From aikeaguinea at xsmail.com Tue Mar 1 10:01:23 2016
From: aikeaguinea at xsmail.com (Aikeaguinea)
Date: Tue, 01 Mar 2016 10:01:23 -0500
Subject: [Apiman-user] Elasticsearch configuration
In-Reply-To: <56CEF87B.60404@redhat.com>
References: <1456265240.2661102.529881690.421DF35F@webmail.messagingengine.com>
 <56CDCFCD.9010408@redhat.com>
 <1456339927.2956591.530835378.6139C8A8@webmail.messagingengine.com>
 <56CEF87B.60404@redhat.com>
Message-ID: <1456844483.1393438.536253786.3E105B18@webmail.messagingengine.com>

I'll keep you posted. Using Amazon's Elasticsearch service presents
issues of its own, since it can't be secured using VPC security groups.
I found a very lightweight JS proxy for signing requests to the
service, which allows you to use IAM users and roles to restrict access
to the service -- this may also be useful knowledge for anyone who gets
into this situation. The proxy is on Gist at
https://gist.github.com/nakedible-p/ad95dfb1c16e75af1ad5 with a
description at https://forums.aws.amazon.com/thread.jspa?threadID=218214 .

On Thu, Feb 25, 2016, at 07:50 AM, Eric Wittmann wrote:
> No problem. If you end up with a production configuration strategy for
> elasticsearch+apiman we'd love to hear about it! Perhaps a guest blog
> post? :)
>
> Just a thought...
>
> -Eric
>
> On 2/24/2016 1:52 PM, Aikeaguinea wrote:
> > Thanks!
> >
> > On Wed, Feb 24, 2016, at 10:44 AM, Eric Wittmann wrote:
> >> Apiman will automatically create the appropriate ES indexes if they do
> >> not exist. However, it does this in a very naive way:
> >>
> >> https://github.com/apiman/apiman/blob/master/gateway/engine/es/src/main/java/io/apiman/gateway/engine/es/ESClientFactory.java#L220-L233
> >>
> >> That said, we aren't really elasticsearch experts, so I'm not too
> >> confident offering advice on how to scale/cluster a production instance
> >> of Elasticsearch (note that we are working on alternatives).
> >>
> >> My suggestion is probably to create the indexes manually, and shard them
> >> however you think is appropriate. Apiman will then simply use the
> >> indexes you create rather than create them for you. You can use the ES
> >> Mappings files when configuring the indexes:
> >>
> >> https://github.com/apiman/apiman/tree/master/gateway/engine/es/src/main/resources/io/apiman/gateway/engine/es
> >>
> >> -Eric
> >>
> >> On 2/23/2016 5:07 PM, Aikeaguinea wrote:
> >>> I'm moving toward a production deployment of apiman on AWS. At least for
> >>> now we're using Amazon's Elasticsearch service and have been able to
> >>> configure and use it.
> >>>
> >>> For production, we need to pay attention to some of the finer details of
> >>> clustering, etc. It looks like sharding is mainly controlled when an
> >>> index is created. How does apiman manage creating replica shards? Does
> >>> this need to be configured somehow?
> >>>
> >
> >

--
  Aikeaguinea
  aikeaguinea at xsmail.com

--
http://www.fastmail.com - A fast, anti-spam email service.

From Joel.Schuster at davita.com Tue Mar 15 12:22:43 2016
From: Joel.Schuster at davita.com (Joel Schuster)
Date: Tue, 15 Mar 2016 16:22:43 +0000
Subject: [Apiman-user] Trying to get echo example working...
Message-ID: <63897DB19EE8C54894A3AAF646E7AD8D120A3F@DEN3-EXCH09.DAVITA.Corp>

Folks,

I'm working through the echo example and I'm running into a couple of
issues:

java version "1.8.0_73"
Java(TM) SE Runtime Environment (build 1.8.0_73-b02)
Java HotSpot(TM) 64-Bit Server VM (build 25.73-b02, mixed mode)

wildfly-10.0.0.Final
apiman-distro-wildfly10-1.2.2.Final-overlay

When I try to add the basic authentication policy the 'Add Policy'
button never becomes enabled.

So I skipped that step and tried to publish as-is. I get this error
(Full stack trace below):

Caused by: javax.net.ssl.SSLException: Unrecognized SSL message, plaintext connection?

The only reference I find to this is in this bug, which should be fixed
in this version: https://issues.jboss.org/browse/APIMAN-443

Any help would be appreciated.

Thanks!

