10:16 a.m.
Hello,
I have been following the information in the blog post:
http://www.apiman.io/blog/gateway/security/mutual-auth/ssl/mtls/1.2.x/201...
but has a tough time. I had a simple Java test program that worked against the Api with
setting the has a trust store etc. using system properties:
System.setProperty("javax.net.ssl.trustStore",
System.getProperty("truststore.path"));
System.setProperty("javax.net.ssl.trustStorePassword",
System.getProperty("keystore.password"));
System.setProperty("javax.net.ssl.keyStore",
System.getProperty("keystore.path"));
System.setProperty("javax.net.ssl.keyStorePassword",
System.getProperty("keystore.password"));
System.setProperty("javax.net.ssl.keyStoreType",
System.getProperty("keystore.type"));
However, when I try to do the same , but using APIMan (and setting the properties in the
apiman.properties file) to gateway the API it fails as below. I tried setting the
-Djavax.net.debug.all (as suggested in the article) which gives a lot more in the logs
but all I could see that looked relevant: "Warning: no suitable certificate found -
continuing without client authentication" which made no sense since I have the
correct cert and it works with the test program.
I finally figured out the issue - the MTLS setup does not allow you to pass in the
keyStoreType and my keystore was PKCS12 and not JKS.
Couple of suggestions as a result:
* Add the ability to set the keyStoreType so we won't have to convert them
* Also the stacktrace gets truncated in the output (see below) and its very
difficult to diagnose what the problem is - something I think would have been minutes if I
could have seen the message about not being able to load the keystore took hours.
* Also I want to be able to automatically use different keystores based on the api
or logged-in user or url etc. My thought was to extend the HttpConnectorFactory and
override the TlsOptions. However the class has all the properties private with no
getters/setters and so it is difficult to do so that. This means I have to pretty much
make a copy of the class instead of just a custom extension . Would be good if the class
had public or at least protected getters/setters there so I could override the keystore
based on some rules..
Results when running against apiman but with a pkcs12 keystore:
Using the Advanced Rest Client app for Chrome. I see the following as a response
X-Gateway-Error: Not connected.
500 Internal Server Error
And the response looks as follows. Note that the message is generic "Not
connected" and the stack trace is missing any information about why the connection
failed.
{
"responseCode": 500,
"message": "Not connected.",
"trace": "io.apiman.gateway.engine.beans.exceptions.ConnectorException:
Not connected.\n\tat
io.apiman.gateway.platforms.servlet.connectors.HttpApiConnection.write(HttpApiConnection.java:332)\n\tat
io.apiman.gateway.engine.impl.ApiRequestExecutorImpl.lambda$null$1(ApiRequestExecutorImpl.java:234)\n\tat
io.apiman.gateway.engine.io.AbstractStream.handleBody(AbstractStream.java:107)\n\tat
io.apiman.gateway.engine.policy.Chain.write(Chain.java:181)\n\tat
io.apiman.gateway.engine.impl.ApiRequestExecutorImpl$1.write(ApiRequestExecutorImpl.java:525)\n\tat
io.apiman.gateway.platforms.servlet.GatewayServlet$2.handle(GatewayServlet.java:169)\n\tat
io.apiman.gateway.platforms.servlet.GatewayServlet$2.handle(GatewayServlet.java:161)\n\tat
io.apiman.gateway.engine.impl.ApiRequestExecutorImpl.handleStream(ApiRequestExecutorImpl.java:517)\n\tat
io.apiman.gateway.engine.impl.ApiRequestExecutorImpl.lambda$null$3(ApiRequestExecutorImpl.java:243)\n\tat
io.apiman.gateway.engine.policy.Chain.handleHead(Chain.java:211)\n\tat
io.apiman.gateway.engine.policy.Chain.doApply(Chain.java:150)\n\tat
io.apiman.gateway.engine.impl.ApiRequestExecutorImpl.lambda$execute$4(ApiRequestExecutorImpl.java:246)\n\tat
