Pivotal Cloud Foundry - Spring Cloud Services - spring-boot

I am trying to push the company app into Pivotal Cloud Foundry. The app should be bound with service registry. I didn't do any changes in application.yml file. I had have service-registry service in my Pivotal apps manager console. After I pushed my company app into PCF and binded with service-registry service. I did restage my company app. The app is not registered in the service registry console.
2016-06-06T11:25:36.72+0530 [APP/0] OUT Caused by: org.springframework.web.client.ResourceAccessException: I/O error on POST request for "https://p-spring-cloud-services.uaa.******.com/oauth/token":sun.security.validator.ValidatorException: PKIX path building failed: sun.security.provider.certpath.SunCertPathBuilderException: unable to fin
d valid certification path to requested target; nested exception is javax.net.ssl.SSLHandshakeException: sun.security.validator.ValidatorException: PKIX path building failed: sun.securit
y.provider.certpath.SunCertPathBuilderException: unable to find valid certification path to requested target
and
2016-06-06T05:49:35.000+00:00 [APP] OUT 2016-06-06 05:49:35.668 ERROR 22 --- [pool-5-thread-1] com.netflix.discovery.DiscoveryClient : DiscoveryClient_COMPANY/https://p-spring-cloud-services.uaa.******.com/oauth/token:****** - was unable to refresh its cache! status = Error requesting access token.
How to solve these issues?

The cause of problem is ssl certification for PCF. I think you are not uploaded ssl certificate to your environment.

Your PCF instance should have valid root certificates of your apps installed at their side and vice versa....

Related

Error in OAuth mediator version WSO2 EI 7.0.2

I am trying to use OAuth mediator for validating an API . I am using WSO2IS as my IAM server . OAUth mediator is configured to connect WSO2IS server . using URL 'https://localhost:9443/services' while invoking i get followign exceptions . Please see Exception stack below
[
2020-05-27 13:47:27,939] WARN {org.apache.synapse.commons.util.MiscellaneousUtil} - Error loading properties from a file at from the System defined location: nhttp.properties
[2020-05-27 13:48:01,105]
INFO {org.apache.axis2.transport.http.HTTPSender} - Unable to sendViaPost to url[https://localhost:9443/services/OAuth2TokenValidationService]
javax.net.ssl.SSLPeerUnverifiedException: peer not authenticated
at sun.security.ssl.SSLSessionImpl.getPeerCertificates(SSLSessionImpl.java:450)
at org.apache.commons.httpclient.protocol.SSLProtocolSocketFactory.verifyHostName(SSLProtocolSocketFactory.java:276)
at org.apache.commons.httpclient.protocol.SSLProtocolSocketFactory.createSocket(SSLProtocolSocketFactory.java:186)
at org.apache.commons.httpclient.HttpConnection.open(HttpConnection.java:707)
at org.apache.commons.httpclient.MultiThreadedHttpConnectionManager$HttpConnectionAdapter.open(MultiThreadedHttpConnectionManager.java:1361)
at
I have updated keystore and it was working