- Joel

io.apiman.manager.api.rest.contract.exceptions.ActionException: Failed to publish API.
    at io.apiman.manager.api.rest.impl.util.ExceptionFactory.actionException(ExceptionFactory.java:311)
    at io.apiman.manager.api.rest.impl.ActionResourceImpl.publishApi(ActionResourceImpl.java:229)
    at io.apiman.manager.api.rest.impl.ActionResourceImpl.performAction(ActionResourceImpl.java:105)
    at io.apiman.manager.api.rest.impl.ActionResourceImpl$Proxy$_$$_WeldClientProxy.performAction(Unknown Source)
    at sun.reflect.NativeMethodAccessorImpl.invoke0(Native Method)
    at sun.reflect.NativeMethodAccessorImpl.invoke(NativeMethodAccessorImpl.java:62)
    at sun.reflect.DelegatingMethodAccessorImpl.invoke(DelegatingMethodAccessorImpl.java:43)
    at java.lang.reflect.Method.invoke(Method.java:497)
    at org.jboss.resteasy.core.MethodInjectorImpl.invoke(MethodInjectorImpl.java:139)
    at org.jboss.resteasy.core.ResourceMethodInvoker.invokeOnTarget(ResourceMethodInvoker.java:295)
    at org.jboss.resteasy.core.ResourceMethodInvoker.invoke(ResourceMethodInvoker.java:249)
    at org.jboss.resteasy.core.ResourceMethodInvoker.invoke(ResourceMethodInvoker.java:236)
    at org.jboss.resteasy.core.SynchronousDispatcher.invoke(SynchronousDispatcher.java:395)
    at org.jboss.resteasy.core.SynchronousDispatcher.invoke(SynchronousDispatcher.java:202)
    at org.jboss.resteasy.plugins.server.servlet.ServletContainerDispatcher.service(ServletContainerDispatcher.java:221)
    at org.jboss.resteasy.plugins.server.servlet.HttpServletDispatcher.service(HttpServletDispatcher.java:56)
    at org.jboss.resteasy.plugins.server.servlet.HttpServletDispatcher.service(HttpServletDispatcher.java:51)
    at javax.servlet.http.HttpServlet.service(HttpServlet.java:790)
    at io.undertow.servlet.handlers.ServletHandler.handleRequest(ServletHandler.java:85)
    at io.undertow.servlet.handlers.FilterHandler$FilterChainImpl.doFilter(FilterHandler.java:129)
    at io.apiman.common.servlet.RootResourceFilter.doFilter(RootResourceFilter.java:59)
    at io.undertow.servlet.core.ManagedFilter.doFilter(ManagedFilter.java:60)
    at io.undertow.servlet.handlers.FilterHandler$FilterChainImpl.doFilter(FilterHandler.java:131)
    at io.apiman.manager.api.war.TransactionWatchdogFilter.doFilter(TransactionWatchdogFilter.java:57)
    at io.undertow.servlet.core.ManagedFilter.doFilter(ManagedFilter.java:60)
    at io.undertow.servlet.handlers.FilterHandler$FilterChainImpl.doFilter(FilterHandler.java:131)
    at io.apiman.manager.api.security.impl.DefaultSecurityContextFilter.doFilter(DefaultSecurityContextFilter.java:56)
    at io.undertow.servlet.core.ManagedFilter.doFilter(ManagedFilter.java:60)
    at io.undertow.servlet.handlers.FilterHandler$FilterChainImpl.doFilter(FilterHandler.java:131)
    at io.apiman.common.servlet.DisableCachingFilter.doFilter(DisableCachingFilter.java:59)
    at io.undertow.servlet.core.ManagedFilter.doFilter(ManagedFilter.java:60)
    at io.undertow.servlet.handlers.FilterHandler$FilterChainImpl.doFilter(FilterHandler.java:131)
    at io.apiman.common.servlet.ApimanCorsFilter.doFilter(ApimanCorsFilter.java:71)
    at io.undertow.servlet.core.ManagedFilter.doFilter(ManagedFilter.java:60)
    at io.undertow.servlet.handlers.FilterHandler$FilterChainImpl.doFilter(FilterHandler.java:131)
    at io.apiman.common.servlet.LocaleFilter.doFilter(LocaleFilter.java:61)
    at io.undertow.servlet.core.ManagedFilter.doFilter(ManagedFilter.java:60)
    at io.undertow.servlet.handlers.FilterHandler$FilterChainImpl.doFilter(FilterHandler.java:131)
    at io.undertow.servlet.handlers.FilterHandler.handleRequest(FilterHandler.java:84)
    at io.undertow.servlet.handlers.security.ServletSecurityRoleHandler.handleRequest(ServletSecurityRoleHandler.java:62)
    at io.undertow.servlet.handlers.ServletDispatchingHandler.handleRequest(ServletDispatchingHandler.java:36)
    at org.wildfly.extension.undertow.security.SecurityContextAssociationHandler.handleRequest(SecurityContextAssociationHandler.java:78)
    at io.undertow.server.handlers.PredicateHandler.handleRequest(PredicateHandler.java:43)
    at org.keycloak.adapters.undertow.UndertowAuthenticatedActionsHandler.handleRequest(UndertowAuthenticatedActionsHandler.java:66)
    at io.undertow.servlet.handlers.security.SSLInformationAssociationHandler.handleRequest(SSLInformationAssociationHandler.java:131)
    at io.undertow.servlet.handlers.security.ServletAuthenticationCallHandler.handleRequest(ServletAuthenticationCallHandler.java:57)
    at io.undertow.server.handlers.DisableCacheHandler.handleRequest(DisableCacheHandler.java:33)
    at io.undertow.server.handlers.PredicateHandler.handleRequest(PredicateHandler.java:43)
    at io.undertow.security.handlers.AuthenticationConstraintHandler.handleRequest(AuthenticationConstraintHandler.java:51)
    at io.undertow.security.handlers.AbstractConfidentialityHandler.handleRequest(AbstractConfidentialityHandler.java:46)
    at io.undertow.servlet.handlers.security.ServletConfidentialityConstraintHandler.handleRequest(ServletConfidentialityConstraintHandler.java:64)
    at io.undertow.servlet.handlers.security.ServletSecurityConstraintHandler.handleRequest(ServletSecurityConstraintHandler.java:56)
    at io.undertow.security.handlers.AuthenticationMechanismsHandler.handleRequest(AuthenticationMechanismsHandler.java:60)
    at io.undertow.servlet.handlers.security.CachedAuthenticatedSessionHandler.handleRequest(CachedAuthenticatedSessionHandler.java:77)
    at io.undertow.security.handlers.NotificationReceiverHandler.handleRequest(NotificationReceiverHandler.java:50)
    at io.undertow.security.handlers.AbstractSecurityContextAssociationHandler.handleRequest(AbstractSecurityContextAssociationHandler.java:43)
    at io.undertow.server.handlers.PredicateHandler.handleRequest(PredicateHandler.java:43)
    at org.wildfly.extension.undertow.security.jacc.JACCContextIdHandler.handleRequest(JACCContextIdHandler.java:61)
    at io.undertow.server.handlers.PredicateHandler.handleRequest(PredicateHandler.java:43)
    at org.keycloak.adapters.undertow.ServletPreAuthActionsHandler.handleRequest(ServletPreAuthActionsHandler.java:69)
    at io.undertow.server.handlers.PredicateHandler.handleRequest(PredicateHandler.java:43)
    at io.undertow.servlet.handlers.ServletInitialHandler.handleFirstRequest(ServletInitialHandler.java:284)
    at io.undertow.servlet.handlers.ServletInitialHandler.dispatchRequest(ServletInitialHandler.java:263)
    at io.undertow.servlet.handlers.ServletInitialHandler.access$000(ServletInitialHandler.java:81)
    at io.undertow.servlet.handlers.ServletInitialHandler$1.handleRequest(ServletInitialHandler.java:174)
    at io.undertow.server.Connectors.executeRootHandler(Connectors.java:202)
    at io.undertow.server.HttpServerExchange$1.run(HttpServerExchange.java:793)
    at java.util.concurrent.ThreadPoolExecutor.runWorker(ThreadPoolExecutor.java:1142)
    at java.util.concurrent.ThreadPoolExecutor$Worker.run(ThreadPoolExecutor.java:617)
    at java.lang.Thread.run(Thread.java:745)
Caused by: java.lang.RuntimeException: javax.net.ssl.SSLException: Unrecognized SSL message, plaintext connection?
    at io.apiman.manager.api.gateway.rest.GatewayClient.getStatus(GatewayClient.java:98)
    at io.apiman.manager.api.gateway.rest.RestGatewayLink.isGatewayUp(RestGatewayLink.java:134)
    at io.apiman.manager.api.gateway.rest.RestGatewayLink.publishApi(RestGatewayLink.java:160)
    at io.apiman.manager.api.rest.impl.ActionResourceImpl.publishApi(ActionResourceImpl.java:203)
    ... 68 more
Caused by: javax.net.ssl.SSLException: Unrecognized SSL message, plaintext connection?
    at sun.security.ssl.InputRecord.handleUnknownRecord(InputRecord.java:710)
    at sun.security.ssl.InputRecord.read(InputRecord.java:527)
    at sun.security.ssl.SSLSocketImpl.readRecord(SSLSocketImpl.java:973)
    at sun.security.ssl.SSLSocketImpl.performInitialHandshake(SSLSocketImpl.java:1375)
    at sun.security.ssl.SSLSocketImpl.startHandshake(SSLSocketImpl.java:1403)
    at sun.security.ssl.SSLSocketImpl.startHandshake(SSLSocketImpl.java:1387)
    at org.apache.http.conn.ssl.SSLConnectionSocketFactory.createLayeredSocket(SSLConnectionSocketFactory.java:394)
    at org.apache.http.conn.ssl.SSLConnectionSocketFactory.connectSocket(SSLConnectionSocketFactory.java:353)
    at org.apache.http.impl.conn.DefaultHttpClientConnectionOperator.connect(DefaultHttpClientConnectionOperator.java:134)
    at org.apache.http.impl.conn.PoolingHttpClientConnectionManager.connect(PoolingHttpClientConnectionManager.java:353)
    at org.apache.http.impl.execchain.MainClientExec.establishRoute(MainClientExec.java:380)
    at org.apache.http.impl.execchain.MainClientExec.execute(MainClientExec.java:236)
    at org.apache.http.impl.execchain.ProtocolExec.execute(ProtocolExec.java:184)
    at org.apache.http.impl.execchain.RetryExec.execute(RetryExec.java:88)
    at org.apache.http.impl.execchain.RedirectExec.execute(RedirectExec.java:110)
    at org.apache.http.impl.client.InternalHttpClient.doExecute(InternalHttpClient.java:184)
    at org.apache.http.impl.client.CloseableHttpClient.execute(CloseableHttpClient.java:82)
    at org.apache.http.impl.client.CloseableHttpClient.execute(CloseableHttpClient.java:107)
    at io.apiman.manager.api.gateway.rest.GatewayClient.getStatus(GatewayClient.java:86)
    ... 71 more

