Handshake exception in java webservice client - web-services

i am trying to implement a webclient for a secure https connection. I imported the server certificates and added it to java keystore. but when i try to run the client i got the following exceptions:--
Oct 18, 2013 3:25:25 PM org.apache.cxf.phase.PhaseInterceptorChain doDefaultLogging WARNING: Interceptor for
{http://tempuri.org/}Service#{http://tempuri.org/}GetUserInformation has thrown exception,
unwinding now org.apache.cxf.interceptor.Fault: Could not send Message.
at
org.apache.cxf.interceptor.MessageSenderInterceptor$MessageSenderEndingInterceptor.handleMessage(MessageSenderInterceptor.java:64)
at
org.apache.cxf.phase.PhaseInterceptorChain.doIntercept(PhaseInterceptorChain.java:272)
at org.apache.cxf.endpoint.ClientImpl.doInvoke(ClientImpl.java:565)
at org.apache.cxf.endpoint.ClientImpl.invoke(ClientImpl.java:474)
at org.apache.cxf.endpoint.ClientImpl.invoke(ClientImpl.java:377)
at org.apache.cxf.endpoint.ClientImpl.invoke(ClientImpl.java:330)
at org.apache.cxf.frontend.ClientProxy.invokeSync(ClientProxy.java:96)
at org.apache.cxf.jaxws.JaxWsClientProxy.invoke(JaxWsClientProxy.java:135)
at $Proxy29.getUserInformation(Unknown Source)
at
org.tempuri.ServiceSoap_ServiceSoap_Client.main(ServiceSoap_ServiceSoap_Client.java:78)
Caused by: java.io.IOException: IOException invoking
myurl/**/**/asmx: The https URL hostname does not
match the Common Name (CN) on the server certificate in the client's truststore. Make sure
server certificate is correct, or to disable this check (NOT recommended for production) set the CXF client TLS configuration property "disableCNCheck" to true.
at sun.reflect.NativeConstructorAccessorImpl.newInstance0(Native Method)
at sun.reflect.NativeConstructorAccessorImpl.newInstance(Unknown Source)
at sun.reflect.DelegatingConstructorAccessorImpl.newInstance(Unknown Source)
at java.lang.reflect.Constructor.newInstance(Unknown Source)
at
org.apache.cxf.transport.http.HTTPConduit$WrappedOutputStream.mapException(HTTPConduit.java:1338)
at
org.apache.cxf.transport.http.HTTPConduit$WrappedOutputStream.close(HTTPConduit.java:1322)
at org.apache.cxf.transport.AbstractConduit.close(AbstractConduit.java:56)
at org.apache.cxf.transport.http.HTTPConduit.close(HTTPConduit.java:627)
at
org.apache.cxf.interceptor.MessageSenderInterceptor$MessageSenderEndingInterceptor.handleMessage(MessageSenderInterceptor.java:62)
... 9 more
Caused by: java.io.IOException: The https URL hostname does not match the Common Name (CN)
on the server certificate in the client's truststore. Make sure server certificate is
correct, or to disable this check (NOT recommended for production) set the CXF client TLS
configuration property "disableCNCheck" to true.
at
org.apache.cxf.transport.http.HTTPConduit$WrappedOutputStream.onFirstWrite(HTTPConduit.java:1241) at
org.apache.cxf.transport.http.URLConnectionHTTPConduit$URLConnectionWrappedOutputStream.onFirstWrite(URLConnectionHTTPConduit.java:195)
at
org.apache.cxf.io.AbstractWrappedOutputStream.write(AbstractWrappedOutputStream.java:47)
