Is there a way to configure the Eureka client to use a different keystore\truststore than the spring-boot embedded tomcat? OR is there a way to disable cert validation in SBA server?
I have a situation where I have a cluster of spring-boot based microservices across several VMs. All of the microservices, including backend management like SBA and Eureka server are secured using HTTPS and the typical spring-boot SSL certificate configuration. For these services I am using a self-signed CA to generate certificates for each machine. One exception to this is the "gateway" service which serves the api through to our web client. This service is configured with a certificate signed by a real CA, as it is the only publicly accessible service
Getting to the point, my "gateway" service is unable to connect to SBA server, I see a scroll of SSL-related errors complaining about the hostname of the client not matching any alt names in its certificate. This is because it is presenting its public cert to SBA which does not match the internal host name that the request is originating from.
My services are using Netflix Eureka and service discovery.
EDIT: Adding stacktrace from SBA Server:
2019-02-06 21:34:30 [reactor-http-epoll-3] ERROR r.n.http.client.HttpClientConnect - [id: 0x5844260b, L:/172.17.0.5:40928 - R:myhost.mydomain.com/172.xxx.xxx.xxx:443] The connection observed an error
javax.net.ssl.SSLHandshakeException: General SSLEngine problem
at sun.security.ssl.Handshaker.checkThrown(Handshaker.java:1521)
at sun.security.ssl.SSLEngineImpl.checkTaskThrown(SSLEngineImpl.java:528)
at sun.security.ssl.SSLEngineImpl.readNetRecord(SSLEngineImpl.java:802)
at sun.security.ssl.SSLEngineImpl.unwrap(SSLEngineImpl.java:766)
at javax.net.ssl.SSLEngine.unwrap(SSLEngine.java:624)
at io.netty.handler.ssl.SslHandler$SslEngineType$3.unwrap(SslHandler.java:294)
at io.netty.handler.ssl.SslHandler.unwrap(SslHandler.java:1297)
at io.netty.handler.ssl.SslHandler.decodeJdkCompatible(SslHandler.java:1199)
at io.netty.handler.ssl.SslHandler.decode(SslHandler.java:1243)
at io.netty.handler.codec.ByteToMessageDecoder.decodeRemovalReentryProtection(ByteToMessageDecoder.java:502)
at io.netty.handler.codec.ByteToMessageDecoder.callDecode(ByteToMessageDecoder.java:441)
at io.netty.handler.codec.ByteToMessageDecoder.channelRead(ByteToMessageDecoder.java:278)
at io.netty.channel.AbstractChannelHandlerContext.invokeChannelRead(AbstractChannelHandlerContext.java:362)
at io.netty.channel.AbstractChannelHandlerContext.invokeChannelRead(AbstractChannelHandlerContext.java:348)
at io.netty.channel.AbstractChannelHandlerContext.fireChannelRead(AbstractChannelHandlerContext.java:340)
at io.netty.channel.DefaultChannelPipeline$HeadContext.channelRead(DefaultChannelPipeline.java:1434)
at io.netty.channel.AbstractChannelHandlerContext.invokeChannelRead(AbstractChannelHandlerContext.java:362)
at io.netty.channel.AbstractChannelHandlerContext.invokeChannelRead(AbstractChannelHandlerContext.java:348)
at io.netty.channel.DefaultChannelPipeline.fireChannelRead(DefaultChannelPipeline.java:965)
at io.netty.channel.epoll.AbstractEpollStreamChannel$EpollStreamUnsafe.epollInReady(AbstractEpollStreamChannel.java:799)
at io.netty.channel.epoll.AbstractEpollChannel$AbstractEpollUnsafe$1.run(AbstractEpollChannel.java:382)
at io.netty.util.concurrent.AbstractEventExecutor.safeExecute(AbstractEventExecutor.java:163)
at io.netty.util.concurrent.SingleThreadEventExecutor.runAllTasks(SingleThreadEventExecutor.java:404)
at io.netty.channel.epoll.EpollEventLoop.run(EpollEventLoop.java:335)
at io.netty.util.concurrent.SingleThreadEventExecutor$5.run(SingleThreadEventExecutor.java:897)
at java.lang.Thread.run(Thread.java:748)
Caused by: javax.net.ssl.SSLHandshakeException: General SSLEngine problem
at sun.security.ssl.Alerts.getSSLException(Alerts.java:192)
at sun.security.ssl.SSLEngineImpl.fatal(SSLEngineImpl.java:1709)
at sun.security.ssl.Handshaker.fatalSE(Handshaker.java:318)
at sun.security.ssl.Handshaker.fatalSE(Handshaker.java:310)
at sun.security.ssl.ClientHandshaker.serverCertificate(ClientHandshaker.java:1639)
at sun.security.ssl.ClientHandshaker.processMessage(ClientHandshaker.java:223)
at sun.security.ssl.Handshaker.processLoop(Handshaker.java:1037)
at sun.security.ssl.Handshaker$1.run(Handshaker.java:970)
at sun.security.ssl.Handshaker$1.run(Handshaker.java:967)
at java.security.AccessController.doPrivileged(Native Method)
at sun.security.ssl.Handshaker$DelegatedTask.run(Handshaker.java:1459)
at io.netty.handler.ssl.SslHandler.runDelegatedTasks(SslHandler.java:1460)
at io.netty.handler.ssl.SslHandler.unwrap(SslHandler.java:1365)
... 19 common frames omitted
Caused by: java.security.cert.CertificateException: No subject alternative DNS name matching myhost.mydomain.com found.
