On Mon, Aug 8, 2016 at 11:14 AM, Pubudu Priyashan <[email protected]> wrote:

> Hi Jagath,
>
> So when we do that, it requires the user to restart the server every time
> they add a new https endpoint to add the keys to client-truststore. In
> production environments, this is not convenient and will have to go through
> a long process to add a key to the truststore since it requires a server
> restart. Are there any better approaches we can think of to overcome this
> without having to restart the servers when we add new https endpoints?
>
You can use dynamic SSL support [1].
[1]
https://docs.wso2.com/display/ESB500/Multi-HTTPS+Transport#Multi-HTTPSTransport-DynamicSSLprofiles

>
> Cheers,
>
> Pubudu D.P
> Senior Software Engineer - QA Team | WSO2 inc.
> Mobile : +94775464547
>
> Linkedin: https://uk.linkedin.com/in/pubududp
> Medium: https://medium.com/@pubududp
>
>
> On Mon, Aug 8, 2016 at 10:55 AM, Jagath Sisirakumara Ariyarathne <
> [email protected]> wrote:
>
>> Hi Pubudu,
>>
>> Whenever you access a Https endpoint, you have to import back-end's
>> certificate to client-truststore. That is the default requirement if you
>> are using SSL between back-end and ESB.
>>
>> Thanks.
>>
>> On Mon, Aug 8, 2016 at 10:13 AM, Pubudu Priyashan <[email protected]>
>> wrote:
>>
>>> Hi ESB team,
>>>
>>> I have observed the following behaviour when invoking a secure proxy in
>>> a clustered setup which calls an external http endpoint [1] with ESB 5.0.0
>>> (Tested with RC1). Can you please inform if this behaviour is correct or
>>> are there any alternative methods?
>>>
>>> I have a secure proxy in my ESB cluster where it calls an external https
>>> endpoint [1]. When I invoked this in a single node in my local machine, it
>>> returned the response as expected. When I created the same secure proxy in
>>> a Cluster, I received this error [2]. I was able to get rid of this error
>>> by adding the certificate of the endpoint to client-truststore.jks file of
>>> each ESB node of the cluster.
>>>
>>> My question is, is this behaviour correct? Should we have to always add
>>> the https endpoint certificate every time we need to use an external
>>> endpoint in a secure proxy? Or is there another approach where we don't
>>> have to do this and not required to add the keys to client-truststore.jks
>>> and restart ESB nodes? This might not be convenient if we have a lot of
>>> https endpoints being called via a secure proxy in ESB. Can you please
>>> advise?
>>>
>>> Thanks!
>>>
>>> [1] https://demo5224632.mockable.io/test123
>>>
>>> [2] Exception in ESB worker node:-
>>>
>>> TID: [-1] [] [2016-08-04 05:34:33,682] DEBUG {org.apache.synapse.transport.http.wire} -  HTTPS-Listener I/O dispatcher-1 >> "GET /services/SecureP1 HTTP/1.1[\r][\n]" {org.apache.synapse.transport.http.wire}
>>> TID: [-1] [] [2016-08-04 05:34:33,683] DEBUG {org.apache.synapse.transport.http.wire} -  HTTPS-Listener I/O dispatcher-1 >> "X-Forwarded-Host: wrk.esb500.wso2.com[\r][\n]" {org.apache.synapse.transport.http.wire}
>>> TID: [-1] [] [2016-08-04 05:34:33,683] DEBUG {org.apache.synapse.transport.http.wire} -  HTTPS-Listener I/O dispatcher-1 >> "X-Forwarded-Server: wrk.esb500.wso2.com[\r][\n]" {org.apache.synapse.transport.http.wire}
>>> TID: [-1] [] [2016-08-04 05:34:33,683] DEBUG {org.apache.synapse.transport.http.wire} -  HTTPS-Listener I/O dispatcher-1 >> "X-Forwarded-For: 10.100.7.95[\r][\n]" {org.apache.synapse.transport.http.wire}
>>> TID: [-1] [] [2016-08-04 05:34:33,683] DEBUG {org.apache.synapse.transport.http.wire} -  HTTPS-Listener I/O dispatcher-1 >> "Connection: upgrade[\r][\n]" {org.apache.synapse.transport.http.wire}
>>> TID: [-1] [] [2016-08-04 05:34:33,683] DEBUG {org.apache.synapse.transport.http.wire} -  HTTPS-Listener I/O dispatcher-1 >> "Host: ssl.esb500.com[\r][\n]" {org.apache.synapse.transport.http.wire}
>>> TID: [-1] [] [2016-08-04 05:34:33,684] DEBUG {org.apache.synapse.transport.http.wire} -  HTTPS-Listener I/O dispatcher-1 >> "Authorization: Basic YWRtaW5lc2I1MDA6ZXNiNTAwQERhcw==[\r][\n]" {org.apache.synapse.transport.http.wire}
>>> TID: [-1] [] [2016-08-04 05:34:33,684] DEBUG {org.apache.synapse.transport.http.wire} -  HTTPS-Listener I/O dispatcher-1 >> "Cache-Control: no-cache[\r][\n]" {org.apache.synapse.transport.http.wire}
>>> TID: [-1] [] [2016-08-04 05:34:33,684] DEBUG {org.apache.synapse.transport.http.wire} -  HTTPS-Listener I/O dispatcher-1 >> "User-Agent: Mozilla/5.0 (X11; Linux x86_64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/48.0.2564.116 Safari/537.36[\r][\n]" {org.apache.synapse.transport.http.wire}
>>> TID: [-1] [] [2016-08-04 05:34:33,684] DEBUG {org.apache.synapse.transport.http.wire} -  HTTPS-Listener I/O dispatcher-1 >> "Postman-Token: 60dc8ef4-36b0-03bd-5841-7efad2189071[\r][\n]" {org.apache.synapse.transport.http.wire}
>>> TID: [-1] [] [2016-08-04 05:34:33,684] DEBUG {org.apache.synapse.transport.http.wire} -  HTTPS-Listener I/O dispatcher-1 >> "Accept: */*[\r][\n]" {org.apache.synapse.transport.http.wire}
>>> TID: [-1] [] [2016-08-04 05:34:33,685] DEBUG {org.apache.synapse.transport.http.wire} -  HTTPS-Listener I/O dispatcher-1 >> "Accept-Encoding: gzip, deflate, sdch[\r][\n]" {org.apache.synapse.transport.http.wire}
>>> TID: [-1] [] [2016-08-04 05:34:33,685] DEBUG {org.apache.synapse.transport.http.wire} -  HTTPS-Listener I/O dispatcher-1 >> "Accept-Language: en-US,en;q=0.8[\r][\n]" {org.apache.synapse.transport.http.wire}
>>> TID: [-1] [] [2016-08-04 05:34:33,685] DEBUG {org.apache.synapse.transport.http.wire} -  HTTPS-Listener I/O dispatcher-1 >> "[\r][\n]" {org.apache.synapse.transport.http.wire}
>>> TID: [-1] [] [2016-08-04 05:34:33,813] DEBUG {org.apache.synapse.transport.http.wire} -  HTTPS-Sender I/O dispatcher-1 << "CONNECT demo5224632.mockable.io:443 HTTP/1.1[\r][\n]" {org.apache.synapse.transport.http.wire}
>>> TID: [-1] [] [2016-08-04 05:34:33,814] DEBUG {org.apache.synapse.transport.http.wire} -  HTTPS-Sender I/O dispatcher-1 << "Host: demo5224632.mockable.io:443[\r][\n]" {org.apache.synapse.transport.http.wire}
>>> TID: [-1] [] [2016-08-04 05:34:33,814] DEBUG {org.apache.synapse.transport.http.wire} -  HTTPS-Sender I/O dispatcher-1 << "Proxy-Connection: Keep-Alive[\r][\n]" {org.apache.synapse.transport.http.wire}
>>> TID: [-1] [] [2016-08-04 05:34:33,814] DEBUG {org.apache.synapse.transport.http.wire} -  HTTPS-Sender I/O dispatcher-1 << "Proxy-Authorization: Basic c3F1aWQzdTpzcXVpZDN1[\r][\n]" {org.apache.synapse.transport.http.wire}
>>> TID: [-1] [] [2016-08-04 05:34:33,814] DEBUG {org.apache.synapse.transport.http.wire} -  HTTPS-Sender I/O dispatcher-1 << "[\r][\n]" {org.apache.synapse.transport.http.wire}
>>> TID: [-1] [] [2016-08-04 05:34:33,874] DEBUG {org.apache.synapse.transport.http.wire} -  HTTPS-Sender I/O dispatcher-1 >> "HTTP/1.1 200 Connection established[\r][\n]" {org.apache.synapse.transport.http.wire}
>>> TID: [-1] [] [2016-08-04 05:34:33,875] DEBUG {org.apache.synapse.transport.http.wire} -  HTTPS-Sender I/O dispatcher-1 >> "[\r][\n]" {org.apache.synapse.transport.http.wire}
>>> TID: [-1] [] [2016-08-04 05:34:33,998] ERROR {org.apache.synapse.transport.passthru.TargetHandler} -  I/O error: General SSLEngine problem {org.apache.synapse.transport.passthru.TargetHandler}
>>> javax.net.ssl.SSLHandshakeException: General SSLEngine problem
>>>     at sun.security.ssl.Handshaker.checkThrown(Handshaker.java:1431)
>>>     at sun.security.ssl.SSLEngineImpl.checkTaskThrown(SSLEngineImpl.java:535)
>>>     at sun.security.ssl.SSLEngineImpl.writeAppRecord(SSLEngineImpl.java:1214)
>>>     at sun.security.ssl.SSLEngineImpl.wrap(SSLEngineImpl.java:1186)
>>>     at javax.net.ssl.SSLEngine.wrap(SSLEngine.java:469)
>>>     at org.apache.http.nio.reactor.ssl.SSLIOSession.doWrap(SSLIOSession.java:237)
>>>     at org.apache.http.nio.reactor.ssl.SSLIOSession.doHandshake(SSLIOSession.java:271)
>>>     at org.apache.http.nio.reactor.ssl.SSLIOSession.isAppInputReady(SSLIOSession.java:410)
>>>     at org.apache.http.impl.nio.reactor.AbstractIODispatch.inputReady(AbstractIODispatch.java:119)
>>>     at org.apache.http.impl.nio.reactor.BaseIOReactor.readable(BaseIOReactor.java:159)
>>>     at org.apache.http.impl.nio.reactor.AbstractIOReactor.processEvent(AbstractIOReactor.java:338)
>>>     at org.apache.http.impl.nio.reactor.AbstractIOReactor.processEvents(AbstractIOReactor.java:316)
>>>     at org.apache.http.impl.nio.reactor.AbstractIOReactor.execute(AbstractIOReactor.java:277)
>>>     at org.apache.http.impl.nio.reactor.BaseIOReactor.execute(BaseIOReactor.java:105)
>>>     at org.apache.http.impl.nio.reactor.AbstractMultiworkerIOReactor$Worker.run(AbstractMultiworkerIOReactor.java:586)
>>>     at java.lang.Thread.run(Thread.java:745)
>>> Caused by: javax.net.ssl.SSLHandshakeException: General SSLEngine problem
>>>     at sun.security.ssl.Alerts.getSSLException(Alerts.java:192)
>>>     at sun.security.ssl.SSLEngineImpl.fatal(SSLEngineImpl.java:1728)
>>>     at sun.security.ssl.Handshaker.fatalSE(Handshaker.java:304)
>>>     at sun.security.ssl.Handshaker.fatalSE(Handshaker.java:296)
>>>     at sun.security.ssl.ClientHandshaker.serverCertificate(ClientHandshaker.java:1506)
>>>     at sun.security.ssl.ClientHandshaker.processMessage(ClientHandshaker.java:216)
>>>     at sun.security.ssl.Handshaker.processLoop(Handshaker.java:979)
>>>     at sun.security.ssl.Handshaker$1.run(Handshaker.java:919)
>>>     at sun.security.ssl.Handshaker$1.run(Handshaker.java:916)
>>>     at java.security.AccessController.doPrivileged(Native Method)
>>>     at sun.security.ssl.Handshaker$DelegatedTask.run(Handshaker.java:1369)
>>>     at org.apache.http.nio.reactor.ssl.SSLIOSession.doRunTask(SSLIOSession.java:255)
>>>     at org.apache.http.nio.reactor.ssl.SSLIOSession.doHandshake(SSLIOSession.java:293)
>>>     ... 9 more
>>> Caused by: sun.security.validator.ValidatorException: PKIX path building failed: sun.security.provider.certpath.SunCertPathBuilderException: unable to find valid certification path to requested target
>>>     at sun.security.validator.PKIXValidator.doBuild(PKIXValidator.java:387)
>>>     at sun.security.validator.PKIXValidator.engineValidate(PKIXValidator.java:292)
>>>     at sun.security.validator.Validator.validate(Validator.java:260)
>>>     at sun.security.ssl.X509TrustManagerImpl.validate(X509TrustManagerImpl.java:324)
>>>     at sun.security.ssl.X509TrustManagerImpl.checkTrusted(X509TrustManagerImpl.java:281)
>>>     at sun.security.ssl.X509TrustManagerImpl.checkServerTrusted(X509TrustManagerImpl.java:136)
>>>     at sun.security.ssl.ClientHandshaker.serverCertificate(ClientHandshaker.java:1493)
>>>     ... 17 more
>>> Caused by: sun.security.provider.certpath.SunCertPathBuilderException: unable to find valid certification path to requested target
>>>     at sun.security.provider.certpath.SunCertPathBuilder.build(SunCertPathBuilder.java:146)
>>>     at sun.security.provider.certpath.SunCertPathBuilder.engineBuild(SunCertPathBuilder.java:131)
>>>     at java.security.cert.CertPathBuilder.build(CertPathBuilder.java:280)
>>>     at sun.security.validator.PKIXValidator.doBuild(PKIXValidator.java:382)
>>>     ... 23 more
>>> TID: [-1234] [] [2016-08-04 05:34:34,004]  WARN {org.apache.synapse.endpoints.EndpointContext} -  Endpoint : AnonymousEndpoint with address https://demo5224632.mockable.io/test123 will be marked SUSPENDED as it failed {org.apache.synapse.endpoints.EndpointContext}
>>> TID: [-1234] [] [2016-08-04 05:34:34,004]  WARN {org.apache.synapse.endpoints.EndpointContext} -  Suspending endpoint : AnonymousEndpoint with address https://demo5224632.mockable.io/test123 - last suspend duration was : 30000ms and current suspend duration is : 30000ms - Next retry after : Thu Aug 04 05:35:04 UTC 2016 {org.apache.synapse.endpoints.EndpointContext}
>>> TID: [-1234] [] [2016-08-04 05:34:34,006]  INFO {org.apache.synapse.mediators.builtin.LogMediator} -  To: /services/SecureP1, MessageID: urn:uuid:9ee295f6-3329-4e5e-b41a-cf690d1da0f7, Direction: request, MESSAGE = Executing default 'fault' sequence, ERROR_CODE = 101500, ERROR_MESSAGE = Error in Sender, Envelope: <?xml version='1.0' encoding='utf-8'?><soapenv:Envelope xmlns:soapenv="http://schemas.xmlsoap.org/soap/envelope/"><soapenv:Body/></soapenv:Envelope> {org.apache.synapse.mediators.builtin.LogMediator}
>>>
>>> Cheers,
>>> Pubudu D.P
>>> Senior Software Engineer - QA Team | WSO2 inc.
>>> Mobile : +94775464547
>>>
>>> Linkedin: https://uk.linkedin.com/in/pubududp
>>> Medium: https://medium.com/@pubududp
>>>
>>>
>>> _______________________________________________
>>> Dev mailing list
>>> [email protected]
>>> http://wso2.org/cgi-bin/mailman/listinfo/dev
>>>
>>>
>>
>>
>> --
>> Jagath Ariyarathne
>> Technical Lead
>> WSO2 Inc.  http://wso2.com/
>> Email: [email protected]
>> Mob  : +94 77 386 7048
>> <http://wso2.com/signature>
>>
>
>
>
>


-- 
Senduran
Senior Software Engineer,
WSO2, Inc.; http://wso2.com/
Mobile: +94 77 952 6548
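Worked configuration for the dynamic SSL profile route Senduran points to, added here as an example; it is not from the thread and not copied from the WSO2 docs. The element names follow the Multi-HTTPS transport page linked above as I remember it, so check them against that page before use. The file paths, the store names, the store passwords (the stock wso2carbon default) and the re-read interval are assumptions for illustration; the profile host is the backend from Pubudu's log.

```xml
<!-- repository/conf/axis2/axis2.xml, inside the https transportSender.
     Path and interval are assumed values. -->
<parameter name="dynamicSSLProfilesConfig">
    <filePath>repository/resources/security/sslprofiles.xml</filePath>
    <!-- how often (ms) the sender re-reads sslprofiles.xml: 10 minutes -->
    <fileReadInterval>600000</fileReadInterval>
</parameter>

<!-- repository/resources/security/sslprofiles.xml: one <profile> per set of
     backend host:port entries. The trust store it names must already hold
     the backend's certificate or its issuing CA; backend-truststore.jks is
     an assumed, separate store so the stock client-truststore.jks stays
     untouched. Store names and passwords are the stock defaults. -->
<parameter name="customSSLProfiles">
    <profile>
        <servers>demo5224632.mockable.io:443</servers>
        <KeyStore>
            <Location>repository/resources/security/wso2carbon.jks</Location>
            <Type>JKS</Type>
            <Password>wso2carbon</Password>
            <KeyPassword>wso2carbon</KeyPassword>
        </KeyStore>
        <TrustStore>
            <Location>repository/resources/security/backend-truststore.jks</Location>
            <Type>JKS</Type>
            <Password>wso2carbon</Password>
        </TrustStore>
    </profile>
</parameter>
```

Two caveats a practitioner will want. First, the import step does not go away: the store the profile names still has to contain the backend's certificate (or its CA) before the profile is reloaded, and the PKIX "unable to find valid certification path" error in the log is the trust manager doing exactly what it should until that is true. What changes is that editing sslprofiles.xml and the store is picked up on the next fileReadInterval instead of on a restart. Second, each worker node reads its own copy of the file, so in a cluster the profile file and the trust store have to reach every node (shared storage or deployment tooling), just as the per-node client-truststore.jks edits did. Keep that trust store limited to the backends you actually call rather than pointing it at a permissive store, and leave hostname verification on the sender as it is.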
