WebLogic 12.1.2 bad record MAC on HTTPS

I'm trying to use WebLogic with HTTPS default keystore for development and I get the following error when I try to connect to the server via web browser:
ExecuteThread: '0' for queue: 'weblogic.socket.Muxer', fatal: engine already closed. Rethrowing javax.net.ssl.SSLException: bad record MAC
<13-nov-2014 11H48' COT> <Debug> <SecuritySSL> <BEA-000000> <[Thread[ExecuteThread: '0' for queue: 'weblogic.socket.Muxer',5,Thread Group for Queue: 'weblogic.socket.Muxer']]weblogic.security.SSL.jsseadapter: SSLENGINE: Exception occurred during SSLEngine.unwrap(ByteBuffer,ByteBuffer[]).
javax.net.ssl.SSLException: bad record MAC
at sun.security.ssl.Alerts.getSSLException(Alerts.java:208)
at sun.security.ssl.SSLEngineImpl.fatal(SSLEngineImpl.java:1605)
at sun.security.ssl.SSLEngineImpl.fatal(SSLEngineImpl.java:1573)
at sun.security.ssl.SSLEngineImpl.readRecord(SSLEngineImpl.java:971)
at sun.security.ssl.SSLEngineImpl.readNetRecord(SSLEngineImpl.java:876)
at sun.security.ssl.SSLEngineImpl.unwrap(SSLEngineImpl.java:750)
at javax.net.ssl.SSLEngine.unwrap(SSLEngine.java:664)
at weblogic.security.SSL.jsseadapter.JaSSLEngine$5.run(JaSSLEngine.java:134)
at weblogic.security.SSL.jsseadapter.JaSSLEngine.doAction(JaSSLEngine.java:732)
at weblogic.security.SSL.jsseadapter.JaSSLEngine.unwrap(JaSSLEngine.java:132)
at weblogic.socket.JSSEFilterImpl.unwrap(JSSEFilterImpl.java:603)
at weblogic.socket.JSSEFilterImpl.unwrapAndHandleResults(JSSEFilterImpl.java:507)
at weblogic.socket.JSSEFilterImpl.unwrapAndHandleResults(JSSEFilterImpl.java:474)
at weblogic.socket.JSSEFilterImpl.isMessageComplete(JSSEFilterImpl.java:313)
at weblogic.socket.SocketMuxer.readReadySocketOnce(SocketMuxer.java:991)
at weblogic.socket.SocketMuxer.readReadySocket(SocketMuxer.java:928)
at weblogic.socket.NIOSocketMuxer.process(NIOSocketMuxer.java:507)
at weblogic.socket.NIOSocketMuxer.processSockets(NIOSocketMuxer.java:473)
at weblogic.socket.SocketReaderRequest.run(SocketReaderRequest.java:30)
at weblogic.socket.SocketReaderRequest.execute(SocketReaderRequest.java:43)
at weblogic.kernel.ExecuteThread.execute(ExecuteThread.java:147)
at weblogic.kernel.ExecuteThread.run(ExecuteThread.java:119)
>
I found some links about this, but nothing important.
Is there any solution for this?

Remove the WebLogic Domain data folder and set it up again. This time I restarted the WebLogic server domain after setting up the WebLogic Domain data folder and enabled SSL afterwards. Next, open the browser with the https address and it works.

Spinnaker & Okta integration failing

Scenario:
Upgraded Spinnaker to 1.12.0. No other config changes that would impact this integration (we had to modify an s3 IAM because it quit working). Okta integration stopped working. Public key was reissued during install process for the ingress, may be relevant?
SAML-TRACE shows payload getting to okta and back
Spinnaker throws two different errors depending on browser and how I get there.
Direct link to deck url: (500) No IDP was configured, please update included metadata with at least one IDP (seen in browser and gate)
Okta "chicklet" in okta dashboard: (401) Authentication Failed: Incoming SAML message is invalid
Config details (again none of this changed):
Downloading metadata directly
JKS is being leveraged and is valid
service url is confirmed
alias for JKS is confirmed
I had this issue as well when upgrading from 1.10.13 to 1.12.2. I found lots of these error messages in Gate's logs:
2019-02-19 05:31:30.421 ERROR 1 --- [.0-8084-exec-10] o.a.c.c.C.[.[.[/].[dispatcherServlet] : Servlet.service() for servlet [dispatcherServlet] in context with path [] threw exception [org.opensaml.saml2.metadata.provider.MetadataProviderException: No IDP was configured, please update included metadata with at least one IDP] with root cause
org.opensaml.saml2.metadata.provider.MetadataProviderException: No IDP was configured, please update included metadata with at least one IDP
at org.springframework.security.saml.metadata.MetadataManager.getDefaultIDP(MetadataManager.java:795) ~[spring-security-saml2-core-1.0.2.RELEASE.jar:1.0.2.RELEASE]
at org.springframework.security.saml.context.SAMLContextProviderImpl.populatePeerEntityId(SAMLContextProviderImpl.java:157) ~[spring-security-saml2-core-1.0.2.RELEASE.jar:1.0.2.RELEASE]
at org.springframework.security.saml.context.SAMLContextProviderImpl.getLocalAndPeerEntity(SAMLContextProviderImpl.java:127) ~[spring-security-saml2-core-1.0.2.RELEASE.jar:1.0.2.RELEASE]
at org.springframework.security.saml.SAMLEntryPoint.commence(SAMLEntryPoint.java:146) ~[spring-security-saml2-core-1.0.2.RELEASE.jar:1.0.2.RELEASE]
at org.springframework.security.web.access.ExceptionTranslationFilter.sendStartAuthentication(ExceptionTranslationFilter.java:203) ~[spring-security-web-4.2.9.RELEASE.jar:4.2.9.RELEASE]
...
After downgrading back to 1.10.13, I upgraded to the next version, 1.11.0, and found that's when the issue started. Eventually, I looked at Gate's logs from the launch of the Container and found:
2019-02-20 22:31:40.132 ERROR 1 --- [0.0-8084-exec-3] o.o.s.m.provider.HTTPMetadataProvider : Error retrieving metadata from https://000000000000.okta.com/app/00000000000000000/sso/saml/metadata
javax.net.ssl.SSLException: Error in hostname verification
at org.opensaml.ws.soap.client.http.TLSProtocolSocketFactory.verifyHostname(TLSProtocolSocketFactory.java:241) ~[openws-1.5.4.jar:na]
at org.opensaml.ws.soap.client.http.TLSProtocolSocketFactory.createSocket(TLSProtocolSocketFactory.java:186) ~[openws-1.5.4.jar:na]
at org.apache.commons.httpclient.HttpConnection.open(HttpConnection.java:707) ~[commons-httpclient-3.1.jar:na]
at org.apache.commons.httpclient.HttpMethodDirector.executeWithRetry(HttpMethodDirector.java:387) ~[commons-httpclient-3.1.jar:na]
...
This led me to realize that the TLS certificate was being rejected by Gate. Not sure why it suddenly started failing the check. Up to this point, I had it configured as:
$ hal config security authn saml edit --metadata https://000000000000.okta.com/app/00000000000000000/sso/saml/metadata
I ended up downloading the metadata file and redeploying with halyard.
$ wget https://000000000000.okta.com/app/00000000000000000/sso/saml/metadata
$ hal config security authn saml edit --metadata "${PWD}/metadata"
$ hal config version edit --version 1.12.2
$ hal deploy apply
Opened up a private browser window as suggested by the Spinnaker documentation and Gate started redirecting to Okta correctly again.
Issue filed, https://github.com/spinnaker/spinnaker/issues/4017.
So I ended up finding the answer. The tomcat config changed apparently in spinnaker in later versions for gate.
I created this snippet in ~/.hal/default/profiles/gate-local.yml
server:
  tomcat:
    protocolHeader: X-Forwarded-Proto
    remoteIpHeader: X-Forwarded-For
    internalProxies: .*
Deployed spinnaker and it was back to working.
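The effect of `internalProxies: .*` in the gate-local.yml snippet above, as an added example that is not part of the original answer or of Spinnaker's code: a simplified Python model of the right-to-left X-Forwarded-For walk, assuming full-string regex matching as in Tomcat's remote-IP handling. `resolve_client_ip`, the restricted pattern and all addresses are constructed for illustration.

```python
import re

# The pattern from the snippet above, and a narrower one that trusts only a
# single ingress address (10.0.0.5 is a constructed value).
PERMISSIVE = r".*"
RESTRICTED = r"10\.0\.0\.5"


def resolve_client_ip(peer_addr, x_forwarded_for, internal_proxies):
    """Simplified model of how a remote-IP filter picks the client address.

    The header is honoured only when the TCP peer matches internal_proxies;
    entries are then walked right to left, and the first one that is not an
    internal proxy is taken as the client.
    """
    pattern = re.compile(internal_proxies)
    if not pattern.fullmatch(peer_addr):
        return peer_addr  # header ignored: the peer is not a trusted proxy
    hops = [h.strip() for h in x_forwarded_for.split(",") if h.strip()]
    client = peer_addr
    for hop in reversed(hops):
        client = hop
        if not pattern.fullmatch(hop):
            break  # first hop outside the trusted set is the client
    return client


if __name__ == "__main__":
    # Constructed request: the ingress (10.0.0.5) appended the real peer
    # 203.0.113.7 to a header value the client had already supplied.
    header = "198.51.100.1, 203.0.113.7"
    for name, pat in (("permissive", PERMISSIVE), ("restricted", RESTRICTED)):
        print(name, resolve_client_ip("10.0.0.5", header, pat))
```

With the wildcard, the address recorded for the request is whatever the left-most header entry says; limiting the pattern to the ingress addresses keeps the recorded address tied to what the ingress observed.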

Challenge response from CFEngine Server Failure while connecting cygwin to CFEngine

When I run from Windows 7 with Cygwin to connect to CFEngine version 3.4.2:
cf-agent -Bs 217.64.173.210
Challenge response from server 217.64.173.210/217.64.173.210 was incorrect!
I: Made in version 'not specified' of '/var/cfengine/inputs/update.cf' near line 47
!! Authentication dialogue with 217.64.173.210 failed
Challenge response from server 217.64.173.210/217.64.173.210 was incorrect!
I: Made in version 'not specified' of '/var/cfengine/inputs/update.cf' near line
and in /var/cfengine/inputs/update.cf on line 47 is
47 : perms => m("600"),
On Cygwin, in the keys folder:
/var/cfengine/ppkeys
localhost.pub
localhost.priv
root-MD5=b8825ba0a0e7017e34b15766d3b3ac58 (which is also the shared key on the CFEngine server side)
On the CFEngine server side:
/var/cfengine/ppkeys/
localhost.priv
localhost.pub
root-MD5=b8825ba0a0e7017e34b15766d3b3ac58
With Regards
Sandeep
Did you also get the server to trust the client's key? Like so:
cf-key -t root-MD5=b8825ba0a0e7017e34b15766d3b3ac58
(on the server)
Also, try restarting cf-serverd in verbose mode with the -v switch on the server, and watch what error messages you get on that end.

Sonarqube 4.3 email notification not working

I am trying to configure Sonarqube to notify the developers automatically by email if there is a new issue assigned to their account.
On the settings page I sent a test email successfully and received it in my inbox (Gmail).
But inside the Sonar process the notification fails!
Does anyone have experience with that?
org.apache.commons.mail.EmailException: Sending the email to the following server failed : smtp.gmail.com:465
at org.apache.commons.mail.Email.sendMimeMessage(Email.java:1410) ~[commons-email-1.3.2.jar:1.3.2]
at org.apache.commons.mail.Email.send(Email.java:1437) ~[commons-email-1.3.2.jar:1.3.2]
at org.sonar.plugins.emailnotifications.EmailNotificationChannel.send(EmailNotificationChannel.java:182) [sonar-email-notifications-plugin-4.3.2.jar:na]
at org.sonar.plugins.emailnotifications.EmailNotificationChannel.deliver(EmailNotificationChannel.java:130) [sonar-email-notifications-plugin-4.3.2.jar:na]
at org.sonar.plugins.emailnotifications.EmailNotificationChannel.deliver(EmailNotificationChannel.java:106) [sonar-email-notifications-plugin-4.3.2.jar:na]
at org.sonar.server.notifications.NotificationService.dispatch(NotificationService.java:197) [NotificationService.class:na]
Caused by: javax.mail.MessagingException: Unknown SMTP host: smtp.gmail.com
at com.sun.mail.smtp.SMTPTransport.openServer(SMTPTransport.java:1970) ~[mail-1.4.5.jar:1.4.5]
at com.sun.mail.smtp.SMTPTransport.protocolConnect(SMTPTransport.java:642) ~[mail-1.4.5.jar:1.4.5]
Caused by: java.net.UnknownHostException: smtp.gmail.com
Just restart the server... this is not part of the documentation.

Socket.IO flashsocket security sandbox error

I have been playing around with node.js and socket.io for the past few days. Everything works fine on my local machine (Windows using IIS as a web server), but when uploading it to my remote server (Ubuntu box), I get security errors.
[trace] Warning: Failed to load policy file from http://localhost:8000/crossdomain.xml
[trace] *** Security Sandbox Violation ***
[trace] Connection to http://localhost:8000/socket.io/1/ halted - not permitted from http://****/virtualcinema/VirtualCinema.swf
[trace] Error #2044: Unhandled securityError:. text=Error #2048: Security sandbox violation: http://****/virtualcinema/VirtualCinema.swf cannot load data from http://localhost:8000/socket.io/1/.
The AS3 code it's erroring on is:
Security.loadPolicyFile("xmlsocket://localhost:10843");
socket = new FlashSocket("localhost:8000");
The policy file is being served correctly on port 10843 and I can receive the policy file fine at http://**:10843/ in my browser. Why is it trying to load the policy file on port 8000? That warning does not appear on my local build.
The socket.io code:
socket = io.listen(8000);
socket.configure(function()
{
    socket.set("transports", ["flashsocket"]);
    socket.set("log level", 2);
});
I'm confused as to why it gets resolved fine when I test it on a local machine but not on a remote one. Any help would be much appreciated :)
The crossdomain.xml I am using:
<cross-domain-policy>
    <allow-access-from domain="*" to-ports="*"/>
</cross-domain-policy>
Fixed. I changed it from pointing to localhost to my server's external IP.
I had tried this before, but unfortunately the server had cached my swf file and I did not realise it was fixed.
Security.loadPolicyFile("xmlsocket://****.com:10843");
socket = new FlashSocket("****.com:8000");

Cannot run Gradlew: get Exception in thread "main" java.net.SocketException: Connection reset

I'm trying to run gradlew to build some code that had been supplied to me. The source is the ZIP download from here and all I've done is open a command prompt, cd to that folder and run gradlew.bat.
I've had this work on my crash'n'burn machine but I can't get it working on my main dev machine. The dev machine sits behind a proxy which requires authentication, the other machine doesn't - they're at different locations.
Originally, I got:
Exception in thread "main" java.net.UnknownHostException: services.gradle.org
From this, to gradle.properties, I added:
systemProp.http.proxyHost=192.168.x.y
systemProp.http.proxyPort=80
systemProp.http.proxyUser=myuserid
systemProp.http.proxyPassword=mypassword
and ran it again and got:
C:\Users\tso259sa\workspace\spring-security-saml-master>gradlew.bat
Downloading http://services.gradle.org/distributions/gradle-1.4-bin.zip
Exception in thread "main" java.net.SocketException: Connection reset
at java.net.SocketInputStream.read(SocketInputStream.java:189)
at java.net.SocketInputStream.read(SocketInputStream.java:121)
at java.io.BufferedInputStream.fill(BufferedInputStream.java:235)
at java.io.BufferedInputStream.read1(BufferedInputStream.java:275)
at java.io.BufferedInputStream.read(BufferedInputStream.java:334)
at sun.net.www.MeteredStream.read(MeteredStream.java:134)
at java.io.FilterInputStream.read(FilterInputStream.java:133)
at sun.net.www.protocol.http.HttpURLConnection$HttpInputStream.read(HttpURLConnection.java:3052)
at sun.net.www.protocol.http.HttpURLConnection$HttpInputStream.read(HttpURLConnection.java:3046)
at org.gradle.wrapper.Download.downloadInternal(Download.java:67)
at org.gradle.wrapper.Download.download(Download.java:49)
at org.gradle.wrapper.Install.createDist(Install.java:51)
at org.gradle.wrapper.WrapperExecutor.execute(WrapperExecutor.java:129)
at org.gradle.wrapper.GradleWrapperMain.main(GradleWrapperMain.java:48)
For info, if I try an incorrect password or ID, I get:
Exception in thread "main" java.net.ProtocolException: Server redirected too many times (20)
so I think that rules out incorrect ID. Anyone have any ideas what I can try?
I don't know exactly what caused the connection reset but I tried again several times, in case it was transient and, after some time, the response changed to:
Exception in thread "main" java.io.IOException: Server returned HTTP response code: 403
Suspecting our security systems, I tried to download the file using a browser and received a message from one of the security boxes saying it had been blocked because it contained a .bat file: a regular occurrence.
Look in your build.gradle and gradle.properties and edit 'https://' to 'http://' in all links
I still got this issue today. Different companies have different proxy settings.
After investigating, this worked for me:
org.gradle.daemon=true
systemProp.https.proxyHost=[server name]
systemProp.https.proxyPort=[port]
systemProp.https.proxyUser=[user name]
systemProp.https.proxyPassword=XXXXX
systemProp.https.nonProxyHosts= localhost
systemProp.http.proxyHost=[server name]
systemProp.http.proxyPort=[port]
systemProp.http.proxyUser=[user name]
systemProp.http.proxyPassword=XXXXX
systemProp.http.nonProxyHosts= localhost