Hi All,

Getting the same exception in App Manager as well after updating to kernel 4.4.5.
What is the resolution for this? Can we continue with the
"-Dorg.opensaml.httpclient.https.disableHostnameVerification=true \" system
property in the startup script as Harsha suggested?

Regards,
Dinusha.

On Tue, Apr 5, 2016 at 7:18 PM, Harsha Kumara <hars...@wso2.com> wrote:

> Hi IS Team,
>
> It seems that the issue got resolved with the system property. We will
> need to add it to our startup scripts. Any concerns on doing that?
>
> Thanks,
> Harsha
>
> On Tue, Apr 5, 2016 at 6:26 PM, Harsha Kumara <hars...@wso2.com> wrote:
>
>> Boolean.getBoolean performs a system property lookup. I'll try that solution
>> and update.
>>
>> On Tue, Apr 5, 2016 at 6:20 PM, Harsha Kumara <hars...@wso2.com> wrote:
>>
>>> I have done some analysis on this. In API Manager the initial functionality
>>> works fine. When the access token is generated, SAML2BearerGrantHandler
>>> does DefaultBootstrap.bootstrap(); in the opensaml library. With the new
>>> version of the opensaml library they perform initializeHttpClient(); [1]
>>> during the bootstrap. So the underlying commons http client library socket
>>> factory has changed from SSLProtocolSocketFactory to TLSProtocolSocketFactory.
>>> TLSProtocolSocketFactory performs host name verification, which causes
>>> this exception. Going through their code, they have tried to disable this
>>> via a System property. But the implementation is doing Boolean.getBoolean
>>> instead of looking it up from System.getProperty [2], which seems to be a bug.
>>> If this had worked, we could have set a system property.
>>>
>>> [1]
>>> /**
>>>  *  Initializes the Apache Commons HttpClient library.
>>>  */
>>> protected static void initializeHttpClient() {
>>>     if (!Boolean.getBoolean(SYSPROP_HTTPCLIENT_HTTPS_DISABLE_HOSTNAME_VERIFICATION)) {
>>>         ProtocolSocketFactory socketFactory =
>>>                 new TLSProtocolSocketFactory(null, null, new StrictHostnameVerifier());
>>>         Protocol.registerProtocol("https", new Protocol("https", socketFactory, 443));
>>>     }
>>> }
>>>
>>> [2]
>>> /** System property used to disable global default HTTPS hostname verification in Apache Commons HttpClient. */
>>> public static final String SYSPROP_HTTPCLIENT_HTTPS_DISABLE_HOSTNAME_VERIFICATION =
>>>         "org.opensaml.httpclient.https.disableHostnameVerification";
>>>
>>> Thanks,
>>> Harsha
>>>
>>>
>>> On Tue, Apr 5, 2016 at 5:48 PM, Nuwan Dias <nuw...@wso2.com> wrote:
>>>
>>>> IS Team,
>>>>
>>>> It looks like the TLSProtocolSocketFactory isn't honouring the HostName
>>>> verification parameter. It always tries to do the hostname verification.
>>>> Looks like buggy behaviour to me.
>>>>
>>>> This causes problems for API Manager and any other product which has a
>>>> distributed deployment (App Manager, DAS, etc.) because it prevents http
>>>> clients within our code from accessing Admin Services of remote nodes. The
>>>> http clients fail since the server cert is by default for localhost, and
>>>> whenever we try to access through IPs it fails. The only way to overcome
>>>> this is to create the proper certs and deploy them on the server, which is a
>>>> huge hassle for simple test scenarios.
>>>>
>>>> The TLSProtocolSocketFactory is being set when the SAMLBearerGrant is
>>>> being initialized. Until then things work fine. We either have to stop it
>>>> being set or use a version of opensaml which supports skipping the host
>>>> name verification (like our transports allow). Otherwise this is going to
>>>> be a huge blocker for our releases.
>>>>
>>>> Thanks,
>>>> NuwanD.
>>>>
>>>> On Thu, Mar 17, 2016 at 7:09 PM, Sam Sivayogam <s...@wso2.com> wrote:
>>>>
>>>>> Hi All,
>>>>>
>>>>> Had an offline chat with Pulasthi and got to know that in IS 5.0.8
>>>>> there was an opensaml upgrade from 2.4.1 to 2.6.4. After going through [1]
>>>>> I got to know that there is hostname verification introduced in opensaml 2.6.4
>>>>> which is not there in opensaml 2.4.1, and this is why we are getting the
>>>>> above issue after moving to carbon identity 5.0.8.
>>>>>
>>>>> We are using *CommonsHTTPTransportSender* to call the key
>>>>> manager internally, and from what I understood, if we set the
>>>>> *HostnameVerifier* parameter to *AllowAll* we should be able to get rid of this issue,
>>>>> but we are still getting this issue. Does anyone know why the HostnameVerifier
>>>>> parameter is not working as expected with CommonsHTTPTransportSender?
>>>>>
>>>>> [1]
>>>>> http://grepcode.com/file_/repo1.maven.org/maven2/org.apache.servicemix.bundles/org.apache.servicemix.bundles.opensaml/2.4.1_2/org/opensaml/ws/soap/client/http/TLSProtocolSocketFactory.java/?v=diff&id2=2.6.4_1
>>>>>
>>>>> Thanks,
>>>>>
>>>>> On Thu, Mar 17, 2016 at 11:12 AM, Sam Sivayogam <s...@wso2.com> wrote:
>>>>>
>>>>>> Hi All,
>>>>>>
>>>>>> I'm trying to upgrade APIM's Carbon kernel to 4.4.4. During the
>>>>>> kernel upgrade I also upgraded the following:
>>>>>> carbon identity from 5.0.7 to 5.0.8
>>>>>> carbon commons from 4.4.8 to 4.5.2
>>>>>> wso2 rampart from 1.6.1-wso2v16 to 1.6.1-wso2v18
>>>>>>
>>>>>> After the upgrade, when I try to generate a key from the API Store
>>>>>> I'm getting the error [1]. I was able to get rid of this issue after
>>>>>> replacing the APIKeyValidator IP with localhost in api-manager.xml.
>>>>>> Please note that this issue is occurring after the kernel upgrade;
>>>>>> before that we didn't encounter this issue. What I would like to know
>>>>>> is whether there are any changes in kernel 4.4.4 or rampart 1.6.1-wso2v18 that
>>>>>> do the hostname verification by default?
>>>>>>
>>>>>> [1] [2016-03-17 11:08:35,995]  INFO - HTTPSender Unable to sendViaPost to url[https://10.100.5.192:9443//services/APIKeyMgtSubscriberService]
>>>>>> javax.net.ssl.SSLPeerUnverifiedException: SSL peer failed hostname validation for name: 10.100.5.192
>>>>>> at org.opensaml.ws.soap.client.http.TLSProtocolSocketFactory.verifyHostname(TLSProtocolSocketFactory.java:233)
>>>>>> at org.opensaml.ws.soap.client.http.TLSProtocolSocketFactory.createSocket(TLSProtocolSocketFactory.java:194)
>>>>>> at org.apache.commons.httpclient.HttpConnection.open(HttpConnection.java:707)
>>>>>> at org.apache.commons.httpclient.MultiThreadedHttpConnectionManager$HttpConnectionAdapter.open(MultiThreadedHttpConnectionManager.java:1361)
>>>>>> at org.apache.commons.httpclient.HttpMethodDirector.executeWithRetry(HttpMethodDirector.java:387)
>>>>>> at org.apache.commons.httpclient.HttpMethodDirector.executeMethod(HttpMethodDirector.java:171)
>>>>>> at org.apache.commons.httpclient.HttpClient.executeMethod(HttpClient.java:397)
>>>>>> at org.apache.axis2.transport.http.AbstractHTTPSender.executeMethod(AbstractHTTPSender.java:632)
>>>>>> at org.apache.axis2.transport.http.HTTPSender.sendViaPost(HTTPSender.java:195)
>>>>>> at org.apache.axis2.transport.http.HTTPSender.send(HTTPSender.java:77)
>>>>>> at org.apache.axis2.transport.http.CommonsHTTPTransportSender.writeMessageWithCommons(CommonsHTTPTransportSender.java:451)
>>>>>> at org.apache.axis2.transport.http.CommonsHTTPTransportSender.invoke(CommonsHTTPTransportSender.java:278)
>>>>>> at org.apache.axis2.engine.AxisEngine.send(AxisEngine.java:442)
>>>>>> at org.apache.axis2.description.OutInAxisOperationClient.send(OutInAxisOperation.java:430)
>>>>>> at org.apache.axis2.description.OutInAxisOperationClient.executeImpl(OutInAxisOperation.java:225)
>>>>>> at org.apache.axis2.client.OperationClient.execute(OperationClient.java:149)
>>>>>> at org.wso2.carbon.apimgt.keymgt.stub.subscriber.APIKeyMgtSubscriberServiceStub.retrieveOAuthApplication(APIKeyMgtSubscriberServiceStub.java:1389)
>>>>>> at org.wso2.carbon.apimgt.keymgt.client.SubscriberKeyMgtClient.getOAuthApplication(SubscriberKeyMgtClient.java:89)
>>>>>> at org.wso2.carbon.apimgt.impl.AMDefaultKeyManagerImpl.retrieveApplication(AMDefaultKeyManagerImpl.java:224)
>>>>>> at org.wso2.carbon.apimgt.impl.dao.ApiMgtDAO.getClientOfApplication(ApiMgtDAO.java:2338)
>>>>>> at org.wso2.carbon.apimgt.impl.dao.ApiMgtDAO.getOAuthApplications(ApiMgtDAO.java:2302)
>>>>>> at org.wso2.carbon.apimgt.impl.dao.ApiMgtDAO.getApplications(ApiMgtDAO.java:4434)
>>>>>> at org.wso2.carbon.apimgt.impl.APIConsumerImpl.getApplications(APIConsumerImpl.java:2813)
>>>>>> at org.wso2.carbon.apimgt.impl.UserAwareAPIConsumer.getApplications(UserAwareAPIConsumer.java:36)
>>>>>> at org.wso2.carbon.apimgt.hostobjects.APIStoreHostObject.getAllSubscriptions(APIStoreHostObject.java:2416)
>>>>>> at org.wso2.carbon.apimgt.hostobjects.APIStoreHostObject.jsFunction_getAllSubscriptionsOfApplication(APIStoreHostObject.java:2659)
>>>>>> at sun.reflect.NativeMethodAccessorImpl.invoke0(Native Method)
>>>>>> at sun.reflect.NativeMethodAccessorImpl.invoke(NativeMethodAccessorImpl.java:57)
>>>>>> at sun.reflect.DelegatingMethodAccessorImpl.invoke(DelegatingMethodAccessorImpl.java:43)
>>>>>> at java.lang.reflect.Method.invoke(Method.java:601)
>>>>>> at org.mozilla.javascript.MemberBox.invoke(MemberBox.java:126)
>>>>>> at org.mozilla.javascript.FunctionObject.call(FunctionObject.java:386)
>>>>>> at org.mozilla.javascript.optimizer.OptRuntime.callN(OptRuntime.java:52)
>>>>>> at org.jaggeryjs.rhino.store.modules.subscription.c1._c_anonymous_2(/store/modules/subscription/list.jag:31)
>>>>>> at org.jaggeryjs.rhino.store.modules.subscription.c1.call(/store/modules/subscription/list.jag)
>>>>>> at org.mozilla.javascript.ScriptRuntime.applyOrCall(ScriptRuntime.java:2430)
>>>>>> at org.mozilla.javascript.BaseFunction.execIdCall(BaseFunction.java:269)
>>>>>> at org.mozilla.javascript.IdFunctionObject.call(IdFunctionObject.java:97)
>>>>>> at org.mozilla.javascript.optimizer.OptRuntime.call2(OptRuntime.java:42)
>>>>>> at org.jaggeryjs.rhino.store.modules.subscription.c0._c_anonymous_5(/store/modules/subscription/module.jag:19)
>>>>>>
>>>>>> Thanks,
>>>>>> Sam
>>>>>> --
>>>>>> *Sam Sivayogam*
>>>>>>
>>>>>> Software Engineer
>>>>>> Mobile  : +94 772 906 439
>>>>>> Office   : +94 112 145 345
>>>>>> *WSO2, Inc. :** wso2.com <http://wso2.com/>*
>>>>>> lean.enterprise.middleware.
>>>>>>
>>>>>
>>>>
>>>>
>>>>
>>>> --
>>>> Nuwan Dias
>>>>
>>>> Technical Lead - WSO2, Inc. http://wso2.com
>>>> email : nuw...@wso2.com
>>>> Phone : +94 777 775 729
>>>>
>>>
>>>
>>>
>>> --
>>> Harsha Kumara
>>> Software Engineer, WSO2 Inc.
>>> Mobile: +94775505618
>>> Blog:harshcreationz.blogspot.com
>>>
>>
>



-- 
Dinusha Dilrukshi
Associate Technical Lead
WSO2 Inc.: http://wso2.com/
Mobile: +94725255071
Blog: http://dinushasblog.blogspot.com/
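The thread turns on two points: whether Boolean.getBoolean actually reads the system property (it does; it is shorthand for comparing System.getProperty(name) with "true", ignoring case), and the fact that the -D flag is a JVM-wide switch that turns hostname verification off for every HTTPS connection made through the OpenSAML-registered commons-httpclient protocol, not just the key manager call that fails in the log. The Java class below is an added example, not code from the thread, from WSO2 or from OpenSAML: it reproduces the property check with the property name quoted from the OpenSAML snippet, shows which values flip it, and sketches a narrower per-host exemption for test deployments. The exempt-hosts property name and the host values are constructed for this example only.

```java
import java.util.Collections;
import java.util.LinkedHashSet;
import java.util.Set;

/**
 * Added example (not from the thread, WSO2 or OpenSAML). Demonstrates what
 * Boolean.getBoolean does with the OpenSAML property quoted in the thread and
 * a host-scoped exemption as an alternative to a global off switch.
 */
public final class HostnameVerificationPolicy {

    /** Property name exactly as in the OpenSAML snippet quoted in the thread. */
    public static final String SYSPROP_DISABLE =
            "org.opensaml.httpclient.https.disableHostnameVerification";

    /** Hypothetical property for this example only; not an OpenSAML or Carbon setting. */
    public static final String SYSPROP_EXEMPT_HOSTS =
            "example.tls.hostnameVerificationExemptHosts";

    private HostnameVerificationPolicy() { }

    /**
     * Mirrors OpenSAML's check. Boolean.getBoolean(name) is equivalent to
     * "true".equalsIgnoreCase(System.getProperty(name)), so the property is
     * looked up; only the literal value true (any case) disables verification.
     * Values such as "1" or "yes" leave verification on, the safe failure mode.
     */
    public static boolean globallyDisabled() {
        return Boolean.getBoolean(SYSPROP_DISABLE);
    }

    /** Hosts (names or IPs) a test deployment explicitly exempts, comma separated. */
    public static Set<String> exemptHosts() {
        String raw = System.getProperty(SYSPROP_EXEMPT_HOSTS, "");
        Set<String> hosts = new LinkedHashSet<>();
        for (String h : raw.split(",")) {
            String trimmed = h.trim();
            if (!trimmed.isEmpty()) {
                hosts.add(trimmed.toLowerCase());
            }
        }
        return Collections.unmodifiableSet(hosts);
    }

    /** True when the server certificate's hostname must still be verified for this peer. */
    public static boolean mustVerify(String host) {
        if (globallyDisabled()) {
            return false;
        }
        return !exemptHosts().contains(host.toLowerCase());
    }

    private static void show(String value) {
        if (value == null) {
            System.clearProperty(SYSPROP_DISABLE);
        } else {
            System.setProperty(SYSPROP_DISABLE, value);
        }
        System.out.printf("%-8s -> Boolean.getBoolean = %b%n",
                value == null ? "(unset)" : '"' + value + '"', globallyDisabled());
    }

    public static void main(String[] args) {
        // Constructed property values: only "true" (any case) flips the OpenSAML switch.
        String[] samples = { null, "true", "TRUE", "yes", "1", "false" };
        for (String v : samples) {
            show(v);
        }
        // Narrower alternative: exempt only the constructed test node 10.100.5.192
        // (the address from the thread's log) and keep verification for every other peer.
        System.clearProperty(SYSPROP_DISABLE);
        System.setProperty(SYSPROP_EXEMPT_HOSTS, "10.100.5.192");
        System.out.println("verify 10.100.5.192: " + mustVerify("10.100.5.192"));
        System.out.println("verify idp.example.org: " + mustVerify("idp.example.org"));
    }
}
```

Compile and run it with `javac HostnameVerificationPolicy.java && java HostnameVerificationPolicy`. The per-host policy is only a decision helper; wiring it into commons-httpclient would mean registering your own ProtocolSocketFactory for "https" in place of the one DefaultBootstrap installs, and the lasting fix Nuwan mentions, certificates whose subject alternative names cover the IPs or hostnames the nodes actually use, keeps verification on everywhere.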
_______________________________________________
Dev mailing list
Dev@wso2.org
http://wso2.org/cgi-bin/mailman/listinfo/dev
