Trying to achieve:
As required in Apple Pay for Web, 2 way TLS 1.2 is required. In my case i'm trying to hit apple pay server from my java with json payload (which you can say as client).
https://developer.apple.com/reference/applepayjs/applepaysession#2166532
My points of Concern:
1) Any command that list all the cipher suites supported? running on java 1.8.
2) What is required while making HttpsURLconnection.openconnection to be TLS1.2?
3) Any example code by which i can achieve this connection.
4) What are the settings required like certificate and private key?
Any help would be useful.
I know i have asked very direct questions, but i will keep adding more specific questions in this.
Update: First 3 points are done.
Now only Regarding point 4: I'm sending both the files key and cert by converting to cert.p12 file and saving as new keystore.
openssl x509 -inform der -in merchant_id.cer -out merchant_id.pem
openssl pkcs12 -nodes -export -in merchant_id.pem -inkey clientprivate.key -out cert.p12 -name "Certificate"
After that running java code with VM arguments in eclipse:
-Djavax.net.ssl.keyStoreType=pkcs12 -Djavax.net.ssl.keyStore=cert.p12 -Djavax.net.debug=ssl
I can see following error in console:
*ServerHelloDone
Warning: no suitable certificate found - continuing without client authentication
* Certificate chain
** ECDHClientKeyExchange
main, WRITE: TLSv1.2 Change Cipher Spec, length = 1
*** Finished
verify_data:
*
main, WRITE: TLSv1.2 Handshake, length = 64
main, handling exception: java.net.SocketException: Connection reset
%% Invalidated: [Session-1, TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA]
main, SEND TLSv1.2 ALERT: fatal, description = unexpected_message
main, WRITE: TLSv1.2 Alert, length = 48
main, Exception sending alert: java.net.SocketException: Connection reset by peer: socket write error
main, called closeSocket()
java.net.SocketException: Connection reset
at java.net.SocketInputStream.read(Unknown Source)
at java.net.SocketInputStream.read(Unknown Source)
at sun.security.ssl.InputRecord.readFully(Unknown Source)
at sun.security.ssl.InputRecord.read(Unknown Source)
at sun.security.ssl.SSLSocketImpl.readRecord(Unknown Source)
at sun.security.ssl.SSLSocketImpl.performInitialHandshake(Unknown Source)
at sun.security.ssl.SSLSocketImpl.startHandshake(Unknown Source)
at sun.security.ssl.SSLSocketImpl.startHandshake(Unknown Source)
at sun.net.www.protocol.https.HttpsClient.afterConnect(Unknown Source)
at sun.net.www.protocol.https.AbstractDelegateHttpsURLConnection.connect(Unknown Source)
at sun.net.www.protocol.http.HttpURLConnection.getInputStream0(Unknown Source)
at sun.net.www.protocol.http.HttpURLConnection.getInputStream(Unknown Source)
at java.net.HttpURLConnection.getResponseCode(Unknown Source)
at sun.net.www.protocol.https.HttpsURLConnectionImpl.getResponseCode(Unknown Source)
Here is the java code:
HttpsURLConnection conn = (HttpsURLConnection)url.openConnection();
conn.setSSLSocketFactory(factory);
conn.setDoOutput(true);
conn.setDoInput(true);
conn.setRequestProperty("Content-Type", "application/json; charset=UTF-8");
conn.setRequestProperty("Accept", "application/json");
conn.setRequestMethod("POST");
OutputStream os = conn.getOutputStream();
os.write(jsonInString.getBytes("UTF-8"));
Failing at
conn.getOutputStream();
Using java 1.8
General answers in the order asked..
I found this very helpful to list all ciphers: https://confluence.atlassian.com/stashkb/list-ciphers-used-by-jvm-679609085.html
I used this System.setProperty("https.protocols", "TLSv1.2"); to set it to TLS 1.2.
I can't post my whole project here its too much code... It's a basic http request with all required fields sent along.
First create an "apple pay merchant id" certificate on apple's website, download it, extract the certificate and the key from it into 2 separate files, send both along with your request (with the password, of course).
