<html>
<head>
<meta content="text/html; charset=windows-1252"
http-equiv="Content-Type">
</head>
<body bgcolor="#FFFFFF" text="#000000">
<div class="moz-cite-prefix">The keycloak tries to send POST request
to the endpoint specified as "token URL" in the configuration. In
case of github provider, token URL is set to <span
style="color:#008000;font-weight:bold;"><a class="moz-txt-link-freetext" href="https://github.com/login/oauth/access_token">https://github.com/login/oauth/access_token</a>
.<br>
<br>
</span>
<meta http-equiv="content-type" content="text/html;
charset=windows-1252">
TBH I don't know how exactly this works if you are behind proxy.
However SimpleHttp class is using standard
java.net.HttpURLConnection to send backchannel request and it
seems that this is able to read system properties "http.proxyHost"
and "http.proxyPort" as Niels pointed. I assume that system
properties are working based on the
<a class="moz-txt-link-freetext" href="http://stackoverflow.com/questions/1432961/how-do-i-make-httpurlconnection-use-a-proxy">http://stackoverflow.com/questions/1432961/how-do-i-make-httpurlconnection-use-a-proxy</a>
(see post from Sean Owen).<br>
<br>
Marek<br>
<br>
On 08/06/16 00:04, LI Ming wrote:<br>
</div>
<blockquote
cite="mid:81FBAB8F05BC6F418853660D9326281E1F142B87@cnshjmbx03"
type="cite">
<meta http-equiv="Content-Type" content="text/html;
charset=windows-1252">
<meta name="Generator" content="Microsoft Word 14 (filtered
medium)">
<style><!--
/* Font Definitions */
@font-face
{font-family:SimSun;
panose-1:2 1 6 0 3 1 1 1 1 1;}
@font-face
{font-family:SimSun;
panose-1:2 1 6 0 3 1 1 1 1 1;}
@font-face
{font-family:Calibri;
panose-1:2 15 5 2 2 2 4 3 2 4;}
@font-face
{font-family:Tahoma;
panose-1:2 11 6 4 3 5 4 4 2 4;}
@font-face
{font-family:"Times New Roman \, serif ";}
@font-face
{font-family:SimSun;
panose-1:2 1 6 0 3 1 1 1 1 1;}
/* Style Definitions */
p.MsoNormal, li.MsoNormal, div.MsoNormal
{margin:0cm;
margin-bottom:.0001pt;
text-align:justify;
text-justify:inter-ideograph;
font-size:10.5pt;
font-family:"Calibri","sans-serif";
color:black;}
a:link, span.MsoHyperlink
{mso-style-priority:99;
color:blue;
text-decoration:underline;}
a:visited, span.MsoHyperlinkFollowed
{mso-style-priority:99;
color:purple;
text-decoration:underline;}
pre
{mso-style-priority:99;
mso-style-link:"HTML Preformatted Char";
margin:0cm;
margin-bottom:.0001pt;
font-size:10.0pt;
font-family:"Courier New";
color:black;}
p.MsoAcetate, li.MsoAcetate, div.MsoAcetate
{mso-style-priority:99;
mso-style-link:"Balloon Text Char";
margin:0cm;
margin-bottom:.0001pt;
text-align:justify;
text-justify:inter-ideograph;
font-size:8.0pt;
font-family:"Calibri","sans-serif";
color:black;}
span.HTMLPreformattedChar
{mso-style-name:"HTML Preformatted Char";
mso-style-priority:99;
mso-style-link:"HTML Preformatted";
font-family:"Courier New";
color:black;}
span.BalloonTextChar
{mso-style-name:"Balloon Text Char";
mso-style-priority:99;
mso-style-link:"Balloon Text";
font-family:"Calibri","sans-serif";
color:black;}
span.EmailStyle21
{mso-style-type:personal;
font-family:"Calibri","sans-serif";
color:windowtext;}
span.EmailStyle22
{mso-style-type:personal;
font-family:"Calibri","sans-serif";
color:#1F497D;}
span.EmailStyle23
{mso-style-type:personal;
font-family:"Calibri","sans-serif";
color:#1F497D;}
span.EmailStyle24
{mso-style-type:personal-reply;
font-family:"Calibri","sans-serif";
color:#1F497D;}
.MsoChpDefault
{mso-style-type:export-only;
font-size:10.0pt;}
@page WordSection1
{size:612.0pt 792.0pt;
margin:72.0pt 90.0pt 72.0pt 90.0pt;}
div.WordSection1
{page:WordSection1;}
--></style><!--[if gte mso 9]><xml>
<o:shapedefaults v:ext="edit" spidmax="1026" />
</xml><![endif]--><!--[if gte mso 9]><xml>
<o:shapelayout v:ext="edit">
<o:idmap v:ext="edit" data="1" />
