Hi IS Team,

It seems that the issue got resolved with the system property. We will need to add it to our startup scripts. Any concerns on doing that?

Thanks,
Harsha

On Tue, Apr 5, 2016 at 6:26 PM, Harsha Kumara <[email protected]> wrote:
> Boolean.getBoolean performs a system property lookup. I'll try that solution and update.
>
> On Tue, Apr 5, 2016 at 6:20 PM, Harsha Kumara <[email protected]> wrote:
>> I have done some analysis on this. In API Manager the initial functionality works fine. When the access token is generated, SAML2BearerGrantHandler calls DefaultBootstrap.bootstrap(); in the opensaml library. In the new version of the opensaml library they perform initializeHttpClient() [1] during the bootstrap, so the underlying commons http client socket factory has changed from SSLProtocolSocketFactory to TLSProtocolSocketFactory. TLSProtocolSocketFactory performs host name verification, which causes this exception. Going through their code, they have tried to make this disableable from a System property, but the implementation is doing Boolean.getBoolean instead of looking it up from System.getProperty [2], which seems to be a bug. If this had worked, we could have set a system property.
>>
>> [1]
>> /**
>>  * Initializes the Apache Commons HttpClient library.
>>  */
>> protected static void initializeHttpClient() {
>>     if (!Boolean.getBoolean(SYSPROP_HTTPCLIENT_HTTPS_DISABLE_HOSTNAME_VERIFICATION)) {
>>         ProtocolSocketFactory socketFactory =
>>             new TLSProtocolSocketFactory(null, null, new StrictHostnameVerifier());
>>         Protocol.registerProtocol("https", new Protocol("https", socketFactory, 443));
>>     }
>> }
>>
>> [2]
>> /** System property used to disable global default HTTPS hostname verification in Apache Commons HttpClient. */
>> public static final String SYSPROP_HTTPCLIENT_HTTPS_DISABLE_HOSTNAME_VERIFICATION =
>>     "org.opensaml.httpclient.https.disableHostnameVerification";
>>
>> Thanks,
>> Harsha
>>
>> On Tue, Apr 5, 2016 at 5:48 PM, Nuwan Dias <[email protected]> wrote:
>>> IS Team,
>>>
>>> It looks like the TLSProtocolSocketFactory isn't honouring the HostName verification parameter. It always tries to do the hostname verification. Looks like a buggy behaviour to me.
>>>
>>> This causes problems for API Manager and any other product which has a distributed deployment (App Manager, DAS, etc.) because it prevents http clients within our code from accessing Admin Services of remote nodes. The http clients fail since the server cert is by default for localhost, and whenever we try to access through IPs it fails. The only way to overcome this is to create the proper certs and deploy them on the server, which is a huge hassle for simple test scenarios.
>>>
>>> The TLSProtocolSocketFactory is being set when the SAMLBearerGrant is being initialized. Until then things work fine. We either have to stop it being set or use a version of opensaml which supports skipping the host name verification (like our transports allow). Otherwise this is going to be a huge blocker for our releases.
>>>
>>> Thanks,
>>> NuwanD.
>>>
>>> On Thu, Mar 17, 2016 at 7:09 PM, Sam Sivayogam <[email protected]> wrote:
>>>> Hi All,
>>>>
>>>> Had an offline chat with Pulasthi and got to know that in IS 5.0.8 there was an opensaml upgrade from 2.4.1 to 2.6.4. After going through [1] I got to know that there is a hostname verification introduced in opensaml 2.6.4 which is not there in opensaml 2.4.1, and this is why we are getting the above issue after moving to carbon identity 5.0.8.
>>>>
>>>> We are using *CommonsHTTPTransportSender* to call the key manager internally, and from what I understood if we set the *HostnameVerifier* parameter to *AllowAll* we should be able to get rid of this issue, but still we are getting this issue. Does anyone know why the HostnameVerifier parameter is not working as expected with CommonsHTTPTransportSender?
>>>>
>>>> [1] http://grepcode.com/file_/repo1.maven.org/maven2/org.apache.servicemix.bundles/org.apache.servicemix.bundles.opensaml/2.4.1_2/org/opensaml/ws/soap/client/http/TLSProtocolSocketFactory.java/?v=diff&id2=2.6.4_1
>>>>
>>>> Thanks,
>>>>
>>>> On Thu, Mar 17, 2016 at 11:12 AM, Sam Sivayogam <[email protected]> wrote:
>>>>> Hi All,
>>>>>
>>>>> I'm trying to upgrade APIM's Carbon kernel to 4.4.4. During the kernel upgrade I also upgraded the following:
>>>>> carbon identity from 5.0.7 to 5.0.8
>>>>> carbon commons from 4.4.8 to 4.5.2
>>>>> wso2 rampart from 1.6.1-wso2v16 to 1.6.1-wso2v18
>>>>>
>>>>> After the upgrade, when I try to generate a key from the API Store I'm getting the error [1]. I was able to get rid of this issue after replacing the APIKeyValidator IP with localhost in api-manager.xml. Please note that this issue is occurring after the kernel upgrade; before that we didn't encounter this issue. What I would like to know is whether there are any changes in kernel 4.4.4 or rampart 1.6.1-wso2v18 to do the hostname verification by default?
>>>>>
>>>>> [1] [2016-03-17 11:08:35,995] INFO - HTTPSender Unable to sendViaPost to url[https://10.100.5.192:9443//services/APIKeyMgtSubscriberService]
>>>>> javax.net.ssl.SSLPeerUnverifiedException: SSL peer failed hostname validation for name: 10.100.5.192
>>>>>     at org.opensaml.ws.soap.client.http.TLSProtocolSocketFactory.verifyHostname(TLSProtocolSocketFactory.java:233)
>>>>>     at org.opensaml.ws.soap.client.http.TLSProtocolSocketFactory.createSocket(TLSProtocolSocketFactory.java:194)
>>>>>     at org.apache.commons.httpclient.HttpConnection.open(HttpConnection.java:707)
>>>>>     at org.apache.commons.httpclient.MultiThreadedHttpConnectionManager$HttpConnectionAdapter.open(MultiThreadedHttpConnectionManager.java:1361)
>>>>>     at org.apache.commons.httpclient.HttpMethodDirector.executeWithRetry(HttpMethodDirector.java:387)
>>>>>     at org.apache.commons.httpclient.HttpMethodDirector.executeMethod(HttpMethodDirector.java:171)
>>>>>     at org.apache.commons.httpclient.HttpClient.executeMethod(HttpClient.java:397)
>>>>>     at org.apache.axis2.transport.http.AbstractHTTPSender.executeMethod(AbstractHTTPSender.java:632)
>>>>>     at org.apache.axis2.transport.http.HTTPSender.sendViaPost(HTTPSender.java:195)
>>>>>     at org.apache.axis2.transport.http.HTTPSender.send(HTTPSender.java:77)
>>>>>     at org.apache.axis2.transport.http.CommonsHTTPTransportSender.writeMessageWithCommons(CommonsHTTPTransportSender.java:451)
>>>>>     at org.apache.axis2.transport.http.CommonsHTTPTransportSender.invoke(CommonsHTTPTransportSender.java:278)
>>>>>     at org.apache.axis2.engine.AxisEngine.send(AxisEngine.java:442)
>>>>>     at org.apache.axis2.description.OutInAxisOperationClient.send(OutInAxisOperation.java:430)
>>>>>     at org.apache.axis2.description.OutInAxisOperationClient.executeImpl(OutInAxisOperation.java:225)
>>>>>     at org.apache.axis2.client.OperationClient.execute(OperationClient.java:149)
>>>>>     at org.wso2.carbon.apimgt.keymgt.stub.subscriber.APIKeyMgtSubscriberServiceStub.retrieveOAuthApplication(APIKeyMgtSubscriberServiceStub.java:1389)
>>>>>     at org.wso2.carbon.apimgt.keymgt.client.SubscriberKeyMgtClient.getOAuthApplication(SubscriberKeyMgtClient.java:89)
>>>>>     at org.wso2.carbon.apimgt.impl.AMDefaultKeyManagerImpl.retrieveApplication(AMDefaultKeyManagerImpl.java:224)
>>>>>     at org.wso2.carbon.apimgt.impl.dao.ApiMgtDAO.getClientOfApplication(ApiMgtDAO.java:2338)
>>>>>     at org.wso2.carbon.apimgt.impl.dao.ApiMgtDAO.getOAuthApplications(ApiMgtDAO.java:2302)
>>>>>     at org.wso2.carbon.apimgt.impl.dao.ApiMgtDAO.getApplications(ApiMgtDAO.java:4434)
>>>>>     at org.wso2.carbon.apimgt.impl.APIConsumerImpl.getApplications(APIConsumerImpl.java:2813)
>>>>>     at org.wso2.carbon.apimgt.impl.UserAwareAPIConsumer.getApplications(UserAwareAPIConsumer.java:36)
>>>>>     at org.wso2.carbon.apimgt.hostobjects.APIStoreHostObject.getAllSubscriptions(APIStoreHostObject.java:2416)
>>>>>     at org.wso2.carbon.apimgt.hostobjects.APIStoreHostObject.jsFunction_getAllSubscriptionsOfApplication(APIStoreHostObject.java:2659)
>>>>>     at sun.reflect.NativeMethodAccessorImpl.invoke0(Native Method)
>>>>>     at sun.reflect.NativeMethodAccessorImpl.invoke(NativeMethodAccessorImpl.java:57)
>>>>>     at sun.reflect.DelegatingMethodAccessorImpl.invoke(DelegatingMethodAccessorImpl.java:43)
>>>>>     at java.lang.reflect.Method.invoke(Method.java:601)
>>>>>     at org.mozilla.javascript.MemberBox.invoke(MemberBox.java:126)
>>>>>     at org.mozilla.javascript.FunctionObject.call(FunctionObject.java:386)
>>>>>     at org.mozilla.javascript.optimizer.OptRuntime.callN(OptRuntime.java:52)
>>>>>     at org.jaggeryjs.rhino.store.modules.subscription.c1._c_anonymous_2(/store/modules/subscription/list.jag:31)
>>>>>     at org.jaggeryjs.rhino.store.modules.subscription.c1.call(/store/modules/subscription/list.jag)
>>>>>     at org.mozilla.javascript.ScriptRuntime.applyOrCall(ScriptRuntime.java:2430)
>>>>>     at org.mozilla.javascript.BaseFunction.execIdCall(BaseFunction.java:269)
>>>>>     at org.mozilla.javascript.IdFunctionObject.call(IdFunctionObject.java:97)
>>>>>     at org.mozilla.javascript.optimizer.OptRuntime.call2(OptRuntime.java:42)
>>>>>     at org.jaggeryjs.rhino.store.modules.subscription.c0._c_anonymous_5(/store/modules/subscription/module.jag:19)
>>>>>
>>>>> Thanks,
>>>>> Sam
>>>>> --
>>>>> Sam Sivayogam
>>>>> Software Engineer
>>>>> Mobile : +94 772 906 439
>>>>> Office : +94 112 145 345
>>>>> WSO2, Inc. : wso2.com <http://wso2.com/>
>>>>> lean.enterprise.middleware.
>>>
>>> --
>>> Nuwan Dias
>>> Technical Lead - WSO2, Inc. http://wso2.com
>>> email : [email protected]
>>> Phone : +94 777 775 729
>>
>> --
>> Harsha Kumara
>> Software Engineer, WSO2 Inc.
>> Mobile: +94775505618
>> Blog: harshcreationz.blogspot.com
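An added example (not WSO2 or opensaml code) that mirrors the property check opensaml makes in the initializeHttpClient() quoted above, shows which values of that property actually switch hostname verification off, and adds a startup guard so the flag cannot silently reach a non-test deployment; the test-environment marker property is an assumption of this example.

```java
import java.util.LinkedHashMap;
import java.util.Map;

public class HostnameVerificationGuard {
    // Property name as quoted from opensaml in the thread.
    static final String DISABLE_PROP =
        "org.opensaml.httpclient.https.disableHostnameVerification";
    // Hypothetical marker property, assumed for this example only.
    static final String TEST_ENV_PROP = "example.deployment.testEnvironment";

    /** True when opensaml would skip registering the StrictHostnameVerifier. */
    static boolean verificationDisabled() {
        // Boolean.getBoolean(name) is "true".equalsIgnoreCase(System.getProperty(name)):
        // it IS a system-property lookup, and only a literal "true" (any case) disables.
        return Boolean.getBoolean(DISABLE_PROP);
    }

    /** Evaluates the opensaml condition for each candidate property value. */
    static Map<String, Boolean> probe(String... values) {
        Map<String, Boolean> result = new LinkedHashMap<>();
        for (String v : values) {
            if (v == null) System.clearProperty(DISABLE_PROP);
            else System.setProperty(DISABLE_PROP, v);
            result.put(String.valueOf(v), verificationDisabled());
        }
        System.clearProperty(DISABLE_PROP);
        return result;
    }

    /** Fail fast if TLS hostname verification is off outside an acknowledged test setup. */
    static void enforcePolicy() {
        if (!verificationDisabled()) return;
        if (Boolean.getBoolean(TEST_ENV_PROP)) {
            System.err.println("WARNING: " + DISABLE_PROP + "=true; every Commons HttpClient "
                + "HTTPS connection in this JVM accepts any hostname (test environment only)");
            return;
        }
        throw new IllegalStateException(DISABLE_PROP
            + "=true is not permitted outside a test environment; deploy certificates whose "
            + "CN/SAN match the node address instead");
    }

    public static void main(String[] args) {
        // null -> false, true -> true, TRUE -> true, 1 -> false, yes -> false, false -> false
        probe(null, "true", "TRUE", "1", "yes", "false").forEach((v, off) ->
            System.out.printf("%-6s -> verification disabled: %b%n", v, off));
        enforcePolicy(); // throws when started with only -D...disableHostnameVerification=true
    }
}
```

Calling enforcePolicy() early in the startup script path the thread proposes makes the weakened TLS setting visible in logs and impossible to carry into production by accident.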
_______________________________________________ Dev mailing list [email protected] http://wso2.org/cgi-bin/mailman/listinfo/dev
