HTTPS connection

In order to setup an SSL connection with the Axis2-based client, we've added
the following: "System.setProperty("javax.net.ssl.trustStore",
"d:/path_to_file/name_of_keystore");
System.setProperty("javax.net.ssl.trustStorePassword", "secret");".

In ESB, I've changed the value of the "truststore" parameter to use the same
truststore used by the Axis2-based client. I've also created a Proxy that
points to the https webservice. When calling this Proxy, the following error
is generated: "Caused by: sun.security.validator.ValidatorException: PKIX
path building failed:
sun.security.provider.certpath.SunCertPathBuilderException: unable to find
valid certification path to requested target". The used truststore contains
the SSL certificate of the site.
  

I'm aware that this question is more related to JKS and SSL configuration,
but - although I found it out for the Axis2-based client - I'm unable to
configure it correctly for ESB. 
  

asankha wrote:

Hi Stefan
> In order to setup an SSL connection with the Axis2-based client, we've added
> the following: "System.setProperty("javax.net.ssl.trustStore",
> "d:/path_to_file/name_of_keystore");
> System.setProperty("javax.net.ssl.trustStorePassword", "secret");".
>
> In ESB, I've changed the value of the "truststore" parameter to use the same
> truststore used by the Axis2-based client. I've also created a Proxy that
> points to the https webservice. When calling this Proxy, the following error
> is generated: "Caused by: sun.security.validator.ValidatorException: PKIX
> path building failed:
> sun.security.provider.certpath.SunCertPathBuilderException: unable to find
> valid certification path to requested target". The used truststore contains
> the SSL certificate of the site.
>  
Which "truststore" parameter did you change? Since you are "calling" and
external HTTPS service, you must edit the HTTPS Transport Sender
configuration as follows, and not the Listener

    <transportSender name="https"
class="org.apache.synapse.transport.nhttp.HttpCoreNIOSSLSender">
        <parameter name="non-blocking" locked="false">true</parameter>
        <parameter name="keystore" locked="false">
            <KeyStore>
                <Location>identity.jks</Location>
                <Type>JKS</Type>
                <Password>password</Password>
                <KeyPassword>password</KeyPassword>
            </KeyStore>
        </parameter>
        *<parameter name="truststore" locked="false">
            <TrustStore>
                <Location>trust.jks</Location>
                <Type>JKS</Type>
                <Password>password</Password>
            </TrustStore>
        </parameter>*
        <!--<parameter
name="HostnameVerifier">DefaultAndLocalhost</parameter>
            supports Strict|AllowAll|DefaultAndLocalhost or the default
if none specified -->
    </transportSender>

> I'm aware that this question is more related to JKS and SSL configuration,
> but - although I found it out for the Axis2-based client - I'm unable to
> configure it correctly for ESB.
>  
I am confident that this works without any issues if the keystores are
properly configured. Basically I would expect the truststore to contain
the CA certificate of your external server as a "trusted certificate" in
the keystore

If you can also send me the output of "keytool -v -list -keystore
trust.jks" for your JKS, that would be helpful (please remember to hide
your password from the output generated before you post it here :-))

asankha

_______________________________________________
Esb-java-user mailing list
Esb-java-user@wso2.org
http://wso2.org/cgi-bin/mailman/listinfo/esb-java-user

Ruwan Linton-3 wrote:

Hi Stefan,

By looking at the stack trace, I think the server to which you are
talking through ESB returns a *HTML* response rather than a *SOAP*
response, with a 404 not found, which can not be handled by the ESB
because it contains a DTD which cannot be built by AXIOM.

Can you please tell us the server to which you are talking through ESB,
and can you make sure to send a request which will not result in a 404
Resource not found and see whether it is working properly.

