Develop Reference

How to secure a camel cxf endpoint (https) in FUSE 7.6?

We have been using camel-cxf service endpoints for multiple applications. They works well. Recently we have a need to secure these service endpoints. Therefore, we are adding <httpu:engine-factory> configuration to the camel-context.xml.
We also configured FUSE 7.6 server to have the secure port at 8183 by setting
[FUSE 7.6 Install]/etc/org.ops4j.pax.web.cfg file:
org.osgi.service.http.port = 8181
org.osgi.service.http.port.secure = 8183
org.ops4j.pax.web.config.file = ${karaf.etc}/undertow.xml
org.ops4j.pax.web.session.cookie.httpOnly = false
org.ops4j.pax.web.session.cookie.secure = true
[FUSE 7.6 Install]/etc/undertow.xml is correctly configured to point
to right keystore and truststore, etc.
Following is the camel-context.xml:
<?xml version="1.0" encoding="UTF-8"?>
<blueprint xmlns="http://www.osgi.org/xmlns/blueprint/v1.0.0"
xmlns:cxf="http://camel.apache.org/schema/blueprint/cxf"
xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
xmlns:sec="http://cxf.apache.org/configuration/security"
xmlns:http="http://cxf.apache.org/transports/http/configuration"
xmlns:httpu="http://cxf.apache.org/transports/http-undertow/configuration"
xsi:schemaLocation="
http://www.osgi.org/xmlns/blueprint/v1.0.0
https://osgi.org/xmlns/blueprint/v1.0.0/blueprint.xsd
http://cxf.apache.org/configuration/security
http://cxf.apache.org/schemas/configuration/security.xsd
http://cxf.apache.org/transports/http/configuration
http://cxf.apache.org/schemas/configuration/http-conf.xsd
http://cxf.apache.org/transports/http-undertow/configuration
http://cxf.apache.org/schemas/configuration/http-undertow.xsd">
<bean class="com.mycom.myapp.CamelRequestProcessor" id="myProcessor"/>
<cxf:cxfEndpoint address="{{MY_HOST}}:8185{{MY_SVC_ADDRESS}}"
bus="auditBus" id="myWebServiceEndpoint"
serviceClass="com.mycom.myapp.MyWebServiceEndpoint" wsdlURL="wsdl/mySvc.wsdl"/>
<httpu:engine-factory bus="cxf">
<httpu:engine port="8185">
<httpu:tlsServerParameters secureSocketProtocol="$(MY_SECURE_SOCKET_PROTOCOL)">
<sec:keyManagers keyPassword="$(MY_KEY_PASSWORD)">
<sec:keyStore file="$(MY_KEYSTORE)" password="$(MY_KEYSTORE_PASSWORD)" type="JKS"/>
</sec:keyManagers>
<sec:trustManagers>
<sec:keyStore file="$(MY_TRUSTSTORE)" password="$(MY_TRUSTSTORE_PASSWORD)" type="JKS"/>
</sec:trustManagers>
<sec:clientAuthentication required="true" want="true"/>
</httpu:tlsServerParameters>
</httpu:engine>
</httpu:engine-factory>
<camelContext id="_myCamelContext" useBlueprintPropertyResolver="true" errorHandlerRef="myErrorHandler">
<route id="_firstRuote">
<from id="_from" uri="cxf:bean:myWebServiceEndpoint"/>
<bean id="_processor" method="process" ref="myProcessor"/>
<to id="_to4" uri="direct:otherEndpoints"/>
</route>
</camelContext>
</blueprint>
After we add <httpu:engine-factory/>section, the code is built and deployed to FUSE 7.6. Everything goes well. There is no error in the log, and the bundle starts normally. When I inspected the service at https://myhost:8183/cxf, the service is displayed in browser
Endpoint address: https://my host:8185/cxf/MyWebServiceEndpoint/<br>
WSDL : {namespace}MyWebServiceEndpoint <--This is a link-->
However, when I click the WSDL link, it spins a few seconds, then displays "Unable to connect". It should display the WSDL file.
The browser address bar does point to the correct URL
https://myhost:8185/cxf/MyWebServiceEndpoint/?wsdl
Any help is greatly appreciated.

