Hi Tharindu,

Thanks for pointing out methods to identify the root cause through SSL logs.

It was identified that EI 6.1.1 had an issue with the expired private key, and the issue was fixed when I used the latest pack with the WUM update.

Thank you,
Dilshani

On Fri, Oct 27, 2017 at 5:23 AM, Tharindu Edirisinghe <tharin...@wso2.com> wrote:

> By the way, shouldn't we BCC (instead of CC) the internal mailing lists
> when mailing to public mailing lists like Dev?
>
> Hi Dilshani,
>
> Disabling hostname verification to bypass this issue would not be a good
> practice.
>
> This error message can come due to several certificate related issues.
> Therefore, to isolate the exact issue, would you be able to start EI with
> enabling SSL debug logs for handshake?
>
> -Djavax.net.debug=ssl:handshake
>
> You'll have to append the SSL debug logs to a file as it would just print
> to terminal without appending to carbon log.
>
> sh integrator.sh -Djavax.net.debug=ssl:handshake > ssl.log
>
> Once EI is running, try out the same flow and check (or share) the SSL
> debug log. Then you should be able to identify the root cause.
>
> Thanks,
> TharinduE
>
> On Thu, Oct 26, 2017 at 10:16 PM, Dilshani Subasinghe <dilsh...@wso2.com>
> wrote:
>
>> Hi all,
>>
>> I implemented the "Fine-grained access control for SOAP services" pattern
>> (refer to the 25th pattern in this blog [1]) using WSO2 EI 6.1.1 and
>> WSO2 IS 5.3.0. I was able to implement the pattern locally and tested it
>> successfully. While I was moving to the cloud setup, I got some errors
>> while EI was going to make the connection with IS.
>>
>> I got an error as follows:
>>
>> [2017-10-26 18:52:05,406] [EI-Core] INFO - HTTPSender Unable to sendViaPost to url[https://192.168.57.251/services/EntitlementService]
>> javax.net.ssl.SSLPeerUnverifiedException: SSL peer failed hostname validation for name: null
>>     at org.opensaml.ws.soap.client.http.TLSProtocolSocketFactory.verifyHostname(TLSProtocolSocketFactory.java:233)
>>     at org.opensaml.ws.soap.client.http.TLSProtocolSocketFactory.createSocket(TLSProtocolSocketFactory.java:186)
>>     at org.apache.commons.httpclient.HttpConnection.open(HttpConnection.java:707)
>>
>> After referring to some docs and emails, I found out we need to add the
>> following property in the integrator.sh script.
>>
>> -Dorg.opensaml.httpclient.https.disableHostnameVerification=true \
>>
>> After adding that, I again got an error as follows:
>>
>> [2017-10-26 20:19:16,448] [EI-Core] INFO - HTTPSender Unable to sendViaPost to url[https://is.dev.wso2.org/services/EntitlementService]
>> javax.net.ssl.SSLPeerUnverifiedException: peer not authenticated
>>     at sun.security.ssl.SSLSessionImpl.getPeerCertificates(SSLSessionImpl.java:431)
>>     at org.apache.commons.httpclient.protocol.SSLProtocolSocketFactory.verifyHostName(SSLProtocolSocketFactory.java:259)
>>     at org.apache.commons.httpclient.protocol.SSLProtocolSocketFactory.createSocket(SSLProtocolSocketFactory.java:158)
>>
>> Any idea on fixing this issue?
>>
>> [1] https://medium.facilelogin.com/thirty-solution-patterns-with-the-wso2-identity-server-16f9fd0c0389
>>
>> --
>> Best Regards,
>>
>> Dilshani Subasinghe
>> Software Engineer - QA | WSO2
>> lean | enterprise | middleware
>>
>> Mobile : +94773375185
>> Blog : dilshani.me
>
> --
>
> Tharindu Edirisinghe
> Senior Software Engineer | WSO2 Inc
> Platform Security Team
> Blog : http://tharindue.blogspot.com
> mobile : +94 775181586

--
Best Regards,

Dilshani Subasinghe
Software Engineer - QA | WSO2
lean | enterprise | middleware

Mobile : +94773375185
Blog : dilshani.me
_______________________________________________ Dev mailing list Dev@wso2.org http://wso2.org/cgi-bin/mailman/listinfo/dev
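
Added example, not part of the thread or of any WSO2 tooling: a way to check a server certificate for the two failure classes discussed above (name mismatch and validity period) with the openssl CLI, so that hostname verification can stay enabled. The function names `make_demo_cert` and `check_cert` are hypothetical, the certificate is a throwaway self-signed one constructed for the demonstration, and an installed `openssl` binary is assumed.

```shell
#!/bin/sh
# make_demo_cert: builds a constructed, throwaway self-signed certificate
# (valid for 1 day, SAN = DNS:is.dev.wso2.org) and prints its path.
make_demo_cert() {
    dir=$(mktemp -d) || return 1
    cat > "$dir/req.cnf" <<'EOF'
[req]
distinguished_name = dn
x509_extensions = ext
prompt = no
[dn]
CN = is.dev.wso2.org
[ext]
subjectAltName = DNS:is.dev.wso2.org
EOF
    openssl req -x509 -newkey rsa:2048 -nodes -days 1 -config "$dir/req.cnf" \
        -keyout "$dir/key.pem" -out "$dir/cert.pem" 2>/dev/null || return 1
    echo "$dir/cert.pem"
}

# check_cert PEM NAME [WINDOW_SECONDS]
# Prints one of: ok | name-mismatch | expired-or-expiring
check_cert() {
    pem=$1; name=$2; window=${3:-0}
    # -checkend exits non-zero if the certificate expires within WINDOW seconds
    # (WINDOW=0 means "already expired").
    if ! openssl x509 -in "$pem" -noout -checkend "$window" >/dev/null 2>&1; then
        echo expired-or-expiring; return 0
    fi
    # A URL that uses an IP address needs an IP SAN; a DNS SAN never satisfies it.
    case $name in
        *[!0-9.]*) flag=-checkhost ;;   # contains something other than digits/dots
        *)         flag=-checkip ;;     # looks like an IPv4 address
    esac
    if openssl x509 -in "$pem" -noout "$flag" "$name" 2>&1 | grep -q 'does match'; then
        echo ok
    else
        echo name-mismatch
    fi
}

pem=$(make_demo_cert) || { echo "openssl CLI not available" >&2; exit 1; }
echo "is.dev.wso2.org     : $(check_cert "$pem" is.dev.wso2.org)"
echo "192.168.57.251      : $(check_cert "$pem" 192.168.57.251)"
echo "2-day expiry window : $(check_cert "$pem" is.dev.wso2.org 172800)"
```

To run the same checks against a live endpoint, save its certificate first with `openssl s_client -connect HOST:443 -servername HOST </dev/null | openssl x509 -out cert.pem` and pass that file to `check_cert`.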