Related
I'm trying to build pact-workshop-Maven-Springboot-JUnit5/tree/step1 but getting this error when I run command "mvnw verify":
C:\Users\MyUser\git\pact-workshop-Maven-Springboot-JUnit5\consumer>mvnw verify
Found "C:\Users\MyUser\git\pact-workshop-Maven-Springboot-JUnit5\consumer\.mvn\wrapper\maven-wrapper.jar"
JRE being used (logged by my modification in mvnw.cmd): "C:\Program Files (x86)\Java\jre7\bin\java.exe"
Takari Maven Wrapper 0.5.6
Downloading Maven binary from https://repo.maven.apache.org/maven2/org/apache/maven/apache-maven/3.6.3/apache-maven-3.6.3-bin.zip
Downloading https://repo.maven.apache.org/maven2/org/apache/maven/apache-maven/3.6.3/apache-maven-3.6.3-bin.zip
Exception in thread "main" javax.net.ssl.SSLHandshakeException: Received fatal alert: handshake_failure
at sun.security.ssl.Alerts.getSSLException(Unknown Source)
at sun.security.ssl.Alerts.getSSLException(Unknown Source)
at sun.security.ssl.SSLSocketImpl.recvAlert(Unknown Source)
at sun.security.ssl.SSLSocketImpl.readRecord(Unknown Source)
at sun.security.ssl.SSLSocketImpl.performInitialHandshake(Unknown Source)
at sun.security.ssl.SSLSocketImpl.startHandshake(Unknown Source)
at sun.security.ssl.SSLSocketImpl.startHandshake(Unknown Source)
at sun.net.www.protocol.https.HttpsClient.afterConnect(Unknown Source)
at sun.net.www.protocol.https.AbstractDelegateHttpsURLConnection.connect(Unknown Source)
at sun.net.www.protocol.http.HttpURLConnection.getInputStream(Unknown Source)
at sun.net.www.protocol.https.HttpsURLConnectionImpl.getInputStream(Unknown Source)
at org.apache.maven.wrapper.DefaultDownloader.downloadInternal(DefaultDownloader.java:90)
at org.apache.maven.wrapper.DefaultDownloader.download(DefaultDownloader.java:76)
at org.apache.maven.wrapper.Installer.createDist(Installer.java:72)
at org.apache.maven.wrapper.WrapperExecutor.execute(WrapperExecutor.java:121)
at org.apache.maven.wrapper.MavenWrapperMain.main(MavenWrapperMain.java:61)
I've already added the certificate of Maven Repo to the cacerts file "C:\Program Files (x86)\Java\jre7\lib\security\cacerts". Here is its entry in cacerts:
C:\WINDOWS\system32>"C:\Program Files (x86)\Java\jre7\bin\keytool.exe" -list -keystore "C:\Program Files (x86)\Java\jre7\lib\security\cacerts"
Enter keystore password:
Keystore type: JKS
Keystore provider: SUN
Your keystore contains 79 entries
apachemaven, 14.Eyl.2022, trustedCertEntry,
Certificate fingerprint (SHA1): 5E:9A:A9:4B:5A:8A:1C:31:DB:1F:B5:E6:CF:E4:4D:B1:4C:AE:2F:5F
What am I missing?
Maven Central repository support only TLS 1.2 - more info
By the way mentioned project require JDK 1.8, so you must use JDK 1.8 at least - not 1.7.
With JDK 1.8 your problem will disappear.
I followed this tutorial for using a self signed certificate and that worked so far.
Then, I purchased a SSL certificate from my provider and tried to use that one. I get the error:
2019-04-19 17:45:36.385 ERROR 9245 --- [ restartedMain] org.apache.catalina.util.LifecycleBase : Failed to start component [Connector[HTTP/1.1-8443]]
org.apache.catalina.LifecycleException: Protocol handler start failed
at org.apache.catalina.connector.Connector.startInternal(Connector.java:1004) ~[tomcat-embed-core-9.0.14.jar:9.0.14]
at org.apache.catalina.util.LifecycleBase.start(LifecycleBase.java:183) ~[tomcat-embed-core-9.0.14.jar:9.0.14]
