Hi Sebastien,
Yes, we did manually include the DMAAP certificate into Policy drools trust
store and it resolved that issue.
The issue is with the CLAMP backend. It is not able to interact with Policy
PAP and it fails with SSH certificate validation.
I guess CLAMP backed is not able to ignore the SSL certificate exception
and proceed further. I tried to pass the following java arguments but the
same issue persists.
Is there a way to bypass this one to make Dublin CL to work.
Thanks & Regards
Vivek
*~/oom/kubernetes$ git diff clamp/templates/deployment.yaml*diff --git
a/kubernetes/clamp/templates/deployment.yaml
b/kubernetes/clamp/templates/deployment.yaml
index 4e6d1d13..f672e555 100644
--- a/kubernetes/clamp/templates/deployment.yaml
+++ b/kubernetes/clamp/templates/deployment.yaml
@@ -64,7 +64,8 @@ spec:
imagePullPolicy: {{ .Values.global.pullPolicy | default
.Values.pullPolicy }}
args:
- "-Dcom.att.eelf.logging.file=file:/opt/clamp/logback.xml"
- - ""
+ - "-*Dcom.sun.net.ssl.checkRevocation=false*"
+ - "*-Dtrust_all_cert=true*"
ports:
- containerPort: {{ .Values.service.internalPort }}
# disable liveness probe when breakpoints set in debugger
*CLAMP Logs*
08:57:12.323 [https-jsse-nio-8443-exec-5] DEBUG
org.apache.http.impl.conn.BasicHttpClientConnectionManager - Get connection
for route {s}->https://policy-pap.onap:6969
08:57:12.323 [https-jsse-nio-8443-exec-5] DEBUG
org.apache.http.impl.conn.BasicHttpClientConnectionManager - Get connection
for route {s}->https://policy-pap.onap:6969
08:57:12.323 [https-jsse-nio-8443-exec-5] DEBUG
org.apache.http.impl.conn.DefaultManagedHttpClientConnection -
http-outgoing-225: set socket timeout to 0
08:57:12.323 [https-jsse-nio-8443-exec-5] DEBUG
org.apache.http.impl.conn.DefaultManagedHttpClientConnection -
http-outgoing-225: set socket timeout to 0
08:57:12.323 [https-jsse-nio-8443-exec-5] DEBUG
org.apache.http.impl.execchain.MainClientExec - Opening connection {s}->
https://policy-pap.onap:6969
08:57:12.323 [https-jsse-nio-8443-exec-5] DEBUG
org.apache.http.impl.execchain.MainClientExec - Opening connection {s}->
https://policy-pap.onap:6969
08:57:12.324 [https-jsse-nio-8443-exec-5] DEBUG
org.apache.http.impl.conn.DefaultHttpClientConnectionOperator - Connecting
to policy-pap.onap/10.43.6.89:6969
08:57:12.324 [https-jsse-nio-8443-exec-5] DEBUG
org.apache.http.impl.conn.DefaultHttpClientConnectionOperator - Connecting
to policy-pap.onap/10.43.6.89:6969
08:57:12.342 [https-jsse-nio-8443-exec-5] DEBUG
org.apache.http.impl.conn.DefaultManagedHttpClientConnection -
http-outgoing-225: Shutdown connection
08:57:12.342 [https-jsse-nio-8443-exec-5] DEBUG
org.apache.http.impl.conn.DefaultManagedHttpClientConnection -
http-outgoing-225: Shutdown connection
08:57:12.342 [https-jsse-nio-8443-exec-5] DEBUG
org.apache.http.impl.execchain.MainClientExec - Connection discarded
08:57:12.342 [https-jsse-nio-8443-exec-5] DEBUG
org.apache.http.impl.execchain.MainClientExec - Connection discarded
08:57:12.342 [https-jsse-nio-8443-exec-5] DEBUG
org.apache.http.impl.conn.BasicHttpClientConnectionManager - Releasing
connection [Not bound]
08:57:12.342 [https-jsse-nio-8443-exec-5] DEBUG
org.apache.http.impl.conn.BasicHttpClientConnectionManager - Releasing