Thanks,
Ruwan

stlecho wrote:
> Hi Asankha,
>
> I've changed the HTTPS Transport sender and the following error message
> disappeared: "PKIX path building failed:
> sun.security.provider.certpath.SunCertPathBuilderException: unable to find
> valid certification path to requested target".
>
> But now I'm receiving another one :o(:
> "com.ctc.wstx.exc.WstxUnexpectedCharException: Unexpected character '"'
> (code 34) in DOCTYPE declaration; expected a space between public and system
> identifiers".
>
> The only modification I've done, is changing the trustStore parameter of the
> HTTPS Transport Sender in the webapp\WEB-INF\classes\conf\axis2.xml file.
> Based on the stacktrace I'm not able to determine which document causes this
> error. The modified axis2.xml file does not contain a DOCTYPE declaration.
>
> Stacktrace:
> 2008-03-05 17:20:01,567 [192.168.13.175-INFOR2] [I/O dispatcher 3] ERROR
> ClientHandler Received an unexpected response - of content type : text/html;
> charset=iso-8859-1 and status code : 404 with reason : Not Found
> 2008-03-05 17:20:01,582 [192.168.13.175-INFOR2] [HttpClientWorker-1] ERROR
> ClientWorker Unexpected response received
> org.apache.axiom.om.OMException:
> com.ctc.wstx.exc.WstxUnexpectedCharException: Unexpected character '"' (code
> 34) in DOCTYPE declaration; expected a space between public and system
> identifiers
>  at [row,col {unknown-source}]: [1,50]
> at
> org.apache.axiom.om.impl.builder.StAXOMBuilder.next(StAXOMBuilder.java:239)
> at
> org.apache.axiom.soap.impl.builder.StAXSOAPModelBuilder.getSOAPEnvelope(StAXSOAPModelBuilder.java:161)
> at
> org.apache.axiom.soap.impl.builder.StAXSOAPModelBuilder.<init>(StAXSOAPModelBuilder.java:110)
> at
> org.apache.axis2.builder.BuilderUtil.getSOAPBuilder(BuilderUtil.java:609)
> at
> org.apache.axis2.transport.TransportUtils.createDocumentElement(TransportUtils.java:178)
> at
> org.apache.axis2.transport.TransportUtils.createSOAPMessage(TransportUtils.java:111)
> at
> org.apache.synapse.transport.nhttp.ClientWorker.run(ClientWorker.java:160)
> at
> java.util.concurrent.ThreadPoolExecutor$Worker.runTask(ThreadPoolExecutor.java:650)
> at
> java.util.concurrent.ThreadPoolExecutor$Worker.run(ThreadPoolExecutor.java:675)
> at java.lang.Thread.run(Thread.java:595)
>
> PS: I'm using ESB v1.6.
>
> Regards, Stefan Lecho.
>
>
> asankha wrote:
>  
>> Hi Stefan
>>    
>>> In order to setup an SSL connection with the Axis2-based client, we've
>>> added
>>> the following: "System.setProperty("javax.net.ssl.trustStore",
>>> "d:/path_to_file/name_of_keystore");
>>> System.setProperty("javax.net.ssl.trustStorePassword", "secret");".
>>>
>>> In ESB, I've changed the value of the "truststore" parameter to use the
>>> same
>>> truststore used by the Axis2-based client. I've also created a Proxy that
>>> points to the https webservice. When calling this Proxy, the following
>>> error
>>> is generated: "Caused by: sun.security.validator.ValidatorException: PKIX
>>> path building failed:
>>> sun.security.provider.certpath.SunCertPathBuilderException: unable to
>>> find
>>> valid certification path to requested target". The used truststore
>>> contains
>>> the SSL certificate of the site.
>>>  
>>>      
>> Which "truststore" parameter did you change? Since you are "calling" and
>> external HTTPS service, you must edit the HTTPS Transport Sender
>> configuration as follows, and not the Listener
>>
>>     <transportSender name="https"
>> class="org.apache.synapse.transport.nhttp.HttpCoreNIOSSLSender">
>>         <parameter name="non-blocking" locked="false">true</parameter>
>>         <parameter name="keystore" locked="false">
>>             <KeyStore>
>>                 <Location>identity.jks</Location>
>>                 <Type>JKS</Type>
>>                 <Password>password</Password>
>>                 <KeyPassword>password</KeyPassword>
>>             </KeyStore>
>>         </parameter>
>>         *<parameter name="truststore" locked="false">
>>             <TrustStore>
>>                 <Location>trust.jks</Location>
>>                 <Type>JKS</Type>
>>                 <Password>password</Password>
>>             </TrustStore>
>>         </parameter>*
>>         <!--<parameter
>> name="HostnameVerifier">DefaultAndLocalhost</parameter>
>>             supports Strict|AllowAll|DefaultAndLocalhost or the default
>> if none specified -->
>>     </transportSender>
>>
>>    
>>> I'm aware that this question is more related to JKS and SSL
>>> configuration,
>>> but - although I found it out for the Axis2-based client - I'm unable to
>>> configure it correctly for ESB.
>>>  
>>>      
>> I am confident that this works without any issues if the keystores are
>> properly configured. Basically I would expect the truststore to contain
>> the CA certificate of your external server as a "trusted certificate" in
>> the keystore
>>
>> If you can also send me the output of "keytool -v -list -keystore
>> trust.jks" for your JKS, that would be helpful (please remember to hide
>> your password from the output generated before you post it here :-))
>>
>> asankha
>>
>> _______________________________________________
>> Esb-java-user mailing list
>> Esb-java-user@wso2.org
>> http://wso2.org/cgi-bin/mailman/listinfo/esb-java-user
>>
>>
>>    
>
>  