at org.apache.catalina.core.StandardService.addConnector(StandardService.java:226) [tomcat-embed-core-9.0.14.jar:9.0.14]
at org.springframework.boot.web.embedded.tomcat.TomcatWebServer.addPreviouslyRemovedConnectors(TomcatWebServer.java:259) [spring-boot-2.1.2.RELEASE.jar:2.1.2.RELEASE]
at org.springframework.boot.web.embedded.tomcat.TomcatWebServer.start(TomcatWebServer.java:197) [spring-boot-2.1.2.RELEASE.jar:2.1.2.RELEASE]
at org.springframework.boot.web.servlet.context.ServletWebServerApplicationContext.startWebServer(ServletWebServerApplicationContext.java:311) [spring-boot-2.1.2.RELEASE.jar:2.1.2.RELEASE]
at org.springframework.boot.web.servlet.context.ServletWebServerApplicationContext.finishRefresh(ServletWebServerApplicationContext.java:164) [spring-boot-2.1.2.RELEASE.jar:2.1.2.RELEASE]
at org.springframework.context.support.AbstractApplicationContext.refresh(AbstractApplicationContext.java:549) [spring-context-5.1.4.RELEASE.jar:5.1.4.RELEASE]
at org.springframework.boot.web.servlet.context.ServletWebServerApplicationContext.refresh(ServletWebServerApplicationContext.java:142) [spring-boot-2.1.2.RELEASE.jar:2.1.2.RELEASE]
at org.springframework.boot.SpringApplication.refresh(SpringApplication.java:775) [spring-boot-2.1.2.RELEASE.jar:2.1.2.RELEASE]
at org.springframework.boot.SpringApplication.refreshContext(SpringApplication.java:397) [spring-boot-2.1.2.RELEASE.jar:2.1.2.RELEASE]
at org.springframework.boot.SpringApplication.run(SpringApplication.java:316) [spring-boot-2.1.2.RELEASE.jar:2.1.2.RELEASE]
at org.springframework.boot.SpringApplication.run(SpringApplication.java:1260) [spring-boot-2.1.2.RELEASE.jar:2.1.2.RELEASE]
at org.springframework.boot.SpringApplication.run(SpringApplication.java:1248) [spring-boot-2.1.2.RELEASE.jar:2.1.2.RELEASE]
at de.tki.chinese.ChineseApplication.main(ChineseApplication.java:24) [classes/:na]
at sun.reflect.NativeMethodAccessorImpl.invoke0(Native Method) ~[na:1.8.0_73]
at sun.reflect.NativeMethodAccessorImpl.invoke(NativeMethodAccessorImpl.java:62) ~[na:1.8.0_73]
at sun.reflect.DelegatingMethodAccessorImpl.invoke(DelegatingMethodAccessorImpl.java:43) ~[na:1.8.0_73]
at java.lang.reflect.Method.invoke(Method.java:497) ~[na:1.8.0_73]
at org.springframework.boot.devtools.restart.RestartLauncher.run(RestartLauncher.java:49) [spring-boot-devtools-2.1.2.RELEASE.jar:2.1.2.RELEASE]
Caused by: java.lang.IllegalArgumentException: DerInputStream.getLength(): lengthTag=109, too big.
at org.apache.tomcat.util.net.AbstractJsseEndpoint.createSSLContext(AbstractJsseEndpoint.java:114) ~[tomcat-embed-core-9.0.14.jar:9.0.14]
at org.apache.tomcat.util.net.AbstractJsseEndpoint.initialiseSsl(AbstractJsseEndpoint.java:85) ~[tomcat-embed-core-9.0.14.jar:9.0.14]
at org.apache.tomcat.util.net.NioEndpoint.bind(NioEndpoint.java:224) ~[tomcat-embed-core-9.0.14.jar:9.0.14]
at org.apache.tomcat.util.net.AbstractEndpoint.bindWithCleanup(AbstractEndpoint.java:1085) ~[tomcat-embed-core-9.0.14.jar:9.0.14]
at org.apache.tomcat.util.net.AbstractEndpoint.start(AbstractEndpoint.java:1171) ~[tomcat-embed-core-9.0.14.jar:9.0.14]
at org.apache.coyote.AbstractProtocol.start(AbstractProtocol.java:568) ~[tomcat-embed-core-9.0.14.jar:9.0.14]
at org.apache.catalina.connector.Connector.startInternal(Connector.java:1001) ~[tomcat-embed-core-9.0.14.jar:9.0.14]
... 19 common frames omitted
Caused by: java.io.IOException: DerInputStream.getLength(): lengthTag=109, too big.