connection [Not bound]
08:57:12.342 [https-jsse-nio-8443-exec-5] DEBUG
org.apache.camel.processor.Pipeline - Message exchange has failed: so
breaking out of pipeline for exchange:
Exchange[ID-dev-clamp-clamp-697b889c49-8tf5n-1613629368511-0-412]
Exception: javax.net.ssl.SSLHandshakeException:
sun.security.validator.ValidatorException: PKIX path validation failed:
java.security.cert.CertPathValidatorException: validity check failed
08:57:12.342 [https-jsse-nio-8443-exec-5] DEBUG
org.apache.camel.processor.Pipeline - Message exchange has failed: so
breaking out of pipeline for exchange:
Exchange[ID-dev-clamp-clamp-697b889c49-8tf5n-1613629368511-0-412]
Exception: javax.net.ssl.SSLHandshakeException:
sun.security.validator.ValidatorException: PKIX path validation failed:
java.security.cert.CertPathValidatorException: validity check failed
08:57:12.342 [https-jsse-nio-8443-exec-5] DEBUG
org.apache.camel.processor.MulticastProcessor - Message exchange has
failed: Sequential processing failed for number 1 for exchange:
Exchange[ID-dev-clamp-clamp-697b889c49-8tf5n-1613629368511-0-412]
Exception: javax.net.ssl.SSLHandshakeException:
sun.security.validator.ValidatorException: PKIX path validation failed:
java.security.cert.CertPathValidatorException: validity check failed
08:57:12.342 [https-jsse-nio-8443-exec-5] DEBUG
org.apache.camel.processor.MulticastProcessor - Message exchange has
failed: Sequential processing failed for number 1 for exchange:
Exchange[ID-dev-clamp-clamp-697b889c49-8tf5n-1613629368511-0-412]
Exception: javax.net.ssl.SSLHandshakeException:
sun.security.validator.ValidatorException: PKIX path validation failed:
java.security.cert.CertPathValidatorException: validity check failed
08:57:12.342 [https-jsse-nio-8443-exec-5] INFO
remove-all-policy-from-active-pdp-group - Endpoint to delete policy from
PDP Group:
https4://policy-pap.onap:6969/pdps/policies/tca_k8s_dcae1_v1_0_vFWCL_vPKG23ec14e8-ae1b0_tca_dublin/versions/1.0.0
08:57:12.343 [https-jsse-nio-8443-exec-5] DEBUG
org.apache.camel.spring.SpringCamelContext - Loading component JSON Schema
for: https4 using class resolver:
org.apache.camel.impl.DefaultClassResolver@cdb2d95 ->
org.springframework.boot.loader.jar.ZipInflaterInputStream@68c5fbe0
08:57:12.343 [https-jsse-nio-8443-exec-5] DEBUG
org.apache.camel.spring.SpringCamelContext - Loading component JSON Schema
for: https4 using class resolver:
org.apache.camel.impl.DefaultClassResolver@cdb2d95 ->
org.springframework.boot.loader.jar.ZipInflaterInputStream@68c5fbe0
08:57:12.345 [https-jsse-nio-8443-exec-5] DEBUG
org.apache.camel.spring.SpringCamelContext - Loading component JSON Schema
for: https4 using class resolver:
org.apache.camel.impl.DefaultClassResolver@cdb2d95 ->
org.springframework.boot.loader.jar.ZipInflaterInputStream@5ed719c
08:57:12.345 [https-jsse-nio-8443-exec-5] DEBUG
org.apache.camel.spring.SpringCamelContext - Loading component JSON Schema
for: https4 using class resolver:
org.apache.camel.impl.DefaultClassResolver@cdb2d95 ->
org.springframework.boot.loader.jar.ZipInflaterInputStream@5ed719c
*Policy PAP SSL Certificate*
$ echo "" | openssl s_client -showcerts -connect 10.43.6.89:6969