</o:shapelayout></xml><![endif]-->
<div class="WordSection1">
<p class="MsoNormal"><span style="color:#1F497D" lang="EN-US">Marek,<o:p></o:p></span></p>
<p class="MsoNormal"><span style="color:#1F497D" lang="EN-US"><o:p> </o:p></span></p>
<p class="MsoNormal" style="text-indent:9.6pt"><span
style="color:#1F497D" lang="EN-US">Do you have idea on the
failure reason ?<o:p></o:p></span></p>
<p class="MsoNormal" style="text-indent:9.6pt"><span
style="color:#1F497D" lang="EN-US">From the call stack,
Keycloak hung at the following function:<o:p></o:p></span></p>
<p class="MsoNormal" style="text-indent:26.25pt"><span
style="color:#1F497D" lang="EN-US">org.keycloak.broker.oidc.AbstractOAuth2IdentityProvider$Endpoint.authResponse(AbstractOAuth2IdentityProvider.java:228<o:p></o:p></span></p>
<p class="MsoNormal"><span style="color:#1F497D" lang="EN-US">
In the source code, Keycloak tried to send Post request to
the below Url:<o:p></o:p></span></p>
<p class="MsoNormal"><span style="color:#1F497D" lang="EN-US">
tokenUrl:
<a moz-do-not-send="true"
href="https://135.1.34.23:8443/auth/realms/demo/protocol/openid-connect/token">https://135.1.34.23:8443/auth/realms/demo/protocol/openid-connect/token</a><o:p></o:p></span></p>
<p class="MsoNormal" style="text-indent:9.6pt"><span
style="color:#1F497D" lang="EN-US">It is local token
authentication service, why reporting “Connection timed
out”?<o:p></o:p></span></p>
<p class="MsoNormal" style="text-indent:9.6pt"><span
style="color:#1F497D" lang="EN-US"><o:p> </o:p></span></p>
<p class="MsoNormal"><span style="color:#1F497D" lang="EN-US">Ming
Li<o:p></o:p></span></p>
<div>
<div style="border:none;border-top:solid #B5C4DF
1.0pt;padding:3.0pt 0cm 0cm 0cm">
<p class="MsoNormal" style="text-align:left" align="left"><b><span
style="font-size:10.0pt;font-family:"Tahoma","sans-serif";color:windowtext"
lang="EN-US">From:</span></b><span
style="font-size:10.0pt;font-family:"Tahoma","sans-serif";color:windowtext"
lang="EN-US"> <a class="moz-txt-link-abbreviated" href="mailto:keycloak-user-bounces@lists.jboss.org">keycloak-user-bounces@lists.jboss.org</a>
[<a class="moz-txt-link-freetext" href="mailto:keycloak-user-bounces@lists.jboss.org">mailto:keycloak-user-bounces@lists.jboss.org</a>]
<b>On Behalf Of </b>LI Ming<br>
<b>Sent:</b> Tuesday, June 07, 2016 4:42 PM<br>
<b>To:</b> Marek Posolda; <a class="moz-txt-link-abbreviated" href="mailto:keycloak-user@lists.jboss.org">keycloak-user@lists.jboss.org</a><br>
<b>Subject:</b> Re: [keycloak-user] When using Social
Identity Provider, it failed with failure "Connection
timed out"<o:p></o:p></span></p>
</div>
</div>
<p class="MsoNormal" style="text-align:left" align="left"><span
lang="EN-US"><o:p> </o:p></span></p>
<p class="MsoNormal"><span style="color:#1F497D" lang="EN-US">No,
github is not working.<o:p></o:p></span></p>
<p class="MsoNormal"><span style="color:#1F497D" lang="EN-US">BTW,
my server needs set http_proxy/https_proxy to access
github.com.<o:p></o:p></span></p>
<p class="MsoNormal"><span style="color:#1F497D" lang="EN-US"><o:p> </o:p></span></p>
<p class="MsoNormal"><span style="color:#1F497D" lang="EN-US">wget
--secure-protocol=TLSv1 github.com<o:p></o:p></span></p>
<p class="MsoNormal"><span style="color:#1F497D" lang="EN-US"><o:p> </o:p></span></p>
<p class="MsoNormal"><span style="color:#1F497D" lang="EN-US">--2016-06-07
03:39:02--
<a moz-do-not-send="true" href="http://github.com/">http://github.com/</a><o:p></o:p></span></p>
<p class="MsoNormal"><span style="color:#1F497D" lang="EN-US">Resolving
global.proxy.alcatel-lucent.com
(global.proxy.alcatel-lucent.com)... 135.245.48.33<o:p></o:p></span></p>
<p class="MsoNormal"><span style="color:#1F497D" lang="EN-US">Connecting
to global.proxy.alcatel-lucent.com
(global.proxy.alcatel-lucent.com)|135.245.48.33|:8000...