Websphere - Rest service - Certificate chaining error

I am trying to connect Rest service from my application. And my application is deployed to WAS server.
I am using Spring RestTemplate to consumer the rest service and everything working fine in my local WAS setup.
But when i deploy my code to QA environment (lower environment region), i am getting below error in my log file.
[4/30/18 17:18:22:355 EDT] 00000207 SystemErr R org.springframework.web.client.ResourceAccessException: I/O error on POST request for "https://host:port/resourcename": com.ibm.jsse2.util.j: PKIX path building failed: java.security.cert.CertPathBuilderException: PKIXCertPathBuilderImpl could not build a valid CertPath.; internal cause is:
java.security.cert.CertPathValidatorException: The certificate issued by CN=XXX Root CA, O="The XXX Services Group, Inc." is not trusted; internal cause is:
java.security.cert.CertPathValidatorException: Certificate chaining error; nested exception is javax.net.ssl.SSLHandshakeException: com.ibm.jsse2.util.j: PKIX path building failed: java.security.cert.CertPathBuilderException: PKIXCertPathBuilderImpl could not build a valid CertPath.; internal cause is:
java.security.cert.CertPathValidatorException: The certificate issued by CN=XXX Root CA, O="The XXX Services Group, Inc." is not trusted; internal cause is:
java.security.cert.CertPathValidatorException: Certificate chaining error
[4/30/18 17:18:22:355 EDT] 00000207 SystemErr R at org.springframework.web.client.RestTemplate.doExecute(RestTemplate.java:607)
[4/30/18 17:18:22:356 EDT] 00000207 SystemErr R at org.springframework.web.client.RestTemplate.execute(RestTemplate.java:557)
[4/30/18 17:18:22:357 EDT] 00000207 SystemErr R at org.springframework.web.client.RestTemplate.postForObject(RestTemplate.java:357)
I have imported the certs for the port and host using signer certificate option, but still the issue not resolved (Also tried importing root certs). Can any one let me know what could be the issue?
This looks like the JVM you are using does not trust one of the intermediate certificates, as the error suggests.
You need to retrieve the whole certificate chain, not just the root CA certificate and the certificate of the server. You can use your browser or openssl to retrieve the certificate chain. Your client JVM MUST trust each and every certificate in the certificate chain.
See the following:
https://unix.stackexchange.com/questions/368123/how-to-extract-the-root-ca-and-subordinate-ca-from-a-certificate-chain-in-linux

WSO2 API Manager "unable to find valid certification path to requested target {org .wso2.carbon.apimgt.hostobjects.APIProviderHostObject}"

We have deployed a WSO2 API Manager to expose the APIs of the system. When we published an API with a https target endpoint (Eg: https://abc.d.e:), the requests get failed with the following exception.
TID: [-1234] [] [2017-06-26 06:46:43,226] ERROR {org.wso2.carbon.apimgt.hostobje
cts.APIProviderHostObject} - Error occurred while connecting to backend : https
://list-micro.aws.na.sysco.net:9090, reason : sun.security.validator.ValidatorEx
ception: PKIX path building failed: sun.security.provider.certpath.SunCertPathBu
ilderException: unable to find valid certification path to requested target {org
.wso2.carbon.apimgt.hostobjects.APIProviderHostObject}
javax.net.ssl.SSLHandshakeException: sun.security.validator.ValidatorException:
PKIX path building failed: sun.security.provider.certpath.SunCertPathBuilderExce
ption: unable to find valid certification path to requested target
at sun.security.ssl.Alerts.getSSLException(Alerts.java:192)
at sun.security.ssl.SSLSocketImpl.fatal(SSLSocketImpl.java:1949)
at sun.security.ssl.Handshaker.fatalSE(Handshaker.java:302)
at sun.security.ssl.Handshaker.fatalSE(Handshaker.java:296)
at sun.security.ssl.ClientHandshaker.serverCertificate(ClientHandshaker.
java:1514)
at sun.security.ssl.ClientHandshaker.processMessage(ClientHandshaker.jav
a:216)
at sun.security.ssl.Handshaker.processLoop(Handshaker.java:1026)
at sun.security.ssl.Handshaker.process_record(Handshaker.java:961)
at sun.security.ssl.SSLSocketImpl.readRecord(SSLSocketImpl.java:1062)
Wso2/Carbon uses Java 8 .. Keep in mind there is an issue where the apparently SSL client doesn't pares SNI very well. So if you are using multiple certificates on 1 ip address, this could be the issue:
http://javabreaks.blogspot.com/2015/12/java-ssl-handshake-with-server-name.html

