On Tue, May 3, 2016 at 10:34 AM, Malithi Edirisinghe <[email protected]> wrote:
> Hi Dulanja,
>
> I tested the SLO flow and it works fine.
> AFAIU, the problem occurs as products try to access through IPs, acting as
> a client, while the server cert is by default 'localhost'. But, in IS I
> don't think we have such flows.
> Therefore, for IS, I don't think we should need that system property in
> startup scripts. Instead, isn't it better if we capture this in the docs and
> mention the way to disable it? For products that fail we can have this
> in the startup script. WDYT?
>

+1. I think the scenarios where IS acts as a client are very few in IS. So we
don't need to disable it by default, but we should mention the system property
in the docs.

>
> Thanks,
> Malithi.
>
> On Mon, May 2, 2016 at 5:10 PM, Dulanja Liyanage <[email protected]> wrote:
>
>> @IS Team, I think IS will also fail in the back channel SLO flow?
>>
>> IMO, we could set that system property in the startup script, but there
>> should be a Production Guideline in our docs to remove that at the
>> production time. WDYT?
>>
>> On Mon, Apr 11, 2016 at 1:41 PM, Dinusha Senanayaka <[email protected]>
>> wrote:
>>
>>> Hi All,
>>>
>>> Getting the same exception in App Manager also after updating to
>>> kernel-4.4.5. What is the resolution for this? Can we continue with the
>>> "-Dorg.opensaml.httpclient.https.disableHostnameVerification=true \" system
>>> property in the startup script as Harsha suggested?
>>>
>>> Regards,
>>> Dinusha.
>>>
>>> On Tue, Apr 5, 2016 at 7:18 PM, Harsha Kumara <[email protected]> wrote:
>>>
>>>> Hi IS Team,
>>>>
>>>> It seems that the issue got resolved with the system property. We will
>>>> need to add it to our startup scripts. Any concerns on doing that?
>>>>
>>>> Thanks,
>>>> Harsha
>>>>
>>>> On Tue, Apr 5, 2016 at 6:26 PM, Harsha Kumara <[email protected]> wrote:
>>>>
>>>>> Boolean.getBoolean performs a system property lookup. I'll try that
>>>>> solution and update.
>>>>>
>>>>> On Tue, Apr 5, 2016 at 6:20 PM, Harsha Kumara <[email protected]>
>>>>> wrote:
>>>>>
>>>>>> I have done some analysis on this. In API Manager the initial
>>>>>> functionality works fine. When the access token is generated,
>>>>>> SAML2BearerGrantHandler does DefaultBootstrap.bootstrap(); in the
>>>>>> opensaml library. With the new version of the opensaml library they
>>>>>> perform initializeHttpClient();[1] during the bootstrap. So the underlying
>>>>>> commons http client library socket factory has changed
>>>>>> from SSLProtocolSocketFactory to TLSProtocolSocketFactory.
>>>>>> TLSProtocolSocketFactory performs host name verification, which causes
>>>>>> this exception. When going through their code, they have tried to disable
>>>>>> this from a System property. But the implementation is doing Boolean.getBoolean
>>>>>> instead of looking it up from System.getProperty[2], which seems to be a bug.
>>>>>> If this had worked, we could have set a system property.
>>>>>>
>>>>>> [1]
>>>>>>     /**
>>>>>>      * Initializes the Apache Commons HttpClient library.
>>>>>>      */
>>>>>>     protected static void initializeHttpClient() {
>>>>>>         // Strict hostname checking is registered unless the system property is "true".
>>>>>>         if (!Boolean.getBoolean(SYSPROP_HTTPCLIENT_HTTPS_DISABLE_HOSTNAME_VERIFICATION)) {
>>>>>>             ProtocolSocketFactory socketFactory =
>>>>>>                     new TLSProtocolSocketFactory(null, null, new StrictHostnameVerifier());
>>>>>>             Protocol.registerProtocol("https", new Protocol("https", socketFactory, 443));
>>>>>>         }
>>>>>>     }
>>>>>>
>>>>>> [2]
>>>>>>     /** System property used to disable global default HTTPS hostname
>>>>>>      *  verification in Apache Commons HttpClient.
>>>>>>      */
>>>>>>     public static final String SYSPROP_HTTPCLIENT_HTTPS_DISABLE_HOSTNAME_VERIFICATION =
>>>>>>             "org.opensaml.httpclient.https.disableHostnameVerification";
>>>>>>
>>>>>> Thanks,
>>>>>> Harsha
>>>>>>
>>>>>> On Tue, Apr 5, 2016 at 5:48 PM, Nuwan Dias <[email protected]> wrote:
>>>>>>
>>>>>>> IS Team,
>>>>>>>
>>>>>>> It looks like the TLSProtocolSocketFactory isn't honouring the
>>>>>>> HostName verification parameter. It always tries to do the hostname
>>>>>>> verification. Looks like a buggy behaviour to me.
>>>>>>>
>>>>>>> This causes problems for API Manager and any other product which has
>>>>>>> a distributed deployment (App Manager, DAS, etc.) because it prevents http
>>>>>>> clients within our code from accessing Admin Services of remote nodes. The
>>>>>>> http clients fail since the server cert is by default for localhost and
>>>>>>> whenever we try to access through IPs it fails. The only way to overcome
>>>>>>> this is to create the proper certs and deploy them on the server, which is a
>>>>>>> huge hassle for simple test scenarios.
>>>>>>>
>>>>>>> The TLSProtocolSocketFactory is being set when the SAMLBearerGrant
>>>>>>> is being initialized. Until then things work fine. We either have to stop
>>>>>>> it being set or use a version of opensaml which supports skipping the host
>>>>>>> name verification (like our transports allow). Otherwise this is going to
>>>>>>> be a huge blocker for our releases.
>>>>>>>
>>>>>>> Thanks,
>>>>>>> NuwanD.
>>>>>>>
>>>>>>> On Thu, Mar 17, 2016 at 7:09 PM, Sam Sivayogam <[email protected]>
>>>>>>> wrote:
>>>>>>>
>>>>>>>> Hi All,
>>>>>>>>
>>>>>>>> Had an offline chat with Pulasthi and got to know that in IS 5.0.8
>>>>>>>> there was an opensaml upgrade from 2.4.1 to 2.6.4.
>>>>>>>> After going through [1] I got
>>>>>>>> to know that there is a hostname verification introduced in opensaml 2.6.4
>>>>>>>> which is not there in opensaml 2.4.1, and this is why we are getting the
>>>>>>>> above issue after moving to carbon identity 5.0.8.
>>>>>>>>
>>>>>>>> We are using CommonsHTTPTransportSender to call the key
>>>>>>>> manager internally and from what I understood, if we set the
>>>>>>>> HostnameVerifier parameter to AllowAll we should be able to get rid of this
>>>>>>>> issue. But still we are getting this issue. Does anyone know why the
>>>>>>>> HostnameVerifier parameter is not working as expected with
>>>>>>>> CommonsHTTPTransportSender?
>>>>>>>>
>>>>>>>> [1]
>>>>>>>> http://grepcode.com/file_/repo1.maven.org/maven2/org.apache.servicemix.bundles/org.apache.servicemix.bundles.opensaml/2.4.1_2/org/opensaml/ws/soap/client/http/TLSProtocolSocketFactory.java/?v=diff&id2=2.6.4_1
>>>>>>>>
>>>>>>>> Thanks,
>>>>>>>>
>>>>>>>> On Thu, Mar 17, 2016 at 11:12 AM, Sam Sivayogam <[email protected]>
>>>>>>>> wrote:
>>>>>>>>
>>>>>>>>> Hi All,
>>>>>>>>>
>>>>>>>>> I'm trying to upgrade APIM's Carbon kernel to 4.4.4. During the
>>>>>>>>> kernel upgrade I also upgraded the following:
>>>>>>>>> carbon identity from 5.0.7 to 5.08
>>>>>>>>> carbon commons from 4.4.8 to 4.5.2
>>>>>>>>> wso2 rampart from 1.6.1-wso2v16 to 1.6.1-wso2v18
>>>>>>>>>
>>>>>>>>> After the upgrade, when I try to generate a key from the API Store
>>>>>>>>> I'm getting the error [1]. I was able to get rid of this issue after
>>>>>>>>> replacing the APIKeyValidator IP with localhost in api-manager.xml.
>>>>>>>>> Please note that this issue is occurring after the kernel upgrade;
>>>>>>>>> before that we didn't encounter this issue. What I would like to
>>>>>>>>> know is whether there are any changes in kernel 4.4.4 or rampart
>>>>>>>>> 1.6.1-wso2v18 to do the hostname verification by default?
>>>>>>>>>
>>>>>>>>> [1] [2016-03-17 11:08:35,995] INFO - HTTPSender Unable to sendViaPost to url[https://10.100.5.192:9443//services/APIKeyMgtSubscriberService]
>>>>>>>>> javax.net.ssl.SSLPeerUnverifiedException: SSL peer failed hostname validation for name: 10.100.5.192
>>>>>>>>>     at org.opensaml.ws.soap.client.http.TLSProtocolSocketFactory.verifyHostname(TLSProtocolSocketFactory.java:233)
>>>>>>>>>     at org.opensaml.ws.soap.client.http.TLSProtocolSocketFactory.createSocket(TLSProtocolSocketFactory.java:194)
>>>>>>>>>     at org.apache.commons.httpclient.HttpConnection.open(HttpConnection.java:707)
>>>>>>>>>     at org.apache.commons.httpclient.MultiThreadedHttpConnectionManager$HttpConnectionAdapter.open(MultiThreadedHttpConnectionManager.java:1361)
>>>>>>>>>     at org.apache.commons.httpclient.HttpMethodDirector.executeWithRetry(HttpMethodDirector.java:387)
>>>>>>>>>     at org.apache.commons.httpclient.HttpMethodDirector.executeMethod(HttpMethodDirector.java:171)
>>>>>>>>>     at org.apache.commons.httpclient.HttpClient.executeMethod(HttpClient.java:397)
>>>>>>>>>     at org.apache.axis2.transport.http.AbstractHTTPSender.executeMethod(AbstractHTTPSender.java:632)
>>>>>>>>>     at org.apache.axis2.transport.http.HTTPSender.sendViaPost(HTTPSender.java:195)
>>>>>>>>>     at org.apache.axis2.transport.http.HTTPSender.send(HTTPSender.java:77)
>>>>>>>>>     at org.apache.axis2.transport.http.CommonsHTTPTransportSender.writeMessageWithCommons(CommonsHTTPTransportSender.java:451)
>>>>>>>>>     at org.apache.axis2.transport.http.CommonsHTTPTransportSender.invoke(CommonsHTTPTransportSender.java:278)
>>>>>>>>>     at org.apache.axis2.engine.AxisEngine.send(AxisEngine.java:442)
>>>>>>>>>     at org.apache.axis2.description.OutInAxisOperationClient.send(OutInAxisOperation.java:430)
>>>>>>>>>     at org.apache.axis2.description.OutInAxisOperationClient.executeImpl(OutInAxisOperation.java:225)
>>>>>>>>>     at org.apache.axis2.client.OperationClient.execute(OperationClient.java:149)
>>>>>>>>>     at org.wso2.carbon.apimgt.keymgt.stub.subscriber.APIKeyMgtSubscriberServiceStub.retrieveOAuthApplication(APIKeyMgtSubscriberServiceStub.java:1389)
>>>>>>>>>     at org.wso2.carbon.apimgt.keymgt.client.SubscriberKeyMgtClient.getOAuthApplication(SubscriberKeyMgtClient.java:89)
>>>>>>>>>     at org.wso2.carbon.apimgt.impl.AMDefaultKeyManagerImpl.retrieveApplication(AMDefaultKeyManagerImpl.java:224)
>>>>>>>>>     at org.wso2.carbon.apimgt.impl.dao.ApiMgtDAO.getClientOfApplication(ApiMgtDAO.java:2338)
>>>>>>>>>     at org.wso2.carbon.apimgt.impl.dao.ApiMgtDAO.getOAuthApplications(ApiMgtDAO.java:2302)
>>>>>>>>>     at org.wso2.carbon.apimgt.impl.dao.ApiMgtDAO.getApplications(ApiMgtDAO.java:4434)
>>>>>>>>>     at org.wso2.carbon.apimgt.impl.APIConsumerImpl.getApplications(APIConsumerImpl.java:2813)
>>>>>>>>>     at org.wso2.carbon.apimgt.impl.UserAwareAPIConsumer.getApplications(UserAwareAPIConsumer.java:36)
>>>>>>>>>     at org.wso2.carbon.apimgt.hostobjects.APIStoreHostObject.getAllSubscriptions(APIStoreHostObject.java:2416)
>>>>>>>>>     at org.wso2.carbon.apimgt.hostobjects.APIStoreHostObject.jsFunction_getAllSubscriptionsOfApplication(APIStoreHostObject.java:2659)
>>>>>>>>>     at sun.reflect.NativeMethodAccessorImpl.invoke0(Native Method)
>>>>>>>>>     at sun.reflect.NativeMethodAccessorImpl.invoke(NativeMethodAccessorImpl.java:57)
>>>>>>>>>     at sun.reflect.DelegatingMethodAccessorImpl.invoke(DelegatingMethodAccessorImpl.java:43)
>>>>>>>>>     at java.lang.reflect.Method.invoke(Method.java:601)
>>>>>>>>>     at org.mozilla.javascript.MemberBox.invoke(MemberBox.java:126)
>>>>>>>>>     at org.mozilla.javascript.FunctionObject.call(FunctionObject.java:386)
>>>>>>>>>     at org.mozilla.javascript.optimizer.OptRuntime.callN(OptRuntime.java:52)
>>>>>>>>>     at org.jaggeryjs.rhino.store.modules.subscription.c1._c_anonymous_2(/store/modules/subscription/list.jag:31)
>>>>>>>>>     at org.jaggeryjs.rhino.store.modules.subscription.c1.call(/store/modules/subscription/list.jag)
>>>>>>>>>     at org.mozilla.javascript.ScriptRuntime.applyOrCall(ScriptRuntime.java:2430)
>>>>>>>>>     at org.mozilla.javascript.BaseFunction.execIdCall(BaseFunction.java:269)
>>>>>>>>>     at org.mozilla.javascript.IdFunctionObject.call(IdFunctionObject.java:97)
>>>>>>>>>     at org.mozilla.javascript.optimizer.OptRuntime.call2(OptRuntime.java:42)
>>>>>>>>>     at org.jaggeryjs.rhino.store.modules.subscription.c0._c_anonymous_5(/store/modules/subscription/module.jag:19)
>>>>>>>>>
>>>>>>>>> Thanks,
>>>>>>>>> Sam
>>>>>>>>> --
>>>>>>>>> Sam Sivayogam
>>>>>>>>>
>>>>>>>>> Software Engineer
>>>>>>>>> Mobile : +94 772 906 439
>>>>>>>>> Office : +94 112 145 345
>>>>>>>>> WSO2, Inc. : wso2.com <http://wso2.com/>
>>>>>>>>> lean.enterprise.middleware.
>>>>>>>>
>>>>>>>
>>>>>>> --
>>>>>>> Nuwan Dias
>>>>>>>
>>>>>>> Technical Lead - WSO2, Inc. http://wso2.com
>>>>>>> email : [email protected]
>>>>>>> Phone : +94 777 775 729
>>>>>>
>>>>>> --
>>>>>> Harsha Kumara
>>>>>> Software Engineer, WSO2 Inc.
>>>>>> Mobile: +94775505618
>>>>>> Blog:harshcreationz.blogspot.com
>>>>>
>>>>
>>>
>>> --
>>> Dinusha Dilrukshi
>>> Associate Technical Lead
>>> WSO2 Inc.: http://wso2.com/
>>> Mobile: +94725255071
>>> Blog: http://dinushasblog.blogspot.com/
>>>
>>> _______________________________________________
>>> Dev mailing list
>>> [email protected]
>>> http://wso2.org/cgi-bin/mailman/listinfo/dev
>>
>> --
>> Thanks & Regards,
>> Dulanja Liyanage
>> WSO2 Inc.
>
> --
> Malithi Edirisinghe
> Senior Software Engineer
> WSO2 Inc.
>
> Mobile : +94 (0) 718176807
> [email protected]

--
Thanks & Regards,
Johann Dilantha Nallathamby
Technical Lead & Product Lead of WSO2 Identity Server
Governance Technologies Team
WSO2, Inc.
lean.enterprise.middleware
Mobile - +94777776950
Blog - http://nallaa.wordpress.com
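Added example (written for this page; not code from the thread, from opensaml or from WSO2): a startup guard that reproduces the Boolean.getBoolean() decision opensaml's initializeHttpClient() makes on org.opensaml.httpclient.https.disableHostnameVerification, and enforces the production guideline Dulanja proposed by refusing to start when that flag is set on a node whose profile is production. The carbon.deployment.profile property name is an assumption for illustration only.

```java
import java.util.Locale;

/**
 * Startup guard for the opensaml hostname-verification switch discussed in this thread.
 * Mirrors the Boolean.getBoolean() semantics of opensaml's initializeHttpClient(): the
 * strict verifier is skipped only when the property value is "true" (case-insensitive);
 * values such as "yes" or "1" leave it in place. The "carbon.deployment.profile" name is an
 * assumption for illustration, not a real WSO2 or opensaml setting.
 */
public final class HostnameVerificationGuard {

    static final String DISABLE_PROP =
            "org.opensaml.httpclient.https.disableHostnameVerification";
    static final String PROFILE_PROP = "carbon.deployment.profile"; // assumed name

    /** Same decision opensaml makes: true when StrictHostnameVerifier stays registered. */
    static boolean hostnameVerificationEnabled() {
        return !Boolean.getBoolean(DISABLE_PROP);
    }

    /** Short verdict, or an exception when the toggle is set on a production-profile JVM. */
    static String check() {
        boolean enabled = hostnameVerificationEnabled();
        String profile = System.getProperty(PROFILE_PROP, "development").toLowerCase(Locale.ROOT);
        if (!enabled && "production".equals(profile)) {
            throw new IllegalStateException(DISABLE_PROP + "=true is set on a production node;"
                    + " issue server certificates whose SAN covers the node's hostname/IP"
                    + " and remove the flag from the startup script");
        }
        return enabled ? "hostname verification: ON"
                       : "hostname verification: OFF (acceptable in a test profile only)";
    }

    public static void main(String[] args) {
        // Show the exact-"true" rule that Boolean.getBoolean() imposes on the -D value.
        for (String value : new String[] {"true", "TRUE", "yes", "1", ""}) {
            System.setProperty(DISABLE_PROP, value);
            System.out.printf("-D%s=%s -> %s%n", DISABLE_PROP, value, check());
        }
        // The same flag on a node marked production is refused at startup.
        System.setProperty(PROFILE_PROP, "production");
        System.setProperty(DISABLE_PROP, "true");
        try {
            check();
        } catch (IllegalStateException e) {
            System.out.println("production guard tripped: " + e.getMessage());
        }
    }
}
```

Only "true" and "TRUE" switch verification off; "yes", "1" and an empty value keep the strict verifier, which is why a mistyped -D value in a startup script fails closed rather than open.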
