problems spring security saml with vmware identity appliance - spring-security

I am using the spring-boot-security-saml-sample and attempting to hook it up to an application that uses the vmware identity appliance for SSO.
I can run the vanilla sample application just fine but when I change the IDP Metadata to point at the vmware identity server I am running into some issues.
My app uses a local keystore which contains a private key and I have imported the certs from the IDP metadata into it manually. When the application redirects I am seeing an error on the vmware identity server side:
java.lang.NullPointerException
com.vmware.identity.samlservice.impl.SamlServiceImpl.verifySignature(SamlServiceImpl.java:124)
com.vmware.identity.samlservice.AuthnRequestState.parseRequestForTenant(AuthnRequestState.java:341)
com.vmware.identity.BaseSsoController.processSsoRequest(BaseSsoController.java:63)
com.vmware.identity.SsoController.sso(SsoController.java:68)
sun.reflect.GeneratedMethodAccessor113.invoke(Unknown Source)
sun.reflect.DelegatingMethodAccessorImpl.invoke(DelegatingMethodAccessorImpl.java:43)
java.lang.reflect.Method.invoke(Method.java:606)
org.springframework.web.method.support.InvocableHandlerMethod.invoke(InvocableHandlerMethod.java:215)
org.springframework.web.method.support.InvocableHandlerMethod.invokeForRequest(InvocableHandlerMethod.java:132)
org.springframework.web.servlet.mvc.method.annotation.ServletInvocableHandlerMethod.invokeAndHandle(ServletInvocableHandlerMethod.java:104)
org.springframework.web.servlet.mvc.method.annotation.RequestMappingHandlerAdapter.invokeHandleMethod(RequestMappingHandlerAdapter.java:749)
org.springframework.web.servlet.mvc.method.annotation.RequestMappingHandlerAdapter.handleInternal(RequestMappingHandlerAdapter.java:689)
org.springframework.web.servlet.mvc.method.AbstractHandlerMethodAdapter.handle(AbstractHandlerMethodAdapter.java:83)
org.springframework.web.servlet.DispatcherServlet.doDispatch(DispatcherServlet.java:938)
org.springframework.web.servlet.DispatcherServlet.doService(DispatcherServlet.java:870)
org.springframework.web.servlet.FrameworkServlet.processRequest(FrameworkServlet.java:961)
org.springframework.web.servlet.FrameworkServlet.doGet(FrameworkServlet.java:852)
javax.servlet.http.HttpServlet.service(HttpServlet.java:621)
org.springframework.web.servlet.FrameworkServlet.service(FrameworkServlet.java:837)
javax.servlet.http.HttpServlet.service(HttpServlet.java:722)
My assumption is that I am doing something wrong in that the identity server is erroring out when trying to verifySignature(). I do not see any errors in my app.
Here is my idp metadata:
<EntityDescriptor xmlns="urn:oasis:names:tc:SAML:2.0:metadata" xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion" xmlns:vmes="http://vmware.com/schemas/attr-names/2012/04/Extensions" entityID="https://hostname:7444/websso/SAML2/Metadata/vsphere.local">
<Extensions>
<vmes:ExportedOn>2015-02-26T02:52:39Z</vmes:ExportedOn>
<vmes:ExportedBy>Exported by VMware Identity Server (c) 2012</vmes:ExportedBy>
</Extensions>
<IDPSSODescriptor WantAuthnRequestsSigned="false" protocolSupportEnumeration="urn:oasis:names:tc:SAML:2.0:protocol">
<KeyDescriptor xmlns:ds="http://www.w3.org/2000/09/xmldsig#" use="signing">
<ds:KeyInfo>
<ds:X509Data>
<ds:X509Certificate>...</ds:X509Certificate>
<ds:X509Certificate>...</ds:X509Certificate>
</ds:X509Data>
</ds:KeyInfo>
</KeyDescriptor>
<SingleLogoutService Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-Redirect" Location="https://hostname:7444/websso/SAML2/SLO/vsphere.local"/>
<SingleLogoutService Binding="urn:oasis:names:tc:SAML:2.0:bindings:SOAP" Location="https://hostname:7444/websso/SAML2/SLO/vsphere.local"/>
<NameIDFormat>urn:oasis:names:tc:SAML:1.1:nameid-format:emailAddress</NameIDFormat>
<NameIDFormat>urn:oasis:names:tc:SAML:2.0:nameid-format:persistent</NameIDFormat>
<NameIDFormat>http://schemas.xmlsoap.org/claims/UPN</NameIDFormat>
<SingleSignOnService Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-Redirect" Location="https://hostname:7444/websso/SAML2/SSO/vsphere.local"/>
<saml:Attribute FriendlyName="Groups" Name="http://rsa.com/schemas/attr-names/2009/01/GroupIdentity" NameFormat="urn:oasis:names:tc:SAML:2.0:attrname-format:uri"/>
<saml:Attribute FriendlyName="givenName" Name="http://schemas.xmlsoap.org/ws/2005/05/identity/claims/givenname" NameFormat="urn:oasis:names:tc:SAML:2.0:attrname-format:uri"/>
<saml:Attribute FriendlyName="surname" Name="http://schemas.xmlsoap.org/ws/2005/05/identity/claims/surname" NameFormat="urn:oasis:names:tc:SAML:2.0:attrname-format:uri"/>
<saml:Attribute FriendlyName="Subject Type" Name="http://vmware.com/schemas/attr-names/2011/07/isSolution" NameFormat="urn:oasis:names:tc:SAML:2.0:attrname-format:uri"/>
<saml:Attribute FriendlyName="userPrincipalName" Name="http://schemas.xmlsoap.org/claims/UPN" NameFormat="urn:oasis:names:tc:SAML:2.0:attrname-format:uri"/>
<saml:Attribute FriendlyName="email" Name="http://schemas.xmlsoap.org/ws/2005/05/identity/claims/emailaddress" NameFormat="urn:oasis:names:tc:SAML:2.0:attrname-format:uri"/>
</IDPSSODescriptor>
<SPSSODescriptor AuthnRequestsSigned="false" WantAssertionsSigned="true" protocolSupportEnumeration="urn:oasis:names:tc:SAML:2.0:protocol">
<KeyDescriptor xmlns:ds="http://www.w3.org/2000/09/xmldsig#" use="signing">
<ds:KeyInfo>
<ds:X509Data>
<ds:X509Certificate>...</ds:X509Certificate>
<ds:X509Certificate>...</ds:X509Certificate>
</ds:X509Data>
</ds:KeyInfo>
</KeyDescriptor>
<SingleLogoutService Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-Redirect" Location="https://hostname:7444/websso/SsoClient/SLO/vsphere.local"/>
<NameIDFormat>urn:oasis:names:tc:SAML:1.1:nameid-format:emailAddress</NameIDFormat>
<NameIDFormat>urn:oasis:names:tc:SAML:2.0:nameid-format:persistent</NameIDFormat>
<NameIDFormat>http://schemas.xmlsoap.org/claims/UPN</NameIDFormat>
<AssertionConsumerService Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST" Location="https://hostname:7444/websso/SsoClient/SSO/vsphere.local" index="0"/>
</SPSSODescriptor>
The only modifications I've made to the sample are to change the metadata provider, point the keystore to a local file, import the two certs from the metadata file into the keystore, point the extendedMetadata at the alias of one of the certs, and use the private key as the signingKey.
Any ideas what could be going wrong?

I changed the private key in my keystore to be an RSA key with sigalg SHA1WithRSA and that seems to have solved this issue. Not sure if the vmware identity server restricts the sigalg or not, but either way it looks to be a bug on their end. Just for the sake of completeness, I created my private key with this command:
keytool -genkey -alias server -keyalg RSA -sigalg SHA1WithRSA -keysize 2048 -keystore mykeystore -dname "CN=www.mycompany.com,OU=it, O=mycompany, L=city, ST=state, C=US" -storepass keystorepass
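Before swapping keys it is worth reading back what the IdP metadata actually asks for and confirming that the certificates imported by hand are the ones the metadata carries. The script below is an added example, not code from the question or from Spring SAML: it parses a trimmed, constructed copy of the VMware metadata above (the certificate bytes are dummies, not real certificates), reports WantAuthnRequestsSigned and the HTTP-Redirect endpoints, and compares the SHA-256 fingerprints of the IdP signing certificates against a constructed `keytool -list -v` listing in which only one of the two has been imported. The alias name and the keytool output are stand-ins. Note that the metadata says WantAuthnRequestsSigned="false" while the trace shows the IdP still running verifySignature on the request, so the SP's signing key is what the IdP ends up looking at.

```python
"""Inspect SAML IdP metadata and check what was imported into the SP keystore (added example)."""
import base64
import hashlib
import xml.etree.ElementTree as ET

MD = "urn:oasis:names:tc:SAML:2.0:metadata"
DS = "http://www.w3.org/2000/09/xmldsig#"
REDIRECT = "urn:oasis:names:tc:SAML:2.0:bindings:HTTP-Redirect"

# Constructed sample: the shape of the VMware metadata above with dummy
# certificate bytes (NOT real certificates) so the script runs offline.
FAKE_CERTS = [base64.b64encode(b"constructed-idp-signing-cert-%d" % i).decode() for i in (1, 2)]
SAMPLE_METADATA = f"""<EntityDescriptor xmlns="{MD}" entityID="https://hostname:7444/websso/SAML2/Metadata/vsphere.local">
<IDPSSODescriptor WantAuthnRequestsSigned="false" protocolSupportEnumeration="urn:oasis:names:tc:SAML:2.0:protocol">
<KeyDescriptor xmlns:ds="{DS}" use="signing">
<ds:KeyInfo><ds:X509Data>
<ds:X509Certificate>{FAKE_CERTS[0]}</ds:X509Certificate>
<ds:X509Certificate>{FAKE_CERTS[1]}</ds:X509Certificate>
</ds:X509Data></ds:KeyInfo>
</KeyDescriptor>
<SingleLogoutService Binding="{REDIRECT}" Location="https://hostname:7444/websso/SAML2/SLO/vsphere.local"/>
<SingleSignOnService Binding="{REDIRECT}" Location="https://hostname:7444/websso/SAML2/SSO/vsphere.local"/>
</IDPSSODescriptor>
</EntityDescriptor>"""


def fingerprint(cert_b64: str) -> str:
    """SHA-256 of the DER bytes, colon-separated the way `keytool -list -v` prints it."""
    der = base64.b64decode("".join(cert_b64.split()))  # metadata often wraps the base64
    hexdigest = hashlib.sha256(der).hexdigest().upper()
    return ":".join(hexdigest[i:i + 2] for i in range(0, len(hexdigest), 2))


def inspect_idp_metadata(xml_text: str) -> dict:
    """Pull out the flags, endpoints and signing-cert fingerprints an SP operator needs to check."""
    root = ET.fromstring(xml_text)
    idp = root.find(f"{{{MD}}}IDPSSODescriptor")
    if idp is None:
        raise ValueError("no IDPSSODescriptor in metadata")
    fps = []
    for kd in idp.findall(f"{{{MD}}}KeyDescriptor"):
        # A KeyDescriptor without `use` is valid for both signing and encryption.
        if kd.get("use", "signing") == "signing":
            fps += [fingerprint(c.text) for c in kd.iter(f"{{{DS}}}X509Certificate")]
    return {
        "entity_id": root.get("entityID"),
        "want_authn_requests_signed": idp.get("WantAuthnRequestsSigned", "false").lower() == "true",
        "sso": {s.get("Binding"): s.get("Location") for s in idp.findall(f"{{{MD}}}SingleSignOnService")},
        "slo": {s.get("Binding"): s.get("Location") for s in idp.findall(f"{{{MD}}}SingleLogoutService")},
        "signing_cert_fingerprints": fps,
    }


def missing_from_keystore(metadata_xml: str, keytool_list_v_output: str) -> list:
    """Metadata signing certs whose SHA-256 fingerprint does not appear in `keytool -list -v` output."""
    present = {line.split("SHA256:", 1)[1].strip()
               for line in keytool_list_v_output.splitlines() if "SHA256:" in line}
    return [fp for fp in inspect_idp_metadata(metadata_xml)["signing_cert_fingerprints"] if fp not in present]


# Constructed stand-in for `keytool -list -v -keystore mykeystore` after importing only ONE of the two certs.
SAMPLE_KEYTOOL_OUTPUT = f"""Alias name: vmware-idp-1
Entry type: trustedCertEntry
Certificate fingerprints:
\t SHA1: 00:11:22
\t SHA256: {fingerprint(FAKE_CERTS[0])}
"""

if __name__ == "__main__":
    info = inspect_idp_metadata(SAMPLE_METADATA)
    print("IdP wants signed AuthnRequests:", info["want_authn_requests_signed"])
    print("SSO endpoint (HTTP-Redirect):", info["sso"].get(REDIRECT))
    print("Not yet in keystore:", missing_from_keystore(SAMPLE_METADATA, SAMPLE_KEYTOOL_OUTPUT))
```

Run it against the real metadata file and the real `keytool -list -v` output; an empty "Not yet in keystore" list means every IdP signing certificate is present under some alias.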

Related

Peer not authenticated Observed while securing API , using WSO2 EI Oauth 2.0 in localhost

I tried to secure my API using OAuth 2.0 (http://abeykoon.blogspot.com/2015/04/wso2-esb-securing-rest-end-point-using.html) in a WSO2 EI custom SimpleOauthHandler and I'm observing this exception:
Caused by: javax.net.ssl.SSLPeerUnverifiedException: peer not authenticated.
I tried to import certificates using keytool, but I'm not sure which certificates are expired, if certificate expiry is the cause for this exception.
Line 63 (return stub.validate(dto).getValid();) in the SimpleOAuthHandler class from http://abeykoon.blogspot.com/2015/04/wso2-esb-securing-rest-end-point-using.html is causing this exception.
Exception:
[2020-01-10 13:10:54,931] [EI-Core] INFO - HTTPSender Unable to sendViaPost to url[https://localhost:9445/services/OAuth2TokenValidationService]
javax.net.ssl.SSLPeerUnverifiedException: peer not authenticated
at sun.security.ssl.SSLSessionImpl.getPeerCertificates(SSLSessionImpl.java:450)
at org.apache.commons.httpclient.protocol.SSLProtocolSocketFactory.verifyHostName(SSLProtocolSocketFactory.java:276)
at org.apache.commons.httpclient.protocol.SSLProtocolSocketFactory.createSocket(SSLProtocolSocketFactory.java:186)
at org.apache.commons.httpclient.HttpConnection.open(HttpConnection.java:707)
at org.apache.commons.httpclient.MultiThreadedHttpConnectionManager$HttpConnectionAdapter.open(MultiThreadedHttpConnectionManager.java:1361)
at org.apache.commons.httpclient.HttpMethodDirector.executeWithRetry(HttpMethodDirector.java:387)
at org.apache.commons.httpclient.HttpMethodDirector.executeMethod(HttpMethodDirector.java:171)
at org.apache.commons.httpclient.HttpClient.executeMethod(HttpClient.java:397)
at org.apache.axis2.transport.http.AbstractHTTPSender.executeMethod(AbstractHTTPSender.java:704)
at org.apache.axis2.transport.http.HTTPSender.sendViaPost(HTTPSender.java:199)
at org.apache.axis2.transport.http.HTTPSender.send(HTTPSender.java:81)
at org.apache.axis2.transport.http.CommonsHTTPTransportSender.writeMessageWithCommons(CommonsHTTPTransportSender.java:459)
at org.apache.axis2.transport.http.CommonsHTTPTransportSender.invoke(CommonsHTTPTransportSender.java:286)
at org.apache.axis2.engine.AxisEngine.send(AxisEngine.java:442)
at org.apache.axis2.description.OutInAxisOperationClient.send(OutInAxisOperation.java:441)
at org.apache.axis2.description.OutInAxisOperationClient.executeImpl(OutInAxisOperation.java:227)
at org.apache.axis2.client.OperationClient.execute(OperationClient.java:149)
at org.wso2.carbon.identity.oauth2.stub.OAuth2TokenValidationServiceStub.validate(OAuth2TokenValidationServiceStub.java:738)
at org.wso2.handler.SimpleOauthHandler.handleRequest(SimpleOauthHandler.java:93)
at org.apache.synapse.rest.API.process(API.java:325)
at org.apache.synapse.rest.RESTRequestHandler.apiProcess(RESTRequestHandler.java:135)
at org.apache.synapse.rest.RESTRequestHandler.dispatchToAPI(RESTRequestHandler.java:113)
at org.apache.synapse.rest.RESTRequestHandler.process(RESTRequestHandler.java:71)
at org.apache.synapse.core.axis2.Axis2SynapseEnvironment.injectMessage(Axis2SynapseEnvironment.java:303)
at org.apache.synapse.core.axis2.SynapseMessageReceiver.receive(SynapseMessageReceiver.java:92)
at org.apache.axis2.engine.AxisEngine.receive(AxisEngine.java:180)
at org.apache.synapse.transport.passthru.ServerWorker.processNonEntityEnclosingRESTHandler(ServerWorker.java:337)
at org.apache.synapse.transport.passthru.ServerWorker.run(ServerWorker.java:158)
at org.apache.axis2.transport.base.threads.NativeWorkerPool$1.run(NativeWorkerPool.java:172)
at java.util.concurrent.ThreadPoolExecutor.runWorker(ThreadPoolExecutor.java:1149)
at java.util.concurrent.ThreadPoolExecutor$Worker.run(ThreadPoolExecutor.java:624)
at java.lang.Thread.run(Thread.java:748)
[2020-01-10 13:10:54,933] [EI-Core] ERROR - SimpleOauthHandler Error occurred while processing the message
org.apache.axis2.AxisFault: peer not authenticated
at org.apache.axis2.AxisFault.makeFault(AxisFault.java:430)
Download the server certificate (how to do that is described here: https://superuser.com/questions/97201/how-to-save-a-remote-server-ssl-certificate-locally-as-a-file). In your case, from localhost:9445.
Add the downloaded server SSL certificate to client-truststore.jks in WSO2:
keytool -import -alias localhost -file {PathToDownloadedCertFile} -keystore {WSO2HomeDir}\repository\resources\security\client-truststore.jks
Restart WSO2.
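Importing whatever certificate answers on localhost:9445 makes the client trust it for good, so the import should be gated on a fingerprint obtained out of band (from whoever runs the token-validation endpoint) rather than on the bytes the socket happened to return. The script below is an added example, not WSO2's code: it fetches the presented leaf certificate without validating it, refuses to import unless the SHA-256 fingerprint matches the expected value, and only then runs keytool. It assumes keytool is on PATH and that the truststore password is still the shipped default `wso2carbon`; the PEM at the bottom is constructed dummy bytes so the pure helpers can be exercised offline.

```python
"""Trust one specific server certificate in a WSO2 client truststore (added example)."""
import base64
import hashlib
import os
import ssl
import subprocess
import tempfile

WSO2_DEFAULT_STOREPASS = "wso2carbon"  # shipped default; assumed unchanged here


def pem_to_der(pem: str) -> bytes:
    """Drop the PEM armour lines and decode the certificate body."""
    body = "".join(line.strip() for line in pem.splitlines()
                   if line.strip() and not line.startswith("-----"))
    return base64.b64decode(body)


def sha256_fingerprint(der: bytes) -> str:
    digest = hashlib.sha256(der).hexdigest().upper()
    return ":".join(digest[i:i + 2] for i in range(0, len(digest), 2))


def fetch_server_cert_pem(host: str, port: int) -> str:
    """Fetch the leaf certificate as the server presents it. Nothing is verified here on purpose:
    we are deciding whether to trust it at all."""
    return ssl.get_server_certificate((host, port))


def keytool_import_cmd(cert_path: str, truststore: str, alias: str, storepass: str) -> list:
    return ["keytool", "-importcert", "-noprompt", "-alias", alias, "-file", cert_path,
            "-keystore", truststore, "-storepass", storepass]


def trust_server_cert(host, port, truststore, alias, expected_fingerprint,
                      storepass=WSO2_DEFAULT_STOREPASS, dry_run=False) -> list:
    """Import the server's certificate only if its SHA-256 fingerprint matches the value obtained
    out of band. Returns the keytool command that was (or, with dry_run, would be) run."""
    pem = fetch_server_cert_pem(host, port)
    actual = sha256_fingerprint(pem_to_der(pem))
    if actual.replace(":", "").lower() != expected_fingerprint.replace(":", "").lower():
        raise RuntimeError(f"refusing to trust {host}:{port}: presented {actual}, expected {expected_fingerprint}")
    fd, path = tempfile.mkstemp(suffix=".pem")
    try:
        with os.fdopen(fd, "w") as f:
            f.write(pem)
        cmd = keytool_import_cmd(path, truststore, alias, storepass)
        if not dry_run:
            subprocess.run(cmd, check=True)
        return cmd
    finally:
        os.unlink(path)


# Constructed sample PEM (dummy bytes, not a certificate) so the pure helpers can be exercised offline.
SAMPLE_PEM = ("-----BEGIN CERTIFICATE-----\n"
              + base64.b64encode(b"constructed-server-cert").decode()
              + "\n-----END CERTIFICATE-----\n")

if __name__ == "__main__":
    print("sample fingerprint:", sha256_fingerprint(pem_to_der(SAMPLE_PEM)))
    print("would run:", " ".join(keytool_import_cmd(
        "server.pem", "repository/resources/security/client-truststore.jks", "localhost", WSO2_DEFAULT_STOREPASS)))
```

Against a live server the call is `trust_server_cert("localhost", 9445, "<WSO2_HOME>/repository/resources/security/client-truststore.jks", "localhost", "<fingerprint from the server admin>")`, followed by the WSO2 restart the answer mentions. The alias "localhost" and the truststore path are the ones from the answer, not anything the script discovers.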

Invalid grant on SAML2 Bearer Assertion profile for OAuth within WSO2 API Manager

I have problems getting "SAML2 Bearer Assertion profile for OAuth" to work within WSO2 API Manager (port 9445).
My setup:
I created an application (app1) in API manager tenant domain (wso2.com) and generated keys.
When I log into IS as admin of wso2.com tenant domain I see a service provider is created for my application (app1).
I configured the SP of app1 and created the IDP as explained in documentation.
I could generate SAML assertion by SAML2AssertionCreator.
When I try to generate an access token using the assertion generated with the command below, I get:
{"error":"invalid_grant","error_description":"Provided Authorization Grant is invalid"}
SAML Assertion
<?xml version="1.0" encoding="UTF-8"?>
<saml:Assertion
xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion" ID="alajckjphcbadkfhacmcfnnanohlnlpbhfomlmjm" IssueInstant="2017-06-13T08:05:36.500Z" Version="2.0">
<saml:Issuer Format="urn:oasis:names:tc:SAML:2.0:nameid-format:entity">TestSP</saml:Issuer>
<ds:Signature
xmlns:ds="http://www.w3.org/2000/09/xmldsig#">
<ds:SignedInfo>
<ds:CanonicalizationMethod Algorithm="http://www.w3.org/2001/10/xml-exc-c14n#"/>
<ds:SignatureMethod Algorithm="http://www.w3.org/2000/09/xmldsig#rsa-sha1"/>
<ds:Reference URI="#alajckjphcbadkfhacmcfnnanohlnlpbhfomlmjm">
<ds:Transforms>
<ds:Transform Algorithm="http://www.w3.org/2000/09/xmldsig#enveloped-signature"/>
<ds:Transform Algorithm="http://www.w3.org/2001/10/xml-exc-c14n#">
<ec:InclusiveNamespaces
xmlns:ec="http://www.w3.org/2001/10/xml-exc-c14n#" PrefixList="ds saml xs xsi"/>
</ds:Transform>
</ds:Transforms>
<ds:DigestMethod Algorithm="http://www.w3.org/2000/09/xmldsig#sha1"/>
<ds:DigestValue>ISNhVVsEbeRLN2MQdob0qs1QEXc=</ds:DigestValue>
</ds:Reference>
</ds:SignedInfo>
<ds:SignatureValue>
XrMqLJO6z8BERlmrysn9aV9m1GPte3hOUqxNUhr8eTMtho2zjYE5fJkbT+pf8oHxXUaozefs5G+o
N0tWQc9pqXxuYtk6Lk/EimMzF2xEgrtEzZqksVebJagz9UeOr1mfubZpSGcfdWMHSJdkOuAmsW0E
rqIc1RZDh+95aoh3VmE=
</ds:SignatureValue>
<ds:KeyInfo>
<ds:X509Data>
<ds:X509Certificate>MIICNTCCAZ6gAwIBAgIES343gjANBgkqhkiG9w0BAQUFADBVMQswCQYDVQQGEwJVUzELMAkGA1UE...</ds:X509Certificate>
</ds:X509Data>
</ds:KeyInfo>
</ds:Signature>
<saml:Subject>
<saml:NameID Format="urn:oasis:names:tc:SAML:1.1:nameid-format:emailAddress">admin</saml:NameID>
<saml:SubjectConfirmation Method="urn:oasis:names:tc:SAML:2.0:cm:bearer">
<saml:SubjectConfirmationData InResponseTo="0" NotOnOrAfter="2017-06-13T08:10:36.500Z" Recipient="https://localhost:9445/oauth2/token"/>
</saml:SubjectConfirmation>
</saml:Subject>
<saml:Conditions NotBefore="2017-06-13T08:05:36.500Z" NotOnOrAfter="2017-06-13T08:10:36.500Z">
<saml:AudienceRestriction>
<saml:Audience>https://localhost:9445/oauth2/token</saml:Audience>
</saml:AudienceRestriction>
</saml:Conditions>
<saml:AuthnStatement AuthnInstant="2017-06-13T08:05:36.601Z">
<saml:AuthnContext>
<saml:AuthnContextClassRef>urn:oasis:names:tc:SAML:2.0:ac:classes:Password</saml:AuthnContextClassRef>
</saml:AuthnContext>
</saml:AuthnStatement>
<saml:AttributeStatement>
<saml:Attribute Name="C">
<saml:AttributeValue
xmlns:xs="http://www.w3.org/2001/XMLSchema"
xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" xsi:type="xs:string">:
</saml:AttributeValue>
</saml:Attribute>
</saml:AttributeStatement>
</saml:Assertion>
Command java -jar SAML2AssertionCreator.jar TestSP admin https://localhost:9445/oauth2/token https://localhost:9445/oauth2/token .../wso2/wso2is-5.1.0/repository/resources/security/resources/security/wso2carbon.jks wso2carbon wso2carbon wso2carbon
Token CMD-
curl -k -d "grant_type=urn:ietf:params:oauth:grant-type:saml2-bearer&assertion=<Assertion_provided_by_client>&scope=PRODUCTION" -H "Authorization: Basic <Base64 encoded consumer key:consumer secret>" -H "Content-Type:application/x-www-form-urlencoded" https://<IP of the APIM server>:9445/oauth2/token
Logs
[2017-06-13 12:56:17,036] DEBUG - OAuth2Service Access Token request received for Client ID 0rD1Hf7ZT5ZMz5ZJkMDpCZSBOHka, User ID null, Scope : [PRODUCTION] and Grant Type : urn:ietf:params:oauth:grant-type:saml2-bearer
[2017-06-13 12:56:17,036] DEBUG - AbstractClientAuthHandler Can authenticate with client ID and Secret. Client ID: 0rD1Hf7ZT5ZMz5ZJkMDpCZSBOHka
[2017-06-13 12:56:17,039] DEBUG - AbstractClientAuthHandler Grant type : urn:ietf:params:oauth:grant-type:saml2-bearer Strict client validation set to : null
[2017-06-13 12:56:17,043] DEBUG - OAuth2Util Client credentials were available in the cache for client id : 0rD1Hf7ZT5ZMz5ZJkMDpCZSBOHka
[2017-06-13 12:56:17,045] DEBUG - OAuth2Util Successfully authenticated the client with client id : 0rD1Hf7ZT5ZMz5ZJkMDpCZSBOHka
[2017-06-13 12:56:17,055] DEBUG - SAML2BearerGrantHandler SAML Assertion Audience Restriction validation failed against the Audience : https://192.168.0.4:9445/oauth2/token of Identity Provider : IS in tenant : carbon.super
[2017-06-13 12:56:17,055] DEBUG - AccessTokenIssuer Invalid Grant provided by the client Id: 0rD1Hf7ZT5ZMz5ZJkMDpCZSBOHka
[2017-06-13 12:56:17,060] DEBUG - AccessTokenIssuer OAuth-Error-Code=invalid_grant client-id=0rD1Hf7ZT5ZMz5ZJkMDpCZSBOHka grant-type=urn:ietf:params:oauth:grant-type:saml2-bearer scope=PRODUCTION
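The debug log already names the failing check: the assertion restricts its audience to https://localhost:9445/oauth2/token, while the IdP entry "IS" on the API Manager side is configured with the audience https://192.168.0.4:9445/oauth2/token, and the grant handler rejects the assertion before it ever gets to the signature. The script below is an added example, not WSO2's code, of the conditions a token endpoint checks on a bearer assertion (issuer, audience, validity window, and a bearer SubjectConfirmation for the token endpoint as Recipient). It runs over a constructed copy of the assertion above with the signature removed; `expected_issuer`, `expected_audience` and `token_endpoint` are the values the verifier is configured with, so the same assertion passes with the localhost audience and fails with the 192.168.0.4 one.

```python
"""Bearer-assertion condition checks, as a token endpoint applies them (added example)."""
from datetime import datetime
import xml.etree.ElementTree as ET

SAML = "urn:oasis:names:tc:SAML:2.0:assertion"
BEARER = "urn:oasis:names:tc:SAML:2.0:cm:bearer"

# Constructed: the subject, conditions and timestamps of the posted assertion, minus the signature.
SAMPLE_ASSERTION = f"""<saml:Assertion xmlns:saml="{SAML}" ID="alajckjphcbadkfhacmcfnnanohlnlpbhfomlmjm" IssueInstant="2017-06-13T08:05:36.500Z" Version="2.0">
<saml:Issuer Format="urn:oasis:names:tc:SAML:2.0:nameid-format:entity">TestSP</saml:Issuer>
<saml:Subject>
<saml:NameID Format="urn:oasis:names:tc:SAML:1.1:nameid-format:emailAddress">admin</saml:NameID>
<saml:SubjectConfirmation Method="{BEARER}">
<saml:SubjectConfirmationData InResponseTo="0" NotOnOrAfter="2017-06-13T08:10:36.500Z" Recipient="https://localhost:9445/oauth2/token"/>
</saml:SubjectConfirmation>
</saml:Subject>
<saml:Conditions NotBefore="2017-06-13T08:05:36.500Z" NotOnOrAfter="2017-06-13T08:10:36.500Z">
<saml:AudienceRestriction>
<saml:Audience>https://localhost:9445/oauth2/token</saml:Audience>
</saml:AudienceRestriction>
</saml:Conditions>
</saml:Assertion>"""


def _ts(value: str) -> datetime:
    """SAML timestamps are UTC with a trailing Z; fromisoformat wants an explicit offset."""
    return datetime.fromisoformat(value.replace("Z", "+00:00"))


# Fixed "now" values so the checks are reproducible: inside the 5-minute window, and after it.
NOW_IN_WINDOW = _ts("2017-06-13T08:07:00Z")
NOW_AFTER_EXPIRY = _ts("2017-06-13T09:00:00Z")


def check_bearer_assertion(xml_text: str, expected_issuer: str, expected_audience: str,
                           token_endpoint: str, now: datetime) -> list:
    """Return the list of failed checks; an empty list means these conditions would pass."""
    a = ET.fromstring(xml_text)
    ns = {"saml": SAML}
    failures = []

    issuer = a.findtext("saml:Issuer", namespaces=ns)
    if issuer != expected_issuer:
        failures.append(f"issuer {issuer!r} is not the registered IdP {expected_issuer!r}")

    audiences = [e.text for e in a.findall("saml:Conditions/saml:AudienceRestriction/saml:Audience", ns)]
    if expected_audience not in audiences:
        failures.append(f"audience restriction {audiences} does not include {expected_audience!r}")

    cond = a.find("saml:Conditions", ns)
    if cond is None:
        failures.append("no Conditions element")
    else:
        if cond.get("NotBefore") and now < _ts(cond.get("NotBefore")):
            failures.append("assertion not yet valid")
        if cond.get("NotOnOrAfter") and now >= _ts(cond.get("NotOnOrAfter")):
            failures.append("assertion expired")

    # RFC 7522: a bearer SubjectConfirmation naming the token endpoint as Recipient, still within its own window.
    confirmed = False
    for sc in a.findall("saml:Subject/saml:SubjectConfirmation", ns):
        data = sc.find("saml:SubjectConfirmationData", ns)
        if sc.get("Method") != BEARER or data is None or data.get("Recipient") != token_endpoint:
            continue
        if data.get("NotOnOrAfter") and now >= _ts(data.get("NotOnOrAfter")):
            continue
        confirmed = True
    if not confirmed:
        failures.append(f"no valid bearer SubjectConfirmation for recipient {token_endpoint!r}")
    return failures


if __name__ == "__main__":
    endpoint = "https://localhost:9445/oauth2/token"
    print("audience as issued:", check_bearer_assertion(SAMPLE_ASSERTION, "TestSP", endpoint, endpoint, NOW_IN_WINDOW))
    print("audience as configured on APIM:", check_bearer_assertion(
        SAMPLE_ASSERTION, "TestSP", "https://192.168.0.4:9445/oauth2/token", endpoint, NOW_IN_WINDOW))
```

The fix is to make the two sides agree: either pass the audience configured for the IdP on the API Manager side to SAML2AssertionCreator, or change that IdP's audience to the token endpoint URL the assertion carries.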

WSO2 Identity Server OAuth2 Bearer SAML Assertion

I encountered a problem using WSO2 Identity Server.
I have a web server using SAML2 in Identity Server for SSO.
After login, Identity Server returns the SAML response message:
<?xml version="1.0" encoding="UTF-8"?>
<saml2p:Response Destination="http://localhost:8080/travelocity.com/home.jsp" ID="lfkelagpefmnohdlcalkpoeobnahpjapkfljnoah" InResponseTo="mieoddeiiebbaphejlfdgaiojbnogmpnnhijaema" IssueInstant="2016-01-02T17:31:47.863Z" Version="2.0" xmlns:saml2p="urn:oasis:names:tc:SAML:2.0:protocol">
<saml2:Issuer Format="urn:oasis:names:tc:SAML:2.0:nameid-format:entity" xmlns:saml2="urn:oasis:names:tc:SAML:2.0:assertion">localhost</saml2:Issuer>
<ds:Signature xmlns:ds="http://www.w3.org/2000/09/xmldsig#">
<ds:SignedInfo>
<ds:CanonicalizationMethod Algorithm="http://www.w3.org/2001/10/xml-exc-c14n#"/>
<ds:SignatureMethod Algorithm="http://www.w3.org/2000/09/xmldsig#rsa-sha1"/>
<ds:Reference URI="#lfkelagpefmnohdlcalkpoeobnahpjapkfljnoah">
<ds:Transforms>
<ds:Transform Algorithm="http://www.w3.org/2000/09/xmldsig#enveloped-signature"/>
<ds:Transform Algorithm="http://www.w3.org/2001/10/xml-exc-c14n#"/>
</ds:Transforms>
<ds:DigestMethod Algorithm="http://www.w3.org/2000/09/xmldsig#sha1"/>
<ds:DigestValue>HCnAalpftzdBW6dZbB+0nJf2A7c=</ds:DigestValue>
</ds:Reference>
</ds:SignedInfo>
<ds:SignatureValue>QKXtIMRFkw/eqAX1b30PGbCHqPTYrlOEGl0UobvK/hqaYz+2wuoJfMz9t0BS5CFYUT/OqAsv9eR2IVTDUq+Wp17xOu48yAPI9gl9L1gH9YZ4+k12y19C3WbAgTwaZ+IOqa9a01N5nWAKa3G38rhX58KAX31FgILvFT6aegQYXMU=</ds:SignatureValue>
<ds:KeyInfo><ds:X509Data><ds:X509Certificate>...</ds:X509Certificate></ds:X509Data></ds:KeyInfo>
</ds:Signature>
<saml2p:Status><saml2p:StatusCode Value="urn:oasis:names:tc:SAML:2.0:status:Success"/></saml2p:Status>
<saml2:Assertion ID="jajekgbkamaadloajjnhckhdofjdiicgkcfbjbmd" IssueInstant="2016-01-02T17:31:47.863Z" Version="2.0" xmlns:saml2="urn:oasis:names:tc:SAML:2.0:assertion">
<saml2:Issuer Format="urn:oasis:names:tc:SAML:2.0:nameid-format:entity">localhost</saml2:Issuer>
<ds:Signature xmlns:ds="http://www.w3.org/2000/09/xmldsig#">
<ds:SignedInfo>
<ds:CanonicalizationMethod Algorithm="http://www.w3.org/2001/10/xml-exc-c14n#"/>
<ds:SignatureMethod Algorithm="http://www.w3.org/2000/09/xmldsig#rsa-sha1"/>
<ds:Reference URI="#jajekgbkamaadloajjnhckhdofjdiicgkcfbjbmd">
<ds:Transforms>
<ds:Transform Algorithm="http://www.w3.org/2000/09/xmldsig#enveloped-signature"/>
<ds:Transform Algorithm="http://www.w3.org/2001/10/xml-exc-c14n#"/>
</ds:Transforms>
<ds:DigestMethod Algorithm="http://www.w3.org/2000/09/xmldsig#sha1"/>
<ds:DigestValue>pDzChf9Ote3Ljws9ErogUQxfN0I=</ds:DigestValue>
</ds:Reference>
</ds:SignedInfo>
<ds:SignatureValue>ZFw9zwyuB2xJuChBdkQArV+yb2NW0LcTkoZK+GuhTRqoD/Ndk880U18cRT4am/Ut1qxIR90ec9pqosCd9ax/UZzu/ZZ69mNfn0xB6Uni/1MQ9G+FijjmuTHPWK2jyO1PrkbK7OUNTD1UgQxQGaMufbuWR2BsNFWnRbLBB5PG8e0=</ds:SignatureValue>
<ds:KeyInfo><ds:X509Data><ds:X509Certificate>...</ds:X509Certificate></ds:X509Data></ds:KeyInfo>
</ds:Signature>
<saml2:Subject>
<saml2:NameID Format="urn:oasis:names:tc:SAML:1.1:nameid-format:emailAddress">admin@carbon.super</saml2:NameID>
<saml2:SubjectConfirmation Method="urn:oasis:names:tc:SAML:2.0:cm:bearer">
<saml2:SubjectConfirmationData InResponseTo="mieoddeiiebbaphejlfdgaiojbnogmpnnhijaema" NotOnOrAfter="2016-01-02T17:36:47.863Z" Recipient="http://localhost:8080/travelocity.com/home.jsp"/>
</saml2:SubjectConfirmation>
<saml2:SubjectConfirmation Method="urn:oasis:names:tc:SAML:2.0:cm:bearer">
<saml2:SubjectConfirmationData InResponseTo="mieoddeiiebbaphejlfdgaiojbnogmpnnhijaema" NotOnOrAfter="2016-01-02T17:36:47.863Z" Recipient="https://localhost:9443/oauth2/token"/>
</saml2:SubjectConfirmation>
</saml2:Subject>
<saml2:Conditions NotBefore="2016-01-02T17:31:47.863Z" NotOnOrAfter="2016-01-02T17:36:47.863Z">
<saml2:AudienceRestriction>
<saml2:Audience>travelocity.com</saml2:Audience>
<saml2:Audience>https://localhost:9443/oauth2/token</saml2:Audience>
</saml2:AudienceRestriction>
</saml2:Conditions>
<saml2:AuthnStatement AuthnInstant="2016-01-02T17:31:47.864Z" SessionIndex="fed8981e-65b5-4a07-b7b0-b5b2dfcd1c35">
<saml2:AuthnContext>
<saml2:AuthnContextClassRef>urn:oasis:names:tc:SAML:2.0:ac:classes:Password</saml2:AuthnContextClassRef>
</saml2:AuthnContext>
</saml2:AuthnStatement>
</saml2:Assertion>
</saml2p:Response>
I extract the Assertion tag from the SAML2 response, encode it using base64 and send the request to the Identity Server to request the OAuth2 Bearer token using the OAuth2 SAML Assertion grant.
However I got the following exception message in the server:
[2016-01-02 12:33:34,938] ERROR {org.wso2.carbon.identity.oauth2.token.handlers.grant.saml.SAML2BearerGrantHandler} - Error while validating the signature.
org.opensaml.xml.validation.ValidationException: Signature did not validate against the credential's key
at org.opensaml.xml.signature.SignatureValidator.validate(SignatureValidator.java:78)
at org.wso2.carbon.identity.oauth2.token.handlers.grant.saml.SAML2BearerGrantHandler.validateGrant(SAML2BearerGrantHandler.java:451)
at org.wso2.carbon.identity.oauth2.token.AccessTokenIssuer.issue(AccessTokenIssuer.java:154)
at org.wso2.carbon.identity.oauth2.OAuth2Service.issueAccessToken(OAuth2Service.java:196)
at org.wso2.carbon.identity.oauth.endpoint.token.OAuth2TokenEndpoint.getAccessToken(OAuth2TokenEndpoint.java:245)
at org.wso2.carbon.identity.oauth.endpoint.token.OAuth2TokenEndpoint.issueAccessToken(OAuth2TokenEndpoint.java:111)
at sun.reflect.NativeMethodAccessorImpl.invoke0(Native Method)
at sun.reflect.NativeMethodAccessorImpl.invoke(NativeMethodAccessorImpl.java:57)
at sun.reflect.DelegatingMethodAccessorImpl.invoke(DelegatingMethodAccessorImpl.java:43)
at java.lang.reflect.Method.invoke(Method.java:606)
at org.apache.cxf.service.invoker.AbstractInvoker.performInvocation(AbstractInvoker.java:188)
at org.apache.cxf.service.invoker.AbstractInvoker.invoke(AbstractInvoker.java:104)
at org.apache.cxf.jaxrs.JAXRSInvoker.invoke(JAXRSInvoker.java:204)
at org.apache.cxf.jaxrs.JAXRSInvoker.invoke(JAXRSInvoker.java:101)
at org.apache.cxf.interceptor.ServiceInvokerInterceptor$1.run(ServiceInvokerInterceptor.java:58)
at org.apache.cxf.interceptor.ServiceInvokerInterceptor.handleMessage(ServiceInvokerInterceptor.java:94)
at org.apache.cxf.phase.PhaseInterceptorChain.doIntercept(PhaseInterceptorChain.java:272)
at org.apache.cxf.transport.ChainInitiationObserver.onMessage(ChainInitiationObserver.java:121)
at org.apache.cxf.transport.http.AbstractHTTPDestination.invoke(AbstractHTTPDestination.java:249)
at org.apache.cxf.transport.servlet.ServletController.invokeDestination(ServletController.java:248)
at org.apache.cxf.transport.servlet.ServletController.invoke(ServletController.java:222)
at org.apache.cxf.transport.servlet.ServletController.invoke(ServletController.java:153)
at org.apache.cxf.transport.servlet.CXFNonSpringServlet.invoke(CXFNonSpringServlet.java:171)
at org.apache.cxf.transport.servlet.AbstractHTTPServlet.handleRequest(AbstractHTTPServlet.java:289)
at org.apache.cxf.transport.servlet.AbstractHTTPServlet.doPost(AbstractHTTPServlet.java:209)
at javax.servlet.http.HttpServlet.service(HttpServlet.java:646)
at org.apache.cxf.transport.servlet.AbstractHTTPServlet.service(AbstractHTTPServlet.java:265)
at org.apache.catalina.core.ApplicationFilterChain.internalDoFilter(ApplicationFilterChain.java:303)
at org.apache.catalina.core.ApplicationFilterChain.doFilter(ApplicationFilterChain.java:208)
at org.apache.tomcat.websocket.server.WsFilter.doFilter(WsFilter.java:52)
at org.apache.catalina.core.ApplicationFilterChain.internalDoFilter(ApplicationFilterChain.java:241)
at org.apache.catalina.core.ApplicationFilterChain.doFilter(ApplicationFilterChain.java:208)
at org.wso2.carbon.ui.filters.CSRFPreventionFilter.doFilter(CSRFPreventionFilter.java:88)
at org.apache.catalina.core.ApplicationFilterChain.internalDoFilter(ApplicationFilterChain.java:241)
at org.apache.catalina.core.ApplicationFilterChain.doFilter(ApplicationFilterChain.java:208)
at org.wso2.carbon.ui.filters.CRLFPreventionFilter.doFilter(CRLFPreventionFilter.java:59)
at org.apache.catalina.core.ApplicationFilterChain.internalDoFilter(ApplicationFilterChain.java:241)
at org.apache.catalina.core.ApplicationFilterChain.doFilter(ApplicationFilterChain.java:208)
at org.apache.catalina.core.StandardWrapperValve.invoke(StandardWrapperValve.java:220)
at org.apache.catalina.core.StandardContextValve.invoke(StandardContextValve.java:122)
at org.apache.catalina.authenticator.AuthenticatorBase.invoke(AuthenticatorBase.java:504)
at org.apache.catalina.core.StandardHostValve.invoke(StandardHostValve.java:170)
at org.apache.catalina.valves.ErrorReportValve.invoke(ErrorReportValve.java:103)
at org.wso2.carbon.tomcat.ext.valves.CompositeValve.continueInvocation(CompositeValve.java:99)
at org.wso2.carbon.tomcat.ext.valves.CarbonTomcatValve$1.invoke(CarbonTomcatValve.java:47)
at org.wso2.carbon.webapp.mgt.TenantLazyLoaderValve.invoke(TenantLazyLoaderValve.java:57)
at org.wso2.carbon.tomcat.ext.valves.TomcatValveContainer.invokeValves(TomcatValveContainer.java:47)
at org.wso2.carbon.tomcat.ext.valves.CompositeValve.invoke(CompositeValve.java:62)
at org.wso2.carbon.tomcat.ext.valves.CarbonStuckThreadDetectionValve.invoke(CarbonStuckThreadDetectionValve.java:159)
at org.apache.catalina.valves.AccessLogValve.invoke(AccessLogValve.java:950)
at org.wso2.carbon.tomcat.ext.valves.CarbonContextCreatorValve.invoke(CarbonContextCreatorValve.java:57)
at org.apache.catalina.core.StandardEngineValve.invoke(StandardEngineValve.java:116)
at org.apache.catalina.connector.CoyoteAdapter.service(CoyoteAdapter.java:421)
at org.apache.coyote.http11.AbstractHttp11Processor.process(AbstractHttp11Processor.java:1074)
at org.apache.coyote.AbstractProtocol$AbstractConnectionHandler.process(AbstractProtocol.java:611)
at org.apache.tomcat.util.net.NioEndpoint$SocketProcessor.doRun(NioEndpoint.java:1739)
at org.apache.tomcat.util.net.NioEndpoint$SocketProcessor.run(NioEndpoint.java:1698)
at java.util.concurrent.ThreadPoolExecutor.runWorker(ThreadPoolExecutor.java:1145)
at java.util.concurrent.ThreadPoolExecutor$Worker.run(ThreadPoolExecutor.java:615)
at org.apache.tomcat.util.threads.TaskThread$WrappingRunnable.run(TaskThread.java:61)
at java.lang.Thread.run(Thread.java:745)
I only set up the SAML2 service provider in the Identity Server and use the default Resident Identity Provider as the identity provider in Identity Server.
Am I doing something wrong in the OAuth2 SAML Assertion flow, or am I missing some configuration in the server?
Thank you very much.
You need to extract the Assertion tag from the SAML2 response and convert it to base64 URL encoding. Please follow the steps below.
You need to remove the line breaks.
URL encode.
Base64 encode the client ID and client secret.
(Note: you can directly convert it to base64 URL encoding; there is no need to do this in two steps.)
Then use the curl command below:
curl -k -d "grant_type=urn:ietf:params:oauth:grant-type:saml2-bearer&assertion=<Assertion_provided_by_client>&scope=PRODUCTION" -H "Authorization: Basic <Base64 encoded consumer key:consumer secret>" -H "Content-Type: application/x-www-form-urlencoded" https://<IP of the APIM server>:9443/oauth2/token
This error occurs when the public key of the private key that signed the assertion and the verification public key do not match. So in this case the public key used on the API Manager side to validate the sent-in SAML assertion has not matched the private key used at Identity Server to sign the SAML assertion.
The other option is to add the certificate they provide you to the wso2carbon.jks (and remember the alias).
Please refer to the references below for more info.
[1] https://docs.wso2.com/display/AM190/Exchanging+SAML2+Bearer+Tokens+with+OAuth2+-+SAML+Extension+Grant+Type
[2]https://docs.wso2.com/display/IS510/SAML2+Bearer+Assertion+Profile+for+OAuth+2.0+with+WSO2+Travelocity
[3] http://xacmlinfo.org/2014/10/31/saml2-bearer-assertion-profile-for-oauth-2-0/
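Two things from the answers above are worth seeing in code: the client-side encoding of the assertion for the saml2-bearer grant (base64, then form encoding takes care of the URL escaping in one step), and the server-side situation the second answer describes, where the certificate that signed the assertion is not the one registered for the IdP. The script below is an added example, not WSO2's code. The DER byte strings and the assertion are constructed stand-ins, and the "signature" in it is a dummy; real signature checking is XML-DSig verification against the registered certificate (OpenSAML or xmlsec), which this script does not do. The KeyInfo block is supplied by whoever sent the assertion, so a verifier must never trust it; comparing it with the registered certificate is only a quick way to see that the two sides are configured with different certificates before digging into the signature failure.

```python
"""saml2-bearer grant: client-side encoding and a server-side certificate-mismatch pre-check (added example)."""
import base64
from urllib.parse import parse_qs, urlencode
import xml.etree.ElementTree as ET

SAML = "urn:oasis:names:tc:SAML:2.0:assertion"
DS = "http://www.w3.org/2000/09/xmldsig#"

# Constructed: these bytes stand in for DER-encoded certificates.
TRUSTED_IDP_CERT_DER = b"constructed-der-of-the-cert-registered-for-the-idp"
ROGUE_CERT_DER = b"constructed-der-of-some-other-cert"


def assertion_with_cert(cert_der: bytes) -> str:
    """A signed-looking assertion whose ds:KeyInfo carries `cert_der` (SignatureValue is a dummy)."""
    b64 = base64.b64encode(cert_der).decode()
    return (f'<saml:Assertion xmlns:saml="{SAML}" ID="_c1" Version="2.0" IssueInstant="2016-01-02T17:31:47.863Z">'
            f'<saml:Issuer>localhost</saml:Issuer>'
            f'<ds:Signature xmlns:ds="{DS}"><ds:SignedInfo/><ds:SignatureValue>ZmFrZQ==</ds:SignatureValue>'
            f'<ds:KeyInfo><ds:X509Data><ds:X509Certificate>\n{b64}\n</ds:X509Certificate></ds:X509Data></ds:KeyInfo>'
            f'</ds:Signature></saml:Assertion>')


def token_request_body(assertion_xml: str, scope: str = "PRODUCTION") -> str:
    """Client side: base64 the assertion, then let form encoding escape + / = (the one-step route)."""
    assertion_b64 = base64.b64encode(assertion_xml.encode()).decode()
    return urlencode({"grant_type": "urn:ietf:params:oauth:grant-type:saml2-bearer",
                      "assertion": assertion_b64, "scope": scope})


def basic_auth_header(consumer_key: str, consumer_secret: str) -> str:
    """The Authorization header value for the curl command above."""
    return "Basic " + base64.b64encode(f"{consumer_key}:{consumer_secret}".encode()).decode()


def decode_assertion(body: str) -> str:
    """Server side: undo the form encoding and the base64 to get the XML back."""
    return base64.b64decode(parse_qs(body)["assertion"][0]).decode()


def keyinfo_cert_der(assertion_xml: str) -> bytes:
    """The certificate the sender claims signed the assertion (untrusted input)."""
    root = ET.fromstring(assertion_xml)
    cert = root.find(f".//{{{DS}}}X509Certificate")
    if cert is None or not cert.text:
        raise ValueError("assertion carries no X509Certificate in ds:KeyInfo")
    return base64.b64decode("".join(cert.text.split()))


def signing_cert_is_registered(assertion_xml: str, registered_der: bytes) -> bool:
    """Diagnostic only: does the sender's KeyInfo certificate equal the one registered for the IdP?"""
    return keyinfo_cert_der(assertion_xml) == registered_der


if __name__ == "__main__":
    assertion = assertion_with_cert(ROGUE_CERT_DER)
    body = token_request_body(assertion)
    print("POST body:", body[:80] + "...")
    print("Authorization:", basic_auth_header("consumer-key", "consumer-secret"))
    received = decode_assertion(body)
    print("KeyInfo cert matches registered IdP cert:", signing_cert_is_registered(received, TRUSTED_IDP_CERT_DER))
```

If the pre-check prints False, the "Signature did not validate against the credential's key" error is expected, and the fix is on the configuration side (register the Identity Server's actual signing certificate for the IdP on the API Manager, or import it into wso2carbon.jks under the alias the IdP entry refers to, as the second answer says).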

ANT SSHEXEC failing with Algorithm negotitation fail error

I am just trying to connect to a remote host using the Ant sshexec task. I have the required jar in the Ant lib directory and am able to connect to the remote host using PuTTY.
This is the way I am running the ssh task:
<sshexec host="host"
username="username"
password="password"
trust="yes"
command="ls"/>
There seems to be an encryption algorithm mismatch with the server. How can I specify the algorithm, as I don't see any attribute for it in the Ant doc for this task? This is the error log I am getting:
com.jcraft.jsch.JSchException: Algorithm negotiation fail
at com.jcraft.jsch.Session.receive_kexinit(Session.java:540)
at com.jcraft.jsch.Session.connect(Session.java:288)
at com.jcraft.jsch.Session.connect(Session.java:145)
at org.apache.tools.ant.taskdefs.optional.ssh.SSHBase.openSession(SSHBase.java:212)
at org.apache.tools.ant.taskdefs.optional.ssh.SSHExec.execute(SSHExec.java:158)
at org.apache.tools.ant.UnknownElement.execute(UnknownElement.java:288)
at sun.reflect.NativeMethodAccessorImpl.invoke0(Native Method)
at sun.reflect.NativeMethodAccessorImpl.invoke(NativeMethodAccessorImpl.java:57)
at sun.reflect.DelegatingMethodAccessorImpl.invoke(DelegatingMethodAccessorImpl.java:43)
at java.lang.reflect.Method.invoke(Method.java:606)
at org.apache.tools.ant.dispatch.DispatchUtils.execute(DispatchUtils.java:106)
at org.apache.tools.ant.Task.perform(Task.java:348)
at org.apache.tools.ant.Target.execute(Target.java:357)
at org.apache.tools.ant.Target.performTasks(Target.java:385)
at org.apache.tools.ant.Project.executeSortedTargets(Project.java:1337)
at org.apache.tools.ant.Project.executeTarget(Project.java:1306)
at org.apache.tools.ant.helper.DefaultExecutor.executeTargets(DefaultExecutor.java:41)
at org.apache.tools.ant.Project.executeTargets(Project.java:1189)
at org.apache.tools.ant.Main.runBuild(Main.java:758)
at org.apache.tools.ant.Main.startAnt(Main.java:217)
at org.apache.tools.ant.launch.Launcher.run(Launcher.java:257)
at org.apache.tools.ant.launch.Launcher.main(Launcher.java:104)
TL;DR edit your sshd_config and enable support for diffie-hellman-group-exchange-sha1 and diffie-hellman-group1-sha1 in KexAlgorithms:
KexAlgorithms curve25519-sha256@libssh.org,ecdh-sha2-nistp256,ecdh-sha2-nistp384,ecdh-sha2-nistp521,diffie-hellman-group-exchange-sha256,diffie-hellman-group14-sha1,diffie-hellman-group-exchange-sha1,diffie-hellman-group1-sha1
I suspect that the problem appeared after the following change in OpenSSH 6.7: "The default set of ciphers and MACs has been altered to remove unsafe algorithms." (see changelog). This version was released on Oct 6 and made it into Debian testing on Oct 21 (see Debian changelog).
OpenSSH enables only the following key exchange algorithms by default:
curve25519-sha256@libssh.org
ecdh-sha2-nistp256
ecdh-sha2-nistp384
ecdh-sha2-nistp521
diffie-hellman-group-exchange-sha256
diffie-hellman-group14-sha1
Whereas JSch claims to support these algorithms (see under "features") for key exchange:
diffie-hellman-group-exchange-sha1
diffie-hellman-group1-sha1
So indeed, they cannot agree on a common key exchange algorithm. Updating sshd_config (and restarting the SSH server) does the trick. Apparently JSch is supposed to support the "diffie-hellman-group-exchange-sha256" method since version 0.1.50 (see changelog).
I had the same error trying to connect to OS X 10.11.6 and could fix it by replacing ~/.ant/lib/jsch-0.1.51.jar with the latest ~/.ant/lib/jsch-0.1.54.jar.
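How the two sides end up with no common algorithm, as an added example that is not part of the original answers: a small Python model of the RFC 4253 key-exchange negotiation, run over the lists quoted above. The OpenSSH 6.7 defaults and the old JSch list are taken from the answer; the JSch 0.1.50+ list is an assumption (the answer only says that version adds diffie-hellman-group-exchange-sha256), and the helper names are mine. It also flags one thing worth knowing before copying the TL;DR line: diffie-hellman-group1-sha1 is a fixed 1024-bit group, which is why OpenSSH dropped it from the defaults, so if the client cannot be upgraded as in the last answer, re-enabling only diffie-hellman-group-exchange-sha1 is the smaller concession.

```python
"""Model of the SSH key-exchange (kex) negotiation from RFC 4253 section 7.1,
run over the algorithm lists quoted in the answer.

Rule: each side sends its kex list in preference order; the method used is
the first algorithm in the CLIENT's list that the SERVER also lists. If
there is none, the connection fails ("Algorithm negotiation fail").
"""
from __future__ import annotations

# OpenSSH 6.7 server defaults, as listed in the answer.
OPENSSH_67_DEFAULT_KEX = [
    "curve25519-sha256@libssh.org",
    "ecdh-sha2-nistp256",
    "ecdh-sha2-nistp384",
    "ecdh-sha2-nistp521",
    "diffie-hellman-group-exchange-sha256",
    "diffie-hellman-group14-sha1",
]

# Kex methods of the old JSch build, as listed in the answer.
JSCH_OLD_KEX = [
    "diffie-hellman-group-exchange-sha1",
    "diffie-hellman-group1-sha1",
]

# Assumed preference list for JSch 0.1.50 and later: the answer says that
# version adds diffie-hellman-group-exchange-sha256; the ordering is a guess.
JSCH_050_KEX = ["diffie-hellman-group-exchange-sha256"] + JSCH_OLD_KEX

# The sshd_config line proposed in the TL;DR of the answer.
ANSWER_KEX_LINE = (
    "KexAlgorithms curve25519-sha256@libssh.org,ecdh-sha2-nistp256,"
    "ecdh-sha2-nistp384,ecdh-sha2-nistp521,diffie-hellman-group-exchange-sha256,"
    "diffie-hellman-group14-sha1,diffie-hellman-group-exchange-sha1,"
    "diffie-hellman-group1-sha1"
)

# A fixed 1024-bit MODP group (Oakley group 2), too small to rely on after
# the Logjam attack; this is the algorithm OpenSSH removed from its defaults.
WEAK_KEX = {"diffie-hellman-group1-sha1"}


def parse_kex_line(line: str) -> list[str]:
    """Parse an sshd_config 'KexAlgorithms a,b,c' line into an ordered list."""
    keyword, _, value = line.strip().partition(" ")
    if keyword.lower() != "kexalgorithms":
        raise ValueError(f"not a KexAlgorithms line: {line!r}")
    return [alg.strip() for alg in value.split(",") if alg.strip()]


def negotiate_kex(client_kex: list[str], server_kex: list[str]) -> str | None:
    """RFC 4253 7.1: the first client-preferred algorithm the server supports."""
    server_set = set(server_kex)
    for alg in client_kex:
        if alg in server_set:
            return alg
    return None


def weak_kex(kex_list: list[str]) -> list[str]:
    """Known-weak algorithms present in a (server) list, in list order."""
    return [alg for alg in kex_list if alg in WEAK_KEX]


def minimal_server_fix(server_kex: list[str], client_kex: list[str]) -> list[str]:
    """Server-side change that admits the client with the least exposure:
    append only the client's most-preferred algorithm that is not known-weak
    (the TL;DR line enables diffie-hellman-group1-sha1 as well)."""
    for alg in client_kex:
        if alg in WEAK_KEX:
            continue
        if alg in server_kex:
            return list(server_kex)            # already interoperable, change nothing
        return server_kex + [alg]
    return list(server_kex)                     # client offers nothing acceptable


if __name__ == "__main__":
    answer = parse_kex_line(ANSWER_KEX_LINE)
    print("old JSch vs OpenSSH 6.7 defaults    :", negotiate_kex(JSCH_OLD_KEX, OPENSSH_67_DEFAULT_KEX))
    print("old JSch vs the answer's sshd_config:", negotiate_kex(JSCH_OLD_KEX, answer))
    print("weak algorithms that line enables   :", weak_kex(answer))
    print("JSch 0.1.50+ vs OpenSSH 6.7 defaults:", negotiate_kex(JSCH_050_KEX, OPENSSH_67_DEFAULT_KEX))
    print("smaller server-side fix for old JSch:", minimal_server_fix(OPENSSH_67_DEFAULT_KEX, JSCH_OLD_KEX))
```

Run it directly to see the cases printed. The point to take away is that the chosen method follows the client's preference order, so appending an algorithm at the end of the server's list is enough for the old client to connect, while modern clients keep negotiating curve25519.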

How to change the security type from SSL to TLS in Jenkins?

I am trying to set up the SMTP email notification. I could see that the Gmail part works fine. I want to configure it for my Office 365.
Smtp server = smtp.office365.com
We don't have SSL configured. Instead we use TLS. How can I set TLS in Jenkins?
There is only a checkbox for whether to use SSL or not. If I disable it, what is it going to use?
I get the following errors -
Failed to send out e-mail
javax.mail.MessagingException: Could not connect to SMTP host: smtp.office365.com, port: 587;
nested exception is:
javax.net.ssl.SSLException: Unrecognized SSL message, plaintext connection?
at com.sun.mail.smtp.SMTPTransport.openServer(SMTPTransport.java:1934)
at com.sun.mail.smtp.SMTPTransport.protocolConnect(SMTPTransport.java:638)
at javax.mail.Service.connect(Service.java:317)
at javax.mail.Service.connect(Service.java:176)
at javax.mail.Service.connect(Service.java:125)
at javax.mail.Transport.send0(Transport.java:194)
at javax.mail.Transport.send(Transport.java:124)
at hudson.tasks.Mailer$DescriptorImpl.doSendTestMail(Mailer.java:499)
at sun.reflect.NativeMethodAccessorImpl.invoke0(Native Method)
at sun.reflect.NativeMethodAccessorImpl.invoke(NativeMethodAccessorImpl.java:57)
at sun.reflect.DelegatingMethodAccessorImpl.invoke(DelegatingMethodAccessorImpl.java:43)
at java.lang.reflect.Method.invoke(Method.java:616)
at org.kohsuke.stapler.Function$InstanceFunction.invoke(Function.java:298)
at org.kohsuke.stapler.Function.bindAndInvoke(Function.java:161)
at org.kohsuke.stapler.Function.bindAndInvokeAndServeResponse(Function.java:96)
at org.kohsuke.stapler.MetaClass$1.doDispatch(MetaClass.java:120)
at org.kohsuke.stapler.NameBasedDispatcher.dispatch(NameBasedDispatcher.java:53)
at org.kohsuke.stapler.Stapler.tryInvoke(Stapler.java:728)
at org.kohsuke.stapler.Stapler.invoke(Stapler.java:858)
at org.kohsuke.stapler.MetaClass$6.doDispatch(MetaClass.java:248)
at org.kohsuke.stapler.NameBasedDispatcher.dispatch(NameBasedDispatcher.java:53)
at org.kohsuke.stapler.Stapler.tryInvoke(Stapler.java:728)
at org.kohsuke.stapler.Stapler.invoke(Stapler.java:858)
at org.kohsuke.stapler.Stapler.invoke(Stapler.java:631)
at org.kohsuke.stapler.Stapler.service(Stapler.java:225)
at javax.servlet.http.HttpServlet.service(HttpServlet.java:848)
at org.eclipse.jetty.servlet.ServletHolder.handle(ServletHolder.java:686)
at org.eclipse.jetty.servlet.ServletHandler$CachedChain.doFilter(ServletHandler.java:1494)
at hudson.util.PluginServletFilter$1.doFilter(PluginServletFilter.java:96)
at hudson.util.PluginServletFilter.doFilter(PluginServletFilter.java:88)
at org.eclipse.jetty.servlet.ServletHandler$CachedChain.doFilter(ServletHandler.java:1482)
at hudson.security.csrf.CrumbFilter.doFilter(CrumbFilter.java:48)
at org.eclipse.jetty.servlet.ServletHandler$CachedChain.doFilter(ServletHandler.java:1482)
at hudson.security.ChainedServletFilter$1.doFilter(ChainedServletFilter.java:84)
at hudson.security.ChainedServletFilter.doFilter(ChainedServletFilter.java:76)
at hudson.security.HudsonFilter.doFilter(HudsonFilter.java:164)
at org.eclipse.jetty.servlet.ServletHandler$CachedChain.doFilter(ServletHandler.java:1482)
at org.kohsuke.stapler.compression.CompressionFilter.doFilter(CompressionFilter.java:46)
at org.eclipse.jetty.servlet.ServletHandler$CachedChain.doFilter(ServletHandler.java:1482)
at hudson.util.CharacterEncodingFilter.doFilter(CharacterEncodingFilter.java:81)
at org.eclipse.jetty.servlet.ServletHandler$CachedChain.doFilter(ServletHandler.java:1474)
at org.eclipse.jetty.servlet.ServletHandler.doHandle(ServletHandler.java:499)
at org.eclipse.jetty.server.handler.ScopedHandler.handle(ScopedHandler.java:137)
at org.eclipse.jetty.security.SecurityHandler.handle(SecurityHandler.java:533)
at org.eclipse.jetty.server.session.SessionHandler.doHandle(SessionHandler.java:231)
at org.eclipse.jetty.server.handler.ContextHandler.doHandle(ContextHandler.java:1086)
at org.eclipse.jetty.servlet.ServletHandler.doScope(ServletHandler.java:428)
at org.eclipse.jetty.server.session.SessionHandler.doScope(SessionHandler.java:193)
at org.eclipse.jetty.server.handler.ContextHandler.doScope(ContextHandler.java:1020)
at org.eclipse.jetty.server.handler.ScopedHandler.handle(ScopedHandler.java:135)
at org.eclipse.jetty.server.handler.HandlerWrapper.handle(HandlerWrapper.java:116)
at org.eclipse.jetty.server.Server.handle(Server.java:370)
at org.eclipse.jetty.server.AbstractHttpConnection.handleRequest(AbstractHttpConnection.java:489)
at org.eclipse.jetty.server.AbstractHttpConnection.content(AbstractHttpConnection.java:960)
at org.eclipse.jetty.server.AbstractHttpConnection$RequestHandler.content(AbstractHttpConnection.java:1021)
at org.eclipse.jetty.http.HttpParser.parseNext(HttpParser.java:865)
at org.eclipse.jetty.http.HttpParser.parseAvailable(HttpParser.java:240)
at org.eclipse.jetty.server.AsyncHttpConnection.handle(AsyncHttpConnection.java:82)
at org.eclipse.jetty.io.nio.SelectChannelEndPoint.handle(SelectChannelEndPoint.java:668)
at org.eclipse.jetty.io.nio.SelectChannelEndPoint$1.run(SelectChannelEndPoint.java:52)
at winstone.BoundedExecutorService$1.run(BoundedExecutorService.java:77)
at java.util.concurrent.ThreadPoolExecutor.runWorker(ThreadPoolExecutor.java:1146)
at java.util.concurrent.ThreadPoolExecutor$Worker.run(ThreadPoolExecutor.java:615)
at java.lang.Thread.run(Thread.java:679)
Caused by: javax.net.ssl.SSLException: Unrecognized SSL message, plaintext connection?
at sun.security.ssl.InputRecord.handleUnknownRecord(InputRecord.java:542)
at sun.security.ssl.InputRecord.read(InputRecord.java:374)
at sun.security.ssl.SSLSocketImpl.readRecord(SSLSocketImpl.java:850)
at sun.security.ssl.SSLSocketImpl.performInitialHandshake(SSLSocketImpl.java:1190)
at sun.security.ssl.SSLSocketImpl.startHandshake(SSLSocketImpl.java:1217)
at sun.security.ssl.SSLSocketImpl.startHandshake(SSLSocketImpl.java:1201)
at com.sun.mail.util.SocketFetcher.configureSSLSocket(SocketFetcher.java:507)
at com.sun.mail.util.SocketFetcher.getSocket(SocketFetcher.java:238)
at com.sun.mail.smtp.SMTPTransport.openServer(SMTPTransport.java:1900)
... 63 more
For Jenkins on Windows, open jenkins.xml and modify the arguments node:
-Xrs -Xmx256m -Dhudson.lifecycle=hudson.lifecycle.WindowsServiceLifecycle -Dmail.smtp.starttls.enable=true -jar "%BASE%\jenkins.war" --httpPort=8080
Office 365 indeed requires authenticated SMTP with TLS. The SSL option in the Jenkins configuration does not help; leave it unchecked. Instead, add the following system property to the Jenkins VM:
-Dmail.smtp.starttls.enable=true
For standalone Jenkins, put it in jenkins.xml in the installation folder; for Tomcat, update the startup script or use the tray icon on Windows.
Then restart Jenkins and you're good to go.
I run Jenkins under Ubuntu Server 14.04 and I had to adapt the previous answer, which addresses the CentOS distribution.
First of all, under most Linux distributions the configuration file for Jenkins is located at /etc/default/jenkins (see this link). I use Jenkins 2.7 and I appended -Dmail.smtp.starttls.enable=true to the existing JAVA_ARGS setting. Finally, I ended up with this:
JAVA_ARGS="-Djava.awt.headless=true -Dmail.smtp.starttls.enable=true"
Here is what worked for me running Jenkins on CentOS. Edit /etc/sysconfig/jenkins and add the option -Dmail.smtp.starttls.enable=true to JENKINS_JAVA_OPTIONS.
If there is already some other option set there, append -Dmail.smtp.starttls.enable=true to it, so it should look similar to the below:
JENKINS_JAVA_OPTIONS="-Djava.awt.headless=true -Dmail.smtp.starttls.enable=true"
Restart Jenkins with service jenkins restart and you should be good to go.
Thanks for the answers, I got it fixed. First of all, Java supports only SSL by default. So, the Jenkins Java options need to be set to enable TLS. Afterwards, start the Jenkins service. This permission issue occurs when you don't give the System Admin e-mail address under the Jenkins Location column. This doesn't happen for Gmail SMTP. I guess Office 365 has higher security. So, it allows only the registered user to send the emails.
For me, adding "-Dmail.smtp.starttls.enable=true" to the Java options didn't work out of the box. Jenkins was trying to connect to the SMTP server, but in the logs at /var/log/maillog (CentOS 7.2) I saw that the connection was established and then, after some time (presumably after a timeout), postfix reported "lost connection after CONNECT from {host_name}". I also have the connection going through TLS. After some research I decided to try a different port, 587, instead of the default 465, and voila! The test email was finally sent.
SSL and TLS are, effectively, the same.
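The exchange the answers above are configuring, as an added example that is not part of the original question or answers: a standard-library Python model of implicit TLS versus STARTTLS. The fake server, its banner and the hostnames are constructed for this example; it serves only the plaintext phase of a port-587 session, since it has no certificate for the handshake itself. Both modes use the TLS protocol; the Jenkins "Use SSL" option makes JavaMail start TLS on connect (the behaviour of port 465), so against port 587 the first bytes it reads are the plaintext "220" greeting, which is what "Unrecognized SSL message, plaintext connection?" is reporting. mail.smtp.starttls.enable=true makes it send EHLO and STARTTLS first. The last function also shows why mail.smtp.starttls.required=true, a JavaMail property the answers do not mention, is worth setting alongside enable: without it a client that does not see STARTTLS in the EHLO reply carries on in plaintext and sends the Office 365 credentials in the clear, which is exactly what an on-path attacker stripping the capability counts on.

```python
"""Offline model of the two ways an SMTP client obtains TLS.

  implicit TLS ("SMTPS", normally port 465): the TLS handshake starts the
      moment the TCP connection opens; no SMTP command precedes it.
  STARTTLS (submission, port 587): the server greets in plaintext with a
      "220" line, the client sends EHLO, then STARTTLS, and only then does
      the TLS handshake run.

The fake server is constructed for this example: it speaks the plaintext
phase of a port-587 session and stops where the handshake would begin.
"""
from __future__ import annotations

import socket
import ssl
import threading

# Constructed banner and hostnames; not taken from any real server.
BANNER = b"220 smtp.fake.example.test ESMTP ready\r\n"


def start_fake_submission_server(advertise_starttls: bool = True) -> int:
    """Serve one connection on an ephemeral localhost port the way a
    submission server does before TLS. With advertise_starttls=False the
    EHLO reply omits STARTTLS, which is what an on-path attacker stripping
    the capability looks like to the client. Returns the port."""
    ehlo_reply = b"250-smtp.fake.example.test\r\n250-SIZE 35882577\r\n"
    ehlo_reply += b"250 STARTTLS\r\n" if advertise_starttls else b"250 8BITMIME\r\n"
    srv = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    srv.bind(("127.0.0.1", 0))
    srv.listen(1)
    port = srv.getsockname()[1]

    def serve() -> None:
        conn, _ = srv.accept()
        srv.close()
        with conn, conn.makefile("rb") as rfile:
            try:
                conn.sendall(BANNER)                  # plaintext greeting comes first
                while True:
                    line = rfile.readline()
                    if not line:
                        return
                    verb = line.split(b" ", 1)[0].strip().upper()
                    if verb == b"EHLO":
                        conn.sendall(ehlo_reply)
                    elif verb == b"STARTTLS":
                        conn.sendall(b"220 2.0.0 Ready to start TLS\r\n")
                        return                        # a real server would now run the TLS handshake
                    elif verb == b"QUIT":
                        conn.sendall(b"221 2.0.0 Bye\r\n")
                        return
                    else:                             # e.g. a TLS ClientHello sent to a plaintext port
                        conn.sendall(b"500 5.5.1 Command unrecognized\r\n")
            except OSError:
                return                                # client went away

    threading.Thread(target=serve, daemon=True).start()
    return port


def implicit_tls_connect(port: int) -> tuple[bool, str]:
    """What the Jenkins "Use SSL" option amounts to: TLS from the first byte.
    Against a server that greets in plaintext, the bytes "220 ..." are read
    as a TLS record header and the handshake fails; JavaMail reports this
    as "Unrecognized SSL message, plaintext connection?"."""
    ctx = ssl.create_default_context()
    sock = socket.create_connection(("127.0.0.1", port), timeout=5)
    try:
        tls = ctx.wrap_socket(sock, server_hostname="smtp.fake.example.test")
    except OSError as exc:                            # ssl.SSLError is an OSError
        sock.close()
        return False, getattr(exc, "reason", None) or str(exc)
    tls.close()
    return True, "TLS established"


def read_reply(rfile) -> list[str]:
    """Read one SMTP reply; continuation lines have '-' after the 3-digit code."""
    lines = []
    while True:
        raw = rfile.readline()
        if not raw:
            raise ConnectionError("server closed the connection")
        line = raw.decode("ascii", "replace").rstrip("\r\n")
        lines.append(line)
        if len(line) < 4 or line[3] != "-":
            return lines


def starttls_offered(ehlo_reply: list[str]) -> bool:
    """True if the EHLO reply advertises STARTTLS."""
    return any(line[4:].strip().upper() == "STARTTLS" for line in ehlo_reply)


def starttls_preamble(port: int) -> tuple[bool, list[list[str]]]:
    """What mail.smtp.starttls.enable=true makes JavaMail do: greeting, EHLO,
    STARTTLS, and only then the handshake (not modelled here). Also behaves
    like mail.smtp.starttls.required=true: if STARTTLS is not offered it
    quits rather than continuing in plaintext. Returns (ready, replies)."""
    replies = []
    sock = socket.create_connection(("127.0.0.1", port), timeout=5)
    with sock, sock.makefile("rb") as rfile:
        replies.append(read_reply(rfile))             # "220 ..." greeting
        if not replies[0][0].startswith("220"):
            return False, replies
        sock.sendall(b"EHLO jenkins.fake.example.test\r\n")
        replies.append(read_reply(rfile))
        if not starttls_offered(replies[1]):
            sock.sendall(b"QUIT\r\n")                 # never send credentials in the clear
            return False, replies
        sock.sendall(b"STARTTLS\r\n")
        replies.append(read_reply(rfile))
        return replies[2][0].startswith("220"), replies


if __name__ == "__main__":
    print("implicit TLS against a STARTTLS port:", implicit_tls_connect(start_fake_submission_server()))
    print("STARTTLS preamble:", starttls_preamble(start_fake_submission_server()))
    print("STARTTLS stripped on the path:", starttls_preamble(start_fake_submission_server(False)))
```

The first line printed is the offline equivalent of the stack trace in the question: the client never gets past the handshake because the server's plaintext greeting is not a TLS record. The third case is the reason to pair starttls.enable with starttls.required: a client without the required flag would, at that point, continue with AUTH over plaintext.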

Resources