IBM Mobile First - Http request failed: javax.net.ssl.SSLHandshakeException - odata

I am trying to consume an OData service using SAP NetWeaver Gateway adapters, but I am facing the issue below:
Runtime: Http request failed: javax.net.ssl.SSLHandshakeException: sun.security.validator.ValidatorException: PKIX path building failed: sun.security.provider.certpath.SunCertPathBuilderException: unable to find valid certification path to requested target
Here is my worklight.properties
########## MobileFirst SSL keystore
#############################################
#SSL certificate keystore location.
ssl.keystore.path=conf/default.keystore
#SSL certificate keystore type (jks or PKCS12)
ssl.keystore.type=jks
#SSL certificate keystore password.
ssl.keystore.password=<keystorepassword>
Here is my adapter.xml
<connectivity>
<connectionPolicy xsi:type="nwgateway:NWGatewayHTTPConnectionPolicyType">
<protocol>https</protocol>
<domain>mydomain</domain>
<port>myport</port>
<connectionTimeoutInMilliseconds>30000</connectionTimeoutInMilliseconds>
<socketTimeoutInMilliseconds>30000</socketTimeoutInMilliseconds>
<serviceRootUrl>/sap/opu/odata/SAP/ZBIN_POC_SRV/</serviceRootUrl>
<authentication>
<basic/>
<serverIdentity>
<client>001</client>
<username>username</username>
<password>password</password>
</serverIdentity>
</authentication>
<!-- Following properties used by adapter's key manager for choosing specific certificate from key store-->
<sslCertificateAlias></sslCertificateAlias>
<sslCertificatePassword></sslCertificatePassword>
<maxConcurrentConnectionsPerNode>50</maxConcurrentConnectionsPerNode>
</connectionPolicy>
</connectivity>
<procedure name="retrieveTravelAgency"/>
I also imported default.keystore here (PFA).
Here is the link I am following.
Can anyone help me out on this? Thanks in advance.

Related

Jenkins with Azure AD integration fails with "A problem occurred while processing the request"

There is a lot of help available, but I am not able to fix it. After I enter my user name and password, the Jenkins login with Azure AD is successful and it returns the token as well. After that it fails with "A problem occurred while processing the request". Login is successful when I look at the Azure side, and the Jenkins UI prints the token too.
When I look at the error logs, I see:
javax.net.ssl|DEBUG|13|Handling POST /securityRealm/finishLogin from x.x.x.x : Jetty (winstone)-19|2021-07-15 19:36:53.374 EDT|Utilities.java:73|the previous server name in SNI (type=host_name (0), value=login.microsoftonline.com) was replaced with (type=host_name (0), value=login.microsoftonline.com)
2021-07-15 23:36:55.398+0000 [id=326] INFO c.m.a.a.AuthenticationAuthority#doInstanceDiscovery: [Correlation ID: e11160be-50c3-43d7-96a8-dc02c3cc2b2c] Instance discovery was successful
javax.net.ssl|ERROR|13|Handling POST /securityRealm/finishLogin from x.x.x.x : Jetty (winstone)-19|2021-07-15 19:36:55.769 EDT|TransportContext.java:344|Fatal **** (CERTIFICATE_UNKNOWN): PKIX path building failed: sun.security.provider.certpath.SunCertPathBuilderException: unable to find valid certification path to requested target (
"throwable" : {
Also
javax.net.ssl|DEBUG|13|Handling POST /securityRealm/finishLogin from x.x.x.x : Jetty (winstone)-19|2021-07-15 19:36:55.773 EDT|SSLSocketImpl.java:1569|close the underlying socket
javax.net.ssl|DEBUG|13|Handling POST /securityRealm/finishLogin from x.x.x.x : Jetty (winstone)-19|2021-07-15 19:36:55.773 EDT|SSLSocketImpl.java:1588|close the SSL connection (initiative)
2021-07-15 23:36:55.787+0000 [id=19] SEVERE c.m.j.azuread.AzureSecurityRealm#doFinishLogin: error
sun.security.provider.certpath.SunCertPathBuilderException: unable to find valid certification path to requested target
I have imported certs for login.microsoftonline.com and portal.azure.com, and my jenkins.xml has:
-Djavax.net.ssl.trustStore="C:\Program Files (x86)\Jenkins\.cacerts\jssecacerts" -Djavax.net.ssl.trustStorePassword=changeit
Not sure for which website it says "unable to find valid certification path to requested target".
As posted in another entry on Stack Overflow, I'd try to debug what is happening with your trustStore with something like:
java -Djavax.net.debug=all -Djavax.net.ssl.trustStore="C:\Program Files (x86)\Jenkins\.cacerts\jssecacerts" -Djavax.net.ssl.trustStorePassword=changeit
You may want to have a look at this post
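The same PKIX path building failure appears in the IBM MobileFirst question at the top of the page, in this Jenkins question, and in the Mule Google Spreadsheets question further down. The `-Djavax.net.debug=all` output suggested above is pipe-delimited, and the useful facts (which peer was being contacted, which fatal alert ended the handshake) are buried in it. The following Python is an added example, not code from the thread or from Jenkins: it parses that record format and turns the first fatal alert into an operator-facing verdict. The log sample is constructed from the lines quoted in the question, with the correlation ID redacted.

```python
import re
from dataclasses import dataclass
from typing import Optional

# Constructed sample, modelled on the javax.net.debug output quoted in the Jenkins question.
# JSSE debug records are pipe-delimited: logger|level|thread id|thread name|timestamp|source|message.
SAMPLE_LOG = """\
javax.net.ssl|DEBUG|13|Handling POST /securityRealm/finishLogin from x.x.x.x : Jetty (winstone)-19|2021-07-15 19:36:53.374 EDT|Utilities.java:73|the previous server name in SNI (type=host_name (0), value=login.microsoftonline.com) was replaced with (type=host_name (0), value=login.microsoftonline.com)
2021-07-15 23:36:55.398+0000 [id=326] INFO c.m.a.a.AuthenticationAuthority#doInstanceDiscovery: [Correlation ID: <redacted>] Instance discovery was successful
javax.net.ssl|ERROR|13|Handling POST /securityRealm/finishLogin from x.x.x.x : Jetty (winstone)-19|2021-07-15 19:36:55.769 EDT|TransportContext.java:344|Fatal (CERTIFICATE_UNKNOWN): PKIX path building failed: sun.security.provider.certpath.SunCertPathBuilderException: unable to find valid certification path to requested target (
javax.net.ssl|DEBUG|13|Handling POST /securityRealm/finishLogin from x.x.x.x : Jetty (winstone)-19|2021-07-15 19:36:55.773 EDT|SSLSocketImpl.java:1569|close the underlying socket
"""


@dataclass
class JsseRecord:
    logger: str
    level: str
    thread_id: str
    thread_name: str
    timestamp: str
    source: str
    message: str


def parse_jsse_line(line: str) -> Optional[JsseRecord]:
    """Split one javax.net.debug record into its seven fields; lines in other formats return None."""
    if not line.startswith("javax.net.ssl|"):
        return None
    # The message may itself contain '|', so split at most six times.
    parts = line.rstrip("\r\n").split("|", 6)
    if len(parts) != 7:
        return None
    return JsseRecord(*parts)


# "Fatal (ALERT_NAME): <exception text>" as JSSE logs a fatal alert; tolerant of text between "Fatal" and "(".
ALERT_RE = re.compile(r"Fatal\b[^(]*\((?P<alert>[A-Z_]+)\):\s*(?P<reason>.*)")
# Server name from the SNI debug line.
SNI_RE = re.compile(r"value=(?P<host>[A-Za-z0-9.-]+)\)")


@dataclass
class Triage:
    peer: Optional[str] = None   # server name taken from the SNI debug line, if any
    alert: Optional[str] = None  # TLS alert description JSSE logged as fatal
    reason: str = ""             # exception text that accompanied the alert
    verdict: str = "no fatal TLS alert found"


def triage(log_text: str) -> Triage:
    """Walk a javax.net.debug capture and explain the first fatal alert in terms an operator can act on."""
    result = Triage()
    for line in log_text.splitlines():
        rec = parse_jsse_line(line)
        if rec is None:
            continue
        sni = SNI_RE.search(rec.message)
        if sni and result.peer is None:
            result.peer = sni.group("host")
        if rec.level == "ERROR" and result.alert is None:
            alert = ALERT_RE.search(rec.message)
            if alert:
                result.alert = alert.group("alert")
                result.reason = alert.group("reason").rstrip(" (").strip()
    peer = result.peer or "the peer"
    if result.alert == "CERTIFICATE_UNKNOWN" and "PKIX path building failed" in result.reason:
        result.verdict = (
            f"the JVM could not chain {peer}'s certificate to any anchor in its trust store; "
            "add the issuing CA chain to the store named by -Djavax.net.ssl.trustStore "
            "(that property replaces the default cacerts rather than extending it)"
        )
    elif result.alert is not None:
        result.verdict = f"fatal alert {result.alert}: {result.reason}"
    return result


if __name__ == "__main__":
    t = triage(SAMPLE_LOG)
    print(f"peer={t.peer} alert={t.alert}\n{t.verdict}")
```

Two caveats the verdict encodes are worth stating plainly: once `-Djavax.net.ssl.trustStore` is set, the JVM consults only that file and no longer falls back to the bundled `cacerts`, so the custom store must hold every CA the process will ever need; and importing a server's leaf certificate rather than its issuing CA does make the handshake pass, but it will fail again the next time that server rotates its certificate.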

Kafka Ranger SSL integration issue

We are trying to enable an SSL connection between Apache Ranger and a Kafka cluster. After creating a keystore and truststore for both Kafka and Ranger, we are unable to connect Kafka to Ranger and we are getting the following error message:
[2020-06-25 20:47:40,013] ERROR Unable to get the Credential Provider from the Configuration (org.apache.ranger.authorization.hadoop.utils.RangerCredentialProvider)
java.lang.IllegalArgumentException: The value of property hadoop.security.credential.provider.path must not be null
at com.google.common.base.Preconditions.checkArgument(Preconditions.java:122)
at org.apache.hadoop.conf.Configuration.set(Configuration.java:1134)
at org.apache.hadoop.conf.Configuration.set(Configuration.java:1115)
at org.apache.ranger.authorization.hadoop.utils.RangerCredentialProvider.getCredentialProviders(RangerCredentialProvider.java:68)
at org.apache.ranger.authorization.hadoop.utils.RangerCredentialProvider.getCredentialString(RangerCredentialProvider.java:46)
at org.apache.ranger.plugin.util.RangerRESTClient.getCredential(RangerRESTClient.java:386)
at org.apache.ranger.plugin.util.RangerRESTClient.getKeyManagers(RangerRESTClient.java:272)
at org.apache.ranger.plugin.util.RangerRESTClient.buildClient(RangerRESTClient.java:188)
at org.apache.ranger.plugin.util.RangerRESTClient.getClient(RangerRESTClient.java:176)
at org.apache.ranger.plugin.util.RangerRESTClient.getResource(RangerRESTClient.java:156)
at org.apache.ranger.admin.client.RangerAdminRESTClient.createWebResource(RangerAdminRESTClient.java:275)
at org.apache.ranger.admin.client.RangerAdminRESTClient.getServicePoliciesIfUpdated(RangerAdminRESTClient.java:126)
at org.apache.ranger.plugin.util.PolicyRefresher.loadPolicyfromPolicyAdmin(PolicyRefresher.java:264)
at org.apache.ranger.plugin.util.PolicyRefresher.loadPolicy(PolicyRefresher.java:202)
at org.apache.ranger.plugin.util.PolicyRefresher.run(PolicyRefresher.java:171)
[2020-06-25 20:47:40,013] ERROR PolicyRefresher(serviceName=KafkaTest): failed to refresh policies. Will continue to use last known version of policies (51) (org.apache.ranger.plugin.util.PolicyRefresher)
java.lang.IllegalArgumentException: TrustManager is not specified
at org.apache.commons.lang.Validate.notNull(Validate.java:192)
at org.apache.ranger.plugin.util.RangerRESTClient.getSSLContext(RangerRESTClient.java:369)
at org.apache.ranger.plugin.util.RangerRESTClient.buildClient(RangerRESTClient.java:190)
at org.apache.ranger.plugin.util.RangerRESTClient.getClient(RangerRESTClient.java:176)
at org.apache.ranger.plugin.util.RangerRESTClient.getResource(RangerRESTClient.java:156)
at org.apache.ranger.admin.client.RangerAdminRESTClient.createWebResource(RangerAdminRESTClient.java:275)
at org.apache.ranger.admin.client.RangerAdminRESTClient.getServicePoliciesIfUpdated(RangerAdminRESTClient.java:126)
at org.apache.ranger.plugin.util.PolicyRefresher.loadPolicyfromPolicyAdmin(PolicyRefresher.java:264)
at org.apache.ranger.plugin.util.PolicyRefresher.loadPolicy(PolicyRefresher.java:202)
at org.apache.ranger.plugin.util.PolicyRefresher.run(PolicyRefresher.java:171)
In the Kafka-Ranger plugin, I have configured the properties below in install.properties:
COMPONENT_INSTALL_DIR_NAME=/home/ec2-user/kafka
POLICY_MGR_URL=https://public-dns-of-ec2:6182
REPOSITORY_NAME=KafkaTest
SSL_KEYSTORE_FILE_PATH=/etc/hadoop/conf/<keystore>.jks
SSL_KEYSTORE_PASSWORD=<password>
SSL_TRUSTSTORE_FILE_PATH=/etc/hadoop/conf/<truststore>.jks
SSL_TRUSTSTORE_PASSWORD=<password>
Note: We are not using Ambari
Make sure the following properties are set:
xasecure.policymgr.clientssl.keystore.credential.file=jceks://file/{{credential_file}}
xasecure.policymgr.clientssl.truststore.credential.file=jceks://file/{{credential_file}}
xasecure.policymgr.clientssl.truststore=/path/to/truststore
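Both stack traces in the question are configuration gaps rather than TLS failures: `RangerCredentialProvider` sets `hadoop.security.credential.provider.path` from the `*.credential.file` keys and gets null, and `getSSLContext` has no truststore to build a `TrustManager` from. The Python below is an added example, not Ranger's own code or anything from the thread: it reads a `.properties` file and reports the keys the answer lists as missing, plus any template placeholders (such as `<password>`) that were never filled in. The mapping from the missing keys to the two exceptions is inferred from the stack traces, not stated in the thread; the sample properties are constructed from the question.

```python
import re
from typing import Dict, List

# Constructed sample: the Kafka plugin's install.properties from the question, still holding the
# template placeholders and with none of the xasecure.policymgr.clientssl.* keys from the answer.
SAMPLE_PROPERTIES = """\
COMPONENT_INSTALL_DIR_NAME=/home/ec2-user/kafka
POLICY_MGR_URL=https://public-dns-of-ec2:6182
REPOSITORY_NAME=KafkaTest
SSL_KEYSTORE_FILE_PATH=/etc/hadoop/conf/<keystore>.jks
SSL_KEYSTORE_PASSWORD=<password>
SSL_TRUSTSTORE_FILE_PATH=/etc/hadoop/conf/<truststore>.jks
SSL_TRUSTSTORE_PASSWORD=<password>
"""

# Keys the answer says must be present once the policy manager is reached over https.
REQUIRED_WHEN_HTTPS = (
    "xasecure.policymgr.clientssl.keystore.credential.file",
    "xasecure.policymgr.clientssl.truststore.credential.file",
    "xasecure.policymgr.clientssl.truststore",
)
# Unfilled template tokens such as <password> or {{credential_file}}.
PLACEHOLDER_RE = re.compile(r"<[^<>]*>|\{\{[^{}]*\}\}")
PROPERTY_RE = re.compile(r"([^=:\s]+)\s*[=:]\s*(.*)")


def parse_properties(text: str) -> Dict[str, str]:
    """Minimal Java .properties reader: key=value or key:value, '#'/'!' comments, whitespace trimmed."""
    props: Dict[str, str] = {}
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line[0] in "#!":
            continue
        m = PROPERTY_RE.match(line)
        if m:
            props[m.group(1)] = m.group(2).strip()
    return props


def lint_ranger_ssl(props: Dict[str, str]) -> List[str]:
    """Report the configuration gaps that would leave the Ranger REST client without credentials or a TrustManager."""
    findings: List[str] = []
    if not props.get("POLICY_MGR_URL", "").lower().startswith("https://"):
        return findings  # plain http to Ranger Admin: the client-side TLS keys are not consulted
    for key in REQUIRED_WHEN_HTTPS:
        value = props.get(key, "").strip()
        if not value:
            findings.append(f"missing {key}")
        elif key.endswith(".credential.file") and not value.startswith("jceks://file/"):
            # Hadoop credential providers are addressed by URI; a bare path is not one.
            findings.append(f"{key} is not a jceks://file/... credential provider URI: {value}")
    for key, value in props.items():
        if PLACEHOLDER_RE.search(value):
            findings.append(f"{key} still contains a template placeholder: {value}")
    return findings


if __name__ == "__main__":
    for finding in lint_ranger_ssl(parse_properties(SAMPLE_PROPERTIES)):
        print("-", finding)
```

Run against the question's properties this reports three missing `xasecure.policymgr.clientssl.*` keys and four placeholder values; a file with the answer's keys filled in and real paths comes back clean.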

Secure Gateway Client fails to recognize gatewayid or sectoken on docker run, error 401

When trying to run the Docker container with the gatewayid and sectoken, it fails with the error "The Secure Gateway gateway ID was either not recognized or requires a security token to connect, error was: 401". And yet when I add them manually via the CLI, it's successful.
I suspect it's because my security token has '--' in it. I tried '', "", and escaping characters on the command line, but nothing worked. It fails on both Win10 and RHEL7.
Here's the console:
C:\Users\DebraJohnson>docker run -p 9023:9003 -it ibmcom/secure-gateway-client <gateway_id> --t <sectoken>
IBM Bluemix Secure Gateway Client Version 1.8.0fp4
....
<press enter for the command line>
[2018-04-16 09:12:17.993] [INFO] (Client ID 1) No password provided. The UI will not require a password for access
[2018-04-16 09:12:18.008] [WARN] (Client ID 1) UI Server started. The UI is not currently password protected
[2018-04-16 09:12:18.009] [INFO] (Client ID 1) Visit localhost:9003/dashboard to view the UI.
cli> [2018-04-16 09:12:18.327] [INFO] (Client ID 13) Setting log level to INFO
[2018-04-16 09:12:18.665] [ERROR] (Client ID 13) The Secure Gateway gateway ID was either not recognized or requires a security token to connect, error was: 401
cli> [2018-04-16 09:12:18.671] [INFO] (Client ID 13) Process exiting without errors due to user or server request
cli> sectoken <sectoken>
cli> connect <gateway_id>
cli> [2018-04-16 09:12:43.095] [INFO] (Client ID 27) Setting log level to INFO
[2018-04-16 09:12:43.774] [INFO] (Client ID 27) The Secure Gateway tunnel is connected
[2018-04-16 09:12:43.868] [INFO] (Client ID xxxxxxxxxxx_Hsu) Your Client ID is xxxxxxxxxxx_Hsu
xxxxxxxxxxx_Hsu>
Thanks
Having a -- as part of the security token could be the reason why you got the 403 error. Can you please try regenerating the security token and connecting the gateway again?
If you still have issues please open a support ticket (https://console.bluemix.net/docs/get-support/howtogetsupport.html#getting-customer-support) where you can provide the gateway id for us to look further into this.
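The thread leaves the mechanism implicit: why would quoting not help, and when does a `--` inside a token actually matter? A command-line parser classifies each argument before the option consumes it, so a value whose first character is `-` is taken for another option, while dashes in the middle of a value are harmless; and quotes are removed by the shell before the program ever sees argv, so `'--abc'` and `--abc` are identical to the parser. The Python below is an added example built on the standard-library `argparse`, with a hypothetical `<gateway_id> --t <token>` interface that mirrors the shape of the docker command in the question; it is not the Secure Gateway client's own (Node.js) parser, and the thread does not establish that that parser behaves identically.

```python
import argparse
from typing import Dict, List, Union


class NonExitingParser(argparse.ArgumentParser):
    """argparse normally prints usage and calls sys.exit on a bad command line;
    raise instead so the outcome can be inspected and tested."""

    def error(self, message: str) -> None:
        raise ValueError(message)


def build_parser() -> argparse.ArgumentParser:
    # Hypothetical client-like interface modelled on "<gateway_id> --t <sectoken>" from the question.
    parser = NonExitingParser(prog="client-like", add_help=False)
    parser.add_argument("gateway_id")
    parser.add_argument("--t", dest="token", help="security token")
    return parser


def parse_client_args(argv: List[str]) -> Dict[str, Union[bool, str, None]]:
    """Return what the parser made of argv, or the parser's own complaint."""
    try:
        ns = build_parser().parse_args(argv)
    except ValueError as exc:
        return {"ok": False, "error": str(exc)}
    return {"ok": True, "gateway_id": ns.gateway_id, "token": ns.token}


if __name__ == "__main__":
    # Dashes inside the value are fine; the parser only looks at the first character.
    print(parse_client_args(["gw123", "--t", "ab--cd"]))
    # A value that starts with "--" is classified as an option, so --t is left with no argument.
    print(parse_client_args(["gw123", "--t", "--abc"]))
    # Attaching the value with "=" binds it to --t before classification, so it is accepted.
    print(parse_client_args(["gw123", "--t=--abc"]))
```

The `--t=<token>` form is the portable way to pass a value that happens to begin with a dash; regenerating the token, as the answer suggests, removes the problem at the source.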

Google Spreadsheet Connector Issue: Unable to get valid certificate path to requested Google API OAUTH2 target

Having problems with google-spreadsheets:authorize. The exact error received is the following when going through the oauth2callback...
500 Server Error. Message - Unable to fetch access token.
Local Dev Environment:
Mule ESB 3.9
JDK 1.8_161
Google Spreadsheet Connector 1.2.4
http://localhost:3000/oauth2callback?state=some_generated_state_value&code=some_generated_code
<google-spreadsheets:config-with-oauth name="Google_Spreadsheets" consumerKey="${google.apiKey}" consumerSecret="${google.apiSecret}" doc:name="Google Spreadsheets">
<google-spreadsheets:oauth-callback-config domain="localhost" localPort="3000" remotePort="3000" path="oauth2callback"/>
</google-spreadsheets:config-with-oauth>
<flow name="authorizationAndAuthenticationFlow">
<http:listener config-ref="httpListenerConfig" path="${google.api}/oauth-authorize" allowedMethods="GET" doc:name="HTTP" >
</http:listener>
<google-spreadsheets:authorize config-ref="Google_Spreadsheets" accessTokenUrl="https://accounts.google.com/o/oauth2/token" authorizationUrl="https://accounts.google.com/o/oauth2/auth" doc:name="Google Spreadsheets"/>
<logger message="Google has authorized the connector." level="INFO" doc:name="Logger: Log Google authorization"/>
<set-payload value="You have successfully authorized the connector" doc:name="Set Payload"/>
</flow>
The exact stack trace error is below...
ERROR 2018-02-08 19:35:25,195 [[app-google].auto-generated-listener-config-0.worker.01] org.mule.exception.DefaultMessagingExceptionStrategy:
********************************************************************************
Message : Unable to fetch access token.
Payload : {NullPayload}
Payload Type : org.mule.transport.NullPayload
Element : /DynamicFlow-localhost:3000\/oauth2callback/processors/0/1 # app-google
--------------------------------------------------------------------------------
Root Exception stack trace:
sun.security.provider.certpath.SunCertPathBuilderException: unable to find valid certification path to requested target
at sun.security.provider.certpath.SunCertPathBuilder.build(SunCertPathBuilder.java:141)
at sun.security.provider.certpath.SunCertPathBuilder.engineBuild(SunCertPathBuilder.java:126)
at java.security.cert.CertPathBuilder.build(CertPathBuilder.java:280)
at sun.security.validator.PKIXValidator.doBuild(PKIXValidator.java:392)
at sun.security.validator.PKIXValidator.engineValidate(PKIXValidator.java:302)
at sun.security.validator.Validator.validate(Validator.java:260)
at sun.security.ssl.X509TrustManagerImpl.validate(X509TrustManagerImpl.java:324)
at sun.security.ssl.X509TrustManagerImpl.checkTrusted(X509TrustManagerImpl.java:229)
at sun.security.ssl.X509TrustManagerImpl.checkServerTrusted(X509TrustManagerImpl.java:124)
at sun.security.ssl.ClientHandshaker.serverCertificate(ClientHandshaker.java:1596)
at sun.security.ssl.ClientHandshaker.processMessage(ClientHandshaker.java:216)
at sun.security.ssl.Handshaker.processLoop(Handshaker.java:1052)
at sun.security.ssl.Handshaker.process_record(Handshaker.java:987)
at sun.security.ssl.SSLSocketImpl.readRecord(SSLSocketImpl.java:1072)
at sun.security.ssl.SSLSocketImpl.performInitialHandshake(SSLSocketImpl.java:1385)
at sun.security.ssl.SSLSocketImpl.startHandshake(SSLSocketImpl.java:1413)
at sun.security.ssl.SSLSocketImpl.startHandshake(SSLSocketImpl.java:1397)
at sun.net.www.protocol.https.HttpsClient.afterConnect(HttpsClient.java:559)
at sun.net.www.protocol.https.AbstractDelegateHttpsURLConnection.connect(AbstractDelegateHttpsURLConnection.java:185)
at sun.net.www.protocol.http.HttpURLConnection.getOutputStream0(HttpURLConnection.java:1334)
at sun.net.www.protocol.http.HttpURLConnection.getOutputStream(HttpURLConnection.java:1309)
at sun.net.www.protocol.https.HttpsURLConnectionImpl.getOutputStream(HttpsURLConnectionImpl.java:259)
at org.mule.security.oauth.util.HttpUtilImpl.post(HttpUtilImpl.java:72)
Any ideas on how to resolve this issue? I'm not sure if it's a connector source code issue or an issue with Google potentially changing their OAuth2 API implementation in v4. Either way, the stack trace seems to point clearly to TLS certificate issues. Maybe I need to provide the Google API certificate, so any idea on how to inject a truststore used by the application or JVM to get past this certificate issue?
My java installation was not installed correctly after re-imaging my system. Reinstalled JDK 1.8_161 and it fixed the certificate issue.

MQTT:SSL routines:SSL3_GET_RECORD:wrong version number

I am trying to use SSL with MQTT and get the following error:
1379677998: Client connection from 127.0.0.1 failed: error:1408F10B:SSL routines:SSL3_GET_RECORD:wrong version number.
1379678058: OpenSSL Error: error:140940E5:SSL routines:SSL3_READ_BYTES:ssl handshake failure
1379678058: Socket read error on client (null), disconnecting.
My conf file has the settings below:
port 8883
cafile /home/administrator/Downloads/mosquitto-1.2.1_dilip/test/ssl/test-root-ca.crt (also tried all-ca.crt here)
certfile /home/administrator/Downloads/mosquitto-1.2.1_dilip/test/ssl/server.crt
keyfile /home/administrator/Downloads/mosquitto-1.2.1_dilip/test/ssl/server.key
tls_version tlsv1
require_certificate true (tried commenting this too)
and I run 08-ssl-connect-cert-auth.test from the test folder. The code snippet is included below:
/* mosq was created earlier in the test with mosquitto_new() */
mosquitto_tls_opts_set(mosq, 1, "tlsv1", NULL);   /* cert_reqs=1: verify the broker certificate; force TLS 1.0; default ciphers */
mosquitto_tls_set(mosq, "../ssl/test-root-ca.crt", "../ssl/certs", "../ssl/client.crt", "../ssl/client.key", NULL);   /* CA file, CA dir, client cert, client key, no key-password callback */
mosquitto_connect_callback_set(mosq, on_connect);
mosquitto_disconnect_callback_set(mosq, on_disconnect);
rc = mosquitto_connect(mosq, "localhost", 8883, 60);   /* broker host, TLS port, keepalive in seconds */
Environment info:
Python 2.7.3
OpenSSL 1.0.1 14 Mar 2012
Description: Ubuntu 12.04.2 LTS
Release: 12.0
mosquitto-1.2.1/mosquitto-1.2
Please let me know what could be going wrong here. I also tried generating certificates using gen.sh.
Thanks in advance.
-Dilip
On a general note - you should be generating your own certificates, don't use the ones provided by mosquitto for testing, or use the gen.sh script without modifying it for your own details.
To use the certificates provided, you should be using all-ca.crt in the broker. It contains the example root CA and intermediary CA certificates. The client only requires the root CA for verification purposes.
You are using a full path to the certificates in the broker configuration, but relative paths in the client. Are you sure that they are both correct?
Have you tried running the tests unmodified with make test? This would tell you if there is a problem with your openssl installation for example.
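`SSL3_GET_RECORD:wrong version number` is raised by OpenSSL's record layer, before any certificate is examined: it reads a five-byte record header (content type, two version bytes, two length bytes) and rejects the connection when the version bytes do not begin with 0x03. One frequent way to get there is a peer whose first bytes are not a TLS record at all, for instance an MQTT client that reached port 8883 without TLS configured, whose CONNECT packet puts its remaining-length byte where OpenSSL expects the version. The thread does not establish which cause applied to Dilip's setup. The Python below is an added example, not code from the thread or from Mosquitto: it shows what a TLS listener makes of the first bytes from several constructed clients.

```python
from dataclasses import dataclass

# Constructed samples: the first bytes a TLS listener on 8883 might receive.
TLS10_CLIENT_HELLO = bytes.fromhex("16 03 01 00 a5 01 00 00 a1 03 03")  # handshake record, record version TLS 1.0
SSL30_CLIENT_HELLO = bytes.fromhex("16 03 00 00 40 01")                 # handshake record, record version SSL 3.0
MQTT_311_CONNECT = bytes.fromhex("10 0c 00 04 4d 51 54 54 04 02 00 3c 00 00")         # plaintext CONNECT, name "MQTT"
MQTT_31_CONNECT = bytes.fromhex("10 0e 00 06 4d 51 49 73 64 70 03 02 00 3c 00 00")    # plaintext CONNECT, name "MQIsdp"
HTTP_GET = b"GET / HTTP/1.1\r\nHost: localhost\r\n\r\n"

RECORD_VERSIONS = {0x00: "SSL 3.0", 0x01: "TLS 1.0", 0x02: "TLS 1.1", 0x03: "TLS 1.2/1.3 (legacy record version)"}


@dataclass
class FirstBytesVerdict:
    kind: str
    detail: str


def is_plaintext_mqtt_connect(data: bytes) -> bool:
    """MQTT CONNECT: fixed header 0x10, remaining length, then the length-prefixed protocol name."""
    if len(data) < 10 or data[0] != 0x10:
        return False
    name_len = int.from_bytes(data[2:4], "big")
    return data[4:4 + name_len] in (b"MQTT", b"MQIsdp")


def classify_first_bytes(data: bytes) -> FirstBytesVerdict:
    """Explain what OpenSSL's record layer makes of the first bytes read on a TLS port."""
    if len(data) < 5:
        return FirstBytesVerdict("short", "fewer than 5 bytes: record header incomplete")
    ctype, major, minor = data[0], data[1], data[2]
    length = int.from_bytes(data[3:5], "big")
    if ctype == 0x16 and major == 0x03:
        name = RECORD_VERSIONS.get(minor, f"unknown 3.{minor}")
        return FirstBytesVerdict("tls-handshake", f"handshake record, version {name}, length {length}")
    if is_plaintext_mqtt_connect(data):
        return FirstBytesVerdict(
            "mqtt-plaintext",
            f"MQTT CONNECT sent without TLS; bytes 1-2 read as version 0x{major:02x}{minor:02x}, "
            "so OpenSSL reports 'wrong version number'",
        )
    if data[:4] in (b"GET ", b"POST", b"HEAD", b"PUT "):
        return FirstBytesVerdict("http-plaintext", "plain HTTP request on a TLS port; also fails the version check")
    return FirstBytesVerdict("unknown", f"content type 0x{ctype:02x}, version 0x{major:02x}{minor:02x}: not a TLS record")


if __name__ == "__main__":
    for label, sample in [("TLS 1.0 hello", TLS10_CLIENT_HELLO), ("SSL 3.0 hello", SSL30_CLIENT_HELLO),
                          ("MQTT 3.1.1", MQTT_311_CONNECT), ("MQTT 3.1", MQTT_31_CONNECT), ("HTTP", HTTP_GET)]:
        v = classify_first_bytes(sample)
        print(f"{label:14} {v.kind:15} {v.detail}")
```

On the broker side the same distinction can be made by hand: a TLS-configured client (or `openssl s_client -connect localhost:8883 -tls1`) produces a handshake record, while an MQTT client pointed at 8883 with no CA file configured sends the plaintext CONNECT shown above. Since OpenSSL only checks the version bytes before `SSL3_GET_RECORD`, a record-layer error of this kind means the certificate paths and CA choice discussed in the answer were never reached.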