I am trying to invoke a secured endpoint (https) from wso2 integration studio8.0/MI 4.0. Created integration project, created an endpoint with the url with secured endpoint address, provided on header with the transport scope as required for the secured endpoint. I got the public key certificate (.p7b/.cer) and imported to the trust store using key tool utility.
keytool -import -alias aliasName -file public-key-from-browser.cer -keystore client-truststore.jks -storepass password. Provided the truststore file path in deployment.toml in integration studio/MI4.0 but getting the following exception. Please let me know how to resolve the exception.
[2022-01-17 10:28:09,696] ERROR {TargetHandler} - I/O error: General SSLEngine problem javax.net.ssl.SSLHandshakeException: General SSLEngine problem
at sun.security.ssl.Handshaker.checkThrown(Handshaker.java:1566)
at sun.security.ssl.SSLEngineImpl.checkTaskThrown(SSLEngineImpl.java:545)
at sun.security.ssl.SSLEngineImpl.writeAppRecord(SSLEngineImpl.java:1217)
at sun.security.ssl.SSLEngineImpl.wrap(SSLEngineImpl.java:1185)
at javax.net.ssl.SSLEngine.wrap(SSLEngine.java:471)
at org.apache.http.nio.reactor.ssl.SSLIOSession.doWrap(SSLIOSession.java:270)
at org.apache.http.nio.reactor.ssl.SSLIOSession.doHandshake(SSLIOSession.java:316)
at org.apache.http.nio.reactor.ssl.SSLIOSession.isAppInputReady(SSLIOSession.java:541)
at org.apache.http.impl.nio.reactor.AbstractIODispatch.inputReady(AbstractIODispatch.java:120)
at org.apache.http.impl.nio.reactor.BaseIOReactor.readable(BaseIOReactor.java:162)
at org.apache.http.impl.nio.reactor.AbstractIOReactor.processEvent(AbstractIOReactor.java:337)
at org.apache.http.impl.nio.reactor.AbstractIOReactor.processEvents(AbstractIOReactor.java:315)
at org.apache.http.impl.nio.reactor.AbstractIOReactor.execute(AbstractIOReactor.java:276)
at org.apache.http.impl.nio.reactor.BaseIOReactor.execute(BaseIOReactor.java:104)
at org.apache.http.impl.nio.reactor.AbstractMultiworkerIOReactor$Worker.run(AbstractMultiworkerIOReactor.java:591)
at java.lang.Thread.run(Thread.java:748)
Caused by: javax.net.ssl.SSLHandshakeException: General SSLEngine problem
at sun.security.ssl.Alerts.getSSLException(Alerts.java:198)
at sun.security.ssl.SSLEngineImpl.fatal(SSLEngineImpl.java:1729)
at sun.security.ssl.Handshaker.fatalSE(Handshaker.java:333)
at sun.security.ssl.Handshaker.fatalSE(Handshaker.java:325)
at sun.security.ssl.ClientHandshaker.serverCertificate(ClientHandshaker.java:1688)
at sun.security.ssl.ClientHandshaker.processMessage(ClientHandshaker.java:226)
at sun.security.ssl.Handshaker.processLoop(Handshaker.java:1082)
at sun.security.ssl.Handshaker$1.run(Handshaker.java:1015)
at sun.security.ssl.Handshaker$1.run(Handshaker.java:1012)
at java.security.AccessController.doPrivileged(Native Method)
at sun.security.ssl.Handshaker$DelegatedTask.run(Handshaker.java:1504)
at org.apache.http.nio.reactor.ssl.SSLIOSession.doRunTask(SSLIOSession.java:288)
at org.apache.http.nio.reactor.ssl.SSLIOSession.doHandshake(SSLIOSession.java:356)
... 9 more
Caused by: sun.security.validator.ValidatorException: PKIX path building failed: sun.security.provider.certpath.SunCertPathBuilderException: unable to find valid certification path to requested target
at sun.security.validator.PKIXValidator.doBuild(PKIXValidator.java:450)
at sun.security.validator.PKIXValidator.engineValidate(PKIXValidator.java:317)
at sun.security.validator.Validator.validate(Validator.java:262)
at sun.security.ssl.X509TrustManagerImpl.validate(X509TrustManagerImpl.java:330)
at sun.security.ssl.X509TrustManagerImpl.checkTrusted(X509TrustManagerImpl.java:289)
at sun.security.ssl.X509TrustManagerImpl.checkServerTrusted(X509TrustManagerImpl.java:144)
at sun.security.ssl.ClientHandshaker.serverCertificate(ClientHandshaker.java:1675)
Make sure that you have imported the chain of certificates. If you have already done that better to enable ssl debug logs [1] and analyse the ssl logs to identify what is the exact cause of the issue.
[1]-https://dilsichandrasena.medium.com/how-to-enable-ssl-debug-logs-for-wso2-products-6de7276ffe10
Related
I setup Rundeck with LDAP/AD auth via JAAS module (vide official documentation).
Auth. works perfectly fine with non-encrypted connection (providerUrl="ldap://AD-FQDN").
When I am trying to switch from LDAP to LDAPS (providerUrl="ldaps://AD-FQDN"), that's where problem begins.
I gathered AD cert along with Sub and Root CA's, added them into rundeck truststore (and keystore afterwards) and restarted rundeckd.
Certs are being validated successfully:
[root#rundeck01 ssl]# openssl verify -CAfile RootCA.cer -untrusted SubCA.cer ad01.cer
ad01.cer: OK
What I can see in service.log:
Caused by: javax.net.ssl.SSLHandshakeException: PKIX path building failed: sun.security.provider.certpath.SunCertPathBuilderException: unable to find valid certification path to requested target
Caused by: sun.security.validator.ValidatorException: PKIX path building failed: sun.security.provider.certpath.SunCertPathBuilderException: unable to find valid certification path to requested target
Firewall ports are opened (can connect to p. 389,636 from via telnet).
