DataPower SSL config for "Fetch" results in "unable to get SSL Profile'' - github

We have a javascript file hosted on GitHub that I'd like to fetch:
Error logs:
172416 cli error 320673 0x81000224 === Line 2: copy -f https://raw.githubusercontent.com/mmxxxxx/abc/master/shim_mpgw_mapping.js store:///js/shim_mpgw_mapping.js
172416 audit error 320673 0x82400020 (admin:default:web-gui:10.106.170.13): (config)# copy -f https://raw.githubusercontent.com/mm58169/datapower7/master/shim_mpgw_mapping.js store:///js/shim_mpgw_mapping.js
172416 audit error 320673 0x8240002e (admin:default:*:*): Copying file "https://raw.githubusercontent.com/mm58169/datapower7/master/shim_mpgw_mapping.js" to "store:///js/shim_mpgw_mapping.js" failed
172416 cli error 320673 0x810002e7 File copy failed - destination URL could not be opened: store:///js/shim_mpgw_mapping.js
172416 file error 320673 0x8100015c Copying file "https://raw.githubusercontent.com/mm58169/datapower7/master/shim_mpgw_mapping.js" to "store:///js/shim_mpgw_mapping.js" : failed
172416 system warning 320673 0x8040000a destination URL could not be opened: store:///js/shim_mpgw_mapping.js
172416 network error 31711 0x80e0005a Cannot establish SSL credentials (credential is NULL), URL: 'https://raw.githubusercontent.com/mm58169/datapower7/master/shim_mpgw_mapping.js'.
172416 network warning 31711 0x80e00058 SSL connection to 'https://raw.githubusercontent.com/mm58169/datapower7/master/shim_mpgw_mapping.js' failed, unable to get SSL Profile ''
172416 network warning 31711 0x80e00058 SSL connection to 'https://raw.githubusercontent.com/mm58169/datapower7/master/shim_mpgw_mapping.js' failed, unable to get SSL Profile ''

#VonC is correct that you need an SSL Client Profile. You need to add it into the User Agent of your service:
The Fetch action will download the file to your DataPower local:/// filesystem, so you might as well download it manually and upload it to the DataPower instance, though...

This should be related to TLS selection, like the DataPower service configuration variable called var://service/tls-info, or serviceVars.tlsInfo, which might not be properly set.
You would then have to define an SSL client profile (which secures connections between the DataPower Gateway and its targets).

Related

minio+KMS x509: certificate signed by unknown authority

I am trying to use minio as a local S3 server. I am following this article
I downloaded key and cert files.
I added the env parameters:
set MINIO_KMS_KES_ENDPOINT=https://play.min.io:7373
set MINIO_KMS_KES_KEY_FILE=D:\KMS\root.key
set MINIO_KMS_KES_CERT_FILE=D:\KMS\root.cert
set MINIO_KMS_KES_KEY_NAME=my-minio-key
I started minio server: D:\>minio.exe server D:\Photos
It logs after start up:
Endpoint: http://169.254.182.253:9000 http://169.254.47.198:9000 http://172.17.39.193:9000 http://192.168.0.191:9000 http://169.254.103.105:9000 http://169.254.209.102:9000 http://169.254.136.71:9000 http://127.0.0.1:9000
AccessKey: minioadmin
SecretKey: minioadmin
Browser Access:
http://169.254.182.253:9000 http://169.254.47.198:9000 http://172.17.39.193:9000 http://192.168.0.191:9000 http://169.254.103.105:9000 http://169.254.209.102:9000 http://169.254.136.71:9000 http://127.0.0.1:9000
Command-line Access: https://docs.min.io/docs/minio-client-quickstart-guide
$ mc.exe alias set myminio http://169.254.182.253:9000 minioadmin minioadmin
Object API (Amazon S3 compatible):
Go: https://docs.min.io/docs/golang-client-quickstart-guide
Java: https://docs.min.io/docs/java-client-quickstart-guide
Python: https://docs.min.io/docs/python-client-quickstart-guide
JavaScript: https://docs.min.io/docs/javascript-client-quickstart-guide
.NET: https://docs.min.io/docs/dotnet-client-quickstart-guide
Detected default credentials 'minioadmin:minioadmin', please change the credentials immediately using 'MINIO_ACCESS_KEY' and 'MINIO_SECRET_KEY'
I opened the UI in the browser: http://localhost:9000/minio/mybacket/
I tried to upload a jpg file and got an exception:
<?xml version="1.0" encoding="UTF-8"?> <Error><Code>InternalError</Code><Message>We encountered an internal error, please try again.</Message><Key>Completed.jpg</Key><BucketName>mybacket</BucketName><Resource>/minio/upload/mybacket/Completed.jpg</Resource><RequestId>1634A6E5663C9D70</RequestId><HostId>4a46a947-6473-4d53-bbb3-a4f908d444ce</HostId></Error>
And I got this exception in minio console:
Error: Post "https://play.min.io:7373/v1/key/generate/my-minio-key": x509: certificate signed by unknown authority
3: cmd\api-errors.go:1961:cmd.toAPIErrorCode()
2: cmd\api-errors.go:1986:cmd.toAPIError()
1: cmd\web-handlers.go:1116:cmd.(*webAPIHandlers).Upload()
Most probably your OS trust store (containing the Root CA certificates) does not trust Let's Encrypt (the Let's Encrypt Authority X3 CA certificate).
The server https://play.min.io:7373 serves a TLS certificate issued by Let's Encrypt.
See:
openssl s_client -showcerts -servername play.min.io -connect play.min.io:7373
Eventually, check the root CA store of your Windows machine.
See: https://security.stackexchange.com/questions/48437/how-can-you-check-the-installed-certificate-authority-in-windows-7-8

How do I fix an SSLCertVerificationError while running a test with locust

I'm testing an internal website and on playback I'm seeing this error:
POST /Ex_ACO_EI/Details/2433:
'SSLError(MaxRetryError("HTTPSConnectionPool(host=\'examiner-stage.site.com\', port=443): Max retries exceeded with url: /Ex_ACO_EI/Details/2433 (Caused by SSLError(SSLCertVerificationError(1, \'[SSL: CERTIFICATE_VERIFY_FAILED] certificate verify failed: unable to get local issuer certificate (_ssl.c:1056)\')))"))'
I'm using PyCharm for my IDE.
Any ideas would be greatly appreciated.
A quick hack is to always disable SSL verification (on the python requests lib if you use the default HTTPLocust).
To fix it properly, you need to validate that server cert again. Maybe the intermediate certificate is missing? You can try
openssl s_client -connect yoursite:443
and see what's wrong with it.
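The locust answer just above and the minio answer further up both come down to the same thing: the client cannot build a chain from the server's certificate to a root it trusts. The following is an added example, not code from either post. It uses openssl (1.1.1 or later assumed) to build a constructed root, intermediate and server certificate, reproduces the exact "unable to get local issuer certificate" failure that appears when the trust store holds the root but the intermediate is never presented, and then shows that supplying the intermediate, as a correctly configured server does, makes verification pass. All names, hostnames and paths are made up.

```sh
#!/bin/sh
# Added example: reproduce and fix "unable to get local issuer certificate"
# offline with a constructed root -> intermediate -> server chain.
set -eu

WORK="$(mktemp -d)"
trap 'rm -rf "$WORK"' EXIT

make_chain() {
  # $1 = directory to write the constructed PEM files into.
  d="$1"
  # Self-contained openssl config so the system default config is not needed.
  # CA certificates must carry basicConstraints CA:TRUE to be accepted as issuers.
  cat > "$d/chain.cnf" <<'EOF'
[req]
distinguished_name = dn
prompt = no
[dn]
[v3_ca]
basicConstraints = critical, CA:TRUE
keyUsage = critical, keyCertSign, cRLSign
subjectKeyIdentifier = hash
[v3_leaf]
basicConstraints = CA:FALSE
subjectAltName = DNS:examiner-stage.example.test
EOF
  # 1. Self-signed root CA: this is what belongs in the OS / Python / Java trust store.
  openssl req -x509 -config "$d/chain.cnf" -extensions v3_ca \
    -newkey rsa:2048 -nodes -sha256 -days 2 -subj '/CN=Constructed Root CA' \
    -keyout "$d/root.key" -out "$d/root.pem" 2>/dev/null
  # 2. Intermediate CA, signed by the root.
  openssl req -new -config "$d/chain.cnf" -newkey rsa:2048 -nodes -sha256 \
    -subj '/CN=Constructed Intermediate CA' -keyout "$d/int.key" -out "$d/int.csr" 2>/dev/null
  openssl x509 -req -in "$d/int.csr" -CA "$d/root.pem" -CAkey "$d/root.key" -CAcreateserial \
    -days 2 -sha256 -extfile "$d/chain.cnf" -extensions v3_ca -out "$d/int.pem" 2>/dev/null
  # 3. Server (leaf) certificate, signed by the intermediate.
  openssl req -new -config "$d/chain.cnf" -newkey rsa:2048 -nodes -sha256 \
    -subj '/CN=examiner-stage.example.test' -keyout "$d/server.key" -out "$d/server.csr" 2>/dev/null
  openssl x509 -req -in "$d/server.csr" -CA "$d/int.pem" -CAkey "$d/int.key" -CAcreateserial \
    -days 2 -sha256 -extfile "$d/chain.cnf" -extensions v3_leaf -out "$d/server.pem" 2>/dev/null
}

verify_leaf() {
  # $1 = trust store (PEM bundle of roots), $2 = leaf certificate,
  # $3 = optional file of untrusted intermediates (what a server sends with its leaf).
  # Exit status is openssl's: 0 when the chain reaches a trusted root, non-zero otherwise.
  if [ -n "${3:-}" ]; then
    openssl verify -CAfile "$1" -untrusted "$3" "$2"
  else
    openssl verify -CAfile "$1" "$2"
  fi
}

verify_error() {
  # Same check, but prints only openssl's reason string, e.g.
  # "unable to get local issuer certificate"; prints nothing when verification succeeds.
  verify_leaf "$@" 2>&1 | sed -n 's/.*depth lookup: *//p' | head -n 1
}

make_chain "$WORK"

echo "== trust store holds the root, but the intermediate is not presented =="
if verify_leaf "$WORK/root.pem" "$WORK/server.pem"; then
  echo "unexpected: verified"
else
  echo "failed as expected: $(verify_error "$WORK/root.pem" "$WORK/server.pem")"
fi

echo "== same trust store, server also presents the intermediate =="
verify_leaf "$WORK/root.pem" "$WORK/server.pem" "$WORK/int.pem"
```

The proper fix the answer describes corresponds to the second call: either the server has to send its intermediate along with the leaf, or the trust store the client is pointed at has to contain every certificate needed to reach a root. Running the `openssl s_client -showcerts` command from the answers against the real host shows which certificates the server actually sends, and the `verify_error` output tells you which link of the chain is missing.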

MobileFirst sun.security.provider.certpath.SunCertPathBuilderException: unable to find valid certification path to requested target

I'm getting the following error in the Eclipse console when trying to connect my App (IBM Maximo Anywhere):
[WARNING ] FWLSE0239W: Authentication failure in realm 'CustomAuthenticationRealm': javax.net.ssl.SSLHandshakeException: sun.security.validator.ValidatorException: PKIX path building failed: sun.security.provider.certpath.SunCertPathBuilderException: unable to find valid certification path to requested target [project MaximoAnywhere]
I'm using MobileFirst Studio 7.1 within Eclipse. My backend server has a single, self-signed certificate. I have imported the backend server's cert into the following keystores on the machine:
C:\Java\jdk1.8.0_102\jre\lib\security\cacerts
C:\Java\jre1.8.0_102\lib\security\cacerts
C:\IBM\Anywhere\MaximoAnywhere\server\conf\default.keystore
My MobileFirst Development Server has the following keystore entry in the server.xml file:
<keyStore id="defaultKeyStore" password="worklight"/>
My worklight.properties has the following entries:
ssl.keystore.path=conf/default.keystore
ssl.keystore.type=jks
ssl.keystore.password=worklight
I have tested keystore connectivity to the backend target using these utilities: SSLPoke and Portecle
Both utilities connect all three of the above mentioned keystores to the backend target server over port 443 with no problems.
I am wondering if anyone has any further comments or suggestions.
From the comments:
I actually was able to resolve the problem. The cert also needed to be added to the following keystore: C:\Users\Username\workspace\MobileFirstServerConfig\servers\worklight\resources\security\key.jks

Java MongoDB Client: authentication failed when access to a server not configured to use an authentication

I have configured Java MongoDB Client to use MongoCredential.
Unfortunately, when I access a server that is not configured to use authentication I get an authentication failed exception:
Caused by: com.mongodb.MongoCommandException: Command failed with error 18: 'Authentication failed.' on server …. The full response is { "ok" : 0.0, "code" : 18, "errmsg" : "Authentication failed." }
I do expect this exception when a server is configured to use an authentication and when Java MongoDB Client but not in this case.
Is it possible to configure the Java MongoDB Client not to fail when accessing a server that is not configured to use authentication?
I am afraid not; your client does not know whether the server has auth enabled or not.
Your client connection code should match the auth parameters from the server, otherwise it fails.
What I did in this case was to create a connection function which accepts auth credentials: when credentials are passed, use them (create the connection with auth credentials); otherwise create the connection with no auth credentials.
In this case, you should know which server has auth enabled.

SSL enabling for rabbitmq management. Server starts, but fails to accept requests

Followed the instructions for creating an SSL set of files with a self-signed certificate according to the rabbit docs.
I am using it only for the management plugin for now, by configuring rabbitmq.config like:
{rabbitmq_management, [
    {http_log_dir, "/tmp/rabbit-mgmt"},
    {rates_mode, basic},
    {listener, [
        {port, 7357},
        {ssl, true},
        {ssl_opts, [
            {cacertfile, "/path/to/ca_certificate.pem"},
            {certfile, "/path/to/server_certificate.pem"},
            {keyfile, "/path/to/server_key.pem"},
            {verify, verify_peer},
            {fail_if_no_peer_cert, false}
        ]}
    ]}
]}
The server starts, and the https port seems open, however, the connection fails as soon as a request is received with:
=ERROR REPORT==== 25-Sep-2015::14:25:33 ===
application: mochiweb
"Accept failed error"
"{error,{options,{cacertfile,\"/path/to/ca_certificate.pem\",\n {error,eacces}}}}"
=ERROR REPORT==== 25-Sep-2015::14:25:33 === {mochiweb_socket_server,295,{acceptor_error,{error,accept_failed}}}
I tried chown and chgrp of the folders that have all the certificate files created by following the documentation, but still have the same access error.
The problem was related to file permissions, the folders were all granting rabbitmq read access, but they were inside another folder without access.
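The `eacces` in the report above comes from a directory higher up the path, not from the certificate file itself, which is easy to miss when only the final directory is checked. The script below is an added example, not part of the original question or answer: it walks every component between a base directory and a certificate file and reports the first one the service account could not get through (directories need the execute, i.e. search, bit; the file needs the read bit). It checks the "others" permission class, so it assumes the rabbitmq user neither owns the files nor is in their group; the directory layout and file contents are constructed for the demonstration.

```sh
#!/bin/sh
# Added example: find the path component that blocks a service account from
# reading a certificate file, the failure mode behind {error,eacces}.
set -u

mode_of() {
  # Octal permission bits of $1 (GNU stat first, BSD/macOS stat as fallback).
  stat -c '%a' "$1" 2>/dev/null || stat -f '%Lp' "$1"
}

other_bits() {
  # The last octal digit is the permission for "others".
  m="$(mode_of "$1")"
  printf '%s' "${m#"${m%?}"}"
}

first_blocker() {
  # $1 = base directory assumed reachable, $2 = path relative to it.
  # Prints the first blocking component and returns 1; prints nothing and
  # returns 0 when every component is accessible to "others".
  cur="$1"
  old_ifs="$IFS"; IFS='/'; set -- $2; IFS="$old_ifs"
  for comp in "$@"; do
    [ -n "$comp" ] || continue
    cur="$cur/$comp"
    bits="$(other_bits "$cur")"
    if [ -z "$bits" ]; then
      printf '%s: cannot stat\n' "$cur"
      return 1
    fi
    if [ -d "$cur" ]; then
      # A directory can only be entered with the execute (search) bit set.
      if [ $((bits & 1)) -eq 0 ]; then
        printf '%s (mode %s): no search permission\n' "$cur" "$(mode_of "$cur")"
        return 1
      fi
    elif [ $((bits & 4)) -eq 0 ]; then
      printf '%s (mode %s): no read permission\n' "$cur" "$(mode_of "$cur")"
      return 1
    fi
  done
  return 0
}

DEMO="$(mktemp -d)"
trap 'rm -rf "$DEMO"' EXIT
# Constructed layout mirroring the post: the certificate directory and file are
# readable, but they sit under a parent that only its owner may enter.
mkdir -p "$DEMO/certs/rabbitmq"
printf 'constructed placeholder, not a real certificate\n' > "$DEMO/certs/rabbitmq/ca_certificate.pem"
chmod 644 "$DEMO/certs/rabbitmq/ca_certificate.pem"
chmod 755 "$DEMO/certs/rabbitmq"
chmod 700 "$DEMO/certs"
CERT_REL="certs/rabbitmq/ca_certificate.pem"

echo "== before =="
first_blocker "$DEMO" "$CERT_REL" || true
echo "== after granting search (but not listing) permission on the parent =="
chmod 711 "$DEMO/certs"
first_blocker "$DEMO" "$CERT_REL" && echo "ok: $CERT_REL is reachable"
```

Mode 711 on the parent is enough for the service to open the file by name without being able to list the directory, which is usually the least-privilege choice for a directory that also holds private keys.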