at sun.security.util.DerInputStream.getLength(DerInputStream.java:561) ~[na:1.8.0_73]
at sun.security.util.DerValue.init(DerValue.java:365) ~[na:1.8.0_73]
at sun.security.util.DerValue.<init>(DerValue.java:320) ~[na:1.8.0_73]
at sun.security.pkcs12.PKCS12KeyStore.engineLoad(PKCS12KeyStore.java:1914) ~[na:1.8.0_73]
at java.security.KeyStore.load(KeyStore.java:1445) ~[na:1.8.0_73]
at org.apache.tomcat.util.net.SSLUtilBase.getStore(SSLUtilBase.java:178) ~[tomcat-embed-core-9.0.14.jar:9.0.14]
at org.apache.tomcat.util.net.SSLHostConfigCertificate.getCertificateKeystore(SSLHostConfigCertificate.java:204) ~[tomcat-embed-core-9.0.14.jar:9.0.14]
at org.apache.tomcat.util.net.jsse.JSSEUtil.getKeyManagers(JSSEUtil.java:203) ~[tomcat-embed-core-9.0.14.jar:9.0.14]
at org.apache.tomcat.util.net.AbstractJsseEndpoint.createSSLContext(AbstractJsseEndpoint.java:112) ~[tomcat-embed-core-9.0.14.jar:9.0.14]
... 25 common frames omitted
2019-04-19 17:45:36.405 INFO 9245 --- [ restartedMain] o.apache.catalina.core.StandardService : Stopping service [Tomcat]
2019-04-19 17:45:36.414 INFO 9245 --- [ restartedMain] ConditionEvaluationReportLoggingListener :
I created a keystore like this:
MacBook-Pro:keystore tobias$ keytool -import -alias tomcat -file hanzien_de.key -keystore keystore_hanzien.de.p12 -storepass xxxxx
Then I used that keystore in my application.properties file:
# ==============================================================
# = ssh
# ==============================================================
# Tell Spring Security (if used) to require requests over HTTPS
security.require-ssl=true
# The format used for the keystore
server.ssl.key-store-type=PKCS12
# The path to the keystore containing the certificate
server.ssl.key-store=classpath:keystore/keystore_hanzien.de.p12
#server.ssl.key-store=classpath:keystore/hanzien_de.pfx
# The password used to generate the certificate
server.ssl.key-store-password=xxxxx
# The alias mapped to the certificate
server.ssl.key-alias=tomcat
What am I doing wrong?
First, you appear to be using java 8 (8u73). Through 8 keytool defaults to JKS format, not PKCS12. (9 up does default to PKCS12.) This is why your exception cause is about DerStuff; PKCS12 format is/uses DER but JKS not. Either specify -storetype pkcs12 on the keytool command, or specify ..key-store-type=JKS in your app config (and preferably change the name so it is not actively misleading and confusing to people).
Second, keytool -import on a new keystore (or entry) imports only a certificate as a 'trustedcert' entry only usable to verify other parties. A TLS server (or SSL before it was obsoleted) like Tomcat, or in general any prover, must have a 'privatekey' entry containing a cert AND matching PRIVATEKEY AND usually CHAIN CERT(S). To be exact, the TLS standards require the server to send the/all chain cert(s) needed to verify the entity=server cert, optionally excluding the root or anchor; JSSE normally sends the cert(s) that are in the PrivateKeyEntry, so you must put the needed cert(s) there. For any public CA (like Verisign^WSymantec^WDigicert, GoDaddy, LetsEncrypt/Identrust) since about 1990, at least one chain cert is required, sometimes two and very rarely more. For a private CA this may vary depending on the CA. If the server does not send the required chain cert(s), some clients may still be able to verify some certs; in particular, browsers can often 'fill in' missing chain cert(s) from public CAs. This creates a situation where some connections to your server succeed while other connections to the same server fail, which tends to be very confusing and upsetting to users, and is not recommended.
If your .key file actually contains only a cert, naming it .key is misleading and confusing. If it contains a cert and then key in PEM, Java is able to read and separate the cert part and ignore the key; this allows keytool to run but produces a resulting file that Tomcat cannot use to accept TLS/SSL connections. (Depending on the version and maybe config, it may throw a reasonably specific exception like 'not a key' or 'key not found', or it may simply reject all connection attempts with handshake_failure.) If it contains only a key, or a key then a cert, or not PEM, the keytool command would fail, and yours apparently didn't.
keytool is not able to import a privatekey from anything but a(nother) supported keystore, which doesn't help you much because if it's already in a keystore you don't need to import it. Your choices are:
if you have openssl commandline, use it to convert the key + cert(s) to PKCS12. (openssl pkcs12 -export will include chain cert(s) if you provide it/them explicitly, or explicitly specify -chain and provide or default a truststore containing it/them.) There are dozens of existing Stack Qs and As, going back many years, covering this common and popular alternative.
use keytool to generate the keypair (already in a Java-supported keystore format) and CSR and get a certificate issued for that CSR, and then use keytool -import to either (1) import CA chain certs as trusted and then the server cert to the existing privatekey entry, which automatically fills in the chain or (2) import the whole CA chain directly to the existing privatekey entry. There are many existing Qs and As on this alternative also, as well as Sun/Oracle's own doc for Java, and tailored versions from every CA (or nearly so).
write, or find, and use a program that explicitly loads a privatekey and cert(s) from whatever format(s) you have to a 'privatekey' entry in a supported keystore. This is more work, and there are only a few Qs and As on this.
If you use maven, this is probably occurring because of the Maven filtering in your whole resources folder.
