@IS Team, I think IS will also fail in the back channel SLO flow?

IMO, we could set that system property in the startup script, but there
should be a Production Guideline in our docs to remove it at
production time. WDYT?



On Mon, Apr 11, 2016 at 1:41 PM, Dinusha Senanayaka <dinu...@wso2.com>
wrote:

> Hi All,
>
> Getting the same exception in App Manager also after updating to kernel-4.4.5.
> What is the resolution for this? Can we continue with the
> "-Dorg.opensaml.httpclient.https.disableHostnameVerification=true \" system
> property in the startup script as Harsha suggested?
>
> Regards,
> Dinusha.
>
> On Tue, Apr 5, 2016 at 7:18 PM, Harsha Kumara <hars...@wso2.com> wrote:
>
>> Hi IS Team,
>>
>> It seems that the issue got resolved with the system property. We will
>> need to add it to our startup scripts. Any concerns on doing that?
>>
>> Thanks,
>> Harsha
>>
>> On Tue, Apr 5, 2016 at 6:26 PM, Harsha Kumara <hars...@wso2.com> wrote:
>>
>>> Boolean.getBoolean performs a system property lookup. I'll try that
>>> solution and update.
>>>
>>> On Tue, Apr 5, 2016 at 6:20 PM, Harsha Kumara <hars...@wso2.com> wrote:
>>>
>>>> I have done some analysis on this. In API Manager the initial functionality
>>>> works fine. When the access token is generated, SAML2BearerGrantHandler
>>>> calls DefaultBootstrap.bootstrap(); in the opensaml library. With the new
>>>> version of the opensaml library they perform initializeHttpClient(); [1]
>>>> during the bootstrap. So the underlying commons http client library socket
>>>> factory has changed from SSLProtocolSocketFactory to TLSProtocolSocketFactory.
>>>> TLSProtocolSocketFactory performs host name verification, which causes
>>>> this exception. Going through their code, they have tried to disable this
>>>> from a System property. But the implementation is doing Boolean.getBoolean
>>>> instead of looking it up from System.getProperty [2], which seems to be a bug. If this had
>>>> worked, we could have set a system property.
>>>>
>>>> [1]
>>>> /**
>>>>  *  Initializes the Apache Commons HttpClient library.
>>>>  */
>>>> protected static void initializeHttpClient() {
>>>>     if (!Boolean.getBoolean(SYSPROP_HTTPCLIENT_HTTPS_DISABLE_HOSTNAME_VERIFICATION)) {
>>>>         // Installs a strict hostname verifier for every "https" connection made
>>>>         // through commons-httpclient in this JVM, not just opensaml's own calls.
>>>>         ProtocolSocketFactory socketFactory =
>>>>                 new TLSProtocolSocketFactory(null, null, new StrictHostnameVerifier());
>>>>         Protocol.registerProtocol("https", new Protocol("https", socketFactory, 443));
>>>>     }
>>>> }
>>>>
>>>> [2]
>>>> /** System property used to disable global default HTTPS hostname verification in Apache Commons HttpClient. */
>>>> public static final String SYSPROP_HTTPCLIENT_HTTPS_DISABLE_HOSTNAME_VERIFICATION =
>>>>         "org.opensaml.httpclient.https.disableHostnameVerification";
>>>>
>>>> Thanks,
>>>> Harsha
>>>>
>>>>
>>>> On Tue, Apr 5, 2016 at 5:48 PM, Nuwan Dias <nuw...@wso2.com> wrote:
>>>>
>>>>> IS Team,
>>>>>
>>>>> It looks like the TLSProtocolSocketFactory isn't honouring the
>>>>> HostName verification parameter. It always tries to do the hostname
>>>>> verification. Looks like buggy behaviour to me.
>>>>>
>>>>> This causes problems for API Manager and any other product which has a
>>>>> distributed deployment (App Manager, DAS, etc.) because it prevents http
>>>>> clients within our code from accessing Admin Services of remote nodes. The
>>>>> http clients fail since the server cert is by default for localhost, and
>>>>> whenever we try to access through IPs it fails. The only way to overcome
>>>>> this is to create the proper certs and deploy them on the server, which is a
>>>>> huge hassle for simple test scenarios.
>>>>>
>>>>> The TLSProtocolSocketFactory is being set when the SAMLBearerGrant is
>>>>> being initialized. Until then things work fine. We either have to stop it
>>>>> being set or use a version of opensaml which supports skipping the host
>>>>> name verification (like our transports allow). Otherwise this is going to
>>>>> be a huge blocker for our releases.
>>>>>
>>>>> Thanks,
>>>>> NuwanD.
>>>>>
>>>>> On Thu, Mar 17, 2016 at 7:09 PM, Sam Sivayogam <s...@wso2.com> wrote:
>>>>>
>>>>>> HI All,
>>>>>>
>>>>>> Had an offline chat with Pulasthi and got to know that in IS 5.0.8
>>>>>> there was an opensaml upgrade from 2.4.1 to 2.6.4. After going through [1]
>>>>>> I got to know that there is hostname verification introduced in opensaml 2.6.4
>>>>>> which is not there in opensaml 2.4.1, and this is why we are getting the
>>>>>> above issue after moving to carbon identity 5.0.8.
>>>>>>
>>>>>> We are using CommonsHTTPTransportSender to call the key
>>>>>> manager internally, and from what I understood, if we set the HostnameVerifier
>>>>>> parameter to AllowAll we should be able to get rid of this issue,
>>>>>> but we are still getting this issue. Does anyone know why the HostnameVerifier
>>>>>> parameter is not working as expected with CommonsHTTPTransportSender?
>>>>>>
>>>>>> [1]
>>>>>> http://grepcode.com/file_/repo1.maven.org/maven2/org.apache.servicemix.bundles/org.apache.servicemix.bundles.opensaml/2.4.1_2/org/opensaml/ws/soap/client/http/TLSProtocolSocketFactory.java/?v=diff&id2=2.6.4_1
>>>>>>
>>>>>> Thanks,
>>>>>>
>>>>>> On Thu, Mar 17, 2016 at 11:12 AM, Sam Sivayogam <s...@wso2.com>
>>>>>> wrote:
>>>>>>
>>>>>>> Hi All,
>>>>>>>
>>>>>>> I'm trying to upgrade APIM's Carbon kernel to 4.4.4. During the
>>>>>>> kernel upgrade I also upgraded the following:
>>>>>>> carbon identity from 5.0.7 to 5.0.8
>>>>>>> carbon commons from 4.4.8 to 4.5.2
>>>>>>> wso2 rampart from 1.6.1-wso2v16 to 1.6.1-wso2v18
>>>>>>>
>>>>>>> After the upgrade, when I try to generate a key from the API Store
>>>>>>> I'm getting the error [1]. I was able to get rid of this issue after
>>>>>>> replacing the APIKeyValidator IP with localhost in api-manager.xml.
>>>>>>> Please note that this issue is occurring after the kernel upgrade;
>>>>>>> before that we didn't encounter this issue. What I would like to
>>>>>>> know is whether there are any changes in kernel 4.4.4 or rampart 1.6.1-wso2v18
>>>>>>> to do the hostname verification by default?
>>>>>>>
>>>>>>> [1] [2016-03-17 11:08:35,995]  INFO - HTTPSender Unable to sendViaPost to url[https://10.100.5.192:9443//services/APIKeyMgtSubscriberService]
>>>>>>> javax.net.ssl.SSLPeerUnverifiedException: SSL peer failed hostname validation for name: 10.100.5.192
>>>>>>> at org.opensaml.ws.soap.client.http.TLSProtocolSocketFactory.verifyHostname(TLSProtocolSocketFactory.java:233)
>>>>>>> at org.opensaml.ws.soap.client.http.TLSProtocolSocketFactory.createSocket(TLSProtocolSocketFactory.java:194)
>>>>>>> at org.apache.commons.httpclient.HttpConnection.open(HttpConnection.java:707)
>>>>>>> at org.apache.commons.httpclient.MultiThreadedHttpConnectionManager$HttpConnectionAdapter.open(MultiThreadedHttpConnectionManager.java:1361)
>>>>>>> at org.apache.commons.httpclient.HttpMethodDirector.executeWithRetry(HttpMethodDirector.java:387)
>>>>>>> at org.apache.commons.httpclient.HttpMethodDirector.executeMethod(HttpMethodDirector.java:171)
>>>>>>> at org.apache.commons.httpclient.HttpClient.executeMethod(HttpClient.java:397)
>>>>>>> at org.apache.axis2.transport.http.AbstractHTTPSender.executeMethod(AbstractHTTPSender.java:632)
>>>>>>> at org.apache.axis2.transport.http.HTTPSender.sendViaPost(HTTPSender.java:195)
>>>>>>> at org.apache.axis2.transport.http.HTTPSender.send(HTTPSender.java:77)
>>>>>>> at org.apache.axis2.transport.http.CommonsHTTPTransportSender.writeMessageWithCommons(CommonsHTTPTransportSender.java:451)
>>>>>>> at org.apache.axis2.transport.http.CommonsHTTPTransportSender.invoke(CommonsHTTPTransportSender.java:278)
>>>>>>> at org.apache.axis2.engine.AxisEngine.send(AxisEngine.java:442)
>>>>>>> at org.apache.axis2.description.OutInAxisOperationClient.send(OutInAxisOperation.java:430)
>>>>>>> at org.apache.axis2.description.OutInAxisOperationClient.executeImpl(OutInAxisOperation.java:225)
>>>>>>> at org.apache.axis2.client.OperationClient.execute(OperationClient.java:149)
>>>>>>> at org.wso2.carbon.apimgt.keymgt.stub.subscriber.APIKeyMgtSubscriberServiceStub.retrieveOAuthApplication(APIKeyMgtSubscriberServiceStub.java:1389)
>>>>>>> at org.wso2.carbon.apimgt.keymgt.client.SubscriberKeyMgtClient.getOAuthApplication(SubscriberKeyMgtClient.java:89)
>>>>>>> at org.wso2.carbon.apimgt.impl.AMDefaultKeyManagerImpl.retrieveApplication(AMDefaultKeyManagerImpl.java:224)
>>>>>>> at org.wso2.carbon.apimgt.impl.dao.ApiMgtDAO.getClientOfApplication(ApiMgtDAO.java:2338)
>>>>>>> at org.wso2.carbon.apimgt.impl.dao.ApiMgtDAO.getOAuthApplications(ApiMgtDAO.java:2302)
>>>>>>> at org.wso2.carbon.apimgt.impl.dao.ApiMgtDAO.getApplications(ApiMgtDAO.java:4434)
>>>>>>> at org.wso2.carbon.apimgt.impl.APIConsumerImpl.getApplications(APIConsumerImpl.java:2813)
>>>>>>> at org.wso2.carbon.apimgt.impl.UserAwareAPIConsumer.getApplications(UserAwareAPIConsumer.java:36)
>>>>>>> at org.wso2.carbon.apimgt.hostobjects.APIStoreHostObject.getAllSubscriptions(APIStoreHostObject.java:2416)
>>>>>>> at org.wso2.carbon.apimgt.hostobjects.APIStoreHostObject.jsFunction_getAllSubscriptionsOfApplication(APIStoreHostObject.java:2659)
>>>>>>> at sun.reflect.NativeMethodAccessorImpl.invoke0(Native Method)
>>>>>>> at sun.reflect.NativeMethodAccessorImpl.invoke(NativeMethodAccessorImpl.java:57)
>>>>>>> at sun.reflect.DelegatingMethodAccessorImpl.invoke(DelegatingMethodAccessorImpl.java:43)
>>>>>>> at java.lang.reflect.Method.invoke(Method.java:601)
>>>>>>> at org.mozilla.javascript.MemberBox.invoke(MemberBox.java:126)
>>>>>>> at org.mozilla.javascript.FunctionObject.call(FunctionObject.java:386)
>>>>>>> at org.mozilla.javascript.optimizer.OptRuntime.callN(OptRuntime.java:52)
>>>>>>> at org.jaggeryjs.rhino.store.modules.subscription.c1._c_anonymous_2(/store/modules/subscription/list.jag:31)
>>>>>>> at org.jaggeryjs.rhino.store.modules.subscription.c1.call(/store/modules/subscription/list.jag)
>>>>>>> at org.mozilla.javascript.ScriptRuntime.applyOrCall(ScriptRuntime.java:2430)
>>>>>>> at org.mozilla.javascript.BaseFunction.execIdCall(BaseFunction.java:269)
>>>>>>> at org.mozilla.javascript.IdFunctionObject.call(IdFunctionObject.java:97)
>>>>>>> at org.mozilla.javascript.optimizer.OptRuntime.call2(OptRuntime.java:42)
>>>>>>> at org.jaggeryjs.rhino.store.modules.subscription.c0._c_anonymous_5(/store/modules/subscription/module.jag:19)
>>>>>>>
>>>>>>> Thanks,
>>>>>>> Sam
>>>>>>> --
>>>>>>> *Sam Sivayogam*
>>>>>>>
>>>>>>> Software Engineer
>>>>>>> Mobile  : +94 772 906 439
>>>>>>> Office   : +94 112 145 345
>>>>>>> *WSO2, Inc. :** wso2.com <http://wso2.com/>*
>>>>>>> lean.enterprise.middleware.
>>>>>>>
>>>>>>
>>>>>>
>>>>>>
>>>>>>
>>>>>
>>>>>
>>>>>
>>>>> --
>>>>> Nuwan Dias
>>>>>
>>>>> Technical Lead - WSO2, Inc. http://wso2.com
>>>>> email : nuw...@wso2.com
>>>>> Phone : +94 777 775 729
>>>>>
>>>>
>>>>
>>>>
>>>> --
>>>> Harsha Kumara
>>>> Software Engineer, WSO2 Inc.
>>>> Mobile: +94775505618
>>>> Blog:harshcreationz.blogspot.com
>>>>
>>>
>>>
>>>
>>>
>>
>>
>>
>>
>
>
>
> --
> Dinusha Dilrukshi
> Associate Technical Lead
> WSO2 Inc.: http://wso2.com/
> Mobile: +94725255071
> Blog: http://dinushasblog.blogspot.com/
>
> _______________________________________________
> Dev mailing list
> Dev@wso2.org
> http://wso2.org/cgi-bin/mailman/listinfo/dev
>
>


-- 
Thanks & Regards,
Dulanja Liyanage
WSO2 Inc.
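Editor's note. The thread above turns on two points: what Boolean.getBoolean actually reads, and why a connection to https://10.100.5.192:9443 fails when the server certificate is issued for localhost. The following is an added example written for this page; it is not opensaml, WSO2 or Apache HttpClient code. It models a strict hostname check in the spirit of the StrictHostnameVerifier that the quoted initializeHttpClient() installs (simplified: identities are constructed "DNS:"/"IP:" strings rather than values parsed from an X.509 SubjectAlternativeName, and an IP target is compared only against IP identities), and it shows that the org.opensaml.httpclient.https.disableHostnameVerification property does reach Boolean.getBoolean. The class and method names are this example's own.

```java
import java.util.Arrays;
import java.util.List;
import java.util.Locale;

/**
 * Added example, not opensaml or WSO2 code. A minimal strict hostname check in the
 * spirit of the verifier TLSProtocolSocketFactory installs, plus a demonstration of
 * what Boolean.getBoolean(...) actually reads. Certificate identities are constructed
 * here as plain "DNS:"/"IP:" strings instead of being parsed from X.509.
 */
public class HostnameCheckDemo {

    /** Same property name opensaml uses (quoted as [2] in the thread). */
    public static final String DISABLE_PROP =
            "org.opensaml.httpclient.https.disableHostnameVerification";

    /** Boolean.getBoolean(name) is Boolean.parseBoolean(System.getProperty(name)). */
    public static boolean verificationDisabled() {
        return Boolean.getBoolean(DISABLE_PROP);
    }

    /** True for an IPv4 dotted quad or anything containing ':' (IPv6 literal). */
    static boolean isIpLiteral(String host) {
        return host.matches("\\d{1,3}(\\.\\d{1,3}){3}") || host.contains(":");
    }

    /** Strict DNS matching: case-insensitive; '*' allowed only as the whole leftmost label. */
    static boolean dnsMatches(String pattern, String host) {
        String p = pattern.toLowerCase(Locale.ROOT);
        String h = host.toLowerCase(Locale.ROOT);
        if (!p.startsWith("*.")) {
            return p.equals(h);
        }
        String suffix = p.substring(1);                        // "*.example.com" -> ".example.com"
        if (!h.endsWith(suffix)) {
            return false;
        }
        String leftmost = h.substring(0, h.length() - suffix.length());
        return !leftmost.isEmpty() && !leftmost.contains("."); // exactly one label in front
    }

    /**
     * An IP target must equal an "IP:" identity exactly; a DNS target must match a
     * "DNS:" identity. In this simplified check an IP is never compared with a DNS
     * name, so a certificate whose only identity is localhost cannot satisfy a
     * connection made to 10.100.5.192 even though the chain itself is trusted.
     */
    public static boolean hostnameMatches(String host, List<String> identities) {
        boolean targetIsIp = isIpLiteral(host);
        for (String id : identities) {
            if (targetIsIp && id.startsWith("IP:") && id.substring(3).equals(host)) {
                return true;
            }
            if (!targetIsIp && id.startsWith("DNS:") && dnsMatches(id.substring(4), host)) {
                return true;
            }
        }
        return false;
    }

    public static void main(String[] args) {
        // Constructed identities: the stock keystore certificate is issued for localhost.
        List<String> stockCert = Arrays.asList("DNS:localhost");
        // Constructed identities: the same certificate re-issued with the node IP in its SAN.
        List<String> nodeCert = Arrays.asList("DNS:localhost", "IP:10.100.5.192");

        report("localhost against stock cert", hostnameMatches("localhost", stockCert));
        report("10.100.5.192 against stock cert (the failing call in the trace)",
               hostnameMatches("10.100.5.192", stockCert));
        report("10.100.5.192 against cert with IP SAN", hostnameMatches("10.100.5.192", nodeCert));
        report("api.example.com against *.example.com",
               hostnameMatches("api.example.com", Arrays.asList("DNS:*.example.com")));
        report("a.b.example.com against *.example.com",
               hostnameMatches("a.b.example.com", Arrays.asList("DNS:*.example.com")));

        // The property is read at the moment Boolean.getBoolean runs, so a -D flag on the
        // command line or a System.setProperty before bootstrap both reach it.
        report("verification disabled before setting the property", verificationDisabled());
        System.setProperty(DISABLE_PROP, "true");
        report("verification disabled after setting the property", verificationDisabled());
    }

    private static void report(String label, boolean result) {
        System.out.println(label + ": " + result);
    }
}
```

Two practitioner notes on the thread's proposal. First, the quoted initializeHttpClient() calls Protocol.registerProtocol("https", ...), which replaces the socket factory for every commons-httpclient HTTPS connection in the JVM; setting the disable property therefore removes hostname verification process-wide, for outbound calls to any host, not only for the key-manager call that failed. A certificate for localhost then becomes interchangeable with a certificate for any other name signed by a trusted CA, which is the man-in-the-middle case hostname verification exists to stop. Second, the fix Nuwan describes (a proper cert) is what makes the nodeCert case above pass: a certificate whose SubjectAlternativeName carries the node's IP or hostname (with keytool this is the -ext SAN=ip:10.100.5.192 option; the exact alias and keystore names are deployment-specific) satisfies the strict verifier with no bypass, and is the only version of the setup that should reach production.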