Hi Dulanja,

I tested the SLO flow and it works fine.
AFAIU, the problem occurs as products try to access through IPs, acting as
a client, while the server cert is by default 'localhost'. But, in IS I
don't think we have such flows.
Therefore, for IS, I don't think we should need that system property in the
startup scripts. Instead, isn't it better if we capture this in the docs and
mention the way to disable it? For products that fail we can have this in the
startup script. WDYT?

Thanks,
Malithi.

On Mon, May 2, 2016 at 5:10 PM, Dulanja Liyanage <[email protected]> wrote:

> @IS Team, I think IS will also fail in the back channel SLO flow?
>
> IMO, we could set that system property in the startup script, but there
> should be a Production Guideline in our docs to remove that at the
> production time. WDYT?
>
>
>
> On Mon, Apr 11, 2016 at 1:41 PM, Dinusha Senanayaka <[email protected]>
> wrote:
>
>> Hi All,
>>
>> Getting the same exception in App Manager as well after updating to
>> kernel-4.4.5. What is the resolution for this? Can we continue with the
>> "-Dorg.opensaml.httpclient.https.disableHostnameVerification=true \" system
>> property in the startup script as Harsha suggested?
>>
>> Regards,
>> Dinusha.
>>
>> On Tue, Apr 5, 2016 at 7:18 PM, Harsha Kumara <[email protected]> wrote:
>>
>>> Hi IS Team,
>>>
>>> It seems that the issue got resolved with the system property. We will
>>> need to add it to our startup scripts. Any concerns on doing that?
>>>
>>> Thanks,
>>> Harsha
>>>
>>> On Tue, Apr 5, 2016 at 6:26 PM, Harsha Kumara <[email protected]> wrote:
>>>
>>>> Boolean.getBoolean performs a system property lookup. I'll try that
>>>> solution and update.
>>>>
>>>> On Tue, Apr 5, 2016 at 6:20 PM, Harsha Kumara <[email protected]> wrote:
>>>>
>>>>> I have done some analysis on this. In API Manager the initial
>>>>> functionality works fine. When the access token is generated,
>>>>> SAML2BearerGrantHandler does DefaultBootstrap.bootstrap(); in the
>>>>> opensaml library. In the new version of the opensaml library they
>>>>> perform initializeHttpClient(); [1] during the bootstrap. So the underlying
>>>>> commons http client library socket factory has changed
>>>>> from SSLProtocolSocketFactory to TLSProtocolSocketFactory.
>>>>> TLSProtocolSocketFactory performs host name verification, which causes
>>>>> this exception. Going through their code, they have tried to make this
>>>>> disableable from a System property. But the implementation is doing
>>>>> Boolean.getBoolean instead of looking it up from System.getProperty [2],
>>>>> which seems to be a bug. If this had worked, we could have set a system
>>>>> property.
>>>>>
>>>>> [1]
>>>>> /**
>>>>>  *  Initializes the Apache Commons HttpClient library.
>>>>>  */
>>>>> protected static void initializeHttpClient() {
>>>>>     if (!Boolean.getBoolean(SYSPROP_HTTPCLIENT_HTTPS_DISABLE_HOSTNAME_VERIFICATION)) {
>>>>>         ProtocolSocketFactory socketFactory =
>>>>>                 new TLSProtocolSocketFactory(null, null, new StrictHostnameVerifier());
>>>>>         Protocol.registerProtocol("https", new Protocol("https", socketFactory, 443));
>>>>>     }
>>>>> }
>>>>>
>>>>> [2]
>>>>> /** System property used to disable global default HTTPS hostname
>>>>>  *  verification in Apache Commons HttpClient. */
>>>>> public static final String SYSPROP_HTTPCLIENT_HTTPS_DISABLE_HOSTNAME_VERIFICATION =
>>>>>         "org.opensaml.httpclient.https.disableHostnameVerification";
>>>>>
>>>>> Thanks,
>>>>> Harsha
>>>>>
>>>>>
>>>>> On Tue, Apr 5, 2016 at 5:48 PM, Nuwan Dias <[email protected]> wrote:
>>>>>
>>>>>> IS Team,
>>>>>>
>>>>>> It looks like the TLSProtocolSocketFactory isn't honouring the
>>>>>> HostName verification parameter. It always tries to do the hostname
>>>>>> verification. Looks like a buggy behaviour to me.
>>>>>>
>>>>>> This causes problems for API Manager and any other product which has
>>>>>> a distributed deployment (App Manager, DAS, etc.) because it prevents http
>>>>>> clients within our code from accessing Admin Services of remote nodes. The
>>>>>> http clients fail since the server cert is by default for localhost, and
>>>>>> whenever we try to access through IPs it fails. The only way to overcome
>>>>>> this is to create the proper certs and deploy them on the server, which is
>>>>>> a huge hassle for simple test scenarios.
>>>>>>
>>>>>> The TLSProtocolSocketFactory is being set when the SAMLBearerGrant is
>>>>>> being initialized. Until then things work fine. We either have to stop it
>>>>>> being set or use a version of opensaml which supports skipping the host
>>>>>> name verification (like our transports allow). Otherwise this is going to
>>>>>> be a huge blocker for our releases.
>>>>>>
>>>>>> Thanks,
>>>>>> NuwanD.
>>>>>>
>>>>>> On Thu, Mar 17, 2016 at 7:09 PM, Sam Sivayogam <[email protected]> wrote:
>>>>>>
>>>>>>> Hi All,
>>>>>>>
>>>>>>> Had an offline chat with Pulasthi and got to know that in IS 5.0.8
>>>>>>> there was an opensaml upgrade from 2.4.1 to 2.6.4. After going through [1]
>>>>>>> I got to know that there is a hostname verification introduced in opensaml
>>>>>>> 2.6.4 which is not there in opensaml 2.4.1, and this is why we are getting
>>>>>>> the above issue after moving to carbon identity 5.0.8.
>>>>>>>
>>>>>>> We are using *CommonsHTTPTransportSender* to call the key manager
>>>>>>> internally, and from what I understood, if we set the *HostnameVerifier*
>>>>>>> parameter to *AllowAll* we should be able to get rid of this issue. But we
>>>>>>> are still getting this issue. Does anyone know why the HostnameVerifier
>>>>>>> parameter is not working as expected with CommonsHTTPTransportSender?
>>>>>>>
>>>>>>> [1]
>>>>>>> http://grepcode.com/file_/repo1.maven.org/maven2/org.apache.servicemix.bundles/org.apache.servicemix.bundles.opensaml/2.4.1_2/org/opensaml/ws/soap/client/http/TLSProtocolSocketFactory.java/?v=diff&id2=2.6.4_1
>>>>>>>
>>>>>>> Thanks,
>>>>>>>
>>>>>>> On Thu, Mar 17, 2016 at 11:12 AM, Sam Sivayogam <[email protected]>
>>>>>>> wrote:
>>>>>>>
>>>>>>>> Hi All,
>>>>>>>>
>>>>>>>> I'm trying to upgrade APIM's Carbon kernel to 4.4.4. During the
>>>>>>>> kernel upgrade I also upgraded the following:
>>>>>>>> carbon identity from 5.0.7 to 5.08
>>>>>>>> carbon commons from 4.4.8 to 4.5.2
>>>>>>>> wso2 rampart from 1.6.1-wso2v16 to 1.6.1-wso2v18
>>>>>>>>
>>>>>>>> After the upgrade, when I try to generate a key from the API Store
>>>>>>>> I'm getting the error [1]. I was able to get rid of this issue after
>>>>>>>> replacing the APIKeyValidator IP with localhost in api-manager.xml.
>>>>>>>> Please note that this issue is occurring after the kernel upgrade;
>>>>>>>> before that we didn't encounter this issue. What I would like to know is
>>>>>>>> whether there are any changes in kernel 4.4.4 or rampart 1.6.1-wso2v18
>>>>>>>> to do the hostname verification by default?
>>>>>>>>
>>>>>>>> [1] [2016-03-17 11:08:35,995]  INFO - HTTPSender Unable to sendViaPost to url[https://10.100.5.192:9443//services/APIKeyMgtSubscriberService]
>>>>>>>> javax.net.ssl.SSLPeerUnverifiedException: SSL peer failed hostname validation for name: 10.100.5.192
>>>>>>>> at org.opensaml.ws.soap.client.http.TLSProtocolSocketFactory.verifyHostname(TLSProtocolSocketFactory.java:233)
>>>>>>>> at org.opensaml.ws.soap.client.http.TLSProtocolSocketFactory.createSocket(TLSProtocolSocketFactory.java:194)
>>>>>>>> at org.apache.commons.httpclient.HttpConnection.open(HttpConnection.java:707)
>>>>>>>> at org.apache.commons.httpclient.MultiThreadedHttpConnectionManager$HttpConnectionAdapter.open(MultiThreadedHttpConnectionManager.java:1361)
>>>>>>>> at org.apache.commons.httpclient.HttpMethodDirector.executeWithRetry(HttpMethodDirector.java:387)
>>>>>>>> at org.apache.commons.httpclient.HttpMethodDirector.executeMethod(HttpMethodDirector.java:171)
>>>>>>>> at org.apache.commons.httpclient.HttpClient.executeMethod(HttpClient.java:397)
>>>>>>>> at org.apache.axis2.transport.http.AbstractHTTPSender.executeMethod(AbstractHTTPSender.java:632)
>>>>>>>> at org.apache.axis2.transport.http.HTTPSender.sendViaPost(HTTPSender.java:195)
>>>>>>>> at org.apache.axis2.transport.http.HTTPSender.send(HTTPSender.java:77)
>>>>>>>> at org.apache.axis2.transport.http.CommonsHTTPTransportSender.writeMessageWithCommons(CommonsHTTPTransportSender.java:451)
>>>>>>>> at org.apache.axis2.transport.http.CommonsHTTPTransportSender.invoke(CommonsHTTPTransportSender.java:278)
>>>>>>>> at org.apache.axis2.engine.AxisEngine.send(AxisEngine.java:442)
>>>>>>>> at org.apache.axis2.description.OutInAxisOperationClient.send(OutInAxisOperation.java:430)
>>>>>>>> at org.apache.axis2.description.OutInAxisOperationClient.executeImpl(OutInAxisOperation.java:225)
>>>>>>>> at org.apache.axis2.client.OperationClient.execute(OperationClient.java:149)
>>>>>>>> at org.wso2.carbon.apimgt.keymgt.stub.subscriber.APIKeyMgtSubscriberServiceStub.retrieveOAuthApplication(APIKeyMgtSubscriberServiceStub.java:1389)
>>>>>>>> at org.wso2.carbon.apimgt.keymgt.client.SubscriberKeyMgtClient.getOAuthApplication(SubscriberKeyMgtClient.java:89)
>>>>>>>> at org.wso2.carbon.apimgt.impl.AMDefaultKeyManagerImpl.retrieveApplication(AMDefaultKeyManagerImpl.java:224)
>>>>>>>> at org.wso2.carbon.apimgt.impl.dao.ApiMgtDAO.getClientOfApplication(ApiMgtDAO.java:2338)
>>>>>>>> at org.wso2.carbon.apimgt.impl.dao.ApiMgtDAO.getOAuthApplications(ApiMgtDAO.java:2302)
>>>>>>>> at org.wso2.carbon.apimgt.impl.dao.ApiMgtDAO.getApplications(ApiMgtDAO.java:4434)
>>>>>>>> at org.wso2.carbon.apimgt.impl.APIConsumerImpl.getApplications(APIConsumerImpl.java:2813)
>>>>>>>> at org.wso2.carbon.apimgt.impl.UserAwareAPIConsumer.getApplications(UserAwareAPIConsumer.java:36)
>>>>>>>> at org.wso2.carbon.apimgt.hostobjects.APIStoreHostObject.getAllSubscriptions(APIStoreHostObject.java:2416)
>>>>>>>> at org.wso2.carbon.apimgt.hostobjects.APIStoreHostObject.jsFunction_getAllSubscriptionsOfApplication(APIStoreHostObject.java:2659)
>>>>>>>> at sun.reflect.NativeMethodAccessorImpl.invoke0(Native Method)
>>>>>>>> at sun.reflect.NativeMethodAccessorImpl.invoke(NativeMethodAccessorImpl.java:57)
>>>>>>>> at sun.reflect.DelegatingMethodAccessorImpl.invoke(DelegatingMethodAccessorImpl.java:43)
>>>>>>>> at java.lang.reflect.Method.invoke(Method.java:601)
>>>>>>>> at org.mozilla.javascript.MemberBox.invoke(MemberBox.java:126)
>>>>>>>> at org.mozilla.javascript.FunctionObject.call(FunctionObject.java:386)
>>>>>>>> at org.mozilla.javascript.optimizer.OptRuntime.callN(OptRuntime.java:52)
>>>>>>>> at org.jaggeryjs.rhino.store.modules.subscription.c1._c_anonymous_2(/store/modules/subscription/list.jag:31)
>>>>>>>> at org.jaggeryjs.rhino.store.modules.subscription.c1.call(/store/modules/subscription/list.jag)
>>>>>>>> at org.mozilla.javascript.ScriptRuntime.applyOrCall(ScriptRuntime.java:2430)
>>>>>>>> at org.mozilla.javascript.BaseFunction.execIdCall(BaseFunction.java:269)
>>>>>>>> at org.mozilla.javascript.IdFunctionObject.call(IdFunctionObject.java:97)
>>>>>>>> at org.mozilla.javascript.optimizer.OptRuntime.call2(OptRuntime.java:42)
>>>>>>>> at org.jaggeryjs.rhino.store.modules.subscription.c0._c_anonymous_5(/store/modules/subscription/module.jag:19)
>>>>>>>>
>>>>>>>> Thanks,
>>>>>>>> Sam
>>>>>>>> --
>>>>>>>> *Sam Sivayogam*
>>>>>>>>
>>>>>>>> Software Engineer
>>>>>>>> Mobile  : +94 772 906 439
>>>>>>>> Office   : +94 112 145 345
>>>>>>>> *WSO2, Inc. :** wso2.com <http://wso2.com/>*
>>>>>>>> lean.enterprise.middleware.
>>>>>>>>
>>>>>>>
>>>>>>
>>>>>>
>>>>>>
>>>>>> --
>>>>>> Nuwan Dias
>>>>>>
>>>>>> Technical Lead - WSO2, Inc. http://wso2.com
>>>>>> email : [email protected]
>>>>>> Phone : +94 777 775 729
>>>>>>
>>>>>
>>>>>
>>>>>
>>>>> --
>>>>> Harsha Kumara
>>>>> Software Engineer, WSO2 Inc.
>>>>> Mobile: +94775505618
>>>>> Blog:harshcreationz.blogspot.com
>>>>>
>>>>
>>>>
>>>>
>>>> --
>>>> Harsha Kumara
>>>> Software Engineer, WSO2 Inc.
>>>> Mobile: +94775505618
>>>> Blog:harshcreationz.blogspot.com
>>>>
>>>
>>
>>
>>
>> --
>> Dinusha Dilrukshi
>> Associate Technical Lead
>> WSO2 Inc.: http://wso2.com/
>> Mobile: +94725255071
>> Blog: http://dinushasblog.blogspot.com/
>>
>> _______________________________________________
>> Dev mailing list
>> [email protected]
>> http://wso2.org/cgi-bin/mailman/listinfo/dev
>>
>>
>
>
> --
> Thanks & Regards,
> Dulanja Liyanage
> WSO2 Inc.
>
>


-- 

*Malithi Edirisinghe*
Senior Software Engineer
WSO2 Inc.

Mobile : +94 (0) 718176807
[email protected]
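Added example for the thread above (my own Java, not code from the opensaml library or from any WSO2 product). It demonstrates the two points the discussion turns on. First, Boolean.getBoolean(name) does read the JVM system property called name: it returns true only when that property is present and equals "true" ignoring case, so the -Dorg.opensaml.httpclient.https.disableHostnameVerification=true flag quoted in the thread is exactly what the opensaml bootstrap check accepts, while values such as "yes" or "1" are silently treated as false. Second, following the point that the bypass should not survive into production, it shows a start-up guard that logs whenever the bypass is set and refuses to start unless a marker property declares a non-production profile. The marker property name example.deployment.profile is a hypothetical placeholder for this example, not a real WSO2 or opensaml configuration key.

```java
import java.util.logging.Logger;

/**
 * Added example, not part of opensaml or any WSO2 product.
 *
 * 1. bypassRequested() mirrors the check opensaml's bootstrap performs with
 *    Boolean.getBoolean: it is a system-property lookup that is true only for
 *    the literal value "true" (case-insensitive).
 * 2. startupPermitted() is a defensive start-up guard: when the hostname
 *    verification bypass is requested, it is logged, and the JVM is refused
 *    unless a marker property says this is not a production deployment.
 */
public class HostnameVerificationGuard {

    /** Real opensaml property name quoted in the thread. */
    public static final String DISABLE_HOSTNAME_VERIFICATION =
            "org.opensaml.httpclient.https.disableHostnameVerification";

    /** Hypothetical marker property used only by this example. */
    static final String DEPLOYMENT_PROFILE = "example.deployment.profile";

    private static final Logger LOG =
            Logger.getLogger(HostnameVerificationGuard.class.getName());

    /** True only if the property exists and equals "true" ignoring case. */
    public static boolean bypassRequested() {
        return Boolean.getBoolean(DISABLE_HOSTNAME_VERIFICATION);
    }

    /**
     * Returns true when the JVM may continue starting. Hostname verification
     * left enabled is always fine; a requested bypass is tolerated (with a
     * warning) only when the deployment profile is explicitly non-production.
     */
    public static boolean startupPermitted() {
        if (!bypassRequested()) {
            return true; // verification stays on; nothing to police
        }
        // Unknown profile is treated as production: fail closed.
        String profile = System.getProperty(DEPLOYMENT_PROFILE, "production");
        if ("production".equalsIgnoreCase(profile)) {
            LOG.severe(DISABLE_HOSTNAME_VERIFICATION + "=true is set on a production "
                    + "profile; refusing to start with TLS hostname verification disabled. "
                    + "Issue server certificates whose SAN covers the host names or IPs "
                    + "that clients actually connect to.");
            return false;
        }
        LOG.warning(DISABLE_HOSTNAME_VERIFICATION + "=true: TLS hostname verification "
                + "is disabled (profile=" + profile + "). Remove this before production.");
        return true;
    }

    public static void main(String[] args) {
        // Constructed sample values to show which strings Boolean.getBoolean accepts.
        String[] values = {"true", "TRUE", "yes", "1", "false"};
        for (String v : values) {
            System.setProperty(DISABLE_HOSTNAME_VERIFICATION, v);
            System.out.printf("%-5s -> Boolean.getBoolean = %b%n", v, bypassRequested());
        }
        System.clearProperty(DISABLE_HOSTNAME_VERIFICATION);
        System.out.println("unset -> Boolean.getBoolean = " + bypassRequested());

        // Guard behaviour: bypass set with no profile marker is refused,
        // the same bypass on an explicitly non-production profile is allowed with a warning.
        System.setProperty(DISABLE_HOSTNAME_VERIFICATION, "true");
        System.out.println("production, bypass set -> startupPermitted = " + startupPermitted());
        System.setProperty(DEPLOYMENT_PROFILE, "dev");
        System.out.println("dev, bypass set        -> startupPermitted = " + startupPermitted());
    }
}
```

A guard of this shape belongs at the same point where the startup script's -D flag is consumed, so that the "remove before production" guideline proposed in the thread is enforced by the server rather than left to documentation alone; the log lines also give operations a searchable indicator that a node is running with hostname verification off.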