io.apiman.gateway.engine.impl.ApiRequestExecutorImpl.loadPolicies(ApiRequestExecutorImpl.java:419)\n\tat
io.apiman.gateway.engine.impl.ApiRequestExecutorImpl.lambda$execute$5(ApiRequestExecutorImpl.java:269)\n\tat
io.apiman.gateway.engine.impl.SecureRegistryWrapper$1.handle(SecureRegistryWrapper.java:123)\n\tat
io.apiman.gateway.engine.impl.SecureRegistryWrapper$1.handle(SecureRegistryWrapper.java:112)\n\tat
io.apiman.gateway.engine.es.CachingESRegistry.getApi(CachingESRegistry.java:115)\n\tat
io.apiman.gateway.engine.impl.SecureRegistryWrapper.getApi(SecureRegistryWrapper.java:112)\n\tat
io.apiman.gateway.engine.impl.ApiRequestExecutorImpl.execute(ApiRequestExecutorImpl.java:252)\n\tat
io.apiman.gateway.platforms.servlet.GatewayServlet.doAction(GatewayServlet.java:179)\n\tat
io.apiman.gateway.platforms.servlet.GatewayServlet.service(GatewayServlet.java:79)\n\tat
javax.servlet.http.HttpServlet.service(HttpServlet.java:790)\n\tat
io.undertow.servlet.handlers.ServletHandler.handleRequest(ServletHandler.java:85)\n\tat
io.undertow.servlet.handlers.security.ServletSecurityRoleHandler.handleRequest(ServletSecurityRoleHandler.java:62)\n\tat
io.undertow.servlet.handlers.ServletDispatchingHandler.handleRequest(ServletDispatchingHandler.java:36)\n\tat
org.wildfly.extension.undertow.security.SecurityContextAssociationHandler.handleRequest(SecurityContextAssociationHandler.java:78)\n\tat
io.undertow.server.handlers.PredicateHandler.handleRequest(PredicateHandler.java:43)\n\tat
io.undertow.servlet.handlers.security.SSLInformationAssociationHandler.handleRequest(SSLInformationAssociationHandler.java:131)\n\tat
io.undertow.servlet.handlers.security.ServletAuthenticationCallHandler.handleRequest(ServletAuthenticationCallHandler.java:57)\n\tat
io.undertow.server.handlers.PredicateHandler.handleRequest(PredicateHandler.java:43)\n\tat
io.undertow.security.handlers.AbstractConfidentialityHandler.handleRequest(AbstractConfidentialityHandler.java:46)\n\tat
io.undertow.servlet.handlers.security.ServletConfidentialityConstraintHandler.handleRequest(ServletConfidentialityConstraintHandler.java:64)\n\tat
io.undertow.security.handlers.AuthenticationMechanismsHandler.handleRequest(AuthenticationMechanismsHandler.java:60)\n\tat
io.undertow.servlet.handlers.security.CachedAuthenticatedSessionHandler.handleRequest(CachedAuthenticatedSessionHandler.java:77)\n\tat
io.undertow.security.handlers.NotificationReceiverHandler.handleRequest(NotificationReceiverHandler.java:50)\n\tat
io.undertow.security.handlers.AbstractSecurityContextAssociationHandler.handleRequest(AbstractSecurityContextAssociationHandler.java:43)\n\tat
io.undertow.server.handlers.PredicateHandler.handleRequest(PredicateHandler.java:43)\n\tat
org.wildfly.extension.undertow.security.jacc.JACCContextIdHandler.handleRequest(JACCContextIdHandler.java:61)\n\tat
io.undertow.server.handlers.PredicateHandler.handleRequest(PredicateHandler.java:43)\n\tat
io.undertow.server.handlers.PredicateHandler.handleRequest(PredicateHandler.java:43)\n\tat
io.undertow.servlet.handlers.ServletInitialHandler.handleFirstRequest(ServletInitialHandler.java:284)\n\tat
io.undertow.servlet.handlers.ServletInitialHandler.dispatchRequest(ServletInitialHandler.java:263)\n\tat
io.undertow.servlet.handlers.ServletInitialHandler.access$000(ServletInitialHandler.java:81)\n\tat
io.undertow.servlet.handlers.ServletInitialHandler$1.handleRequest(ServletInitialHandler.java:174)\n\tat
io.undertow.server.Connectors.executeRootHandler(Connectors.java:202)\n\tat
io.undertow.server.HttpServerExchange$1.run(HttpServerExchange.java:793)\n\tat
java.util.concurrent.ThreadPoolExecutor.runWorker(ThreadPoolExecutor.java:1142)\n\tat
java.util.concurrent.ThreadPoolExecutor$Worker.run(ThreadPoolExecutor.java:617)\n\tat
java.lang.Thread.run(Thread.java:745)\nCaused by: java.io.IOException: Not
connected.\n\tat
io.apiman.gateway.platforms.servlet.connectors.HttpApiConnection.write(HttpApiConnection.java:319)\n\t...
