gurdjieff

Reputation: 29

wso2esb "Unable to validate SSL Certificate"

I can't connect my custom proxy in wso2esb (4.8.1) to my Tomcat-deployed SOAP service, which is accessible only over HTTPS.

I have already imported my self-signed Tomcat certificate into the client-truststore of wso2esb and edited WSO2_ESB/repository/conf/axis2/axis2.xml in the transport out section this way:

<transportSender name="https" class="org.apache.synapse.transport.passthru.PassThroughHttpSSLSender">
    <parameter name="non-blocking" locked="false">true</parameter>
    <parameter name="keystore" locked="false">
        <KeyStore>
            <Location>repository/resources/security/wso2carbon.jks</Location>
            <Type>JKS</Type>
            <Password>wso2carbon</Password>
            <KeyPassword>wso2carbon</KeyPassword>
        </KeyStore>
    </parameter>
    <parameter name="truststore" locked="false">
        <TrustStore>
            <Location>repository/resources/security/client-truststore.jks</Location>
            <Type>JKS</Type>
            <Password>wso2carbon</Password>
        </TrustStore>
    </parameter>
    <parameter name="HostnameVerifier">AllowAll</parameter>
</transportSender>

Anyway, every time I try to set the address endpoint in my out sequence in wso2esb and test it, I receive this message: "Unable to validate SSL Certificate"

Also, when I create a custom proxy, if I try to specify the source URI for the publishing WSDL by giving the address of the WSDL and test it, I get the message "Invalid WSDL URI (Unable to establish a connection)"

I don't know what else to do. Please help me to solve this problem. Thank you very much.

EDIT: Now I have another problem: I wrote the proxy, and if I try it with a policy set in WSO2IS that is based only on the username, it works fine.

<?xml version="1.0" encoding="UTF-8"?>
<proxy xmlns="http://ws.apache.org/ns/synapse"
   name="Prova1"
   transports="https"
   statistics="disable"
   trace="disable"
   startOnLoad="true">
<target>
  <inSequence>
     <entitlementService remoteServiceUrl="https://localhost:9443/services/"
                         remoteServiceUserName="admin"
             remoteServicePassword="enc:kuv2MubUUveMyv6GeHrXr9il59ajJIqUI4eoYHcgGKf/BBFOWn96NTjJQI+wYbWjKW6r79S7L7ZzgYeWx7DlGbff5X3pBN2Gh9yV0BHP1E93QtFqR7uTWi141Tr7V7ZwScwNqJbiNoV+vyLbsqKJE7T3nP8Ih9Y6omygbcLcHzg="
                         callbackClass="org.wso2.carbon.identity.entitlement.mediator.callback.UTEntitlementCallbackHandler"
                         client="basicAuth">
        <onReject>
           <makefault version="soap11">
              <code xmlns:soap11Env="http://schemas.xmlsoap.org/soap/envelope/"
                    value="soap11Env:VersionMismatch"/>
              <reason value="you're not authorized"/>
              <role/>
           </makefault>
        </onReject>
        <onAccept>
           <send>
              <endpoint>
                 <address uri="https://localhost:8443/Calculator/services/Calcolatrice"/>
              </endpoint>
           </send>
        </onAccept>
        <obligations/>
        <advice/>
     </entitlementService>
  </inSequence>
  <outSequence>
     <send/>
  </outSequence>
  <faultSequence>
     <send/>
  </faultSequence>
</target>
<publishWSDL uri="http://localhost:8080/Calculator/services/Calcolatrice?wsdl"/>
<parameter name="ScenarioID">scenario1</parameter>
<enableSec/>
<policy key="conf:/repository/axis2/service-groups/Prova1/services/Prova1/policies/UTOverTransport"/>
<description/>
</proxy>

Now I'm struggling with the WSO2 IS as a PDP. Let me explain better: if I set a policy with a rule based only on the username or a role, it works fine when I try the proxy. As soon as I set a policy based on the Resource Names, it simply doesn't work, and if I try the proxy it gives me the error "AxisFault: The input stream for an incoming message is null". I don't know if the problem is the resource I specify (I tried both the proxy endpoint and the Tomcat-deployed service endpoint, but neither works) or the fact that the entitlement mediator doesn't send the resource name to the WSO2 IS. If anybody can help me it would be very useful.

EDIT 2: This is the message after having enabled debug: (screenshot not available)

So I've entered the resource name as the one indicated in the debug console:

/services/Prova1.Prova1HttpsSoap12Endpoint/prodotto

and now it works (I didn't know I had to use this syntax) and the decision is Permit. But I still get the "AxisFault: The input stream for an incoming message is null" when (I suppose) the decision should be Deny. From what I see in the debug console, the decision in this case is NotApplicable instead of Deny. I still don't understand why. I suppose there is something wrong with the XACML policy. Here it is:

<Policy xmlns="urn:oasis:names:tc:xacml:3.0:core:schema:wd-17" PolicyId="prova5" RuleCombiningAlgId="urn:oasis:names:tc:xacml:1.0:rule-combining-algorithm:first-applicable" Version="1.0">
    <Target>
        <AnyOf>
            <AllOf>
                <Match MatchId="urn:oasis:names:tc:xacml:1.0:function:string-equal">
                    <AttributeValue DataType="http://www.w3.org/2001/XMLSchema#string">/services/Prova1.Prova1HttpsSoap12Endpoint/prodotto</AttributeValue>
                    <AttributeDesignator AttributeId="urn:oasis:names:tc:xacml:1.0:resource:resource-id" Category="urn:oasis:names:tc:xacml:3.0:attribute-category:resource" DataType="http://www.w3.org/2001/XMLSchema#string" MustBePresent="true"/>
                </Match>
            </AllOf>
        </AnyOf>
    </Target>
    <Rule Effect="Permit" RuleId="regola5">
        <Condition>
            <Apply FunctionId="urn:oasis:names:tc:xacml:1.0:function:string-is-in">
                <AttributeValue DataType="http://www.w3.org/2001/XMLSchema#string">NormalUser</AttributeValue>
                <AttributeDesignator AttributeId="http://wso2.org/claims/role" Category="urn:oasis:names:tc:xacml:1.0:subject-category:access-subject" DataType="http://www.w3.org/2001/XMLSchema#string" MustBePresent="true"/>
            </Apply>
        </Condition>
    </Rule>
</Policy>

EDIT 2.1

Looking at this, I've changed the RuleCombiningAlg from "First Applicable" to "Deny unless Permit", and now from the debug console the decision is finally "Deny", but I still get the "AxisFault: The input stream for an incoming message is null" error when I use "TryIt" in wso2esb. I would like instead to receive an error message from the proxy. This is what I get:

(screenshot not available)

Upvotes: 1

Views: 2553
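The behaviour observed in EDIT 2 and EDIT 2.1 (NotApplicable under first-applicable, Deny under deny-unless-permit) follows from how XACML 3.0 combines rule results. The following is an added example, not WSO2 or the poster's code: a small model of the two combining algorithms applied to the prova5 policy, with the request attributes ("resource-id", "roles") assumed and constructed here.

```python
"""Mini model of XACML 3.0 policy/rule combining for the prova5 policy (added example)."""
from dataclasses import dataclass
from typing import Callable, Dict, List

PERMIT, DENY, NOT_APPLICABLE = "Permit", "Deny", "NotApplicable"


@dataclass
class Rule:
    effect: str                           # "Permit" or "Deny"
    condition: Callable[[Dict], bool]     # <Condition>: request -> bool


@dataclass
class Policy:
    target_resource: str                  # resource-id the <Target> string-equal matches
    rules: List[Rule]
    combining: str                        # "first-applicable" or "deny-unless-permit"


def evaluate_rule(rule: Rule, request: Dict) -> str:
    # A rule whose Condition is false evaluates to NotApplicable, not to the opposite effect.
    return rule.effect if rule.condition(request) else NOT_APPLICABLE


def evaluate_policy(policy: Policy, request: Dict) -> str:
    # A non-matching <Target> short-circuits to NotApplicable before any rule or
    # combining algorithm runs, whichever RuleCombiningAlgId is configured.
    if request.get("resource-id") != policy.target_resource:
        return NOT_APPLICABLE
    decisions = [evaluate_rule(r, request) for r in policy.rules]
    if policy.combining == "first-applicable":
        # First rule that is not NotApplicable wins; if none applies, NotApplicable.
        return next((d for d in decisions if d != NOT_APPLICABLE), NOT_APPLICABLE)
    if policy.combining == "deny-unless-permit":
        # Anything other than an explicit Permit becomes Deny.
        return PERMIT if PERMIT in decisions else DENY
    raise ValueError(f"unsupported combining algorithm: {policy.combining}")


RESOURCE = "/services/Prova1.Prova1HttpsSoap12Endpoint/prodotto"
# regola5: Permit when "NormalUser" is in the subject's role claim (string-is-in).
regola5 = Rule(PERMIT, lambda req: "NormalUser" in req.get("roles", []))


def decide(combining: str, resource: str, roles: List[str]) -> str:
    """Evaluate the prova5 policy with the given combining algorithm against a constructed request."""
    policy = Policy(RESOURCE, [regola5], combining)
    return evaluate_policy(policy, {"resource-id": resource, "roles": roles})


if __name__ == "__main__":
    for alg in ("first-applicable", "deny-unless-permit"):
        for roles in (["NormalUser"], ["Guest"]):
            print(alg, roles, decide(alg, RESOURCE, roles))
        print(alg, "other resource", decide(alg, "/services/Other", ["Guest"]))
```

Note that deny-unless-permit only turns a failed rule into Deny when the Target matches; a request for a resource-id the Target does not list is still NotApplicable.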

Answers (1)

Asela

Reputation: 5821

I think you do not need to worry about testing the address endpoint. The Endpoint/WSDL URL testing feature is not working in ESB according to the JIRA. It is a known limitation of the ESB endpoint UI that it does not use the SSL configuration defined in axis2.xml to validate SSL certificates. Therefore it gives "Unable to validate SSL Certificate". However, as you have configured everything fine in axis2.xml, service invocation must work fine. So, please skip the "Test" part when creating the proxy service.

Upvotes: 1