connected.<o:p></o:p></span></p>
<p class="MsoNormal"><span style="color:#1F497D" lang="EN-US">Proxy
request sent, awaiting response... 301 Moved Permanently<o:p></o:p></span></p>
<p class="MsoNormal"><span style="color:#1F497D" lang="EN-US">Location:
<a moz-do-not-send="true" href="https://github.com/">
https://github.com/</a> [following]<o:p></o:p></span></p>
<p class="MsoNormal"><span style="color:#1F497D" lang="EN-US">--2016-06-07
03:39:03--
<a moz-do-not-send="true" href="https://github.com/">https://github.com/</a><o:p></o:p></span></p>
<p class="MsoNormal"><span style="color:#1F497D" lang="EN-US">Connecting
to global.proxy.alcatel-lucent.com
(global.proxy.alcatel-lucent.com)|135.245.48.33|:8000...
connected.<o:p></o:p></span></p>
<p class="MsoNormal"><span style="color:#1F497D" lang="EN-US">Proxy
request sent, awaiting response... 200 OK<o:p></o:p></span></p>
<p class="MsoNormal"><span style="color:#1F497D" lang="EN-US">Length:
unspecified [text/html]<o:p></o:p></span></p>
<p class="MsoNormal"><span style="color:#1F497D" lang="EN-US">Saving
to: 'index.html'<o:p></o:p></span></p>
<p class="MsoNormal"><span style="color:#1F497D" lang="EN-US"><o:p> </o:p></span></p>
<p class="MsoNormal"><span style="color:#1F497D" lang="EN-US">
[
<=>
] 25,508 --.-K/s in 0.03s
<o:p></o:p></span></p>
<p class="MsoNormal"><span style="color:#1F497D" lang="EN-US"><o:p> </o:p></span></p>
<p class="MsoNormal"><span style="color:#1F497D" lang="EN-US">2016-06-07
03:39:03 (870 KB/s) - 'index.html' saved [25508]<o:p></o:p></span></p>
<p class="MsoNormal"><span style="color:#1F497D" lang="EN-US"><o:p> </o:p></span></p>
<p class="MsoNormal"><span style="color:#1F497D" lang="EN-US">Github.com
can be accessible via http proxy. I do not know why keycloak
will complain the certificate.<o:p></o:p></span></p>
<p class="MsoNormal"><span style="color:#1F497D" lang="EN-US"><o:p> </o:p></span></p>
<div>
<div style="border:none;border-top:solid #B5C4DF
1.0pt;padding:3.0pt 0cm 0cm 0cm">
<p class="MsoNormal" style="text-align:left" align="left"><b><span
style="font-size:10.0pt;font-family:"Tahoma","sans-serif";color:windowtext"
lang="EN-US">From:</span></b><span
style="font-size:10.0pt;font-family:"Tahoma","sans-serif";color:windowtext"
lang="EN-US"> Marek Posolda [<a moz-do-not-send="true"
href="mailto:mposolda@redhat.com">mailto:mposolda@redhat.com</a>]
<br>
<b>Sent:</b> Tuesday, June 07, 2016 4:07 PM<br>
<b>To:</b> LI Ming; <a moz-do-not-send="true"
href="mailto:keycloak-user@lists.jboss.org">keycloak-user@lists.jboss.org</a><br>
<b>Subject:</b> Re: [keycloak-user] When using Social
Identity Provider, it failed with failure "Connection
timed out"<o:p></o:p></span></p>
</div>
</div>
<p class="MsoNormal" style="text-align:left" align="left"><span
lang="EN-US"><o:p> </o:p></span></p>
<div>
<p class="MsoNormal"><span lang="EN-US">Hmm... is github
working for you if you omit the "truststore" configuration
in keycloak-server.json and use the default java cacerts
file without any changes?<br>
<br>
Marek<br>
<br>
On 07/06/16 09:38, LI Ming wrote:<o:p></o:p></span></p>
</div>
<blockquote style="margin-top:5.0pt;margin-bottom:5.0pt">
<p class="MsoNormal"><span style="color:#1F497D" lang="EN-US">Marek,</span><span