48 more\n"
}
Regards,
Amit Joshi
________________________________
This e-mail, including accompanying communications and attachments, is strictly
confidential and only for the intended recipient. Any retention, use or disclosure not
expressly authorised by Markit is prohibited. This email is subject to all waivers and
other terms at the following link:
http://www.markit.com/en/about/legal/email-disclaimer.page
Please visit http://www.markit.com/en/about/contact/contact-us.page for contact
information on our offices worldwide.
8:17 a.m.
Hi Amit,
I've just returned from a work trip abroad, but just to let you know I've
noticed this email and will address it in detail shortly.
We're always keen for high quality feedback, so thank you very much!
Regards,
Marc
On Tuesday, May 17, 2016, Amit Joshi <amit.joshi(a)markit.com> wrote:
Hello,
I have been following the information in the blog post:
http://www.apiman.io/blog/gateway/security/mutual-auth/ssl/mtls/1.2.x/201...
but has a tough time. I had a simple Java test program that worked against
the Api with setting the has a trust store etc. using system properties:
System.setProperty("javax.net.ssl.trustStore",
System.getProperty("truststore.path"));
System.setProperty("javax.net.ssl.trustStorePassword",
System.getProperty("keystore.password"));
System.setProperty("javax.net.ssl.keyStore",
System.getProperty("keystore.path"));
System.setProperty("javax.net.ssl.keyStorePassword",
System.getProperty("keystore.password"));
System.setProperty("javax.net.ssl.keyStoreType",
System.getProperty("keystore.type"));
However, when I try to do the same , but using APIMan (and setting the
properties in the apiman.properties file) to gateway the API it fails as
below. I tried setting the –Djavax.net.debug.all (as suggested in the
article) which gives a lot more in the logs but all I could see that looked
relevant: “Warning: no suitable certificate found - continuing without
client authentication” which made no sense since I have the correct cert
and it works with the test program.
I finally figured out the issue – the MTLS setup does not allow you to
pass in the keyStoreType and my keystore was PKCS12 and not JKS.
Couple of suggestions as a result:
· Add the ability to set the keyStoreType so we won’t have to
convert them
· Also the stacktrace gets truncated in the output (see below)
and its very difficult to diagnose what the problem is – something I think
would have been minutes if I could have seen the message about not being
able to load the keystore took hours.
· Also I want to be able to automatically use different keystores
based on the api or logged-in user or url etc. My thought was to extend the
HttpConnectorFactory and override the TlsOptions. However the class has all
the properties private with no getters/setters and so it is difficult to do
so that. This means I have to pretty much make a copy of the class instead
of just a custom extension . Would be good if the class had public or at
least protected getters/setters there so I could override the keystore
based on some rules..
Results when running against apiman but with a pkcs12 keystore:
Using the Advanced Rest Client app for Chrome. I see the following as a
response
X-Gateway-Error: Not connected.
500 Internal Server Error
And the response looks as follows. Note that the message is generic “Not
connected” and the stack trace is missing any information about why the
connection failed.