2>/dev/null | openssl x509 -inform pem -noout -text
Certificate:
Data:
Version: 3 (0x2)
Serial Number: 6453580827895746706 (0x598fb99207ff5092)
Signature Algorithm: sha256WithRSAEncryption
Issuer: C = US, O = ONAP, OU = OSAAF, CN = intermediateCA_9
Validity
Not Before: Apr 15 22:02:48 2019 GMT
Not After : Apr 15 22:02:48 2020 GMT
Subject: CN = policy, emailAddress = , OU = [email protected],
OU = OSAAF, O = ONAP, C = US
Subject Public Key Info:
Public Key Algorithm: rsaEncryption
RSA Public-Key: (2048 bit)
Modulus:
00:ac:5c:11:e7:e5:1b:2e:0d:2b:22:ea:bf:85:7f:
b7:93:84:ad:d2:22:9f:55:50:0a:ce:29:81:b4:21:
db:0e:8e:dc:bf:aa:f3:a5:13:6a:a2:96:6b:24:6e:
3c:79:db:1d:ab:90:5a:6f:6b:1b:47:ee:33:81:9e:
f6:c6:5a:c4:07:0f:7f:93:c4:dd:fa:b0:e0:ca:05:
46:d4:e1:7d:35:6f:3e:f0:a2:17:6c:15:e2:b7:31:
df:11:29:e1:8a:6e:f4:27:c3:cd:4c:9f:c2:52:af:
80:17:14:a5:ea:6b:a8:d0:94:53:4b:bf:16:77:69:
30:bd:81:5d:67:77:d3:16:3a:91:bc:bd:38:9b:8c:
42:34:26:3d:51:ae:c5:bc:18:a8:47:22:49:63:31:
ef:7c:53:6d:06:50:ec:9f:00:ca:29:7f:11:eb:87:
e3:cb:67:9a:7d:a4:41:17:d2:4b:4a:8c:b3:34:b9:
de:33:a8:27:f9:a3:1a:c2:0f:9d:72:e3:1c:a5:79:
0d:2f:52:83:ef:9b:17:b0:6f:6f:7c:4e:51:75:ce:
dc:6d:f5:96:e9:50:f6:47:c8:51:c3:51:1f:5b:9c:
f3:db:5d:23:0d:49:1b:a1:83:82:5a:90:85:8c:32:
9f:f3:fb:68:9c:67:37:b5:4a:1a:24:d3:f7:a8:59:
d6:a1
Exponent: 65537 (0x10001)
X509v3 extensions:
X509v3 Basic Constraints:
CA:FALSE
X509v3 Key Usage: critical
Digital Signature, Non Repudiation, Key Encipherment
X509v3 Extended Key Usage: critical
TLS Web Server Authentication, TLS Web Client Authentication
X509v3 Authority Key Identifier:
keyid:81:F7:99:5B:10:B9:C8:8C:DE:F3:52:5E:EA:4E:69:A0:43:3E:AC:DD
DirName:/OU=OSAAF/O=ONAP/C=US
serial:07
X509v3 Subject Key Identifier:
4E:95:D6:FA:CC:2A:16:C5:89:34:67:C1:55:35:36:B1:0B:50:B2:E0
X509v3 Subject Alternative Name:
DNS:policy, DNS:*.pdp, DNS:*.pdp.onap.svc.cluster.local,
DNS:brmsgw, DNS:brmsgw.onap, DNS:drools, DNS:drools.onap, DNS:pap,
DNS:pap.onap, DNS:pdp, DNS:pdp.onap, DNS:policy-apex-pdp,
DNS:policy-apex-pdp.onap, DNS:policy-api, DNS:policy-api.onap,
DNS:policy-distribution, DNS:policy-distribution.onap, DNS:policy-pap,
DNS:policy-pap.onap, DNS:policy-xacml-pdp, DNS:policy-xacml-pdp.onap, DNS:
policy.api.simpledemo.onap.org
Signature Algorithm: sha256WithRSAEncryption
8c:27:99:b2:08:db:b1:68:18:03:7e:e2:e1:37:4d:5c:48:5b:
e5:ad:02:33:f2:9a:cd:44:e6:b8:82:84:0f:d2:44:66:55:3c:
8d:ea:a5:39:45:ec:63:5c:aa:51:dd:9a:a5:f6:2d:cc:f4:8a:
f4:1e:fd:d9:30:a7:9b:b0:0a:f2:7b:ae:d1:c4:2b:c6:1f:d0:
99:e6:ef:23:f2:7a:07:cb:f5:5e:6c:36:15:27:4a:a2:24:88:
51:af:0b:c4:99:0b:bd:1c:c1:96:6c:04:3d:25:c9:fe:f8:07:
aa:b5:d7:a0:f7:79:09:99:a6:f4:7c:55:f1:a7:85:4b:f3:bf:
9f:ea:ec:0c:e9:7f:e8:28:b8:45:5c:b4:9a:19:f7:2f:d9:01:
83:5e:92:0a:26:39:d6:07:27:fb:8e:05:39:d1:a8:7a:f1:ce:
b6:ab:e5:f1:3b:04:bc:1e:3d:06:87:41:6b:45:5a:0b:a9:c5:
5d:47:6e:85:a8:8f:d8:92:37:cb:fd:7a:95:60:6f:dd:19:b5:
d1:74:66:03:46:69:44:32:4a:9d:e2:05:23:c2:89:ff:64:4b:
81:41:28:05:eb:4f:c4:14:67:58:9f:33:c6:27:3c:52:07:ac:
76:ec:71:fb:54:47:e0:75:df:b5:8b:cc:ee:b3:95:ca:18:b4:
8b:ae:25:65
On Fri, Feb 19, 2021 at 2:09 PM Determe, Sebastien <
[email protected]> wrote:
> Hi,
>
> This log is not from clamp, it’s from policy right ?
