

Did you change the default keystore of the WSO2 IS server? If so, could you please let us know whether you imported your new certificate into the trust store file (client-truststore.jks) of the WSO2 IS server? If not, this can be the issue. Please export the certificate from the keystore and import it into the trust store of the server. You can use the Java keytool command to do it.
When you are working on the dashboard (not on localhost), there are a few configurations you need to do. You can find them here.

Related

CodenameOne Mobile app throws SSL Exception connecting to https server with real certificates (not self signed)

I have an Amazon AWS environment running a spring boot server app with https endpoints. (https://www.myapp.com:8443) A real (not self signed) certificate for www.myapp.com has been installed on the server.
When connecting from an Android release app on a real device (installed via OTA email) I see the exception:
Exception: javax.net.ssl.SSLHandshakeException -
java.security.cert.CertPathValidatorException: Trust anchor for
certification path not found.
javax.net.ssl.SSLHandshakeException:
java.security.cert.CertPathValidatorException: Trust anchor for
certification path not found.
In the Simulator I have added my real site certificate to my IntelliJ java cacerts file and that works fine. From within the simulator all my https calls to the AWS box work fine.
When building the Android app I added the real cert to the keystore and specified that keystore via the CN1 Preferences for the Android settings. This built fine but generated the above exception when run on a real device.
Using a self signed cert via CN1 and deployed on a real device also failed in the same manner.
What am I missing here?
The keystore in Android builds is used for signing so adding certificates to it is irrelevant as once the APK is signed it won't change anything. If the certificate isn't available to Android or Apple then it's not a great certificate to use. If you open the native browser on Android and the site loads correctly then it should work with the app as well.

WSO2 IoTS APIMClientOAuthException: failed to retrieve oauth token using jwt

I have uploaded WSO2 IoTS 3.1.0 to my remote virtual machine with a static IP address.
I unzipped the zip file and then ran sudo ./change-ip.sh
In the first step I entered localhost
In the second step I entered my_own_ip_address
Then my hostname is my_own_ip_address
When I launch the IoT Server and open device management, I log in and it shows me this page:
When I try to open any other page, and even when I try to log out, it redirects me to this page.
My logs show this:
TID[-1234] [IoT] [2017-09-09 08:32:30,079] ERROR {auth-module} -
org.wso2.carbon.apimgt.integration.client.exception.APIMClientOAuthException: failed to retrieve oauth token using jwt
org.mozilla.javascript.Context.throwAsScriptRuntimeEx(Context.java:1754)
org.mozilla.javascript.MemberBox.invoke(MemberBox.java:148)
org.mozilla.javascript.NativeJavaMethod.call(NativeJavaMethod.java:225)
org.mozilla.javascript.optimizer.OptRuntime.callProp0(OptRuntime.java:85)
It shows that there is an error in jaggery JS.
What did I miss?
One reason for the issue could be that you have a DNS entry for that IP in the /etc/hosts file. Please make sure that your /etc/hosts file does not contain any DNS entry pointing your IP to a hostname. When WSO2 IoT Server tries to resolve DNS to call the endpoints, the first thing it looks at is your local DNS setting. If your IP is pointing to a hostname, it takes that hostname as the server hostname. And when the IoT server tries to verify the common name of the SSL certificate, it gets conflicting information. This leads to a hostname verification failure, and that could result in the JWT token failure as it cannot access the endpoints.
A similar issue was discussed here.
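As an added example (my own diagnostic, not code from WSO2 or from any of the answers above), here is a small Java program that performs the two checks the answers describe: it builds a PKIX path from a server certificate to a trust anchor in client-truststore.jks, which fails with the same "unable to find valid certification path" message when the issuing CA was never imported, and it reports whether the leaf certificate actually names the host you connect with, which is why an IP works while the domain name or an /etc/hosts alias fails. The PEM chain file, trust store path, trust store password and hostname are assumed command-line arguments you supply.

```java
import java.io.FileInputStream;
import java.security.KeyStore;
import java.security.cert.*;
import java.util.*;
public class TrustCheck {
    // Build a PKIX path from the leaf to a trust anchor in the trust store. Throws
    // CertPathBuilderException ("unable to find valid certification path") when the
    // issuing CA was never imported into the trust store.
    static CertPath buildPath(List<X509Certificate> chain, KeyStore trustStore)
            throws Exception {
        X509CertSelector target = new X509CertSelector();
        target.setCertificate(chain.get(0));
        PKIXBuilderParameters params = new PKIXBuilderParameters(trustStore, target);
        params.setRevocationEnabled(false); // offline check: no CRL/OCSP fetch
        params.addCertStore(CertStore.getInstance("Collection",  // intermediates sent by server
                new CollectionCertStoreParameters(chain)));
        return CertPathBuilder.getInstance("PKIX").build(params).getCertPath();
    }
    // Exact dNSName / iPAddress SAN match (no wildcard handling). Explains why an IP URL
    // works while the domain name (or an /etc/hosts alias) fails: only one of them is
    // in the certificate. The CN is consulted only when there are no SANs at all.
    static boolean namesHost(X509Certificate leaf, String host) throws Exception {
        Collection<List<?>> sans = leaf.getSubjectAlternativeNames();
        if (sans == null) {
            String dn = leaf.getSubjectX500Principal().getName().toLowerCase();
            return dn.contains("cn=" + host.toLowerCase());
        }
        for (List<?> san : sans) { // each entry is [type, value]; 2 = dNSName, 7 = iPAddress
            int type = (Integer) san.get(0);
            if ((type == 2 || type == 7) && host.equalsIgnoreCase(String.valueOf(san.get(1))))
                return true;
        }
        return false;
    }
    public static void main(String[] args) throws Exception {
        // args (assumed): server-chain.pem client-truststore.jks truststore-password hostname
        CertificateFactory cf = CertificateFactory.getInstance("X.509");
        List<X509Certificate> chain = new ArrayList<>();
        try (FileInputStream in = new FileInputStream(args[0])) {
            for (Certificate c : cf.generateCertificates(in)) chain.add((X509Certificate) c);
        }
        KeyStore ts = KeyStore.getInstance("JKS");
        try (FileInputStream in = new FileInputStream(args[1])) { ts.load(in, args[2].toCharArray()); }
        try {
            System.out.println("trust path OK: " + buildPath(chain, ts).getCertificates().size() + " cert(s)");
        } catch (CertPathBuilderException e) { System.out.println("PKIX path building failed: " + e.getMessage()); }
        System.out.println("certificate names " + args[3] + ": " + namesHost(chain.get(0), args[3]));
    }
}
```

If the path build fails, export the issuing CA from the server keystore and import it into the trust store with keytool; if the host check is false, connect with a name the certificate carries or reissue the certificate with that name in its SAN list.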

Using installed SSL/TLS certificate with SoapUI?

I need to be able to hit a web service using SoapUI to inspect the request and response. I was previously provided with a certificate in the form of a .PFX file, along with the keystore password, which I could import into SoapUI and successfully hit the service.
The certificate I was provided recently expired, and my company has now deployed a new certificate via SCCM to my machine. I have the certificate installed in both Local Machine and Current User.
My question is:
Is there a way to use an installed certificate (meaning I can't export it first) to complete the SSL/TLS handshake when making a request via SoapUI?
Everything I've been able to find on the web has referenced exporting the certificate and setting the SSL settings in SoapUI (like I did before). Unfortunately, I do not have required authority to export the certificate to a .PFX file with a keystore password...
I assume there has to be a configuration setting of some sort in SoapUI that will let me hit the service with my installed certificate, but I can't find it for the life of me. Any help is greatly appreciated!
Even confirmation that it's impossible is appreciated; just not as much as I would appreciate a solution ;)
Thanks in advance!

WSO2 API Manager: API Store Error: Error in getting new access token

I have replaced the WSO2 default SSL certificate with a custom SSL certificate on my production server on which WSO2 API Manager is installed.
The SSL issues have been fixed, but now I am getting an error while re-generating the access token.
Logs
Caused by: org.wso2.carbon.apimgt.keymgt.APIKeyMgtException: Error in getting new accessToken
at org.wso2.carbon.apimgt.keymgt.service.APIKeyMgtSubscriberService.renewAccessToken(APIKeyMgtSubscriberService.java:281)
... 45 more
Caused by: java.lang.RuntimeException: Failed : HTTP error code : 500
at org.wso2.carbon.apimgt.keymgt.service.APIKeyMgtSubscriberService.renewAccessToken(APIKeyMgtSubscriberService.java:252)
... 45 more
TID: [0] [AM] [2014-08-27 10:57:41,440] ERROR {org.wso2.carbon.apimgt.hostobjects.APIStoreHostObject} - Error in getting new accessToken {org.wso2.carbon.apimgt.hostobjects.APIStoreHostObject}
If API Manager runs with a port offset, you need to make additional changes.
Change the endpoint ports defined in the default APIs shipped with API Manager.
Find all default APIs of the API Manager in the /repository/deployment/server/synapse-configs/default/api folder. Those are the Authorize API, Login API, Token API and Revoke API. Open each of them and change the port value included in the address endpoint config to match the offset value. The default address endpoint config is
address uri="https://192.168.1.7:9443/oauth2/token"
If the AM standalone pack is running with port offset 2, change that config to
address uri="https://192.168.1.7:9445/oauth2/token"
What I did to fix the issue was to 1) add the admin user inside APIKeyValidator in api-manager.xml, and also add the admin user via the management console and in user-mgt.xml; 2) inside api-manager.xml:
Change the following:
https://${carbon.local.ip}:${mgt.transport.https.port}${carbon.context}/services/
to:
https://[FQDN_OF_HOST]:${mgt.transport.https.port}${carbon.context}/services/
The reason is that my server certificate only recorded the domain name, not the IP address.
My setup: Product: WSO2 AM 1.10.0; DB: MSSQL; Security: SAML2 integrated with PingIdentity; OS: Linux
Please also refer to this question:
wso2 am 1.10.0 API Store: "Error occurred while executing the action generateApplicationKey" with " Invalid credentials provided."
The error may be due to one of these two things:
Your admin password is not set for the APIKeyValidator in api-manager.xml.
SSL is not set up properly.

jaxws client get https wsdl errors

I am testing a web service hosted on https. I use JAX-WS for the connection.
This retrieves the WSDL first, but that's where the error occurs. I saved the certificate from IE on my local machine and created a keystore from it, as described in JAX-WS-https-client, and changed the JVM arguments so that the keystore loads.
This did achieve that the URL used to retrieve the WSDL contained the protocol https instead of http, so things started to look better. But now I get the following error:
SystemException: PropagatedException: WSDLException: faultCode=OTHER_ERROR: Unable to resolve imported document at 'https://www.eway.com.au/gateway/rebill/test/manageRebill_test.asmx?wsdl'.: sun.security.validator.ValidatorException: PKIX path building failed: sun.security.provider.certpath.SunCertPathBuilderException: unable to find valid certification path to requested target
Does this mean that the certificate was copied to the filesystem incorrectly?
Is something else wrong? What should I do?
I should note that when exporting a certificate from IE, the option is given to export the private key or not. When not exporting the private key, it can be saved as a .cer file, which is necessary for creating the keystore. On the other hand, when I try to export the private key, the file extension is .pfx and this cannot be converted to a keystore.
My bad: I had Fiddler running and thus used a certificate issued by Fiddler.
When I added the real certificate to the keystore, the web service call was OK.