lang="EN-US"><o:p></o:p></span></p>
<p class="MsoNormal"><span style="color:#1F497D" lang="EN-US"> </span><span
lang="EN-US"><o:p></o:p></span></p>
<p class="MsoNormal" style="text-indent:9.6pt"><span
style="color:#1F497D" lang="EN-US">I already set
truststore file to the default java certificates file path
in keycloak configuration file
$KEYCLOAK_HOME/standalone/configuration/keycloak-server.json
as below:</span><span lang="EN-US"><o:p></o:p></span></p>
<p class="MsoNormal" style="text-indent:9.6pt"><span
style="color:#1F497D" lang="EN-US"> "truststore": {</span><span
lang="EN-US"><o:p></o:p></span></p>
<p class="MsoNormal" style="text-indent:9.6pt"><span
style="color:#1F497D" lang="EN-US"> "file": {</span><span
lang="EN-US"><o:p></o:p></span></p>
<p class="MsoNormal" style="text-indent:9.6pt"><span
style="color:#1F497D" lang="EN-US"> "file":
"/usr/java/jre/lib/security/cacerts",</span><span
lang="EN-US"><o:p></o:p></span></p>
<p class="MsoNormal" style="text-indent:9.6pt"><span
style="color:#1F497D" lang="EN-US"> "password":
"changeit",</span><span lang="EN-US"><o:p></o:p></span></p>
<p class="MsoNormal" style="text-indent:9.6pt"><span
style="color:#1F497D" lang="EN-US">
"hostname-verification-policy": "ANY",</span><span
lang="EN-US"><o:p></o:p></span></p>
<p class="MsoNormal" style="text-indent:9.6pt"><span
style="color:#1F497D" lang="EN-US"> "disabled":
false</span><span lang="EN-US"><o:p></o:p></span></p>
<p class="MsoNormal" style="text-indent:9.6pt"><span
style="color:#1F497D" lang="EN-US"> }</span><span
lang="EN-US"><o:p></o:p></span></p>
<p class="MsoNormal" style="text-indent:9.6pt"><span
style="color:#1F497D" lang="EN-US"> }</span><span
lang="EN-US"><o:p></o:p></span></p>
<p class="MsoNormal"><span style="color:#1F497D" lang="EN-US">
And I put my customer certificate file in it also.</span><span
lang="EN-US"><o:p></o:p></span></p>
<p class="MsoNormal"><span style="color:#1F497D" lang="EN-US"> </span><span
lang="EN-US"><o:p></o:p></span></p>
<p class="MsoNormal"><span style="color:#1F497D" lang="EN-US">Ming
Li</span><span lang="EN-US"><o:p></o:p></span></p>
<div>
<div style="border:none;border-top:solid #B5C4DF
1.0pt;padding:3.0pt 0cm 0cm 0cm">
<p class="MsoNormal" style="text-align:left" align="left"><b><span
style="font-size:10.0pt;font-family:"Tahoma","sans-serif";color:windowtext"
lang="EN-US">From:</span></b><span
style="font-size:10.0pt;font-family:"Tahoma","sans-serif";color:windowtext"
lang="EN-US"> Marek Posolda [<a moz-do-not-send="true"
href="mailto:mposolda@redhat.com">mailto:mposolda@redhat.com</a>]
<br>
<b>Sent:</b> Tuesday, June 07, 2016 3:17 PM<br>
<b>To:</b> LI Ming; <a moz-do-not-send="true"
href="mailto:keycloak-user@lists.jboss.org">keycloak-user@lists.jboss.org</a><br>
<b>Subject:</b> Re: [keycloak-user] When using Social
Identity Provider, it failed with failure "Connection
timed out"</span><span lang="EN-US"><o:p></o:p></span></p>
</div>
</div>
<p class="MsoNormal" style="text-align:left" align="left"><span
lang="EN-US"> <o:p></o:p></span></p>
<div>
<p class="MsoNormal"><span lang="EN-US">It seems that's
because Keycloak is not able to send backchannel request
to github due to github certificate not trusted.
