How to secure a camel cxf endpoint (https) in FUSE 7.6? - https

We have been using camel-cxf service endpoints for multiple applications. They works well. Recently we have a need to secure these service endpoints. Therefore, we are adding <httpu:engine-factory> configuration to the camel-context.xml.
We also configured FUSE 7.6 server to have the secure port at 8183 by setting
[FUSE 7.6 Install]/etc/org.ops4j.pax.web.cfg file:
org.osgi.service.http.port = 8181
org.osgi.service.http.port.secure = 8183
org.ops4j.pax.web.config.file = ${karaf.etc}/undertow.xml
org.ops4j.pax.web.session.cookie.httpOnly = false
org.ops4j.pax.web.session.cookie.secure = true
[FUSE 7.6 Install]/etc/undertow.xml is correctly configured to point
to right keystore and truststore, etc.
Following is the camel-context.xml:
<?xml version="1.0" encoding="UTF-8"?>
<blueprint xmlns="http://www.osgi.org/xmlns/blueprint/v1.0.0"
xmlns:cxf="http://camel.apache.org/schema/blueprint/cxf"
xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
xmlns:sec="http://cxf.apache.org/configuration/security"
xmlns:http="http://cxf.apache.org/transports/http/configuration"
xmlns:httpu="http://cxf.apache.org/transports/http-undertow/configuration"
xsi:schemaLocation="
http://www.osgi.org/xmlns/blueprint/v1.0.0
https://osgi.org/xmlns/blueprint/v1.0.0/blueprint.xsd
http://cxf.apache.org/configuration/security
http://cxf.apache.org/schemas/configuration/security.xsd
http://cxf.apache.org/transports/http/configuration
http://cxf.apache.org/schemas/configuration/http-conf.xsd
http://cxf.apache.org/transports/http-undertow/configuration
http://cxf.apache.org/schemas/configuration/http-undertow.xsd">
<bean class="com.mycom.myapp.CamelRequestProcessor" id="myProcessor"/>
<cxf:cxfEndpoint address="{{MY_HOST}}:8185{{MY_SVC_ADDRESS}}"
bus="auditBus" id="myWebServiceEndpoint"
serviceClass="com.mycom.myapp.MyWebServiceEndpoint" wsdlURL="wsdl/mySvc.wsdl"/>
<httpu:engine-factory bus="cxf">
<httpu:engine port="8185">
<httpu:tlsServerParameters secureSocketProtocol="$(MY_SECURE_SOCKET_PROTOCOL)">
<sec:keyManagers keyPassword="$(MY_KEY_PASSWORD)">
<sec:keyStore file="$(MY_KEYSTORE)" password="$(MY_KEYSTORE_PASSWORD)" type="JKS"/>
</sec:keyManagers>
<sec:trustManagers>
<sec:keyStore file="$(MY_TRUSTSTORE)" password="$(MY_TRUSTSTORE_PASSWORD)" type="JKS"/>
</sec:trustManagers>
<sec:clientAuthentication required="true" want="true"/>
</httpu:tlsServerParameters>
</httpu:engine>
</httpu:engine-factory>
<camelContext id="_myCamelContext" useBlueprintPropertyResolver="true" errorHandlerRef="myErrorHandler">
<route id="_firstRuote">
<from id="_from" uri="cxf:bean:myWebServiceEndpoint"/>
<bean id="_processor" method="process" ref="myProcessor"/>
<to id="_to4" uri="direct:otherEndpoints"/>
</route>
</camelContext>
</blueprint>
After we add <httpu:engine-factory/>section, the code is built and deployed to FUSE 7.6. Everything goes well. There is no error in the log, and the bundle starts normally. When I inspected the service at https://myhost:8183/cxf, the service is displayed in browser
Endpoint address: https://my host:8185/cxf/MyWebServiceEndpoint/<br>
WSDL : {namespace}MyWebServiceEndpoint <--This is a link-->
However, when I click the WSDL link, it spins a few seconds, then displays "Unable to connect". It should display the WSDL file.
The browser address bar does point to the correct URL
https://myhost:8185/cxf/MyWebServiceEndpoint/?wsdl
Any help is greatly appreciated.

