JiriOndrusek commented on issue #4127: URL: https://github.com/apache/camel-quarkus/issues/4127#issuecomment-2252788119
I tried to run the splunk https tests by following https://docs.splunk.com/Documentation/Splunk/9.2.0/Security/ConfigTLSCertsS2S

The first task is to configure the splunk server for SSL. It is possible by providing the necessary config parameters and restarting afterwards. The config parameters might be added to the configuration file by copying (overwriting) the following file - `/opt/splunk/etc/system/local/server.conf` (see [my POC](https://github.com/JiriOndrusek/camel-quarkus/blob/splunk-ssh-POC/integration-tests/splunk/src/test/java/org/apache/camel/quarkus/component/splunk/it/SplunkTestResource.java#L104)).

There are several options. (You can validate the certificates by running `openssl s_client -connect localhost:32880` or `openssl s_client -connect localhost:32880 -CAfile cacert.pem`.)

1. If certificates are kept as default -> the splunk server generates the certificates during the start.
2. You can use the keytool approach (similar to cxf tests) to generate certificates. The server pem has to be concatenated from the private key and certificate. The proper method is to run the following commands (but the same result should also be achieved when the key and crt files are concatenated (I didn't verify that)):

```
openssl pkcs12 -export -out combined.p12 -inkey localhost-key.pem -in localhost.pem -certfile splunkca.pem
openssl pkcs12 -in combined.p12 -out combined.pem -nodes
```

3. You can generate certificates via annotations -> but in this case, I encountered a problem with a self-signed certificate, therefore I left that way.

According to openSsl verification, **both options (1 and 2) show that the server responds with a proper certificate.**

----

The second part of the job is to configure the splunk client properly for ssh. The splunk component lacks ssl configuration options (I reported the issue as https://issues.apache.org/jira/browse/CAMEL-20393). Unfortunately there is no clear way of fixing the issue.

The underlying splunk client (..servicemix.bundles.splunk.1.9.5_1) creates sslContext statically from `javax.net.ssl.SSLContext.getInstance("TLS");` with no option to create a custom ssl context. In my investigation, I was setting the default sslContext during the start of the tests (which is not a nice solution, but should help with the investigation). I tried several different approaches (see [my POC](https://github.com/JiriOndrusek/camel-quarkus/blob/splunk-ssh-POC/integration-tests/splunk/src/main/java/org/apache/camel/quarkus/component/splunk/it/SplunkResource.java#L268-L275)).

All my attempts failed on handshake_failure, with no information about what might be wrong. (The openSsl client works successfully, so I expect an error in the configuration of the splunk client and its ssl.) (In the logs from `-Djavax.net.debug=ssl,handshake,trustmanager` I noticed that the client might not contain any common encryption -> but the problem should show a different failure reason.)

---

I'm keeping my POC in the branch https://github.com/JiriOndrusek/camel-quarkus/tree/splunk-ssh-POC

• I copied the TestResource from the specialized module into the project (for easier modification).
• I copied several files from the container, to be able to verify them (see i.e. https://github.com/JiriOndrusek/camel-quarkus/blob/splunk-ssh-POC/integration-tests/splunk/src/test/java/org/apache/camel/quarkus/component/splunk/it/SplunkTestResource.java#L126).
• I added a wait of several hours to the tests (see https://github.com/JiriOndrusek/camel-quarkus/blob/splunk-ssh-POC/integration-tests/splunk/src/test/java/org/apache/camel/quarkus/component/splunk/it/AbstractSplunkTest.java#L53) so I can start the splunk from cmd by running the test and then I can run another test without the server (with hardcoded ports from the log of the first test). (This approach saves a lot of time, because the splunk server takes several minutes to start.)
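A check for the server PEM step described in the comment, as an added example that is not part of the original comment or of the camel-quarkus code base: it builds the bundle both ways (PKCS#12 round trip and plain concatenation) from constructed throwaway certificates and compares the private key and leaf certificate each file carries. The names `splunkca-key.pem`, `localhost.csr` and `concatenated.pem`, the `changeit` password and the function names are assumptions; the other file names are the ones used in the comment.

```shell
#!/bin/sh
# Added example. Every key and certificate here is constructed throwaway test material.

# Create a test CA, a localhost key/certificate, and the server PEM in two ways.
make_bundles() (
    cd "$1" || exit 1
    # Constructed CA (splunkca-key.pem is an assumed file name).
    openssl req -x509 -newkey rsa:2048 -nodes -days 1 -subj "/CN=Constructed Test CA" \
        -keyout splunkca-key.pem -out splunkca.pem 2>/dev/null || exit 1
    # Constructed server key and certificate signed by that CA.
    openssl req -newkey rsa:2048 -nodes -subj "/CN=localhost" \
        -keyout localhost-key.pem -out localhost.csr 2>/dev/null || exit 1
    openssl x509 -req -in localhost.csr -CA splunkca.pem -CAkey splunkca-key.pem \
        -CAcreateserial -days 1 -out localhost.pem 2>/dev/null || exit 1
    # Variant A: the PKCS#12 round trip from the comment (password is an assumption).
    openssl pkcs12 -export -out combined.p12 -inkey localhost-key.pem \
        -in localhost.pem -certfile splunkca.pem -passout pass:changeit || exit 1
    openssl pkcs12 -in combined.p12 -out combined.pem -nodes \
        -passin pass:changeit 2>/dev/null || exit 1
    # Variant B: plain concatenation of certificate, key and CA certificate.
    cat localhost.pem localhost-key.pem splunkca.pem > concatenated.pem
)

# Print the SHA-256 fingerprint of the first certificate in a PEM bundle,
# but only if the bundle's private key belongs to that certificate.
pem_identity() {
    cert_pub=$(openssl x509 -in "$1" -noout -pubkey) || return 1
    key_pub=$(openssl pkey -in "$1" -pubout) || return 1
    [ "$cert_pub" = "$key_pub" ] || return 1
    openssl x509 -in "$1" -noout -fingerprint -sha256
}

# Build both bundles in a temporary directory and compare what they carry.
compare_bundles() {
    dir=$(mktemp -d) || return 1
    make_bundles "$dir" || return 1
    a=$(pem_identity "$dir/combined.pem") || return 1
    b=$(pem_identity "$dir/concatenated.pem") || return 1
    rm -rf "$dir"
    [ -n "$a" ] && [ "$a" = "$b" ]
}

if compare_bundles; then
    echo "both bundles carry the same key and leaf certificate"
else
    echo "bundles differ or could not be built" >&2
fi
```

Equal output means both files hold the same private key and leaf certificate; it says nothing about the order of PEM blocks a particular server expects.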