<br>
<br>
Are you using custom truststore set with truststore SPI
or with "javax.net.ssl.truststore" system property? I
think that by default github SSL certificate is verified
by well-known CA, so it shouldn't be the issue to
connect to that if you use default Java file with
certificates (cacerts). However if you have custom
trustore set, then default java cacerts file is possibly
not used, so well-known certificates like the one from
github are not trusted. We should likely have a
solution, which will allow to set custom truststore in
addition to default java cacerts file. But until we have
it, you probably need to manually create truststore
file, where you import both the "well-known"
certificates together with your custom certificates.<br>
<br>
Marek<br>
<br>
On 07/06/16 08:02, LI Ming wrote:<o:p></o:p></span></p>
</div>
<blockquote style="margin-top:5.0pt;margin-bottom:5.0pt">
<p class="MsoNormal"><span lang="EN-US">Hi,<o:p></o:p></span></p>
<p class="MsoNormal"><span lang="EN-US"> <o:p></o:p></span></p>
<p class="MsoNormal"><span lang="EN-US"> When I setup
social identity provider (GitHub) to authenticate the
user, it always failed with the below error:<o:p></o:p></span></p>
<p class="MsoNormal"><span lang="EN-US"> <o:p></o:p></span></p>
<p class="MsoNormal"><span lang="EN-US">2016-06-07
00:49:05,349 ERROR
[org.keycloak.broker.oidc.AbstractOAuth2IdentityProvider]
(default task-9) Failed to make identity provider oauth
callback: java.net.ConnectException: Connection timed
out<o:p></o:p></span></p>
<p class="MsoNormal"><span lang="EN-US"> at
java.net.PlainSocketImpl.socketConnect(Native Method)<o:p></o:p></span></p>
<p class="MsoNormal"><span lang="EN-US"> at
java.net.AbstractPlainSocketImpl.doConnect(AbstractPlainSocketImpl.java:350)<o:p></o:p></span></p>
<p class="MsoNormal"><span lang="EN-US"> at
java.net.AbstractPlainSocketImpl.connectToAddress(AbstractPlainSocketImpl.java:206)<o:p></o:p></span></p>
<p class="MsoNormal"><span lang="EN-US"> at
java.net.AbstractPlainSocketImpl.connect(AbstractPlainSocketImpl.java:188)<o:p></o:p></span></p>
<p class="MsoNormal"><span lang="EN-US"> at
java.net.SocksSocketImpl.connect(SocksSocketImpl.java:392)<o:p></o:p></span></p>
<p class="MsoNormal"><span lang="EN-US"> at
java.net.Socket.connect(Socket.java:589)<o:p></o:p></span></p>
<p class="MsoNormal"><span lang="EN-US"> at
sun.security.ssl.SSLSocketImpl.connect(SSLSocketImpl.java:668)<o:p></o:p></span></p>
<p class="MsoNormal"><span lang="EN-US"> at
sun.security.ssl.BaseSSLSocketImpl.connect(BaseSSLSocketImpl.java:173)<o:p></o:p></span></p>
<p class="MsoNormal"><span lang="EN-US"> at
sun.net.NetworkClient.doConnect(NetworkClient.java:180)<o:p></o:p></span></p>
<p class="MsoNormal"><span lang="EN-US"> at
sun.net.www.http.HttpClient.openServer(HttpClient.java:432)<o:p></o:p></span></p>
<p class="MsoNormal"><span lang="EN-US"> at
sun.net.www.http.HttpClient.openServer(HttpClient.java:527)<o:p></o:p></span></p>
<p class="MsoNormal"><span lang="EN-US"> at
sun.net.www.protocol.https.HttpsClient.<init>(HttpsClient.java:264)<o:p></o:p></span></p>
<p class="MsoNormal"><span lang="EN-US"> at
sun.net.www.protocol.https.HttpsClient.New(HttpsClient.java:367)<o:p></o:p></span></p>
<p class="MsoNormal"><span lang="EN-US"> at
sun.net.www.protocol.https.AbstractDelegateHttpsURLConnection.getNewHttpClient(AbstractDelegateHttpsURLConnection.java:191)<o:p></o:p></span></p>