_______________________________________________
Esb-java-user mailing list
Esb-java-user@wso2.org
http://wso2.org/cgi-bin/mailman/listinfo/esb-java-user

Ruwan Linton-3 wrote:

Stefan,

See my comments inline,

stlecho wrote:
> Hi Ruwan,
>
> The webservice I'm calling is installed on a server that's behind a BIG-IP
> (firewall, load balancer, ...). The establishment of the SSL connection is
> done with this BIG-IP which at it's turn forwards - based on a specific rule
> - all webservices requests to the dedicated server.
>
> In our Axis2-based application, the SSL connection is setup with HttpClient
> by calling "new HttpClient().executeMethod(new
> GetMethod("https://mywebsite"))". Once this is done, the calls to the
> webservice work perfectly. So I'm wondering how Axis2 is capable of handling
> the '404' HTTP response.
>  
If I got you correctly, what you are saying is that the axis2 based
application can directly talk to the web service, without any issue and
this occurs only when the message is mediated though ESB? If this is the
case then probably there can be a configuration error in ESB

Is there any possibility of  sharing the configuration used by the ESB.
You can send it to me privately if you have any issues in sending the
configuration through the public list.

At the same time can you please attach the full DEBUG log of the ESB
with the configuration that you are using?
> I will try to connect to a HTTPs-based webservice that does not use this
> kind of "forwarding" configuration.
>
> PS: Is there a way to log all incoming messages (in this case the '404' HTTP
> response) received by ESB ?
>  
Not to my knowledge, since this is SSL you cannot even use TCPMON to
monitor the messages, but I think you should be able to use the tcpdump
tool to monitor the message, or you can remote debug Synapse code over
the running instance of ESB and catch the message at the transport
level, (inside ClientWorker)