at
org.apache.cxf.io.AbstractThresholdOutputStream.write(AbstractThresholdOutputStream.java:69) at
org.apache.cxf.transport.http.HTTPConduit$WrappedOutputStream.close(HTTPConduit.java:1295)
... 12 more
Exception in thread "main" javax.xml.ws.WebServiceException: Could not send Message.
at org.apache.cxf.jaxws.JaxWsClientProxy.invoke(JaxWsClientProxy.java:146)
at $Proxy29.getUserInformation(Unknown Source)
at
org.tempuri.ServiceSoap_ServiceSoap_Client.main(ServiceSoap_ServiceSoap_Client.java:78)
Caused by: java.io.IOException: IOException invoking
myurl/**/**/asmx: The https URL hostname does not
match the Common Name (CN) on the server certificate in the client's truststore. Make sure
server certificate is correct, or to disable this check (NOT recommended for production) set
the CXF client TLS configuration property "disableCNCheck" to true.
at sun.reflect.NativeConstructorAccessorImpl.newInstance0(Native Method)
at sun.reflect.NativeConstructorAccessorImpl.newInstance(Unknown Source)
at sun.reflect.DelegatingConstructorAccessorImpl.newInstance(Unknown Source)
at java.lang.reflect.Constructor.newInstance(Unknown Source)
at
org.apache.cxf.transport.http.HTTPConduit$WrappedOutputStream.mapException(HTTPConduit.java:1338)
at
org.apache.cxf.transport.http.HTTPConduit$WrappedOutputStream.close(HTTPConduit.java:1322)
at org.apache.cxf.transport.AbstractConduit.close(AbstractConduit.java:56)
at org.apache.cxf.transport.http.HTTPConduit.close(HTTPConduit.java:627)
at
org.apache.cxf.interceptor.MessageSenderInterceptor$MessageSenderEndingInterceptor.handleMessage(MessageSenderInterceptor.java:62)
at
org.apache.cxf.phase.PhaseInterceptorChain.doIntercept(PhaseInterceptorChain.java:272)
at org.apache.cxf.endpoint.ClientImpl.doInvoke(ClientImpl.java:565)
at org.apache.cxf.endpoint.ClientImpl.invoke(ClientImpl.java:474)
at org.apache.cxf.endpoint.ClientImpl.invoke(ClientImpl.java:377)
at org.apache.cxf.endpoint.ClientImpl.invoke(ClientImpl.java:330)
at org.apache.cxf.frontend.ClientProxy.invokeSync(ClientProxy.java:96)
at org.apache.cxf.jaxws.JaxWsClientProxy.invoke(JaxWsClientProxy.java:135)
... 2 more
Caused by: java.io.IOException: The https URL hostname does not match the Common Name (CN)
on the server certificate in the client's truststore. Make sure server certificate is
correct, or to disable this check (NOT recommended for production) set the CXF client TLS
configuration property "disableCNCheck" to true.
at
org.apache.cxf.transport.http.HTTPConduit$WrappedOutputStream.onFirstWrite(HTTPConduit.java:1241)
at
org.apache.cxf.transport.http.URLConnectionHTTPConduit$URLConnectionWrappedOutputStream.onFirstWrite(URLConnectionHTTPConduit.java:195)
at
org.apache.cxf.io.AbstractWrappedOutputStream.write(AbstractWrappedOutputStream.java:47)
at
org.apache.cxf.io.AbstractThresholdOutputStream.write(AbstractThresholdOutputStream.java:69) at
org.apache.cxf.transport.http.HTTPConduit$WrappedOutputStream.close(HTTPConduit.java:1295)
Can someone help me with this. Thanks in advance...