Maven resource filtering (that let's you include variables in your resource files) can mess up your binaries - and certificates are especially sensitive to modification.
More about maven resource filtering: http://maven.apache.org/plugins/maven-resources-plugin/examples/filter.html
Faced with this error during Spring Boot Application with PCKS12 cert start. Simply rasing Java version from 8 to 11 fixed the error. Keep in mind that all the classes you use have to be in both versions of Java.
what about direct running from cmd
java -jar -Djavax.net.ssl.trustStoreType=JKS -Djavax.net.ssl.trustStorePassword=changeit -Djavax.net.ssl.trustStore=C:\Users\certificates\Cert_name -Dspring.profiles.active=local target\jar_or_war_name_with_dot_extension
I have some load testing to do. My web application does not have a domaine name (only an IP adress) and uses HTTPS.
When try to top use JMeter's Script Recorder, I get the following error in my web browser:
An error occurred during a connection to 188.165.49.217:8443. SSL received a record that exceeded the maximum permissible length. Error code: SSL_ERROR_RX_RECORD_TOO_LONG
And if I look at JMeter's log I see the following:
Problem with keystore
java.io.IOException: >> erreur keytool : java.lang.RuntimeException:
java.io.IOException: DNSName components must begin with a letter <<
Command failed, code: 1
'"C:\Program Files (x86)\Java\jre1.8.0_121\bin\keytool" -genkeypair -alias 1XX.XXX.XX.XXX -dname "cn=1XX.XXX.XX.XXX, o=JMeter Proxy (TEMPORARY TRUST ONLY)" -keyalg RSA -keystore proxyserver.jks -storepass {redacted} -keypass {redacted} -validity 7 -ext san=dns:1XX.XXX.XX.XXX'
at org.apache.jorphan.exec.KeyToolUtils.genkeypair(KeyToolUtils.java:171) ~[jorphan.jar:4.0 r1823414]
at org.apache.jorphan.exec.KeyToolUtils.generateSignedCert(KeyToolUtils.java:285) ~[jorphan.jar:4.0 r1823414]
at org.apache.jorphan.exec.KeyToolUtils.generateHostCert(KeyToolUtils.java:276) ~[jorphan.jar:4.0 r1823414]
at org.apache.jmeter.protocol.http.proxy.ProxyControl.updateKeyStore(ProxyControl.java:1563) ~[ApacheJMeter_http.jar:4.0 r1823414]
at org.apache.jmeter.protocol.http.proxy.Proxy.getSSLSocketFactory(Proxy.java:324) [ApacheJMeter_http.jar:4.0 r1823414]
at org.apache.jmeter.protocol.http.proxy.Proxy.startSSL(Proxy.java:429) [ApacheJMeter_http.jar:4.0 r1823414]
at org.apache.jmeter.protocol.http.proxy.Proxy.run(Proxy.java:194) [ApacheJMeter_http.jar:4.0 r1823414]
2018-04-16 17:33:24,397 WARN o.a.j.p.h.p.Proxy: [61014] Unable to negotiate SSL transaction, no keystore?
2018-04-16 17:33:24,397 ERROR o.a.j.p.h.p.Proxy: [61014] Exception when processing sample java.io.IOException: Unable to negotiate SSL transaction, no keystore?
at org.apache.jmeter.protocol.http.proxy.Proxy.startSSL(Proxy.java:446) ~[ApacheJMeter_http.jar:4.0 r1823414]
at org.apache.jmeter.protocol.http.proxy.Proxy.run(Proxy.java:194) [ApacheJMeter_http.jar:4.0 r1823414]
2018-04-16 17:33:24,398 WARN o.a.j.p.h.p.Proxy: [61014] Exception while writing error java.net.SocketException: Connection reset by peer: socket write error
at java.net.SocketOutputStream.socketWrite0(Native Method) ~[?:1.8.0_121]
at java.net.SocketOutputStream.socketWrite(Unknown Source) ~[?:1.8.0_121]
at java.net.SocketOutputStream.write(Unknown Source) ~[?:1.8.0_121]
at java.io.DataOutputStream.writeBytes(Unknown Source) ~[?:1.8.0_121]
at org.apache.jmeter.protocol.http.proxy.Proxy.writeErrorToClient(Proxy.java:561)
[ApacheJMeter_http.jar:4.0 r1823414]
at org.apache.jmeter.protocol.http.proxy.Proxy.run(Proxy.java:258) [ApacheJMeter_http.jar:4.0 r1823414]
The way I see it, the JMeterScript Recorder does not accept IP adresses for HTTPS recording, Am I right? Is there any way to around that (besides usin a domain name for my we app)?