CONFIDENTIALITY NOTICE: THIS MESSAGE IS CONFIDENTIAL, INTENDED FOR THE
NAMED RECIPIENT(S) AND MAY CONTAIN INFORMATION THAT IS (I) PROPRIETARY
TO THE SENDER, AND/OR, (II) PRIVILEGED, CONFIDENTIAL, AND/OR OTHERWISE
EXEMPT FROM DISCLOSURE UNDER APPLICABLE STATE AND FEDERAL LAW,
INCLUDING, BUT NOT LIMITED TO, PRIVACY STANDARDS IMPOSED PURSUANT TO THE
FEDERAL HEALTH INSURANCE PORTABILITY AND ACCOUNTABILITY ACT OF 1996
("HIPAA"). IF YOU ARE NOT THE INTENDED RECIPIENT, OR THE EMPLOYEE OR
AGENT RESPONSIBLE FOR DELIVERING THE MESSAGE TO THE INTENDED RECIPIENT,
YOU ARE HEREBY NOTIFIED THAT ANY DISSEMINATION, DISTRIBUTION OR COPYING
OF THIS COMMUNICATION IS STRICTLY PROHIBITED. IF YOU HAVE RECEIVED THIS
TRANSMISSION IN ERROR, PLEASE (I) NOTIFY US IMMEDIATELY BY REPLY E-MAIL
OR BY TELEPHONE AT (855.472.9822), (II) REMOVE IT FROM YOUR SYSTEM, AND
(III) DESTROY THE ORIGINAL TRANSMISSION AND ITS ATTACHMENTS WITHOUT
READING OR SAVING THEM. THANK YOU.