Depending on the type of CXF client you have to options. If you have Spring-based client configuration you have to add attribute to your http:conduit configuration:
<http:conduit name="{http://apache.org/hello_world_soap_http}SoapPort.http-conduit">
<http:tlsClientParameters disableCNCheck="true">
<!-- other tls configuration parameters, like trustManagers -->
</http:tlsClientParameters>
</http:conduit>
name has to match namespace and port name from your WSDL.
If you create your client programmaticaly then use the following code:
HTTPConduit httpConduit = (HTTPConduit) ClientProxy.getClient(port).getConduit();
TLSClientParameters tlsCP = new TLSClientParameters();
// other TLS/SSL configuration like setting up TrustManagers
tlsCP.setDisableCNCheck(true);
httpConduit.setTlsClientParameters(tlsCP);
where port is actual client proxy that you call.
Both options can be found working in CXF example that I modified here
BTW. There is a real threat in using this property on production environment, so please consider issuing new certificate with correct CN for production server instead of depending on this hack.

Related

'Read Time Out' between wso2 APIM and APIM-Analytics

Canario:
APIM and APIM-Analytics (both in 2.6.0) at the same localhost machine.
Identity Server in other Machine
Use the doc to make configuration between APIM and Analytics.
Setup te Datasources for external Oracle DB instance:
IS strat Ok, Analytics Worker start ok, Analytics Dashboard Start Ok, Analytics Manager Start Ok
After default configuration, Apim start with connection issue:
...
ERROR{org.wso2.carbon.databridge.agent.endpoint.DataEndpointConnectionWorker} -
Error while trying to connect to the endpoint. Cannot borrow client for
ssl://localhost:7712.
{org.wso2.carbon.databridge.agent.endpoint.DataEndpointConnectionWorker}
org.wso2.carbon.databridge.agent.exception.DataEndpointLoginException:
Cannot borrow client for ssl://localhost:7712.
at
org.wso2.carbon.databridge.agent.endpoint.DataEndpointConnectionWorker.connect(DataEndpointConnectionWorker.java:134)
at org.wso2.carbon.databridge.agent.endpoint.DataEndpointConnectionWorker.run(DataEndpointConnectionWorker.java:59)
at java.util.concurrent.Executors$RunnableAdapter.call(Executors.java:511)
at java.util.concurrent.FutureTask.run(FutureTask.java:266)
at java.util.concurrent.ThreadPoolExecutor.runWorker(ThreadPoolExecutor.java:1149)
at java.util.concurrent.ThreadPoolExecutor$Worker.run(ThreadPoolExecutor.java:624)
at java.lang.Thread.run(Thread.java:748)
Caused by: org.wso2.carbon.databridge.agent.exception.DataEndpointLoginException: Error while trying to login to the data receiver.
at org.wso2.carbon.databridge.agent.endpoint.thrift.ThriftDataEndpoint.login(ThriftDataEndpoint.java:54)
at org.wso2.carbon.databridge.agent.endpoint.DataEndpointConnectionWorker.connect(DataEndpointConnectionWorker.java:128)
... 6 more
Caused by: org.apache.thrift.transport.TTransportException: java.net.SocketTimeoutException: Read timed out
at org.apache.thrift.transport.TIOStreamTransport.flush(TIOStreamTransport.java:161)
at org.apache.thrift.TServiceClient.sendBase(TServiceClient.java:65)
at org.wso2.carbon.databridge.commons.thrift.service.secure.ThriftSecureEventTransmissionService$Client.send_connect(ThriftSecureEventTransmissionService.java:104)
at org.wso2.carbon.databridge.commons.thrift.service.secure.ThriftSecureEventTransmissionService$Client.connect(ThriftSecureEventTransmissionService.java:95)
at org.wso2.carbon.databridge.agent.endpoint.thrift.ThriftDataEndpoint.login(ThriftDataEndpoint.java:47)
... 7 more
Caused by: java.net.SocketTimeoutException: Read timed out
at java.net.SocketInputStream.socketRead0(Native Method)
at java.net.SocketInputStream.socketRead(SocketInputStream.java:116)
at java.net.SocketInputStream.read(SocketInputStream.java:171)
at java.net.SocketInputStream.read(SocketInputStream.java:141)
at sun.security.ssl.InputRecord.readFully(InputRecord.java:465)
at sun.security.ssl.InputRecord.read(InputRecord.java:503)
at sun.security.ssl.SSLSocketImpl.readRecord(SSLSocketImpl.java:975)
at sun.security.ssl.SSLSocketImpl.performInitialHandshake(SSLSocketImpl.java:1367)
at sun.security.ssl.SSLSocketImpl.writeRecord(SSLSocketImpl.java:750)
at sun.security.ssl.AppOutputStream.write(AppOutputStream.java:123)
at java.io.BufferedOutputStream.flushBuffer(BufferedOutputStream.java:82)
at java.io.BufferedOutputStream.flush(BufferedOutputStream.java:140)
at org.apache.thrift.transport.TIOStreamTransport.flush(TIOStreamTransport.java:159)
... 11 more
...
When I had access the consoles Analytics (PUBLISHER, STORE or ADMIN), the API Usage analtyics interface become stucked.
I try to mak few changes inside api-manager.xml. Now the ANALYTICS part is lik follows:
<!-- Enable Analytics for API Manager -->
<Enabled>true</Enabled>
<StreamProcessorServerURL>{tcp://localhost:7612}</StreamProcessorServerURL>
<!--StreamProcessorAuthServerURL>{ssl://localhost:7712}</StreamProcessorAuthServerURL-->
<!-- Administrator username to login to the remote StreamProcessor server. -->
<StreamProcessorUsername>admin</StreamProcessorUsername>
<!-- Administrator password to login to the remote StreamProcessor server. -->
<StreamProcessorPassword>admin</StreamProcessorPassword>
<!-- For APIM implemented Statistic client for RDBMS -->
<StatsProviderImpl>org.wso2.carbon.apimgt.usage.client.impl.APIUsageStatisticsRestClientImpl</StatsProviderImpl>
<!-- StreamProcessor REST API configuration -->
<StreamProcessorRestApiURL>https://localhost:9444</StreamProcessorRestApiURL>
<StreamProcessorRestApiUsername>admin</StreamProcessorRestApiUsername>
<StreamProcessorRestApiPassword>admin</StreamProcessorRestApiPassword>
I expect to discovery why this is happen, If i follow de default documentation (https://docs.wso2.com/display/AM260/Configuring+APIM+Analytics)
thanks
This problem it was solved by import the Analytics certificate to wso2carbon.jks and client-truststore.jks.
In the beginning I just import to client-truststore.jks and miss wso2carbon.jks.
It's important to use the full qualified name to create the new certificates and keystore, and use to make correct link between tools at api-manager.xml
Remember to add the full qualified name at hosts file.
Thanks