Regards
Elie
One option would be to modify the hosts file on the server that jmeter is running on so that jmeter can resolve the domain name. You can find information on how to modify the hosts file for your operating system here.
Since version 5.1 of apache-jmeter, this problem has been resolved and you can enter IP or domain name that starts with digits.
String driverName = "com.cloudera.hive.jdbc4.HS2Driver";
conf.set("hadoop.security.authentication", "kerberos");
info("Getting Connection");
UserGroupInformation.setConfiguration(conf);
info("Getting Connection"); `info("Getting Connection");
UserGroupInformation.setConfiguration(conf);
UserGroupInformation.loginUserFromKeytab("****#***.***.COM","etc/****.keytab");
Class.forName(driverName); info("Getting Connection");
Connection con = DriverManager.getConnection("jdbc:hive2://localhost:10000;AuthMech=1;KrbRealm=EXAMPLE.COM;KrbHostFQDN=hs2.example.com;KrbServiceName=hive");
info("Got Connection");
18:47:51,894 ERROR [1] Error in section Run at line unknown. An unexpected exception occurred in the script. Script section: Run. Caused by: LoginException occured. Unable to obtain Princpal Name for authentication
java.sql.SQLException: [Simba][HiveJDBCDriver](500164) Error initialized or created transport for authentication: CONN_KERBEROS_AUTHENTICATION_ERROR_GET_TICKETCACHE.
at com.cloudera.hive.hivecommon.api.HiveServer2ClientFactory.createTransport(Unknown Source)
at com.cloudera.hive.hive.api.ExtendedHS2Factory.createClient(Unknown Source)
at com.cloudera.hive.hivecommon.core.HiveJDBCConnection.connect(Unknown Source)
at com.cloudera.hive.jdbc.common.BaseConnectionFactory.doConnect(Unknown Source)
at com.cloudera.hive.jdbc.common.AbstractDriver.connect(Unknown Source)
at java.sql.DriverManager.getConnection(DriverManager.java:582)
at java.sql.DriverManager.getConnection(DriverManager.java:207)
at script.run(script.java:85)
at oracle.oats.scripting.modules.basic.api.IteratingVUser.run(IteratingVUser.java:351)
at oracle.oats.scripting.modules.basic.api.internal.IteratingAgent.run(IteratingAgent.java:801)
Caused by: com.cloudera.hive.support.exceptions.GeneralException: [Simba][HiveJDBCDriver](500164) Error initialized or created transport for authentication: CONN_KERBEROS_AUTHENTICATION_ERROR_GET_TICKETCACHE.
... 10 more
Caused by: com.cloudera.hive.support.exceptions.GeneralException: CONN_KERBEROS_AUTHENTICATION_ERROR_GET_TICKETCACHE
... 10 more
Caused by: javax.security.auth.login.LoginException: Unable to obtain Princpal Name for authentication
at com.sun.security.auth.module.Krb5LoginModule.promptForName(Krb5LoginModule.java:733)
at com.sun.security.auth.module.Krb5LoginModule.attemptAuthentication(Krb5LoginModule.java:629)
at com.sun.security.auth.module.Krb5LoginModule.login(Krb5LoginModule.java:542)
at sun.reflect.NativeMethodAccessorImpl.invoke0(Native Method)
at sun.reflect.NativeMethodAccessorImpl.invoke(NativeMethodAccessorImpl.java:39)
at sun.reflect.DelegatingMethodAccessorImpl.invoke(DelegatingMethodAccessorImpl.java:25)
at java.lang.reflect.Method.invoke(Method.java:597)
at javax.security.auth.login.LoginContext.invoke(LoginContext.java:769)
at javax.security.auth.login.LoginContext.access$000(LoginContext.java:186)
at javax.security.auth.login.LoginContext$5.run(LoginContext.java:706)
at java.security.AccessController.doPrivileged(Native Method)
at javax.security.auth.login.LoginContext.invokeCreatorPriv(LoginContext.java:703)
at javax.security.auth.login.LoginContext.login(LoginContext.java:575)
at com.cloudera.hive.jdbc.kerberos.Kerberos.getSubjectViaTicketCache(Unknown Source)
at com.cloudera.hive.hivecommon.api.HiveServer2ClientFactory.createTransport(Unknown Source)
at com.cloudera.hive.hive.api.ExtendedHS2Factory.createClient(Unknown Source)
at com.cloudera.hive.hivecommon.core.HiveJDBCConnection.connect(Unknown Source)
at com.cloudera.hive.jdbc.common.BaseConnectionFactory.doConnect(Unknown Source)
at com.cloudera.hive.jdbc.common.AbstractDriver.connect(Unknown Source)
at java.sql.DriverManager.getConnection(DriverManager.java:582)
at java.sql.DriverManager.getConnection(DriverManager.java:207)
at script.run(script.java:85)
at oracle.oats.scripting.modules.basic.api.IteratingVUser.run(IteratingVUser.java:351)
at oracle.oats.scripting.modules.basic.api.internal.IteratingAgent.run(IteratingAgent.java:801)
at java.lang.Thread.run(Thread.java:619)
Hive JDBC drivers don't use the Hadoop Auth libraries, because they are supposed to be able to connect from outside the cluster, with minimal dependencies on Hadoop libs.