{
"responseCode": 500,
"message": "Not connected.",
"trace": "io.apiman.gateway.engine.beans.exceptions.ConnectorException:
Not connected.\n\tat
io.apiman.gateway.platforms.servlet.connectors.HttpApiConnection.write(HttpApiConnection.java:332)\n\tat
io.apiman.gateway.engine.impl.ApiRequestExecutorImpl.lambda$null$1(ApiRequestExecutorImpl.java:234)\n\tat
io.apiman.gateway.engine.io.AbstractStream.handleBody(AbstractStream.java:107)\n\tat
io.apiman.gateway.engine.policy.Chain.write(Chain.java:181)\n\tat
io.apiman.gateway.engine.impl.ApiRequestExecutorImpl$1.write(ApiRequestExecutorImpl.java:525)\n\tat
io.apiman.gateway.platforms.servlet.GatewayServlet$2.handle(GatewayServlet.java:169)\n\tat
io.apiman.gateway.platforms.servlet.GatewayServlet$2.handle(GatewayServlet.java:161)\n\tat
io.apiman.gateway.engine.impl.ApiRequestExecutorImpl.handleStream(ApiRequestExecutorImpl.java:517)\n\tat
io.apiman.gateway.engine.impl.ApiRequestExecutorImpl.lambda$null$3(ApiRequestExecutorImpl.java:243)\n\tat
io.apiman.gateway.engine.policy.Chain.handleHead(Chain.java:211)\n\tat
io.apiman.gateway.engine.policy.Chain.doApply(Chain.java:150)\n\tat
io.apiman.gateway.engine.impl.ApiRequestExecutorImpl.lambda$execute$4(ApiRequestExecutorImpl.java:246)\n\tat
io.apiman.gateway.engine.impl.ApiRequestExecutorImpl.loadPolicies(ApiRequestExecutorImpl.java:419)\n\tat
io.apiman.gateway.engine.impl.ApiRequestExecutorImpl.lambda$execute$5(ApiRequestExecutorImpl.java:269)\n\tat
io.apiman.gateway.engine.impl.SecureRegistryWrapper$1.handle(SecureRegistryWrapper.java:123)\n\tat
io.apiman.gateway.engine.impl.SecureRegistryWrapper$1.handle(SecureRegistryWrapper.java:112)\n\tat
io.apiman.gateway.engine.es.CachingESRegistry.getApi(CachingESRegistry.java:115)\n\tat
io.apiman.gateway.engine.impl.SecureRegistryWrapper.getApi(SecureRegistryWrapper.java:112)\n\tat
io.apiman.gateway.engine.impl.ApiRequestExecutorImpl.execute(ApiRequestExecutorImpl.java:252)\n\tat
io.apiman.gateway.platforms.servlet.GatewayServlet.doAction(GatewayServlet.java:179)\n\tat
io.apiman.gateway.platforms.servlet.GatewayServlet.service(GatewayServlet.java:79)\n\tat
javax.servlet.http.HttpServlet.service(HttpServlet.java:790)\n\tat
io.undertow.servlet.handlers.ServletHandler.handleRequest(ServletHandler.java:85)\n\tat
io.undertow.servlet.handlers.security.ServletSecurityRoleHandler.handleRequest(ServletSecurityRoleHandler.java:62)\n\tat
io.undertow.servlet.handlers.ServletDispatchingHandler.handleRequest(ServletDispatchingHandler.java:36)\n\tat
org.wildfly.extension.undertow.security.SecurityContextAssociationHandler.handleRequest(SecurityContextAssociationHandler.java:78)\n\tat
io.undertow.server.handlers.PredicateHandler.handleRequest(PredicateHandler.java:43)\n\tat
io.undertow.servlet.handlers.security.SSLInformationAssociationHandler.handleRequest(SSLInformationAssociationHandler.java:131)\n\tat
io.undertow.servlet.handlers.security.ServletAuthenticationCallHandler.handleRequest(ServletAuthenticationCallHandler.java:57)\n\tat
io.undertow.server.handlers.PredicateHandler.handleRequest(PredicateHandler.java:43)\n\tat
io.undertow.security.handlers.AbstractConfidentialityHandler.handleRequest(AbstractConfidentialityHandler.java:46)\n\tat
io.undertow.servlet.handlers.security.ServletConfidentialityConstraintHandler.handleRequest(ServletConfidentialityConstraintHandler.java:64)\n\tat
io.undertow.security.handlers.AuthenticationMechanismsHandler.handleRequest(AuthenticationMechanismsHandler.java:60)\n\tat
io.undertow.servlet.handlers.security.CachedAuthenticatedSessionHandler.handleRequest(CachedAuthenticatedSessionHandler.java:77)\n\tat
io.undertow.security.handlers.NotificationReceiverHandler.handleRequest(NotificationReceiverHandler.java:50)\n\tat