Import error 'FailedCheck' using SOAPUI for ERP Integration Service

I have tried automated importing of AP Invoices by using the ERP Integration Service from SOAPUI, but I am getting the 'FailedCheck' error whenever I am running a request. I have filled the necessary information, such as the base64 encoding of the CSVs.
Sample SOAP Code Request & Received Response
I have also filled in my username and password in the Outgoing WS-Security Configuration, which I have provided by double-clicking the project name.
Proof of credentials needed inserted
I also obtained a security certificate by obtaining the one used by the web service WSDL, then creating a keystore from it by the use of the tool 'keytool' from JDK. Then I used it as the keystore of my project.
Proof of keystore applied
Which I placed the necessary info for outgoing encryption.
Proof of encryption using keystore
After the steps, I run the request, to which I received the 'FailedCheck' error (see first image). Image below is the log that I received when I encounter the said error.
SoapUi log
And here is the error log:
Tue Nov 07 18:56:36 CST 2017:ERROR:java.util.zip.ZipException: Not in GZIP format
java.util.zip.ZipException: Not in GZIP format
at java.util.zip.GZIPInputStream.readHeader(Unknown Source)
at java.util.zip.GZIPInputStream.<init>(Unknown Source)
at java.util.zip.GZIPInputStream.<init>(Unknown Source)
at org.apache.http.client.entity.GzipDecompressingEntity.getContent(GzipDecompressingEntity.java:63)
at com.eviware.soapui.impl.wsdl.support.CompressionSupport.decompress(CompressionSupport.java:87)
at com.eviware.soapui.impl.wsdl.submit.transports.http.support.attachments.PostResponseDataSource.<init>(PostResponseDataSource.java:51)
at com.eviware.soapui.impl.wsdl.submit.transports.http.support.attachments.MimeMessageResponse.<init>(MimeMessageResponse.java:55)
at com.eviware.soapui.impl.wsdl.submit.transports.http.support.attachments.WsdlMimeMessageResponse.<init>(WsdlMimeMessageResponse.java:57)
at com.eviware.soapui.impl.wsdl.submit.filters.HttpPackagingResponseFilter.wsdlRequest(HttpPackagingResponseFilter.java:68)
at com.eviware.soapui.impl.wsdl.submit.filters.HttpPackagingResponseFilter.afterAbstractHttpResponse(HttpPackagingResponseFilter.java:49)
at com.eviware.soapui.impl.wsdl.submit.filters.AbstractRequestFilter.afterRequest(AbstractRequestFilter.java:64)
at com.eviware.soapui.impl.wsdl.submit.transports.http.HttpClientRequestTransport.sendRequest(HttpClientRequestTransport.java:272)
at com.eviware.soapui.impl.wsdl.WsdlSubmit.run(WsdlSubmit.java:119)
at java.util.concurrent.Executors$RunnableAdapter.call(Unknown Source)
at java.util.concurrent.FutureTask.run(Unknown Source)
at java.util.concurrent.ThreadPoolExecutor.runWorker(Unknown Source)
at java.util.concurrent.ThreadPoolExecutor$Worker.run(Unknown Source)
at java.lang.Thread.run(Unknown Source)
I have also tried running a request without using keystores, but I am getting an authentication error as a response. I am a beginner in this, so any help would be appreciated.

