We Keep Coding

Error javax.net.ssl.SSLHandshakeException: PKIX path building failed: sun.security.provider.certpath.SunCertPathBuilderException in JBoss7.3

I'm facing the below error in connecting the LDAP in JBoss 7.3 while deploying the SSL.
javax.net.ssl.SSLHandshakeException: PKIX path building failed: sun.security.provider.certpath.SunCertPathBuilderException
LDAP is working fine, once we rollback the SSL over the JBoss7.3.
We've tried
Reinstall the SSL over the JBoss7.3
Check the Certificate
Expecting:
LDAP should be working fine after deploying the SSL over JBossEAP7.3

How to configure Keycloak to work with Guacamole's OpenID plugin?

I'm trying to setup Apache Guacamole with KeyCloak as OpenID Connect Authorization Server.
Guacamole is redirecting me to KeyCloak, I can Log in with my user I created on KeyCloak and I get redirected back to Guacamole, but there it says that my token is invalid
08:08:11.477 [http-nio-4432-exec-7] INFO o.a.g.a.o.t.TokenValidationService - Rejected invalid OpenID token: Unable to process JOSE object (cause: org.jose4j.lang.UnresolvableKeyException: Unable to find a suitable verification key for JWS w/ header {"alg":"RS256","typ" : "JWT","kid" : "8ZNpgh_vnmG0HMMNYdOz1lw4ECoWxmsiUGte1mJfvyI"} due to an unexpected exception (javax.net.ssl.SSLException: java.lang.RuntimeException: Unexpected error: java.security.InvalidAlgorithmParameterException: the trustAnchors parameter must be non-empty) while obtaining or using keys from JWKS endpoint at https://172.16.47.229:12345/auth/realms/Guacamole-test/protocol/openid-connect/certs): JsonWebSignature{"alg":"RS256","typ" : "JWT","kid" : "8ZNpgh_vnmG0HMMNYdOz1lw4ECoWxmsiUGte1mJfvyI"}->eyJhbGciOiJSUzI1NiIsInR5cCIgOiAiSldUIiwia2lkIiA6ICI4Wk5wZ2hfdm5tRzBITU1OWWRPejFsdzRFQ29XeG1zaVVHdGUxbUpmdnlJIn0.eyJleHAiOjE2MDIzOTczODgsImlhdCI6MTYwMjM5NjQ4OCwiYXV0aF90aW1lIjoxNjAyMzk2NDcwLCJqdGkiOiI5Y2RiZDVjZC01MDJhLTRjNmItYTM3Mi1jZDIxMTNjNTE1NTMiLCJpc3MiOiJodHRwczovLzE3Mi4xNi40Ny4yMjk6MTIzNDUvYXV0aC9yZWFsbXMvR3VhY2Ftb2xlLXRlc3QiLCJhdWQiOiJHdWFjYW1vbGUiLCJzdWIiOiI1YzQ3N2NiZC04ZjIzLTRlMjEtYmNhMi1kMzNlMTRhZGY0ZDYiLCJ0eXAiOiJJRCIsImF6cCI6Ikd1YWNhbW9sZSIsIm5vbmNlIjoiaTQyZDBpZTc4c2s0MjRjMHJzMmJvdTM4YnUiLCJzZXNzaW9uX3N0YXRlIjoiMjNlZjdhMTYtMDhhNS00YTNkLTgxYTItYTQ2ZmE1NmM1NjE3IiwiYWNyIjoiMCIsImlzX3N1cGVydXNlciI6IlRydWUiLCJlbWFpbF92ZXJpZmllZCI6ZmFsc2UsIm5hbWUiOiJ0ZXN0IHRlc3QiLCJwcmVmZXJyZWRfdXNlcm5hbWUiOiJ0ZXN0dXNlciIsImdpdmVuX25hbWUiOiJ0ZXN0IiwiZmFtaWx5X25hbWUiOiJ0ZXN0IiwiZW1haWwiOiJ0ZXN0QHRlc3QuY29tIn0.eOhkDqcgfdJnO12PRDqLIHACRNVdVHoSDFjThHWc6Ug1gdoz9t_T2K7F_B6dJSbNygAJrGvc5BVRx9XCJH1fVFSYhpXVqCO0jrHm0XJKhw_kBce4x3ZluGAtktx614j9qFzUwZHXOkFAUGPtyPQKuRTfdzHqQUILLJhVdSRPmou40rX31-l7VwqWZk_Yp1JCdQsA61XvJcQrU_aiKivZFaDGiY5GrnpL8zcEwJcFemptVoGKrG63O_LjxDCxhLpO1C1fi8GjngMSfco9aAp4AaGpHWy8ofJAu-TWbLGf-UPLUhC3lf903-Q_BU3eehYxtMyN1eet0HeGm0x_gV_wvA
In KeyCloak I created a Client as follows:
(Will change the Valid Redirect URI`s once I have it working)
And my guacamole.properites look like this:
guacd-port: 4822
guacd-hostname: localhost
# OpenID Connect Properties
openid-authorization-endpoint: https://172.16.47.229:12345/auth/realms/Guacamole-test/protocol/openid-connect/auth
openid-jwks-endpoint: https://172.16.47.229:12345/auth/realms/Guacamole-test/protocol/openid-connect/certs
openid-issuer: https://172.16.47.229:12345/auth/realms/Guacamole-test
openid-client-id: Guacamole
openid-redirect-uri: http://172.16.47.229:4432/guacamole/
# Postgresql Properties
postgresql-hostname: 172.16.47.229
postgresql-port: 4444
postgresql-database: guacamoledb
postgresql-username: guacamoleuser
postgresql-password: test
What do I have to change for guacamole to accept the token?
Update: I found the configuration to be working, if I use KeyCloak with HTTP instead of HTTPS, but that is not desirable. I have now also configured Guacamole, or more precisely the tomcat that's hosting guacamole, to use https, but I still can not get it to work (without having to use HTTP for KeyCloak).