>
> I guess the issue is the expiration of the https message-router server
> certificate (NotAfter: Mon May 04 00:36:24 GMT 2020), meaning its down
> since a while ☹
>
>
>
> Seb
>
>
>
> *From:* Vivekanandan Muthukrishnan <[email protected]>
> *Sent:* 19 February 2021 07:51
> *To:* Determe, Sebastien <[email protected]>
> *Cc:* [email protected]
> *Subject:* Re: [onap-discuss] CLAMP org.onap.clamp.p12 certifcate expired
>
>
>
> Hi Sebastien,
>
>
>
> It seems like the issue is coming from Policy drools.
>
>
>
> Here are the exceptions while communicating with the message router.
>
>
>
> [2021-02-19T06:49:54.677+00:00|INFO|CambriaSimplerBatchPublisher|pool-4-thread-1]
> sending 3 msgs to /events/POLICY-PDP-PAP. Oldest: 262654 ms
> [2021-02-19T06:49:54.677+00:00|WARN|HostSelector|pool-4-thread-1] All
> hosts were blacklisted; reverting to full set of hosts.
> [2021-02-19T06:49:54.677+00:00|INFO|HttpClient|pool-4-thread-1] POST
> https://message-router:3905/events/POLICY-PDP-PAP
> <https://urldefense.com/v3/__https:/message-router:3905/events/POLICY-PDP-PAP__;!!BhdT!3QOBrhycbaHf03o5M_bOu01osfXYRJBllreWDwuYVNh9M8fOh41pqiFwK0vnOYsQEli52VE$>
> (anonymous) ...
> [2021-02-19T06:49:54.686+00:00|WARN|HttpClient|pool-4-thread-1] Error
> executing HTTP request. sun.security.validator.ValidatorException: PKIX
> path validation failed: java.security.cert.CertPathValidatorException:
> validity check failed; blacklisting for 2 minutes
> [2021-02-19T06:49:54.687+00:00|WARN|CambriaSimplerBatchPublisher|pool-4-thread-1]
> sun.security.validator.ValidatorException: PKIX path validation failed:
> java.security.cert.CertPathValidatorException: validity check failed
> javax.net.ssl.SSLHandshakeException:
> sun.security.validator.ValidatorException: PKIX path validation failed:
> java.security.cert.CertPathValidatorException: validity check failed
> at sun.security.ssl.Alerts.getSSLException(Alerts.java:192)
> at sun.security.ssl.SSLSocketImpl.fatal(SSLSocketImpl.java:1946)
> at sun.security.ssl.Handshaker.fatalSE(Handshaker.java:316)
> at sun.security.ssl.Handshaker.fatalSE(Handshaker.java:310)
> at
> sun.security.ssl.ClientHandshaker.serverCertificate(ClientHandshaker.java:1639)
> at
> sun.security.ssl.ClientHandshaker.processMessage(ClientHandshaker.java:223)
> at sun.security.ssl.Handshaker.processLoop(Handshaker.java:1037)
> at sun.security.ssl.Handshaker.process_record(Handshaker.java:965)
> at sun.security.ssl.SSLSocketImpl.readRecord(SSLSocketImpl.java:1064)
> at
> sun.security.ssl.SSLSocketImpl.performInitialHandshake(SSLSocketImpl.java:1367)
> at sun.security.ssl.SSLSocketImpl.startHandshake(SSLSocketImpl.java:1395)
> at sun.security.ssl.SSLSocketImpl.startHandshake(SSLSocketImpl.java:1379)
> at
> org.apache.http.conn.ssl.SSLConnectionSocketFactory.createLayeredSocket(SSLConnectionSocketFactory.java:396)
> at
> org.apache.http.conn.ssl.SSLConnectionSocketFactory.connectSocket(SSLConnectionSocketFactory.java:355)
> at
> org.apache.http.impl.conn.DefaultHttpClientConnectionOperator.connect(DefaultHttpClientConnectionOperator.java:142)
> at
> org.apache.http.impl.conn.PoolingHttpClientConnectionManager.connect(PoolingHttpClientConnectionManager.java:373)
> at
> org.apache.http.impl.execchain.MainClientExec.establishRoute(MainClientExec.java:381)
> at
> org.apache.http.impl.execchain.MainClientExec.execute(MainClientExec.java:237)
> at
> org.apache.http.impl.execchain.ProtocolExec.execute(ProtocolExec.java:185)
> at org.apache.http.impl.execchain.RetryExec.execute(RetryExec.java:89)
> at
> org.apache.http.impl.execchain.RedirectExec.execute(RedirectExec.java:111)
> at