io.undertow.security.handlers.AbstractSecurityContextAssociationHandler.handleRequest(AbstractSecurityContextAssociationHandler.java:43)\n\tat
io.undertow.server.handlers.PredicateHandler.handleRequest(PredicateHandler.java:43)\n\tat
org.wildfly.extension.undertow.security.jacc.JACCContextIdHandler.handleRequest(JACCContextIdHandler.java:61)\n\tat
io.undertow.server.handlers.PredicateHandler.handleRequest(PredicateHandler.java:43)\n\tat
io.undertow.server.handlers.PredicateHandler.handleRequest(PredicateHandler.java:43)\n\tat
io.undertow.servlet.handlers.ServletInitialHandler.handleFirstRequest(ServletInitialHandler.java:284)\n\tat
io.undertow.servlet.handlers.ServletInitialHandler.dispatchRequest(ServletInitialHandler.java:263)\n\tat
io.undertow.servlet.handlers.ServletInitialHandler.access$000(ServletInitialHandler.java:81)\n\tat
io.undertow.servlet.handlers.ServletInitialHandler$1.handleRequest(ServletInitialHandler.java:174)\n\tat
io.undertow.server.Connectors.executeRootHandler(Connectors.java:202)\n\tat
io.undertow.server.HttpServerExchange$1.run(HttpServerExchange.java:793)\n\tat
java.util.concurrent.ThreadPoolExecutor.runWorker(ThreadPoolExecutor.java:1142)\n\tat
java.util.concurrent.ThreadPoolExecutor$Worker.run(ThreadPoolExecutor.java:617)\n\tat
java.lang.Thread.run(Thread.java:745)\nCaused by: java.io.IOException: Not
connected.\n\tat
io.apiman.gateway.platforms.servlet.connectors.HttpApiConnection.write(HttpApiConnection.java:319)\n\t...
48 more\n"
}
Regards,
Amit Joshi
------------------------------
This e-mail, including accompanying communications and attachments, is
strictly confidential and only for the intended recipient. Any retention,
use or disclosure not expressly authorised by Markit is prohibited. This
email is subject to all waivers and other terms at the following link:
http://www.markit.com/en/about/legal/email-disclaimer.page
Please visit http://www.markit.com/en/about/contact/contact-us.page for
contact information on our offices worldwide.
12:12 p.m.
Responses inline
On 17 May 2016 at 16:16, Amit Joshi <amit.joshi(a)markit.com> wrote:
io.apiman.gateway.engine.impl.ApiRequestExecutorImpl.lambda$null$1(ApiRequestExecutorImpl.java:234)\n\tat
io.apiman.gateway.engine.io.AbstractStream.handleBody(AbstractStream.java:107)\n\tat
> io.apiman.gateway.engine.policy.Chain.write(Chain.java:181)\n\tat
io.apiman.gateway.engine.impl.ApiRequestExecutorImpl$1.write(ApiRequestExecutorImpl.java:525)\n\tat
io.apiman.gateway.platforms.servlet.GatewayServlet$2.handle(GatewayServlet.java:169)\n\tat
io.apiman.gateway.platforms.servlet.GatewayServlet$2.handle(GatewayServlet.java:161)\n\tat
io.apiman.gateway.engine.impl.ApiRequestExecutorImpl.handleStream(ApiRequestExecutorImpl.java:517)\n\tat
io.apiman.gateway.engine.impl.ApiRequestExecutorImpl.lambda$null$3(ApiRequestExecutorImpl.java:243)\n\tat
> io.apiman.gateway.engine.policy.Chain.handleHead(Chain.java:211)\n\tat
> io.apiman.gateway.engine.policy.Chain.doApply(Chain.java:150)\n\tat
io.apiman.gateway.engine.impl.ApiRequestExecutorImpl.lambda$execute$4(ApiRequestExecutorImpl.java:246)\n\tat
io.apiman.gateway.engine.impl.ApiRequestExecutorImpl.loadPolicies(ApiRequestExecutorImpl.java:419)\n\tat
io.apiman.gateway.engine.impl.ApiRequestExecutorImpl.lambda$execute$5(ApiRequestExecutorImpl.java:269)\n\tat
io.apiman.gateway.engine.impl.SecureRegistryWrapper$1.handle(SecureRegistryWrapper.java:123)\n\tat
io.apiman.gateway.engine.impl.SecureRegistryWrapper$1.handle(SecureRegistryWrapper.java:112)\n\tat
io.apiman.gateway.engine.es.CachingESRegistry.getApi(CachingESRegistry.java:115)\n\tat
io.apiman.gateway.engine.impl.SecureRegistryWrapper.getApi(SecureRegistryWrapper.java:112)\n\tat
io.apiman.gateway.engine.impl.ApiRequestExecutorImpl.execute(ApiRequestExecutorImpl.java:252)\n\tat