So, in practise, your UGI settings are ignored.
But Hive JDBC drivers use the Thrift client libraries, which support raw JAAS configuration for Kerberos auth.
Sample use of system props on command-line:
java -Djava.security.krb5.conf=/etc/krb5.conf \
-Djava.security.auth.login.config=./my_jaas.conf \
*****
Sample "my_jaas.conf" to get a private Kerberos ticket (not read from cache, not written to cache) with a password provided in a keytab file:
com.sun.security.jgss.krb5.initiate {
com.sun.security.auth.module.Krb5LoginModule
required
useTicketCache=false
doNotPrompt=true
useKeyTab=true
keyTab="file:/some/path/to/my_login.keytab"
principal="my_login#MY.REALM"
debug=true;
};
Note that the syntax above works with Sun/Oracle JDK and with OpenJDK, but not with IBM JDK which uses a different syntax...It will not work either with the DataDirect connector (shipped with Oracle, IBM, Microstrategy etc.) which expects a specific "subject" in the conf.
And that's it. The JDBC driver will automatically invoke JAAS when it detects that the URL requests a Kerberos connection, and JAAS will handle the dirty work.
PS: debugging security configuration issues is a hassle, but you have a couple of properties to enable the debug traces:
-Dsun.security.krb5.debug=true
-Djava.security.debug=gssloginconfig,configfile,configparser,logincontext
I am sitting second whole day on a problem and giving up. I have written a jersey client which works on Jetty, and doesnt work on Weblogic. The reason is propably hidden in certificate: CN = "*.somecompany.com". Weblogic doesnt like wildcards in CN. Does anybody has working solution for that ?
I added these to Weblogic start params, but Weblogic uses many other clients, so I dont want to add these parameter: ignoreHostnameVerification: -
-Dssl.debug=true -Dweblogic.security.SSL.ignoreHostnameVerification=true
-Dweblogic.security.SSL.enforceConstraints=off
-Dweblogic.nodemanager.sslHostNameVerificationEnabled=false
-Dweblogic.security.SSL.allowSmallRSAExponent=true
-Dweblogic.security.SSL.ignoreHostnameVerification=true
I also accessed a REST service using webbrowser and downloaded certificate to disk an then added it to truststore using keytool.. It still doesnt work.
The only and best way would be to write something custom that validate hostname?? Maybe this wildcard is a problem.. But I am newbie, no idea how to write it, a working example would be greatly appreciated, I won't be able to do it myself :/
Below are exceptions that I found (not sure which were present and when but it is still not working) I was trying to fix it by:
1) Importing whole certificate chain to truststore (Java and Weblogic truststores)
2) Adding starting parameters to Weblogic, but it is not a good solution
com.sun.jersey.api.client.ClientHandlerException: javax.net.ssl.SSLKeyException: FATAL
Alert:BAD_CERTIFICATE - A corrupt or unuseable certificate was received.
com.sun.jersey.api.client.ClientHandlerException:
javax.net.ssl.SSLKeyException: FATAL Alert:BAD_CERTIFICATE - A corrupt
or unuseable certificate was received.