Your camel-cxf endpoint has
<sec:clientAuthentication required="true" want="true"/>
Which means your client(in this case a browser to load the wsdl) also needs to provide the private key(keystore).
Did you import truststore/keystore that you used for the camel-cxf endpoint into your browser?

The issue is resolved. The undertow configuration has to specify host as the following, which makes the port accessible:
<httpu:engine host="0.0.0.0" port="8185">

How to change host url websocket configurations?

I have a problem about websocket client url. I want to use remote websocket server for my client machines.
Machine1, Machine2 ---> Remote Websocket Server
I have a config for websocket like this.
<websocket:message-broker application-destination-prefix="/app">
<websocket:stomp-endpoint path="/stomp" allowed-origins="*">
<websocket:handshake-handler ref="myHandshakeHandler"/>
<websocket:sockjs client-library-url="https://cdn.jsdelivr.net/npm/sockjs-client#1/dist/sockjs.min.js"/>
</websocket:stomp-endpoint>
<websocket:simple-broker prefix="/topic,/queue"/>
<websocket:client-inbound-channel>
<websocket:interceptors>
<ref bean="myInterceptor"/>
</websocket:interceptors>
</websocket:client-inbound-channel>
</websocket:message-broker>
I want to post and get remote url for websocket operations so I can multiple my gui machines. How to change to websocket host url localhost to https://remotemachineurl:61614.

I added this config on my xml, and I can connect remote activemq artemis.
<websocket:stomp-broker-relay prefix="/topic,/queue" relay-host="remotehost" relay-port="61614"/>

SpringBoot and IBM MQ connection properties not overrided on deploy

I've a SpringBoot App with a local configuration to connect and listen a local Queue
ibm:
mq:
queueManager: LOCAL_QM
channel: DEV.ADMIN.SVRCONN
connName: localhost(1414)
user: admin
password: passw0rd
user-authentication-m-q-c-s-p: false
When a I deploy the app with Gitlab CI some properties are overrided (with a war_name.xml file in ../tomcat/current/conf/Catalina/localhost/) like database connection properties and mq connection properties to listen a Developpement or Qualification environment queue.
But when the app start the database connection is OK but not the MQ connection (The app use the local connection properties defined in the application.yml file)
When I check the xml file on the remote server, the properties are override.
And when I use a tool like spring actuator, I have the right properties override with the specific env properties.
But in the logs: /tomcat/current/logs/catalina.out I can read that the app try to connect to the local queue manage : LOCAL_QM not the specific environment queue.
2021-05-11 12:19:23.484 ERROR 14483 --- [ntContainer#0-1] o.s.j.l.DefaultMessageListenerContainer : Could not refresh JMS Connection for destination '***' - retrying using FixedBackOff{interval=5000, currentAttempts=16093, maxAttempts=unlimited}. Cause: JMSWMQ0018: Failed to connect to queue manager 'LOCAL_QM' with connection mode 'Client' and host name 'localhost(1414)'.; nested exception is com.ibm.mq.MQException: JMSCMQ0001: IBM MQ call failed with compcode '2' ('MQCC_FAILED') reason '2538' ('MQRC_HOST_NOT_AVAILABLE')
The properties are in the same xml file, it works for the database "spring.datasource" but not for MQ "ibm.mq"
<?xml version="1.0" encoding="UTF-8"?>
<Context>
<Environment name="spring.datasource.url" value="jdbc:postgresql://***:5432/**" type="java.lang.String"/>
<Environment name="spring.datasource.username" value="****" type="java.lang.String"/>
<Environment name="spring.datasource.password" value="****" type="java.lang.String"/>
<Environment name="ibm.mq.queueManager" value="***" type="java.lang.String"/>
<Environment name="ibm.mq.channel" value="***" type="java.lang.String"/>
<Environment name="ibm.mq.connName" value="***" type="java.lang.String"/>
<Environment name="ibm.mq.user" value="***" type="java.lang.String"/>
<Environment name="ibm.mq.password" value="" type="java.lang.String"/>
</Context>
Any idea why the properties are not overrided ?
Thanks

