@IS Team, I think IS will also fail in the back channel SLO flow? IMO, we could set that system property in the startup script, but there should be a Production Guideline in our docs to remove that at production time. WDYT?
On Mon, Apr 11, 2016 at 1:41 PM, Dinusha Senanayaka <[email protected]> wrote:
> Hi All,
>
> Getting the same exception in App Manager also after updating to kernel-4.4.5.
> What is the resolution for this? Can we continue with the
> "-Dorg.opensaml.httpclient.https.disableHostnameVerification=true \" system
> property in the startup script as Harsha suggested?
>
> Regards,
> Dinusha.
>
> On Tue, Apr 5, 2016 at 7:18 PM, Harsha Kumara <[email protected]> wrote:
>
>> Hi IS Team,
>>
>> It seems that the issue got resolved with the system property. We will
>> need to add it to our startup scripts. Any concerns on doing that?
>>
>> Thanks,
>> Harsha
>>
>> On Tue, Apr 5, 2016 at 6:26 PM, Harsha Kumara <[email protected]> wrote:
>>
>>> Boolean.getBoolean performs a system property lookup. I'll try that
>>> solution and update.
>>>
>>> On Tue, Apr 5, 2016 at 6:20 PM, Harsha Kumara <[email protected]> wrote:
>>>
>>>> I have done some analysis on this. In API Manager the initial functionality
>>>> works fine. When the access token is generated, SAML2BearerGrantHandler
>>>> does DefaultBootstrap.bootstrap(); in the opensaml library. With the new
>>>> version of the opensaml library they perform initializeHttpClient();[1]
>>>> during the bootstrap. So the underlying commons http client library socket
>>>> factory has changed from SSLProtocolSocketFactory to TLSProtocolSocketFactory.
>>>> TLSProtocolSocketFactory performs host name verification, which causes
>>>> this exception. When going through their code, they have tried to disable
>>>> this from a System property. But the implementation is doing
>>>> Boolean.getBoolean instead of looking it up from System.getProperty[2],
>>>> which seems a bug. If this had worked, we could have set a system property.
>>>>
>>>> [1]
>>>>     /**
>>>>      * Initializes the Apache Commons HttpClient library.
>>>>      */
>>>>     protected static void initializeHttpClient() {
>>>>         if (!Boolean.getBoolean(SYSPROP_HTTPCLIENT_HTTPS_DISABLE_HOSTNAME_VERIFICATION)) {
>>>>             // Strict verifier: the peer cert must name the host that was dialled.
>>>>             ProtocolSocketFactory socketFactory =
>>>>                     new TLSProtocolSocketFactory(null, null, new StrictHostnameVerifier());
>>>>             // Protocol.registerProtocol is a static, JVM-wide registry, so this
>>>>             // replaces the "https" socket factory for every Commons HttpClient user.
>>>>             Protocol.registerProtocol("https", new Protocol("https", socketFactory, 443));
>>>>         }
>>>>     }
>>>>
>>>> [2]
>>>>     /** System property used to disable global default HTTPS hostname
>>>>      *  verification in Apache Commons HttpClient. */
>>>>     public static final String SYSPROP_HTTPCLIENT_HTTPS_DISABLE_HOSTNAME_VERIFICATION =
>>>>             "org.opensaml.httpclient.https.disableHostnameVerification";
>>>>
>>>> Thanks,
>>>> Harsha
>>>>
>>>> On Tue, Apr 5, 2016 at 5:48 PM, Nuwan Dias <[email protected]> wrote:
>>>>
>>>>> IS Team,
>>>>>
>>>>> It looks like the TLSProtocolSocketFactory isn't honouring the
>>>>> HostName verification parameter. It always tries to do the hostname
>>>>> verification. Looks like buggy behaviour to me.
>>>>>
>>>>> This causes problems for API Manager and any other product which has a
>>>>> distributed deployment (App Manager, DAS, etc.) because it prevents http
>>>>> clients within our code from accessing Admin Services of remote nodes. The
>>>>> http clients fail since the server cert is by default for localhost, and
>>>>> whenever we try to access through IPs it fails. The only way to overcome
>>>>> this is to create the proper certs and deploy them on the server, which is a
>>>>> huge hassle for simple test scenarios.
>>>>>
>>>>> The TLSProtocolSocketFactory is being set when the SAMLBearerGrant is
>>>>> being initialized. Until then things work fine. We either have to stop it
>>>>> being set or use a version of opensaml which supports skipping the host
>>>>> name verification (like our transports allow). Otherwise this is going to
>>>>> be a huge blocker for our releases.
>>>>>
>>>>> Thanks,
>>>>> NuwanD.
>>>>>
>>>>> On Thu, Mar 17, 2016 at 7:09 PM, Sam Sivayogam <[email protected]> wrote:
>>>>>
>>>>>> Hi All,
>>>>>>
>>>>>> Had an offline chat with Pulasthi and got to know that in IS 5.0.8
>>>>>> there was an opensaml upgrade from 2.4.1 to 2.6.4. After going through [1]
>>>>>> I got to know that there is a hostname verification introduced in opensaml
>>>>>> 2.6.4 which is not there in opensaml 2.4.1, and this is why we are getting
>>>>>> the above issue after moving to carbon identity 5.0.8.
>>>>>>
>>>>>> We are using *CommonsHTTPTransportSender* to call the key
>>>>>> manager internally, and from what I understood if we set the
>>>>>> *HostnameVerifier* parameter to *AllowAll* we should be able to get rid of
>>>>>> this issue, but we are still getting it. Does anyone know why the
>>>>>> HostnameVerifier parameter is not working as expected with
>>>>>> CommonsHTTPTransportSender?
>>>>>>
>>>>>> [1]
>>>>>> http://grepcode.com/file_/repo1.maven.org/maven2/org.apache.servicemix.bundles/org.apache.servicemix.bundles.opensaml/2.4.1_2/org/opensaml/ws/soap/client/http/TLSProtocolSocketFactory.java/?v=diff&id2=2.6.4_1
>>>>>>
>>>>>> Thanks,
>>>>>>
>>>>>> On Thu, Mar 17, 2016 at 11:12 AM, Sam Sivayogam <[email protected]> wrote:
>>>>>>
>>>>>>> Hi All,
>>>>>>>
>>>>>>> I'm trying to upgrade APIM's Carbon kernel to 4.4.4. During the
>>>>>>> kernel upgrade I also upgraded the following:
>>>>>>> carbon identity from 5.0.7 to 5.0.8
>>>>>>> carbon commons from 4.4.8 to 4.5.2
>>>>>>> wso2 rampart from 1.6.1-wso2v16 to 1.6.1-wso2v18
>>>>>>>
>>>>>>> After the upgrade, when I try to generate a key from the API Store
>>>>>>> I'm getting the error [1]. I was able to get rid of this issue after
>>>>>>> replacing the APIKeyValidator IP with localhost in api-manager.xml.
>>>>>>> Please note that this issue is occurring after the kernel upgrade;
>>>>>>> before that we didn't encounter this issue. What I would like to know
>>>>>>> is whether there are any changes in kernel 4.4.4 or rampart 1.6.1-wso2v18
>>>>>>> to do the hostname verification by default?
>>>>>>>
>>>>>>> [1] [2016-03-17 11:08:35,995]  INFO - HTTPSender Unable to sendViaPost to url[https://10.100.5.192:9443//services/APIKeyMgtSubscriberService]
>>>>>>> javax.net.ssl.SSLPeerUnverifiedException: SSL peer failed hostname validation for name: 10.100.5.192
>>>>>>>     at org.opensaml.ws.soap.client.http.TLSProtocolSocketFactory.verifyHostname(TLSProtocolSocketFactory.java:233)
>>>>>>>     at org.opensaml.ws.soap.client.http.TLSProtocolSocketFactory.createSocket(TLSProtocolSocketFactory.java:194)
>>>>>>>     at org.apache.commons.httpclient.HttpConnection.open(HttpConnection.java:707)
>>>>>>>     at org.apache.commons.httpclient.MultiThreadedHttpConnectionManager$HttpConnectionAdapter.open(MultiThreadedHttpConnectionManager.java:1361)
>>>>>>>     at org.apache.commons.httpclient.HttpMethodDirector.executeWithRetry(HttpMethodDirector.java:387)
>>>>>>>     at org.apache.commons.httpclient.HttpMethodDirector.executeMethod(HttpMethodDirector.java:171)
>>>>>>>     at org.apache.commons.httpclient.HttpClient.executeMethod(HttpClient.java:397)
>>>>>>>     at org.apache.axis2.transport.http.AbstractHTTPSender.executeMethod(AbstractHTTPSender.java:632)
>>>>>>>     at org.apache.axis2.transport.http.HTTPSender.sendViaPost(HTTPSender.java:195)
>>>>>>>     at org.apache.axis2.transport.http.HTTPSender.send(HTTPSender.java:77)
>>>>>>>     at org.apache.axis2.transport.http.CommonsHTTPTransportSender.writeMessageWithCommons(CommonsHTTPTransportSender.java:451)
>>>>>>>     at org.apache.axis2.transport.http.CommonsHTTPTransportSender.invoke(CommonsHTTPTransportSender.java:278)
>>>>>>>     at org.apache.axis2.engine.AxisEngine.send(AxisEngine.java:442)
>>>>>>>     at org.apache.axis2.description.OutInAxisOperationClient.send(OutInAxisOperation.java:430)
>>>>>>>     at org.apache.axis2.description.OutInAxisOperationClient.executeImpl(OutInAxisOperation.java:225)
>>>>>>>     at org.apache.axis2.client.OperationClient.execute(OperationClient.java:149)
>>>>>>>     at org.wso2.carbon.apimgt.keymgt.stub.subscriber.APIKeyMgtSubscriberServiceStub.retrieveOAuthApplication(APIKeyMgtSubscriberServiceStub.java:1389)
>>>>>>>     at org.wso2.carbon.apimgt.keymgt.client.SubscriberKeyMgtClient.getOAuthApplication(SubscriberKeyMgtClient.java:89)
>>>>>>>     at org.wso2.carbon.apimgt.impl.AMDefaultKeyManagerImpl.retrieveApplication(AMDefaultKeyManagerImpl.java:224)
>>>>>>>     at org.wso2.carbon.apimgt.impl.dao.ApiMgtDAO.getClientOfApplication(ApiMgtDAO.java:2338)
>>>>>>>     at org.wso2.carbon.apimgt.impl.dao.ApiMgtDAO.getOAuthApplications(ApiMgtDAO.java:2302)
>>>>>>>     at org.wso2.carbon.apimgt.impl.dao.ApiMgtDAO.getApplications(ApiMgtDAO.java:4434)
>>>>>>>     at org.wso2.carbon.apimgt.impl.APIConsumerImpl.getApplications(APIConsumerImpl.java:2813)
>>>>>>>     at org.wso2.carbon.apimgt.impl.UserAwareAPIConsumer.getApplications(UserAwareAPIConsumer.java:36)
>>>>>>>     at org.wso2.carbon.apimgt.hostobjects.APIStoreHostObject.getAllSubscriptions(APIStoreHostObject.java:2416)
>>>>>>>     at org.wso2.carbon.apimgt.hostobjects.APIStoreHostObject.jsFunction_getAllSubscriptionsOfApplication(APIStoreHostObject.java:2659)
>>>>>>>     at sun.reflect.NativeMethodAccessorImpl.invoke0(Native Method)
>>>>>>>     at sun.reflect.NativeMethodAccessorImpl.invoke(NativeMethodAccessorImpl.java:57)
>>>>>>>     at sun.reflect.DelegatingMethodAccessorImpl.invoke(DelegatingMethodAccessorImpl.java:43)
>>>>>>>     at java.lang.reflect.Method.invoke(Method.java:601)
>>>>>>>     at org.mozilla.javascript.MemberBox.invoke(MemberBox.java:126)
>>>>>>>     at org.mozilla.javascript.FunctionObject.call(FunctionObject.java:386)
>>>>>>>     at org.mozilla.javascript.optimizer.OptRuntime.callN(OptRuntime.java:52)
>>>>>>>     at org.jaggeryjs.rhino.store.modules.subscription.c1._c_anonymous_2(/store/modules/subscription/list.jag:31)
>>>>>>>     at org.jaggeryjs.rhino.store.modules.subscription.c1.call(/store/modules/subscription/list.jag)
>>>>>>>     at org.mozilla.javascript.ScriptRuntime.applyOrCall(ScriptRuntime.java:2430)
>>>>>>>     at org.mozilla.javascript.BaseFunction.execIdCall(BaseFunction.java:269)
>>>>>>>     at org.mozilla.javascript.IdFunctionObject.call(IdFunctionObject.java:97)
>>>>>>>     at org.mozilla.javascript.optimizer.OptRuntime.call2(OptRuntime.java:42)
>>>>>>>     at org.jaggeryjs.rhino.store.modules.subscription.c0._c_anonymous_5(/store/modules/subscription/module.jag:19)
>>>>>>>
>>>>>>> Thanks,
>>>>>>> Sam
>>>>>>> --
>>>>>>> *Sam Sivayogam*
>>>>>>>
>>>>>>> Software Engineer
>>>>>>> Mobile : +94 772 906 439
>>>>>>> Office : +94 112 145 345
>>>>>>> *WSO2, Inc. :* wso2.com <http://wso2.com/>
>>>>>>> lean.enterprise.middleware.
>>>>>>
>>>>>
>>>>> --
>>>>> Nuwan Dias
>>>>>
>>>>> Technical Lead - WSO2, Inc. http://wso2.com
>>>>> email : [email protected]
>>>>> Phone : +94 777 775 729
>>>>
>>>> --
>>>> Harsha Kumara
>>>> Software Engineer, WSO2 Inc.
>>>> Mobile: +94775505618
>>>> Blog: harshcreationz.blogspot.com
>>>
>>
>
> --
> Dinusha Dilrukshi
> Associate Technical Lead
> WSO2 Inc.: http://wso2.com/
> Mobile: +94725255071
> Blog: http://dinushasblog.blogspot.com/
>
> _______________________________________________
> Dev mailing list
> [email protected]
> http://wso2.org/cgi-bin/mailman/listinfo/dev
>

--
Thanks & Regards,
Dulanja Liyanage
WSO2 Inc.
_______________________________________________
Dev mailing list
[email protected]
http://wso2.org/cgi-bin/mailman/listinfo/dev
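The check the thread is fighting, as an added example that is not part of the thread and not WSO2 or opensaml code. The stack in the thread is Java, but the JDK cannot mint a test certificate without third-party libraries, so the check is shown in Go, whose VerifyHostname applies the RFC 6125 rules that a strict verifier such as opensaml's StrictHostnameVerifier enforces (Go never falls back to the CN; older Java verifiers still do). Everything below is constructed test data: the certificates are generated in memory, "localhost" mirrors the default Carbon keystore cert described in the thread, and 10.100.5.192 is reused from the quoted log as the address the client dials. Note that Boolean.getBoolean(name) does read the system property name and returns true when its value is "true", which is why the -D flag in the thread works; what it does is switch the registered https Protocol, JVM-wide, to a factory that never performs this check.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/x509"
	"crypto/x509/pkix"
	"fmt"
	"math/big"
	"net"
	"time"
)

// mintCert builds a throwaway self-signed server certificate for the demo.
// Constructed test data, not a WSO2 keystore: cn is the subject CN, dnsNames
// and ips fill the subjectAltName extension.
func mintCert(cn string, dnsNames []string, ips []net.IP) (*x509.Certificate, error) {
	key, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil {
		return nil, err
	}
	tmpl := &x509.Certificate{
		SerialNumber: big.NewInt(1),
		Subject:      pkix.Name{CommonName: cn},
		NotBefore:    time.Now().Add(-time.Hour),
		NotAfter:     time.Now().Add(24 * time.Hour),
		KeyUsage:     x509.KeyUsageDigitalSignature,
		ExtKeyUsage:  []x509.ExtKeyUsage{x509.ExtKeyUsageServerAuth},
		DNSNames:     dnsNames,
		IPAddresses:  ips,
	}
	der, err := x509.CreateCertificate(rand.Reader, tmpl, tmpl, &key.PublicKey, key)
	if err != nil {
		return nil, err
	}
	return x509.ParseCertificate(der)
}

// HostnameMatches is the step a strict verifier runs after the TLS handshake:
// does the presented certificate name the host the client dialled? Go's
// VerifyHostname applies RFC 6125: an IP literal must appear as an iPAddress
// SAN, a DNS name must match a dNSName SAN (wildcard only in the left-most
// label). The subject CN is not consulted at all.
func HostnameMatches(cert *x509.Certificate, host string) bool {
	return cert.VerifyHostname(host) == nil
}

// Report summarises what a client dialling each address would see for a cert.
func Report(cert *x509.Certificate, hosts ...string) map[string]bool {
	out := make(map[string]bool, len(hosts))
	for _, h := range hosts {
		out[h] = HostnameMatches(cert, h)
	}
	return out
}

func main() {
	// The thread's starting point: the node's cert names only localhost, but
	// api-manager.xml points at the key manager by IP.
	localOnly, err := mintCert("localhost", []string{"localhost"}, nil)
	if err != nil {
		panic(err)
	}
	fmt.Println("localhost-only cert:", Report(localOnly, "localhost", "10.100.5.192"))

	// The fix that keeps verification switched on: reissue the cert with the
	// address the peers actually dial as a SAN entry.
	withIP, err := mintCert("localhost", []string{"localhost"},
		[]net.IP{net.ParseIP("10.100.5.192")})
	if err != nil {
		panic(err)
	}
	fmt.Println("cert with IP SAN:   ", Report(withIP, "localhost", "10.100.5.192"))
}
```

The first report shows exactly the quoted failure (10.100.5.192 does not match a localhost-only cert) and the second shows why replacing the IP with localhost in api-manager.xml made it go away. The production-grade counterpart of the second cert is a keystore entry issued with a SAN that lists the dialled address, for example keytool's `-ext SAN=dns:localhost,ip:10.100.5.192`, which is the check the startup-script property removes; because the property drives a JVM-wide Protocol.registerProtocol, it disables hostname verification for every Commons HttpClient HTTPS call in the process, not just the SAML bearer grant path, so a node reachable by an attacker on the network path can be impersonated with any certificate the trust store accepts.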
