Hi Sebastien,

Thank you very much for the detailed explanation and reference links.

We will review this one and try to resolve these issues. We anyway have to
support Dublin till the end of this year.

I will keep you posted.

Thanks & Regards
Vivek



On Fri, Feb 19, 2021 at 6:21 PM Determe, Sebastien <
[email protected]> wrote:

> Hi,
>
>
>
> Well I’m afraid you have no other option than updating the certificate on
> policy pap here (it’s probably the easiest option you have)
>
>
>
> I’m giving you some info about how Clamp communicates, maybe you will see
> options that I do not see right now:
>
>
>
> Clamp uses camel HTTP4 component to communicate with the outside world, it
> has its own SSL context so I don’t think it’s going to honour any of the
> JVM global parameters, see here:
>
>
> https://gerrit.onap.org/r/gitweb?p=clamp.git;a=blob;f=src/main/java/org/onap/clamp/clds/config/CamelConfiguration.java;h=36e11f64fe271c2fc70c69bd4bffdf96056785cb;hb=HEAD
>
>
>
> For that I think we need to modify the clamp code (maybe only the Camel
> Routes) located here:
>
>
> https://gerrit.onap.org/r/gitweb?p=policy/clamp.git;a=tree;f=src/main/resources/clds/camel/routes;h=9bade0c7fb0af07f61d138cba58dff345d5993ef;hb=HEAD
>
> Please note that those routes are bundled in the clamp JAR in the
> resources, so they could be modified even in the docker container but
> that’s really awful to do ☹
>
>
>
> Sorry still thinking about it…
>
> Regards,
>
> Seb
>
>
>
> *From:* Vivekanandan Muthukrishnan <[email protected]>
> *Sent:* 19 February 2021 11:45
> *To:* Determe, Sebastien <[email protected]>
> *Cc:* [email protected]
> *Subject:* Re: [onap-discuss] CLAMP org.onap.clamp.p12 certifcate expired
>
>
>
> Hi Sebastien,
>
>
>
> Yes, we did manually include the DMAAP certificate into Policy drools
> trust store and it resolved that issue.
>
>
>
> The issue is with the CLAMP backend. It is not able to interact with
> Policy PAP and it fails with SSH certificate validation.
>
> I guess CLAMP backend is not able to ignore the SSL certificate exception
> and proceed further. I tried to pass the following java arguments but the
> same issue persists.
>
>
>
> Is there a way to bypass this one to make Dublin CL work?
>
>
>
> Thanks & Regards
>
> Vivek
>
>
>
>
> *~/oom/kubernetes$ git diff clamp/templates/deployment.yaml *diff --git
> a/kubernetes/clamp/templates/deployment.yaml
> b/kubernetes/clamp/templates/deployment.yaml
> index 4e6d1d13..f672e555 100644
> --- a/kubernetes/clamp/templates/deployment.yaml
> +++ b/kubernetes/clamp/templates/deployment.yaml
> @@ -64,7 +64,8 @@ spec:
>            imagePullPolicy: {{ .Values.global.pullPolicy | default
> .Values.pullPolicy }}
>            args:
>              - "-Dcom.att.eelf.logging.file=file:/opt/clamp/logback.xml"
> -            - ""
> +            - "-*Dcom.sun.net.ssl.checkRevocation=false*"
> +            - "*-Dtrust_all_cert=true*"
>            ports:
>            - containerPort: {{ .Values.service.internalPort }}
>            # disable liveness probe when breakpoints set in debugger
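
Review bot: neither of the two `-D` arguments added under `args:` addresses the failure in the CLAMP log quoted in this message, which is `CertPathValidatorException: validity check failed` on an expired certificate, not a revocation failure. `com.sun.net.ssl.checkRevocation` only controls revocation checking, and nothing in the thread shows CLAMP reading a `trust_all_cert` property; Sebastien's reply says the Camel HTTP4 component builds its own SSL context. The `*` characters inside the quoted strings look like mail bold markup and would reach the JVM literally if the lines were applied as written. I would drop both lines and renew the Policy PAP certificate instead, since a trust-all switch, where honoured, would also remove server authentication from every outbound CLAMP call.
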
>
>
>
>
>
> *CLAMP Logs*
>
>
>
> 08:57:12.323 [https-jsse-nio-8443-exec-5] DEBUG
> org.apache.http.impl.conn.BasicHttpClientConnectionManager - Get connection
> for route {s}->https://policy-pap.onap:6969
> 08:57:12.323 [https-jsse-nio-8443-exec-5] DEBUG
> org.apache.http.impl.conn.DefaultManagedHttpClientConnection -
> http-outgoing-225: set socket timeout to 0
> 08:57:12.323 [https-jsse-nio-8443-exec-5] DEBUG
> org.apache.http.impl.execchain.MainClientExec - Opening connection {s}->
> https://policy-pap.onap:6969
> 08:57:12.324 [https-jsse-nio-8443-exec-5] DEBUG
> org.apache.http.impl.conn.DefaultHttpClientConnectionOperator - Connecting
> to policy-pap.onap/10.43.6.89:6969
> 08:57:12.342 [https-jsse-nio-8443-exec-5] DEBUG
> org.apache.http.impl.conn.DefaultManagedHttpClientConnection -
> http-outgoing-225: Shutdown connection
> 08:57:12.342 [https-jsse-nio-8443-exec-5] DEBUG
> org.apache.http.impl.execchain.MainClientExec - Connection discarded
> 08:57:12.342 [https-jsse-nio-8443-exec-5] DEBUG
> org.apache.http.impl.conn.BasicHttpClientConnectionManager - Releasing
> connection [Not bound]
> 08:57:12.342 [https-jsse-nio-8443-exec-5] DEBUG
> org.apache.camel.processor.Pipeline - Message exchange has failed: so
> breaking out of pipeline for exchange:
> Exchange[ID-dev-clamp-clamp-697b889c49-8tf5n-1613629368511-0-412]
> Exception: javax.net.ssl.SSLHandshakeException:
> sun.security.validator.ValidatorException: PKIX path validation failed:
> java.security.cert.CertPathValidatorException: validity check failed
> 08:57:12.342 [https-jsse-nio-8443-exec-5] DEBUG
> org.apache.camel.processor.MulticastProcessor - Message exchange has
> failed: Sequential processing failed for number 1 for exchange:
> Exchange[ID-dev-clamp-clamp-697b889c49-8tf5n-1613629368511-0-412]
> Exception: javax.net.ssl.SSLHandshakeException:
> sun.security.validator.ValidatorException: PKIX path validation failed:
> java.security.cert.CertPathValidatorException: validity check failed
> 08:57:12.342 [https-jsse-nio-8443-exec-5] INFO
>  remove-all-policy-from-active-pdp-group - Endpoint to delete policy from
> PDP Group:
> https4://policy-pap.onap:6969/pdps/policies/tca_k8s_dcae1_v1_0_vFWCL_vPKG23ec14e8-ae1b0_tca_dublin/versions/1.0.0
> 08:57:12.343 [https-jsse-nio-8443-exec-5] DEBUG
> org.apache.camel.spring.SpringCamelContext - Loading component JSON Schema
> for: https4 using class resolver:
> org.apache.camel.impl.DefaultClassResolver@cdb2d95 ->
> org.springframework.boot.loader.jar.ZipInflaterInputStream@68c5fbe0
> 08:57:12.345 [https-jsse-nio-8443-exec-5] DEBUG
> org.apache.camel.spring.SpringCamelContext - Loading component JSON Schema
> for: https4 using class resolver:
> org.apache.camel.impl.DefaultClassResolver@cdb2d95 ->
> org.springframework.boot.loader.jar.ZipInflaterInputStream@5ed719c
>
>
>
> *Policy PAP SSL Certificate*
>
> $ echo "" | openssl s_client -showcerts -connect 10.43.6.89:6969 2>/dev/null | openssl x509 -inform pem -noout -text
> Certificate:
>     Data:
>         Version: 3 (0x2)
>         Serial Number: 6453580827895746706 (0x598fb99207ff5092)
>         Signature Algorithm: sha256WithRSAEncryption
>         Issuer: C = US, O = ONAP, OU = OSAAF, CN = intermediateCA_9
>         Validity
>             Not Before: Apr 15 22:02:48 2019 GMT
>             Not After : Apr 15 22:02:48 2020 GMT
>         Subject: CN = policy, emailAddress = , OU = [email protected],
> OU = OSAAF, O = ONAP, C = US
>         Subject Public Key Info:
>             Public Key Algorithm: rsaEncryption
>                 RSA Public-Key: (2048 bit)
>                 Modulus:
>                 Exponent: 65537 (0x10001)
>         X509v3 extensions:
>             X509v3 Basic Constraints:
>                 CA:FALSE
>             X509v3 Key Usage: critical
>                 Digital Signature, Non Repudiation, Key Encipherment
>             X509v3 Extended Key Usage: critical
>                 TLS Web Server Authentication, TLS Web Client
> Authentication
>             X509v3 Authority Key Identifier:
>
> keyid:81:F7:99:5B:10:B9:C8:8C:DE:F3:52:5E:EA:4E:69:A0:43:3E:AC:DD
>                 DirName:/OU=OSAAF/O=ONAP/C=US
>                 serial:07
>
>             X509v3 Subject Key Identifier:
>                 4E:95:D6:FA:CC:2A:16:C5:89:34:67:C1:55:35:36:B1:0B:50:B2:E0
>             X509v3 Subject Alternative Name:
>                 DNS:policy, DNS:*.pdp, DNS:*.pdp.onap.svc.cluster.local,
> DNS:brmsgw, DNS:brmsgw.onap, DNS:drools, DNS:drools.onap, DNS:pap,
> DNS:pap.onap, DNS:pdp, DNS:pdp.onap, DNS:policy-apex-pdp,
> DNS:policy-apex-pdp.onap, DNS:policy-api, DNS:policy-api.onap,
> DNS:policy-distribution, DNS:policy-distribution.onap, DNS:policy-pap,
> DNS:policy-pap.onap, DNS:policy-xacml-pdp, DNS:policy-xacml-pdp.onap, DNS:
> policy.api.simpledemo.onap.org
>     Signature Algorithm: sha256WithRSAEncryption
>
>
>
> On Fri, Feb 19, 2021 at 2:09 PM Determe, Sebastien <
> [email protected]> wrote:
>
> Hi,
>
> This log is not from clamp, it’s from policy right ?
>
> I guess the issue is the expiration of the https message-router server
> certificate (NotAfter: Mon May 04 00:36:24 GMT 2020), meaning it’s down
> since a while ☹
>
>
>
> Seb
>
>
>
> *From:* Vivekanandan Muthukrishnan <[email protected]>
> *Sent:* 19 February 2021 07:51
> *To:* Determe, Sebastien <[email protected]>
> *Cc:* [email protected]
> *Subject:* Re: [onap-discuss] CLAMP org.onap.clamp.p12 certifcate expired
>
>
>
> Hi Sebastien,
>
>
>
> It seems like the issue is coming from Policy drools.
>
>
>
> Here are the exceptions while communicating with the message router.
>
>
>
> [2021-02-19T06:49:54.677+00:00|INFO|CambriaSimplerBatchPublisher|pool-4-thread-1]
> sending 3 msgs to /events/POLICY-PDP-PAP. Oldest: 262654 ms
> [2021-02-19T06:49:54.677+00:00|WARN|HostSelector|pool-4-thread-1] All
> hosts were blacklisted; reverting to full set of hosts.
> [2021-02-19T06:49:54.677+00:00|INFO|HttpClient|pool-4-thread-1] POST
> https://message-router:3905/events/POLICY-PDP-PAP
> (anonymous) ...
> [2021-02-19T06:49:54.686+00:00|WARN|HttpClient|pool-4-thread-1] Error
> executing HTTP request. sun.security.validator.ValidatorException: PKIX
> path validation failed: java.security.cert.CertPathValidatorException:
> validity check failed; blacklisting for 2 minutes
> [2021-02-19T06:49:54.687+00:00|WARN|CambriaSimplerBatchPublisher|pool-4-thread-1]
> sun.security.validator.ValidatorException: PKIX path validation failed:
> java.security.cert.CertPathValidatorException: validity check failed
> javax.net.ssl.SSLHandshakeException:
> sun.security.validator.ValidatorException: PKIX path validation failed:
> java.security.cert.CertPathValidatorException: validity check failed
> at sun.security.ssl.Alerts.getSSLException(Alerts.java:192)
> at sun.security.ssl.SSLSocketImpl.fatal(SSLSocketImpl.java:1946)
> at sun.security.ssl.Handshaker.fatalSE(Handshaker.java:316)
> at sun.security.ssl.Handshaker.fatalSE(Handshaker.java:310)
> at
> sun.security.ssl.ClientHandshaker.serverCertificate(ClientHandshaker.java:1639)
> at
> sun.security.ssl.ClientHandshaker.processMessage(ClientHandshaker.java:223)
> at sun.security.ssl.Handshaker.processLoop(Handshaker.java:1037)
> at sun.security.ssl.Handshaker.process_record(Handshaker.java:965)
> at sun.security.ssl.SSLSocketImpl.readRecord(SSLSocketImpl.java:1064)
> at
> sun.security.ssl.SSLSocketImpl.performInitialHandshake(SSLSocketImpl.java:1367)
> at sun.security.ssl.SSLSocketImpl.startHandshake(SSLSocketImpl.java:1395)
> at sun.security.ssl.SSLSocketImpl.startHandshake(SSLSocketImpl.java:1379)
> at
> org.apache.http.conn.ssl.SSLConnectionSocketFactory.createLayeredSocket(SSLConnectionSocketFactory.java:396)
> at
> org.apache.http.conn.ssl.SSLConnectionSocketFactory.connectSocket(SSLConnectionSocketFactory.java:355)
> at
> org.apache.http.impl.conn.DefaultHttpClientConnectionOperator.connect(DefaultHttpClientConnectionOperator.java:142)
> at
> org.apache.http.impl.conn.PoolingHttpClientConnectionManager.connect(PoolingHttpClientConnectionManager.java:373)
> at
> org.apache.http.impl.execchain.MainClientExec.establishRoute(MainClientExec.java:381)
> at
> org.apache.http.impl.execchain.MainClientExec.execute(MainClientExec.java:237)
> at
> org.apache.http.impl.execchain.ProtocolExec.execute(ProtocolExec.java:185)
> at org.apache.http.impl.execchain.RetryExec.execute(RetryExec.java:89)
> at
> org.apache.http.impl.execchain.RedirectExec.execute(RedirectExec.java:111)
> at
> org.apache.http.impl.client.InternalHttpClient.doExecute(InternalHttpClient.java:185)
> at
> org.apache.http.impl.client.CloseableHttpClient.execute(CloseableHttpClient.java:83)
> at com.att.nsa.apiClient.http.HttpClient.runCall(HttpClient.java:708)
> at com.att.nsa.apiClient.http.HttpClient.post(HttpClient.java:456)
> at
> com.att.nsa.cambria.client.impl.CambriaSimplerBatchPublisher.sendBatch(CambriaSimplerBatchPublisher.java:342)
> at
> com.att.nsa.cambria.client.impl.CambriaSimplerBatchPublisher.send(CambriaSimplerBatchPublisher.java:251)
> at
> com.att.nsa.cambria.client.impl.CambriaSimplerBatchPublisher.access$100(CambriaSimplerBatchPublisher.java:31)
> at
> com.att.nsa.cambria.client.impl.CambriaSimplerBatchPublisher$1.run(CambriaSimplerBatchPublisher.java:411)
> at java.util.concurrent.Executors$RunnableAdapter.call(Executors.java:511)
> at java.util.concurrent.FutureTask.runAndReset(FutureTask.java:308)
> at
> java.util.concurrent.ScheduledThreadPoolExecutor$ScheduledFutureTask.access$301(ScheduledThreadPoolExecutor.java:180)
> at
> java.util.concurrent.ScheduledThreadPoolExecutor$ScheduledFutureTask.run(ScheduledThreadPoolExecutor.java:294)
> at
> java.util.concurrent.ThreadPoolExecutor.runWorker(ThreadPoolExecutor.java:1149)
> at
> java.util.concurrent.ThreadPoolExecutor$Worker.run(ThreadPoolExecutor.java:624)
> at java.lang.Thread.run(Thread.java:748)
> Caused by: sun.security.validator.ValidatorException: PKIX path validation
> failed: java.security.cert.CertPathValidatorException: validity check failed
> at sun.security.validator.PKIXValidator.doValidate(PKIXValidator.java:362)
> at
> sun.security.validator.PKIXValidator.engineValidate(PKIXValidator.java:270)
> at sun.security.validator.Validator.validate(Validator.java:262)
> at
> sun.security.ssl.X509TrustManagerImpl.validate(X509TrustManagerImpl.java:324)
> at
> sun.security.ssl.X509TrustManagerImpl.checkTrusted(X509TrustManagerImpl.java:229)
> at
> sun.security.ssl.X509TrustManagerImpl.checkServerTrusted(X509TrustManagerImpl.java:124)
> at
> sun.security.ssl.ClientHandshaker.serverCertificate(ClientHandshaker.java:1621)
> ... 31 common frames omitted
> Caused by: java.security.cert.CertPathValidatorException: validity check
> failed
> at
> sun.security.provider.certpath.PKIXMasterCertPathValidator.validate(PKIXMasterCertPathValidator.java:135)
> at
> sun.security.provider.certpath.PKIXCertPathValidator.validate(PKIXCertPathValidator.java:233)
> at
> sun.security.provider.certpath.PKIXCertPathValidator.validate(PKIXCertPathValidator.java:141)
> at
> sun.security.provider.certpath.PKIXCertPathValidator.engineValidate(PKIXCertPathValidator.java:80)
> at
> java.security.cert.CertPathValidator.validate(CertPathValidator.java:292)
> at sun.security.validator.PKIXValidator.doValidate(PKIXValidator.java:357)
> ... 37 common frames omitted
> Caused by: java.security.cert.CertificateExpiredException: NotAfter: Mon
> May 04 00:36:24 GMT 2020
> at
> sun.security.x509.CertificateValidity.valid(CertificateValidity.java:274)
> at sun.security.x509.X509CertImpl.checkValidity(X509CertImpl.java:629)
> at
> sun.security.provider.certpath.BasicChecker.verifyValidity(BasicChecker.java:190)
> at sun.security.provider.certpath.BasicChecker.check(BasicChecker.java:144)
> at
> sun.security.provider.certpath.PKIXMasterCertPathValidator.validate(PKIXMasterCertPathValidator.java:125)
> ... 42 common frames omitted
> [2021-02-19T06:49:54.687+00:00|WARN|CambriaSimplerBatchPublisher|pool-4-thread-1]
> Send failed, 3 message to send.
> [2021-02-19T06:49:54.687+00:00|ERROR|CambriaSimplerBatchPublisher|pool-4-thread-1]
> PUB_CHRONIC_FAILURE: Send failure count is 251, above threshold 10.
> [2021-02-19T06:49:55.727+00:00|INFO|CambriaSimplerBatchPublisher|pool-4-thread-1]
> sending 3 msgs to /events/POLICY-PDP-PAP. Oldest: 263704 ms
> [2021-02-19T06:49:55.727+00:00|WARN|HostSelector|pool-4-thread-1] All
> hosts were blacklisted; reverting to full set of hosts.
> [2021-02-19T06:49:55.727+00:00|INFO|HttpClient|pool-4-thread-1] POST
> https://message-router:3905/events/POLICY-PDP-PAP
> (anonymous) ...
> [2021-02-19T06:49:55.734+00:00|WARN|HttpClient|pool-4-thread-1] Error
> executing HTTP request. sun.security.validator.ValidatorException: PKIX
> path validation failed: java.security.cert.CertPathValidatorException:
> validity check failed; blacklisting for 2 minutes
> [2021-02-19T06:49:55.735+00:00|WARN|CambriaSimplerBatchPublisher|pool-4-thread-1]
> sun.security.validator.ValidatorException: PKIX path validation failed:
> java.security.cert.CertPathValidatorException: validity check failed
> javax.net.ssl.SSLHandshakeException:
> sun.security.validator.ValidatorException: PKIX path validation failed:
> java.security.cert.CertPathValidatorException: validity check failed
> at sun.security.ssl.Alerts.getSSLException(Alerts.java:192)
> at sun.security.ssl.SSLSocketImpl.fatal(SSLSocketImpl.java:1946)
> at sun.security.ssl.Handshaker.fatalSE(Handshaker.java:316)
> at sun.security.ssl.Handshaker.fatalSE(Handshaker.java:310)
> at
> sun.security.ssl.ClientHandshaker.serverCertificate(ClientHandshaker.java:1639)
> at
> sun.security.ssl.ClientHandshaker.processMessage(ClientHandshaker.java:223)
> at sun.security.ssl.Handshaker.processLoop(Handshaker.java:1037)
> at sun.security.ssl.Handshaker.process_record(Handshaker.java:965)
> at sun.security.ssl.SSLSocketImpl.readRecord(SSLSocketImpl.java:1064)
> at
> sun.security.ssl.SSLSocketImpl.performInitialHandshake(SSLSocketImpl.java:1367)
> at sun.security.ssl.SSLSocketImpl.startHandshake(SSLSocketImpl.java:1395)
> at sun.security.ssl.SSLSocketImpl.startHandshake(SSLSocketImpl.java:1379)
> at
> org.apache.http.conn.ssl.SSLConnectionSocketFactory.createLayeredSocket(SSLConnectionSocketFactory.java:396)
> at
> org.apache.http.conn.ssl.SSLConnectionSocketFactory.connectSocket(SSLConnectionSocketFactory.java:355)
> at
> org.apache.http.impl.conn.DefaultHttpClientConnectionOperator.connect(DefaultHttpClientConnectionOperator.java:142)
> at
> org.apache.http.impl.conn.PoolingHttpClientConnectionManager.connect(PoolingHttpClientConnectionManager.java:373)
> at
> org.apache.http.impl.execchain.MainClientExec.establishRoute(MainClientExec.java:381)
> at
> org.apache.http.impl.execchain.MainClientExec.execute(MainClientExec.java:237)
> at
> org.apache.http.impl.execchain.ProtocolExec.execute(ProtocolExec.java:185)
> at org.apache.http.impl.execchain.RetryExec.execute(RetryExec.java:89)
> at
> org.apache.http.impl.execchain.RedirectExec.execute(RedirectExec.java:111)
> at
> org.apache.http.impl.client.InternalHttpClient.doExecute(InternalHttpClient.java:185)
> at
> org.apache.http.impl.client.CloseableHttpClient.execute(CloseableHttpClient.java:83)
> at com.att.nsa.apiClient.http.HttpClient.runCall(HttpClient.java:708)
> at com.att.nsa.apiClient.http.HttpClient.post(HttpClient.java:456)
> at
> com.att.nsa.cambria.client.impl.CambriaSimplerBatchPublisher.sendBatch(CambriaSimplerBatchPublisher.java:342)
> at
> com.att.nsa.cambria.client.impl.CambriaSimplerBatchPublisher.send(CambriaSimplerBatchPublisher.java:251)
> at
> com.att.nsa.cambria.client.impl.CambriaSimplerBatchPublisher.access$100(CambriaSimplerBatchPublisher.java:31)
> at
> com.att.nsa.cambria.client.impl.CambriaSimplerBatchPublisher$1.run(CambriaSimplerBatchPublisher.java:411)
> at java.util.concurrent.Executors$RunnableAdapter.call(Executors.java:511)
> at java.util.concurrent.FutureTask.runAndReset(FutureTask.java:308)
> at
> java.util.concurrent.ScheduledThreadPoolExecutor$ScheduledFutureTask.access$301(ScheduledThreadPoolExecutor.java:180)
> at
> java.util.concurrent.ScheduledThreadPoolExecutor$ScheduledFutureTask.run(ScheduledThreadPoolExecutor.java:294)
> at
> java.util.concurrent.ThreadPoolExecutor.runWorker(ThreadPoolExecutor.java:1149)
> at
> java.util.concurrent.ThreadPoolExecutor$Worker.run(ThreadPoolExecutor.java:624)
> at java.lang.Thread.run(Thread.java:748)
> Caused by: sun.security.validator.ValidatorException: PKIX path validation
> failed: java.security.cert.CertPathValidatorException: validity check failed
> at sun.security.validator.PKIXValidator.doValidate(PKIXValidator.java:362)
> at
> sun.security.validator.PKIXValidator.engineValidate(PKIXValidator.java:270)
> at sun.security.validator.Validator.validate(Validator.java:262)
> at
> sun.security.ssl.X509TrustManagerImpl.validate(X509TrustManagerImpl.java:324)
> at
> sun.security.ssl.X509TrustManagerImpl.checkTrusted(X509TrustManagerImpl.java:229)
> at
> sun.security.ssl.X509TrustManagerImpl.checkServerTrusted(X509TrustManagerImpl.java:124)
> at
> sun.security.ssl.ClientHandshaker.serverCertificate(ClientHandshaker.java:1621)
> ... 31 common frames omitted
> Caused by: java.security.cert.CertPathValidatorException: validity check
> failed
> at
> sun.security.provider.certpath.PKIXMasterCertPathValidator.validate(PKIXMasterCertPathValidator.java:135)
> at
> sun.security.provider.certpath.PKIXCertPathValidator.validate(PKIXCertPathValidator.java:233)
> at
> sun.security.provider.certpath.PKIXCertPathValidator.validate(PKIXCertPathValidator.java:141)
> at
> sun.security.provider.certpath.PKIXCertPathValidator.engineValidate(PKIXCertPathValidator.java:80)
>
>
>
>
>
>
>
> On Thu, Feb 18, 2021 at 8:43 PM Determe, Sebastien <
> [email protected]> wrote:
>
> Hi, could you attach the clamp backend log maybe?
>
>
>
> Thanks,
>
> Seb
>
>
>
> *From:* Vivekanandan Muthukrishnan <[email protected]>
> *Sent:* 18 February 2021 14:45
> *To:* Determe, Sebastien <[email protected]>
> *Cc:* [email protected]
> *Subject:* Re: [onap-discuss] CLAMP org.onap.clamp.p12 certifcate expired
>
>
>
> Hi Sebastien,
>
>
>
> Thank you for your quick response. Kindly note that we have been using
> Dublin and we have to support it till the end of this year.
>
>
>
> While submitting a CLAMP design, we get the following exception in the UI.
> We are not sure if this is related to the CLAMP certificate. Are there any
> workarounds for this issue?
>
>
>
> We would appreciate any help in this regard.
>
>
>
> *CLAMP UI Exception*
>
>
>
> PDP Group removal, Error reported: javax.net.ssl.SSLHandshakeException:
> sun.security.validator.ValidatorException: PKIX path validation failed:
> java.security.cert.CertPathValidatorException: validity check failed - :
>
>
>
> *CLAMP UI Screenshot*
>
> [image: image.png]
>
>
>
> Thanks & Regards
>
> Vivek
>
>
>
>
>
>
>
>
>
> On Thu, Feb 18, 2021 at 6:13 PM Determe, Sebastien <
> [email protected]> wrote:
>
> Hi,
>
>
>
> We do not provide a new certificate as it is generated automatically since
> Guilin by AAF during OOM installation.
>
> You can even use the basic auth and use the demo user (pass: demo123456!),
> this one has the right AAF permission now.
>
>
>
> If you really need a certificate then you will need to re-generate one in
> the AAF GUI
>
>
>
> If you can’t move to Guilin, you can probably disable the AAF authentication 
> mechanism in CLAMP OOM, we use spring profiles, you can change that in the 
> application.properties(/SPRING_APPLICATION_JSON env var)
>
>
>
> Normally the default one is
>
>
> spring.profiles.active=clamp-default,clamp-aaf-authentication,clamp-sdc-controller,clamp-ssl-config,clamp-policy-controller,default-dictionary-elements
>
>
>
> “clamp-aaf-authentication” must be replaced by “clamp-default-user”
>
>
>
> Regards,
>
> Seb
>
>
>
> *From:* [email protected] <[email protected]> *On
> Behalf Of *Vivekanandan Muthukrishnan
> *Sent:* 18 February 2021 12:55
> *To:* [email protected]
> *Subject:* [onap-discuss] CLAMP org.onap.clamp.p12 certifcate expired
>
>
>
> Dear Clamp team,
>
>
>
> It seems like the below CLAMP certificate has expired on Feb/04/2021. Can
> you please point us to the latest one?
>
>
>
> We would appreciate any help in this regard.
>
>
>
>
>
>
> https://gerrit.onap.org/r/gitweb?p=clamp.git;a=blob;f=src/main/resources/clds/aaf/org.onap.clamp.p12;h=268aa1a3ce56e01448f8043cc0b05b5fceb5a47d;hb=HEAD
>
>
>
> 
>
>
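
The triage done by eye on the quoted Policy drools log (which peer failed, and which validity bound lies behind "validity check failed"), as an added Python example that is not part of the original thread or of ONAP code. The sample log is condensed from the thread with wrapped lines rejoined, plus one constructed healthy request; `triage` and `Finding` are hypothetical names, and the JDK date is assumed to be printed in GMT/UTC.

```python
import re
from dataclasses import dataclass
from datetime import datetime, timezone
from typing import Dict, Optional

# Condensed from the Policy drools log in the thread (wrapped lines rejoined);
# the pool-9 request/response pair is constructed to show a healthy peer.
SAMPLE_LOG = """\
[2021-02-19T06:49:54.677+00:00|INFO|CambriaSimplerBatchPublisher|pool-4-thread-1] sending 3 msgs to /events/POLICY-PDP-PAP. Oldest: 262654 ms
[2021-02-19T06:49:54.677+00:00|INFO|HttpClient|pool-4-thread-1] POST https://message-router:3905/events/POLICY-PDP-PAP (anonymous) ...
[2021-02-19T06:49:54.686+00:00|WARN|HttpClient|pool-4-thread-1] Error executing HTTP request. sun.security.validator.ValidatorException: PKIX path validation failed: java.security.cert.CertPathValidatorException: validity check failed; blacklisting for 2 minutes
javax.net.ssl.SSLHandshakeException: sun.security.validator.ValidatorException: PKIX path validation failed: java.security.cert.CertPathValidatorException: validity check failed
\tat sun.security.ssl.Alerts.getSSLException(Alerts.java:192)
Caused by: java.security.cert.CertificateExpiredException: NotAfter: Mon May 04 00:36:24 GMT 2020
[2021-02-19T06:49:55.100+00:00|INFO|HttpClient|pool-9-thread-1] GET https://healthy.example:8443/ping (anonymous) ...
[2021-02-19T06:49:55.120+00:00|INFO|HttpClient|pool-9-thread-1] 200 OK
[2021-02-19T06:49:55.727+00:00|INFO|HttpClient|pool-4-thread-1] POST https://message-router:3905/events/POLICY-PDP-PAP (anonymous) ...
[2021-02-19T06:49:55.734+00:00|WARN|HttpClient|pool-4-thread-1] Error executing HTTP request. sun.security.validator.ValidatorException: PKIX path validation failed: java.security.cert.CertPathValidatorException: validity check failed; blacklisting for 2 minutes
"""

# Record header of the quoted format: [timestamp|LEVEL|logger|thread] message
HEADER = re.compile(
    r"^\[(?P<ts>[^|\]]+)\|(?P<level>\w+)\|(?P<logger>[^|]+)\|(?P<thread>[^\]]+)\]\s*(?P<msg>.*)$")
REQUEST = re.compile(r"\b(?:GET|POST|PUT|DELETE) https?://(?P<peer>[^/\s]+)")
PKIX_FAIL = "PKIX path validation failed"
# The JDK validity check reports the bound as java.util.Date.toString() text.
BOUND = re.compile(
    r"Certificate(?P<kind>Expired|NotYetValid)Exception: Not(?:After|Before): "
    r"(?P<date>\w{3} \w{3} \d{2} \d{2}:\d{2}:\d{2}) (?:GMT|UTC) (?P<year>\d{4})")


@dataclass
class Finding:
    peer: str
    first_seen: datetime
    failures: int = 0
    kind: Optional[str] = None        # "Expired" or "NotYetValid"
    bound: Optional[datetime] = None  # NotAfter / NotBefore taken from the trace

    def days_expired(self) -> Optional[int]:
        """Whole days between NotAfter and the first failed handshake."""
        if self.kind != "Expired" or self.bound is None:
            return None
        return (self.first_seen - self.bound).days


def triage(log_text: str) -> Dict[str, Finding]:
    """Group PKIX validity failures by the host:port the client was calling."""
    findings: Dict[str, Finding] = {}
    pending: Dict[str, str] = {}  # thread -> peer of a request not yet seen failing
    failed: Dict[str, str] = {}   # thread -> peer whose handshake just failed
    thread, seen = None, None     # stack-trace lines inherit the last header
    for line in log_text.splitlines():
        head = HEADER.match(line)
        if head:
            thread = head["thread"]
            seen = datetime.fromisoformat(head["ts"])
            req = REQUEST.search(head["msg"])
            if req:
                pending[thread] = req["peer"]
                failed.pop(thread, None)
                continue
        if thread is None:
            continue
        # Count one failure per request, however often the trace repeats it.
        if PKIX_FAIL in line and thread in pending:
            peer = pending.pop(thread)
            failed[thread] = peer
            findings.setdefault(peer, Finding(peer, first_seen=seen)).failures += 1
        bound = BOUND.search(line)
        if bound and thread in failed:
            hit = findings[failed[thread]]
            hit.kind = bound["kind"]
            hit.bound = datetime.strptime(
                f"{bound['date']} {bound['year']}", "%a %b %d %H:%M:%S %Y"
            ).replace(tzinfo=timezone.utc)
    return findings


if __name__ == "__main__":
    for f in triage(SAMPLE_LOG).values():
        print(f"{f.peer}: {f.failures} failed handshake(s), certificate {f.kind}, "
              f"bound {f.bound}, {f.days_expired()} days past NotAfter")
```

Stack-trace lines carry no thread field, so the sketch attributes them to the most recent header; on a heavily interleaved log that attribution can be wrong and the peer should be confirmed with the `openssl s_client` check quoted in the thread.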


View/Reply Online (#22885): https://lists.onap.org/g/onap-discuss/message/22885