I've caught the same issue. Most probably you just have to provide valid SSL certificate for your IdP (Keycloak).
Possible workaround was found here: How to configure Keycloak to work with Guacamole's OpenID plugin?.
I've re-compiled guacamole-auth-openid extension with this change:
diff --git a/extensions/guacamole-auth-openid/src/main/java/org/apache/guacamole/auth/openid/token/TokenValidationService.java b/extensions/guacamole-auth-openid/src/main/java/org/apache/guacamole/auth/openid/token/TokenValidationService.java
index 5efb09dab..27d818ee5 100644
--- a/extensions/guacamole-auth-openid/src/main/java/org/apache/guacamole/auth/openid/token/TokenValidationService.java
+++ b/extensions/guacamole-auth-openid/src/main/java/org/apache/guacamole/auth/openid/token/TokenValidationService.java
## -79,6 +79,7 ## public class TokenValidationService {
// Create JWT consumer for validating received token
JwtConsumer jwtConsumer = new JwtConsumerBuilder()
+ .setSkipSignatureVerification()
.setRequireExpirationTime()
.setMaxFutureValidityInMinutes(confService.getMaxTokenValidity())
.setAllowedClockSkewInSeconds(confService.getAllowedClockSkew())
And this solved the issue. Don't think it's applicable for production needs but in production self-signed certificates should not be used.

With Guacamole 1.4.0 and Keycloak 15.0.2 I fixed the HTTPS issue by mounting a custom cacerts keystore in the the Guacamole container. This custom keystore is just the OpenJDK 8 cacerts with Let's Encrypt CA bundle https://letsencrypt.org/certs/isrgrootx1.pem imported. Because my Keycloak and Guacamole instance use Let's Encrypt certificates.
On the host I had OpenJDK 8 installed. So Docker mount was
/etc/ssl/certs/java/cacerts:/usr/local/openjdk-8/jre/lib/security/cacerts

DataPower SSL config for "Fetch" results in "unable to get SSL Profile''

