rally rest api java toolkit sslpeerunverifiedexception : peer not authenticated

Question

I am trying to use this toolkit to test Rally's webservice api. We have an internal setup of Rally. My code looks like this:

    RallyRestApi restApi = new RallyRestApi (new URI("https://rally"), "userName", "password");
    restApi.setApplicationName("Test");
    restApi.setWsapiVersion(wsapiVersion);

    String workspaceRef = new String("/workspace/11457676");
    String projectRef = new String("/project/11457760");

    String storyFormattedID = "US576";

    QueryRequest storyRequest = new QueryRequest("HierarchicalRequirement");
    storyRequest.setFetch(new Fetch("FormattedID","Name","Owner"));
    storyRequest.setQueryFilter(new QueryFilter("FormattedID", "=", storyFormattedID));
    storyRequest.setWorkspace(workspaceRef);
    storyRequest.setProject(projectRef);
    QueryResponse storyQueryResponse = restApi.query(storyRequest);
    ....

The lase line before "...." generate a exception: javax.net.ssl.SSLPeerUnverifiedException: peer not authenticated. When I manually access the webservice like this on browser works fine except I noticed there is Certificate Error: "https://rally/slm/webservice/1.29/defect/10509982"

Does anyone have experience with this? Thanks.

Answer 1

Starting with 2.1 version of the jar the toolkit allows access to the HTTPClient under it, and we can tell HTTPClient to ignore invalid certificate chains and tolerate self-singed certificates in order to workaround SSLPeerUnverifiedException: peer not authenticated exception

When we instantiate RallyRestApi:

String host = "https://rally1.rallydev.com";
String apiKey = "_abc123";
RallyRestApi restApi = new RallyRestApi(new URI(host),apiKey);
restApi.setProxy(new URI("http://myproxy.mycompany.com"), "MyProxyUsername", "MyProxyPassword");

we may access HttpClient with getClient()

Here is a full code example:

import com.rallydev.rest.RallyRestApi;
import com.rallydev.rest.client.HttpClient;
import com.rallydev.rest.request.GetRequest;
import com.rallydev.rest.response.GetResponse;
import java.io.IOException;
import java.net.URI;
import java.net.URISyntaxException;
import java.security.cert.CertificateException;
import java.security.cert.X509Certificate;

import org.apache.http.conn.ssl.SSLSocketFactory;
import org.apache.http.conn.ssl.TrustStrategy;
import org.apache.http.conn.scheme.Scheme;


public class ConnnectionTestWithHTTPClient {

    public static void main(String[] args) throws URISyntaxException, IOException {


        String host = "https://rally1.rallydev.com";
        String apiKey = "_abc123";
        String applicationName = "Connnection Test With HTTPClient";
        RallyRestApi restApi = new RallyRestApi(new URI(host),apiKey);
        restApi.setApplicationName(applicationName); 
        //restApi.setProxy(new URI("http://myproxy.mycompany.com"), "MyProxyUsername", "MyProxyPassword");  //SET PROXY SETTINS HERE
        HttpClient client = restApi.getClient();
        try {
            SSLSocketFactory sf = new SSLSocketFactory(new TrustStrategy() {
                public boolean isTrusted(X509Certificate[] certificate, String authType)
                    throws CertificateException {
                    //trust all certs
                    return true;
                }
            }, SSLSocketFactory.ALLOW_ALL_HOSTNAME_VERIFIER);
            client.getConnectionManager().getSchemeRegistry().register(new Scheme("https", 443, sf));

            String workspaceRef = "/workspace/12345"; //USE VALID WORKSPACE OID 
            GetRequest getRequest = new GetRequest(workspaceRef);
            GetResponse getResponse = restApi.get(getRequest);
            System.out.println(getResponse.getObject());
        } catch (Exception e) {
            System.out.println(e);
        } finally {
            restApi.close();
        }   
    } 
}

Answer 2

If it used to work in the past, perhaps something changed in your environment, specifically related to a proxy.

There is setProxy method documented here. If this is indeed proxy related I hope this helps.

setProxy

public void setProxy(URI proxy, String userName, String password)

[Set the authenticated proxy server to use. By default no proxy is configured.][2]

Parameters:
    proxy - The proxy server, e.g. new URI("http://my.proxy.com:8000")
    userName - The username to be used for authentication.
    password - The password to be used for authentication.

Answer 3

I have used the RallyRestAPi instance for long time for the connection, suddenly its throwing the SSLPeerUnverified Exception, if i use the class you have given the error is not occurring. How the RallyRestAPI has been worked till now? I'm using 1.0.6 also tried 1.0.7

Answer 4

This is definitely an issue we discovered when testing the toolkit internally against servers with self signed certs. Check out this related question:

SSLPeerUnverifiedException with httpClient

and specifically this answer:

https://stackoverflow.com/a/9114024/728184

You can implement this today by extending RallyRestApi and configuring the necessary SSL security overrides:

import org.apache.http.conn.scheme.Scheme;
import org.apache.http.conn.ssl.SSLSocketFactory;
import org.apache.http.conn.ssl.TrustStrategy;

import java.net.URI;
import java.security.cert.CertificateException;
import java.security.cert.X509Certificate;

public class OnPremRestApi extends RallyRestApi {

    public OnPremRestApi(URI server, String userName, String password) {
        super(server, userName, password);

        try {
            SSLSocketFactory sf = new SSLSocketFactory(new TrustStrategy() {
                public boolean isTrusted(X509Certificate[] certificate, String authType)
                    throws CertificateException {
                    //trust all certs
                    return true;
                }
            }, SSLSocketFactory.ALLOW_ALL_HOSTNAME_VERIFIER);
            httpClient.getConnectionManager().getSchemeRegistry()
                .register(new Scheme("https", 443, sf));
        } catch (Exception e) {
            //hmm...
        }
    }
}

Then just use an instance of OnPremRestApi instead of RallyRestApi in your code.