Running on:
rundeck-3.4.0.20210614-1
CentOS 7.9
Kindly advise.
Extract the ldaps server cert:
echo -n | openssl s_client -connect your_ldap_server:636 > cert.out
Import to the Rundeck's truststore:
keytool -importcert -trustcacerts -file cert.out -alias myldap -keystore etc/rundeck/truststore
Add the truststore path on your rundeckd file (-Djavax.net.ssl.trustStore):
RDECK_JVM_OPTS="-Drundeck.jaaslogin=true \
-Djava.security.auth.login.config=/etc/rundeck/jaas-ldap.conf \
-Dloginmodule.name=ldap \
-Djavax.net.ssl.trustStore=/etc/rundeck/truststore"
Same issue solved here.
I am getting below exception :
ERROR [MessagingService-Outgoing-/10.16.252.241-Gossip] 2020-05-15 08:39:10,957 OutboundTcpConnection.java:597 - SSL handshake error for outbound connection to 7abffb17[SSL_NULL_WITH_NULL_NULL: Socket[addr=/10.16.252.241,port=7001,localport=52222]]
javax.net.ssl.SSLHandshakeException: sun.security.validator.ValidatorException: No trusted certificate found
at sun.security.ssl.Alerts.getSSLException(Alerts.java:192)
I am adding self-signed certificate. I have added to certificate to cacerts in java security path, But still it not working.
A test build of a jdk10 app is deployed on a machine. No SSL certificate is applied. This is a fresh set up. And yet I get below error when I try to run the app. Database and app are on the same machine. So is tomcat/nginx etc.
Caused by: sun.security.validator.ValidatorException: PKIX path building failed: sun.security.provider.certpath.SunCertPathBuilderException: unable to find valid certification path to requested target
at java.base/sun.security.validator.PKIXValidator.doBuild(PKIXValidator.java:385)
at java.base/sun.security.validator.PKIXValidator.engineValidate(PKIXValidator.java:290)
at java.base/sun.security.validator.Validator.validate(Validator.java:264)
at java.base/sun.security.ssl.X509TrustManagerImpl.validate(X509TrustManagerImpl.java:343)
at java.base/sun.security.ssl.X509TrustManagerImpl.checkTrusted(X509TrustManagerImpl.java:226)
at java.base/sun.security.ssl.X509TrustManagerImpl.checkServerTrusted(X509TrustManagerImpl.java:133)
at java.base/sun.security.ssl.ClientHandshaker.checkServerCerts(ClientHandshaker.java:1947)
... 63 common frames omitted
Caused by: sun.security.provider.certpath.SunCertPathBuilderException: unable to find valid certification path to requested target
at java.base/sun.security.provider.certpath.SunCertPathBuilder.build(SunCertPathBuilder.java:141)
at java.base/sun.security.provider.certpath.SunCertPathBuilder.engineBuild(SunCertPathBuilder.java:126)
at java.base/java.security.cert.CertPathBuilder.build(CertPathBuilder.java:297)
at java.base/sun.security.validator.PKIXValidator.doBuild(PKIXValidator.java:380)
... 69 common frames omitted
I downloaded jhipster registry version 4.0.0, imported and run the registry successfully, when I open localhost:8761 I am getting request cannot be proceed error, there is no error information also.
When I used command mvnw I am getting an exception in thread "main" javax.net.ssl.SSLHandshakeException: sun.security.validator.ValidatorException: PKIX path building failed: sun.security.provider.certpath.SunCertPathBuilderException: unable to find valid certification path to requested target.
One way is to use http protocol instead of https.
To do this go into your project directory > .mvn > wrapper > maven-wrapper.properties.
You will find something like distributionUrl=http://repo1.maven.org/maven2/org/apache/maven/apache-maven/3.5.3/apache-maven-3.5.3-bin.zip.
Change this url to using http instead of https.
Other solutions are more complex but there is no harm in trying.
Problems connecting via HTTPS/SSL through own Java client
Calling web service: javax.net.ssl.SSLException: Received fatal alert: protocol_version
javax.net.ssl.SSLException: Received fatal alert: protocol_version
Simply pass "-Dhttps.protocols=TLSv1.2" as extra argument
My webserver, orion 1.5.4, run on jre 1.4.2, when I run
SecretKeyFactory factory = SecretKeyFactory.getInstance("PBKDF2WithHmacSHA1");
the following exception is thrown
java.security.NoSuchAlgorithmException:Algorithm PBKDF2WithHmacSHA1 not available
I google and find need to add Bouncy Castle provider, so I download bcprov-jdk14-150.jar and placed it in classpath, and download the unlimited policy files in the JVM, then when I run the program code, error thrown in line
aesCipher.init(Cipher.DECRYPT_MODE,secretKey, new IvParameterSpec(ivByte));
the error message is
Caused by: java.lang.SecurityException: Cannot set up certs for trusted CAs
at javax.crypto.SunJCE_b.(DashoA12275)
... 15 more
Caused by: java.lang.SecurityException: Jurisdiction policy files are not signed by trusted signers!
at javax.crypto.SunJCE_b.a(DashoA12275)
at javax.crypto.SunJCE_b.g(DashoA12275)
at javax.crypto.SunJCE_b.f(DashoA12275)
at javax.crypto.SunJCE_t.run(DashoA12275)
at java.security.AccessController.doPrivileged(Native Method)
... 16 more
how to solve it?
I found the problem, I download the unlimited policy files for java 1.6 wrongly, should download for java 1.4.
thanks