Hi Jagath,

So when we do that, it requires the user to restart the server every time
they add a new https endpoint, in order to add the keys to client-truststore. In
production environments, this is not convenient and will have to go through
a long process to add a key to the truststore, since it requires a server
restart. Are there any better approaches we can think of to overcome this
without having to restart the servers when we add new https endpoints?

Cheers,

Pubudu D.P
Senior Software Engineer - QA Team | WSO2 inc.
Mobile : +94775464547

Linkedin: https://uk.linkedin.com/in/pubududp
Medium: https://medium.com/@pubududp


On Mon, Aug 8, 2016 at 10:55 AM, Jagath Sisirakumara Ariyarathne <
jaga...@wso2.com> wrote:

> Hi Pubudu,
>
> Whenever you access an Https endpoint, you have to import the back-end's
> certificate to client-truststore. That is the default requirement if you
> are using SSL between the back-end and ESB.
>
> Thanks.
>
> On Mon, Aug 8, 2016 at 10:13 AM, Pubudu Priyashan <pubu...@wso2.com>
> wrote:
>
>> Hi ESB team,
>>
>> I have observed the following behaviour when invoking a secure proxy in a
>> clustered setup which calls an external http endpoint [1] with ESB 5.0.0
>> (Tested with RC1). Can you please inform me whether this behaviour is correct
>> or whether there are any alternative methods?
>>
>> I have a secure proxy in my ESB cluster where it calls an external https
>> endpoint [1]. When I invoked this in a single node in my local machine, it
>> returned the response as expected. When I created the same secure proxy in
>> a Cluster, I received this error [2]. I was able to get rid of this error
>> by adding the certificate of the endpoint to client-truststore.jks file of
>> each ESB node of the cluster.
>>
>> My question is, is this behaviour correct? Do we always have to add
>> the https endpoint certificate every time we need to use an external
>> endpoint in a secure proxy? Or is there another approach where we don't
>> have to do this and are not required to add the keys to client-truststore.jks
>> and restart ESB nodes? This might not be convenient if we have a lot of
>> https endpoints being called via a secure proxy in ESB. Can you please
>> advise?
>>
>> Thanks!
>>
>> [1] https://demo5224632.mockable.io/test123
>>
>> [2] Exception in ESB worker node:-
>>
>> TID: [-1] [] [2016-08-04 05:34:33,682] DEBUG
>> {org.apache.synapse.transport.http.wire} -  HTTPS-Listener I/O
>> dispatcher-1 >> "GET /services/SecureP1 HTTP/1.1[\r][\n]"
>> {org.apache.synapse.transport.http.wire}
>> TID: [-1] [] [2016-08-04 05:34:33,683] DEBUG
>> {org.apache.synapse.transport.http.wire} -  HTTPS-Listener I/O
>> dispatcher-1 >> "X-Forwarded-Host: wrk.esb500.wso2.com[\r][\n]"
>> {org.apache.synapse.transport.http.wire}
>> TID: [-1] [] [2016-08-04 05:34:33,683] DEBUG
>> {org.apache.synapse.transport.http.wire} -  HTTPS-Listener I/O
>> dispatcher-1 >> "X-Forwarded-Server: wrk.esb500.wso2.com[\r][\n]"
>> {org.apache.synapse.transport.http.wire}
>> TID: [-1] [] [2016-08-04 05:34:33,683] DEBUG
>> {org.apache.synapse.transport.http.wire} -  HTTPS-Listener I/O
>> dispatcher-1 >> "X-Forwarded-For: 10.100.7.95[\r][\n]"
>> {org.apache.synapse.transport.http.wire}
>> TID: [-1] [] [2016-08-04 05:34:33,683] DEBUG
>> {org.apache.synapse.transport.http.wire} -  HTTPS-Listener I/O
>> dispatcher-1 >> "Connection: upgrade[\r][\n]" {org.apache.synapse.transport.
>> http.wire}
>> TID: [-1] [] [2016-08-04 05:34:33,683] DEBUG
>> {org.apache.synapse.transport.http.wire} -  HTTPS-Listener I/O
>> dispatcher-1 >> "Host: ssl.esb500.com[\r][\n]"
>> {org.apache.synapse.transport.http.wire}
>> TID: [-1] [] [2016-08-04 05:34:33,684] DEBUG
>> {org.apache.synapse.transport.http.wire} -  HTTPS-Listener I/O
>> dispatcher-1 >> "Authorization: Basic 
>> YWRtaW5lc2I1MDA6ZXNiNTAwQERhcw==[\r][\n]"
>> {org.apache.synapse.transport.http.wire}
>> TID: [-1] [] [2016-08-04 05:34:33,684] DEBUG
>> {org.apache.synapse.transport.http.wire} -  HTTPS-Listener I/O
>> dispatcher-1 >> "Cache-Control: no-cache[\r][\n]"
>> {org.apache.synapse.transport.http.wire}
>> TID: [-1] [] [2016-08-04 05:34:33,684] DEBUG
>> {org.apache.synapse.transport.http.wire} -  HTTPS-Listener I/O
>> dispatcher-1 >> "User-Agent: Mozilla/5.0 (X11; Linux x86_64)
>> AppleWebKit/537.36 (KHTML, like Gecko) Chrome/48.0.2564.116
>> Safari/537.36[\r][\n]" {org.apache.synapse.transport.http.wire}
>> TID: [-1] [] [2016-08-04 05:34:33,684] DEBUG
>> {org.apache.synapse.transport.http.wire} -  HTTPS-Listener I/O
>> dispatcher-1 >> "Postman-Token: 60dc8ef4-36b0-03bd-5841-7efad2189071[\r][\n]"
>> {org.apache.synapse.transport.http.wire}
>> TID: [-1] [] [2016-08-04 05:34:33,684] DEBUG
>> {org.apache.synapse.transport.http.wire} -  HTTPS-Listener I/O
>> dispatcher-1 >> "Accept: */*[\r][\n]" {org.apache.synapse.transport.
>> http.wire}
>> TID: [-1] [] [2016-08-04 05:34:33,685] DEBUG
>> {org.apache.synapse.transport.http.wire} -  HTTPS-Listener I/O
>> dispatcher-1 >> "Accept-Encoding: gzip, deflate, sdch[\r][\n]"
>> {org.apache.synapse.transport.http.wire}
>> TID: [-1] [] [2016-08-04 05:34:33,685] DEBUG
>> {org.apache.synapse.transport.http.wire} -  HTTPS-Listener I/O
>> dispatcher-1 >> "Accept-Language: en-US,en;q=0.8[\r][\n]"
>> {org.apache.synapse.transport.http.wire}
>> TID: [-1] [] [2016-08-04 05:34:33,685] DEBUG
>> {org.apache.synapse.transport.http.wire} -  HTTPS-Listener I/O
>> dispatcher-1 >> "[\r][\n]" {org.apache.synapse.transport.http.wire}
>> TID: [-1] [] [2016-08-04 05:34:33,813] DEBUG
>> {org.apache.synapse.transport.http.wire} -  HTTPS-Sender I/O
>> dispatcher-1 << "CONNECT demo5224632.mockable.io:443 HTTP/1.1[\r][\n]"
>> {org.apache.synapse.transport.http.wire}
>> TID: [-1] [] [2016-08-04 05:34:33,814] DEBUG
>> {org.apache.synapse.transport.http.wire} -  HTTPS-Sender I/O
>> dispatcher-1 << "Host: demo5224632.mockable.io:443[\r][\n]"
>> {org.apache.synapse.transport.http.wire}
>> TID: [-1] [] [2016-08-04 05:34:33,814] DEBUG
>> {org.apache.synapse.transport.http.wire} -  HTTPS-Sender I/O
>> dispatcher-1 << "Proxy-Connection: Keep-Alive[\r][\n]"
>> {org.apache.synapse.transport.http.wire}
>> TID: [-1] [] [2016-08-04 05:34:33,814] DEBUG
>> {org.apache.synapse.transport.http.wire} -  HTTPS-Sender I/O
>> dispatcher-1 << "Proxy-Authorization: Basic c3F1aWQzdTpzcXVpZDN1[\r][\n]"
>> {org.apache.synapse.transport.http.wire}
>> TID: [-1] [] [2016-08-04 05:34:33,814] DEBUG
>> {org.apache.synapse.transport.http.wire} -  HTTPS-Sender I/O
>> dispatcher-1 << "[\r][\n]" {org.apache.synapse.transport.http.wire}
>> TID: [-1] [] [2016-08-04 05:34:33,874] DEBUG
>> {org.apache.synapse.transport.http.wire} -  HTTPS-Sender I/O
>> dispatcher-1 >> "HTTP/1.1 200 Connection established[\r][\n]"
>> {org.apache.synapse.transport.http.wire}
>> TID: [-1] [] [2016-08-04 05:34:33,875] DEBUG
>> {org.apache.synapse.transport.http.wire} -  HTTPS-Sender I/O
>> dispatcher-1 >> "[\r][\n]" {org.apache.synapse.transport.http.wire}
>> TID: [-1] [] [2016-08-04 05:34:33,998] ERROR
>> {org.apache.synapse.transport.passthru.TargetHandler} -  I/O error:
>> General SSLEngine problem {org.apache.synapse.transport.
>> passthru.TargetHandler}
>> javax.net.ssl.SSLHandshakeException: General SSLEngine problem
>> at sun.security.ssl.Handshaker.checkThrown(Handshaker.java:1431)
>> at sun.security.ssl.SSLEngineImpl.checkTaskThrown(SSLEngineImpl.java:535)
>> at sun.security.ssl.SSLEngineImpl.writeAppRecord(SSLEngineImpl.java:1214)
>> at sun.security.ssl.SSLEngineImpl.wrap(SSLEngineImpl.java:1186)
>> at javax.net.ssl.SSLEngine.wrap(SSLEngine.java:469)
>> at org.apache.http.nio.reactor.ssl.SSLIOSession.doWrap(SSLIOSes
>> sion.java:237)
>> at org.apache.http.nio.reactor.ssl.SSLIOSession.doHandshake(SSL
>> IOSession.java:271)
>> at org.apache.http.nio.reactor.ssl.SSLIOSession.isAppInputReady
>> (SSLIOSession.java:410)
>> at org.apache.http.impl.nio.reactor.AbstractIODispatch.inputRea
>> dy(AbstractIODispatch.java:119)
>> at org.apache.http.impl.nio.reactor.BaseIOReactor.readable(
>> BaseIOReactor.java:159)
>> at org.apache.http.impl.nio.reactor.AbstractIOReactor.processEv
>> ent(AbstractIOReactor.java:338)
>> at org.apache.http.impl.nio.reactor.AbstractIOReactor.processEv
>> ents(AbstractIOReactor.java:316)
>> at org.apache.http.impl.nio.reactor.AbstractIOReactor.execute(
>> AbstractIOReactor.java:277)
>> at org.apache.http.impl.nio.reactor.BaseIOReactor.execute(BaseI
>> OReactor.java:105)
>> at org.apache.http.impl.nio.reactor.AbstractMultiworkerIOReacto
>> r$Worker.run(AbstractMultiworkerIOReactor.java:586)
>> at java.lang.Thread.run(Thread.java:745)
>> Caused by: javax.net.ssl.SSLHandshakeException: General SSLEngine problem
>> at sun.security.ssl.Alerts.getSSLException(Alerts.java:192)
>> at sun.security.ssl.SSLEngineImpl.fatal(SSLEngineImpl.java:1728)
>> at sun.security.ssl.Handshaker.fatalSE(Handshaker.java:304)
>> at sun.security.ssl.Handshaker.fatalSE(Handshaker.java:296)
>> at sun.security.ssl.ClientHandshaker.serverCertificate(ClientHa
>> ndshaker.java:1506)
>> at sun.security.ssl.ClientHandshaker.processMessage(ClientHands
>> haker.java:216)
>> at sun.security.ssl.Handshaker.processLoop(Handshaker.java:979)
>> at sun.security.ssl.Handshaker$1.run(Handshaker.java:919)
>> at sun.security.ssl.Handshaker$1.run(Handshaker.java:916)
>> at java.security.AccessController.doPrivileged(Native Method)
>> at sun.security.ssl.Handshaker$DelegatedTask.run(Handshaker.java:1369)
>> at org.apache.http.nio.reactor.ssl.SSLIOSession.doRunTask(SSLIO
>> Session.java:255)
>> at org.apache.http.nio.reactor.ssl.SSLIOSession.doHandshake(SSL
>> IOSession.java:293)
>> ... 9 more
>> Caused by: sun.security.validator.ValidatorException: PKIX path building
>> failed: sun.security.provider.certpath.SunCertPathBuilderException:
>> unable to find valid certification path to requested target
>> at sun.security.validator.PKIXValidator.doBuild(PKIXValidator.java:387)
>> at sun.security.validator.PKIXValidator.engineValidate(PKIXVali
>> dator.java:292)
>> at sun.security.validator.Validator.validate(Validator.java:260)
>> at sun.security.ssl.X509TrustManagerImpl.validate(X509TrustMana
>> gerImpl.java:324)
>> at sun.security.ssl.X509TrustManagerImpl.checkTrusted(X509Trust
>> ManagerImpl.java:281)
>> at sun.security.ssl.X509TrustManagerImpl.checkServerTrusted(X50
>> 9TrustManagerImpl.java:136)
>> at sun.security.ssl.ClientHandshaker.serverCertificate(ClientHa
>> ndshaker.java:1493)
>> ... 17 more
>> Caused by: sun.security.provider.certpath.SunCertPathBuilderException:
>> unable to find valid certification path to requested target
>> at sun.security.provider.certpath.SunCertPathBuilder.build(
>> SunCertPathBuilder.java:146)
>> at sun.security.provider.certpath.SunCertPathBuilder.engineBuil
>> d(SunCertPathBuilder.java:131)
>> at java.security.cert.CertPathBuilder.build(CertPathBuilder.java:280)
>> at sun.security.validator.PKIXValidator.doBuild(PKIXValidator.java:382)
>> ... 23 more
>> TID: [-1234] [] [2016-08-04 05:34:34,004]  WARN
>> {org.apache.synapse.endpoints.EndpointContext} -  Endpoint :
>> AnonymousEndpoint with address https://demo5224632.mockable.io/test123
>> will be marked SUSPENDED as it failed {org.apache.synapse.endpoints.
>> EndpointContext}
>> TID: [-1234] [] [2016-08-04 05:34:34,004]  WARN
>> {org.apache.synapse.endpoints.EndpointContext} -  Suspending endpoint :
>> AnonymousEndpoint with address https://demo5224632.mockable.io/test123 -
>> last suspend duration was : 30000ms and current suspend duration is :
>> 30000ms - Next retry after : Thu Aug 04 05:35:04 UTC 2016
>> {org.apache.synapse.endpoints.EndpointContext}
>> TID: [-1234] [] [2016-08-04 05:34:34,006]  INFO
>> {org.apache.synapse.mediators.builtin.LogMediator} -  To:
>> /services/SecureP1, MessageID: urn:uuid:9ee295f6-3329-4e5e-b41a-cf690d1da0f7,
>> Direction: request, MESSAGE = Executing default 'fault' sequence,
>> ERROR_CODE = 101500, ERROR_MESSAGE = Error in Sender, Envelope: <?xml
>> version='1.0' encoding='utf-8'?><soapenv:Envelope xmlns:soapenv="
>> http://schemas.xmlsoap.org/soap/envelope/";><s
>> oapenv:Body/></soapenv:Envelope> {org.apache.synapse.mediators.
>> builtin.LogMediator}
>>
>> Cheers,
>> Pubudu D.P
>> Senior Software Engineer - QA Team | WSO2 inc.
>> Mobile : +94775464547
>>
>> Linkedin: https://uk.linkedin.com/in/pubududp
>> Medium: https://medium.com/@pubududp
>>
>>
>> _______________________________________________
>> Dev mailing list
>> Dev@wso2.org
>> http://wso2.org/cgi-bin/mailman/listinfo/dev
>>
>>
>
>
> --
> Jagath Ariyarathne
> Technical Lead
> WSO2 Inc.  http://wso2.com/
> Email: jaga...@wso2.com
> Mob  : +94 77 386 7048
> <http://wso2.com/signature>
>
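As an added example (not code from the thread or from WSO2), a small triage script for the situation described above: it scans a wso2carbon.log-style excerpt for the "General SSLEngine problem" handshake error whose cause is a PKIX path-building failure, correlates it with the endpoint that Synapse then marks SUSPENDED, and lists the host:port whose certificate is missing from that node's client-truststore.jks. The sample log is constructed from the wrapped excerpt in [2]; the truststore path and password in the remediation commands are placeholders.

```python
import re
from datetime import datetime, timedelta
from urllib.parse import urlsplit

# Constructed sample modelled on the log excerpt [2]; real log records are one line each.
SAMPLE_LOG = """\
TID: [-1] [] [2016-08-04 05:34:33,998] ERROR {org.apache.synapse.transport.passthru.TargetHandler} -  I/O error: General SSLEngine problem {org.apache.synapse.transport.passthru.TargetHandler}
javax.net.ssl.SSLHandshakeException: General SSLEngine problem
Caused by: javax.net.ssl.SSLHandshakeException: General SSLEngine problem
Caused by: sun.security.validator.ValidatorException: PKIX path building failed: sun.security.provider.certpath.SunCertPathBuilderException: unable to find valid certification path to requested target
TID: [-1234] [] [2016-08-04 05:34:34,004]  WARN {org.apache.synapse.endpoints.EndpointContext} -  Endpoint : AnonymousEndpoint with address https://demo5224632.mockable.io/test123 will be marked SUSPENDED as it failed {org.apache.synapse.endpoints.EndpointContext}
TID: [-1234] [] [2016-08-04 05:34:34,006]  INFO {org.apache.synapse.mediators.builtin.LogMediator} -  To: /services/SecureP1, MESSAGE = Executing default 'fault' sequence, ERROR_CODE = 101500, ERROR_MESSAGE = Error in Sender
TID: [-1234] [] [2016-08-04 05:40:00,000]  WARN {org.apache.synapse.endpoints.EndpointContext} -  Endpoint : AnonymousEndpoint with address http://plain.example.test/api will be marked SUSPENDED as it failed {org.apache.synapse.endpoints.EndpointContext}
"""

TS_RE = re.compile(r"^TID: \[-?\d+\] \[[^\]]*\] \[(\d{4}-\d{2}-\d{2} \d{2}:\d{2}:\d{2}),\d{3}\]\s+(\w+)")
SSL_ERROR_MARK = "TargetHandler} -  I/O error: General SSLEngine problem"
PKIX_MARK = "PKIX path building failed"
SUSPEND_RE = re.compile(r"with address (\S+) will be marked SUSPENDED")

def find_untrusted_endpoints(log_text, window_seconds=5):
    """Return sorted 'host:port' of HTTPS endpoints suspended within window_seconds of a PKIX trust failure."""
    last_ssl_error = None   # timestamp of the most recent SSLEngine handshake error record
    pending = None          # set once that error's stack trace shows a PKIX path-building cause
    result = set()
    for line in log_text.splitlines():
        m = TS_RE.match(line)
        if not m:
            # Stack-trace continuation line: does the handshake error have a trust-path cause?
            if PKIX_MARK in line and last_ssl_error is not None:
                pending = last_ssl_error
            continue
        ts, level = datetime.strptime(m.group(1), "%Y-%m-%d %H:%M:%S"), m.group(2)
        if level == "ERROR" and SSL_ERROR_MARK in line:
            last_ssl_error, pending = ts, None
            continue
        s = SUSPEND_RE.search(line)
        if s and pending is not None and ts - pending <= timedelta(seconds=window_seconds):
            url = urlsplit(s.group(1))
            if url.scheme == "https":          # only TLS back-ends need a truststore entry
                result.add(f"{url.hostname}:{url.port or 443}")
                pending = None                 # attribute each failure to one endpoint only
    return sorted(result)

def remediation_commands(host_port):
    """Commands to fetch the back-end certificate and import it on each ESB node (placeholders for path/password)."""
    host = host_port.split(":")[0]
    return [
        f"openssl s_client -connect {host_port} -showcerts </dev/null | openssl x509 -out {host}.pem",
        f"keytool -importcert -noprompt -alias {host} -file {host}.pem "
        f"-keystore <ESB_HOME>/repository/resources/security/client-truststore.jks -storepass <truststore-password>",
    ]

if __name__ == "__main__":
    for ep in find_untrusted_endpoints(SAMPLE_LOG):
        print(ep, *remediation_commands(ep), sep="\n  ")
```

Run it against each node's log in the cluster to see which nodes still lack the certificate; a node that never logs the PKIX cause for that endpoint already trusts it.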