Your camel-cxf endpoint has
<sec:clientAuthentication required="true" want="true"/>
Which means your client(in this case a browser to load the wsdl) also needs to provide the private key(keystore).
Did you import truststore/keystore that you used for the camel-cxf endpoint into your browser?

The issue is resolved. The undertow configuration has to specify host as the following, which makes the port accessible:
<httpu:engine host="0.0.0.0" port="8185">

Related

Configuring Liberty with httpProxyRedirect

I am attempting to redirect traffic on insecure port to secure port as described here:
https://www.ibm.com/support/knowledgecenter/en/SSD28V_9.0.0/com.ibm.websphere.liberty.autogen.core.doc/ae/rwlp_config_httpProxyRedirect.html
Instead both ports are available and I see nothing in the logs. It's as if the httpProxyRedirect isn't being configured at all.
<?xml version="1.0" encoding="UTF-8"?>
<server description="CAST Liberty Server">
<!-- Enable features -->
<featureManager>
<feature>webProfile-7.0</feature>
</featureManager>
<application id="app" context-root="/" type="war" location="${war.name}">
<classloader apiTypeVisibility="spec, ibm-api, api, third-party" />
</application>
<httpProxyRedirect id="defaultHttpProxyRedirect" httpPort="${http.port}" httpsPort="${https.port}" />
<keyStore id="defaultKeyStore" password="pass" />
<httpEndpoint host="*" httpPort="${http.port}" httpsPort="${https.port}" id="defaultHttpEndpoint" />
<applicationMonitor updateTrigger="mbean" />
</server>
Most likely, you are missing the security-constraints in the web.xml. This configuration tells the server which URLs need to be accessed over a secure transport and then re-directs qualifying requests from the non-secure port to the secure port. This tutorial may help: https://docs.oracle.com/cd/E19798-01/821-1841/bncbk/index.html
Also, keep in mind that the httpProxyRedirect configuration in the server.xml is intended for redirecting when you have a proxy server in front of your application server. For example, you may have your proxy server on the main "www.ibm.com" host - listening on HTTP port 80 and HTTPS port 443. But that host may route some requests to your Liberty application server on some other host (like "app1host.internal.ibm.com") that listens on different ports (i.e. HTTP port 9080 and HTTPS port 9443). In that case, just using the security-constraints in the web.xml would attempt to redirect the client request on the Liberty server from 9080 to 9443 but on the www.ibm.com host - where nothing is listening on those ports. In this case, you should configure httpProxyRedirect like this:
<httpProxyRedirect httpPort="80" httpsPort="443" host="www.ibm.com" />
With the configuration, a client HTTP request to a secured URL will get redirected to www.ibm.com on port 443, where the proxy server will forward the request to app1host.internal.ibm.com port 9443.
Hope this helps,
Andy
This is the security constraint that i am using in my web.xml and it works well for both Tomcat and IBM Websphere 8.5.5.15:
<security-constraint>
<web-resource-collection>
<web-resource-name>Entire Application</web-resource-name>
<url-pattern>/*</url-pattern>
</web-resource-collection>
<user-data-constraint>
<transport-guarantee>CONFIDENTIAL</transport-guarantee>
</user-data-constraint>
</security-constraint>
Note: make sure that you put it after your <servlet-mapping>.