Thanks,
Ruwan
> Regards, Stefan Lecho.
>
>
> Ruwan Linton-3 wrote:
>  
>> Hi Stefan,
>>
>> By looking at the stack trace, I think the server to which you are
>> talking through ESB returns a *HTML* response rather than a *SOAP*
>> response, with a 404 not found, which can not be handled by the ESB
>> because it contains a DTD which cannot be built by AXIOM.
>>
>> Can you please tell us the server to which you are talking through ESB,
>> and can you make sure to send a request which will not result in a 404
>> Resource not found and see whether it is working properly.
>>
>> Thanks,
>> Ruwan
>>
>> stlecho wrote:
>>    
>>> Hi Asankha,
>>>
>>> I've changed the HTTPS Transport sender and the following error message
>>> disappeared: "PKIX path building failed:
>>> sun.security.provider.certpath.SunCertPathBuilderException: unable to
>>> find
>>> valid certification path to requested target".
>>>
>>> But now I'm receiving another one :o(:
>>> "com.ctc.wstx.exc.WstxUnexpectedCharException: Unexpected character '"'
>>> (code 34) in DOCTYPE declaration; expected a space between public and
>>> system
>>> identifiers".
>>>
>>> The only modification I've done, is changing the trustStore parameter of
>>> the
>>> HTTPS Transport Sender in the webapp\WEB-INF\classes\conf\axis2.xml file.
>>> Based on the stacktrace I'm not able to determine which document causes
>>> this
>>> error. The modified axis2.xml file does not contain a DOCTYPE
>>> declaration.
>>>
>>> Stacktrace:
>>> 2008-03-05 17:20:01,567 [192.168.13.175-INFOR2] [I/O dispatcher 3] ERROR
>>> ClientHandler Received an unexpected response - of content type :
>>> text/html;
>>> charset=iso-8859-1 and status code : 404 with reason : Not Found
>>> 2008-03-05 17:20:01,582 [192.168.13.175-INFOR2] [HttpClientWorker-1]
>>> ERROR
>>> ClientWorker Unexpected response received
>>> org.apache.axiom.om.OMException:
>>> com.ctc.wstx.exc.WstxUnexpectedCharException: Unexpected character '"'
>>> (code
>>> 34) in DOCTYPE declaration; expected a space between public and system
>>> identifiers
>>>  at [row,col {unknown-source}]: [1,50]
>>> at
>>> org.apache.axiom.om.impl.builder.StAXOMBuilder.next(StAXOMBuilder.java:239)
>>> at
>>> org.apache.axiom.soap.impl.builder.StAXSOAPModelBuilder.getSOAPEnvelope(StAXSOAPModelBuilder.java:161)
>>> at
>>> org.apache.axiom.soap.impl.builder.StAXSOAPModelBuilder.<init>(StAXSOAPModelBuilder.java:110)
>>> at
>>> org.apache.axis2.builder.BuilderUtil.getSOAPBuilder(BuilderUtil.java:609)
>>> at
>>> org.apache.axis2.transport.TransportUtils.createDocumentElement(TransportUtils.java:178)
>>> at
>>> org.apache.axis2.transport.TransportUtils.createSOAPMessage(TransportUtils.java:111)
>>> at
>>> org.apache.synapse.transport.nhttp.ClientWorker.run(ClientWorker.java:160)
>>> at
>>> java.util.concurrent.ThreadPoolExecutor$Worker.runTask(ThreadPoolExecutor.java:650)
>>> at
>>> java.util.concurrent.ThreadPoolExecutor$Worker.run(ThreadPoolExecutor.java:675)
>>> at java.lang.Thread.run(Thread.java:595)
>>>
>>> PS: I'm using ESB v1.6.
>>>
>>> Regards, Stefan Lecho.
>>>
>>>
>>> asankha wrote:
>>>  
>>>      
>>>> Hi Stefan
>>>>    
>>>>        
>>>>> In order to setup an SSL connection with the Axis2-based client, we've
>>>>> added
>>>>> the following: "System.setProperty("javax.net.ssl.trustStore",
>>>>> "d:/path_to_file/name_of_keystore");
>>>>> System.setProperty("javax.net.ssl.trustStorePassword", "secret");".
>>>>>
>>>>> In ESB, I've changed the value of the "truststore" parameter to use the
>>>>> same
>>>>> truststore used by the Axis2-based client. I've also created a Proxy
>>>>> that
>>>>> points to the https webservice. When calling this Proxy, the following
>>>>> error
>>>>> is generated: "Caused by: sun.security.validator.ValidatorException:
>>>>> PKIX
>>>>> path building failed:
>>>>> sun.security.provider.certpath.SunCertPathBuilderException: unable to
>>>>> find
>>>>> valid certification path to requested target". The used truststore
>>>>> contains
>>>>> the SSL certificate of the site.
>>>>>  
>>>>>      
>>>>>          
>>>> Which "truststore" parameter did you change? Since you are "calling" and
>>>> external HTTPS service, you must edit the HTTPS Transport Sender
>>>> configuration as follows, and not the Listener
>>>>
>>>>     <transportSender name="https"
>>>> class="org.apache.synapse.transport.nhttp.HttpCoreNIOSSLSender">
>>>>         <parameter name="non-blocking" locked="false">true</parameter>
>>>>         <parameter name="keystore" locked="false">
>>>>             <KeyStore>
>>>>                 <Location>identity.jks</Location>
>>>>                 <Type>JKS</Type>
>>>>                 <Password>password</Password>
>>>>                 <KeyPassword>password</KeyPassword>
>>>>             </KeyStore>
>>>>         </parameter>
>>>>         *<parameter name="truststore" locked="false">
>>>>             <TrustStore>
>>>>                 <Location>trust.jks</Location>
>>>>                 <Type>JKS</Type>
>>>>                 <Password>password</Password>
>>>>             </TrustStore>
>>>>         </parameter>*
>>>>         <!--<parameter
>>>> name="HostnameVerifier">DefaultAndLocalhost</parameter>
>>>>             supports Strict|AllowAll|DefaultAndLocalhost or the default
>>>> if none specified -->
>>>>     </transportSender>
>>>>
>>>>    
>>>>        
>>>>> I'm aware that this question is more related to JKS and SSL
>>>>> configuration,
>>>>> but - although I found it out for the Axis2-based client - I'm unable
>>>>> to
>>>>> configure it correctly for ESB.
>>>>>  
>>>>>      
>>>>>          
>>>> I am confident that this works without any issues if the keystores are
>>>> properly configured. Basically I would expect the truststore to contain
>>>> the CA certificate of your external server as a "trusted certificate" in
>>>> the keystore
>>>>
>>>> If you can also send me the output of "keytool -v -list -keystore
>>>> trust.jks" for your JKS, that would be helpful (please remember to hide
>>>> your password from the output generated before you post it here :-))
>>>>
>>>> asankha
>>>>
>>>> _______________________________________________
>>>> Esb-java-user mailing list
>>>> Esb-java-user@wso2.org
>>>> http://wso2.org/cgi-bin/mailman/listinfo/esb-java-user
>>>>
>>>>
>>>>    
>>>>        
>>>  
>>>      
>> _______________________________________________
>> Esb-java-user mailing list
>> Esb-java-user@wso2.org
>> http://wso2.org/cgi-bin/mailman/listinfo/esb-java-user
>>
>>
>>    
>
>  


_______________________________________________
Esb-java-user mailing list
Esb-java-user@wso2.org
http://wso2.org/cgi-bin/mailman/listinfo/esb-java-user