Hi ESB team,

I have observed the following behaviour when invoking a secure proxy in a
clustered setup which calls an external http endpoint [1] with ESB 5.0.0
(tested with RC1). Could you please tell me whether this behaviour is correct,
or whether there are any alternative methods?

I have a secure proxy in my ESB cluster where it calls an external https
endpoint [1]. When I invoked this in a single node in my local machine, it
returned the response as expected. When I created the same secure proxy in
a Cluster, I received this error [2]. I was able to get rid of this error
by adding the certificate of the endpoint to client-truststore.jks file of
each ESB node of the cluster.

My question is: is this behaviour correct? Do we always have to add the
https endpoint's certificate every time we need to use an external endpoint
in a secure proxy? Or is there another approach where we don't have to add
the keys to client-truststore.jks and restart the ESB nodes? This might not
be convenient if we have a lot of https endpoints being called via a secure
proxy in ESB. Can you please advise?

Thanks!

[1] https://demo5224632.mockable.io/test123

[2] Exception in ESB worker node:

TID: [-1] [] [2016-08-04 05:34:33,682] DEBUG
{org.apache.synapse.transport.http.wire} -  HTTPS-Listener I/O dispatcher-1
>> "GET /services/SecureP1 HTTP/1.1[\r][\n]"
{org.apache.synapse.transport.http.wire}
TID: [-1] [] [2016-08-04 05:34:33,683] DEBUG
{org.apache.synapse.transport.http.wire} -  HTTPS-Listener I/O dispatcher-1
>> "X-Forwarded-Host: wrk.esb500.wso2.com[\r][\n]"
{org.apache.synapse.transport.http.wire}
TID: [-1] [] [2016-08-04 05:34:33,683] DEBUG
{org.apache.synapse.transport.http.wire} -  HTTPS-Listener I/O dispatcher-1
>> "X-Forwarded-Server: wrk.esb500.wso2.com[\r][\n]"
{org.apache.synapse.transport.http.wire}
TID: [-1] [] [2016-08-04 05:34:33,683] DEBUG
{org.apache.synapse.transport.http.wire} -  HTTPS-Listener I/O dispatcher-1
>> "X-Forwarded-For: 10.100.7.95[\r][\n]"
{org.apache.synapse.transport.http.wire}
TID: [-1] [] [2016-08-04 05:34:33,683] DEBUG
{org.apache.synapse.transport.http.wire} -  HTTPS-Listener I/O dispatcher-1
>> "Connection: upgrade[\r][\n]" {org.apache.synapse.transport.http.wire}
TID: [-1] [] [2016-08-04 05:34:33,683] DEBUG
{org.apache.synapse.transport.http.wire} -  HTTPS-Listener I/O dispatcher-1
>> "Host: ssl.esb500.com[\r][\n]" {org.apache.synapse.transport.http.wire}
TID: [-1] [] [2016-08-04 05:34:33,684] DEBUG
{org.apache.synapse.transport.http.wire} -  HTTPS-Listener I/O dispatcher-1
>> "Authorization: Basic YWRtaW5lc2I1MDA6ZXNiNTAwQERhcw==[\r][\n]"
{org.apache.synapse.transport.http.wire}
TID: [-1] [] [2016-08-04 05:34:33,684] DEBUG
{org.apache.synapse.transport.http.wire} -  HTTPS-Listener I/O dispatcher-1
>> "Cache-Control: no-cache[\r][\n]"
{org.apache.synapse.transport.http.wire}
TID: [-1] [] [2016-08-04 05:34:33,684] DEBUG
{org.apache.synapse.transport.http.wire} -  HTTPS-Listener I/O dispatcher-1
>> "User-Agent: Mozilla/5.0 (X11; Linux x86_64) AppleWebKit/537.36 (KHTML,
like Gecko) Chrome/48.0.2564.116 Safari/537.36[\r][\n]"
{org.apache.synapse.transport.http.wire}
TID: [-1] [] [2016-08-04 05:34:33,684] DEBUG
{org.apache.synapse.transport.http.wire} -  HTTPS-Listener I/O dispatcher-1
>> "Postman-Token: 60dc8ef4-36b0-03bd-5841-7efad2189071[\r][\n]"
{org.apache.synapse.transport.http.wire}
TID: [-1] [] [2016-08-04 05:34:33,684] DEBUG
{org.apache.synapse.transport.http.wire} -  HTTPS-Listener I/O dispatcher-1
>> "Accept: */*[\r][\n]" {org.apache.synapse.transport.http.wire}
TID: [-1] [] [2016-08-04 05:34:33,685] DEBUG
{org.apache.synapse.transport.http.wire} -  HTTPS-Listener I/O dispatcher-1
>> "Accept-Encoding: gzip, deflate, sdch[\r][\n]"
{org.apache.synapse.transport.http.wire}
TID: [-1] [] [2016-08-04 05:34:33,685] DEBUG
{org.apache.synapse.transport.http.wire} -  HTTPS-Listener I/O dispatcher-1
>> "Accept-Language: en-US,en;q=0.8[\r][\n]"
{org.apache.synapse.transport.http.wire}
TID: [-1] [] [2016-08-04 05:34:33,685] DEBUG
{org.apache.synapse.transport.http.wire} -  HTTPS-Listener I/O dispatcher-1
>> "[\r][\n]" {org.apache.synapse.transport.http.wire}
TID: [-1] [] [2016-08-04 05:34:33,813] DEBUG
{org.apache.synapse.transport.http.wire} -  HTTPS-Sender I/O dispatcher-1
<< "CONNECT demo5224632.mockable.io:443 HTTP/1.1[\r][\n]"
{org.apache.synapse.transport.http.wire}
TID: [-1] [] [2016-08-04 05:34:33,814] DEBUG
{org.apache.synapse.transport.http.wire} -  HTTPS-Sender I/O dispatcher-1
<< "Host: demo5224632.mockable.io:443[\r][\n]"
{org.apache.synapse.transport.http.wire}
TID: [-1] [] [2016-08-04 05:34:33,814] DEBUG
{org.apache.synapse.transport.http.wire} -  HTTPS-Sender I/O dispatcher-1
<< "Proxy-Connection: Keep-Alive[\r][\n]"
{org.apache.synapse.transport.http.wire}
TID: [-1] [] [2016-08-04 05:34:33,814] DEBUG
{org.apache.synapse.transport.http.wire} -  HTTPS-Sender I/O dispatcher-1
<< "Proxy-Authorization: Basic c3F1aWQzdTpzcXVpZDN1[\r][\n]"
{org.apache.synapse.transport.http.wire}
TID: [-1] [] [2016-08-04 05:34:33,814] DEBUG
{org.apache.synapse.transport.http.wire} -  HTTPS-Sender I/O dispatcher-1
<< "[\r][\n]" {org.apache.synapse.transport.http.wire}
TID: [-1] [] [2016-08-04 05:34:33,874] DEBUG
{org.apache.synapse.transport.http.wire} -  HTTPS-Sender I/O dispatcher-1
>> "HTTP/1.1 200 Connection established[\r][\n]"
{org.apache.synapse.transport.http.wire}
TID: [-1] [] [2016-08-04 05:34:33,875] DEBUG
{org.apache.synapse.transport.http.wire} -  HTTPS-Sender I/O dispatcher-1
>> "[\r][\n]" {org.apache.synapse.transport.http.wire}
TID: [-1] [] [2016-08-04 05:34:33,998] ERROR
{org.apache.synapse.transport.passthru.TargetHandler} -  I/O error: General
SSLEngine problem {org.apache.synapse.transport.passthru.TargetHandler}
javax.net.ssl.SSLHandshakeException: General SSLEngine problem
at sun.security.ssl.Handshaker.checkThrown(Handshaker.java:1431)
at sun.security.ssl.SSLEngineImpl.checkTaskThrown(SSLEngineImpl.java:535)
at sun.security.ssl.SSLEngineImpl.writeAppRecord(SSLEngineImpl.java:1214)
at sun.security.ssl.SSLEngineImpl.wrap(SSLEngineImpl.java:1186)
at javax.net.ssl.SSLEngine.wrap(SSLEngine.java:469)
at
org.apache.http.nio.reactor.ssl.SSLIOSession.doWrap(SSLIOSession.java:237)
at
org.apache.http.nio.reactor.ssl.SSLIOSession.doHandshake(SSLIOSession.java:271)
at
org.apache.http.nio.reactor.ssl.SSLIOSession.isAppInputReady(SSLIOSession.java:410)
at
org.apache.http.impl.nio.reactor.AbstractIODispatch.inputReady(AbstractIODispatch.java:119)
at
org.apache.http.impl.nio.reactor.BaseIOReactor.readable(BaseIOReactor.java:159)
at
org.apache.http.impl.nio.reactor.AbstractIOReactor.processEvent(AbstractIOReactor.java:338)
at
org.apache.http.impl.nio.reactor.AbstractIOReactor.processEvents(AbstractIOReactor.java:316)
at
org.apache.http.impl.nio.reactor.AbstractIOReactor.execute(AbstractIOReactor.java:277)
at
org.apache.http.impl.nio.reactor.BaseIOReactor.execute(BaseIOReactor.java:105)
at
org.apache.http.impl.nio.reactor.AbstractMultiworkerIOReactor$Worker.run(AbstractMultiworkerIOReactor.java:586)
at java.lang.Thread.run(Thread.java:745)
Caused by: javax.net.ssl.SSLHandshakeException: General SSLEngine problem
at sun.security.ssl.Alerts.getSSLException(Alerts.java:192)
at sun.security.ssl.SSLEngineImpl.fatal(SSLEngineImpl.java:1728)
at sun.security.ssl.Handshaker.fatalSE(Handshaker.java:304)
at sun.security.ssl.Handshaker.fatalSE(Handshaker.java:296)
at
sun.security.ssl.ClientHandshaker.serverCertificate(ClientHandshaker.java:1506)
at
sun.security.ssl.ClientHandshaker.processMessage(ClientHandshaker.java:216)
at sun.security.ssl.Handshaker.processLoop(Handshaker.java:979)
at sun.security.ssl.Handshaker$1.run(Handshaker.java:919)
at sun.security.ssl.Handshaker$1.run(Handshaker.java:916)
at java.security.AccessController.doPrivileged(Native Method)
at sun.security.ssl.Handshaker$DelegatedTask.run(Handshaker.java:1369)
at
org.apache.http.nio.reactor.ssl.SSLIOSession.doRunTask(SSLIOSession.java:255)
at
org.apache.http.nio.reactor.ssl.SSLIOSession.doHandshake(SSLIOSession.java:293)
... 9 more
Caused by: sun.security.validator.ValidatorException: PKIX path building
failed: sun.security.provider.certpath.SunCertPathBuilderException: unable
to find valid certification path to requested target
at sun.security.validator.PKIXValidator.doBuild(PKIXValidator.java:387)
at
sun.security.validator.PKIXValidator.engineValidate(PKIXValidator.java:292)
at sun.security.validator.Validator.validate(Validator.java:260)
at
sun.security.ssl.X509TrustManagerImpl.validate(X509TrustManagerImpl.java:324)
at
sun.security.ssl.X509TrustManagerImpl.checkTrusted(X509TrustManagerImpl.java:281)
at
sun.security.ssl.X509TrustManagerImpl.checkServerTrusted(X509TrustManagerImpl.java:136)
at
sun.security.ssl.ClientHandshaker.serverCertificate(ClientHandshaker.java:1493)
... 17 more
Caused by: sun.security.provider.certpath.SunCertPathBuilderException:
unable to find valid certification path to requested target
at
sun.security.provider.certpath.SunCertPathBuilder.build(SunCertPathBuilder.java:146)
at
sun.security.provider.certpath.SunCertPathBuilder.engineBuild(SunCertPathBuilder.java:131)
at java.security.cert.CertPathBuilder.build(CertPathBuilder.java:280)
at sun.security.validator.PKIXValidator.doBuild(PKIXValidator.java:382)
... 23 more
TID: [-1234] [] [2016-08-04 05:34:34,004]  WARN
{org.apache.synapse.endpoints.EndpointContext} -  Endpoint :
AnonymousEndpoint with address https://demo5224632.mockable.io/test123 will
be marked SUSPENDED as it failed
{org.apache.synapse.endpoints.EndpointContext}
TID: [-1234] [] [2016-08-04 05:34:34,004]  WARN
{org.apache.synapse.endpoints.EndpointContext} -  Suspending endpoint :
AnonymousEndpoint with address https://demo5224632.mockable.io/test123 -
last suspend duration was : 30000ms and current suspend duration is :
30000ms - Next retry after : Thu Aug 04 05:35:04 UTC 2016
{org.apache.synapse.endpoints.EndpointContext}
TID: [-1234] [] [2016-08-04 05:34:34,006]  INFO
{org.apache.synapse.mediators.builtin.LogMediator} -  To:
/services/SecureP1, MessageID:
urn:uuid:9ee295f6-3329-4e5e-b41a-cf690d1da0f7, Direction: request, MESSAGE
= Executing default 'fault' sequence, ERROR_CODE = 101500, ERROR_MESSAGE =
Error in Sender, Envelope: <?xml version='1.0'
encoding='utf-8'?><soapenv:Envelope xmlns:soapenv="
http://schemas.xmlsoap.org/soap/envelope/";><soapenv:Body/></soapenv:Envelope>
{org.apache.synapse.mediators.builtin.LogMediator}

Cheers,
Pubudu D.P
Senior Software Engineer - QA Team | WSO2 inc.
Mobile : +94775464547

Linkedin: https://uk.linkedin.com/in/pubududp
Medium: https://medium.com/@pubududp
_______________________________________________
Dev mailing list
[email protected]
http://wso2.org/cgi-bin/mailman/listinfo/dev
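Added example (not part of the post above, and not WSO2 code): the manual step the poster describes, adding the endpoint's certificate to client-truststore.jks, scripted as two shell functions. split_chain cuts the PEM blocks out of `openssl s_client -showcerts` output (a constructed sample is embedded so it runs offline, with placeholder bodies instead of real certificates), and import_cert loads one of them into a JKS truststore with keytool. The truststore path repository/resources/security/client-truststore.jks, the store password wso2carbon and the alias names are assumptions.

```shell
#!/bin/sh
# Added example, not from the mailing-list post. Splits an s_client chain dump into
# one PEM file per certificate and imports a chosen certificate into a JKS truststore.

# Constructed sample of `openssl s_client -showcerts` output: leaf first (cert 0),
# then its issuer (cert 1). The base64 bodies are placeholders, not real certificates.
SAMPLE_CHAIN='CONNECTED(00000003)
depth=1 CN = Example Issuing CA
verify return:1
---
Certificate chain
 0 s:CN = demo5224632.mockable.io
   i:CN = Example Issuing CA
-----BEGIN CERTIFICATE-----
MIIB...leaf-certificate-placeholder...
-----END CERTIFICATE-----
 1 s:CN = Example Issuing CA
   i:CN = Example Root CA
-----BEGIN CERTIFICATE-----
MIIB...issuing-ca-placeholder...
-----END CERTIFICATE-----
---'

# split_chain DIR: read s_client output on stdin, write DIR/cert-0.pem, DIR/cert-1.pem, ...
# (one file per BEGIN/END CERTIFICATE block) and print the number of certificates found.
split_chain() {
    outdir=$1
    mkdir -p "$outdir"
    awk -v dir="$outdir" '
        BEGIN { n = 0 }
        /-----BEGIN CERTIFICATE-----/ { inside = 1; file = dir "/cert-" n ".pem" }
        inside { print > file }
        /-----END CERTIFICATE-----/ { inside = 0; close(file); n++ }
        END { print n + 0 }'
}

# import_cert PEM STORE STOREPASS ALIAS: import one certificate into a JKS truststore and
# list the resulting entry. Fails (non-zero) if keytool is not on PATH.
import_cert() {
    pem=$1; store=$2; pass=$3; alias=$4
    command -v keytool >/dev/null 2>&1 || { echo "keytool not found on PATH" >&2; return 1; }
    keytool -importcert -noprompt -alias "$alias" -file "$pem" \
        -keystore "$store" -storepass "$pass" \
        && keytool -list -keystore "$store" -storepass "$pass" -alias "$alias"
}

# Stand-alone demonstration on the constructed sample (no network, no keytool needed).
demo_dir=${TMPDIR:-/tmp}/chain-demo.$$
count=$(printf '%s\n' "$SAMPLE_CHAIN" | split_chain "$demo_dir")
echo "extracted $count certificate(s) into $demo_dir"

# On a real ESB node (assumed paths/password), run once per node, then restart it:
#   openssl s_client -connect demo5224632.mockable.io:443 \
#       -servername demo5224632.mockable.io -showcerts </dev/null | split_chain /tmp/chain
#   import_cert /tmp/chain/cert-1.pem \
#       repository/resources/security/client-truststore.jks wso2carbon mockable-issuing-ca
```

The PKIX error in [2] means the JVM could not build a path from the server's certificate to any certificate it trusts, so importing either the leaf or its issuer makes the handshake succeed. Importing the issuer (cert-1 in the sample) rather than the leaf is the more durable choice: the leaf changes at every renewal and would have to be re-imported on every node each time, while the issuing CA stays valid for years. Whichever is imported, keep the alias descriptive so a later `keytool -list` shows why the entry is there.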
