Re: [Dev] SSL issue in EI while using Entitlement mediator with IS

2017-10-27 Thread Dilshani Subasinghe
Hi Tharindu,

Thanks for pointing out methods to identify root cause through SSL logs.

It was identified that EI 6.1.1 had an issue with the expired private key,
and the issue was fixed when I used the latest pack with the WUM update.

Thank you,
Dilshani

On Fri, Oct 27, 2017 at 5:23 AM, Tharindu Edirisinghe wrote:

> By the way, shouldn't we BCC (instead of CC) the internal mailing lists
> when mailing to public mailing lists like Dev ?
>
> Hi Dilshani,
>
> Disabling hostname verification to bypass this issue would not be a good
> practice.
>
> This error message can come due to several certificate related issues.
> Therefore, to isolate the exact issue, would you be able to start EI with
> enabling SSL debug logs for handshake.
>
> -Djavax.net.debug=ssl:handshake
>
> You'll have to append the SSL debug logs to a file as it would just print
> to terminal without appending to carbon log.
>
> sh integrator.sh -Djavax.net.debug=ssl:handshake > ssl.log
>
> Once EI is running, try out the same flow and check (or share) the SSL
> debug log. Then you should be able to identify the root cause
>
> Thanks,
> TharinduE
>
> On Thu, Oct 26, 2017 at 10:16 PM, Dilshani Subasinghe wrote:
>
>> Hi all,
>>
>> I implemented "Fine-grained access control for SOAP services" (Refer 25th
>> pattern in this blog [1]) pattern using WSO2 EI 6.1.1 and WSO2 IS 5.3.0. I
>> was able to implement the pattern locally and tested it successfully. While
>> I'm moving to cloud setup, I got some errors while EI going to make the
>> connection with IS.
>>
>> I got an error as follows:
>>
>> [*2017-10-26 18:52:05,406] [EI-Core]  INFO - HTTPSender Unable to
>> sendViaPost to url[https://192.168.57.251/services/EntitlementService]*
>> *javax.net.ssl.SSLPeerUnverifiedException: SSL peer failed hostname
>> validation for name: null*
>> * at org.opensaml.ws.soap.client.http.TLSProtocolSocketFactory.verifyHostname(TLSProtocolSocketFactory.java:233)*
>> * at org.opensaml.ws.soap.client.http.TLSProtocolSocketFactory.createSocket(TLSProtocolSocketFactory.java:186)*
>> * at org.apache.commons.httpclient.HttpConnection.open(HttpConnection.java:707)*
>>
>> After referring some docs and emails, found out we need to add following
>> property in the integrator.sh script.
>>
>> *-Dorg.opensaml.httpclient.https.disableHostnameVerification=true \*
>>
>> After adding that, again got an error as follows:
>>
>> [2017-10-26 20:19:16,448] [EI-Core]  INFO - HTTPSender Unable to
>> sendViaPost to url[https://is.dev.wso2.org/services/EntitlementService]
>> javax.net.ssl.SSLPeerUnverifiedException: peer not authenticated
>> at sun.security.ssl.SSLSessionImpl.getPeerCertificates(SSLSessionImpl.java:431)
>> at org.apache.commons.httpclient.protocol.SSLProtocolSocketFactory.verifyHostName(SSLProtocolSocketFactory.java:259)
>> at org.apache.commons.httpclient.protocol.SSLProtocolSocketFactory.createSocket(SSLProtocolSocketFactory.java:158)
>>
>> Any idea on fixing this issue?
>>
>> [1] https://medium.facilelogin.com/thirty-solution-patterns-with-the-wso2-identity-server-16f9fd0c0389
>>
>> --
>> Best Regards,
>>
>> Dilshani Subasinghe
>> Software Engineer - QA *|* WSO2
>> lean *|* enterprise *|* middleware
>>
>> Mobile : +94773375185
>> Blog: dilshani.me
>>
>> 
>>
>
>
>
> --
>
> Tharindu Edirisinghe
> Senior Software Engineer | WSO2 Inc
> Platform Security Team
> Blog : http://tharindue.blogspot.com
> mobile : +94 775181586
>



-- 
Best Regards,

Dilshani Subasinghe
Software Engineer - QA *|* WSO2
lean *|* enterprise *|* middleware

Mobile : +94773375185
Blog: dilshani.me


___
Dev mailing list
Dev@wso2.org
http://wso2.org/cgi-bin/mailman/listinfo/dev
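
The two certificate conditions this thread turns on (the endpoint URL's host not being covered by the certificate, and a certificate outside its validity period) can be checked directly with openssl, without disabling hostname verification. This is an added example, not part of the original messages or of WSO2's tooling; it assumes OpenSSL 1.1.1 or later, and the certificate and the names make_sample_cert, cert_matches, cert_valid_for and triage are constructed for illustration.

```sh
#!/bin/sh
# Added example. The certificate is constructed here; it is not the real
# certificate of is.dev.wso2.org. Requires the openssl command-line tool.

# Create a throwaway self-signed cert: 1-day validity, one DNS SAN, no IP SAN.
make_sample_cert() {   # $1 = directory that receives key.pem and cert.pem
    openssl req -x509 -newkey rsa:2048 -nodes -days 1 \
        -subj "/CN=is.dev.wso2.org" \
        -addext "subjectAltName=DNS:is.dev.wso2.org" \
        -keyout "$1/key.pem" -out "$1/cert.pem" 2>/dev/null
}

# Succeeds if the cert covers the host part of the endpoint URL.
# IPv4 literals are checked against IP SANs, everything else as a DNS name.
cert_matches() {       # $1 = PEM file, $2 = DNS name or IPv4 literal
    case "$2" in
        *[!0-9.]*) check=-checkhost ;;
        *)         check=-checkip ;;
    esac
    openssl x509 -in "$1" -noout "$check" "$2" | grep -q "does match"
}

# Succeeds if the cert is still inside its validity period $2 seconds from now.
cert_valid_for() {     # $1 = PEM file, $2 = seconds (0 = "valid right now")
    openssl x509 -in "$1" -noout -checkend "$2" >/dev/null
}

# One-word diagnosis covering both failures seen in the thread.
triage() {             # $1 = PEM file, $2 = URL host, $3 = horizon seconds
    cert_valid_for "$1" "${3:-0}" || { echo expired-or-expiring; return 0; }
    cert_matches "$1" "$2"        || { echo name-mismatch; return 0; }
    echo ok
}

SAMPLE_DIR=$(mktemp -d)
make_sample_cert "$SAMPLE_DIR"
for host in is.dev.wso2.org 192.168.57.251; do
    echo "$host: $(triage "$SAMPLE_DIR/cert.pem" "$host")"
done
echo "30-day horizon: $(triage "$SAMPLE_DIR/cert.pem" is.dev.wso2.org 2592000)"
```

Pointing the functions at the PEM certificate the IS endpoint actually presents runs the same checks against a real deployment.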


Re: [Dev] SSL issue in EI while using Entitlement mediator with IS

2017-10-26 Thread Tharindu Edirisinghe
By the way, shouldn't we BCC (instead of CC) the internal mailing lists
when mailing to public mailing lists like Dev ?

Hi Dilshani,

Disabling hostname verification to bypass this issue would not be a good
practice.

This error message can come from several certificate-related issues.
Therefore, to isolate the exact issue, would you be able to start EI with
SSL debug logs enabled for the handshake?

-Djavax.net.debug=ssl:handshake

You'll have to append the SSL debug logs to a file as it would just print
to terminal without appending to carbon log.

sh integrator.sh -Djavax.net.debug=ssl:handshake > ssl.log

Once EI is running, try out the same flow and check (or share) the SSL
debug log. Then you should be able to identify the root cause.

Thanks,
TharinduE






On Thu, Oct 26, 2017 at 10:16 PM, Dilshani Subasinghe wrote:

> Hi all,
>
> I implemented "Fine-grained access control for SOAP services" (Refer 25th
> pattern in this blog [1]) pattern using WSO2 EI 6.1.1 and WSO2 IS 5.3.0. I
> was able to implement the pattern locally and tested it successfully. While
> I'm moving to cloud setup, I got some errors while EI going to make the
> connection with IS.
>
> I got an error as follows:
>
> [*2017-10-26 18:52:05,406] [EI-Core]  INFO - HTTPSender Unable to
> sendViaPost to url[https://192.168.57.251/services/EntitlementService]*
> *javax.net.ssl.SSLPeerUnverifiedException: SSL peer failed hostname
> validation for name: null*
> * at org.opensaml.ws.soap.client.http.TLSProtocolSocketFactory.verifyHostname(TLSProtocolSocketFactory.java:233)*
> * at org.opensaml.ws.soap.client.http.TLSProtocolSocketFactory.createSocket(TLSProtocolSocketFactory.java:186)*
> * at org.apache.commons.httpclient.HttpConnection.open(HttpConnection.java:707)*
>
> After referring some docs and emails, found out we need to add following
> property in the integrator.sh script.
>
> *-Dorg.opensaml.httpclient.https.disableHostnameVerification=true \*
>
> After adding that, again got an error as follows:
>
> [2017-10-26 20:19:16,448] [EI-Core]  INFO - HTTPSender Unable to
> sendViaPost to url[https://is.dev.wso2.org/services/EntitlementService]
> javax.net.ssl.SSLPeerUnverifiedException: peer not authenticated
> at sun.security.ssl.SSLSessionImpl.getPeerCertificates(SSLSessionImpl.java:431)
> at org.apache.commons.httpclient.protocol.SSLProtocolSocketFactory.verifyHostName(SSLProtocolSocketFactory.java:259)
> at org.apache.commons.httpclient.protocol.SSLProtocolSocketFactory.createSocket(SSLProtocolSocketFactory.java:158)
>
> Any idea on fixing this issue?
>
> [1] https://medium.facilelogin.com/thirty-solution-patterns-with-the-wso2-identity-server-16f9fd0c0389
>
> --
> Best Regards,
>
> Dilshani Subasinghe
> Software Engineer - QA *|* WSO2
> lean *|* enterprise *|* middleware
>
> Mobile : +94773375185
> Blog: dilshani.me
>
> 
>



-- 

Tharindu Edirisinghe
Senior Software Engineer | WSO2 Inc
Platform Security Team
Blog : http://tharindue.blogspot.com
mobile : +94 775181586


[Dev] SSL issue in EI while using Entitlement mediator with IS

2017-10-26 Thread Dilshani Subasinghe
Hi all,

I implemented the "Fine-grained access control for SOAP services" pattern
(refer to the 25th pattern in this blog [1]) using WSO2 EI 6.1.1 and WSO2 IS
5.3.0. I was able to implement the pattern locally and tested it
successfully. While moving to the cloud setup, I got some errors when EI
tried to make the connection with IS.

I got an error as follows:

[*2017-10-26 18:52:05,406] [EI-Core]  INFO - HTTPSender Unable to
sendViaPost to url[https://192.168.57.251/services/EntitlementService]*
*javax.net.ssl.SSLPeerUnverifiedException: SSL peer failed hostname
validation for name: null*
* at org.opensaml.ws.soap.client.http.TLSProtocolSocketFactory.verifyHostname(TLSProtocolSocketFactory.java:233)*
* at org.opensaml.ws.soap.client.http.TLSProtocolSocketFactory.createSocket(TLSProtocolSocketFactory.java:186)*
* at org.apache.commons.httpclient.HttpConnection.open(HttpConnection.java:707)*

After referring to some docs and emails, I found out we need to add the
following property in the integrator.sh script.

*-Dorg.opensaml.httpclient.https.disableHostnameVerification=true \*

After adding that, again got an error as follows:

[2017-10-26 20:19:16,448] [EI-Core]  INFO - HTTPSender Unable to
sendViaPost to url[https://is.dev.wso2.org/services/EntitlementService]
javax.net.ssl.SSLPeerUnverifiedException: peer not authenticated
at sun.security.ssl.SSLSessionImpl.getPeerCertificates(SSLSessionImpl.java:431)
at org.apache.commons.httpclient.protocol.SSLProtocolSocketFactory.verifyHostName(SSLProtocolSocketFactory.java:259)
at org.apache.commons.httpclient.protocol.SSLProtocolSocketFactory.createSocket(SSLProtocolSocketFactory.java:158)

Any idea on fixing this issue?

[1] https://medium.facilelogin.com/thirty-solution-patterns-with-the-wso2-identity-server-16f9fd0c0389

-- 
Best Regards,

Dilshani Subasinghe
Software Engineer - QA *|* WSO2
lean *|* enterprise *|* middleware

Mobile : +94773375185
Blog: dilshani.me