> org.apache.http.impl.client.InternalHttpClient.doExecute(InternalHttpClient.java:185)
> at
> org.apache.http.impl.client.CloseableHttpClient.execute(CloseableHttpClient.java:83)
> at com.att.nsa.apiClient.http.HttpClient.runCall(HttpClient.java:708)
> at com.att.nsa.apiClient.http.HttpClient.post
> <https://urldefense.com/v3/__http:/com.att.nsa.apiClient.http.HttpClient.post__;!!BhdT!3QOBrhycbaHf03o5M_bOu01osfXYRJBllreWDwuYVNh9M8fOh41pqiFwK0vnOYsQE0K9elo$>
> (HttpClient.java:456)
> at
> com.att.nsa.cambria.client.impl.CambriaSimplerBatchPublisher.sendBatch(CambriaSimplerBatchPublisher.java:342)
> at
> com.att.nsa.cambria.client.impl.CambriaSimplerBatchPublisher.send(CambriaSimplerBatchPublisher.java:251)
> at
> com.att.nsa.cambria.client.impl.CambriaSimplerBatchPublisher.access$100(CambriaSimplerBatchPublisher.java:31)
> at
> com.att.nsa.cambria.client.impl.CambriaSimplerBatchPublisher$1.run(CambriaSimplerBatchPublisher.java:411)
> at java.util.concurrent.Executors$RunnableAdapter.call(Executors.java:511)
> at java.util.concurrent.FutureTask.runAndReset(FutureTask.java:308)
> at
> java.util.concurrent.ScheduledThreadPoolExecutor$ScheduledFutureTask.access$301(ScheduledThreadPoolExecutor.java:180)
> at
> java.util.concurrent.ScheduledThreadPoolExecutor$ScheduledFutureTask.run(ScheduledThreadPoolExecutor.java:294)
> at
> java.util.concurrent.ThreadPoolExecutor.runWorker(ThreadPoolExecutor.java:1149)
> at
> java.util.concurrent.ThreadPoolExecutor$Worker.run(ThreadPoolExecutor.java:624)
> at java.lang.Thread.run(Thread.java:748)
> Caused by: sun.security.validator.ValidatorException: PKIX path validation
> failed: java.security.cert.CertPathValidatorException: validity check failed
> at sun.security.validator.PKIXValidator.doValidate(PKIXValidator.java:362)
> at
> sun.security.validator.PKIXValidator.engineValidate(PKIXValidator.java:270)
> at sun.security.validator.Validator.validate(Validator.java:262)
> at
> sun.security.ssl.X509TrustManagerImpl.validate(X509TrustManagerImpl.java:324)
> at
> sun.security.ssl.X509TrustManagerImpl.checkTrusted(X509TrustManagerImpl.java:229)
> at
> sun.security.ssl.X509TrustManagerImpl.checkServerTrusted(X509TrustManagerImpl.java:124)
> at
> sun.security.ssl.ClientHandshaker.serverCertificate(ClientHandshaker.java:1621)
> ... 31 common frames omitted
> Caused by: java.security.cert.CertPathValidatorException: validity check
> failed
> at
> sun.security.provider.certpath.PKIXMasterCertPathValidator.validate(PKIXMasterCertPathValidator.java:135)
> at
> sun.security.provider.certpath.PKIXCertPathValidator.validate(PKIXCertPathValidator.java:233)
> at
> sun.security.provider.certpath.PKIXCertPathValidator.validate(PKIXCertPathValidator.java:141)
> at
> sun.security.provider.certpath.PKIXCertPathValidator.engineValidate(PKIXCertPathValidator.java:80)
> at
> java.security.cert.CertPathValidator.validate(CertPathValidator.java:292)
> at sun.security.validator.PKIXValidator.doValidate(PKIXValidator.java:357)
> ... 37 common frames omitted
> Caused by: java.security.cert.CertificateExpiredException: NotAfter: Mon
> May 04 00:36:24 GMT 2020
> at
> sun.security.x509.CertificateValidity.valid(CertificateValidity.java:274)
> at sun.security.x509.X509CertImpl.checkValidity(X509CertImpl.java:629)
> at
> sun.security.provider.certpath.BasicChecker.verifyValidity(BasicChecker.java:190)
> at sun.security.provider.certpath.BasicChecker.check(BasicChecker.java:144)
> at
> sun.security.provider.certpath.PKIXMasterCertPathValidator.validate(PKIXMasterCertPathValidator.java:125)
> ... 42 common frames omitted
> [2021-02-19T06:49:54.687+00:00|WARN|CambriaSimplerBatchPublisher|pool-4-thread-1]
> Send failed, 3 message to send.