Soap service response not being sent in Wildlfy 9.0.2 and CXF 3.0.1 environment

We have a soap service which is built on CXF 3.0.1 using java and it is deployed in Wildlfy 9.0.2. The code uses its own CXF jars and does not use the Wildfly provides CXF module.
There is a client which consumes this service. The client code also uses CXF 3.0.1 coupled with SAAJ and is deployed in a Weblogic 12 instance.
The issue is that when the client invokes this service the request is received in Wildfly, the process finishes, but no response is generated (in CXF logs) or sent back to the client.
When I inspect the TCP packets I realize the client call has the following headers:
Encoding: UTF-8 Http-Method: POST Content-Type: text/xml;
charset=UTF-8 Headers: {Accept=[/], connection=[Keep-Alive],
content-type=[text/xml; charset=UTF-8],
Host=[ws-env.applications.services.com-tech.intra],
SOAPAction=["http://path to soap action"],
transfer-encoding=[chunked], User-Agent=[Apache CXF 3.0.1]}
The client call ultimately fails with the below error:
javax.xml.ws.WebServiceException: Could not send Message.
at org.apache.cxf.jaxws.JaxWsClientProxy.invoke(JaxWsClientProxy.java:148)
at com.sun.proxy.$Proxy139.processStrucutredEnvelopes(Unknown Source) ...
Caused by: java.net.SocketTimeoutException: SocketTimeoutException
invoking
http://endpointURL:
Read time out after 60000 millis
at sun.reflect.NativeConstructorAccessorImpl.newInstance0(Native Method)
at sun.reflect.NativeConstructorAccessorImpl.newInstance(NativeConstructorAccessorImpl.java:57)
at sun.reflect.DelegatingConstructorAccessorImpl.newInstance(DelegatingConstructorAccessorImpl.java:45)
at java.lang.reflect.Constructor.newInstance(Constructor.java:526)
at org.apache.cxf.transport.http.HTTPConduit$WrappedOutputStream.mapException(HTTPConduit.java:1359)
at org.apache.cxf.transport.http.HTTPConduit$WrappedOutputStream.close(HTTPConduit.java:1343)
at org.apache.cxf.transport.AbstractConduit.close(AbstractConduit.java:56)
at org.apache.cxf.transport.http.HTTPConduit.close(HTTPConduit.java:638)
at
The execution of the service takes 4-5 seconds max.
The other surprising issue is that this service when invoked from SOAPUI or even a wget from the client server returns with a valid SOAP response.
I tried to set the HTTPConduit configuration as described at:https://docs.jboss.org/author/display/WFLY9/Apache+CXF+integration#ApacheCXFintegration-HTTPConduitconfiguration but that did not seem to help.
Any help would be appreciated.

