Hi Sajith,

I looked into this issue in detail with ssl debug on, with the help of
Manu.
The request to the backend service is invoked via an HttpClient instance
picked from a client pool in Jaggery [1]. When host name verification is
disabled, HttpClient is initialized with a trust manager that accepts any
certificate; thus, at the SSL handshake, when the server presents its
certificate, the client blindly trusts the server and presents the client
certificate back to the server.
When hostname verification is disabled, the default HttpClient from Jaggery
is used (with no custom SSL context). It loads the default key
manager (Java cacerts) and uses strict hostname verification. In that case,
the self-signed certificate the server provides is not trusted. Thus, since
verifying the server's authenticity fails on the client side, it does not
present the client certificate.
In order to solve this, we have to set the SSL context for HttpClient to
use, with a key manager and trust manager loaded from the key store and
trust store of the product.

import java.io.File;
import java.net.URL;
import org.apache.commons.httpclient.contrib.ssl.AuthSSLProtocolSocketFactory;
import org.apache.commons.httpclient.protocol.Protocol;
import org.apache.commons.httpclient.protocol.ProtocolSocketFactory;
import org.wso2.carbon.base.ServerConfiguration;

// Key store and trust store locations come from carbon.xml via ServerConfiguration.
// HTTPS_DEFAULT_PORT is not defined in this snippet; 443 is the conventional value.
ServerConfiguration config = ServerConfiguration.getInstance();
URL keyStoreUrl = new File(config.getFirstProperty("Security.KeyStore.Location")).toURI().toURL();
URL trustStoreUrl = new File(config.getFirstProperty("Security.TrustStore.Location")).toURI().toURL();

Protocol mutualSSLProtocol = new Protocol("https",
        (ProtocolSocketFactory) new AuthSSLProtocolSocketFactory(
                keyStoreUrl, "wso2carbon",     // key store URL and password
                trustStoreUrl, "wso2carbon"),  // trust store URL and password
        HTTPS_DEFAULT_PORT);
Protocol.registerProtocol("https", mutualSSLProtocol);

Therefore, in order to solve this issue, I see the options below.

1. Support the local call by configuring CA signed certs in the nodes.

2. From the jaggery application itself, use an HttpClient with a custom SSL scheme.

AFAIK, in each place where we use mutual SSL in Identity Server, we
load the context for the client with a key manager and trust manager,
which I think is actually needed here as well.

[1] https://github.com/wso2/jaggery/blob/master/components/hostobjects/org.jaggeryjs.hostobjects.xhr/src/main/java/org/jaggeryjs/hostobjects/xhr/XMLHttpRequestHostObject.java#L88
[2] http://hc.apache.org/httpclient-3.x/sslguide.html

Thanks,
Malithi.

On Tue, Nov 29, 2016 at 9:17 PM, Sajith Abeywardhana <saji...@wso2.com>
wrote:

> Hi All,
>
> I observe the "AuthenticationHandler not found exception"[1] when the
> dashboard jaggery app calls[2] the backend REST services over HTTPS. By
> debugging, we found that this issue occurs only when the carbon server is
> started with hostname verification enabled. If hostname
> verification is enabled, the jaggery app does not send the client
> certificate along with the request. If there is no client certificate
> in the request, the AuthenticationHandler rejects the request and throws the
> exception[1]. When I disable hostname verification, the jaggery app
> sends the client certificate along with the request and then the
> AuthenticationHandler will process the request.
>
> Any thoughts how to solve this issue?
>
> [1]
> TID: [-1234] [] [2016-11-29 13:05:36,332] ERROR {org.wso2.carbon.tomcat.ext.valves.CompositeValve} -  Could not handle request: /api/appm/publisher/v1.1/roles
> org.wso2.carbon.identity.auth.service.exception.AuthRuntimeException: AuthenticationHandler not found.
> at org.wso2.carbon.identity.auth.service.AuthenticationManager.authenticate(AuthenticationManager.java:101)
> at org.wso2.carbon.identity.auth.valve.AuthenticationValve.invoke(AuthenticationValve.java:75)
> at org.wso2.carbon.tomcat.ext.valves.CompositeValve.continueInvocation(CompositeValve.java:99)
> at org.wso2.carbon.tomcat.ext.valves.CarbonTomcatValve$1.invoke(CarbonTomcatValve.java:47)
> at org.wso2.carbon.webapp.mgt.TenantLazyLoaderValve.invoke(TenantLazyLoaderValve.java:57)
> at org.wso2.carbon.tomcat.ext.valves.TomcatValveContainer.invokeValves(TomcatValveContainer.java:47)
> at org.wso2.carbon.tomcat.ext.valves.CompositeValve.invoke(CompositeValve.java:62)
> at org.wso2.carbon.tomcat.ext.valves.CarbonStuckThreadDetectionValve.invoke(CarbonStuckThreadDetectionValve.java:159)
> at org.apache.catalina.valves.AccessLogValve.invoke(AccessLogValve.java:956)
> at org.wso2.carbon.tomcat.ext.valves.CarbonContextCreatorValve.invoke(CarbonContextCreatorValve.java:57)
> at org.apache.catalina.core.StandardEngineValve.invoke(StandardEngineValve.java:116)
> at org.apache.catalina.connector.CoyoteAdapter.service(CoyoteAdapter.java:442)
> at org.apache.coyote.http11.AbstractHttp11Processor.process(AbstractHttp11Processor.java:1082)
> at org.apache.coyote.AbstractProtocol$AbstractConnectionHandler.process(AbstractProtocol.java:623)
> at org.apache.tomcat.util.net.NioEndpoint$SocketProcessor.doRun(NioEndpoint.java:1756)
> at org.apache.tomcat.util.net.NioEndpoint$SocketProcessor.run(NioEndpoint.java:1715)
> at java.util.concurrent.ThreadPoolExecutor.runWorker(ThreadPoolExecutor.java:1145)
> at java.util.concurrent.ThreadPoolExecutor$Worker.run(ThreadPoolExecutor.java:615)
> at org.apache.tomcat.util.threads.TaskThread$WrappingRunnable.run(TaskThread.java:61)
> at java.lang.Thread.run(Thread.java:745)
> TID: [-1234] [] [2016-11-29 13:05:36,338] ERROR {JAGGERY.serviceproviders.custom.controllers.custom.getRoles:jag} -  org.mozilla.javascript.EcmaError: TypeError: Cannot read property "roleIds" from null (/dashboard/serviceproviders/custom/controllers/custom/getRoles.jag#15)
> at org.mozilla.javascript.ScriptRuntime.constructError(ScriptRuntime.java:3687)
> at org.mozilla.javascript.ScriptRuntime.constructError(ScriptRuntime.java:3665)
> at org.mozilla.javascript.ScriptRuntime.typeError(ScriptRuntime.java:3693)
> at org.mozilla.javascript.ScriptRuntime.typeError2(ScriptRuntime.java:3712)
> at org.mozilla.javascript.ScriptRuntime.undefReadError(ScriptRuntime.java:3725)
> at org.mozilla.javascript.ScriptRuntime.getObjectProp(ScriptRuntime.java:1483)
> at org.jaggeryjs.rhino.dashboard.serviceproviders.custom.controllers.custom.c5._c_getRoles_1(/dashboard/serviceproviders/custom/controllers/custom/getRoles.jag:15)
> at org.jaggeryjs.rhino.dashboard.serviceproviders.custom.controllers.custom.c5.call(/dashboard/serviceproviders/custom/controllers/custom/getRoles.jag)
> at org.mozilla.javascript.optimizer.OptRuntime.callName0(OptRuntime.java:74)
> at org.jaggeryjs.rhino.dashboard.serviceproviders.custom.controllers.custom.c5._c_script_0(/dashboard/serviceproviders/custom/controllers/custom/getRoles.jag:6)
> at org.jaggeryjs.rhino.dashboard.serviceproviders.custom.controllers.custom.c5.call(/dashboard/serviceproviders/custom/controllers/custom/getRoles.jag)
> at org.mozilla.javascript.ContextFactory.doTopCall(ContextFactory.java:394)
>
> [2] https://github.com/wso2-extensions/identity-cloud/blob/master/jaggeryapps/dashboard/modules/appManagementClient.js#L126
>
> Regards,
> Sajith.
>
> --
> *Sajith Abeywardhana* | Software Engineer
> WSO2, Inc | lean. enterprise. middleware.
> #20, Palm Grove, Colombo 03, Sri Lanka.
> Mobile: +94772260485
> Email: saji...@wso2.com | Web: www.wso2.com
>



-- 

*Malithi Edirisinghe*
Associate Technical Lead
WSO2 Inc.

Mobile : +94 (0) 718176807
malit...@wso2.com
_______________________________________________
Dev mailing list
Dev@wso2.org
http://wso2.org/cgi-bin/mailman/listinfo/dev
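The fix Malithi describes (a client SSL context whose key manager comes from the product key store and whose trust manager comes from the product trust store, instead of Jaggery's trust-all trust manager or the JVM default cacerts), written out with plain JSSE rather than the HttpClient 3.x contrib factory. This is an added example and is not code from the thread, from Jaggery or from Identity Server. The store paths, the port and the "wso2carbon" password in main are assumptions for a default local install, and the key store password is assumed to also be the private key password; in a real deployment read all of them from the same server configuration that supplies the store locations rather than hardcoding the default password as the snippet in the thread does. The example also keeps RFC 2818 hostname verification switched on, since mutual SSL does not require weakening server authentication.

```java
import java.io.FileInputStream;
import java.io.InputStream;
import java.security.KeyStore;
import javax.net.ssl.KeyManagerFactory;
import javax.net.ssl.SSLContext;
import javax.net.ssl.SSLParameters;
import javax.net.ssl.SSLSession;
import javax.net.ssl.SSLSocket;
import javax.net.ssl.TrustManagerFactory;

/**
 * Builds a client-side SSLContext for mutual TLS from a JKS key store (the
 * client certificate and private key) and a JKS trust store (the CA or
 * self-signed certificates this client is willing to accept from servers).
 * No trust-all TrustManager and no disabled hostname check: the server is
 * authenticated against the trust store, hostname verification stays on,
 * and the client certificate is presented once that has succeeded.
 */
public final class MutualTlsClient {

    private MutualTlsClient() {}

    public static SSLContext buildContext(String keyStorePath, char[] keyStorePassword,
                                          char[] keyPassword,
                                          String trustStorePath, char[] trustStorePassword)
            throws Exception {
        // Key manager: the client's own certificate and private key.
        KeyStore keyStore = KeyStore.getInstance("JKS");
        try (InputStream in = new FileInputStream(keyStorePath)) {
            keyStore.load(in, keyStorePassword);
        }
        KeyManagerFactory kmf =
                KeyManagerFactory.getInstance(KeyManagerFactory.getDefaultAlgorithm());
        kmf.init(keyStore, keyPassword);

        // Trust manager: built from the product trust store, not from the JVM
        // default cacerts, so a self-signed server certificate imported there
        // is accepted while every other certificate is still rejected.
        KeyStore trustStore = KeyStore.getInstance("JKS");
        try (InputStream in = new FileInputStream(trustStorePath)) {
            trustStore.load(in, trustStorePassword);
        }
        TrustManagerFactory tmf =
                TrustManagerFactory.getInstance(TrustManagerFactory.getDefaultAlgorithm());
        tmf.init(trustStore);

        SSLContext context = SSLContext.getInstance("TLS");
        context.init(kmf.getKeyManagers(), tmf.getTrustManagers(), null);
        return context;
    }

    /** Opens a TLS connection with RFC 2818 hostname verification enabled. */
    public static SSLSocket connect(SSLContext context, String host, int port) throws Exception {
        SSLSocket socket = (SSLSocket) context.getSocketFactory().createSocket(host, port);
        SSLParameters params = socket.getSSLParameters();
        params.setEndpointIdentificationAlgorithm("HTTPS"); // match cert SAN/CN against host
        socket.setSSLParameters(params);
        socket.startHandshake(); // throws SSLHandshakeException if server auth fails

        // The handshake only reaches client authentication after the server's
        // certificate has been verified; on a trust-store mismatch the client
        // aborts here and never sends its own certificate, which is exactly
        // the symptom reported in the thread.
        SSLSession session = socket.getSession();
        System.out.println("Negotiated " + session.getProtocol() + " with "
                + session.getPeerPrincipal());
        return socket;
    }

    public static void main(String[] args) throws Exception {
        // Assumed paths, port and passwords for a default local WSO2 install;
        // adjust to your deployment and read them from carbon.xml, not from code.
        SSLContext ctx = buildContext(
                "repository/resources/security/wso2carbon.jks", "wso2carbon".toCharArray(),
                "wso2carbon".toCharArray(),
                "repository/resources/security/client-truststore.jks", "wso2carbon".toCharArray());
        try (SSLSocket s = connect(ctx, "localhost", 9443)) {
            // null means no client certificate was sent during the handshake
            System.out.println("Client certificate sent: "
                    + (s.getSession().getLocalCertificates() != null));
        }
    }
}
```

Running main against a server whose certificate is not in the trust store, or whose SAN/CN does not match the host name, fails at startHandshake before any client certificate is sent, which is the observable difference between "client certificate missing" and "client certificate rejected". Importing the server certificate into the client trust store, or issuing both node certificates from a CA that is already in it (option 1 in the thread), lets the handshake complete and makes getLocalCertificates() non-null; none of this needs hostname verification to be turned off.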
