We configured https authentication by using NifiToolKit on Nifi(1.3).
We have a requirement of having https enabled for the rest end points created using - (HandleHTTPRequest -> CustomProcessors -> HandleHTTPResponse).
Configured SSL context service using the same keystore,truststore properties that were generated by the NifiToolkit previously.
Currently i am running Nifi on port 9443 and handleHTTPRequest on 56661.
When i hit the URL with port 56661 from the client , i am getting SSL error even after passing the certificate and the keycode.
import requests
requests.port('https://IPADDRESS:56661/sample',verify='PATH/certificate.pem',json= {})
Can anyone help me on this.. Thanks in advance..
Below is the link which i referred for https configuration on nifi.
https://bryanbende.com/development/2016/08/17/apache-nifi-1-0-0-authorization-and-multi-tenancy
Related
I try to access a graphql api.
The post request goes via a proxy chain of:
local http proxy -> local socks5 proxy -> graphql api host
However, I get java.util.concurrent.ExecutionException: javax.net.ssl.SSLHandshakeException: Failed to create SSL connection in
io.smallrye.graphql.client.vertx.typesafe.VertxTypesafeGraphQLClientProxy#postSync
I did not find any info or method to disable ssl checks, like verify hosts = false etc. in the used TypesafeGraphQLClientBuildernor in the built client.
How to get rid of the ssl checks in this local dev only test setup?
In debug I see that the built client io.smallrye.graphql.client.vertx.typesafe.VertxTypesafeGraphQLClientProxy
has httpClient.options.verifyHost=true which I would like to set to false.
But I don't know how/where to manipulate or replace the httpClient within the VertxTypesafeGraphQLClientProxy.
Any hints please?
I have two javascript adapter:adapterA、adapterB
And I need call adapterA after that the adapterA will call adapterB(use MFP.Server.invokeProcedure, in the same mfp server) using this API
when I call in mfp localhost, it works
http://localhost:9080/mfp/api/adapters/AdapterA/test
then I call https after I import mfp cer to jre cacerts
It works fine too
https://localhost:443/mfp/api/adapters/AdapterA/test
My question is I have IHS Server to redirect mfp services
when I call api by IHS http url
http://{domain}/mfp/api/adapters/AdapterA/test
It works
when I call api by IHS https url
https://{domain}/mfp/api/adapters/AdapterA/test
mfp server will get error like this:
com.ibm.mfp.server.js.adapter.internal.JavascriptManagerImpl E FWLST0904E: Exception was thrown while invoking procedure: test in adapter: adapterB
java.lang.RuntimeException: javax.net.ssl.SSLHandshakeException: com.ibm.jsse2.util.j: PKIX path building failed: com.ibm.security.cert.IBMCertPathBuilderException: unable to find valid certification path to requested target
at com.ibm.mfp.server.js.adapter.internal.invocation.JavaScriptIntegrationLibraryImplementation.invokeProcedure(JavaScriptIntegrationLibraryImplementation.java:255)
but my IHS plugin only set http
how can I resolve this issue and avoid this issue
thanks
When the MobileFirst server creates the request to reach adapter B, the default behaviour is to frame the request, based on the URL of the currently executing request. That is, it uses the request originally used to reach adapter A, to frame the request to reach the target adapter B.
It works well in case 1, where the webserver is accessed using a "http://.." URL. In case 2, where MFP1 has to make an outbound call to the webserver using the "https://.." URL, it needs to first complete a SSL Handshake with the webserver. In case the MFP1 JVM lacks the certificates of the webserver, it fails to establish SSL Handshake and can lead to the error you saw.
In your case, there are two approaches you can take:
Choose to keep the adapter A to adapter B call internal to MFP1. This prevents the outbound "https://" call and you will not see the problem. Additionally, this helps in keeping the travel time shorter and also prevent a new connection on the webserver. To enable this setting, use the JNDI property mfp.adapter.invocation.url. For instance, if you set the value of this property to "http://localhost:9080/mfp", adapter B will be invoked as "http://localhost:9080/mfp/api/adapters/adapterB". The call stays local. More details on this property here.
If you wish to retain the request to adapter B go through the webserver using the secure endpoint, then you should ensure the webserver's root certificates are made available to the MFP1 JVM's trust store so that SSL handshake can be established successfully.
I am trying to do load testing with JMeter for a spring boot application running locally on port 8080.