This started out as a comment, but as I wrote it I suspected that you are missing the relevant ibm.mq properties. If you don't provide the following properties:
ibm.mq.queueManager
ibm.mq.channel
ibm.mq.connName
ibm.mq.user
ibm.mq.password
then they default to
ibm.mq.queueManager=QM1
ibm.mq.channel=DEV.ADMIN.SVRCONN
ibm.mq.connName=localhost(1414)
ibm.mq.user=admin
ibm.mq.password=passw0rd
ie. localhost.
The mq-jms-spring-boot-starter makes use of
import org.springframework.boot.context.properties.ConfigurationProperties;
#ConfigurationProperties(prefix = "ibm.mq")
to read the connection properties. In this module https://github.com/ibm-messaging/mq-jms-spring/blob/master/mq-jms-spring-boot-starter/src/main/java/com/ibm/mq/spring/boot/MQConfigurationProperties.java
So it relies on spring to make the properties prefixed with ibm.mq available to it. ie. As long as spring through #ConfigurationProperties knows how to handle the overrides it will make them available to mq-jms-spring-boot-starter.

IBM Liberty 19.0.0.11 return CWWKO0801E: Unable to initialize SSL connection

I have added restConnector-2.0 feature in Liberty 19.0.0.11.
I changed configuration in server.xml file like below,
<basicRegistry id="bas" relam="BasicRealm">
<user name="kin" password="password"/>
<group name="admin">
<member name="kin"></member>
</group>
</basicRegistry>
<administrator-role>
<user>jayaramu</user>
<group>admin</group>
</administrator-role>
Then I ran the application server and try to validate database connection using below URL,
https://localhost:9443/ibm/api/validation/dataSource/database
It return CWWKO0801E: Unable to initialize SSL connection error in console. 403 error in browser.

Configuring Liberty with httpProxyRedirect

I am attempting to redirect traffic on insecure port to secure port as described here:
https://www.ibm.com/support/knowledgecenter/en/SSD28V_9.0.0/com.ibm.websphere.liberty.autogen.core.doc/ae/rwlp_config_httpProxyRedirect.html
Instead both ports are available and I see nothing in the logs. It's as if the httpProxyRedirect isn't being configured at all.
<?xml version="1.0" encoding="UTF-8"?>
<server description="CAST Liberty Server">
<!-- Enable features -->
<featureManager>
<feature>webProfile-7.0</feature>
</featureManager>
<application id="app" context-root="/" type="war" location="${war.name}">
<classloader apiTypeVisibility="spec, ibm-api, api, third-party" />
</application>
<httpProxyRedirect id="defaultHttpProxyRedirect" httpPort="${http.port}" httpsPort="${https.port}" />
<keyStore id="defaultKeyStore" password="pass" />
<httpEndpoint host="*" httpPort="${http.port}" httpsPort="${https.port}" id="defaultHttpEndpoint" />
<applicationMonitor updateTrigger="mbean" />
</server>

Most likely, you are missing the security-constraints in the web.xml. This configuration tells the server which URLs need to be accessed over a secure transport and then re-directs qualifying requests from the non-secure port to the secure port. This tutorial may help: https://docs.oracle.com/cd/E19798-01/821-1841/bncbk/index.html
Also, keep in mind that the httpProxyRedirect configuration in the server.xml is intended for redirecting when you have a proxy server in front of your application server. For example, you may have your proxy server on the main "www.ibm.com" host - listening on HTTP port 80 and HTTPS port 443. But that host may route some requests to your Liberty application server on some other host (like "app1host.internal.ibm.com") that listens on different ports (i.e. HTTP port 9080 and HTTPS port 9443). In that case, just using the security-constraints in the web.xml would attempt to redirect the client request on the Liberty server from 9080 to 9443 but on the www.ibm.com host - where nothing is listening on those ports. In this case, you should configure httpProxyRedirect like this:
<httpProxyRedirect httpPort="80" httpsPort="443" host="www.ibm.com" />
With the configuration, a client HTTP request to a secured URL will get redirected to www.ibm.com on port 443, where the proxy server will forward the request to app1host.internal.ibm.com port 9443.
Hope this helps,
Andy

This is the security constraint that i am using in my web.xml and it works well for both Tomcat and IBM Websphere 8.5.5.15:
<security-constraint>
<web-resource-collection>
<web-resource-name>Entire Application</web-resource-name>
<url-pattern>/*</url-pattern>
</web-resource-collection>
<user-data-constraint>
<transport-guarantee>CONFIDENTIAL</transport-guarantee>
</user-data-constraint>
</security-constraint>
Note: make sure that you put it after your <servlet-mapping>.