It makes sense when you think in terms of dev cycles. Thanks for the clarification guys.
Cheers,
Pubudu.

Pubudu D.P
Senior Software Engineer - QA Team | WSO2 inc.
Mobile : +94775464547
Linkedin: https://uk.linkedin.com/in/pubududp
Medium: https://medium.com/@pubududp

On Mon, Aug 8, 2016 at 11:19 AM, Rajith Vitharana <raji...@wso2.com> wrote:
> Hi Pubudu,
>
> On 8 August 2016 at 11:14, Pubudu Priyashan <pubu...@wso2.com> wrote:
>
>> Hi Jagath,
>>
>> So when we do that, it requires the user to restart the server every time
>> they add a new HTTPS endpoint to add the keys to client-truststore. In
>> production environments, this is not
>>
> I'm not sure people do such things directly to the production envs; I
> think there are dev cycles before pushing such changes to production. Hence
> there will be the chance to add the required certs to the product before
> production.
>
> Thanks,
>
>> convenient and will have to go through a long process to add a key to the
>> truststore since it requires a server restart. Are there any better
>> approaches we can think of to overcome this without having to restart the
>> servers when we add new HTTPS endpoints?
>>
>> Cheers,
>>
>> Pubudu D.P
>> Senior Software Engineer - QA Team | WSO2 inc.
>> Mobile : +94775464547
>> Linkedin: https://uk.linkedin.com/in/pubududp
>> Medium: https://medium.com/@pubududp
>>
>> On Mon, Aug 8, 2016 at 10:55 AM, Jagath Sisirakumara Ariyarathne <jaga...@wso2.com> wrote:
>>
>>> Hi Pubudu,
>>>
>>> Whenever you access an HTTPS endpoint, you have to import the back-end's
>>> certificate into client-truststore. That is the default requirement if you
>>> are using SSL between the back-end and the ESB.
>>>
>>> Thanks.
>>>
>>> On Mon, Aug 8, 2016 at 10:13 AM, Pubudu Priyashan <pubu...@wso2.com> wrote:
>>>
>>>> Hi ESB team,
>>>>
>>>> I have observed the following behaviour when invoking a secure proxy in
>>>> a clustered setup which calls an external http endpoint [1] with ESB 5.0.0
>>>> (tested with RC1). Can you please inform if this behaviour is correct or
>>>> are there any alternative methods?
>>>>
>>>> I have a secure proxy in my ESB cluster where it calls an external
>>>> https endpoint [1]. When I invoked this in a single node on my local
>>>> machine, it returned the response as expected. When I created the same
>>>> secure proxy in a cluster, I received this error [2]. I was able to get rid
>>>> of this error by adding the certificate of the endpoint to the
>>>> client-truststore.jks file of each ESB node of the cluster.
>>>>
>>>> My question is, is this behaviour correct? Should we have to always add
>>>> the https endpoint certificate every time we need to use an external
>>>> endpoint in a secure proxy? Or is there another approach where we don't
>>>> have to do this and are not required to add the keys to client-truststore.jks
>>>> and restart ESB nodes? This might not be convenient if we have a lot of
>>>> https endpoints being called via a secure proxy in ESB. Can you please
>>>> advise?
>>>>
>>>> Thanks!
>>>>
>>>> [1] https://demo5224632.mockable.io/test123
>>>>
>>>> [2] Exception in ESB worker node:
>>>>
>>>> TID: [-1] [] [2016-08-04 05:34:33,682] DEBUG {org.apache.synapse.transport.http.wire} - HTTPS-Listener I/O dispatcher-1 >> "GET /services/SecureP1 HTTP/1.1[\r][\n]" {org.apache.synapse.transport.http.wire}
>>>> TID: [-1] [] [2016-08-04 05:34:33,683] DEBUG {org.apache.synapse.transport.http.wire} - HTTPS-Listener I/O dispatcher-1 >> "X-Forwarded-Host: wrk.esb500.wso2.com[\r][\n]" {org.apache.synapse.transport.http.wire}
>>>> TID: [-1] [] [2016-08-04 05:34:33,683] DEBUG {org.apache.synapse.transport.http.wire} - HTTPS-Listener I/O dispatcher-1 >> "X-Forwarded-Server: wrk.esb500.wso2.com[\r][\n]" {org.apache.synapse.transport.http.wire}
>>>> TID: [-1] [] [2016-08-04 05:34:33,683] DEBUG {org.apache.synapse.transport.http.wire} - HTTPS-Listener I/O dispatcher-1 >> "X-Forwarded-For: 10.100.7.95[\r][\n]" {org.apache.synapse.transport.http.wire}
>>>> TID: [-1] [] [2016-08-04 05:34:33,683] DEBUG {org.apache.synapse.transport.http.wire} - HTTPS-Listener I/O dispatcher-1 >> "Connection: upgrade[\r][\n]" {org.apache.synapse.transport.http.wire}
>>>> TID: [-1] [] [2016-08-04 05:34:33,683] DEBUG {org.apache.synapse.transport.http.wire} - HTTPS-Listener I/O dispatcher-1 >> "Host: ssl.esb500.com[\r][\n]" {org.apache.synapse.transport.http.wire}
>>>> TID: [-1] [] [2016-08-04 05:34:33,684] DEBUG {org.apache.synapse.transport.http.wire} - HTTPS-Listener I/O dispatcher-1 >> "Authorization: Basic YWRtaW5lc2I1MDA6ZXNiNTAwQERhcw==[\r][\n]" {org.apache.synapse.transport.http.wire}
>>>> TID: [-1] [] [2016-08-04 05:34:33,684] DEBUG {org.apache.synapse.transport.http.wire} - HTTPS-Listener I/O dispatcher-1 >> "Cache-Control: no-cache[\r][\n]" {org.apache.synapse.transport.http.wire}
>>>> TID: [-1] [] [2016-08-04 05:34:33,684] DEBUG {org.apache.synapse.transport.http.wire} - HTTPS-Listener I/O dispatcher-1 >> "User-Agent: Mozilla/5.0 (X11; Linux x86_64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/48.0.2564.116 Safari/537.36[\r][\n]" {org.apache.synapse.transport.http.wire}
>>>> TID: [-1] [] [2016-08-04 05:34:33,684] DEBUG {org.apache.synapse.transport.http.wire} - HTTPS-Listener I/O dispatcher-1 >> "Postman-Token: 60dc8ef4-36b0-03bd-5841-7efad2189071[\r][\n]" {org.apache.synapse.transport.http.wire}
>>>> TID: [-1] [] [2016-08-04 05:34:33,684] DEBUG {org.apache.synapse.transport.http.wire} - HTTPS-Listener I/O dispatcher-1 >> "Accept: */*[\r][\n]" {org.apache.synapse.transport.http.wire}
>>>> TID: [-1] [] [2016-08-04 05:34:33,685] DEBUG {org.apache.synapse.transport.http.wire} - HTTPS-Listener I/O dispatcher-1 >> "Accept-Encoding: gzip, deflate, sdch[\r][\n]" {org.apache.synapse.transport.http.wire}
>>>> TID: [-1] [] [2016-08-04 05:34:33,685] DEBUG {org.apache.synapse.transport.http.wire} - HTTPS-Listener I/O dispatcher-1 >> "Accept-Language: en-US,en;q=0.8[\r][\n]" {org.apache.synapse.transport.http.wire}
>>>> TID: [-1] [] [2016-08-04 05:34:33,685] DEBUG {org.apache.synapse.transport.http.wire} - HTTPS-Listener I/O dispatcher-1 >> "[\r][\n]" {org.apache.synapse.transport.http.wire}
>>>> TID: [-1] [] [2016-08-04 05:34:33,813] DEBUG {org.apache.synapse.transport.http.wire} - HTTPS-Sender I/O dispatcher-1 << "CONNECT demo5224632.mockable.io:443 HTTP/1.1[\r][\n]" {org.apache.synapse.transport.http.wire}
>>>> TID: [-1] [] [2016-08-04 05:34:33,814] DEBUG {org.apache.synapse.transport.http.wire} - HTTPS-Sender I/O dispatcher-1 << "Host: demo5224632.mockable.io:443[\r][\n]" {org.apache.synapse.transport.http.wire}
>>>> TID: [-1] [] [2016-08-04 05:34:33,814] DEBUG {org.apache.synapse.transport.http.wire} - HTTPS-Sender I/O dispatcher-1 << "Proxy-Connection: Keep-Alive[\r][\n]" {org.apache.synapse.transport.http.wire}
>>>> TID: [-1] [] [2016-08-04 05:34:33,814] DEBUG {org.apache.synapse.transport.http.wire} - HTTPS-Sender I/O dispatcher-1 << "Proxy-Authorization: Basic c3F1aWQzdTpzcXVpZDN1[\r][\n]" {org.apache.synapse.transport.http.wire}
>>>> TID: [-1] [] [2016-08-04 05:34:33,814] DEBUG {org.apache.synapse.transport.http.wire} - HTTPS-Sender I/O dispatcher-1 << "[\r][\n]" {org.apache.synapse.transport.http.wire}
>>>> TID: [-1] [] [2016-08-04 05:34:33,874] DEBUG {org.apache.synapse.transport.http.wire} - HTTPS-Sender I/O dispatcher-1 >> "HTTP/1.1 200 Connection established[\r][\n]" {org.apache.synapse.transport.http.wire}
>>>> TID: [-1] [] [2016-08-04 05:34:33,875] DEBUG {org.apache.synapse.transport.http.wire} - HTTPS-Sender I/O dispatcher-1 >> "[\r][\n]" {org.apache.synapse.transport.http.wire}
>>>> TID: [-1] [] [2016-08-04 05:34:33,998] ERROR {org.apache.synapse.transport.passthru.TargetHandler} - I/O error: General SSLEngine problem {org.apache.synapse.transport.passthru.TargetHandler}
>>>> javax.net.ssl.SSLHandshakeException: General SSLEngine problem
>>>>     at sun.security.ssl.Handshaker.checkThrown(Handshaker.java:1431)
>>>>     at sun.security.ssl.SSLEngineImpl.checkTaskThrown(SSLEngineImpl.java:535)
>>>>     at sun.security.ssl.SSLEngineImpl.writeAppRecord(SSLEngineImpl.java:1214)
>>>>     at sun.security.ssl.SSLEngineImpl.wrap(SSLEngineImpl.java:1186)
>>>>     at javax.net.ssl.SSLEngine.wrap(SSLEngine.java:469)
>>>>     at org.apache.http.nio.reactor.ssl.SSLIOSession.doWrap(SSLIOSession.java:237)
>>>>     at org.apache.http.nio.reactor.ssl.SSLIOSession.doHandshake(SSLIOSession.java:271)
>>>>     at org.apache.http.nio.reactor.ssl.SSLIOSession.isAppInputReady(SSLIOSession.java:410)
>>>>     at org.apache.http.impl.nio.reactor.AbstractIODispatch.inputReady(AbstractIODispatch.java:119)
>>>>     at org.apache.http.impl.nio.reactor.BaseIOReactor.readable(BaseIOReactor.java:159)
>>>>     at org.apache.http.impl.nio.reactor.AbstractIOReactor.processEvent(AbstractIOReactor.java:338)
>>>>     at org.apache.http.impl.nio.reactor.AbstractIOReactor.processEvents(AbstractIOReactor.java:316)
>>>>     at org.apache.http.impl.nio.reactor.AbstractIOReactor.execute(AbstractIOReactor.java:277)
>>>>     at org.apache.http.impl.nio.reactor.BaseIOReactor.execute(BaseIOReactor.java:105)
>>>>     at org.apache.http.impl.nio.reactor.AbstractMultiworkerIOReactor$Worker.run(AbstractMultiworkerIOReactor.java:586)
>>>>     at java.lang.Thread.run(Thread.java:745)
>>>> Caused by: javax.net.ssl.SSLHandshakeException: General SSLEngine problem
>>>>     at sun.security.ssl.Alerts.getSSLException(Alerts.java:192)
>>>>     at sun.security.ssl.SSLEngineImpl.fatal(SSLEngineImpl.java:1728)
>>>>     at sun.security.ssl.Handshaker.fatalSE(Handshaker.java:304)
>>>>     at sun.security.ssl.Handshaker.fatalSE(Handshaker.java:296)
>>>>     at sun.security.ssl.ClientHandshaker.serverCertificate(ClientHandshaker.java:1506)
>>>>     at sun.security.ssl.ClientHandshaker.processMessage(ClientHandshaker.java:216)
>>>>     at sun.security.ssl.Handshaker.processLoop(Handshaker.java:979)
>>>>     at sun.security.ssl.Handshaker$1.run(Handshaker.java:919)
>>>>     at sun.security.ssl.Handshaker$1.run(Handshaker.java:916)
>>>>     at java.security.AccessController.doPrivileged(Native Method)
>>>>     at sun.security.ssl.Handshaker$DelegatedTask.run(Handshaker.java:1369)
>>>>     at org.apache.http.nio.reactor.ssl.SSLIOSession.doRunTask(SSLIOSession.java:255)
>>>>     at org.apache.http.nio.reactor.ssl.SSLIOSession.doHandshake(SSLIOSession.java:293)
>>>>     ... 9 more
>>>> Caused by: sun.security.validator.ValidatorException: PKIX path building failed: sun.security.provider.certpath.SunCertPathBuilderException: unable to find valid certification path to requested target
>>>>     at sun.security.validator.PKIXValidator.doBuild(PKIXValidator.java:387)
>>>>     at sun.security.validator.PKIXValidator.engineValidate(PKIXValidator.java:292)
>>>>     at sun.security.validator.Validator.validate(Validator.java:260)
>>>>     at sun.security.ssl.X509TrustManagerImpl.validate(X509TrustManagerImpl.java:324)
>>>>     at sun.security.ssl.X509TrustManagerImpl.checkTrusted(X509TrustManagerImpl.java:281)
>>>>     at sun.security.ssl.X509TrustManagerImpl.checkServerTrusted(X509TrustManagerImpl.java:136)
>>>>     at sun.security.ssl.ClientHandshaker.serverCertificate(ClientHandshaker.java:1493)
>>>>     ... 17 more
>>>> Caused by: sun.security.provider.certpath.SunCertPathBuilderException: unable to find valid certification path to requested target
>>>>     at sun.security.provider.certpath.SunCertPathBuilder.build(SunCertPathBuilder.java:146)
>>>>     at sun.security.provider.certpath.SunCertPathBuilder.engineBuild(SunCertPathBuilder.java:131)
>>>>     at java.security.cert.CertPathBuilder.build(CertPathBuilder.java:280)
>>>>     at sun.security.validator.PKIXValidator.doBuild(PKIXValidator.java:382)
>>>>     ... 23 more
>>>> TID: [-1234] [] [2016-08-04 05:34:34,004] WARN {org.apache.synapse.endpoints.EndpointContext} - Endpoint : AnonymousEndpoint with address https://demo5224632.mockable.io/test123 will be marked SUSPENDED as it failed {org.apache.synapse.endpoints.EndpointContext}
>>>> TID: [-1234] [] [2016-08-04 05:34:34,004] WARN {org.apache.synapse.endpoints.EndpointContext} - Suspending endpoint : AnonymousEndpoint with address https://demo5224632.mockable.io/test123 - last suspend duration was : 30000ms and current suspend duration is : 30000ms - Next retry after : Thu Aug 04 05:35:04 UTC 2016 {org.apache.synapse.endpoints.EndpointContext}
>>>> TID: [-1234] [] [2016-08-04 05:34:34,006] INFO {org.apache.synapse.mediators.builtin.LogMediator} - To: /services/SecureP1, MessageID: urn:uuid:9ee295f6-3329-4e5e-b41a-cf690d1da0f7, Direction: request, MESSAGE = Executing default 'fault' sequence, ERROR_CODE = 101500, ERROR_MESSAGE = Error in Sender, Envelope: <?xml version='1.0' encoding='utf-8'?><soapenv:Envelope xmlns:soapenv="http://schemas.xmlsoap.org/soap/envelope/"><soapenv:Body/></soapenv:Envelope> {org.apache.synapse.mediators.builtin.LogMediator}
>>>>
>>>> Cheers,
>>>> Pubudu D.P
>>>> Senior Software Engineer - QA Team | WSO2 inc.
>>>> Mobile : +94775464547
>>>> Linkedin: https://uk.linkedin.com/in/pubududp
>>>> Medium: https://medium.com/@pubududp
>>>>
>>>> _______________________________________________
>>>> Dev mailing list
>>>> Dev@wso2.org
>>>> http://wso2.org/cgi-bin/mailman/listinfo/dev
>>>>
>>>
>>> --
>>> Jagath Ariyarathne
>>> Technical Lead
>>> WSO2 Inc. http://wso2.com/
>>> Email: jaga...@wso2.com
>>> Mob : +94 77 386 7048
>>
>
> --
> Rajith Vitharana
> Senior Software Engineer,
> WSO2 Inc. : wso2.com
> Mobile : +94715883223
> Blog : http://lankavitharana.blogspot.com/
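The procedure Jagath describes (import the back-end's certificate into client-truststore.jks, on every node) and the PKIX error in Pubudu's log, as an added worked example; this is editor-supplied code, not from the thread or from WSO2's own tooling. It builds a throwaway CA and a server certificate for the hostname in the thread locally with openssl (constructed test data; nothing is fetched from mockable.io), reproduces the "unable to find valid certification path" failure against a truststore that lacks the issuer, then imports the issuing CA into a JKS truststore with keytool and checks that the alias is present. Assumptions: `openssl` and `keytool` are on PATH, the alias `mockable-ca` is made up, and `wso2carbon` is the password WSO2 ships as the default for client-truststore.jks.

```shell
#!/bin/sh
# Added example, not code from the WSO2 thread: reproduce the PKIX failure with
# locally constructed certificates, then fix it the way the thread describes by
# importing the issuing CA into a JKS truststore. Runs offline.
set -eu

WORK=$(mktemp -d)
trap 'rm -rf "$WORK"' EXIT
HOST="demo5224632.mockable.io"        # hostname from the thread; the cert is constructed here
TRUSTSTORE="$WORK/client-truststore.jks"
STOREPASS="wso2carbon"                # WSO2's shipped default; change it in production
ALIAS="mockable-ca"                   # made-up alias

# Constructed test data: a throwaway CA, a server cert it signs for $HOST, and an
# unrelated self-signed cert standing in for "whatever is already in the truststore".
make_certs() {
    openssl req -x509 -newkey rsa:2048 -nodes -days 1 -subj "/CN=Example Test CA" \
        -keyout "$WORK/ca.key" -out "$WORK/ca.pem" 2>/dev/null
    openssl req -new -newkey rsa:2048 -nodes -subj "/CN=$HOST" \
        -keyout "$WORK/server.key" -out "$WORK/server.csr" 2>/dev/null
    openssl x509 -req -days 1 -in "$WORK/server.csr" \
        -CA "$WORK/ca.pem" -CAkey "$WORK/ca.key" \
        -CAserial "$WORK/ca.srl" -CAcreateserial \
        -out "$WORK/server.pem" 2>/dev/null
    openssl req -x509 -newkey rsa:2048 -nodes -days 1 -subj "/CN=Unrelated CA" \
        -keyout "$WORK/other.key" -out "$WORK/other.pem" 2>/dev/null
}

# Path validation of the server cert against the trust anchors in $1. Succeeds
# only when openssl prints ": OK"; this is the check JSSE failed in the log with
# "unable to find valid certification path to requested target".
chain_ok() {
    openssl verify -CAfile "$1" "$WORK/server.pem" 2>/dev/null | grep -q ': OK$'
}

# Import a PEM certificate ($1) into the JKS truststore under alias $2.
# -noprompt answers the interactive "Trust this certificate?" question.
import_cert() {
    keytool -importcert -noprompt -alias "$2" -file "$1" \
        -keystore "$TRUSTSTORE" -storetype JKS -storepass "$STOREPASS" >/dev/null 2>&1
}

# keytool -list exits non-zero when the alias is absent. Run this on every node:
# each ESB node carries its own client-truststore.jks.
alias_present() {
    keytool -list -alias "$1" -keystore "$TRUSTSTORE" -storetype JKS \
        -storepass "$STOREPASS" >/dev/null 2>&1
}

demo() {
    make_certs
    if chain_ok "$WORK/other.pem"; then
        echo "unexpected: chain validated without its issuer"; return 1
    fi
    echo "truststore without the issuer: path validation fails (as in the ESB log)"
    if ! chain_ok "$WORK/ca.pem"; then
        echo "unexpected: chain did not validate with its issuer"; return 1
    fi
    echo "truststore with the issuing CA: path validation succeeds"
    if command -v keytool >/dev/null 2>&1; then
        import_cert "$WORK/ca.pem" "$ALIAS"
        alias_present "$ALIAS" || return 1
        echo "imported $ALIAS into $TRUSTSTORE; restart the ESB node to pick it up"
    else
        echo "keytool not on PATH; skipping the JKS import step"
    fi
}

demo
```

Two choices the thread leaves open. Importing the leaf certificate pins that one certificate and breaks the endpoint (it goes back to SUSPENDED) the next time the back-end rotates it; importing the issuing CA survives rotation but, for a public CA, trusts every server that CA signs, so decide which you want rather than defaulting to the leaf. And the DEBUG wire log quoted above carries the inbound `Authorization: Basic ...` and outbound `Proxy-Authorization: Basic ...` headers verbatim; Basic is base64, not encryption, so wire-level transport logs should be redacted before they are posted to a list.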