Error when calling web service from Domino

I need to connect to a .net application via it's SOAP Web Service but can't get it working from Domino. Using XPages I want to connect to the web service to return data to the xpage. I tried creating an agent to make the call, but that hasn't worked. I receive the following java StackTrace when I run the agent:
WebServiceEngineFault
faultCode: {http://www.lotus.com/domino/ws/}HTTP
faultSubcode:
faultString: (401) Unauthorized
faultActor:
faultNode:
faultDetail:
{}string:
(401) Unauthorized
at lotus.domino.axis.transport.http.HTTPSender.readFromSocket(Unknown Source)
at lotus.domino.axis.transport.http.HTTPSender.invoke(Unknown Source)
at lotus.domino.axis.strategies.InvocationStrategy.visit(Unknown Source)
at lotus.domino.axis.SimpleChain.doVisiting(Unknown Source)
at lotus.domino.axis.SimpleChain.invoke(Unknown Source)
at lotus.domino.axis.client.AxisClient.invoke(Unknown Source)
at lotus.domino.axis.client.Call.invokeEngine(Unknown Source)
at lotus.domino.axis.client.Call.invoke(Unknown Source)
at lotus.domino.axis.client.Call.invoke(Unknown Source)
at lotus.domino.axis.client.Call.invoke(Unknown Source)
at lotus.domino.axis.client.Call.invoke(Unknown Source)
at lotus.domino.websvc.client.Call.invoke(Unknown Source)
at com.imanage.worksite.IWOVServicesSoapStub.getFolders(Unknown Source)
at JavaAgent.NotesMain(Unknown Source)
at lotus.domino.AgentBase.runNotes(Unknown Source)
at lotus.domino.NotesThread.run(Unknown Source)
I am able to call it successfully from soapUI passing in the user id, password and domain credentials.
I set credentials in the agent that consumes the web service:
String arg0 = "DOMAINNAME\\USERID";
String arg1 = "PASSWORD";
stub.setCredentials(arg0, arg1);
and also in the web service consumer itself (in the SoapStub class - within the getFolders call):
_call.setUsername("DOMAINNAME\\USERID");
_call.setPassword("PASSWORD");
I'm new to XPages and Java. Does anyone have any ideas what I might be missing or should check for?
(I can't use Lotusscript for the web service consumer as the variable names generated by the WSDL are too long, so I have to use java in this case).
In these situations to help narrow down it is better to let SOAPUI do the full testing.
So do the following.
Create a mock service in SOAPUI from the WSDL of the provider.
Point your agent to the mock service so that you can capture what is being sent from your agent. (ie. Capture the SOAP request).
Using that same SOAP request send it via SOAPUI to the .NET server. It should reproduce the issue and give you back some more information as to what is failing.
The following wiki article explains how to do this.
http://www-10.lotus.com/ldd/ddwiki.nsf/dx/Testing_your_Domino_web_service_provider_and_consumer_using_SoapUI._
I would use CXF, it seems better supported in XPages. What authentication are you using? I found that a digest authentication might not work with some services in .net (Sharepoint data being one) and you need to call another end-point to get a digest token. I use TCPMon (Cross platform) or Fiddler to see what is on the wire (You configure these tools as proxy, so you can watch) AD107 might have additional information, have a look.

Weblogic web service + SSL

i currently have a webservice deployed on a weblogic 10.3 server whit 1-way ssl enabled, the problem is that wen i test the webservice using the weblogic's test page, i get this error:
avax.net.ssl.SSLException: Handshake has been interrupted, can't find trusted CA certificates file trusted-ca.pem
but all the client applications are not having problem using the service over https (they are allready configured tho thrust the server cert), i dig on the weblogic's log and found this stack trace:
at com.certicom.net.ssl.HttpsClient.doConnect(Unknown Source)
at com.certicom.net.ssl.internal.NetworkClient.openServer(Unknown Source)
at com.certicom.net.ssl.internal.HttpClient.openServer(Unknown Source)
at com.certicom.net.ssl.HttpsClient.<init>(Unknown Source)
at com.certicom.net.ssl.HttpsURLConnection.connect(Unknown Source)
at com.certicom.net.ssl.internal.HttpURLConnection.getInputStream(Unknown Source)
(this is an extract of the whole stack trace) for what i see, is that the test page interally uses the certicom ssl implementation to make the requests and it is not using the weblogic's SSL configuration, so how can i get the test page working whit ssl enabled?, is there any way to get certicom ssl implementation to use the weblogic's ssl settings?
thank you for your time
Did you follow the steps described in Testing a Secure WebLogic Web Service From Its Home Page?