I have a Spray Scala project. I am making an HTTPS connection with a self-signed certificate (.jks) to this project through a REST call. I referred to this link, "Configuration issue for Spray https server with self-signed certificate?", to configure Spray as an HTTPS server. When I run my project it reads the .jks certificates, but when I fire a request it gives the following error:
Aborting encrypted connection to /192.168.1.3:46346 due to [SSLException:Unrecognized SSL message, plaintext connection?]
I found the answer. When I configured Spray for HTTPS, it can't accept HTTP requests; it accepts only HTTPS requests.
Related
I have been trying to write a program that is a websocket client connecting to a wss (TLS websocket) endpoint. The problem I am having is that I am getting a bad handshake. What certificates do I need to create a TLS connection? I am asking in a language-non-specific way; I just mean the general authentication needed and possibly how to generate the files.
From my browser I want to communicate with a localhost application using SSL. Here the browser (which acts as client) will submit the certificate instead of the localhost application (which acts as server). Can SSL be established in this scenario? So finally it boils down to this problem statement: can an SSL communication be established with the server validating the client certificate and the client not validating the server certificate?
The SSL/TLS implementation inside the browser does not support this scenario. A server certificate is always required by the browser with SSL/TLS in order to be sure that the browser is communicating with the expected server (as specified in the URL) and not some man in the middle. Apart from that, it is not clear what you want to achieve with such a setup in the first place - maybe there is a better design for your unknown use case.
What additional setup is required to perform an HTTPS call using the HTTPClient adapter in Apama? I have used the host and port as 443. But still it is giving a host not found error with status 400. The same HTTPS endpoint is working in Postman, the browser and Integration Server. Please help.
You need to set 'tls' to true in the config for HTTPClient (see http://www.apamacommunity.com/documents/10.3.1.1/apama_10.3.1.1_webhelp/apama-webhelp/#page/apama-webhelp%2Fco-ConApaAppToExtCom_httpclient_configuring_the_http_client_transport.html%23 )
Or, if you're using the Generic HTTP EPL API, it's HttpTransport.getOrCreateWithConfigurations(host, port, {HttpTransport.CONFIG_TLS:"true"})
There's also tlsAcceptUnrecognizedCertificates and tlsCertificateAuthorityFile if you have a service that's not using a recognisable certificate.
I would like to make my Bluemix application (Liberty) access a remote REST API which is provided over SSL. I need to use the gateway's "TLS Mutual Auth option". But for now, to figure out whether I must use the "HTTPS option" when a remote REST API is provided over SSL, I tested two cases, HTTPS and TLS Server Auth. The HTTPS case resulted in success and TLS Server Auth resulted in failure.
Is the HTTPS option required when a remote REST API is HTTPS in order to rewrite the HTTP header at SecureGatewayClient? Can't we protect the gateway with TLS Mutual Auth if this is correct?
1. HTTPS option: success
This case resulted in success.
2. TLS Server Auth option: failure
This case resulted in failure.
I just changed the gateway's option from "HTTPS" to "TLS Server Auth", so the cause is not a misconfiguration.
[Bluemix Liberty application's log]
2015-07-01T04:17:58.64+0900 [RTR] OUT sampleapp.mybluemix.net[30/06/2015:19:17:49 +0000] "GET /XXX HTTP/1.1" 200
2015-07-01T04:17:58.66+0900 [App/0] OUT res:404 Not Found: Requested route ('cloudhost:cloudport') does not exist.
[SG Client's log]
[2015-06-30 02:37:38.144] [INFO] Connection #32 is being established to remote REST API's host:443
[2015-06-30 02:37:38.227] [INFO] Connection #32 established to remote REST API's host:443
[2015-06-30 02:37:52.535] [INFO] Connection #32 to remote REST API's host:443 was closed
In response to this part of your post:
Is the HTTPS option required when a remote REST API is HTTPS in order to rewrite the HTTP header at SecureGatewayClient ?
Yes, HTTPS is required if connecting to a https remote rest api. Additionally, if you're connecting to a backend HTTPS server, you will need to enable client-side TLS.
The link below provides more info regarding securing a gateway in the Bluemix UI:
https://www.ng.bluemix.net/docs/services/SecureGateway/sg_022.html#sg_009
In response to this part of your post:
Can't we protect the gateway with TLS Mutual Auth?
Yes, you can use TLS:Mutual Auth, but you would also need to upload your own certificate or select auto-generate to automatically create a self-signed certificate/key pair that you can download along with the server certificate.
To use the certificates generated by selecting TLS:Mutual Auth, you will also need to configure your application-side TLS connection, and potentially your client-side TLS connection. Enabling TLS security between the client and your REST API is separate to application-side TLS. Application-side TLS secures access between your sample app and the secure gateway client defined. You can use client-side TLS connectivity independent of application-side TLS, vice versa, or together to provide complete security from your sample app to your REST API.
For more information regarding accessing the secure gateway, please see the link below:
https://www.ng.bluemix.net/docs/services/SecureGateway/sg_023.html
I am getting the error below:
Http Action - Request to host 'sipoc.cloudapp.net' failed: TrustFailure The underlying connection was closed: Could not establish trust relationship for the SSL/TLS secure channel.
while invoking the WCF REST service below over HTTPS from an Azure Scheduler service GET job.
Below is the web service URL:
https://sipoc.cloudapp.net/Service1.svc/GetPlayersXMl
Service URL is working fine.
Any help would be appreciated.
If I browse to the URL provided it indicates that the SSL certificate is not trusted.
"The security certificate presented by this website was not issued by a trusted certificate authority.
The security certificate presented by this website has expired or is not yet valid."
Scheduler jobs will fail as it can't trust the endpoint. You can either use a trusted certificate or just use HTTP (instead of HTTPS).
Although I would never recommend this in production unless you know the cert is valid (i.e. self signed), you can override the default behavior and confirm that the cert is good.
Below is a sample on how to do it in C#. There are a couple of ways to write it. The advantage here is that it remains SSL encrypted (versus falling back to HTTP).
ServicePointManager.ServerCertificateValidationCallback = (sender, certificate, chain, errors) => true;
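A narrower alternative to a callback that returns true for every certificate, shown as an added example that is not part of the original answer: it keeps normal validation and otherwise accepts only the one certificate whose SHA-256 fingerprint is pinned, and still rejects that certificate outside its validity period. The class name PinnedCertificate, its helper methods and the example.invalid host names are assumptions; the certificates are constructed in memory as sample input.

```csharp
using System;
using System.Net;
using System.Net.Security;
using System.Security.Cryptography;
using System.Security.Cryptography.X509Certificates;

static class PinnedCertificate  // hypothetical helper, not from the original answer
{
    // Keeps normal validation and adds exactly one pinned exception.
    public static RemoteCertificateValidationCallback Create(string pinnedSha256Hex)
    {
        return (sender, certificate, chain, errors) =>
        {
            if (errors == SslPolicyErrors.None) return true;  // CA validation passed
            if (certificate == null) return false;            // nothing to compare
            using (var cert = new X509Certificate2(certificate))
            {
                // A pin does not excuse an expired or not-yet-valid certificate.
                DateTime now = DateTime.Now;  // NotBefore/NotAfter are local time
                if (now < cert.NotBefore || now > cert.NotAfter) return false;
                return string.Equals(Sha256Hex(cert.RawData), pinnedSha256Hex,
                                     StringComparison.OrdinalIgnoreCase);
            }
        };
    }

    // SHA-256 fingerprint of the DER-encoded certificate, as upper-case hex.
    public static string Sha256Hex(byte[] der) =>
        BitConverter.ToString(SHA256.Create().ComputeHash(der)).Replace("-", "");

    // Constructed sample input: a throwaway self-signed certificate.
    static X509Certificate2 SelfSigned(string cn, int fromDays, int toDays)
    {
        var req = new CertificateRequest("CN=" + cn, RSA.Create(2048),
                                         HashAlgorithmName.SHA256, RSASignaturePadding.Pkcs1);
        DateTimeOffset now = DateTimeOffset.UtcNow;
        return req.CreateSelfSigned(now.AddDays(fromDays), now.AddDays(toDays));
    }

    static void Main()
    {
        var untrusted = SslPolicyErrors.RemoteCertificateChainErrors;
        X509Certificate2 known = SelfSigned("service.example.invalid", -1, 30);
        X509Certificate2 other = SelfSigned("other.example.invalid", -1, 30);
        X509Certificate2 expired = SelfSigned("service.example.invalid", -30, -1);
        var check = Create(Sha256Hex(known.RawData));
        ServicePointManager.ServerCertificateValidationCallback = check;  // instead of "=> true"
        Console.WriteLine("pinned certificate: {0}", check(null, known, null, untrusted));
        Console.WriteLine("different certificate: {0}", check(null, other, null, untrusted));
        var expiredCheck = Create(Sha256Hex(expired.RawData));
        Console.WriteLine("pinned but expired: {0}", expiredCheck(null, expired, null, untrusted));
    }
}
```

In a real deployment the pinned fingerprint would be taken from the service's own certificate through a trusted channel and updated whenever that certificate is renewed.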