-DaVita Healthcare Partners Inc.-
-------------- next part --------------
An HTML attachment was scrubbed...
URL: http://lists.jboss.org/pipermail/apiman-user/attachments/20160315/ae0b993e/attachment-0001.html

From eric.wittmann at redhat.com Tue Mar 15 15:01:30 2016
From: eric.wittmann at redhat.com (Eric Wittmann)
Date: Tue, 15 Mar 2016 15:01:30 -0400
Subject: [Apiman-user] Trying to get echo example working...
In-Reply-To: <63897DB19EE8C54894A3AAF646E7AD8D120A3F@DEN3-EXCH09.DAVITA.Corp>
References: <63897DB19EE8C54894A3AAF646E7AD8D120A3F@DEN3-EXCH09.DAVITA.Corp>
Message-ID: <56E85C0A.3010807@redhat.com>

Can you provide any other details about your configuration? Are you
using mysql or postgres, for example? E.g. anything changed from the
defaults?

"Caused by: javax.net.ssl.SSLException: Unrecognized SSL message,
plaintext connection?"

This usually means that your gateway is configured incorrectly -
specifically that the Configuration Endpoint setting for your gateway
indicates a protocol of "https" but the port is *not* (e.g. port 8080).
So for example:

https://localhost:8080/apiman-gateway-api/

This would fail because port 8080 is not an SSL port. I would need to
change the port to 8443.

Can you indicate whether you have data in the various admin UI pages,
such as Roles, Policy Definitions, Gateways, etc?

-Eric

On 3/15/2016 12:22 PM, Joel Schuster wrote:
> Folks,
>
> I'm working through the echo example and I'm running into a couple of
> issues:
>
> java version "1.8.0_73"
>
> Java(TM) SE Runtime Environment (build 1.8.0_73-b02)
>
> Java HotSpot(TM) 64-Bit Server VM (build 25.73-b02, mixed mode)
>
> wildfly-10.0.0.Final
>
> apiman-distro-wildfly10-1.2.2.Final-overlay
>
> When I try to add the basic authentication policy the 'Add Policy'
> button never becomes enabled.
>
> So I skipped that step and tried to publish as-is. I get this error
> (Full stack trace below):
>
> Caused by: javax.net.ssl.SSLException: Unrecognized SSL message,
> plaintext connection?
>
> The only reference I find to this is in this bug, which should be fixed
> in this version: https://issues.jboss.org/browse/APIMAN-443
>
> Any help would be appreciated.
>
> Thanks!
>
> -Joel
>
> io.apiman.manager.api.rest.contract.exceptions.ActionException: Failed
> to publish API.

From Joel.Schuster at davita.com Tue Mar 15 15:21:06 2016
From: Joel.Schuster at davita.com (Joel Schuster)
Date: Tue, 15 Mar 2016 19:21:06 +0000
Subject: [Apiman-user] Trying to get echo example working...
In-Reply-To: <56E85C0A.3010807@redhat.com>
References: <63897DB19EE8C54894A3AAF646E7AD8D120A3F@DEN3-EXCH09.DAVITA.Corp>
 <56E85C0A.3010807@redhat.com>
Message-ID: <63897DB19EE8C54894A3AAF646E7AD8D120A8E@DEN3-EXCH09.DAVITA.Corp>

Eric,

Thanks for the info... indeed the problem was that I was trying to
change the base url for the gateway... Apparently it's not done by
changing the gateway configuration. I figured that out via the User
Manual. If you can give some guidance as to how to change the gateway
url from 'apiman-gateway' to whatever I like that would be great.
I tried modifying the resource element of the configuration file...
that busted a bunch of other things.

- Joel

-----Original Message-----
From: Eric Wittmann [mailto:eric.wittmann at redhat.com]
Sent: Tuesday, March 15, 2016 1:02 PM
To: Joel Schuster; apiman-user at lists.jboss.org
Subject: Re: [Apiman-user] Trying to get echo example working...

WARNING: This email originated outside of DaVita. DO NOT CLICK links or
attachments unless you recognize the sender and know the content is
safe.

Can you provide any other details about your configuration? Are you
using mysql or postgres, for example? E.g. anything changed from the
defaults?

"Caused by: javax.net.ssl.SSLException: Unrecognized SSL message,
plaintext connection?"

This usually means that your gateway is configured incorrectly -
specifically that the Configuration Endpoint setting for your gateway
indicates a protocol of "https" but the port is *not* (e.g. port 8080).
So for example:

https://localhost:8080/apiman-gateway-api/

This would fail because port 8080 is not an SSL port. I would need to
change the port to 8443.

Can you indicate whether you have data in the various admin UI pages,
such as Roles, Policy Definitions, Gateways, etc?