Configuring TCP communications with Spring Integration Issues

I seem to be having some trouble configuring my Spring MVC backend to receive and send TCP messages. Looking at the configuration a user suggests in this question - how to plug a TCP-IP client server in a spring MVC application - I tried to place this configuration into my root-context.xml. However, for all of the tags it displays a message such as:
Unable to locate Spring NamespaceHandler for element 'int-ip:tcp-outbound-gateway' of schema namespace 'http://www.springframework.org/schema/integration/ip'
int-ip:tcp-outbound-gateway and int:gateway both display cvc-complex-type.2.4.c: The matching wildcard is strict, but no declaration can be found for element 'int:gateway' (replace int:gateway with int-ip:tcp-outbound-gateway).
Here is my root-context.xml file:
<?xml version="1.0" encoding="UTF-8"?>
<beans xmlns="http://www.springframework.org/schema/beans"
xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
xmlns:int="http://www.springframework.org/schema/integration"
xmlns:int-ip="http://www.springframework.org/schema/integration/ip"
xsi:schemaLocation="http://www.springframework.org/schema/beans http://www.springframework.org/schema/beans/spring-beans.xsd
http://www.springframework.org/schema/integration/ip http://www.springframework.org/schema/integration/ip/spring-integration-ip.xsd
http://www.springframework.org/schema/integration/ http://www.springframework.org/schema/integration/spring-integration.xsd">
<!-- Root Context: defines shared resources visible to all other web components -->
<int:gateway id="gw"
service-interface="org.springframework.integration.samples.tcpclientserver.SimpleGateway"
default-request-channel="input"/>
<int-ip:tcp-connection-factory id="client"
type="client"
host="localhost"
port="1234"
single-use="true"
so-timeout="10000"/>
<int:channel id="input" />
<int-ip:tcp-outbound-gateway id="outGateway"
request-channel="input"
reply-channel="clientBytes2StringChannel"
connection-factory="client"
request-timeout="10000"
remote-timeout="10000"/>
<int:transformer id="clientBytes2String"
input-channel="clientBytes2StringChannel"
expression="new String(payload)"/>
</beans>
What am I doing incorrectly? Also, some general tips as to how I could use Spring to send and receive TCP communications would be appreciated :)
It appears you don't have the spring-integration-ip and spring-integration-core jars on your classpath. You need to bundle them into your war or otherwise make them available on the classpath according to your app server's requirements.

CXF request response logging using log4j: debug

I am trying to enable logging for cxf framework in weblogic application server along with log4j.
I have placed cxf.xml in domain home and have modified setdomainenv to add cxf.xml entry -Dcxf.config.file.url=cxf.xml.
I am setting System.setProperty("org.apache.cxf.Logger", "org.apache.cxf.common.logging.Log4jLogger") before making a webservice call and i have tried configuring all 3 types of configuration specified in http://cxf.apache.org/docs/configuration.html. But nothing seems to work.
I even tried creating org.apache.cxf.Logger file containing value org.apache.cxf.common.logging.Log4jLogger.
my log4j.properties
log4j.rootLogger = DEBUG, FILE
log4j.logger.org.apache.cxf=DEBUG
log4j.appender.FILE=org.apache.log4j.FileAppender
log4j.appender.FILE.File=<>/logFile.log
log4j.appender.FILE.layout=org.apache.log4j.PatternLayout
log4j.appender.FILE.layout.conversionPattern=%m%n
CXF version: 2.7.5
Please suggest if there is change required for me to log both request and response xml?
Make sure your org.apache.cxf.Logger file is under META-INF/cxf. Inspect your war to make sure.
Also, assuming you are defining your services using jaxws, make sure you're defining loggers under the jaxws:inInterceptor and jaxws:outInterceptor
<jaxws:client id="..." serviceClass="..." address="..." >
<jaxws:outInterceptors>
<ref bean="logOut" />
</jaxws:outInterceptors>
<jaxws:inInterceptors>
<ref bean="logIn"/>
</jaxws:inInterceptors>
</jaxws:client>
<bean class='org.apache.cxf.interceptor.LoggingInInterceptor' id='logIn'/>
<bean class='org.apache.cxf.interceptor.LoggingOutInterceptor' id='logOut'/>