io.apiman.gateway.platforms.servlet.GatewayServlet.doAction(GatewayServlet.java:179)\n\tat
io.apiman.gateway.platforms.servlet.GatewayServlet.service(GatewayServlet.java:79)\n\tat
> javax.servlet.http.HttpServlet.service(HttpServlet.java:790)\n\tat
io.undertow.servlet.handlers.ServletHandler.handleRequest(ServletHandler.java:85)\n\tat
io.undertow.servlet.handlers.security.ServletSecurityRoleHandler.handleRequest(ServletSecurityRoleHandler.java:62)\n\tat
io.undertow.servlet.handlers.ServletDispatchingHandler.handleRequest(ServletDispatchingHandler.java:36)\n\tat
org.wildfly.extension.undertow.security.SecurityContextAssociationHandler.handleRequest(SecurityContextAssociationHandler.java:78)\n\tat
io.undertow.server.handlers.PredicateHandler.handleRequest(PredicateHandler.java:43)\n\tat
io.undertow.servlet.handlers.security.SSLInformationAssociationHandler.handleRequest(SSLInformationAssociationHandler.java:131)\n\tat
io.undertow.servlet.handlers.security.ServletAuthenticationCallHandler.handleRequest(ServletAuthenticationCallHandler.java:57)\n\tat
io.undertow.server.handlers.PredicateHandler.handleRequest(PredicateHandler.java:43)\n\tat
io.undertow.security.handlers.AbstractConfidentialityHandler.handleRequest(AbstractConfidentialityHandler.java:46)\n\tat
io.undertow.servlet.handlers.security.ServletConfidentialityConstraintHandler.handleRequest(ServletConfidentialityConstraintHandler.java:64)\n\tat
io.undertow.security.handlers.AuthenticationMechanismsHandler.handleRequest(AuthenticationMechanismsHandler.java:60)\n\tat
io.undertow.servlet.handlers.security.CachedAuthenticatedSessionHandler.handleRequest(CachedAuthenticatedSessionHandler.java:77)\n\tat
io.undertow.security.handlers.NotificationReceiverHandler.handleRequest(NotificationReceiverHandler.java:50)\n\tat
io.undertow.security.handlers.AbstractSecurityContextAssociationHandler.handleRequest(AbstractSecurityContextAssociationHandler.java:43)\n\tat
io.undertow.server.handlers.PredicateHandler.handleRequest(PredicateHandler.java:43)\n\tat
org.wildfly.extension.undertow.security.jacc.JACCContextIdHandler.handleRequest(JACCContextIdHandler.java:61)\n\tat
io.undertow.server.handlers.PredicateHandler.handleRequest(PredicateHandler.java:43)\n\tat
io.undertow.server.handlers.PredicateHandler.handleRequest(PredicateHandler.java:43)\n\tat
io.undertow.servlet.handlers.ServletInitialHandler.handleFirstRequest(ServletInitialHandler.java:284)\n\tat
io.undertow.servlet.handlers.ServletInitialHandler.dispatchRequest(ServletInitialHandler.java:263)\n\tat
io.undertow.servlet.handlers.ServletInitialHandler.access$000(ServletInitialHandler.java:81)\n\tat
io.undertow.servlet.handlers.ServletInitialHandler$1.handleRequest(ServletInitialHandler.java:174)\n\tat
io.undertow.server.Connectors.executeRootHandler(Connectors.java:202)\n\tat
io.undertow.server.HttpServerExchange$1.run(HttpServerExchange.java:793)\n\tat
java.util.concurrent.ThreadPoolExecutor.runWorker(ThreadPoolExecutor.java:1142)\n\tat
java.util.concurrent.ThreadPoolExecutor$Worker.run(ThreadPoolExecutor.java:617)\n\tat
> java.lang.Thread.run(Thread.java:745)\nCaused by: java.io.IOException: Not
> connected.\n\tat
io.apiman.gateway.platforms.servlet.connectors.HttpApiConnection.write(HttpApiConnection.java:319)\n\t...
> 48 more\n"
> }
>
Regards,
> Amit
Joshi
>
________________________________
> This e-mail, including accompanying communications and
attachments, is
> strictly confidential and only for the intended recipient. Any retention,
> use or disclosure not expressly authorised by Markit is prohibited. This
> email is subject to all waivers and other terms at the following link:
> http://www.markit.com/en/about/legal/email-disclaimer.page
> Please visit
http://www.markit.com/en/about/contact/contact-us.page for
> contact information on our offices worldwide.