-Eric

On 3/15/2016 12:22 PM, Joel Schuster wrote:
> Folks,
>
> I'm working through the echo example and I'm running into a couple of
> issues:
>
> java version "1.8.0_73"
>
> Java(TM) SE Runtime Environment (build 1.8.0_73-b02)
>
> Java HotSpot(TM) 64-Bit Server VM (build 25.73-b02, mixed mode)
>
> wildfly-10.0.0.Final
>
> apiman-distro-wildfly10-1.2.2.Final-overlay
>
> When I try to add the basic authentication policy the 'Add Policy'
> button never becomes enabled.
>
> So I skipped that step and tried to publish as-is. I get this error
> (Full stack trace below):
>
> Caused by: javax.net.ssl.SSLException: Unrecognized SSL message,
> plaintext connection?
> > at > io.apiman.manager.api.gateway.rest.GatewayClient.getStatus(GatewayClie > nt.java:98) > > at > io.apiman.manager.api.gateway.rest.RestGatewayLink.isGatewayUp(RestGat > ewayLink.java:134) > > at > io.apiman.manager.api.gateway.rest.RestGatewayLink.publishApi(RestGate > wayLink.java:160) > > at > io.apiman.manager.api.rest.impl.ActionResourceImpl.publishApi(ActionRe > sourceImpl.java:203) > > ... 68 more > > Caused by: javax.net.ssl.SSLException: Unrecognized SSL message, > plaintext connection? > > at > sun.security.ssl.InputRecord.handleUnknownRecord(InputRecord.java:710) > > at sun.security.ssl.InputRecord.read(InputRecord.java:527) > > at > sun.security.ssl.SSLSocketImpl.readRecord(SSLSocketImpl.java:973) > > at > sun.security.ssl.SSLSocketImpl.performInitialHandshake(SSLSocketImpl.j > ava:1375) > > at > sun.security.ssl.SSLSocketImpl.startHandshake(SSLSocketImpl.java:1403) > > at > sun.security.ssl.SSLSocketImpl.startHandshake(SSLSocketImpl.java:1387) > > at > org.apache.http.conn.ssl.SSLConnectionSocketFactory.createLayeredSocke > t(SSLConnectionSocketFactory.java:394) > > at > org.apache.http.conn.ssl.SSLConnectionSocketFactory.connectSocket(SSLC > onnectionSocketFactory.java:353) > > at > org.apache.http.impl.conn.DefaultHttpClientConnectionOperator.connect( > DefaultHttpClientConnectionOperator.java:134) > > at > org.apache.http.impl.conn.PoolingHttpClientConnectionManager.connect(P > oolingHttpClientConnectionManager.java:353) > > at > org.apache.http.impl.execchain.MainClientExec.establishRoute(MainClien > tExec.java:380) > > at > org.apache.http.impl.execchain.MainClientExec.execute(MainClientExec.j > ava:236) > > at > org.apache.http.impl.execchain.ProtocolExec.execute(ProtocolExec.java: > 184) > > at > org.apache.http.impl.execchain.RetryExec.execute(RetryExec.java:88) > > at > org.apache.http.impl.execchain.RedirectExec.execute(RedirectExec.java: > 110) > > at > org.apache.http.impl.client.InternalHttpClient.doExecute(InternalHttpC > 
lient.java:184) > > at > org.apache.http.impl.client.CloseableHttpClient.execute(CloseableHttpC > lient.java:82) > > at > org.apache.http.impl.client.CloseableHttpClient.execute(CloseableHttpC > lient.java:107) > > at > io.apiman.manager.api.gateway.rest.GatewayClient.getStatus(GatewayClie > nt.java:86) > > ... 71 more > > CONFIDENTIALITY NOTICE: THIS MESSAGE IS CONFIDENTIAL, INTENDED FOR THE > NAMED RECIPIENT(S) AND MAY CONTAIN INFORMATION THAT IS (I) PROPRIETARY > TO THE SENDER, AND/OR, (II) PRIVILEGED, CONFIDENTIAL, AND/OR OTHERWISE > EXEMPT FROM DISCLOSURE UNDER APPLICABLE STATE AND FEDERAL LAW, > INCLUDING, BUT NOT LIMITED TO, PRIVACY STANDARDS IMPOSED PURSUANT TO > THE FEDERAL HEALTH INSURANCE PORTABILITY AND ACCOUNTABILITY ACT OF > 1996 ("HIPAA"). IF YOU ARE NOT THE INTENDED RECIPIENT, OR THE EMPLOYEE > OR AGENT RESPONSIBLE FOR DELIVERING THE MESSAGE TO THE INTENDED > RECIPIENT, YOU ARE HEREBY NOTIFIED THAT ANY DISSEMINATION, > DISTRIBUTION OR COPYING OF THIS COMMUNICATION IS STRICTLY PROHIBITED. > IF YOU HAVE RECEIVED THIS TRANSMISSION IN ERROR, PLEASE (I) NOTIFY US > IMMEDIATELY BY REPLY E-MAIL OR BY TELEPHONE AT (855.472.9822), (II) > REMOVE IT FROM YOUR SYSTEM, AND > (III) DESTROY THE ORIGINAL TRANSMISSION AND ITS ATTACHMENTS WITHOUT > READING OR SAVING THEM. THANK YOU. > > -DaVita Healthcare Partners Inc.- > > > > _______________________________________________ > Apiman-user mailing list > Apiman-user at lists.jboss.org > https://lists.jboss.org/mailman/listinfo/apiman-user >

From Joel.Schuster at davita.com Tue Mar 15 17:46:43 2016
From: Joel.Schuster at davita.com (Joel Schuster)
Date: Tue, 15 Mar 2016 21:46:43 +0000
Subject: [Apiman-user] How to change the default API URL
Message-ID: <63897DB19EE8C54894A3AAF646E7AD8D120B3A@DEN3-EXCH09.DAVITA.Corp>

By default APIs end up here:

http://gatewayhost:port/apiman-gateway/{organizationId}/{apiId}/{version}/

I'd like to change this so it ends up here:

http://gatewayhost:port/apiman-gateway/{organizationId}/{version}/{apiId}/

I'd also like to change the 'apiman-gateway' to simply 'gateway'.

How can I do that?

Thanks!

- Joel

From eric.wittmann at redhat.com Wed Mar 16 07:08:50 2016
From: eric.wittmann at redhat.com (Eric Wittmann)
Date: Wed, 16 Mar 2016 07:08:50 -0400
Subject: [Apiman-user] How to change the default API URL
In-Reply-To: <63897DB19EE8C54894A3AAF646E7AD8D120B3A@DEN3-EXCH09.DAVITA.Corp>
References: <63897DB19EE8C54894A3AAF646E7AD8D120B3A@DEN3-EXCH09.DAVITA.Corp>
Message-ID: <56E93EC2.8000306@redhat.com>

There's no way to customize the format of the endpoint at the moment. That would need to be a feature request, unless you wanted to fork the codebase (not really recommended).