Request configured is a GET request, and protocol is https. I get following error message:
javax.net.ssl.SSLException: Unsupported or unrecognized SSL message
at java.base/sun.security.ssl.SSLSocketInputRecord.handleUnknownRecord(SSLSocketInputRecord.java:439)
at java.base/sun.security.ssl.SSLSocketInputRecord.decode(SSLSocketInputRecord.java:184)
at java.base/sun.security.ssl.SSLTransport.decode(SSLTransport.java:108)
at java.base/sun.security.ssl.SSLSocketImpl.decode(SSLSocketImpl.java:1151)
at java.base/sun.security.ssl.SSLSocketImpl.readHandshakeRecord(SSLSocketImpl.java:1062)
at java.base/sun.security.ssl.SSLSocketImpl.startHandshake(SSLSocketImpl.java:402)
Any input on it would help?
Your are most probably using https to hit the server while you should use http as port 8080 is usually for http.
Otherwise change port to 8443 for https
Did you cross-check the port number on JMeter?
make sure that the same port is defined in JMeter as well.
https://localhost/application/sub/url
For the above URL, the port number is 443 which is the default port for https
https://localhost:8080/application/sub/url
Whereas the above URL uses 8080 for communication.
Please make sure the correct port has been specified.
Additionally, also note that that JMeter itself doesn't allow unsigned certificates. Make sure the certificates are properly signed via Certificating Authority.
I'm using DefaultMarkLogicDatabaseClientService 1.9.1.3-incubator in NiFi 1.11.4. MarkLogic 10.0-4 is running AWS and has an app server where SSL is configured at the AWS level.
How do I configure the DefaultMarkLogicDatabaseClientService to use HTTPS without needing an SSL Context Service?
Details:
Before SSL was set up, the DefaultMarkLogicDatabaseClientService was able to connect. Once SSL was set up, I'd get this error:
PutMarkLogic[id=bbb8f3c3-7d83-3fb7-454f-9da7d64fa3f6] Failed to properly initialize Processor. If still scheduled to run, NiFi will attempt to initialize and run the Processor again after the 'Administrative Yield Duration' has elapsed. Failure is due to com.marklogic.client.MarkLogicIOException: java.io.IOException: unexpected end of stream on Connection{my-host:8010, proxy=DIRECT hostAddress=my-host/my-IP:8010 cipherSuite=none protocol=http/1.1}: com.marklogic.client.MarkLogicIOException: java.io.IOException: unexpected end of stream on Connection{my-host:8010, proxy=DIRECT hostAddress=my-ost/my-IP:8010 cipherSuite=none protocol=http/1.1}
Okay, seems like it's not successful using protocol HTTP for a server that needs HTTPS. I see that the service can be configured to use an SSL Context Service, but I'm not looking to do client authentication. (Setting this up requires a truststore or keystore.)
If I replace the PutMarkLogic processor that uses the DefaultMarkLogicDatabaseClientService with an InvokeHTTP processor, I can specify the full URL, including "https://", without needing an SSL Context Services (but then I don't get the batching that I get with PutMarkLogic). I'd like to simply tell the MarkLogic service to use HTTPS.
Creating an SSLContextService with a truststore (that contains the public certificate of the MarkLogic server) populated and no keystore populated should work in this situation.
I'm running a micronaut microservice on a Win 7.
My GET Request looks like : http://localhost:8080/maps/myreq.
The controller use a httpclient to send request to an external webseite : image.maps.api.here.com
When running without proxy, all went fine and the response is ok (an image).
But when running behind the proxy, connection timed out. Proxy works fine for any other applications or browser.
How to set micronaut server behind proxy to properly root requests?
edit : when sending a request, the netty server respond with an error : unable to connect to image.maps.api.here.com:xx.xx.xx.xx:xxxx where xx.xx.xx.xx:xxxx is the proxy
How to set micronaut server behind proxy to properly root requests?
You can set the https.proxyHost, https.proxyPort, http.proxyUser and http.proxyPassword system properties. A common place to do that is in the MN_OPTS environment variable. For example, you could set MN_OPTS to have a value like "-Dhttps.proxyHost=127.0.0.1 -Dhttps.proxyPort=3128 -Dhttp.proxyUser=test -Dhttp.proxyPassword=test".
See https://docs.micronaut.io/1.1.0/guide/index.html#proxy for more info.
I hope that helps.
I fixed the problem with settings the proxy for the CLI but also by setting the proxy in the application.yml like here :
https://github.com/micronaut-projects/micronaut-core/issues/1611