<p class="MsoNormal"><span lang="EN-US"> at
sun.net.www.protocol.http.HttpURLConnection.plainConnect0(HttpURLConnection.java:1105)<o:p></o:p></span></p>
<p class="MsoNormal"><span lang="EN-US"> at
sun.net.www.protocol.http.HttpURLConnection.plainConnect(HttpURLConnection.java:999)<o:p></o:p></span></p>
<p class="MsoNormal"><span lang="EN-US"> at
sun.net.www.protocol.https.AbstractDelegateHttpsURLConnection.connect(AbstractDelegateHttpsURLConnection.java:177)<o:p></o:p></span></p>
<p class="MsoNormal"><span lang="EN-US"> at
sun.net.www.protocol.http.HttpURLConnection.getOutputStream0(HttpURLConnection.java:1283)<o:p></o:p></span></p>
<p class="MsoNormal"><span lang="EN-US"> at
sun.net.www.protocol.http.HttpURLConnection.getOutputStream(HttpURLConnection.java:1258)<o:p></o:p></span></p>
<p class="MsoNormal"><span lang="EN-US"> at
sun.net.www.protocol.https.HttpsURLConnectionImpl.getOutputStream(HttpsURLConnectionImpl.java:250)<o:p></o:p></span></p>
<p class="MsoNormal"><span lang="EN-US"> at
org.keycloak.broker.provider.util.SimpleHttp.asString(SimpleHttp.java:141)<o:p></o:p></span></p>
<p class="MsoNormal"><span lang="EN-US"> at
org.keycloak.broker.oidc.AbstractOAuth2IdentityProvider$Endpoint.authResponse(AbstractOAuth2IdentityProvider.java:228)<o:p></o:p></span></p>
<p class="MsoNormal"><span lang="EN-US"> at
sun.reflect.NativeMethodAccessorImpl.invoke0(Native
Method)<o:p></o:p></span></p>
<p class="MsoNormal"><span lang="EN-US"> …<o:p></o:p></span></p>
<p class="MsoNormal"><span lang="EN-US">2016-06-07
00:49:05,355 WARN [org.keycloak.events] (default
task-9) type=LOGIN_ERROR, realmId=demo, clientId=null,
userId=null, ipAddress=135.252.159.35,
error=identity_provider_login_failure<o:p></o:p></span></p>
<p class="MsoNormal"><span lang="EN-US"> <o:p></o:p></span></p>
<p class="MsoNormal"><span lang="EN-US"> Can you help to
identity the failure reason?<o:p></o:p></span></p>
<p class="MsoNormal"><span lang="EN-US"> <o:p></o:p></span></p>
<p class="MsoNormal"><span lang="EN-US"> Thanks,<o:p></o:p></span></p>
<p class="MsoNormal"><span lang="EN-US"> <o:p></o:p></span></p>
<p class="MsoNormal"><span lang="EN-US">Ming Li<o:p></o:p></span></p>
<p class="MsoNormal"
style="margin-bottom:12.0pt;text-align:left" align="left"><span
style="font-size:12.0pt;font-family:"Times New
Roman \, serif "" lang="EN-US"><br>
<br>
<br>
</span><span lang="EN-US"><o:p></o:p></span></p>
<pre><span lang="EN-US">_______________________________________________<o:p></o:p></span></pre>
<pre><span lang="EN-US">keycloak-user mailing list<o:p></o:p></span></pre>
<pre><span lang="EN-US"><a moz-do-not-send="true" href="mailto:keycloak-user@lists.jboss.org">keycloak-user@lists.jboss.org</a><o:p></o:p></span></pre>
<pre><span lang="EN-US"><a moz-do-not-send="true" href="https://lists.jboss.org/mailman/listinfo/keycloak-user">https://lists.jboss.org/mailman/listinfo/keycloak-user</a><o:p></o:p></span></pre>
</blockquote>
<p class="MsoNormal" style="text-align:left" align="left"><span
style="font-size:12.0pt;font-family:"Times New Roman
\, serif "" lang="EN-US"> </span><span lang="EN-US"><o:p></o:p></span></p>
</blockquote>
<p class="MsoNormal" style="text-align:left" align="left"><span
style="font-size:12.0pt;font-family:"Times New
Roman","serif"" lang="EN-US"><o:p> </o:p></span></p>
</div>
</blockquote>
<br>
</body>
</html>