I'd recommend creating a JIRA feature request ticket for this, with your requirements. It's not particularly hard to implement I don't think.

The context is something you *can* change. Here's how:

1) Unpack/open the following file:

   $WILDFLY/standalone/deployments/apiman-gateway.war

2) Modify the following file within that WAR:

   /WEB-INF/jboss-web.xml

3) Change the context-root element to "gateway":

   <context-root>gateway</context-root>

4) Re-package up the WAR file and rename it to "gateway.war" (optional)

5) Profit!

-Eric

On 3/15/2016 5:46 PM, Joel Schuster wrote:
> By default APIs end up here:
>
> http://gatewayhost:port/apiman-gateway/{organizationId}/{apiId}/{version}/
>
> I'd like to change this so it ends up here:
>
> http://gatewayhost:port/apiman-gateway/{organizationId}/{version}/{apiId}/
>
> I'd also like to change the 'apiman-gateway' to simply 'gateway'.
>
> How can I do that?
>
> Thanks!
>
> -Joel

From eric.wittmann at redhat.com Wed Mar 16 07:12:52 2016
From: eric.wittmann at redhat.com (Eric Wittmann)
Date: Wed, 16 Mar 2016 07:12:52 -0400
Subject: [Apiman-user] Trying to get echo example working...
In-Reply-To: <63897DB19EE8C54894A3AAF646E7AD8D120A8E@DEN3-EXCH09.DAVITA.Corp>
References: <63897DB19EE8C54894A3AAF646E7AD8D120A3F@DEN3-EXCH09.DAVITA.Corp> <56E85C0A.3010807@redhat.com> <63897DB19EE8C54894A3AAF646E7AD8D120A8E@DEN3-EXCH09.DAVITA.Corp>
Message-ID: <56E93FB4.1080202@redhat.com>

Yeah the gateway settings in the UI are all about telling the API Manager where the API Gateway lives. In order to actually change where the API Gateway lives, you would need to change the apiman-gateway war.

I *think* I answered that question in reply to your other email.
If that response didn't help, let me know. :)

-Eric

On 3/15/2016 3:21 PM, Joel Schuster wrote:
> Eric,
>
> Thanks for the info... indeed the problem was that I was trying to change the base url for the gateway... Apparently it's not done by changing the gateway configuration. I figured that out via the User Manual.
>
> If you can give some guidance as to how to change the gateway url from 'apiman-gateway' to whatever I like that would be great. I tried modifying the resource element of the configuration file... that busted a bunch of other things.
>
> - Joel
>
> -----Original Message-----
> From: Eric Wittmann [mailto:eric.wittmann at redhat.com]
> Sent: Tuesday, March 15, 2016 1:02 PM
> To: Joel Schuster; apiman-user at lists.jboss.org
> Subject: Re: [Apiman-user] Trying to get echo example working...
>
> WARNING: This email originated outside of DaVita.
>
> DO NOT CLICK links or attachments unless you recognize the sender and know the content is safe.
>
> Can you provide any other details about your configuration? Are you using mysql or postgres, for example? E.g. anything changed from the defaults?
>
> "Caused by: javax.net.ssl.SSLException: Unrecognized SSL message, plaintext connection?"
>
> This usually means that your gateway is configured incorrectly - specifically that the Configuration Endpoint setting for your gateway indicates a protocol of "https" but the port is *not* (e.g. port 8080). So for example:
>
> https://localhost:8080/apiman-gateway-api/
>
> This would fail because port 8080 is not an SSL port. I would need to change the port to 8443.
>
> Can you indicate whether you have data in the various admin UI pages, such as Roles, Policy Definitions, Gateways, etc?
>
> -Eric
>
>
> On 3/15/2016 12:22 PM, Joel Schuster wrote:
>> Folks,
>>
>> I'm working through the echo example and I'm running into a couple of issues:
>>
>> java version "1.8.0_73"
>>
>> Java(TM) SE Runtime Environment (build 1.8.0_73-b02)
>>
>> Java HotSpot(TM) 64-Bit Server VM (build 25.73-b02, mixed mode)
>>
>> wildfly-10.0.0.Final
>>
>> apiman-distro-wildfly10-1.2.2.Final-overlay
>>
>> When I try to add the basic authentication policy the 'Add Policy' button never becomes enabled.
>>
>> So I skipped that step and tried to publish as-is. I get this error (Full stack trace below):
>>
>> Caused by: javax.net.ssl.SSLException: Unrecognized SSL message, plaintext connection?
>>
>> The only reference I find to this is in this bug, which should be fixed in this version: https://issues.jboss.org/browse/APIMAN-443
>>
>> Any help would be appreciated.
>>
>> Thanks!
>>
>> -Joel

From jeanette_cabardo at merck.com Mon Mar 21 10:10:19 2016
From: jeanette_cabardo at merck.com (Cabardo, Jeanette)
Date: Mon, 21 Mar 2016 10:10:19 -0400
Subject: [Apiman-user] Securing back-end API endpoints with keycloak renders apis inaccessible via Apiman
Message-ID:

Hi. Not sure if there are already posting similar to the issue I'm having (or maybe the feature may not be in place yet). My requirement is to secure the back-end API endpoints with keycloak. It was a bit of a pain because the apis were developed in node.js and there was really not a whole lot of examples or library on how to accomplish this. Anyway, I think I was finally able to do this, however, once I had put the protection in place, the endpoints stopped working in Apiman. I'm not quite sure how to forward the credentials to allow it to access the endpoints. I think the closest posting I found that may be similar to what I need is:

http://lists.jboss.org/pipermail/apiman-user/2015-March/000030.html

I guess what I wanted to find out is whether or not what I'm trying to do is possible at this time as I have researching and trying to search for more info on how to accomplish this and haven't had any luck doing so. I appreciate any help you can extend. Thanks in advance.