at sun.security.util.HostnameChecker.matchDNS(HostnameChecker.java:214)
at sun.security.util.HostnameChecker.match(HostnameChecker.java:96)
at sun.security.ssl.X509TrustManagerImpl.checkIdentity(X509TrustManagerImpl.java:455)
at sun.security.ssl.X509TrustManagerImpl.checkIdentity(X509TrustManagerImpl.java:436)
at sun.security.ssl.X509TrustManagerImpl.checkTrusted(X509TrustManagerImpl.java:252)
at sun.security.ssl.X509TrustManagerImpl.checkServerTrusted(X509TrustManagerImpl.java:136)
at sun.security.ssl.ClientHandshaker.serverCertificate(ClientHandshaker.java:1626)
... 27 common frames omitted
EDIT: Upon further inspection, I have the sequence of this issue wrong. The SSL error is not occurring when the gateway tries to register with SBA, it actually registers fine, the SSL error is occurring when SBA tries to reach back to actuator on the gateway.
So I guess the updated question is a bit more complicated: Is there a way to configure actuator with a different keystore/truststore. Furthermore, is there a way to open up Actuator in Zuul only for connections on the backend like SBA and not for users on the public/client end?
Related
[SOLVED - answer in comments]
I've followed how-to from https://docs.rundeck.com/docs/administration/security/authentication.html#communicating-over-secure-ldap-ldaps
Authentication works great for LDAP, but when I change to LDAPS (I am only changing providerUrl="ldap://" to ldaps:// stanza in custom jaas conf), error is being returned:
ERROR jaas.JettyCachingLdapLogModule - Naming error
javax.naming.CommunicationException: simple bind failed: <AD IP>
AD is listening on port 636.
I suspect problem can be with authenticationMethod="simple" - but when I am trying to change it to "tls:simple" (per https://docs.oracle.com/cd/E53394_01/html/E54912/ldapsecure-75.html) Rundeck claims there's syntax issue.
Do you had similar problem?
How switch from simple auth to tls?
I am trying to run schema registry server with SSL authentication but while starting the server
./schema-registry-start ../etc/schema-registry/schema-registry.properties
I keep on getting :
[2019-11-29 15:20:13,778] ERROR Error starting the schema registry (io.confluent.kafka.schemaregistry.rest.SchemaRegistryRestApplication:67)
io.confluent.kafka.schemaregistry.exceptions.SchemaRegistryException: No listener configured with requested scheme SSL
io.confluent.kafka.schemaregistry.storage.KafkaSchemaRegistry.getSchemeAndPortForIdentity(KafkaSchemaRegistry.java:210)
But I have the listeners,broker everything configured
kafkastore.bootstrap.servers=SSL://<my-brokers>
security.protocol=SSL
ssl.truststore.location=/home/ec2-user/kafka.client.truststore.jks
ssl.keystore.location=/home/ec2-user/kafka.client.keystore.jks
ssl.keystore.password=my-pass
ssl.key.password=my-key
listeners=https://0.0.0.0:443
ssl.enabled.protocols=TLSv1.2
ssl.client.auth=fals
schema.registry.inter.instance.protocol=SSL
schema.registry.url=https://<IP>:443
You'll want to verify the listeners of the brokers
Then, security protocol itself isn't valid, plus the inter instance protocol of the registry should be https, not SSL
https://docs.confluent.io/current/schema-registry/installation/config.html
Plus, you have a typo on ssl.client.auth=false, and schema.registry.url is a client setting only, not on the server
Eureka + Gateway + BackendServerA + BackendServerB. After BackendServerB is down, it throws exception:
com.netflix.zuul.exception.ZuulException: Forwarding error
Caused by: com.netflix.client.ClientException: Load balancer does not have available server for client: service-B
Event after I manually reboot serverB, it still throws the same error with a 500 http code returned. However, if I turn on the other 3 servers before Gateway, it works properly. I used application.properties file to configure routes.
i m working on a scenario 'connecting to Backend service with Simple SOAP binding' required to expose as a RESTful using WSO2 ESB and API manager .
