Did you apply the patch and/or use a fresh clone of the aai master branch to 
pick up the new aai certs?

Brian


-----Original Message-----
From: [email protected] <[email protected]> On Behalf Of 
TIMONEY, DAN
Sent: Wednesday, April 1, 2020 3:00 PM
To: Henry Yu <[email protected]>; [email protected]
Cc: Hesam Rahimi <[email protected]>; Gaurav agrawal 
<[email protected]>
Subject: Re: [onap-discuss] SDNC-->A&AI SSL authentication error


Henry,

Are you starting ONAP using the latest helm charts in OOM?

If not, that could be the issue.  The latest version of the helm charts uses an 
init container to generate new certs on startup via AAF - so those should never 
expire.

Dan

On 4/1/20, 1:41 PM, "Henry Yu" <[email protected]> wrote:

    According to this answer from stackoverflow [1], truststore expiry
    would cause the javax.net.ssl.SSLHandshakeException exception which we
    see. Could anyone tell us how to update truststoreONAPall.jks?
    
    Thanks,
    Henry
    
    [1] https://stackoverflow.com/questions/22253862/what-if-truststore-certificate-expires
    
    On Wed, Apr 1, 2020 at 10:39 AM Henry Yu via Lists.Onap.Org
    <[email protected]> wrote:
    >
    > Hi Dan and all,
    >
    > We are testing the SDNC changes made by the CCVPN use case on the master
    > branch. We are seeing the following error [1], which occurs when SDNC DGs try
    > to interact (i.e., read/write) with AAI. Note that this error was not there
    > before, and it started to occur a week ago.
    >
    > The error seems to be related to the certificate expiry. I noticed the
    > certificate update made in AAI
    > (https://gerrit.onap.org/r/c/aai/oom/+/104416). But it does not seem to fix
    > the problem.
    >
    > So my question is: should we also update the following truststore file in
    > SDNC:
    >
    > sdnc/oam/installation/sdnc/src/main/resources/truststoreONAPall.jks
    >
    > Do the certs in that file also have an expiry date? Our Frankfurt
    > integration testing is blocked by this issue, so any help would be greatly
    > appreciated.
    >
    > Thanks,
    > Henry
    >
    > [1]
    > 17:55:39.368 INFO [qtp446699013-295] Request Time : 2020-03-27T17:55:39.367Z, Method : PUT
    > 17:55:39.368 INFO [qtp446699013-295] Request URL : https://192.168.198.177:8443/aai/v19/network/pnfs/pnf/networkId-providerId-5555-clientId-6666-topologyId-33-nodeId-0.191.0.4/p-interfaces/p-interface/networkId-providerId-5555-clientId-6666-topologyId-33-nodeId-0.191.0.4-ltpId-16777228
    > 17:55:39.369 DEBUG [qtp446699013-295] MetricLogger requestId = 7e494f9f-e08a-4d5e-848d-9a4a2173bc9c
    > 17:55:39.371 INFO [qtp446699013-295] Input - data : {"interface-name":"networkId-providerId-5555-clientId-6666-topologyId-33-nodeId-0.191.0.4-ltpId-16777228","speed-value":"10000000","in-maint":true,"operational-status":"down"}
    > 17:55:39.371 INFO [qtp446699013-295] Invoke
    > 17:55:39.375 WARN [qtp446699013-295] AAIRequestExecutor.post
    > javax.net.ssl.SSLHandshakeException: sun.security.validator.ValidatorException: PKIX path validation failed: java.security.cert.CertPathValidatorException: validity check failed
    > at sun.security.ssl.Alerts.getSSLException(Alerts.java:192) ~[?:?]
    > at sun.security.ssl.SSLSocketImpl.fatal(SSLSocketImpl.java:1946) ~[?:?]
    > at sun.security.ssl.Handshaker.fatalSE(Handshaker.java:316) ~[?:?]
    > at sun.security.ssl.Handshaker.fatalSE(Handshaker.java:310) ~[?:?]
    > at sun.security.ssl.ClientHandshaker.serverCertificate(ClientHandshaker.java:1639) ~[?:?]
    > at sun.security.ssl.ClientHandshaker.processMessage(ClientHandshaker.java:223) ~[?:?]
    > at sun.security.ssl.Handshaker.processLoop(Handshaker.java:1037) ~[?:?]
    > at sun.security.ssl.Handshaker.process_record(Handshaker.java:965) ~[?:?]
    > at sun.security.ssl.SSLSocketImpl.readRecord(SSLSocketImpl.java:1064) ~[?:?]
    > at sun.security.ssl.SSLSocketImpl.performInitialHandshake(SSLSocketImpl.java:1367) ~[?:?]
    > at sun.security.ssl.SSLSocketImpl.startHandshake(SSLSocketImpl.java:1395) ~[?:?]
    > at sun.security.ssl.SSLSocketImpl.startHandshake(SSLSocketImpl.java:1379) ~[?:?]
    > at sun.net.www.protocol.https.HttpsClient.afterConnect(HttpsClient.java:559) ~[?:?]
    > at sun.net.www.protocol.https.AbstractDelegateHttpsURLConnection.connect(AbstractDelegateHttpsURLConnection.java:185) ~[?:?]
    > at sun.net.www.protocol.http.HttpURLConnection.getOutputStream0(HttpURLConnection.java:1340) ~[?:?]
    > at sun.net.www.protocol.http.HttpURLConnection.getOutputStream(HttpURLConnection.java:1315) ~[?:?]
    > at sun.net.www.protocol.https.HttpsURLConnectionImpl.getOutputStream(HttpsURLConnectionImpl.java:264) ~[?:?]
    > at org.onap.ccsdk.sli.adaptors.aai.AAIClientRESTExecutor.post(AAIClientRESTExecutor.java:383) [467:org.onap.ccsdk.sli.adaptors.aai-service-provider:1.0.0.SNAPSHOT]
    > at org.onap.ccsdk.sli.adaptors.aai.AAIDeclarations.newModelSave(AAIDeclarations.java:1448) [467:org.onap.ccsdk.sli.adaptors.aai-service-provider:1.0.0.SNAPSHOT]
    > at org.onap.ccsdk.sli.adaptors.aai.AAIDeclarations.save(AAIDeclarations.java:501) [467:org.onap.ccsdk.sli.adaptors.aai-service-provider:1.0.0.SNAPSHOT]
    > at org.onap.ccsdk.sli.adaptors.aai.AAIService.save(AAIService.java:1375) [467:org.onap.ccsdk.sli.adaptors.aai-service-provider:1.0.0.SNAPSHOT]
    > at sun.reflect.GeneratedMethodAccessor47.invoke(Unknown Source) ~[?:?]
    > at sun.reflect.DelegatingMethodAccessorImpl.invoke(DelegatingMethodAccessorImpl.java:43) ~[?:?]
    > at java.lang.reflect.Method.invoke(Method.java:498) ~[?:?]
    > at org.apache.aries.proxy.impl.ProxyHandler$1.invoke(ProxyHandler.java:54) [92:org.apache.aries.proxy:1.1.4]
    > at org.apache.aries.proxy.impl.ProxyHandler.invoke(ProxyHandler.java:119) [92:org.apache.aries.proxy:1.1.4]
    > at org.onap.ccsdk.sli.adaptors.aai.$AAIService1830433421.save(Unknown Source) [467:org.onap.ccsdk.sli.adaptors.aai-service-provider:1.0.0.SNAPSHOT]
    > at org.onap.ccsdk.sli.core.sli.provider.base.SaveNodeExecutor.execute(SaveNodeExecutor.java:73) [435:wrap_file__opt_opendaylight_system_org_onap_ccsdk_sli_core_sli-provider-base_1.0.0-SNAPSHOT_sli-provider-base-1.0.0-SNAPSHOT.jar:0.0.0]
    > 
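
Added example, not part of the original thread or of ONAP's code: one way to answer the question of whether the certificates in a JKS truststore such as truststoreONAPall.jks carry an expiry date, by listing every entry and applying the same validity-window check that produces "validity check failed" during PKIX path validation. The class name and the TRUSTSTORE_PASSWORD environment variable are names chosen for this example; the store password is assumed to be known to the operator.

```java
import java.io.FileInputStream;
import java.io.InputStream;
import java.security.KeyStore;
import java.security.cert.Certificate;
import java.security.cert.CertificateExpiredException;
import java.security.cert.CertificateNotYetValidException;
import java.security.cert.X509Certificate;
import java.time.Duration;
import java.util.Collections;
import java.util.Date;

// Added example: prints the validity status of every certificate in a JKS truststore.
// TRUSTSTORE_PASSWORD is a variable name chosen for this example (keeps the
// password out of the process argument list).
public class TruststoreExpiryCheck {
    public static void main(String[] args) throws Exception {
        String password = System.getenv("TRUSTSTORE_PASSWORD");
        if (args.length < 1 || password == null) {
            System.err.println("usage: TRUSTSTORE_PASSWORD=... TruststoreExpiryCheck <truststore.jks> [warnDays]");
            System.exit(2);
        }
        int warnDays = args.length > 1 ? Integer.parseInt(args[1]) : 30;
        Date now = new Date();
        Date warnAt = Date.from(now.toInstant().plus(Duration.ofDays(warnDays)));

        KeyStore ks = KeyStore.getInstance("JKS");
        try (InputStream in = new FileInputStream(args[0])) {
            ks.load(in, password.toCharArray());
        }

        int invalid = 0;
        for (String alias : Collections.list(ks.aliases())) {
            Certificate cert = ks.getCertificate(alias);
            if (!(cert instanceof X509Certificate)) continue;
            X509Certificate x509 = (X509Certificate) cert;
            String status;
            try {
                // The same notBefore/notAfter test that fails during PKIX path validation.
                x509.checkValidity(now);
                status = x509.getNotAfter().before(warnAt) ? "EXPIRING" : "OK";
            } catch (CertificateExpiredException | CertificateNotYetValidException e) {
                status = e instanceof CertificateExpiredException ? "EXPIRED" : "NOT_YET_VALID";
                invalid++;
            }
            System.out.printf("%-13s alias=%s notAfter=%s subject=%s%n", status, alias,
                    x509.getNotAfter().toInstant(), x509.getSubjectX500Principal().getName());
        }
        System.exit(invalid == 0 ? 0 : 1); // non-zero exit when any entry is outside its validity window
    }
}
```

The validity check applies to every certificate in the path, so an expired certificate presented by the server raises the same exception even when all truststore entries report OK.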
    