Secured Nifi Cluster Setup

I am trying to configure the 3node secured Nifi cluster setup by followinng the below Link .
But between nodes the connection not happened after enabled SSL/LDAP and i am getting the below error.
2017-04-01 09:05:47,494 WARN [Clustering Tasks Thread-2] o.apache.nifi.controller.FlowController Failed to send heartbeat due to: org.apache.nifi.cluster.protocol.ProtocolException: Failed marshalling 'HEARTBEAT' protocol message due to: javax.net.ssl.SSLHandshakeException: sun.security.validator.ValidatorException: PKIX path building failed: sun.security.provider.certpath.SunCertPathBuilderException: unable to find valid certification path to requested target
2017-04-01 09:05:47,494 ERROR [Process Cluster Protocol Request-7] o.a.nifi.security.util.CertificateUtils The incoming request did not contain client certificates and thus the DN cannot be extracted. Check that the other endpoint is providing a complete client certificate chain
2017-04-01 09:05:47,494 WARN [Process Cluster Protocol Request-7] o.a.n.c.p.impl.SocketProtocolListener Failed processing protocol message from HKLPATHAS02.hk.example.com due to org.apache.nifi.cluster.protocol.ProtocolException: java.security.cert.CertificateException: javax.net.ssl.SSLPeerUnverifiedException: peer not authenticated
org.apache.nifi.cluster.protocol.ProtocolException: java.security.cert.CertificateException: javax.net.ssl.SSLPeerUnverifiedException: peer not authenticated
at org.apache.nifi.cluster.protocol.impl.SocketProtocolListener.getRequestorDN(SocketProtocolListener.java:221) ~[nifi-framework-cluster-protocol-1.1.0.2.1.1.0-2.jar:1.1.0.2.1.1.0-2]
at org.apache.nifi.cluster.protocol.impl.SocketProtocolListener.dispatchRequest(SocketProtocolListener.java:133) ~[nifi-framework-cluster-protocol-1.1.0.2.1.1.0-2.jar:1.1.0.2.1.1.0-2]
at org.apache.nifi.io.socket.SocketListener$2$1.run(SocketListener.java:136) [nifi-socket-utils-1.1.0.2.1.1.0-2.jar:1.1.0.2.1.1.0-2]
at java.util.concurrent.ThreadPoolExecutor.runWorker(ThreadPoolExecutor.java:1142) [na:1.8.0_102]
at java.util.concurrent.ThreadPoolExecutor$Worker.run(ThreadPoolExecutor.java:617) [na:1.8.0_102]
at java.lang.Thread.run(Thread.java:745) [na:1.8.0_102]
Caused by: java.security.cert.CertificateException: javax.net.ssl.SSLPeerUnverifiedException: peer not authenticated
at org.apache.nifi.security.util.CertificateUtils.extractPeerDNFromClientSSLSocket(CertificateUtils.java:306) ~[nifi-security-utils-1.1.0.2.1.1.0-2.jar:1.1.0.2.1.1.0-2]
at org.apache.nifi.security.util.CertificateUtils.extractPeerDNFromSSLSocket(CertificateUtils.java:261) ~[nifi-security-utils-1.1.0.2.1.1.0-2.jar:1.1.0.2.1.1.0-2]
at org.apache.nifi.cluster.protocol.impl.SocketProtocolListener.getRequestorDN(SocketProtocolListener.java:219) ~[nifi-framework-cluster-protocol-1.1.0.2.1.1.0-2.jar:1.1.0.2.1.1.0-2]
... 5 common frames omitted
Caused by: javax.net.ssl.SSLPeerUnverifiedException: peer not authenticated
at sun.security.ssl.SSLSessionImpl.getPeerCertificates(SSLSessionImpl.java:431) ~[na:1.8.0_102]
at org.apache.nifi.security.util.CertificateUtils.extractPeerDNFromClientSSLSocket(CertificateUtils.java:291) ~[nifi-security-utils-1.1.0.2.1.1.0-2.jar:1.1.0.2.1.1.0-2]
... 7 common frames omitted
Please guide me to resolve this thread.
The error is saying that one node in the cluster is attempting to make a heartbeat connection to the other node, but it is not providing a valid client certificate in order to authenticate itself during the TLS handshake negotiation. There are a few possible reasons for this error:
The node is not sending the client certificate. Ensure that nifi.security.needClientAuth=true and nifi.cluster.protocol.is.secure=true are present in your nifi.properties file.
The truststore on the receiving node does not contain the public key certificate of the connecting node. When you followed the instructions from that link, how did you generate the respective certificates? Using the Apache NiFi TLS Toolkit as described by Pierre should ensure that all node certificates are signed by the same CA and that the CA is imported into the common truststore. If you manually generated your certificates, ensure that they are trusted on each node (you can do this with OpenSSL's s_client tool).