Api Manager is a essential in my scenario so can't ignore it.
I Have configured both but facing some issues in Authentication .
below is the error log describing the problem.
[2015-10-06 18:10:59,721] ERROR - APIUtil Unauthorized client domain :null. Only
"[]" domains are authorized to access the API.
[2015-10-06 18:10:59,727] ERROR - AbstractKeyValidationHandler Error while valid
ating client domain
org.wso2.carbon.apimgt.api.APIManagementException: Unauthorized client domain :n
ull. Only "[]" domains are authorized to access the API.
at org.wso2.carbon.apimgt.impl.utils.APIUtil.checkClientDomainAuthorized
(APIUtil.java:3916)
at org.wso2.carbon.apimgt.keymgt.handlers.AbstractKeyValidationHandler.c
heckClientDomainAuthorized(AbstractKeyValidationHandler.java:92)
at org.wso2.carbon.apimgt.keymgt.handlers.AbstractKeyValidationHandler.v
alidateSubscription(AbstractKeyValidationHandler.java:73)
at org.wso2.carbon.apimgt.keymgt.service.APIKeyValidationService.validat
eKey(APIKeyValidationService.java:157)
at org.wso2.carbon.apimgt.keymgt.service.thrift.APIKeyValidationServiceI
mpl.validateKey(APIKeyValidationServiceImpl.java:131)
at org.wso2.carbon.apimgt.impl.generated.thrift.APIKeyValidationService$
Processor$validateKey.getResult(APIKeyValidationService.java:278)
at org.wso2.carbon.apimgt.impl.generated.thrift.APIKeyValidationService$
Processor$validateKey.getResult(APIKeyValidationService.java:266)
at org.apache.thrift.ProcessFunction.process(ProcessFunction.java:32)
at org.apache.thrift.TBaseProcessor.process(TBaseProcessor.java:34)
at org.apache.thrift.server.TThreadPoolServer$WorkerProcess.run(TThreadP
oolServer.java:176)
at java.util.concurrent.ThreadPoolExecutor.runWorker(Unknown Source)
at java.util.concurrent.ThreadPoolExecutor$Worker.run(Unknown Source)
at java.lang.Thread.run(Unknown Source)
[2015-10-06 18:10:59,749] ERROR - APIUtil Unauthorized client domain :null. Only
"[]" domains are authorized to access the API.
[2015-10-06 18:10:59,750] WARN - APIAuthenticationHandler API authentication fa
ilure due to Unclassified Authentication Failure
.
Please suggest me where i am doing wrong.
Note That i m using a simple publically available Soap service for scenario.
This is happen maybe because your token is expired. So set the below value on identity.xml
AccessTokenDefaultValidityPeriod to -1
and restart the server
for more information read
https://docs.wso2.com/display/AM190/Token+API#TokenAPI-Configuringthetokenexpirationtime
I'm using Spring Security 2.x's Preauthentication with X.509 certificates.
I get the certificateText via HttpServletRequest.getAttribute("CERTIFICATE").
Sometimes, the above call returns "" (empty). I believe it occurs when the HTTP session has expired.
What would explain why HttpServletRequest.getAttribute("CERT") returns empty?
EDIT In Kerberos, for example, the ticket is available in every HTTP request. Is the cert not always in X.509 HTTP requests?
Please access to certificate using this code:
X509Certificate[] certs = (X509Certificate[]) request.getAttribute("javax.servlet.request.X509Certificate");
Certificate is always populated to request after successful client certificate authentication.
Ensure your support long certificate chain:
Add the max_packet_size propery to the worker.properties file
worker.ajp13w.max_packet_size=65536
Add the packetSize propery to the configuration of Ajp connector in the Tomcat configuration \conf\server.xml
<Connector port="8089"
enableLookups="false" redirectPort="8443" protocol="AJP/1.3" packetSize="65536"/>
Apache logs:
http://httpd.apache.org/docs/2.2/logs.html#accesslog
http://httpd.apache.org/docs/2.2/logs.html#errorlog
http://httpd.apache.org/docs/2.2/mod/core.html#loglevel