How to locate path of generated wsdl in Spring-ws

I have generated webservice using spring-ws. I have deployed my application in tomcat and deployed without any error. I am not able to find the path for WSDL. Please help me how to form path for wsdl.
My web.xml:
<listener>
<listener-class>org.springframework.web.context.ContextLoaderListener</listener-class>listener><servlet><servlet-name>spring-ws</servlet-name><servlet-class>org.springframework.web.servlet.DispatcherServlet</servlet-class></servlet><servlet-mapping><servlet-name>sprig-ws</servlet-name><url-pattern>/</url-pattern></servlet-mapping> <context-param><param-name>contextConfigLocation</param-name><param-value>/WEB-INF/spring-ws--servlet.xml</param-value></context-param>
spring-ws-servlet.xml
<bean class="org.springframework.ws.server.endpoint.adapter.GenericMarshallingMethodEndpointAdapter">
<constructor-arg ref="marshaller" />
</bean>
<bean id="marshaller"
class="org.springframework.oxm.xmlbeans.XmlBeansMarshaller">
</bean>
<bean id="loginEndpoint" class="com.cloudexult.endpoint.LoginEndpoint">
</bean>
<sws:dynamic-wsdl id="loginmanager" portTypeName="LoginService" locationUri="/loginService/"
targetNamespace="http://www.example.org/Login/definitions">
<sws:xsd location="/WEB-INF/schema/Login.xsd"/>
</sws:dynamic-wsdl>
Your wsdl should be accessible through:
http://<servername>:<port>/<context-path>/loginService.wsdl
Can you try this and tell us if it doesn't work?
If you are really stuck, enabling log4j to print spring debug logs will help you.
Enable debug logging of spring by following in log4j.properties :
log4j.category.org.springframework=DEBUG
Once that is done, restart your container, look for following in the DEBUG log :
20:51:16,718 DEBUG main http.MessageDispatcherServlet:469 - Published [org.springframework.ws.wsdl.wsdl11.DefaultWsdl11Definition#61bf8785] as wsdl11Definition.wsdl
Above is just an example, however the last component of the log, will give you the URI of your WSDL.