error for public stream in Twitter 4j in IBM WAS 6.1

I'm getting below error for public stream using Twitter 4j in IBM WAS 6.1.Can you please suggest on this issue .
INFO: com.ibm.jsse2.util.h: No trusted certificate found
com.ibm.jsse2.util.h: No trusted certificate found
Relevant discussions can be found on the Internet at:
http://www.google.co.jp/search?q=944a924a or
http://www.google.co.jp/search?q=24fd66eb
TwitterException{exceptionCode=[944a924a-24fd66eb 944a924a-24fd66c1 944a924a-24fd66c1], statusCode=-1, message=null, code=-1, retryAfter=-1, rateLimitStatus=null, version=3.0.3}
at twitter4j.internal.http.HttpClientImpl.request(HttpClientImpl.java:192)
at twitter4j.internal.http.HttpClientWrapper.request(HttpClientWrapper.java:61)
at twitter4j.internal.http.HttpClientWrapper.post(HttpClientWrapper.java:98)
at twitter4j.TwitterStreamImpl.getFilterStream(TwitterStreamImpl.java:304)
at twitter4j.TwitterStreamImpl$7.getStream(TwitterStreamImpl.java:292)
at twitter4j.TwitterStreamImpl$TwitterStreamConsumer.run(TwitterStreamImpl.java:462)
Caused by: javax.net.ssl.SSLHandshakeException: com.ibm.jsse2.util.h: No trusted certificate found
at com.ibm.jsse2.n.a(n.java:28)
at com.ibm.jsse2.jc.a(jc.java:235)
at com.ibm.jsse2.db.a(db.java:268)
at com.ibm.jsse2.db.a(db.java:272)
at com.ibm.jsse2.eb.a(eb.java:56)
at com.ibm.jsse2.eb.a(eb.java:122)
at com.ibm.jsse2.db.m(db.java:351)
at com.ibm.jsse2.db.a(db.java:173)
at com.ibm.jsse2.jc.a(jc.java:535)
at com.ibm.jsse2.jc.g(jc.java:203)
at com.ibm.jsse2.jc.a(jc.java:97)
at com.ibm.jsse2.jc.startHandshake(jc.java:44)
at com.ibm.net.ssl.www2.protocol.https.b.afterConnect(b.java:38)
at com.ibm.net.ssl.www2.protocol.https.c.connect(c.java:34)
at sun.net.www.protocol.http.HttpURLConnection.getOutputStream(HttpURLConnection.java:866)
at com.ibm.net.ssl.www2.protocol.https.a.getOutputStream(a.java:38)
at twitter4j.internal.http.HttpClientImpl.request(HttpClientImpl.java:150)
... 5 more
Caused by: com.ibm.jsse2.util.h: No trusted certificate found
at com.ibm.jsse2.util.g.a(g.java:24)
at com.ibm.jsse2.util.g.b(g.java:54)
at com.ibm.jsse2.util.e.a(e.java:9)
at com.ibm.jsse2.yb.checkServerTrusted(yb.java:4)
at com.ibm.jsse2.hb.checkServerTrusted(hb.java:9)
at com.ibm.jsse2.eb.a(eb.java:193)
... 17 more
Jul 3, 2013 10:14:56 AM twitter4j.internal.logging.CommonsLoggingLogger info
INFO: Waiting for 500 milliseconds
Jul 3, 2013 10:14:56 AM twitter4j.internal.logging.CommonsLoggingLogger info
INFO: Establishing connection.
The issue is now resolved by adding SSL certificate in JVM. This page really helped me to understand SSL connection concept in Java.

Resources