I have a Liberty server and an IHS server (both on different hosts). This is on RHEL 7.
I've followed a number of guides that I found that walk through the setup of keystores and sharing of certs, but I still run into issues. For reference, I tried the methods detailed at https://jazz.net/wiki/bin/view/Deployment/CreateIHSPLUGINFORLIBERTYPROFILE and https://www.ibm.com/support/knowledgecenter/en/SSEQTJ_9.0.5/com.ibm.websphere.ihs.doc/ihs/tihs_install_config_liberty.html.
A quick summary of what I have done in this past attempt... On the Liberty server I added the following to my server.xml to add a plugin include (to keep things easier to read):
<include location="${server.config.dir}/plugin-join-include.xml" />
And the plugin-join-include.xml:
<featureManager>
    <feature>ssl-1.0</feature>
</featureManager>
<keyStore id="libertyKey" password="xxxx"
          location="${server.config.dir}/resources/security/libkey.jks"/>
<pluginConfiguration webserverPort="10500" webserverSecurePort="10447"
                     pluginInstallRoot="/opt/IBM/wasadmin/Plugins"
                     sslKeyRingLocation="/opt/IBM/wasadmin/Plugins/config/webserver1/plugin-key.kdb"
                     sslStashFileLocation="/opt/IBM/wasadmin/Plugins/config/webserver1/plugin-key.sth"
                     sslCertlabel="libertyKey"/>
On my IHS server the path for the root Plugin directory is as indicated above in the file at /opt/IBM/wasadmin/Plugins and the plugin-key.kdb and plugin-key.sth are located in the locations listed above.
I rebooted the Liberty server and it generated the plugin-cfg.xml in the logs/state directory:
<?xml version="1.0" encoding="UTF-8"?>
<!--HTTP server plugin config file for app generated on 2020.03.04 at 12:32:02 UTC-->
<Config ASDisableNagle="false" AcceptAllContent="false" AppServerPortPreference="HostHeader" ChunkedResponse="false" ConfigHash="1077723051" FIPSEnable="false" IISDisableNagle="false" IISPluginPriority="High" IgnoreDNSFailures="false" RefreshInterval="60" ResponseChunkSize="64" SSLConsolidate="false" TrustedProxyEnable="false" VHostMatchingCompat="false">
    <Log LogLevel="Error" Name="/opt/IBM/wasadmin/Plugins/logs/webserver1/http_plugin.log"/>
    <Property Name="ESIEnable" Value="true"/>
    <Property Name="ESIMaxCacheSize" Value="1024"/>
    <Property Name="ESIInvalidationMonitor" Value="false"/>
    <Property Name="ESIEnableToPassCookies" Value="false"/>
    <Property Name="PluginInstallRoot" Value="/opt/IBM/wasadmin/Plugins"/>
    <!-- Configuration generated using httpEndpointRef=defaultHttpEndpoint-->
    <!-- The default_host contained only aliases for endpoint defaultHttpEndpoint.
         The generated VirtualHostGroup will contain only configured web server ports:
         webserverPort=10500
         webserverSecurePort=10447 -->
    <VirtualHostGroup Name="default_host">
        <VirtualHost Name="*:10500"/>
        <VirtualHost Name="*:10447"/>
    </VirtualHostGroup>
    <ServerCluster CloneSeparatorChange="false" GetDWLMTable="false" IgnoreAffinityRequests="true" LoadBalance="Round Robin" Name="affms_default_node_Cluster" PostBufferSize="0" PostSizeLimit="-1" RemoveSpecialHeaders="true" RetryInterval="60" ServerIOTimeoutRetry="-1">
        <Server CloneID="412b3187-16c4-41b0-86e8-1e327c1c6b1b" ConnectTimeout="5" ExtendedHandshake="false" LoadBalanceWeight="20" MaxConnections="-1" Name="default_node_affms" ServerIOTimeout="900" WaitForContinue="false">
            <Transport Hostname="libertyhost" Port="10500" Protocol="http"/>
            <Transport Hostname="libertyhost" Port="10447" Protocol="https">
                <Property Name="keyring" Value="/opt/IBM/wasadmin/Plugins/config/webserver1/plugin-key.kdb"/>
                <Property Name="stashfile" Value="/opt/IBM/wasadmin/Plugins/config/webserver1/plugin-key.sth"/>
                <Property Name="certLabel" Value="libertyKey"/>
            </Transport>
        </Server>
        <PrimaryServers>
            <Server Name="default_node_app"/>
        </PrimaryServers>
    </ServerCluster>
    <UriGroup Name="default_host_app_default_node_Cluster_URIs">
        <Uri AffinityCookie="JSESSIONID" AffinityURLIdentifier="jsessionid" Name="/app/ui/*"/>
        <Uri AffinityCookie="JSESSIONID" AffinityURLIdentifier="jsessionid" Name="/adminCenter/*"/>
    </UriGroup>
    <Route ServerCluster="app_default_node_Cluster" UriGroup="default_host_app_default_node_Cluster_URIs" VirtualHostGroup="default_host"/>
</Config>
I copy the plugin-cfg.xml over to the IHS server at /opt/IBM/wasadmin/Plugins/config/webserver1/plugin-cfg.xml
The plugin stuff works; only the SSL portion between IHS and the app server gives me issues.
On the IHS server I have created the plugin-key.kdb keystore with the stash file plugin-key.sth. I extracted the default personal cert from the Liberty server's /opt/IBM/wlp/usr/servers/app/resources/security/key.p12, copied it to the IHS server and added that default Liberty cert to the plugin-key.kdb keystore.
At the bottom of the httpd.conf is:
LoadModule was_ap22_module /opt/IBM/wasadmin/Plugins/bin/64bits/mod_was_ap22_http.so
WebSpherePluginConfig /opt/IBM/wasadmin/Plugins/config/webserver1/plugin-cfg.xml
I bounce IHS with apachectl and go to the URL for the application on port 8443, https://hostname:8443/app/ui, and get a "500 Internal Server Error".
The http_plugin.log shows:
[04/Mar/2020:18:23:48.31652] 00002f26 3cff9700 - ERROR: lib_stream: openStream: Failed in r_gsk_secure_soc_init: GSK_ERROR_BAD_CERT(gsk rc = 414) PARTNER CERTIFICATE DN=CN=hostname,OU=app,O=ibm,C=us, Serial=xxxxxxxxxxx
[04/Mar/2020:18:23:48.31655] 00002f26 3cff9700 - ERROR: Ensure correct certificate is marked as default certificate in plugin-key.kdb. Consult documentation regarding Administering application security and Securing communications for more information.
[04/Mar/2020:18:23:48.31657] 00002f26 3cff9700 - ERROR: Last validation error [575010]: GSKVAL_ERROR_NO_CHAIN_BUILT
[04/Mar/2020:18:23:48.31658] 00002f26 3cff9700 - ERROR: Subject [[Class=]GSKVALMethod::PKIX[Issuer=]OU=memberRoot,O=xxxx-xxx-xxx-xxx-xxxxxxxx,DC=com.ibm.ws.collective[#=]082d6a83e5ec[Subject=]CN=hostname,OU=app,O=ibm,C=us] failed certificate validation
[04/Mar/2020:18:23:48.31659] 00002f26 3cff9700 - ERROR: X509 Certificate validation log: [[Class=]GSKVALMethod::PKIX[Time=]2020:3:4:18:23:48.316[buildChain=][Error=]GSKVAL_ERR_NO_CHAIN_BUILT[Info=]OU=memberRoot,O=xxx-xxx-xxx-xxx-xxx,DC=com.ibm.ws.collective[Cert=][Issuer=]OU=memberRoot,O=xxx-xxx-xxx-xxx-xxxx,DC=com.ibm.ws.collective[#=]082d6a83e5ec[Subject=]CN=hostname,OU=app,O=ibm,C=us[=Cert][=buildChain]^M
]
[04/Mar/2020:18:23:48.31664] 00002f26 3cff9700 - ERROR: ws_common: websphereGetStream: Could not open stream
[04/Mar/2020:18:23:48.31667] 00002f26 3cff9700 - ERROR: ws_common: websphereExecute: Failed to create the stream
[04/Mar/2020:18:23:48.31668] 00002f26 3cff9700 - ERROR: ws_common: websphereHandleRequest: Failed to execute the transaction to 'default_node_app' on host 'hostname:10447'; will try another one
[04/Mar/2020:18:23:48.31669] 00002f26 3cff9700 - ERROR: ws_common: websphereWriteRequestReadResponse: Failed to find an app server to handle this request
[04/Mar/2020:18:23:48.31670] 00002f26 3cff9700 - ERROR: ESI: getResponse: failed to get response: rc = 2
[04/Mar/2020:18:23:48.31671] 00002f26 3cff9700 - ERROR: [xxx.xx.xx.17://app/ui/] ws_common: websphereHandleRequest: Failed to handle request rc=2
Thank you!
You said "imported"; I assume this means an "add" operation in ikeyman/gskcmd/gskcapicmd? The two verbs in these tools have different meanings.
I suspect you added the issued certificate (CN=hostname...) instead of the CA that issued the certificate (memberroot). The debug information in the WAS Plugin message implies that it couldn't chase the certificate up to a trusted root (as opposed to finding some X509 error with the root it had access to).
But it could also be that you imported the "wrong" certificate with cn=memberroot. WebSphere does not always add the necessary Subject Key Identifier/Authority Key Identifier to be sure, so check carefully.
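To see the rule in the answer above in action, here is an added example (not from the question or the answer) that uses OpenSSL in place of ikeyman/gskcapicmd, since the WAS plugin's buildChain step applies the same PKIX rule as any other path builder. It creates a throw-away CA standing in for the collective's memberRoot, issues a CN=hostname certificate from it, shows that a trust store holding only the issued certificate cannot build a chain while one holding the CA can, and checks that the leaf's Authority Key Identifier names the CA's Subject Key Identifier. All file names, DNs and the temporary directory are constructed for the demo. The same missing-issuer condition is what the Java posts further down on this page report as "unable to find valid certification path to requested target".

```shell
#!/bin/sh
# Added example, not the original poster's setup: OpenSSL stands in for
# GSKit/ikeyman to show why a trust store needs the *issuing CA*, not the
# issued server certificate. Everything under $WORK is constructed here.
set -e
WORK=$(mktemp -d)
trap 'rm -rf "$WORK"' EXIT

# Minimal req config so the demo does not depend on the system openssl.cnf.
cat > "$WORK/demo.cnf" <<'EOF'
[req]
distinguished_name = dn
[dn]
[v3_ca]
basicConstraints = critical,CA:TRUE
subjectKeyIdentifier = hash
[v3_leaf]
basicConstraints = CA:FALSE
subjectKeyIdentifier = hash
authorityKeyIdentifier = keyid
EOF

# 1. A throw-away CA playing the role of the collective "memberRoot".
openssl req -x509 -config "$WORK/demo.cnf" -extensions v3_ca \
  -newkey rsa:2048 -nodes -days 1 -subj "/OU=memberRoot/O=example-collective" \
  -keyout "$WORK/ca.key" -out "$WORK/ca.pem" 2>/dev/null

# 2. A server certificate issued by that CA (the "CN=hostname" personal cert).
openssl req -new -config "$WORK/demo.cnf" -newkey rsa:2048 -nodes \
  -subj "/CN=hostname/OU=app/O=ibm/C=us" \
  -keyout "$WORK/leaf.key" -out "$WORK/leaf.csr" 2>/dev/null
openssl x509 -req -in "$WORK/leaf.csr" -CA "$WORK/ca.pem" -CAkey "$WORK/ca.key" \
  -CAcreateserial -days 1 -extfile "$WORK/demo.cnf" -extensions v3_leaf \
  -out "$WORK/leaf.pem" 2>/dev/null

# chain_builds TRUSTSTORE CERT: exit 0 when CERT chains up to a root found in
# TRUSTSTORE. openssl verify plays the part of the plugin's buildChain step;
# the default system CA locations are disabled so only TRUSTSTORE counts.
chain_builds() {
  openssl verify -no-CAfile -no-CApath -CAfile "$1" "$2" >/dev/null 2>&1
}

# keyid FILE EXT: the 20-byte key identifier in extension EXT
# (subjectKeyIdentifier or authorityKeyIdentifier) as AA:BB:... hex, or "".
keyid() {
  openssl x509 -in "$1" -noout -ext "$2" 2>/dev/null |
    grep -oE '([0-9A-F]{2}:){19}[0-9A-F]{2}' | head -n 1
}

# aki_matches_ski LEAF CA: exit 0 when LEAF's AKI names CA's SKI, i.e. CA is
# really the issuer a path builder will look for in the trust store.
aki_matches_ski() {
  [ -n "$(keyid "$1" authorityKeyIdentifier)" ] &&
  [ "$(keyid "$1" authorityKeyIdentifier)" = "$(keyid "$2" subjectKeyIdentifier)" ]
}

if chain_builds "$WORK/leaf.pem" "$WORK/leaf.pem"; then
  echo "unexpected: a trust store holding only the leaf built a chain"
else
  echo "leaf-only trust store: no chain built (GSKit reports this as GSKVAL_ERROR_NO_CHAIN_BUILT)"
fi
chain_builds "$WORK/ca.pem" "$WORK/leaf.pem" && echo "CA in trust store: chain built"
aki_matches_ski "$WORK/leaf.pem" "$WORK/ca.pem" && echo "leaf AKI matches CA SKI"
```

On the IHS side the equivalent check is to list the signer certificates in plugin-key.kdb and confirm that the entry is the memberRoot CA, not the CN=hostname personal certificate, and that its key identifier is the one the server certificate's AKI points at.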
OK, I finally got this working. It seems that having a collective setup which used the DefaultKeyStore id was somehow causing a conflict with my Liberty plugin keystore.
I ended up re-creating everything (the plugin-key.kdb keystore and the Liberty plugin keystore, which I named LibertyKeystore.jks). I dumped the collective stuff (not needed at this time anyway) and made an include as above called plugin-join-include.xml:
<?xml version="1.0" encoding="UTF-8" ?>
<server description="IHS plugin join include file">
    <featureManager>
        <feature>ssl-1.0</feature>
    </featureManager>
    <keyStore id="defaultKeyStore" password="password"
              location="${server.config.dir}/resources/security/LibertyKeystore.jks" />
    <pluginConfiguration webserverPort="80" webserverSecurePort="8443"
                         pluginInstallRoot="/opt/IBM/wasadmin/Plugins"
                         sslKeyRingLocation="/opt/IBM/wasadmin/Plugins/config/webserver1/plugin-key.kdb"
                         sslStashFileLocation="/opt/IBM/wasadmin/Plugins/config/webserver1/plugin-key.sth"
                         sslCertlabel="LibertyKeystore"/>
</server>
I exchanged keys between the liberty server LibertyKeystore.jks and the IHS plugin-key.kdb keystores and pushed the newly generated plugin to the IHS server and bounced everything and it all seems to function without issue.
I do now notice that the error log in /opt/IBM/wasadmin/HTTPServer/logs streams:
[Wed Mar 04 21:32:28 2020] [error] [client xxx.xx.xx.17:65261] [7ff5a0000910] [19831] SSL0279E: SSL Handshake Failed due to fatal alert from client. Client sent fatal alert [level 2 (fatal), description 46 (certificate_unknown)] [xxx.xx.xx.17:65261 -> xxx.xx.xx.87:8443] [21:32:28.000934048] 0ms
The access logs show 200s. Maybe a non-plugin "issue" at this point.
When I deploy a Spring Boot application on an external Tomcat server, do I need to configure HTTP/2 on the Tomcat server as well as in my Spring Boot application? I am a bit confused here about how the communication occurs when I call my Spring application deployed inside Tomcat via the browser or any other client, say, Postman.
I have enabled HTTP2 on Tomcat and verified the same:
0:0:0:0:0:0:0:1 - - [08/Jan/2023:18:28:44 +0530] "GET / HTTP/2.0" 200 11408
0:0:0:0:0:0:0:1 - - [08/Jan/2023:18:28:44 +0530] "GET /tomcat.svg HTTP/2.0" 200 68761
0:0:0:0:0:0:0:1 - - [08/Jan/2023:18:28:44 +0530] "GET /tomcat.css HTTP/2.0" 200 5895
and I have configured my spring boot application to use HTTP2 as well using the steps mentioned in this link.
When I am calling my RestController deployed in the external tomcat, I am still getting HTTP 1.1
127.0.0.1 - - [08/Jan/2023:23:41:26 +0530] "HEAD /demo-0.0.1-SNAPSHOT/ HTTP/1.1" 200 -
127.0.0.1 - - [08/Jan/2023:23:41:51 +0530] "HEAD /demo-0.0.1-SNAPSHOT/getMessage HTTP/1.1" 200 -
where demo-0.0.1-SNAPSHOT is the deployed artifact.
I verified the same using curl:
HTTP/1.1 200
Content-Type: text/plain;charset=UTF-8
Content-Length: 41
Date: Sun, 08 Jan 2023 18:11:51 GMT
What am I missing here?
My application.properties file looks like:
# configuring SSL
server.port=8443
server.ssl.key-store-type=pkcs12
server.ssl.key-store=classpath:springboot.p12
server.ssl.key-store-password=password
server.ssl.key-alias=springboot
# enabling http2
server.http2.enabled=true
and I have created the Keystore correctly using the following command:
keytool -genkeypair -alias springboot -keyalg RSA -keysize 4096 -storetype PKCS12 -keystore springboot.p12 -validity 3650 -storepass password
EDIT 1:
Spring Boot version - 2.7.2
Tomcat server - 9.0.70
In my server.xml, I have commented and edited the following Connector:
<Connector port="8443" protocol="org.apache.coyote.http11.Http11NioProtocol"
           maxThreads="200" SSLEnabled="true">
    <UpgradeProtocol className="org.apache.coyote.http2.Http2Protocol" />
    <SSLHostConfig>
        <Certificate certificateKeystoreFile="ssl/tomcat.jks"
                     certificateKeyAlias="tomcat"
                     certificateKeystorePassword="password"
                     type="RSA" />
    </SSLHostConfig>
</Connector>
which has helped me enable TLS as well as HTTP2 both on Tomcat. The problem is when I am deploying a spring boot application and making rest calls to that application's RestController, I am getting HTTP1.1 response. Making calls to Tomcat webservices is giving correct HTTP2 response.
Tomcat as a standalone server has the HTTP/2 connector disabled by default in its server.xml.
Spring Boot 2, up to Tomcat 9
If this is a Spring Boot 2 application deployed as a WAR, then it could be using up to Tomcat 9.
You must find the Tomcat 9 (server.xml) connector for HTTP/2 under the deployed server's conf directory and uncomment this connector, while also providing the necessary certificate files.
You need to uncomment the following:
<Connector port="8443" protocol="org.apache.coyote.http11.Http11AprProtocol"
           maxThreads="150" SSLEnabled="true" >
    <UpgradeProtocol className="org.apache.coyote.http2.Http2Protocol" />
    <SSLHostConfig>
        <Certificate certificateKeyFile="conf/localhost-rsa-key.pem"
                     certificateFile="conf/localhost-rsa-cert.pem"
                     certificateChainFile="conf/localhost-rsa-chain.pem"
                     type="RSA" />
    </SSLHostConfig>
</Connector>
Spring Boot 3, Tomcat 10 or later
In case you have a Spring Boot 3 application deployed as a WAR, then it should be using Tomcat 10 or later.
You must find the Tomcat 10 (server.xml) connector for HTTP/2 under the deployed server's conf directory and uncomment it, while also providing the necessary certificate file:
<Connector port="8443" protocol="org.apache.coyote.http11.Http11NioProtocol"
           maxThreads="150" SSLEnabled="true">
    <UpgradeProtocol className="org.apache.coyote.http2.Http2Protocol" />
    <SSLHostConfig>
        <Certificate certificateKeystoreFile="conf/localhost-rsa.jks"
                     type="RSA" />
    </SSLHostConfig>
</Connector>
I found the solution. While deploying a spring boot application on external tomcat there is no need to specify Server SSL and HTTP2 parameters in the spring properties file as Tomcat will handle all the HTTPS requests. I was trying to mix 2 things.
Configuring the Spring Boot application to support HTTP2 will work if we are deploying using an embedded Tomcat server and I was able to verify that with Chrome browser.
As of writing this post, Postman still doesn't support HTTP/2 requests; hence I was seeing the HTTP/1.1 protocol in the Tomcat access log. I believe the same thing is the issue with the curl request. As my certificate is self-signed, I am using the options -k and -sI. Maybe that's the reason I am getting the response:
HTTP/1.1 200
Content-Type: text/html;charset=UTF-8
Transfer-Encoding: chunked
Date: Tue, 10 Jan 2023 18:09:29 GMT
when running curl -k -sI https://localhost:8443. I will figure out why I am getting HTTP 1.1 and update it here.
Sharing this answer to help anyone coming across this question next time.
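Whether a request over the TLS connector ends up logged as HTTP/2.0 or HTTP/1.1 is decided by ALPN during the handshake: the server can only select h2 if the client offered it, which is why a client that does not offer h2 always shows up as HTTP/1.1 no matter how the connector is configured. The following shell script is an added example (not from the question or any of the answers) that stands up a throw-away TLS listener with openssl s_server advertising h2 and http/1.1, in place of a Tomcat connector with the Http2Protocol UpgradeProtocol, and shows what each kind of client gets. The port, certificate subject and file names are constructed for the demo.

```shell
#!/bin/sh
# Added example, not the original poster's setup: a local TLS listener that
# offers h2 and http/1.1 via ALPN stands in for the Tomcat 8443 connector.
# Port 18443, the CN and the files under $WORK are constructed for the demo.
set -e
WORK=$(mktemp -d)
PORT=18443

# Minimal req config so the demo does not depend on the system openssl.cnf.
printf '[req]\ndistinguished_name = dn\n[dn]\n' > "$WORK/req.cnf"
openssl req -x509 -config "$WORK/req.cnf" -newkey rsa:2048 -nodes -days 1 \
  -subj "/CN=localhost" -keyout "$WORK/srv.key" -out "$WORK/srv.pem" 2>/dev/null

# Server side: advertise both protocols, h2 first (server preference order).
openssl s_server -accept "$PORT" -cert "$WORK/srv.pem" -key "$WORK/srv.key" \
  -alpn h2,http/1.1 -www </dev/null >/dev/null 2>&1 &
SRV=$!
trap 'kill $SRV 2>/dev/null; rm -rf "$WORK"' EXIT

# Wait until the listener accepts connections (s_client exits 0 once the
# handshake completes; verification is not enforced in this probe).
tries=0
until openssl s_client -connect "127.0.0.1:$PORT" </dev/null >/dev/null 2>&1; do
  tries=$((tries + 1))
  [ "$tries" -lt 20 ] || { echo "listener did not start" >&2; exit 1; }
  sleep 1
done

# negotiated_alpn OFFER: connect as a client offering the comma-separated
# protocol list OFFER and print what the server selected ("" if nothing).
negotiated_alpn() {
  openssl s_client -connect "127.0.0.1:$PORT" -alpn "$1" </dev/null 2>/dev/null |
    sed -n 's/^ALPN protocol: //p'
}

echo "client offers h2 only       -> $(negotiated_alpn h2)"          # h2
echo "client offers http/1.1 only -> $(negotiated_alpn http/1.1)"    # http/1.1
echo "client offers h2,http/1.1   -> $(negotiated_alpn h2,http/1.1)" # h2
```

Against a real Tomcat listener the same line can be read with `openssl s_client -connect host:8443 -alpn h2`, and `curl --http2 -k -sI https://host:8443/` makes curl offer h2 explicitly so the access log entry shows which protocol the server actually selected.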
In Liberty profile, how can we remove the default keystore and add a new keystore file? In the server.xml file we have only the default configuration, and we have the requirement below.
1) We created a new keystore file using ikeyman named ccm.jks.
2) We opened the ccm.jks keystore file using ikeyman and, under the "personal certificates" content, created a new self-signed certificate with the common name set to the server's FQDN and the key alias name "ccm". Now the personal certificates list displays the "ccm" certificate. (Refer to Screenshot1.)
3) We created a new truststore file using ikeyman named ccmtrust.jks.
4) Then we edited the server.xml values with the new parameters as below.
<!-- Enable features -->
<featureManager>
    <feature>monitor-1.0</feature>
    <feature>jsp-2.2</feature>
    <feature>servlet-3.0</feature>
    <feature>ssl-1.0</feature>
    <feature>appSecurity-2.0</feature>
    <feature>adminCenter-1.0</feature>
</featureManager>
<ssl id="defaultSSLConfig" keyStoreRef="defaultKeyStore" trustStoreRef="defaultTrustStore" sslProtocol="SSL" enabledCiphers="TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA256 TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA256 TLS_RSA_WITH_AES_128_CBC_SHA256 TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA TLS_RSA_WITH_AES_128_CBC_SHA TLS_DHE_RSA_WITH_AES_128_CBC_SHA TLS_DHE_RSA_WITH_AES_128_CBC_SHA256"/>
<keyStore id="defaultKeyStore" location="${server.config.dir}/resources/security/CCM.jks" type="JKS" password="changeme"/>
<keyStore id="defaultTrustStore" location="${server.config.dir}/resources/security/ccmtrust.jks" type="JKS" password="changeme"/>
<httpEndpoint id="defaultHttpEndpoint"
              host="*"
              httpPort="9080"
              httpsPort="9443" />
5) Since we have to enable SSL trust with our client DB server, we imported the DB server's self-signed certificate into the created truststore.jks file using ikeyman, in the signer certificates section (screenshot2).
6) After all this setup we restarted the service, and when we tried to connect to the DB we got the error below.
Caused by: java.security.cert.CertPathBuilderException: unable to find valid certification path to requested target
at com.ibm.security.cert.PKIXCertPathBuilderImpl.buildCertPath(PKIXCertPathBuilderImpl.java:654)
at com.ibm.security.cert.PKIXCertPathBuilderImpl.engineBuild(PKIXCertPathBuilderImpl.java:368)
at java.security.cert.CertPathBuilder.build(CertPathBuilder.java:268)
at com.ibm.jsse2.util.f.a(f.java:61)
Please let us know if we missed something in the configuration.
Also, we couldn't tell whether the server.xml configuration changes we made are being reflected.
I have written a proxy service and deployed it on WSO2 ESB 5 to receive some file content via HTTP and use the VFS transport to transfer that content to an FTP server. The service works as expected when I specify the connection parameters correctly, but when I specify something wrong in the connection string to simulate a down server, I cannot manage to control the behavior of the VFS transport using the parameters specified in [1]. What I'm looking for is to shorten the delay between the error occurring in VFS and the fault exception caught by Axis.
As you will see below, I specify 0 retries and 0 wait time between retries, but it seems the VFSTransportSender class is somehow not able to read those values, because it always does the same number of retries and waits the same number of seconds each time it is executed. I also changed the values and put in others, but the result is always the same: the server always retries 3 more times with a 30 second delay between each, besides the original request, before Axis receives any information about the error.
Here is my proxy service that works without any issues:
<?xml version="1.0" encoding="UTF-8"?>
<proxy xmlns="http://ws.apache.org/ns/synapse"
       name="ftpProxy"
       startOnLoad="true"
       statistics="disable"
       trace="disable"
       transports="https,http">
    <target>
        <inSequence>
            <log level="full"/>
            <property expression="json-eval($.key)" name="file_name"/>
            <property name="OUT_ONLY" value="true"/>
            <property name="FORCE_SC_ACCEPTED" scope="axis2" value="true"/>
            <property name="HTTP_SC" scope="axis2" value="200"/>
            <property expression="fn:concat(get-property('file_name'), '.json')"
                      name="transport.vfs.ReplyFileName"
                      scope="transport"/>
            <property name="OUT_ONLY" value="true"/>
        </inSequence>
        <endpoint name="ftp_endpoint">
            <address uri="vfs:ftp://jairof_ftp:passftp#localhost:21">
                <timeout>
                    <duration>2000</duration>
                    <responseAction>fault</responseAction>
                </timeout>
                <suspendOnFailure>
                    <errorCodes>-1</errorCodes>
                    <progressionFactor>1.0</progressionFactor>
                </suspendOnFailure>
                <markForSuspension>
                    <errorCodes>-1</errorCodes>
                </markForSuspension>
            </address>
        </endpoint>
    </target>
    <parameter name="transport.vfs.ReconnectTimeout">0</parameter>
    <parameter name="transport.vfs.MaxRetryCount">0</parameter>
    <description/>
</proxy>
And when I want to simulate the server is not reachable I just modify the address URI and I put this one where the user is incorrect:
<address uri="vfs:ftp://ja8irof_ftp:passftp#localhost:21">
I have also tried to set the transport.vfs parameters as properties before calling the endpoint, but the result is exactly the same.
Here you can inspect part of the log file where I cut some parts of the stack trace to keep the post simple:
[2016-10-29 12:23:01,134] ERROR - VFSTransportSender cannot resolve replyFile
org.apache.commons.vfs2.FileSystemException: Could not connect to FTP server on "localhost".
... (the rest of stack trace)
...
Caused by: org.apache.commons.vfs2.FileSystemException: Could not login to FTP server on "localhost" as user "ja8irof_ftp".
at org.apache.commons.vfs2.provider.ftp.FtpClientFactory.createConnection(FtpClientFactory.java:210)
... 29 more
[2016-10-29 12:23:34,223] ERROR - VFSTransportSender cannot resolve replyFile
org.apache.commons.vfs2.FileSystemException: Could not connect to FTP server on "localhost".
... (the rest of stack trace)
...
Caused by: org.apache.commons.vfs2.FileSystemException: Could not login to FTP server on "localhost" as user "ja8irof_ftp".
at org.apache.commons.vfs2.provider.ftp.FtpClientFactory.createConnection(FtpClientFactory.java:210)
... 29 more
[2016-10-29 12:24:07,842] ERROR - VFSTransportSender cannot resolve replyFile
org.apache.commons.vfs2.FileSystemException: Could not connect to FTP server on "localhost".
... (the rest of stack trace)
...
Caused by: org.apache.commons.vfs2.FileSystemException: Could not login to FTP server on "localhost" as user "ja8irof_ftp".
at org.apache.commons.vfs2.provider.ftp.FtpClientFactory.createConnection(FtpClientFactory.java:210)
... 29 more
[2016-10-29 12:24:07,844] ERROR - VFSTransportSender cannot resolve replyFile repeatedly: Could not connect to FTP server on "localhost".
org.apache.commons.vfs2.FileSystemException: Could not connect to FTP server on "localhost".
... (the rest of stack trace)
...
Caused by: org.apache.commons.vfs2.FileSystemException: Could not login to FTP server on "localhost" as user "ja8irof_ftp".
at org.apache.commons.vfs2.provider.ftp.FtpClientFactory.createConnection(FtpClientFactory.java:210)
... 29 more
[2016-10-29 12:24:07,846] ERROR - Axis2Sender Unexpected error during sending message out
org.apache.axis2.AxisFault: cannot resolve replyFile repeatedly: Could not connect to FTP server on "localhost".
... (the rest of stack trace)
...
Caused by: org.apache.commons.vfs2.FileSystemException: Could not connect to FTP server on "localhost".
at org.apache.commons.vfs2.provider.ftp.FtpClientFactory.createConnection(FtpClientFactory.java:275)
at org.apache.commons.vfs2.provider.ftp.FTPClientWrapper.createClient(FTPClientWrapper.java:100)
at org.apache.commons.vfs2.provider.ftp.FTPClientWrapper.getFtpClient(FTPClientWrapper.java:134)
at org.apache.commons.vfs2.provider.ftp.FTPClientWrapper.<init>(FTPClientWrapper.java:59)
at org.apache.commons.vfs2.provider.ftp.FtpFileProvider.doCreateFileSystem(FtpFileProvider.java:128)
at org.apache.commons.vfs2.provider.AbstractOriginatingFileProvider.getFileSystem(AbstractOriginatingFileProvider.java:155)
at org.apache.commons.vfs2.provider.AbstractOriginatingFileProvider.findFile(AbstractOriginatingFileProvider.java:119)
at org.apache.commons.vfs2.provider.AbstractOriginatingFileProvider.findFile(AbstractOriginatingFileProvider.java:88)
at org.apache.commons.vfs2.impl.DefaultFileSystemManager.resolveFile(DefaultFileSystemManager.java:738)
at org.apache.commons.vfs2.impl.DefaultFileSystemManager.resolveFile(DefaultFileSystemManager.java:626)
at org.apache.synapse.transport.vfs.VFSTransportSender.writeFile(VFSTransportSender.java:233)
... 19 more
Caused by: org.apache.commons.vfs2.FileSystemException: Could not login to FTP server on "localhost" as user "ja8irof_ftp".
at org.apache.commons.vfs2.provider.ftp.FtpClientFactory.createConnection(FtpClientFactory.java:210)
... 29 more
Please send me any comments, suggestions... I would appreciate so much, thanks in advance for your time.
[1] https://docs.wso2.com/display/ESB500/VFS+Transport
Try appending parameters to the endpoint URL, like this.
<address uri="vfs:ftp://ja8irof_ftp:passftp#localhost:21?transport.vfs.MaxRetryCount=0&amp;transport.vfs.ReconnectTimeout=0"/>
We are trying to set up an ActiveMQ cluster in a production environment on Amazon EC2 with auto discovery and multicast.
I was able to configure auto discovery with multicast successfully on my local ActiveMQ server, but on Amazon EC2 it is not working.
From the link I found that Amazon EC2 does not support multicast. Hence we have to use HTTP transport or VPN for multicast. I tried HTTP transport for multicast by downloading activemq-optional-5.6.jar (we are using ActiveMQ version 5.6). It requires the httpcore and httpClient jars for the servlet in its class path.
In the broker configuration (activemq.xml)
<networkConnectors>
    <networkConnector name="default" uri="http://localhost:8161/activemq/DiscoveryRegistryServlet"/>
</networkConnectors>
<transportConnectors>
    <transportConnector name="activemq" uri="tcp://localhost:61616" discoveryUri="http://localhost:8161/activemq/DiscoveryRegistryServlet"/>
</transportConnectors>
are added.
But the broker is not identifying the DiscoveryRegistryServlet.
Any help is much appreciated.
Finally figured out how to set up ActiveMQ auto discovery with HTTP.
ActiveMQ broker configuration:
In the $ACTIVEMQ_HOME/webapps folder create a new folder structure:
|_activemq
|_WEB-INF
|_classes
|_web.xml
Create the web.xml file with the following contents:
<web-app>
    <display-name>ActiveMQ Message Broker Web Application</display-name>
    <description>
        Provides an embedded ActiveMQ Message Broker embedded inside a web application
    </description>
    <!-- context config -->
    <context-param>
        <param-name>org.apache.activemq.brokerURL</param-name>
        <param-value>tcp://localhost:61617</param-value>
        <description>The URL that the embedded broker should listen on in addition to HTTP</description>
    </context-param>
    <!-- servlet mappings -->
    <servlet>
        <servlet-name>DiscoveryRegistryServlet</servlet-name>
        <servlet-class>org.apache.activemq.transport.discovery.http.DiscoveryRegistryServlet</servlet-class>
        <load-on-startup>1</load-on-startup>
    </servlet>
    <servlet-mapping>
        <servlet-name>DiscoveryRegistryServlet</servlet-name>
        <url-pattern>/*</url-pattern>
    </servlet-mapping>
</web-app>
Place httpclient-4.0.3.jar, httpcore-4.3.jar, xstream-1.4.5.jar and activemq-optional-5.6.0.jar in $ACTIVEMQ_HOME/lib directory.
In the $ACTIVEMQ_HOME/config directory, modify the jetty.xml file to expose the activemq web app:
<bean id="securityHandler" class="org.eclipse.jetty.security.ConstraintSecurityHandler">
    ...
    <property name="handler">
        <bean id="sec" class="org.eclipse.jetty.server.handler.HandlerCollection">
            <property name="handlers">
                ...
                ...
                <bean class="org.eclipse.jetty.webapp.WebAppContext">
                    <property name="contextPath" value="/activemq" />
                    <property name="resourceBase" value="${activemq.home}/webapps/activemq" />
                    <property name="logUrlOnStart" value="true" />
                    <property name="parentLoaderPriority" value="true" />
                ...
                ...
                </list>
            </property>
        </bean>
    </property>
</bean>
Modify the activemq.xml file in the $ACTIVEMQ_HOME/conf directory to use the http protocol:
<broker name="brokerName">
    ...
    <networkConnectors>
        <networkConnector name="default" uri="http://<loadbalancer_IP>:<loadbalancer_Port>/activemq/DiscoveryRegistryServlet?group=test"/>
        <!--<networkConnector name="default-nc" uri="multicast://default"/>-->
    </networkConnectors>
    <transportConnectors>
        <transportConnector name="http" uri="tcp://0.0.0.0:61618" discoveryUri="http://<loadbalancer_IP>:<loadbalancer_Port>/activemq/test"/>
    </transportConnectors>
    ...
</broker>
Make sure that the broker names are unique. "test" in the URL is the group name of the brokers.
Client configuration:
1. Keep httpclient-4.0.3.jar, httpcore-4.3.jar, xstream-1.4.5.jar and activemq-optional-5.6.0.jar in the classpath of the client.
2. URL to be used by the client:
discovery:(http://<loadbalancer_IP>:<loadbalancer_Port>/activemq/test)connectionTimeout=10000
Here "test" is the group name.
I have created a keystore with a self signed certificate, exported the certificate, and re-imported the certificate with an alias of the IP address.
I want to make a call from inside this server to another service on this server at address]/.....
I cannot get the client side of the call to trust itself. How do I specify the truststore?
Here is the key part of the server.xml:
<Connector protocol="HTTP/1.1" SSLEnabled="true"
           port="8443" address="${jboss.bind.address}"
           scheme="https" secure="true" clientAuth="false"
           keystoreFile="${jboss.server.home.dir}/conf/mykey"
           keystorePass="changeit"
           truststoreFile="${jboss.server.home.dir}/conf/mykey"
           truststorePass="changeit"
           sslProtocol="TLS" />
I get this error on attempting to use https to call a service from this server, to itself.
PKIX path building failed: sun.security.provider.certpath.SunCertPathBuilderException: unable to find valid certification path to requested target
Thanks
Answer: jBoss 6 is using the Java runtime for the client truststore, not its own file. Putting the certificate in the Java environment worked.
I would like to learn whether I can set the truststore in JBoss's configuration for the connector as I have above...