We have a javascript file hosted on GitHub that I'd like to fetch:
Error logs:
172416 cli error 320673 0x81000224 === Line 2: copy -f https://raw.githubusercontent.com/mmxxxxx/abc/master/shim_mpgw_mapping.js store:///js/shim_mpgw_mapping.js
172416 audit error 320673 0x82400020 (admin:default:web-gui:10.106.170.13): (config)# copy -f https://raw.githubusercontent.com/mm58169/datapower7/master/shim_mpgw_mapping.js store:///js/shim_mpgw_mapping.js
172416 audit error 320673 0x8240002e (admin:default:*:*): Copying file "https://raw.githubusercontent.com/mm58169/datapower7/master/shim_mpgw_mapping.js" to "store:///js/shim_mpgw_mapping.js" failed
172416 cli error 320673 0x810002e7 File copy failed - destination URL could not be opened: store:///js/shim_mpgw_mapping.js
172416 file error 320673 0x8100015c Copying file "https://raw.githubusercontent.com/mm58169/datapower7/master/shim_mpgw_mapping.js" to "store:///js/shim_mpgw_mapping.js" : failed
172416 system warning 320673 0x8040000a destination URL could not be opened: store:///js/shim_mpgw_mapping.js
172416 network error 31711 0x80e0005a Cannot establish SSL credentials (credential is NULL), URL: 'https://raw.githubusercontent.com/mm58169/datapower7/master/shim_mpgw_mapping.js'.
172416 network warning 31711 0x80e00058 SSL connection to 'https://raw.githubusercontent.com/mm58169/datapower7/master/shim_mpgw_mapping.js' failed, unable to get SSL Profile ''
172416 network warning 31711 0x80e00058 SSL connection to 'https://raw.githubusercontent.com/mm58169/datapower7/master/shim_mpgw_mapping.js' failed, unable to get SSL Profile ''

#VonC is correct that you need a SSL Client Profile. You need to add it into the User Agent of your service:
The Fetch action will download the file to your DataPower local:/// filesystem so you might as well download it manually and upload it to the DataPower instance though...

This should be related to TLS selection, like the DataPower service configuration variable called var://service/tls-info, or serviceVars.tlsInfo, which might not be properly set.
You would have then to define an SSL client profile (which secures connections between the DataPower Gateway and its targets)

How do I fix an SSLCertVerificationError while running a test with locust

I'm testing an internal website and on playback I'm seeing this error:
POST /Ex_ACO_EI/Details/2433:
'SSLError(MaxRetryError("HTTPSConnectionPool(host=\'examiner-stage.site.com\',
port=443): Max retries exceeded with url: /Ex_ACO_EI/Details/24 33
(Caused by SSLError(SSLCertVerificationError(1, \'[SSL:
CERTIFICATE_VERIFY_FAILED] certificate verify failed: unable to get
local issuer certificate (_ssl.c:1056)\')))"))'
I'm using PyCharm for my IDE.
Any ideas would be greatly appreciated.

A quick hack is always disable SSL verification ( on python requests lib if you use the default HTTPLocust).
To fix it properly, you need to validate that server cert again . May be intermediate certificate is missing ? You can try
openssl s_client -connect yoursite:443
And see what wrong with it.

Installing Ssl certificate spray

I'm trying to install self-signed certificate to the spray server.
I did like described in this post:
generate keystore file
But on a income connection I see this exception:
[ERROR] [05/08/2016 11:07:12.896] [tracking-akka.actor.default-ispatcher-6] [akka://tracking/user/IO-HTTP/listener-0/16] Cannot support TLS_RSA_WITH_AES_256_CBC_SHA with currently installed providers
java.lang.IllegalArgumentException: Cannot support TLS_RSA_WITH_AES_256_CBC_SHA with currently installed providers
at sun.security.ssl.CipherSuiteList.<init>(CipherSuiteList.java:92)
at sun.security.ssl.SSLEngineImpl.setEnabledCipherSuites(SSLEngineImpl.java:2038)
at com.web3.tracking.SslConfiguration$$anonfun$sslEngineProvider$1.apply(SslConfiguration.scala:67)
at com.web3.tracking.SslConfiguration$$anonfun$sslEngineProvider$1.apply(SslConfiguration.scala:66)
at scala.Option.map(Option.scala:146)
at spray.io.SSLEngineProviderCompanion$$anonfun$apply$3.apply(SslTlsSupport.scala:424)
at spray.io.SSLEngineProviderCompanion$$anonfun$apply$3.apply(SslTlsSupport.scala:424)