> [2021-02-19T06:49:54.687+00:00|ERROR|CambriaSimplerBatchPublisher|pool-4-thread-1]
> PUB_CHRONIC_FAILURE: Send failure count is 251, above threshold 10.
> [2021-02-19T06:49:55.727+00:00|INFO|CambriaSimplerBatchPublisher|pool-4-thread-1]
> sending 3 msgs to /events/POLICY-PDP-PAP. Oldest: 263704 ms
> [2021-02-19T06:49:55.727+00:00|WARN|HostSelector|pool-4-thread-1] All
> hosts were blacklisted; reverting to full set of hosts.
> [2021-02-19T06:49:55.727+00:00|INFO|HttpClient|pool-4-thread-1] POST
> https://message-router:3905/events/POLICY-PDP-PAP
> <https://urldefense.com/v3/__https:/message-router:3905/events/POLICY-PDP-PAP__;!!BhdT!3QOBrhycbaHf03o5M_bOu01osfXYRJBllreWDwuYVNh9M8fOh41pqiFwK0vnOYsQEli52VE$>
> (anonymous) ...
> [2021-02-19T06:49:55.734+00:00|WARN|HttpClient|pool-4-thread-1] Error
> executing HTTP request. sun.security.validator.ValidatorException: PKIX
> path validation failed: java.security.cert.CertPathValidatorException:
> validity check failed; blacklisting for 2 minutes
> [2021-02-19T06:49:55.735+00:00|WARN|CambriaSimplerBatchPublisher|pool-4-thread-1]
> sun.security.validator.ValidatorException: PKIX path validation failed:
> java.security.cert.CertPathValidatorException: validity check failed
> javax.net.ssl.SSLHandshakeException:
> sun.security.validator.ValidatorException: PKIX path validation failed:
> java.security.cert.CertPathValidatorException: validity check failed
> at sun.security.ssl.Alerts.getSSLException(Alerts.java:192)
> at sun.security.ssl.SSLSocketImpl.fatal(SSLSocketImpl.java:1946)
> at sun.security.ssl.Handshaker.fatalSE(Handshaker.java:316)
> at sun.security.ssl.Handshaker.fatalSE(Handshaker.java:310)
> at
> sun.security.ssl.ClientHandshaker.serverCertificate(ClientHandshaker.java:1639)
> at
> sun.security.ssl.ClientHandshaker.processMessage(ClientHandshaker.java:223)
> at sun.security.ssl.Handshaker.processLoop(Handshaker.java:1037)
> at sun.security.ssl.Handshaker.process_record(Handshaker.java:965)
> at sun.security.ssl.SSLSocketImpl.readRecord(SSLSocketImpl.java:1064)
> at
> sun.security.ssl.SSLSocketImpl.performInitialHandshake(SSLSocketImpl.java:1367)
> at sun.security.ssl.SSLSocketImpl.startHandshake(SSLSocketImpl.java:1395)
> at sun.security.ssl.SSLSocketImpl.startHandshake(SSLSocketImpl.java:1379)
> at
> org.apache.http.conn.ssl.SSLConnectionSocketFactory.createLayeredSocket(SSLConnectionSocketFactory.java:396)
> at
> org.apache.http.conn.ssl.SSLConnectionSocketFactory.connectSocket(SSLConnectionSocketFactory.java:355)
> at
> org.apache.http.impl.conn.DefaultHttpClientConnectionOperator.connect(DefaultHttpClientConnectionOperator.java:142)
> at
> org.apache.http.impl.conn.PoolingHttpClientConnectionManager.connect(PoolingHttpClientConnectionManager.java:373)
> at
> org.apache.http.impl.execchain.MainClientExec.establishRoute(MainClientExec.java:381)
> at
> org.apache.http.impl.execchain.MainClientExec.execute(MainClientExec.java:237)
> at
> org.apache.http.impl.execchain.ProtocolExec.execute(ProtocolExec.java:185)
> at org.apache.http.impl.execchain.RetryExec.execute(RetryExec.java:89)
