Hi Pubudu,

Whenever you access an HTTPS endpoint, you have to import the back-end's
certificate into the client-truststore. That is the default requirement if
you are using SSL between the back-end and the ESB.

Thanks.

On Mon, Aug 8, 2016 at 10:13 AM, Pubudu Priyashan <[email protected]> wrote:

> Hi ESB team,
>
> I have observed the following behaviour when invoking a secure proxy in a
> clustered setup which calls an external https endpoint [1] with ESB 5.0.0
> (tested with RC1). Can you please tell me whether this behaviour is correct,
> or whether there are any alternative methods?
>
> I have a secure proxy in my ESB cluster where it calls an external https
> endpoint [1]. When I invoked this in a single node in my local machine, it
> returned the response as expected. When I created the same secure proxy in
> a Cluster, I received this error [2]. I was able to get rid of this error
> by adding the certificate of the endpoint to client-truststore.jks file of
> each ESB node of the cluster.
>
> My question is, is this behaviour correct? Do we always have to add the
> https endpoint's certificate every time we need to use an external
> endpoint in a secure proxy? Or is there another approach where we don't
> have to do this, i.e. where we are not required to add the keys to
> client-truststore.jks and restart the ESB nodes? This might not be
> convenient if we have a lot of https endpoints being called via a secure
> proxy in the ESB. Can you please advise?
>
> Thanks!
>
> [1] https://demo5224632.mockable.io/test123
>
> [2] Exception in ESB worker node:-
>
> TID: [-1] [] [2016-08-04 05:34:33,682] DEBUG {org.apache.synapse.transport.http.wire} -  HTTPS-Listener I/O dispatcher-1 >> "GET /services/SecureP1 HTTP/1.1[\r][\n]" {org.apache.synapse.transport.http.wire}
> TID: [-1] [] [2016-08-04 05:34:33,683] DEBUG {org.apache.synapse.transport.http.wire} -  HTTPS-Listener I/O dispatcher-1 >> "X-Forwarded-Host: wrk.esb500.wso2.com[\r][\n]" {org.apache.synapse.transport.http.wire}
> TID: [-1] [] [2016-08-04 05:34:33,683] DEBUG {org.apache.synapse.transport.http.wire} -  HTTPS-Listener I/O dispatcher-1 >> "X-Forwarded-Server: wrk.esb500.wso2.com[\r][\n]" {org.apache.synapse.transport.http.wire}
> TID: [-1] [] [2016-08-04 05:34:33,683] DEBUG {org.apache.synapse.transport.http.wire} -  HTTPS-Listener I/O dispatcher-1 >> "X-Forwarded-For: 10.100.7.95[\r][\n]" {org.apache.synapse.transport.http.wire}
> TID: [-1] [] [2016-08-04 05:34:33,683] DEBUG {org.apache.synapse.transport.http.wire} -  HTTPS-Listener I/O dispatcher-1 >> "Connection: upgrade[\r][\n]" {org.apache.synapse.transport.http.wire}
> TID: [-1] [] [2016-08-04 05:34:33,683] DEBUG {org.apache.synapse.transport.http.wire} -  HTTPS-Listener I/O dispatcher-1 >> "Host: ssl.esb500.com[\r][\n]" {org.apache.synapse.transport.http.wire}
> TID: [-1] [] [2016-08-04 05:34:33,684] DEBUG {org.apache.synapse.transport.http.wire} -  HTTPS-Listener I/O dispatcher-1 >> "Authorization: Basic YWRtaW5lc2I1MDA6ZXNiNTAwQERhcw==[\r][\n]" {org.apache.synapse.transport.http.wire}
> TID: [-1] [] [2016-08-04 05:34:33,684] DEBUG {org.apache.synapse.transport.http.wire} -  HTTPS-Listener I/O dispatcher-1 >> "Cache-Control: no-cache[\r][\n]" {org.apache.synapse.transport.http.wire}
> TID: [-1] [] [2016-08-04 05:34:33,684] DEBUG {org.apache.synapse.transport.http.wire} -  HTTPS-Listener I/O dispatcher-1 >> "User-Agent: Mozilla/5.0 (X11; Linux x86_64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/48.0.2564.116 Safari/537.36[\r][\n]" {org.apache.synapse.transport.http.wire}
> TID: [-1] [] [2016-08-04 05:34:33,684] DEBUG {org.apache.synapse.transport.http.wire} -  HTTPS-Listener I/O dispatcher-1 >> "Postman-Token: 60dc8ef4-36b0-03bd-5841-7efad2189071[\r][\n]" {org.apache.synapse.transport.http.wire}
> TID: [-1] [] [2016-08-04 05:34:33,684] DEBUG {org.apache.synapse.transport.http.wire} -  HTTPS-Listener I/O dispatcher-1 >> "Accept: */*[\r][\n]" {org.apache.synapse.transport.http.wire}
> TID: [-1] [] [2016-08-04 05:34:33,685] DEBUG {org.apache.synapse.transport.http.wire} -  HTTPS-Listener I/O dispatcher-1 >> "Accept-Encoding: gzip, deflate, sdch[\r][\n]" {org.apache.synapse.transport.http.wire}
> TID: [-1] [] [2016-08-04 05:34:33,685] DEBUG {org.apache.synapse.transport.http.wire} -  HTTPS-Listener I/O dispatcher-1 >> "Accept-Language: en-US,en;q=0.8[\r][\n]" {org.apache.synapse.transport.http.wire}
> TID: [-1] [] [2016-08-04 05:34:33,685] DEBUG {org.apache.synapse.transport.http.wire} -  HTTPS-Listener I/O dispatcher-1 >> "[\r][\n]" {org.apache.synapse.transport.http.wire}
> TID: [-1] [] [2016-08-04 05:34:33,813] DEBUG {org.apache.synapse.transport.http.wire} -  HTTPS-Sender I/O dispatcher-1 << "CONNECT demo5224632.mockable.io:443 HTTP/1.1[\r][\n]" {org.apache.synapse.transport.http.wire}
> TID: [-1] [] [2016-08-04 05:34:33,814] DEBUG {org.apache.synapse.transport.http.wire} -  HTTPS-Sender I/O dispatcher-1 << "Host: demo5224632.mockable.io:443[\r][\n]" {org.apache.synapse.transport.http.wire}
> TID: [-1] [] [2016-08-04 05:34:33,814] DEBUG {org.apache.synapse.transport.http.wire} -  HTTPS-Sender I/O dispatcher-1 << "Proxy-Connection: Keep-Alive[\r][\n]" {org.apache.synapse.transport.http.wire}
> TID: [-1] [] [2016-08-04 05:34:33,814] DEBUG {org.apache.synapse.transport.http.wire} -  HTTPS-Sender I/O dispatcher-1 << "Proxy-Authorization: Basic c3F1aWQzdTpzcXVpZDN1[\r][\n]" {org.apache.synapse.transport.http.wire}
> TID: [-1] [] [2016-08-04 05:34:33,814] DEBUG {org.apache.synapse.transport.http.wire} -  HTTPS-Sender I/O dispatcher-1 << "[\r][\n]" {org.apache.synapse.transport.http.wire}
> TID: [-1] [] [2016-08-04 05:34:33,874] DEBUG {org.apache.synapse.transport.http.wire} -  HTTPS-Sender I/O dispatcher-1 >> "HTTP/1.1 200 Connection established[\r][\n]" {org.apache.synapse.transport.http.wire}
> TID: [-1] [] [2016-08-04 05:34:33,875] DEBUG {org.apache.synapse.transport.http.wire} -  HTTPS-Sender I/O dispatcher-1 >> "[\r][\n]" {org.apache.synapse.transport.http.wire}
> TID: [-1] [] [2016-08-04 05:34:33,998] ERROR {org.apache.synapse.transport.passthru.TargetHandler} -  I/O error: General SSLEngine problem {org.apache.synapse.transport.passthru.TargetHandler}
> javax.net.ssl.SSLHandshakeException: General SSLEngine problem
> at sun.security.ssl.Handshaker.checkThrown(Handshaker.java:1431)
> at sun.security.ssl.SSLEngineImpl.checkTaskThrown(SSLEngineImpl.java:535)
> at sun.security.ssl.SSLEngineImpl.writeAppRecord(SSLEngineImpl.java:1214)
> at sun.security.ssl.SSLEngineImpl.wrap(SSLEngineImpl.java:1186)
> at javax.net.ssl.SSLEngine.wrap(SSLEngine.java:469)
> at org.apache.http.nio.reactor.ssl.SSLIOSession.doWrap(SSLIOSession.java:237)
> at org.apache.http.nio.reactor.ssl.SSLIOSession.doHandshake(SSLIOSession.java:271)
> at org.apache.http.nio.reactor.ssl.SSLIOSession.isAppInputReady(SSLIOSession.java:410)
> at org.apache.http.impl.nio.reactor.AbstractIODispatch.inputReady(AbstractIODispatch.java:119)
> at org.apache.http.impl.nio.reactor.BaseIOReactor.readable(BaseIOReactor.java:159)
> at org.apache.http.impl.nio.reactor.AbstractIOReactor.processEvent(AbstractIOReactor.java:338)
> at org.apache.http.impl.nio.reactor.AbstractIOReactor.processEvents(AbstractIOReactor.java:316)
> at org.apache.http.impl.nio.reactor.AbstractIOReactor.execute(AbstractIOReactor.java:277)
> at org.apache.http.impl.nio.reactor.BaseIOReactor.execute(BaseIOReactor.java:105)
> at org.apache.http.impl.nio.reactor.AbstractMultiworkerIOReactor$Worker.run(AbstractMultiworkerIOReactor.java:586)
> at java.lang.Thread.run(Thread.java:745)
> Caused by: javax.net.ssl.SSLHandshakeException: General SSLEngine problem
> at sun.security.ssl.Alerts.getSSLException(Alerts.java:192)
> at sun.security.ssl.SSLEngineImpl.fatal(SSLEngineImpl.java:1728)
> at sun.security.ssl.Handshaker.fatalSE(Handshaker.java:304)
> at sun.security.ssl.Handshaker.fatalSE(Handshaker.java:296)
> at sun.security.ssl.ClientHandshaker.serverCertificate(ClientHandshaker.java:1506)
> at sun.security.ssl.ClientHandshaker.processMessage(ClientHandshaker.java:216)
> at sun.security.ssl.Handshaker.processLoop(Handshaker.java:979)
> at sun.security.ssl.Handshaker$1.run(Handshaker.java:919)
> at sun.security.ssl.Handshaker$1.run(Handshaker.java:916)
> at java.security.AccessController.doPrivileged(Native Method)
> at sun.security.ssl.Handshaker$DelegatedTask.run(Handshaker.java:1369)
> at org.apache.http.nio.reactor.ssl.SSLIOSession.doRunTask(SSLIOSession.java:255)
> at org.apache.http.nio.reactor.ssl.SSLIOSession.doHandshake(SSLIOSession.java:293)
> ... 9 more
> Caused by: sun.security.validator.ValidatorException: PKIX path building failed: sun.security.provider.certpath.SunCertPathBuilderException: unable to find valid certification path to requested target
> at sun.security.validator.PKIXValidator.doBuild(PKIXValidator.java:387)
> at sun.security.validator.PKIXValidator.engineValidate(PKIXValidator.java:292)
> at sun.security.validator.Validator.validate(Validator.java:260)
> at sun.security.ssl.X509TrustManagerImpl.validate(X509TrustManagerImpl.java:324)
> at sun.security.ssl.X509TrustManagerImpl.checkTrusted(X509TrustManagerImpl.java:281)
> at sun.security.ssl.X509TrustManagerImpl.checkServerTrusted(X509TrustManagerImpl.java:136)
> at sun.security.ssl.ClientHandshaker.serverCertificate(ClientHandshaker.java:1493)
> ... 17 more
> Caused by: sun.security.provider.certpath.SunCertPathBuilderException: unable to find valid certification path to requested target
> at sun.security.provider.certpath.SunCertPathBuilder.build(SunCertPathBuilder.java:146)
> at sun.security.provider.certpath.SunCertPathBuilder.engineBuild(SunCertPathBuilder.java:131)
> at java.security.cert.CertPathBuilder.build(CertPathBuilder.java:280)
> at sun.security.validator.PKIXValidator.doBuild(PKIXValidator.java:382)
> ... 23 more
> TID: [-1234] [] [2016-08-04 05:34:34,004]  WARN {org.apache.synapse.endpoints.EndpointContext} -  Endpoint : AnonymousEndpoint with address https://demo5224632.mockable.io/test123 will be marked SUSPENDED as it failed {org.apache.synapse.endpoints.EndpointContext}
> TID: [-1234] [] [2016-08-04 05:34:34,004]  WARN {org.apache.synapse.endpoints.EndpointContext} -  Suspending endpoint : AnonymousEndpoint with address https://demo5224632.mockable.io/test123 - last suspend duration was : 30000ms and current suspend duration is : 30000ms - Next retry after : Thu Aug 04 05:35:04 UTC 2016 {org.apache.synapse.endpoints.EndpointContext}
> TID: [-1234] [] [2016-08-04 05:34:34,006]  INFO {org.apache.synapse.mediators.builtin.LogMediator} -  To: /services/SecureP1, MessageID: urn:uuid:9ee295f6-3329-4e5e-b41a-cf690d1da0f7, Direction: request, MESSAGE = Executing default 'fault' sequence, ERROR_CODE = 101500, ERROR_MESSAGE = Error in Sender, Envelope: <?xml version='1.0' encoding='utf-8'?><soapenv:Envelope xmlns:soapenv="http://schemas.xmlsoap.org/soap/envelope/"><soapenv:Body/></soapenv:Envelope> {org.apache.synapse.mediators.builtin.LogMediator}
>
> Cheers,
> Pubudu D.P
> Senior Software Engineer - QA Team | WSO2 inc.
> Mobile : +94775464547
>
> Linkedin: https://uk.linkedin.com/in/pubududp
> Medium: https://medium.com/@pubududp
>
>
> _______________________________________________
> Dev mailing list
> [email protected]
> http://wso2.org/cgi-bin/mailman/listinfo/dev
>
>


-- 
Jagath Ariyarathne
Technical Lead
WSO2 Inc.  http://wso2.com/
Email: [email protected]
Mob  : +94 77 386 7048

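The reply above says what to do (import the back-end's certificate into client-truststore.jks on every node) but not how, and the trace shows why it matters: the PKIX path-building failure is raised on the tunnelled connection after the proxy answered "200 Connection established", so the certificate being rejected is whatever arrives through that tunnel. The script below is an added example, not code from the thread or from WSO2. It captures the chain with openssl, splits it, imports the issuing CA (rather than the short-lived leaf) with keytool, and checks the result before a node is restarted. The truststore path and password are assumptions (the stock values shipped with the ESB passthrough transport); the sample s_client output embedded for the offline demo is constructed, with placeholder base64 rather than a real chain.

```shell
#!/bin/sh
# Added example (not from the thread or WSO2): the manual procedure behind
# "import the back-end's certificate into client-truststore.jks", with the
# checks you want before restarting every node of a cluster.
#
# Assumptions: the path and password below are the stock values used by the
# ESB passthrough transport; override via environment if axis2.xml differs.
set -eu
TRUSTSTORE="${TRUSTSTORE:-repository/resources/security/client-truststore.jks}"
STOREPASS="${STOREPASS:-wso2carbon}"

# 1. Capture the chain the server presents. -servername sends SNI so a
#    virtual-hosted endpoint returns the certificate the ESB will see.
#    If the ESB reaches the endpoint through a CONNECT proxy, as in the trace,
#    fetch through the same proxy (openssl s_client -proxy host:port, OpenSSL
#    1.1.0+): an intercepting proxy presents its own certificate, and that is
#    the one the ESB is rejecting.
fetch_chain() {  # fetch_chain host port > chain.txt
  openssl s_client -showcerts -servername "$1" -connect "$1:$2" </dev/null 2>/dev/null
}

# 2. Split s_client output into outdir/cert-0.pem (leaf), cert-1.pem, ... and
#    print how many certificates were written. Text outside the BEGIN/END
#    markers (verify errors, subject lines) is dropped.
split_chain() {  # split_chain chain.txt outdir
  mkdir -p "$2"
  awk -v dir="$2" '
    BEGIN { n = 0; inblk = 0 }
    /^-----BEGIN CERTIFICATE-----$/ { f = dir "/cert-" n ".pem"; inblk = 1 }
    inblk { print > f }
    /^-----END CERTIFICATE-----$/ { if (inblk) { close(f); inblk = 0; n++ } }
    END { print n }
  ' "$1"
}

# 3. Pick what to trust. The last certificate sent is the highest CA in the
#    chain (usually an intermediate; roots are rarely sent). Trusting it
#    survives leaf renewal; trusting the leaf pins one key and breaks again
#    at the next rotation, on every node.
top_ca_cert() {  # top_ca_cert outdir count
  echo "$1/cert-$(( $2 - 1 )).pem"
}

# 4. Import under a distinct alias. -noprompt suppresses the interactive
#    "Trust this certificate?" so the step can be scripted per node.
import_cert() {  # import_cert cert.pem alias
  keytool -importcert -noprompt -trustcacerts -alias "$2" -file "$1" \
    -keystore "$TRUSTSTORE" -storepass "$STOREPASS"
}

# 5. Checks before the restart: the alias is present, and the certificate you
#    chose really validates the server (the second check needs no Java).
has_alias() {  # has_alias alias
  keytool -list -keystore "$TRUSTSTORE" -storepass "$STOREPASS" -alias "$1" >/dev/null 2>&1
}
validates_server() {  # validates_server host port ca.pem
  openssl s_client -servername "$1" -connect "$1:$2" -CAfile "$3" </dev/null 2>/dev/null |
    grep -q 'Verify return code: 0 (ok)'
}

# Constructed sample of s_client output (placeholder base64, not a real chain)
# so the parsing step can be exercised offline.
SAMPLE_CHAIN='CONNECTED(00000003)
depth=0 CN = demo5224632.mockable.io
verify error:num=20:unable to get local issuer certificate
---
Certificate chain
 0 s:/CN=demo5224632.mockable.io
   i:/CN=Example Issuing CA
-----BEGIN CERTIFICATE-----
Y29uc3RydWN0ZWQgbGVhZiBjZXJ0aWZpY2F0ZSBib2R5LCBub3QgYSByZWFsIGNlcnQ=
-----END CERTIFICATE-----
 1 s:/CN=Example Issuing CA
   i:/CN=Example Root CA
-----BEGIN CERTIFICATE-----
Y29uc3RydWN0ZWQgaXNzdWluZyBDQSBjZXJ0aWZpY2F0ZSBib2R5LCBub3QgcmVhbA==
-----END CERTIFICATE-----
---
Server certificate
subject=/CN=demo5224632.mockable.io'

# Offline demo: split the sample and print "<count> <workdir>".
demo_split() {
  d=$(mktemp -d)
  printf '%s\n' "$SAMPLE_CHAIN" > "$d/chain.txt"
  n=$(split_chain "$d/chain.txt" "$d/certs")
  echo "$n $d"
}

# Real run on one node (needs network, openssl and keytool); repeat on every
# node, then restart each ESB so the passthrough sender reloads the truststore:
#   fetch_chain demo5224632.mockable.io 443 > chain.txt
#   n=$(split_chain chain.txt certs)
#   ca=$(top_ca_cert certs "$n")
#   validates_server demo5224632.mockable.io 443 "$ca" && import_cert "$ca" mockable-ca
#   has_alias mockable-ca
```

Running validates_server before import_cert is the point of the ordering: if the CA you captured does not verify the server, either the server sends an incomplete chain (fetch the missing intermediate from the CA instead) or a proxy between the ESB and the endpoint is re-terminating TLS, and importing what you captured directly would not fix the handshake the ESB is failing.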