> _______________________________________________
> Apiman-user mailing list
> Apiman-user(a)lists.jboss.org
> https://lists.jboss.org/mailman/listinfo/apiman-user
Hello,
I have been following the information in the blog post:
http://www.apiman.io/blog/gateway/security/mutual-auth/ssl/mtls/1.2.x/201...
but has a tough time. I had a simple Java test program that worked
against
the Api with setting the has a trust store etc. using system properties:
System.setProperty("javax.net.ssl.trustStore",
System.getProperty("truststore.path"));
System.setProperty("javax.net.ssl.trustStorePassword",
System.getProperty("keystore.password"));
System.setProperty("javax.net.ssl.keyStore",
System.getProperty("keystore.path"));
System.setProperty("javax.net.ssl.keyStorePassword",
System.getProperty("keystore.password"));
System.setProperty("javax.net.ssl.keyStoreType",
System.getProperty("keystore.type"));
However, when I try to do the same , but using APIMan (and setting the
properties in the apiman.properties file) to gateway the API it fails as
below. I tried setting the –Djavax.net.debug.all (as suggested in the
article) which gives a lot more in the logs but all I could see that
looked
relevant: “Warning: no suitable certificate found - continuing
without
client authentication” which made no sense since I have the correct cert
and
it works with the test program.
I finally figured out the issue – the MTLS setup does not allow you to
pass
in the keyStoreType and my keystore was PKCS12 and not JKS.
Couple of suggestions as a result:
· Add the ability to set the keyStoreType so we won’t have to
convert them
That shouldn't be too hard https://issues.jboss.org/browse/APIMAN-1154
· Also the stacktrace gets truncated in the output (see below) and
its very difficult to diagnose what the problem is – something I think
would
have been minutes if I could have seen the message about not being
able to
load the keystore took hours.
I don't think it's truncated, it's just that the formatting might be
difficult to read. I agree, though - we need to do something a bit nicer
for humans in this area.
echo -e "<stacktrace>" can be a workaround for the moment.
From the docs:
Note the presence of lines containing the characters "...". These lines
indicate that the remainder of the stack trace for this exception
matches
the indicated number of frames from the bottom of the stack trace of the
exception that was caused by this exception (the "enclosing" exception).
This shorthand can greatly reduce the length of the output in the common
case where a wrapped exception is thrown from same method as the "causative
exception" is caught. The above example was produced by running the program:
· Also I want to be able to automatically use different keystores
based on the api or logged-in user or url etc. My thought was to extend
the
HttpConnectorFactory and override the TlsOptions. However the class
has
all
the properties private with no getters/setters and so it is difficult
to
do
so that. This means I have to pretty much make a copy of the class
instead
of just a custom extension . Would be good if the class had public or at
least protected getters/setters there so I could override the keystore
based
on some rules..
Unfortunately this isn't possible yet, but if you wouldn't mind, could you
file a JIRA with your requirements (as above, plus any other bits you can
think of). That will help guide us, as we're aware this is an area that
might be of interest to some. It may be possible to do something clever in
combination with Keycloak - but it'll require a bit more integration.
Results when running against apiman but with a pkcs12 keystore:
Using the Advanced Rest Client app for Chrome. I see the following as a
response
X-Gateway-Error: Not connected.
500 Internal Server Error
And the response looks as follows. Note that the message is generic “Not
connected” and the stack trace is missing any information about why the
connection failed.
I've already got a JIRA for this (https://issues.jboss.org/browse/APIMAN-690),
but it can be a pain sometimes because the underlying system tends to
return pretty generic errors - I'll see what I can do to improve the
situation. Thanks for bringing it up, it's certainly valid.
{
"responseCode": 500,
"message": "Not connected.",
"trace": "io.apiman.gateway.engine.beans.exceptions.ConnectorException:
Not connected.\n\tat
io.apiman.gateway.platforms.servlet.connectors.HttpApiConnection.write(HttpApiConnection.java:332)\n\tat
3611
days inactive
3616
days old
2 comments
2 participants
participants (2)
-
Amit Joshi -
Marc Savy