> at
> org.apache.http.impl.execchain.RedirectExec.execute(RedirectExec.java:111)
> at
> org.apache.http.impl.client.InternalHttpClient.doExecute(InternalHttpClient.java:185)
> at
> org.apache.http.impl.client.CloseableHttpClient.execute(CloseableHttpClient.java:83)
> at com.att.nsa.apiClient.http.HttpClient.runCall(HttpClient.java:708)
> at com.att.nsa.apiClient.http.HttpClient.post
> <https://urldefense.com/v3/__http:/com.att.nsa.apiClient.http.HttpClient.post__;!!BhdT!3QOBrhycbaHf03o5M_bOu01osfXYRJBllreWDwuYVNh9M8fOh41pqiFwK0vnOYsQE0K9elo$>
> (HttpClient.java:456)
> at
> com.att.nsa.cambria.client.impl.CambriaSimplerBatchPublisher.sendBatch(CambriaSimplerBatchPublisher.java:342)
> at
> com.att.nsa.cambria.client.impl.CambriaSimplerBatchPublisher.send(CambriaSimplerBatchPublisher.java:251)
> at
> com.att.nsa.cambria.client.impl.CambriaSimplerBatchPublisher.access$100(CambriaSimplerBatchPublisher.java:31)
> at
> com.att.nsa.cambria.client.impl.CambriaSimplerBatchPublisher$1.run(CambriaSimplerBatchPublisher.java:411)
> at java.util.concurrent.Executors$RunnableAdapter.call(Executors.java:511)
> at java.util.concurrent.FutureTask.runAndReset(FutureTask.java:308)
> at
> java.util.concurrent.ScheduledThreadPoolExecutor$ScheduledFutureTask.access$301(ScheduledThreadPoolExecutor.java:180)
> at
> java.util.concurrent.ScheduledThreadPoolExecutor$ScheduledFutureTask.run(ScheduledThreadPoolExecutor.java:294)
> at
> java.util.concurrent.ThreadPoolExecutor.runWorker(ThreadPoolExecutor.java:1149)
> at
> java.util.concurrent.ThreadPoolExecutor$Worker.run(ThreadPoolExecutor.java:624)
> at java.lang.Thread.run(Thread.java:748)
> Caused by: sun.security.validator.ValidatorException: PKIX path validation
> failed: java.security.cert.CertPathValidatorException: validity check failed
> at sun.security.validator.PKIXValidator.doValidate(PKIXValidator.java:362)
> at
> sun.security.validator.PKIXValidator.engineValidate(PKIXValidator.java:270)
> at sun.security.validator.Validator.validate(Validator.java:262)
> at
> sun.security.ssl.X509TrustManagerImpl.validate(X509TrustManagerImpl.java:324)
> at
> sun.security.ssl.X509TrustManagerImpl.checkTrusted(X509TrustManagerImpl.java:229)
> at
> sun.security.ssl.X509TrustManagerImpl.checkServerTrusted(X509TrustManagerImpl.java:124)
> at
> sun.security.ssl.ClientHandshaker.serverCertificate(ClientHandshaker.java:1621)
> ... 31 common frames omitted
> Caused by: java.security.cert.CertPathValidatorException: validity check
> failed
> at
> sun.security.provider.certpath.PKIXMasterCertPathValidator.validate(PKIXMasterCertPathValidator.java:135)
> at
> sun.security.provider.certpath.PKIXCertPathValidator.validate(PKIXCertPathValidator.java:233)
> at
> sun.security.provider.certpath.PKIXCertPathValidator.validate(PKIXCertPathValidator.java:141)
> at
> sun.security.provider.certpath.PKIXCertPathValidator.engineValidate(PKIXCertPathValidator.java:80)
>
>
>
>
>
>
>
> On Thu, Feb 18, 2021 at 8:43 PM Determe, Sebastien <
> [email protected]> wrote:
>
> Hi Could you attach the clamp backend log may be ?
