PKIX path building failed in WSO2 ESB - wso2

I'm getting the below exception in WSO2 ESB when invoking a REST API which is supposed to invoke the back-end Twitter API. I was following the steps given in this blog post. The Twitter security certificate was successfully imported into the WSO2 key store. What would be the reason for this? I'm using WSO2 ESB version 4.8.1.
ERROR - TargetHandler I/O error: General SSLEngine problem
javax.net.ssl.SSLHandshakeException: General SSLEngine problem
at sun.security.ssl.Handshaker.checkThrown(Handshaker.java:1290)
at sun.security.ssl.SSLEngineImpl.checkTaskThrown(SSLEngineImpl.java:513)
at sun.security.ssl.SSLEngineImpl.writeAppRecord(SSLEngineImpl.java:1177)
at sun.security.ssl.SSLEngineImpl.wrap(SSLEngineImpl.java:1149)
at javax.net.ssl.SSLEngine.wrap(SSLEngine.java:469)
at org.apache.http.nio.reactor.ssl.SSLIOSession.doWrap(SSLIOSession.java:220)
at org.apache.http.nio.reactor.ssl.SSLIOSession.doHandshake(SSLIOSession.java:254)
at org.apache.http.nio.reactor.ssl.SSLIOSession.isAppInputReady(SSLIOSession.java:380)
at org.apache.http.impl.nio.reactor.AbstractIODispatch.inputReady(AbstractIODispatch.java:118)
at org.apache.http.impl.nio.reactor.BaseIOReactor.readable(BaseIOReactor.java:160)
at org.apache.http.impl.nio.reactor.AbstractIOReactor.processEvent(AbstractIOReactor.java:342)
at org.apache.http.impl.nio.reactor.AbstractIOReactor.processEvents(AbstractIOReactor.java:320)
at org.apache.http.impl.nio.reactor.AbstractIOReactor.execute(AbstractIOReactor.java:280)
at org.apache.http.impl.nio.reactor.BaseIOReactor.execute(BaseIOReactor.java:106)
at org.apache.http.impl.nio.reactor.AbstractMultiworkerIOReactor$Worker.run(AbstractMultiworkerIOReactor.java:604)
at java.lang.Thread.run(Thread.java:745)
Caused by: javax.net.ssl.SSLHandshakeException: General SSLEngine problem
at sun.security.ssl.Alerts.getSSLException(Alerts.java:192)
at sun.security.ssl.SSLEngineImpl.fatal(SSLEngineImpl.java:1683)
at sun.security.ssl.Handshaker.fatalSE(Handshaker.java:278)
at sun.security.ssl.Handshaker.fatalSE(Handshaker.java:270)
at sun.security.ssl.ClientHandshaker.serverCertificate(ClientHandshaker.java:1341)
at sun.security.ssl.ClientHandshaker.processMessage(ClientHandshaker.java:153)
at sun.security.ssl.Handshaker.processLoop(Handshaker.java:868)
at sun.security.ssl.Handshaker$1.run(Handshaker.java:808)
at sun.security.ssl.Handshaker$1.run(Handshaker.java:806)
at java.security.AccessController.doPrivileged(Native Method)
at sun.security.ssl.Handshaker$DelegatedTask.run(Handshaker.java:1227)
at org.apache.http.nio.reactor.ssl.SSLIOSession.doRunTask(SSLIOSession.java:238)
at org.apache.http.nio.reactor.ssl.SSLIOSession.doHandshake(SSLIOSession.java:270)
... 9 more
Caused by: sun.security.validator.ValidatorException: PKIX path building failed: sun.security.provider.certpath.SunCertPathBuilderException: unable to find valid certification path to requested target
at sun.security.validator.PKIXValidator.doBuild(PKIXValidator.java:385)
at sun.security.validator.PKIXValidator.engineValidate(PKIXValidator.java:292)
at sun.security.validator.Validator.validate(Validator.java:260)
at sun.security.ssl.X509TrustManagerImpl.validate(X509TrustManagerImpl.java:326)
at sun.security.ssl.X509TrustManagerImpl.checkTrusted(X509TrustManagerImpl.java:283)
at sun.security.ssl.X509TrustManagerImpl.checkServerTrusted(X509TrustManagerImpl.java:138)
at sun.security.ssl.ClientHandshaker.serverCertificate(ClientHandshaker.java:1328)
... 17 more
Caused by: sun.security.provider.certpath.SunCertPathBuilderException: unable to find valid certification path to requested target
at sun.security.provider.certpath.SunCertPathBuilder.engineBuild(SunCertPathBuilder.java:196)
at java.security.cert.CertPathBuilder.build(CertPathBuilder.java:268)
at sun.security.validator.PKIXValidator.doBuild(PKIXValidator.java:380)
... 23 more

Export Certificates
Go to https://YOUR_SERVER_HOST.com/, click on the lock icon at the address bar, click on the 'Connection' tab, then click on the link 'Certificate Information'. From the 'Certificate Viewer', select the tab 'Details' and click on the 'Export' button and download the certificate (YOUR_SERVER_HOST.com) to a preferred location.
Import it into the WSO2 ESB "client-truststore" using the following commands:
$ cd $WSO2_HOME/repository/resources/security
$ keytool -importcert -file $path/YOUR_SERVER_HOST.com.cer -keystore client-truststore.jks -alias "YOUR_SERVER_HOST.com"
Use the password "wso2carbon" when asked.

I had a similar problem with another WSO2 product. I had successfully imported the certificate into the store. It appears it only reloads the keystore on restart of the server, so you will have to restart your server (if you haven't already).
Also, there are 2 keystores, the wso2carbon.jks (which is what I assume you are referring to) and the client-truststore.jks. You may need to import it into the client-truststore.jks.
Hope that is of some help.
Cheers
Matt
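
The PKIX path-building step that fails in the trace above can be reproduced offline against one specific store, which shows whether an import landed in the truststore the server actually reads (wso2carbon.jks versus client-truststore.jks). This is an added example, not code from the original posts or from WSO2; the class name TrustCheck and the file names in its usage comment are placeholders.

```java
import java.io.FileInputStream;
import java.io.InputStream;
import java.security.KeyStore;
import java.security.cert.*;
import java.util.ArrayList;
import java.util.List;

// Added example: offline check of whether a truststore can build a PKIX path
// to an exported server certificate. Usage (file names are placeholders):
//   java TrustCheck client-truststore.jks wso2carbon server.cer [intermediate.cer ...]
public class TrustCheck {
    public static void main(String[] args) throws Exception {
        if (args.length < 3) {
            System.err.println("usage: TrustCheck <truststore.jks> <storepass> <leaf.cer> [intermediate.cer ...]");
            System.exit(2);
        }
        KeyStore trust = KeyStore.getInstance("JKS");
        try (InputStream in = new FileInputStream(args[0])) {
            trust.load(in, args[1].toCharArray());
        }
        // Load the exported leaf certificate and any intermediates (DER or PEM).
        CertificateFactory cf = CertificateFactory.getInstance("X.509");
        List<X509Certificate> presented = new ArrayList<>();
        for (int i = 2; i < args.length; i++) {
            try (InputStream in = new FileInputStream(args[i])) {
                presented.add((X509Certificate) cf.generateCertificate(in));
            }
        }
        X509Certificate leaf = presented.get(0);
        System.out.println("leaf subject: " + leaf.getSubjectX500Principal());
        System.out.println("leaf issuer : " + leaf.getIssuerX500Principal());
        // getCertificateAlias returns null when this exact certificate is not in the store.
        System.out.println("leaf alias in truststore: " + trust.getCertificateAlias(leaf));

        X509CertSelector target = new X509CertSelector();
        target.setCertificate(leaf);
        // Trust anchors are the trusted-certificate entries of the keystore.
        PKIXBuilderParameters params = new PKIXBuilderParameters(trust, target);
        params.addCertStore(CertStore.getInstance("Collection",
                new CollectionCertStoreParameters(presented)));
        params.setRevocationEnabled(false); // isolate path building from CRL/OCSP lookups

        try {
            PKIXCertPathBuilderResult result = (PKIXCertPathBuilderResult)
                    CertPathBuilder.getInstance("PKIX").build(params);
            System.out.println("path built; anchor: "
                    + result.getTrustAnchor().getTrustedCert().getSubjectX500Principal());
        } catch (CertPathBuilderException e) {
            // The same condition the server logs as "PKIX path building failed".
            System.out.println("no path from this truststore: " + e.getMessage());
            System.exit(1);
        }
    }
}
```

Running it once per candidate store (and again after an import) tells you which file needs the certificate before you restart the server.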

Related

Configure WSO2 developer studio 3.8.0 in eclipse Luna

I am trying to configure WSO2 API Manager tooling in Eclipse Luna, as per https://apim.docs.wso2.com/en/latest/Learn/APIGateway/MessageMediation/pass-a-custom-authorization-token-to-the-backend/, however I keep getting javax.net.ssl.SSLHandshakeException when I try to connect to the API Manager instance. I have added the public certificate to the Java trust store, and also tried pointing Eclipse to a custom truststore where the public cert is added, still no luck. I have Java 8 installed on Mojave. Not sure if it is related to the new version of API Manager. Here is the error message and stack trace.
Error Message
Getting WS Feature Available in Regisrty check failed Connection has been shutdown: javax.net.ssl.SSLHandshakeException: sun.security.validator.ValidatorException: PKIX path building failed: sun.security.provider.certpath.SunCertPathBuilderException: unable to find valid certification path to requested target
Stack trace: https://pastebin.com/5bSpKJ4x
This is an SSL handshake error, which usually occurs if you don't have trusted certificates in your trust store. Do the following:
Download the certificate from whatever back-end service you are trying to hit.
Add it to the client-truststore.jks file in <apim-home>/repository/resources/security using the following command in cmd.
Open cmd from \jdk\bin
keytool -keystore "<apim-home>\repository\resources\security\client-truststore.jks" -storepass wso2carbon -importcert -file "<certFile-location>"

WSO2 APIM: PKIX path building failed while configuring an endpoint with self signed certificate

I am getting the following error while trying to add an endpoint which uses a self-signed certificate. Please find the image below.
[2017-07-11 11:09:52,227] ERROR - APIProviderHostObject Error occurred while connecting to backend : https://mytestserver.com, reason : sun.security.validator.ValidatorException: PKIX path building failed: sun.security.provider.certpath.SunCertPathBuilderException: unable to find valid certification path to requested target
javax.net.ssl.SSLHandshakeException: sun.security.validator.ValidatorException: PKIX path building failed: sun.security.provider.certpath.SunCertPathBuilderException: unable to find valid certification path to requested target
Can you please let me know how to fix this issue?
So far I have tried the following
1. adding -Dhttpclient.hostnameVerifier=AllowAll property
2. Created a new keystore and added the self-signed certificate. Also added self-signed certificate to the java keystore
You have to get the public certificate of this host, and install it to APIM's client-truststore.jks file.
keytool -importcert -alias MyCompany -keystore client-truststore.jks -file MyCompany.crt

How to fix SSLHandshakeException

We are getting the below error when I try to parse the WSDL in Enterprise Manager. How do I fix this?
The WSDL document could not be parsed.The following error occured while parsing the WSDL location - WSDLException: faultCode=PARSER_ERROR: Failed to read wsdl file at: "https:/xxx?WSDL", caused by: javax.net.ssl.SSLHandshakeException. : javax.net.ssl.SSLHandshakeException: sun.security.validator.ValidatorException: PKIX path building failed: sun.security.provider.certpath.SunCertPathBuilderException: unable to find valid certification path to requested target
Make sure the required CA certificates are added to the certificate store that the server actually uses. For example, if the app/web server uses the JDK's store, then the file should be ${JAVA_HOME}/jre/lib/security/cacerts.
You can cross-check whether your certificate has been added:
keytool -list -keystore ${JAVA_HOME}/jre/lib/security/cacerts
The keystore file path may vary based on your server configuration.

WSO2 APIM 2.0 Clustering deployment issue when generate access token

I deployed 2 keymanager nodes, 2 pub-store nodes, 1 gateway manager node and 2 gateway worker nodes on one server, and deployed nginx for load balancing. When I try to generate the application access token, it reports the below error:
2016-08-29 03:10:59,558 [-] [http-nio-9443-exec-5] ERROR subscription-add:jag org.jaggeryjs.scriptengine.exceptions.ScriptException: Error while obtaining the application access token for the application:DefaultApplication
2016-08-29 03:29:37,439 [-] [http-nio-9443-exec-45] ERROR AMDefaultKeyManagerImpl Error while creating tokens - sun.security.validator.ValidatorException: PKIX path building failed: sun.security.provider.certpath.SunCertPathBuilderException: unable to find valid certification path to requested target
javax.net.ssl.SSLHandshakeException: sun.security.validator.ValidatorException: PKIX path building failed: sun.security.provider.certpath.SunCertPathBuilderException: unable to find valid certification path to requested target
at sun.security.ssl.Alerts.getSSLException(Alerts.java:192)
at sun.security.ssl.SSLSocketImpl.fatal(SSLSocketImpl.java:1949)
at sun.security.ssl.Handshaker.fatalSE(Handshaker.java:302)
at sun.security.ssl.Handshaker.fatalSE(Handshaker.java:296)
at sun.security.ssl.ClientHandshaker.serverCertificate(ClientHandshaker.java:1509)
at sun.security.ssl.ClientHandshaker.processMessage(ClientHandshaker.java:216)
at sun.security.ssl.Handshaker.processLoop(Handshaker.java:979)
at sun.security.ssl.Handshaker.process_record(Handshaker.java:914)
at sun.security.ssl.SSLSocketImpl.readRecord(SSLSocketImpl.java:1062)
at sun.security.ssl.SSLSocketImpl.performInitialHandshake(SSLSocketImpl.java:1375)
at sun.security.ssl.SSLSocketImpl.startHandshake(SSLSocketImpl.java:1403)
at sun.security.ssl.SSLSocketImpl.startHandshake(SSLSocketImpl.java:1387)
at org.apache.http.conn.ssl.SSLSocketFactory.connectSocket(SSLSocketFactory.java:533)
at org.apache.http.conn.ssl.SSLSocketFactory.connectSocket(SSLSocketFactory.java:401)
at org.apache.http.impl.conn.DefaultClientConnectionOperator.openConnection(DefaultClientConnectionOperator.java:178)
at org.apache.http.impl.conn.AbstractPoolEntry.open(AbstractPoolEntry.java:144)
at org.apache.http.impl.conn.AbstractPooledConnAdapter.open(AbstractPooledConnAdapter.java:131)
at org.apache.http.impl.client.DefaultRequestDirector.tryConnect(DefaultRequestDirector.java:610)
at org.apache.http.impl.client.DefaultRequestDirector.execute(DefaultRequestDirector.java:445)
at org.apache.http.impl.client.AbstractHttpClient.doExecute(AbstractHttpClient.java:863)
at org.apache.http.impl.client.CloseableHttpClient.execute(CloseableHttpClient.java:82)
at org.apache.http.impl.client.CloseableHttpClient.execute(CloseableHttpClient.java:106)
at org.apache.http.impl.client.CloseableHttpClient.execute(CloseableHttpClient.java:57)
at org.wso2.carbon.apimgt.impl.AMDefaultKeyManagerImpl.getNewApplicationAccessToken(AMDefaultKeyManagerImpl.java:360)
at org.wso2.carbon.apimgt.impl.APIConsumerImpl.renewAccessToken(APIConsumerImpl.java:867)
at org.wso2.carbon.apimgt.impl.UserAwareAPIConsumer.renewAccessToken(UserAwareAPIConsumer.java:36)
at org.wso2.carbon.apimgt.hostobjects.APIStoreHostObject.jsFunction_refreshToken(APIStoreHostObject.java:4120)
...
Caused by: sun.security.validator.ValidatorException: PKIX path building failed: sun.security.provider.certpath.SunCertPathBuilderException: unable to find valid certification path to requested target
at sun.security.validator.PKIXValidator.doBuild(PKIXValidator.java:387)
at sun.security.validator.PKIXValidator.engineValidate(PKIXValidator.java:292)
at sun.security.validator.Validator.validate(Validator.java:260)
at sun.security.ssl.X509TrustManagerImpl.validate(X509TrustManagerImpl.java:324)
at sun.security.ssl.X509TrustManagerImpl.checkTrusted(X509TrustManagerImpl.java:229)
at sun.security.ssl.X509TrustManagerImpl.checkServerTrusted(X509TrustManagerImpl.java:124)
at sun.security.ssl.ClientHandshaker.serverCertificate(ClientHandshaker.java:1491)
... 90 more
Caused by: sun.security.provider.certpath.SunCertPathBuilderException: unable to find valid certification path to requested target
at sun.security.provider.certpath.SunCertPathBuilder.build(SunCertPathBuilder.java:141)
at sun.security.provider.certpath.SunCertPathBuilder.engineBuild(SunCertPathBuilder.java:126)
at java.security.cert.CertPathBuilder.build(CertPathBuilder.java:280)
at sun.security.validator.PKIXValidator.doBuild(PKIXValidator.java:382)
And in the pub-store nodes, I used WSClient for key validation and used:
<AuthManager>
    <!-- Server URL of the Authentication service -->
    <ServerURL>https://km.devzone.com/services/</ServerURL>
    <!-- Admin username for the Authentication manager. -->
    <Username>${admin.username}</Username>
    <!-- Admin password for the Authentication manager. -->
    <Password>${admin.password}</Password>
    <!-- Indicates whether the permissions checking of the user (on the Publisher and Store) should be done
         via a remote service. The check will be done on the local server when false. -->
    <CheckPermissionsRemotely>false</CheckPermissionsRemotely>
</AuthManager>
What's the possible config issue?
This happens when you don't have the Key Manager certificate in the Store node's trust store. To fix this, export the public certificate from the Key Manager node's JKS file and import it into the client-truststore.jks of the Store node.

generate webservice client from HTTPS wsdl using java in Axis2 Runtime

I am trying to generate (SOAP) web-service client classes using a WSDL (https://dpdmsdmmk1.fmr.com:12210/cmis/services/RepositoryService?wsdl) which has HTTPS in the URL.
Paste_WSDL_Below: https://dpdmsdmmk1.fmr.com:12210/cmis/services/RepositoryService?wsdl
Trial 1: From the command prompt:
wsimport -d C:\Users\A550857\Desktop\Jay -extension -keep -p com.gatewayedi.ws -XadditionalHeaders Paste_WSDL_Below
Response on command prompt:
parsing WSDL...
[ERROR] sun.security.validator.ValidatorException: PKIX path building failed: sun.security.provider.certpath.SunCertPathBuilderException: unable to find valid certification path to requested target
Failed to read the WSDL document: Paste_WSDL_Below, because 1) could not find the document; /2) the document could not be read; 3) the root element of the document is not .
[ERROR] failed.noservice=Could not find wsdl:service in the provided WSDL(s):
At least one WSDL with at least one service definition needs to be provided.
Failed to parse the WSDL.
Trial 2: From the command prompt:
C:\Users\A550857\Desktop\Jay\Softs\axis2-1.6.2\bin>wsdl2java.bat -uri Paste_WSDL_Below
Response on command prompt:
Using AXIS2_HOME: C:\Users\A550857\Desktop\Jay\Softs\axis2-1.6.2
Using JAVA_HOME: C:\Program Files (x86)\Java\jdk1.7.0_03
log4j:WARN No appenders could be found for logger (org.apache.axis2.i18n.ProjectResourceBundle).
log4j:WARN Please initialize the log4j system properly.
Exception in thread "main" org.apache.axis2.wsdl.codegen.CodeGenerationException: Error parsing WSDL
at org.apache.axis2.wsdl.codegen.CodeGenerationEngine.<init>(CodeGenerationEngine.java:181)
at org.apache.axis2.wsdl.WSDL2Code.main(WSDL2Code.java:35)
at org.apache.axis2.wsdl.WSDL2Java.main(WSDL2Java.java:24)
Caused by: javax.net.ssl.SSLHandshakeException: sun.security.validator.ValidatorException: PKIX path building failed: sun.security.provider.certpath.SunCertPathBuilderException: unable to find valid certification path to requested target
at sun.security.ssl.Alerts.getSSLException(Alerts.java:192)
at sun.security.ssl.SSLSocketImpl.fatal(SSLSocketImpl.java:1868)
at sun.security.ssl.Handshaker.fatalSE(Handshaker.java:276)
at sun.security.ssl.Handshaker.fatalSE(Handshaker.java:270)
at sun.security.ssl.ClientHandshaker.serverCertificate(ClientHandshaker.java:1337)
at sun.security.ssl.ClientHandshaker.processMessage(ClientHandshaker.java:154)
at sun.security.ssl.Handshaker.processLoop(Handshaker.java:868)
at sun.security.ssl.Handshaker.process_record(Handshaker.java:804)
at sun.security.ssl.SSLSocketImpl.readRecord(SSLSocketImpl.java:998)
at sun.security.ssl.SSLSocketImpl.performInitialHandshake(SSLSocketImpl.java:1294)
at sun.security.ssl.SSLSocketImpl.startHandshake(SSLSocketImpl.java:1321)
at sun.security.ssl.SSLSocketImpl.startHandshake(SSLSocketImpl.java:1305)
at sun.net.www.protocol.https.HttpsClient.afterConnect(HttpsClient.java:523)
at sun.net.www.protocol.https.AbstractDelegateHttpsURLConnection.connect(AbstractDelegateHttpsURLConnection.java:185)
at sun.net.www.protocol.http.HttpURLConnection.getInputStream(HttpURLConnection.java:1296)
at java.net.HttpURLConnection.getResponseCode(HttpURLConnection.java:468)
at sun.net.www.protocol.https.HttpsURLConnectionImpl.getResponseCode(HttpsURLConnectionImpl.java:338)
at org.apache.axis2.wsdl.codegen.CodeGenerationEngine.<init>(CodeGenerationEngine.java:99)
... 2 more
Caused by: sun.security.validator.ValidatorException: PKIX path building failed: sun.security.provider.certpath.SunCertPathBuilderException: unable to find valid certification path to requested target
at sun.security.validator.PKIXValidator.doBuild(PKIXValidator.java:385)
at sun.security.validator.PKIXValidator.engineValidate(PKIXValidator.java:292)
at sun.security.validator.Validator.validate(Validator.java:260)
at sun.security.ssl.X509TrustManagerImpl.validate(X509TrustManagerImpl.java:326)
at sun.security.ssl.X509TrustManagerImpl.checkTrusted(X509TrustManagerImpl.java:231)
at sun.security.ssl.X509TrustManagerImpl.checkServerTrusted(X509TrustManagerImpl.java:126)
at sun.security.ssl.ClientHandshaker.serverCertificate(ClientHandshaker.java:1319)
... 15 more
Caused by: sun.security.provider.certpath.SunCertPathBuilderException: unable to find valid certification path to requested target
at sun.security.provider.certpath.SunCertPathBuilder.engineBuild(SunCertPathBuilder.java:196)
at java.security.cert.CertPathBuilder.build(CertPathBuilder.java:268)
at sun.security.validator.PKIXValidator.doBuild(PKIXValidator.java:380)
... 21 more
Environment I am using: Axis2-1.6.2, Java7, WSDL: Paste_WSDL_Below
Please suggest on this. I am able to view the WSDL in the browser with proper content.
You have two options:
1) Import the server certificate into your JDK's truststore
(sample: http://www.coderanch.com/t/134619/Security/JDK-trust-Certificate). You're getting the exception because your JDK is not trusting the server certificate.
2) Download the WSDL to your local drive, including the referenced XSD files if present, and run wsimport against the local WSDL and not the WSDL from the HTTPS page.
I'd do the second approach, as it is much simpler.