Mule jdbc connector xml parsing

I'm having problems to add a JDBC endpoint to my Mule project but I'm having problems during the initialization due to some XML parsing problems.
The problems started after I've added the JDBC endpoints.
Caused by: org.xml.sax.SAXParseException: cvc-complex-type.2.4.a: Invalid content was found starting with element 'jdbc:inbound-endpoint'. One of '{
"http://www.mulesource.org/schema/mule/core/2.2":description,
"http://www.springframework.org/schema/beans":beans,
"http://www.springframework.org/schema/beans":bean,
"http://www.springframework.org/schema/context":property-placeholder,
"http://www.mulesource.org/schema/mule/core/2.2":global-property,
"http://www.mulesource.org/schema/mule/core/2.2":configuration,
"http://www.mulesource.org/schema/mule/core/2.2":notifications,
"http://www.mulesource.org/schema/mule/core/2.2":abstract-extension,
"http://www.mulesource.org/schema/mule/core/2.2":abstract-security-manager,
"http://www.mulesource.org/schema/mule/core/2.2":abstract-transaction-manager,
"http://www.mulesource.org/schema/mule/core/2.2":abstract-connector,
"http://www.mulesource.org/schema/mule/core/2.2":abstract-global-endpoint,
"http://www.mulesource.org/schema/mule/core/2.2":abstract-transformer,
"http://www.mulesource.org/schema/mule/core/2.2":abstract-filter,
"http://www.mulesource.org/schema/mule/core/2.2":abstract-model,
"http://www.mulesource.org/schema/mule/core/2.2":abstract-interceptor-stack}'
is expected.
I've been following this guide http://www.mulesoft.org/documentation/display/MULE2USER/JDBC+Transport#JDBCTransport-ConfigurationReference
The Mule JDBC namespace have been added to my xml definition.
Any idea?
Check a piece of my configuration file:
<mule
xmlns="http://www.mulesource.org/schema/mule/core/2.2"
xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
xmlns:jms="http://www.mulesource.org/schema/mule/jms/2.2"
xmlns:xm="http://www.mulesource.org/schema/mule/xml/2.2"
xmlns:vm="http://www.mulesource.org/schema/mule/vm/2.2"
xmlns:jdbc="http://www.mulesource.org/schema/mule/jdbc/2.2"
xmlns:file="http://www.mulesource.org/schema/mule/file/2.2"
xsi:schemaLocation="
http://www.mulesource.org/schema/mule/jdbc/2.2 http://www.mulesource.org/schema/mule/jdbc/2.2/mule-jdbc.xsd
http://www.mulesource.org/schema/mule/core/2.2 http://www.mulesource.org/schema/mule/core/2.2/mule.xsd
http://www.mulesource.org/schema/mule/jms/2.2 http://www.mulesource.org/schema/mule/jms/2.2/mule-jms.xsd
http://www.mulesource.org/schema/mule/vm/2.2 http://www.mulesource.org/schema/mule/vm/2.2/mule-vm.xsd
http://www.mulesource.org/schema/mule/file/2.2 http://www.mulesource.org/schema/mule/file/2.2/mule-file.xsd
http://www.mulesource.org/schema/mule/xml/2.2 http://www.mulesource.org/schema/mule/xml/2.2/mule-xml.xsd">
<!-- Endpoints -->
<jdbc:inbound-endpoint
name="jdbcKapitalCommandIn"
connector-ref="jdbcConnector"
queryKey="queryKapitalProcessControl"
pollingFrequency="10000" synchronous="true">
</jdbc:inbound-endpoint>
<jdbc:outbound-endpoint
name="jdbcKapitalCommandOut"
connector-ref="jdbcConnector"
queryKey="updateKapitalProcessControl"
synchronous="true">
</jdbc:outbound-endpoint>
<file:endpoint
name="kapitalErrorBackup"
path="${APPS_HOME}/lbo-esb/files/kapital/error"
outputPattern="#[DATE:yyyy-MM-dd_HH-mm-ss]_error.txt">
</file:endpoint>
<file:endpoint
name="kapitalInputBackup"
path="${APPS_HOME}/lbo-esb/files/kapital/backup"
outputPattern="#[DATE:yyyy-MM-dd_HH-mm-ss]_kapital-command.xml">
</file:endpoint>
<file:endpoint
name="kapitalInvalidSchemaBackup"
path="${APPS_HOME}/lbo-esb/files/kapital/error"
outputPattern="#[DATE:yyyy-MM-dd_HH-mm-ss]_inv_schema.xml">
</file:endpoint>
<!-- Kapital -->
<vm:endpoint
name="kapitalTransactionInput"
path="kapital.transaction.input">
</vm:endpoint>
<vm:endpoint
name="kapitalError"
path="kapital.error.input">
</vm:endpoint>
<model
name="KapitalServices">
<default-service-exception-strategy>
<outbound-endpoint
ref="kapitalError">
</outbound-endpoint>
</default-service-exception-strategy>
<service
name="kapitalService">
<inbound>
<inbound-endpoint
ref="jdbcKapitalCommandIn">
</inbound-endpoint>
</inbound>
<echo-component />
<!-- more stuff from here -->
</service>
</model>
<!-- more stuff from here -->
</mule>
Since you're not showing your configuration, it's hard to help you.
From the exception, my impression is that the issue has nothing to do with JDBC. It seems you try to define an inbound-endpoint in a place where only global endpoints (not inbound, not outbound) can be declared. Global endpoints are declared out of services, in/out-bound ones inside services.
If I'm wrong in my diagnostic, please share your config.

Resources