Hi Nuwan,

With the earlier packs we used the default values for the <PolicyDeployer> config in api-manager.xml and we didn't encounter this issue. Have there been any changes that might have made this configuration relevant to RC4? As of now we are using the default values. Do we have to update it?
Thanks,

On Wed, Jul 27, 2016 at 7:21 PM, Kavitha Subramaniyam <[email protected]> wrote:

> Hi Nuwan,
>
> I have checked the <PolicyDeployer> config in api-mgt.xml and it is a default config for all nodes. I don't understand why this is looking for the server certificate though I have added the cert itself to the relevant node (publisher cert added to publisher's key store too).
>
> @Amila, I have done setting the BlockCondition element to false on the other nodes and now I can't see the above error in both Publisher & Store nodes. But anyway it is a need to fix this issue on GW nodes. I'm attaching the conf and key store/certs of one of the GW nodes herewith. Please have a look..
>
> Thanks,
> Kavitha
>
> On Wed, Jul 27, 2016 at 4:38 PM, Amila De Silva <[email protected]> wrote:
>
>> Hi Kavitha,
>>
>> KeyTemplate Retriever only needs to run on GW nodes. You can disable this on other nodes by setting the BlockCondition element to false.
>> For retrieving KeyTemplates, the retriever uses the URL of the KM to call the endpoint. One reason for this error occurring could be not having the certs of the Nginx in the client-truststore.
>> Can you also share the Key Stores/Certs and the configurations?
>>
>> On Wed, Jul 27, 2016 at 4:06 PM, Kavitha Subramaniyam <[email protected]> wrote:
>>
>>> Hi apim team,
>>>
>>> I'm getting a certification issue [1] in cluster nodes (every node: publisher, store, gateway) which are configured with the APIM 2.0.0 RC4 pack. I have imported all relevant certs to the keystore properly as per the below steps:
>>> - Created certs in nginx and copied to /etc/nginx/ssl
>>> - Updated relevant conf in /etc/nginx/conf.d
>>> - Copied those certs in to each node respectively under /repository/resources/security
>>> - Imported certs to client-truststore.jks using the below command
>>>
>>> keytool -import -alias apimpublisher -file apimpublisher.crt -keystore client-truststore.jks
>>>
>>> Cluster details: clustered following the doc [2]
>>> 1 Publisher, 2 Store, 2 gateway workers and 2 IS keymanager nodes fronted by nginx
>>>
>>> Further I tried this also: added the certificate for apim to the keystore of the Java in use as below and checked it; *but the issue is still there*.
>>>
>>> keytool -export -alias wso2carbon -keystore <APIM_HOME>/repository/resources/security/wso2carbon.jks -storepass wso2carbon -file mycert.pem
>>> keytool -import -trustcacerts -file mycert.pem -alias wso2carbon -keystore $JAVA_HOME/jre/lib/security/cacerts
>>>
>>> Observed the below Warn and Error on server startup. Please see the attached log from the publisher node (server startup with -Djavax.net.debug=all).
>>>
>>> Could you please have a look into this and give your feedback?
>>>
>>> [1]
>>>
>>> TID: [-1] [] [2016-07-27 10:14:50,813] WARN {org.wso2.carbon.apimgt.gateway.throttling.util.KeyTemplateRetriever} - Failed retrieving throttling data from remote endpoint: sun.security.validator.ValidatorException: PKIX path building failed: sun.security.provider.certpath.SunCertPathBuilderException: unable to find valid certification path to requested target. Retrying after 15 seconds... {org.wso2.carbon.apimgt.gateway.throttling.util.KeyTemplateRetriever}
>>> TID: [-1] [] [2016-07-27 10:15:05,854] ERROR {org.wso2.carbon.apimgt.gateway.throttling.util.KeyTemplateRetriever} - Exception when retrieving throttling data from remote endpoint {org.wso2.carbon.apimgt.gateway.throttling.util.KeyTemplateRetriever}
>>> javax.net.ssl.SSLHandshakeException: sun.security.validator.ValidatorException: PKIX path building failed: sun.security.provider.certpath.SunCertPathBuilderException: unable to find valid certification path to requested target
>>> at sun.security.ssl.Alerts.getSSLException(Alerts.java:192)
>>> at sun.security.ssl.SSLSocketImpl.fatal(SSLSocketImpl.java:1949)
>>> at sun.security.ssl.Handshaker.fatalSE(Handshaker.java:302)
>>> at sun.security.ssl.Handshaker.fatalSE(Handshaker.java:296)
>>> at sun.security.ssl.ClientHandshaker.serverCertificate(ClientHandshaker.java:1509)
>>> at sun.security.ssl.ClientHandshaker.processMessage(ClientHandshaker.java:216)
>>> at sun.security.ssl.Handshaker.processLoop(Handshaker.java:979)
>>> at sun.security.ssl.Handshaker.process_record(Handshaker.java:914)
>>> at sun.security.ssl.SSLSocketImpl.readRecord(SSLSocketImpl.java:1062)
>>> at sun.security.ssl.SSLSocketImpl.performInitialHandshake(SSLSocketImpl.java:1375)
>>> at sun.security.ssl.SSLSocketImpl.startHandshake(SSLSocketImpl.java:1403)
>>> at sun.security.ssl.SSLSocketImpl.startHandshake(SSLSocketImpl.java:1387)
>>> at org.apache.http.conn.ssl.SSLSocketFactory.connectSocket(SSLSocketFactory.java:533)
>>> at org.apache.http.conn.ssl.SSLSocketFactory.connectSocket(SSLSocketFactory.java:401)
>>> at org.apache.http.impl.conn.DefaultClientConnectionOperator.openConnection(DefaultClientConnectionOperator.java:178)
>>> at org.apache.http.impl.conn.AbstractPoolEntry.open(AbstractPoolEntry.java:144)
>>> at org.apache.http.impl.conn.AbstractPooledConnAdapter.open(AbstractPooledConnAdapter.java:131)
>>> at org.apache.http.impl.client.DefaultRequestDirector.tryConnect(DefaultRequestDirector.java:610)
>>> at org.apache.http.impl.client.DefaultRequestDirector.execute(DefaultRequestDirector.java:445)
>>> at org.apache.http.impl.client.AbstractHttpClient.doExecute(AbstractHttpClient.java:863)
>>> at org.apache.http.impl.client.CloseableHttpClient.execute(CloseableHttpClient.java:82)
>>> at org.apache.http.impl.client.CloseableHttpClient.execute(CloseableHttpClient.java:106)
>>> at org.apache.http.impl.client.CloseableHttpClient.execute(CloseableHttpClient.java:57)
>>> at org.wso2.carbon.apimgt.gateway.throttling.util.KeyTemplateRetriever.retrieveKeyTemplateData(KeyTemplateRetriever.java:83)
>>> at org.wso2.carbon.apimgt.gateway.throttling.util.KeyTemplateRetriever.loadKeyTemplatesFromWebService(KeyTemplateRetriever.java:111)
>>> at org.wso2.carbon.apimgt.gateway.throttling.util.KeyTemplateRetriever.run(KeyTemplateRetriever.java:54)
>>> at java.util.TimerThread.mainLoop(Timer.java:555)
>>> at java.util.TimerThread.run(Timer.java:505)
>>> Caused by: sun.security.validator.ValidatorException: PKIX path building failed: sun.security.provider.certpath.SunCertPathBuilderException: unable to find valid certification path to requested target
>>> at sun.security.validator.PKIXValidator.doBuild(PKIXValidator.java:387)
>>> at sun.security.validator.PKIXValidator.engineValidate(PKIXValidator.java:292)
>>> at sun.security.validator.Validator.validate(Validator.java:260)
>>> at sun.security.ssl.X509TrustManagerImpl.validate(X509TrustManagerImpl.java:324)
>>> at sun.security.ssl.X509TrustManagerImpl.checkTrusted(X509TrustManagerImpl.java:229)
>>> at sun.security.ssl.X509TrustManagerImpl.checkServerTrusted(X509TrustManagerImpl.java:124)
>>> at sun.security.ssl.ClientHandshaker.serverCertificate(ClientHandshaker.java:1491)
>>> ... 23 more
>>> Caused by: sun.security.provider.certpath.SunCertPathBuilderException: unable to find valid certification path to requested target
>>> at sun.security.provider.certpath.SunCertPathBuilder.build(SunCertPathBuilder.java:141)
>>> at sun.security.provider.certpath.SunCertPathBuilder.engineBuild(SunCertPathBuilder.java:126)
>>> at java.security.cert.CertPathBuilder.build(CertPathBuilder.java:280)
>>> at sun.security.validator.PKIXValidator.doBuild(PKIXValidator.java:382)
>>> ... 29 more
>>>
>>> [2] https://docs.wso2.com/display/CLUSTER44x/Clustering+API+Manager+1.10.0
>>>
>>> --
>>> Kavitha.S
>>> *Software Engineer -QA*
>>> Mobile : +94 (0) 771538811
>>> [email protected]
>>
>> --
>> *Amila De Silva*
>>
>> WSO2 Inc.
>> mobile :(+94) 775119302

--
Kavitha.S
*Software Engineer -QA*
Mobile : +94 (0) 771538811
[email protected]
_______________________________________________
Dev mailing list
[email protected]
http://wso2.org/cgi-bin/mailman/listinfo/dev
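The "PKIX path building failed" lines in the thread are the JSSE client (here the KeyTemplateRetriever timer thread) saying that nothing in its truststore chains to the certificate the remote endpoint presented, which is why importing the node's own certificate does not help. As an added example, not code from the thread or from WSO2, the script below parses WSO2 Carbon log lines in the format shown above, groups each TID line with its stack trace, and reports per logger which TLS failure class occurred and whether the component is stuck in a retry loop; it also recognises the hostname-mismatch and peer-alert JSSE messages, which are assumptions beyond this thread. The sample log is constructed from the lines in the thread.

```python
import re
from collections import Counter, defaultdict

# WSO2 Carbon log layout: TID: [tenant] [] [timestamp] LEVEL {logger} - message
LOG_RE = re.compile(
    r"^TID: \[(?P<tid>-?\d+)\] \[\] \[(?P<ts>[^\]]+)\]\s+(?P<level>[A-Z]+)\s+"
    r"\{(?P<logger>[^}]+)\}\s+-\s+(?P<msg>.*)$"
)

# JSSE failure signatures and what they mean for the client-side truststore.
# Only the first two appear in the thread; the others are assumed common cases.
CAUSES = [
    ("missing_trust_anchor", "PKIX path building failed"),
    ("missing_trust_anchor", "unable to find valid certification path"),
    ("hostname_mismatch", "No subject alternative"),
    ("handshake_rejected_by_peer", "Received fatal alert"),
]

# Constructed sample modelled on the publisher-node log quoted in the thread.
SAMPLE_LOG = """\
TID: [-1] [] [2016-07-27 10:14:50,813]  WARN {org.wso2.carbon.apimgt.gateway.throttling.util.KeyTemplateRetriever} -  Failed retrieving throttling data from remote endpoint: sun.security.validator.ValidatorException: PKIX path building failed: sun.security.provider.certpath.SunCertPathBuilderException: unable to find valid certification path to requested target. Retrying after 15 seconds... {org.wso2.carbon.apimgt.gateway.throttling.util.KeyTemplateRetriever}
TID: [-1] [] [2016-07-27 10:15:05,854] ERROR {org.wso2.carbon.apimgt.gateway.throttling.util.KeyTemplateRetriever} -  Exception when retrieving throttling data from remote endpoint {org.wso2.carbon.apimgt.gateway.throttling.util.KeyTemplateRetriever}
javax.net.ssl.SSLHandshakeException: sun.security.validator.ValidatorException: PKIX path building failed: sun.security.provider.certpath.SunCertPathBuilderException: unable to find valid certification path to requested target
\tat sun.security.ssl.Alerts.getSSLException(Alerts.java:192)
TID: [-1] [] [2016-07-27 10:15:06,001]  INFO {org.wso2.carbon.core.internal.StartupFinalizerServiceComponent} -  Server started in 41 sec
"""

def parse_carbon_log(text):
    """Group each TID line with the stack-trace lines that follow it."""
    records = []
    for line in text.splitlines():
        m = LOG_RE.match(line)
        if m:
            records.append({**m.groupdict(), "trace": []})
        elif records:  # continuation line belongs to the previous record
            records[-1]["trace"].append(line.strip())
    return records

def classify_tls_failure(rec):
    """Return the first matching cause, or None when the record is not a TLS failure."""
    haystack = " ".join([rec["msg"], *rec["trace"]])
    return next((c for c, needle in CAUSES if needle in haystack), None)

def triage(text):
    """Count TLS failure causes per logger and flag loggers that keep retrying."""
    report = defaultdict(lambda: {"causes": Counter(), "retrying": False})
    for rec in parse_carbon_log(text):
        cause = classify_tls_failure(rec)
        if cause is None:
            continue
        entry = report[rec["logger"]]
        entry["causes"][cause] += 1
        entry["retrying"] |= "Retrying after" in rec["msg"]
    return dict(report)
```

A logger with only `missing_trust_anchor` hits points at the client-truststore.jks of the node whose log it is, not at its keystore: the certificate to import is the one the KM endpoint (the nginx front in this setup) presents.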