at
com.sun.jersey.client.urlconnection.URLConnectionClientHandler.handle(URLConnectionClientHa ndler.java:131)
at com.sun.jersey.api.client.Client.handle(Client.java:629)
at
com.sun.jersey.api.client.WebResource.handle(WebResource.java:601)
at
com.sun.jersey.api.client.WebResource.access$200(WebResource.java:74)
at
com.sun.jersey.api.client.WebResource$Builder.post(WebResource.java:507)
at
SECOND
with Severity: FATAL, Type: 42
java.lang.Exception: New alert stack
at com.certicom.tls.record.alert.Alert.<init>(Unknown Source)
at com.certicom.tls.record.handshake.HandshakeHandler.handleHandshakeMessages(Unknown Source)
at com.certicom.tls.record.MessageInterpreter.interpretContent(Unknown Source)
at com.certicom.tls.record.MessageInterpreter.decryptMessage(Unknown Source)
at com.certicom.tls.record.ReadHandler.processRecord(Unknown Source)
at com.certicom.tls.record.ReadHandler.readRecord(Unknown Source)
at com.certicom.tls.record.ReadHandler.readUntilHandshakeComplete(Unknown Source)
at com.certicom.tls.interfaceimpl.TLSConnectionImpl.completeHandshake(Unknown Source)
at com.certicom.tls.record.WriteHandler.write(Unknown Source)
at com.certicom.io.OutputSSLIOStreamWrapper.write(Unknown Source)
at java.io.BufferedOutputStream.flushBuffer(BufferedOutputStream.java:82)
at java.io.BufferedOutputStream.flush(BufferedOutputStream.java:140)
at java.io.FilterOutputStream.flush(FilterOutputStream.java:140)
at weblogic.net.http.HttpURLConnection.writeRequests(HttpURLConnection.java:154)
at weblogic.net.http.HttpURLConnection.getInputStream(HttpURLConnection.java:358)
at weblogic.net.http.SOAPHttpsURLConnection.getInputStream(SOAPHttpsURLConnection.java:37)
at weblogic.net.http.HttpURLConnection.getHeaderField(HttpURLConnection.java:702)
at weblogic.net.http.HttpURLConnection.getResponseCode(HttpURLConnection.java:962)
at com.sun.jersey.client.urlconnection.URLConnectionClientHandler._invoke(URLConnectionClientHandler.java:217)
at com.sun.jersey.client.urlconnection.URLConnectionClientHandler.handle(URLConnectionClientHandler.java:129)
at com.sun.jersey.api.client.Client.handle(Client.java:629)
at com.sun.jersey.api.client.WebResource.handle(WebResource.java:601)
at com.sun.jersey.api.client.WebResource.access$200(WebResource.java:74)
at com.sun.jersey.api.client.WebResource$Builder.post(WebResource.java:507)
at
THIRD
E7C0E2529308F> <> <1387573464164> <BEA-000000> <Failure loading trusted CA list
java.security.cert.CertificateParsingException: Could not set value for ASN.1 string object.
at com.certicom.security.cert.internal.x509.X509V3CertImpl.<init>(Unknown Source)
at com.certicom.tls.interfaceimpl.CertificateSupport.addTrustedCertificate(Unknown Source)
at com.certicom.net.ssl.SSLContext.addTrustedCertificate(Unknown Source)
at com.bea.sslplus.CerticomSSLContext.addTrustedCA(Unknown Source)
at weblogic.security.utils.SSLContextWrapper.addTrustedCA(SSLContextWrapper.java:62)
at weblogic.security.utils.SSLSetup.getSSLContext(SSLSetup.java:320)
at weblogic.net.http.HttpsClient.openServer(HttpsClient.java:334)
at weblogic.net.http.HttpsClient.New(HttpsClient.java:566)
at weblogic.net.http.HttpsURLConnection.getHttpClient(HttpsURLConnection.java:339)
at weblogic.net.http.HttpURLConnection.getInputStream(HttpURLConnection.java:408)
at weblogic.net.http.SOAPHttpsURLConnection.getInputStream(SOAPHttpsURLConnection.java:37)
at weblogic.net.http.HttpURLConnection.getHeaderField(HttpURLConnection.java:702)
at weblogic.net.http.HttpURLConnection.getResponseCode(HttpURLConnection.java:962)
at com.sun.jersey.client.urlconnection.URLConnectionClientHandler._invoke(URLConnectionClientHandler.java:217)
at com.sun.jersey.client.urlconnection.URLConnectionClientHandler.handle(URLConnectionClientHandler.java:129)
at com.sun.jersey.api.client.Client.handle(Client.java:629)
at com.sun.jersey.api.client.WebResource.handle(WebResource.java:601)
at com.sun.jersey.api.client.WebResource.access$200(WebResource.java:74)
at com.sun.jersey.api.client.WebResource$Builder.post(WebResource.java:507)
at
try to add the site certificate to you weblogic truststore and then add the below param in your weblogic startup
-DUseSunHttpHandler=true
-Dssl.SocketFactory.provider=sun.security.ssl.SSLSocketFactoryImpl
-Dssl.ServerSocketFactory.provider=sun.security.ssl.SSLSocketFactoryImpl
i have a problem like yours and by this post i solve it
Cannot access HTTPS from Weblogic
Issue fixed by adding these entry in JVM arguments
"-Dweblogic.security.SSL.nojce=true"
"-Dweblogic.ssl.JSSEEnabled=true"
"-Dweblogic.security.SSL.enableJSSE=true"