Jeanette

Notice: This e-mail message, together with any attachments, contains information of Merck & Co., Inc. (2000 Galloping Hill Road, Kenilworth, New Jersey, USA 07033), and/or its affiliates Direct contact information for affiliates is available at http://www.merck.com/contact/contacts.html) that may be confidential, proprietary copyrighted and/or legally privileged.
It is intended solely for the use of the individual or entity named on this message. If you are not the intended recipient, and have received this message in error, please notify us immediately by reply e-mail and then delete it from your system. -------------- next part -------------- An HTML attachment was scrubbed... URL: http://lists.jboss.org/pipermail/apiman-user/attachments/20160321/0cab8d5b/attachment.html From Joel.Schuster at davita.com Mon Mar 21 11:20:28 2016 From: Joel.Schuster at davita.com (Joel Schuster) Date: Mon, 21 Mar 2016 15:20:28 +0000 Subject: [Apiman-user] Securing back-end API endpoints with keycloak renders apis inaccessible via Apiman In-Reply-To: References: Message-ID: <63897DB19EE8C54894A3AAF646E7AD8D1211B7@DEN3-EXCH09.DAVITA.Corp> Jeanette, I was able to get it working for both javascript and iOS clients. I'm doing both client id/secret and username/password based OAuth2. If that's what you are looking for, please email me privately and I'll send along info about how I got it working. Joel Schuster Guest Team Member 719-445-8789 joel.schuster at davita.com From: apiman-user-bounces at lists.jboss.org [mailto:apiman-user-bounces at lists.jboss.org] On Behalf Of Cabardo, Jeanette Sent: Monday, March 21, 2016 8:10 AM To: apiman-user at lists.jboss.org Subject: [Apiman-user] Securing back-end API endpoints with keycloak renders apis inaccessible via Apiman WARNING: This email originated outside of DaVita. DO NOT CLICK links or attachments unless you recognize the sender and know the content is safe. Hi. Not sure if there are already posting similar to the issue I'm having (or maybe the feature may not be in place yet). My requirement is to secure the back-end API endpoints with keycloak. It was a bit of a pain because the apis were developed in node.js and there was really not a whole lot of examples or library on how to accomplish this. 
Anyway, I think I was finally able to do this, however, once I had put the protection in place, the endpoints stopped working in Apiman. I'm not quite sure how to forward the credentials to allow it to access the endpoints. I think the closest posting I found that may be similar to what I need is:

http://lists.jboss.org/pipermail/apiman-user/2015-March/000030.html

I guess what I wanted to find out is whether or not what I'm trying to do is possible at this time as I have been researching and trying to search for more info on how to accomplish this and haven't had any luck doing so.

I appreciate any help you can extend. Thanks in advance.

Jeanette

From marc at rhymewithgravy.com Mon Mar 21 11:31:49 2016
From: marc at rhymewithgravy.com (Marc Savy)
Date: Mon, 21 Mar 2016 15:31:49 +0000
Subject: [Apiman-user] keycloak question
References: <1A8CE15D-E8BD-4E03-AEA6-EAC3839785E8@rhymewithgravy.com> <22593AB0-049C-4C2C-A28B-4573232738FB@rhymewithgravy.com>
Message-ID: <4777AF80-0386-4890-B751-9114703BCB7D@rhymewithgravy.com>

> You meant the diagram in the link you provided for using the Mutual TLS, correct? I just want to make sure that you were referring to that solution. And thanks so much for providing these information - really, really helpful.

Yes, that's right. Communications between a client (e.g. web app) and apiman are secured by Keycloak; communications between apiman and APIs are secured by mutual TLS (or whichever scheme you choose).