>
>
>
> Thanks,
>
> Seb
>
>
>
> *From:* Vivekanandan Muthukrishnan <[email protected]>
> *Sent:* 18 February 2021 14:45
> *To:* Determe, Sebastien <[email protected]>
> *Cc:* [email protected]
> *Subject:* Re: [onap-discuss] CLAMP org.onap.clamp.p12 certifcate expired
>
>
>
> Hi Sebastien,
>
>
>
> Thank you for your quick response. Kindly note that we have been using
> Dublin and we have to support it till the end of this year.
>
>
>
> We get the below exceptions while submitting a CLAMP design we get the
> following exception in the UI. We are not sure if this is related to the
> CLAMP certificate? Are there any workarounds for this issue ?
>
>
>
> We would appreciate any help in this regard.
>
>
>
> *CLAMP UI Exception*
>
>
>
> PDP Group removal, Error reported: javax.net.ssl.SSLHandshakeException:
> sun.security.validator.ValidatorException: PKIX path validation failed:
> java.security.cert.CertPathValidatorException: validity check failed - :
>
>
>
> *CLAMP UI Screenshot*
>
> [image: image.png]
>
>
>
> Thanks & Regards
>
> Vivek
>
>
>
>
>
>
>
>
>
> On Thu, Feb 18, 2021 at 6:13 PM Determe, Sebastien <
> [email protected]> wrote:
>
> Hi,
>
>
>
> We do not provide a new certificate as it is generated automatically since
> Guilin by AAF during OOM installation.
>
> You can even use the basic auth and use the demo user (pass: demo123456!),
> this one has the right AAF permission now.
>
>
>
> If you really need a certificate then you will need to re-generate one in
> the AAF GUI
>
>
>
> If you can’t move to Guilin, you can probably disable the AAF authentication
> mechanism in CLAMP OOM, we use spring profiles, you can change that in the
> application.properties(/SPRING_APPLICATION_JSON env var)
>
>
>
> Normally the default one is
>
>
> spring.profiles.active=clamp-default,clamp-aaf-authentication,clamp-sdc-controller,clamp-ssl-config,clamp-policy-controller,default-dictionary-elements
>
>
>
> “clamp-aaf-authentication” must be replaced by “clamp-default-user”
>
>
>
> Regards,
>
> Seb
>
>
>
> *From:* [email protected] <[email protected]> *On
> Behalf Of *Vivekanandan Muthukrishnan
> *Sent:* 18 February 2021 12:55
> *To:* [email protected]
> *Subject:* [onap-discuss] CLAMP org.onap.clamp.p12 certifcate expired
>
>
>
> Dear Clamp team,
>
>
>
> It seems like the below CLAMP certificate has expired on Feb/04/2021. Can
> you please point us to the latest one?
>
>
>
> We would appreciate any help in this regard.
>
>
>
>
>
>
> ttps://gerrit.onap.org/r/gitweb?p=clamp.git;a=blob;f=src/main/resources/clds/aaf/org.onap.clamp.p12;h=268aa1a3ce56e01448f8043cc0b05b5fceb5a47d;hb=HEAD
> <https://urldefense.com/v3/__https:/gerrit.onap.org/r/gitweb?p=clamp.git;a=blob;f=src*main*resources*clds*aaf*org.onap.clamp.p12;h=268aa1a3ce56e01448f8043cc0b05b5fceb5a47d;hb=HEAD__;Ly8vLy8!!BhdT!3q_dLKMrqDBRjETtnp1pYpuaqes9xqLZNU82HTE59v0jSPFlz7BnW1Z2QPfNC3OElfuqUFQ$>
>
>
>
>
>
>
-=-=-=-=-=-=-=-=-=-=-=-
Links: You receive all messages sent to this group.
View/Reply Online (#22882): https://lists.onap.org/g/onap-discuss/message/22882
Mute This Topic: https://lists.onap.org/mt/80727245/21656
Group Owner: [email protected]
Unsubscribe: https://lists.onap.org/g/onap-discuss/unsub
[[email protected]]
-=-=-=-=-=-=-=-=-=-=-=-
