Hi,

Well I’m afraid you have no other option than updating the certificate on policy pap here (it’s probably the easiest option you have).

I’m giving you some info about how Clamp communicates, maybe you will see options that I do not see right now: Clamp uses camel HTTP4 component to communicate with the outside world, it has its own SSL context so I don’t think it’s going to honour any of the JVM global parameters, see here:
https://gerrit.onap.org/r/gitweb?p=clamp.git;a=blob;f=src/main/java/org/onap/clamp/clds/config/CamelConfiguration.java;h=36e11f64fe271c2fc70c69bd4bffdf96056785cb;hb=HEAD

For that I think we need to modify the clamp code (maybe only the Camel Routes) located here:
https://gerrit.onap.org/r/gitweb?p=policy/clamp.git;a=tree;f=src/main/resources/clds/camel/routes;h=9bade0c7fb0af07f61d138cba58dff345d5993ef;hb=HEAD

Please note that those routes are bundled in the clamp JAR in the resources, so they could be modified even in the docker container but that’s really awful to do ☹

Sorry still thinking about it…

Regards,
Seb

From: Vivekanandan Muthukrishnan <[email protected]>
Sent: 19 February 2021 11:45
To: Determe, Sebastien <[email protected]>
Cc: [email protected]
Subject: Re: [onap-discuss] CLAMP org.onap.clamp.p12 certifcate expired

Hi Sebastien,

Yes, we did manually include the DMAAP certificate into Policy drools trust store and it resolved that issue.

The issue is with the CLAMP backend. It is not able to interact with Policy PAP and it fails with SSH certificate validation. I guess CLAMP backend is not able to ignore the SSL certificate exception and proceed further.

I tried to pass the following java arguments but the same issue persists. Is there a way to bypass this one to make Dublin CL to work?

Thanks & Regards
Vivek

~/oom/kubernetes$ git diff clamp/templates/deployment.yaml diff --git a/kubernetes/clamp/templates/deployment.yaml b/kubernetes/clamp/templates/deployment.yaml index 4e6d1d13..f672e555 100644 --- a/kubernetes/clamp/templates/deployment.yaml +++ b/kubernetes/clamp/templates/deployment.yaml
@@ -64,7 +64,8 @@ spec: imagePullPolicy: {{ .Values.global.pullPolicy | default .Values.pullPolicy }} args: - "-Dcom.att.eelf.logging.file=file:/opt/clamp/logback.xml" - - "" + - "-Dcom.sun.net.ssl.checkRevocation=false" + - "-Dtrust_all_cert=true" ports: - containerPort: {{ .Values.service.internalPort }} # disable liveness probe when breakpoints set in debugger

CLAMP Logs

08:57:12.323 [https-jsse-nio-8443-exec-5] DEBUG org.apache.http.impl.conn.BasicHttpClientConnectionManager - Get connection for route {s}->https://policy-pap.onap:6969
08:57:12.323 [https-jsse-nio-8443-exec-5] DEBUG org.apache.http.impl.conn.DefaultManagedHttpClientConnection - http-outgoing-225: set socket timeout to 0
08:57:12.323 [https-jsse-nio-8443-exec-5] DEBUG org.apache.http.impl.execchain.MainClientExec - Opening connection {s}->https://policy-pap.onap:6969
08:57:12.324 [https-jsse-nio-8443-exec-5] DEBUG org.apache.http.impl.conn.DefaultHttpClientConnectionOperator - Connecting to policy-pap.onap/10.43.6.89:6969
08:57:12.342 [https-jsse-nio-8443-exec-5] DEBUG org.apache.http.impl.conn.DefaultManagedHttpClientConnection - http-outgoing-225: Shutdown connection
08:57:12.342 [https-jsse-nio-8443-exec-5] DEBUG org.apache.http.impl.execchain.MainClientExec - Connection discarded
08:57:12.342 [https-jsse-nio-8443-exec-5] DEBUG org.apache.http.impl.conn.BasicHttpClientConnectionManager - Releasing connection [Not bound]
08:57:12.342 [https-jsse-nio-8443-exec-5] DEBUG org.apache.camel.processor.Pipeline - Message exchange has failed: so breaking out of pipeline for exchange: Exchange[ID-dev-clamp-clamp-697b889c49-8tf5n-1613629368511-0-412] Exception: javax.net.ssl.SSLHandshakeException: sun.security.validator.ValidatorException: PKIX path validation failed: java.security.cert.CertPathValidatorException: validity check failed
08:57:12.342 [https-jsse-nio-8443-exec-5] DEBUG org.apache.camel.processor.MulticastProcessor - Message exchange has failed: Sequential processing failed for number 1 for exchange: Exchange[ID-dev-clamp-clamp-697b889c49-8tf5n-1613629368511-0-412] Exception: javax.net.ssl.SSLHandshakeException: sun.security.validator.ValidatorException: PKIX path validation failed: java.security.cert.CertPathValidatorException: validity check failed
08:57:12.342 [https-jsse-nio-8443-exec-5] INFO remove-all-policy-from-active-pdp-group - Endpoint to delete policy from PDP Group: https4://policy-pap.onap:6969/pdps/policies/tca_k8s_dcae1_v1_0_vFWCL_vPKG23ec14e8-ae1b0_tca_dublin/versions/1.0.0
08:57:12.343 [https-jsse-nio-8443-exec-5] DEBUG org.apache.camel.spring.SpringCamelContext - Loading component JSON Schema for: https4 using class resolver: org.apache.camel.impl.DefaultClassResolver@cdb2d95 -> org.springframework.boot.loader.jar.ZipInflaterInputStream@68c5fbe0
08:57:12.345 [https-jsse-nio-8443-exec-5] DEBUG org.apache.camel.spring.SpringCamelContext - Loading component JSON Schema for: https4 using class resolver: org.apache.camel.impl.DefaultClassResolver@cdb2d95 -> org.springframework.boot.loader.jar.ZipInflaterInputStream@5ed719c

Policy PAP SSL Certificate

$ echo "" | openssl s_client -showcerts -connect 10.43.6.89:6969 2>/dev/null | openssl x509 -inform pem -noout -text
Certificate:
    Data:
        Version: 3 (0x2)
        Serial Number: 6453580827895746706 (0x598fb99207ff5092)
        Signature Algorithm: sha256WithRSAEncryption
        Issuer: C = US, O = ONAP, OU = OSAAF, CN = intermediateCA_9
        Validity
            Not Before: Apr 15 22:02:48 2019 GMT
            Not After : Apr 15 22:02:48 2020 GMT
        Subject: CN = policy, emailAddress = , OU = [email protected], OU = OSAAF, O = ONAP, C = US
        Subject Public Key Info:
            Public Key Algorithm: rsaEncryption
                RSA Public-Key: (2048 bit)
                Exponent: 65537 (0x10001)
        X509v3 extensions:
            X509v3 Basic Constraints:
                CA:FALSE
            X509v3 Key Usage: critical
                Digital Signature, Non Repudiation, Key Encipherment
            X509v3 Extended Key Usage: critical
                TLS Web Server Authentication, TLS Web Client Authentication
            X509v3 Authority Key Identifier:
                keyid:81:F7:99:5B:10:B9:C8:8C:DE:F3:52:5E:EA:4E:69:A0:43:3E:AC:DD
                DirName:/OU=OSAAF/O=ONAP/C=US
                serial:07
            X509v3 Subject Key Identifier:
                4E:95:D6:FA:CC:2A:16:C5:89:34:67:C1:55:35:36:B1:0B:50:B2:E0
            X509v3 Subject Alternative Name:
                DNS:policy, DNS:*.pdp, DNS:*.pdp.onap.svc.cluster.local, DNS:brmsgw, DNS:brmsgw.onap, DNS:drools, DNS:drools.onap, DNS:pap, DNS:pap.onap, DNS:pdp, DNS:pdp.onap, DNS:policy-apex-pdp, DNS:policy-apex-pdp.onap, DNS:policy-api, DNS:policy-api.onap, DNS:policy-distribution, DNS:policy-distribution.onap, DNS:policy-pap, DNS:policy-pap.onap, DNS:policy-xacml-pdp, DNS:policy-xacml-pdp.onap, DNS:policy.api.simpledemo.onap.org
    Signature Algorithm: sha256WithRSAEncryption

On Fri, Feb 19, 2021 at 2:09 PM Determe, Sebastien <[email protected]> wrote:

Hi,

This log is not from clamp, it’s from policy right?

I guess the issue is the expiration of the https message-router server certificate (NotAfter: Mon May 04 00:36:24 GMT 2020), meaning it’s down since a while ☹

Seb
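Review bot: In the deployment.yaml hunk quoted above, neither of the two added args entries addresses the failure shown in the CLAMP log, which is "CertPathValidatorException: validity check failed" against a policy-pap certificate whose Not After is Apr 15 22:02:48 2020 GMT. "-Dcom.sun.net.ssl.checkRevocation=false" concerns revocation checking only, not the validity period, and nothing visible in this change or in the thread reads "-Dtrust_all_cert=true"; the reply at the top of the thread also points out that CLAMP's Camel HTTP4 component uses its own SSL context, so JVM-wide properties are unlikely to reach it. I would drop both lines rather than keep a trust-everything switch in the chart, and renew the policy-pap certificate as suggested in that reply.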
From: Vivekanandan Muthukrishnan <[email protected]>
Sent: 19 February 2021 07:51
To: Determe, Sebastien <[email protected]>
Cc: [email protected]
Subject: Re: [onap-discuss] CLAMP org.onap.clamp.p12 certifcate expired

Hi Sebastien,

It seems like the issue is coming from Policy drools. Here are the exceptions while communicating with the message router.

[2021-02-19T06:49:54.677+00:00|INFO|CambriaSimplerBatchPublisher|pool-4-thread-1] sending 3 msgs to /events/POLICY-PDP-PAP. Oldest: 262654 ms
[2021-02-19T06:49:54.677+00:00|WARN|HostSelector|pool-4-thread-1] All hosts were blacklisted; reverting to full set of hosts.
[2021-02-19T06:49:54.677+00:00|INFO|HttpClient|pool-4-thread-1] POST https://message-router:3905/events/POLICY-PDP-PAP (anonymous) ...
[2021-02-19T06:49:54.686+00:00|WARN|HttpClient|pool-4-thread-1] Error executing HTTP request. sun.security.validator.ValidatorException: PKIX path validation failed: java.security.cert.CertPathValidatorException: validity check failed; blacklisting for 2 minutes
[2021-02-19T06:49:54.687+00:00|WARN|CambriaSimplerBatchPublisher|pool-4-thread-1] sun.security.validator.ValidatorException: PKIX path validation failed: java.security.cert.CertPathValidatorException: validity check failed
javax.net.ssl.SSLHandshakeException: sun.security.validator.ValidatorException: PKIX path validation failed: java.security.cert.CertPathValidatorException: validity check failed
    at sun.security.ssl.Alerts.getSSLException(Alerts.java:192)
    at sun.security.ssl.SSLSocketImpl.fatal(SSLSocketImpl.java:1946)
    at sun.security.ssl.Handshaker.fatalSE(Handshaker.java:316)
    at sun.security.ssl.Handshaker.fatalSE(Handshaker.java:310)
    at sun.security.ssl.ClientHandshaker.serverCertificate(ClientHandshaker.java:1639)
    at sun.security.ssl.ClientHandshaker.processMessage(ClientHandshaker.java:223)
    at sun.security.ssl.Handshaker.processLoop(Handshaker.java:1037)
    at sun.security.ssl.Handshaker.process_record(Handshaker.java:965)
    at sun.security.ssl.SSLSocketImpl.readRecord(SSLSocketImpl.java:1064)
    at sun.security.ssl.SSLSocketImpl.performInitialHandshake(SSLSocketImpl.java:1367)
    at sun.security.ssl.SSLSocketImpl.startHandshake(SSLSocketImpl.java:1395)
    at sun.security.ssl.SSLSocketImpl.startHandshake(SSLSocketImpl.java:1379)
    at org.apache.http.conn.ssl.SSLConnectionSocketFactory.createLayeredSocket(SSLConnectionSocketFactory.java:396)
    at org.apache.http.conn.ssl.SSLConnectionSocketFactory.connectSocket(SSLConnectionSocketFactory.java:355)
    at org.apache.http.impl.conn.DefaultHttpClientConnectionOperator.connect(DefaultHttpClientConnectionOperator.java:142)
    at org.apache.http.impl.conn.PoolingHttpClientConnectionManager.connect(PoolingHttpClientConnectionManager.java:373)
    at org.apache.http.impl.execchain.MainClientExec.establishRoute(MainClientExec.java:381)
    at org.apache.http.impl.execchain.MainClientExec.execute(MainClientExec.java:237)
    at org.apache.http.impl.execchain.ProtocolExec.execute(ProtocolExec.java:185)
    at org.apache.http.impl.execchain.RetryExec.execute(RetryExec.java:89)
    at org.apache.http.impl.execchain.RedirectExec.execute(RedirectExec.java:111)
    at org.apache.http.impl.client.InternalHttpClient.doExecute(InternalHttpClient.java:185)
    at org.apache.http.impl.client.CloseableHttpClient.execute(CloseableHttpClient.java:83)
    at com.att.nsa.apiClient.http.HttpClient.runCall(HttpClient.java:708)
    at com.att.nsa.apiClient.http.HttpClient.post(HttpClient.java:456)
    at com.att.nsa.cambria.client.impl.CambriaSimplerBatchPublisher.sendBatch(CambriaSimplerBatchPublisher.java:342)
    at com.att.nsa.cambria.client.impl.CambriaSimplerBatchPublisher.send(CambriaSimplerBatchPublisher.java:251)
    at com.att.nsa.cambria.client.impl.CambriaSimplerBatchPublisher.access$100(CambriaSimplerBatchPublisher.java:31)
    at com.att.nsa.cambria.client.impl.CambriaSimplerBatchPublisher$1.run(CambriaSimplerBatchPublisher.java:411)
    at java.util.concurrent.Executors$RunnableAdapter.call(Executors.java:511)
    at java.util.concurrent.FutureTask.runAndReset(FutureTask.java:308)
    at java.util.concurrent.ScheduledThreadPoolExecutor$ScheduledFutureTask.access$301(ScheduledThreadPoolExecutor.java:180)
    at java.util.concurrent.ScheduledThreadPoolExecutor$ScheduledFutureTask.run(ScheduledThreadPoolExecutor.java:294)
    at java.util.concurrent.ThreadPoolExecutor.runWorker(ThreadPoolExecutor.java:1149)
    at java.util.concurrent.ThreadPoolExecutor$Worker.run(ThreadPoolExecutor.java:624)
    at java.lang.Thread.run(Thread.java:748)
Caused by: sun.security.validator.ValidatorException: PKIX path validation failed: java.security.cert.CertPathValidatorException: validity check failed
    at sun.security.validator.PKIXValidator.doValidate(PKIXValidator.java:362)
    at sun.security.validator.PKIXValidator.engineValidate(PKIXValidator.java:270)
    at sun.security.validator.Validator.validate(Validator.java:262)
    at sun.security.ssl.X509TrustManagerImpl.validate(X509TrustManagerImpl.java:324)
    at sun.security.ssl.X509TrustManagerImpl.checkTrusted(X509TrustManagerImpl.java:229)
    at sun.security.ssl.X509TrustManagerImpl.checkServerTrusted(X509TrustManagerImpl.java:124)
    at sun.security.ssl.ClientHandshaker.serverCertificate(ClientHandshaker.java:1621)
    ... 31 common frames omitted
Caused by: java.security.cert.CertPathValidatorException: validity check failed
    at sun.security.provider.certpath.PKIXMasterCertPathValidator.validate(PKIXMasterCertPathValidator.java:135)
    at sun.security.provider.certpath.PKIXCertPathValidator.validate(PKIXCertPathValidator.java:233)
    at sun.security.provider.certpath.PKIXCertPathValidator.validate(PKIXCertPathValidator.java:141)
    at sun.security.provider.certpath.PKIXCertPathValidator.engineValidate(PKIXCertPathValidator.java:80)
    at java.security.cert.CertPathValidator.validate(CertPathValidator.java:292)
    at sun.security.validator.PKIXValidator.doValidate(PKIXValidator.java:357)
    ... 37 common frames omitted
Caused by: java.security.cert.CertificateExpiredException: NotAfter: Mon May 04 00:36:24 GMT 2020
    at sun.security.x509.CertificateValidity.valid(CertificateValidity.java:274)
    at sun.security.x509.X509CertImpl.checkValidity(X509CertImpl.java:629)
    at sun.security.provider.certpath.BasicChecker.verifyValidity(BasicChecker.java:190)
    at sun.security.provider.certpath.BasicChecker.check(BasicChecker.java:144)
    at sun.security.provider.certpath.PKIXMasterCertPathValidator.validate(PKIXMasterCertPathValidator.java:125)
    ... 42 common frames omitted
[2021-02-19T06:49:54.687+00:00|WARN|CambriaSimplerBatchPublisher|pool-4-thread-1] Send failed, 3 message to send.
[2021-02-19T06:49:54.687+00:00|ERROR|CambriaSimplerBatchPublisher|pool-4-thread-1] PUB_CHRONIC_FAILURE: Send failure count is 251, above threshold 10.
[2021-02-19T06:49:55.727+00:00|INFO|CambriaSimplerBatchPublisher|pool-4-thread-1] sending 3 msgs to /events/POLICY-PDP-PAP. Oldest: 263704 ms
[2021-02-19T06:49:55.727+00:00|WARN|HostSelector|pool-4-thread-1] All hosts were blacklisted; reverting to full set of hosts.
[2021-02-19T06:49:55.727+00:00|INFO|HttpClient|pool-4-thread-1] POST https://message-router:3905/events/POLICY-PDP-PAP (anonymous) ...
[2021-02-19T06:49:55.734+00:00|WARN|HttpClient|pool-4-thread-1] Error executing HTTP request. sun.security.validator.ValidatorException: PKIX path validation failed: java.security.cert.CertPathValidatorException: validity check failed; blacklisting for 2 minutes
[2021-02-19T06:49:55.735+00:00|WARN|CambriaSimplerBatchPublisher|pool-4-thread-1] sun.security.validator.ValidatorException: PKIX path validation failed: java.security.cert.CertPathValidatorException: validity check failed
javax.net.ssl.SSLHandshakeException: sun.security.validator.ValidatorException: PKIX path validation failed: java.security.cert.CertPathValidatorException: validity check failed

On Thu, Feb 18, 2021 at 8:43 PM Determe, Sebastien <[email protected]> wrote:

Hi

Could you attach the clamp backend log maybe?

Thanks,
Seb
From: Vivekanandan Muthukrishnan <[email protected]>
Sent: 18 February 2021 14:45
To: Determe, Sebastien <[email protected]>
Cc: [email protected]
Subject: Re: [onap-discuss] CLAMP org.onap.clamp.p12 certifcate expired

Hi Sebastien,

Thank you for your quick response. Kindly note that we have been using Dublin and we have to support it till the end of this year.

While submitting a CLAMP design, we get the following exception in the UI. We are not sure if this is related to the CLAMP certificate. Are there any workarounds for this issue?

We would appreciate any help in this regard.

CLAMP UI Exception

PDP Group removal, Error reported: javax.net.ssl.SSLHandshakeException: sun.security.validator.ValidatorException: PKIX path validation failed: java.security.cert.CertPathValidatorException: validity check failed - :

CLAMP UI Screenshot [image.png]

Thanks & Regards
Vivek

On Thu, Feb 18, 2021 at 6:13 PM Determe, Sebastien <[email protected]> wrote:

Hi,

We do not provide a new certificate as it is generated automatically since Guilin by AAF during OOM installation. You can even use the basic auth and use the demo user (pass: demo123456!), this one has the right AAF permission now.

If you really need a certificate then you will need to re-generate one in the AAF GUI.

If you can’t move to Guilin, you can probably disable the AAF authentication mechanism in CLAMP OOM, we use spring profiles, you can change that in the application.properties(/SPRING_APPLICATION_JSON env var)

Normally the default one is
spring.profiles.active=clamp-default,clamp-aaf-authentication,clamp-sdc-controller,clamp-ssl-config,clamp-policy-controller,default-dictionary-elements

“clamp-aaf-authentication” must be replaced by “clamp-default-user”

Regards,
Seb
From: [email protected] <[email protected]> On Behalf Of Vivekanandan Muthukrishnan
Sent: 18 February 2021 12:55
To: [email protected]
Subject: [onap-discuss] CLAMP org.onap.clamp.p12 certifcate expired

Dear Clamp team,

It seems like the below CLAMP certificate has expired on Feb/04/2021. Can you please point us to the latest one? We would appreciate any help in this regard.

https://gerrit.onap.org/r/gitweb?p=clamp.git;a=blob;f=src/main/resources/clds/aaf/org.onap.clamp.p12;h=268aa1a3ce56e01448f8043cc0b05b5fceb5a47d;hb=HEAD

View/Reply Online (#22883): https://lists.onap.org/g/onap-discuss/message/22883
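Added example (not part of the original thread and not ONAP code): the thread spends several replies working out which certificate actually expired, so this sketch triages the two log formats quoted above and fills in a missing date from the openssl output. The function names are hypothetical, and it assumes a single-threaded log excerpt where a validity failure belongs to the most recently logged https URL.

```python
import re
from datetime import datetime, timezone

# Abridged from the Policy drools and CLAMP log lines quoted in the thread.
SAMPLE_LOG = """\
[2021-02-19T06:49:54.677+00:00|INFO|HttpClient|pool-4-thread-1] POST https://message-router:3905/events/POLICY-PDP-PAP (anonymous) ...
[2021-02-19T06:49:54.686+00:00|WARN|HttpClient|pool-4-thread-1] Error executing HTTP request. sun.security.validator.ValidatorException: PKIX path validation failed: java.security.cert.CertPathValidatorException: validity check failed; blacklisting for 2 minutes
Caused by: java.security.cert.CertificateExpiredException: NotAfter: Mon May 04 00:36:24 GMT 2020
08:57:12.323 [https-jsse-nio-8443-exec-5] DEBUG org.apache.http.impl.execchain.MainClientExec - Opening connection {s}->https://policy-pap.onap:6969
08:57:12.342 [https-jsse-nio-8443-exec-5] DEBUG org.apache.camel.processor.Pipeline - Message exchange has failed: Exception: javax.net.ssl.SSLHandshakeException: sun.security.validator.ValidatorException: PKIX path validation failed: java.security.cert.CertPathValidatorException: validity check failed
"""

# The Validity lines of the openssl x509 -text output quoted in the thread.
SAMPLE_OPENSSL = """\
        Validity
            Not Before: Apr 15 22:02:48 2019 GMT
            Not After : Apr 15 22:02:48 2020 GMT
"""

URL_RE = re.compile(r"https4?://([A-Za-z0-9.-]+):(\d+)")
# java.util.Date.toString() form; only GMT/UTC dates are parsed, others stay None.
JAVA_EXPIRED_RE = re.compile(
    r"CertificateExpiredException: NotAfter: "
    r"(\w{3} \w{3} \d{2} \d{2}:\d{2}:\d{2}) (?:GMT|UTC) (\d{4})")
OPENSSL_NOT_AFTER_RE = re.compile(
    r"Not After\s*:\s*(\w{3}\s+\d{1,2} \d{2}:\d{2}:\d{2} \d{4}) GMT")
VALIDITY_MARK = "CertPathValidatorException: validity check failed"


def failing_endpoints(log_text):
    """Map host:port -> NotAfter logged by the JVM (UTC), or None if not logged."""
    findings = {}
    endpoint = None
    for line in log_text.splitlines():
        url = URL_RE.search(line)
        if url:
            endpoint = "%s:%s" % url.groups()
        if endpoint is None:
            continue  # failure text before any URL cannot be attributed
        if VALIDITY_MARK in line:
            findings.setdefault(endpoint, None)
        expired = JAVA_EXPIRED_RE.search(line)
        if expired:
            findings[endpoint] = datetime.strptime(
                " ".join(expired.groups()), "%a %b %d %H:%M:%S %Y"
            ).replace(tzinfo=timezone.utc)
    return findings


def openssl_not_after(x509_text):
    """Extract 'Not After' from `openssl x509 -noout -text` output, or None."""
    match = OPENSSL_NOT_AFTER_RE.search(x509_text)
    if not match:
        return None
    return datetime.strptime(
        match.group(1), "%b %d %H:%M:%S %Y").replace(tzinfo=timezone.utc)


def report(findings, now, probes=None):
    """Rows of (endpoint, not_after, days_expired); probes supplies openssl
    output for endpoints whose log carried no CertificateExpiredException."""
    rows = []
    for endpoint, not_after in sorted(findings.items()):
        if not_after is None and probes and endpoint in probes:
            not_after = openssl_not_after(probes[endpoint])
        days = (now - not_after).days if not_after else None
        rows.append((endpoint, not_after, days))
    return rows


if __name__ == "__main__":
    # Reference time: timestamp of the drools log lines in the thread.
    now = datetime(2021, 2, 19, 6, 49, 54, tzinfo=timezone.utc)
    probes = {"policy-pap.onap:6969": SAMPLE_OPENSSL}
    for endpoint, not_after, days in report(failing_endpoints(SAMPLE_LOG), now, probes):
        print(endpoint, not_after, "expired %s days ago" % days)
```

An endpoint that still shows no date after this pass is the one to probe with the openssl s_client command used in the thread.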