Regards,
Marc

> On 21 Mar 2016, at 15:23, Cabardo, Jeanette wrote:
>
> Just to clarify your statement:
>
> Instead of protecting your APIs directly, you could instead remove the auth from them and let apiman deal with it (see the diagram in the linked blog post) and simply stop unauthorised folk calling those services directly. That would likely be a good option to evaluate.
>
> You meant the diagram in the link you provided for using the Mutual TLS, correct? I just want to make sure that you were referring to that solution. And thanks so much for providing these information - really, really helpful.
>
> Jeanette
>
> From: Marc Savy
> Date: Monday, March 21, 2016 at 11:15 AM
> To: "Cabardo, Jeanette"
> Subject: Re: keycloak question
>
>> (I have recommended doing it on the network level as you noted in the embedded link that I provided but our network engineer is adamant on protecting the endpoints explicitly).
>
> I suggest using Mutual TLS (good solution, high security) or BASIC (development or lower security). MTLS blog is below. It's an excellent option for your requirements:
>
> http://www.apiman.io/blog/gateway/security/mutual-auth/ssl/mtls/1.2.x/2016/01/22/mtls-mutual-auth-redux.html
>
> The downside of both of these is that it requires some modification of your existing APIs, whereas the network solution is more transparent. Either way, the above is well supported :).
>
> Instead of protecting your APIs directly, you could instead remove the auth from them and let apiman deal with it (see the diagram in the linked blog post) and simply stop unauthorised folk calling those services directly. That would likely be a good option to evaluate.
>
>> On 21 Mar 2016, at 14:53, Cabardo, Jeanette wrote:
>>
>> Yes, Marc, please feel free to copy my posting. I am fairly new to Apiman and keycloak, and been struggling finding examples/documentation that can help. I think these blogs definitely helped a lot in the past few days.
>>
>> And yes, my requirement is to explicitly protect the endpoints (I have recommended doing it on the network level as you noted in the embedded link that I provided but our network engineer is adamant on protecting the endpoints explicitly). I was able to protect the endpoints by using the nodejs library (connect-keycloak) though I'm finding I have to make adjustments as it was developed on the older version of keycloak and I think it's really primarily if you have a client app more than just a back-end api. I know that this issue that I have raised may be a combination of apiman/keycloak but it would be good to know if what I'm doing is feasible or am I chasing something that's not even possible at this time, is what I am trying to at least find out. As a back-up we can opt to do the protection on the network level.
>>
>> Jeanette
>>
>> From: Marc Savy
>> Date: Monday, March 21, 2016 at 10:41 AM
>> To: "Cabardo, Jeanette"
>> Subject: Re: keycloak question
>>
>> Hi Jeanette,
>>
>> The blog-post refers to a use-case where you are applying your Keycloak authentication [1] against your API configured in apiman; not directly on the API itself. That is, apiman provides and performs the authentication *on behalf* of your API:
>>
>> i.e
>>
>>             /---> Keycloak
>>             |
>>             v [Validate]
>> client    apiman    API
>>
>> Notice, the API itself is not protected directly by Keycloak. apiman does it on the API's behalf.
>>
>>> means that you are protecting this api explicitly, I.e., that without using any additional network level protection, one cannot just simply go into the browser or Postman and type in the url: http://localhost:8080/apiman-echo?
>>
>> If you want to stop people calling your API endpoint explicitly then you need to protect it. For instance, network level configuration or OOTB endpoint protection options: MTLS (Mutual TLS) or BASIC. The blog is simply for demonstrating the concepts, so it would indeed be useless in a production setup if developers could bypass the gateway.
>>
>> Would you object if I copy this over to the apiman-user mailing list so that more people can participate?
>>
>> Regards,
>> Marc
>>
>> [1] OpenID Connect JWT
>>
>>> On 18 Mar 2016, at 19:59, Cabardo, Jeanette wrote:
>>>
>>> Hi, Marc.
>>> I just have a quick question regarding your blog post (http://www.apiman.io/blog/gateway/security/oauth2/keycloak/authentication/authorization/1.2.x/2016/01/22/keycloak-oauth2-redux.html )
>>>
>>> We currently have managed to set up our api to use Apiman to manage access to it and are also trying to use keycloak to potentially protect the back-end api endpoints. In your post, I just wasn't clear whether your statement...
>>>
>>> "Let's assume we're going to protect a very simple echo service, which echoes back to the requestor the details of any request made to it. It is located at http://localhost:8080/apiman-echo."
>>>
>>> means that you are protecting this api explicitly, I.e., that without using any additional network level protection, one cannot just simply go into the browser or Postman and type in the url: http://localhost:8080/apiman-echo ? I was using this middleware connect-keycloak to protect my endpoints but after doing so, my endpoint configuration in apiman also can't get to the endpoint. So, when I saw your post, I thought maybe this will be the solution to my problem but just not sure if on the api side itself (in your example, apiman-echo), there is also some keycloak setup/config that needs to happen.
>>>
>>> I have been struggling to get this to work but maybe you can shed some light for me to understand whether what I'm doing even makes sense. Appreciate any help you can provide.
>>>
>>> Jeanette
>>>
>>> Jeanette U. Cabardo
>>> IT Planning & Innovation - Applied Technology
>>> Mail Room: 1131, Mail Code: BRN-1161A
>>> Merck Sharp & Dohme Corp.
>>> 3070 Route 22
>>> Branchburg, NJ 08876 USA
>>> 908-243-8818
>>> Email: jeanette_cabardo at merck.com

From jazz at sqmail.me Tue Mar 29 09:44:03 2016
From: jazz at sqmail.me (jazz)
Date: Tue, 29 Mar 2016 15:44:03 +0200
Subject: [Apiman-user] apiman using external keycloak and elasticsearch
Message-ID: <1459259043.4265.11.camel@sqmail.me>

Hi,

I would like to use apiman deployed on wildfly 10, without the included keycloak and elasticsearch instances.

keycloak (v1.9.1): localhost:8080/auth
elasticsearch (v2.2.1): localhost:9200
apiman (v1.2.3): localhost:8080/apiman

This guide got me started: http://www.apiman.io/latest/production-guide.html

I use the overlay: http://downloads.jboss.org/apiman/1.2.3.Final/apiman-distro-wildfly10-1.2.3.Final-overlay.zip

2016-03-29 11:41:01,770 ERROR [org.jboss.as.controller.management-operation] (DeploymentScanner-threads - 2) WFLYCTL0013: Operation ("full-replace-deployment") failed - address: ([]) - failure description:
{"WFLYCTL0288: One or more services were unable to start due to one or more indirect dependencies not being available." => {
    "Services that were unable to start:" => ["jboss.deployment.unit.\"apiman-gateway-engine-beans.jar\".PARSE"],
    "Services that may be the cause:" => [
        "jboss.module.spec.service.\"deployment.apiman-gateway-engine-beans.jar\".main",
        "jboss.remoting.remotingConnectorInfoService.http-remoting-connector",
        "module.resolved.service.\"deployment.apiman-gateway-api.war\".main",
        "module.resolved.service.\"deployment.apiman-gateway.war\".main"
    ]
}}

2016-03-29 12:05:47,782 ERROR [org.jboss.msc.service.fail] (MSC service thread 1-2) MSC000001: Failed to start service jboss.deployment.unit."apiman-gateway-api.war".STRUCTURE: org.jboss.msc.service.StartException in service jboss.deployment.unit."apiman-gateway-api.war".STRUCTURE: WFLYSRV0153: Failed to process phase STRUCTURE of deployment "apiman-gateway-api.war"

Deployment in the web console works fine for these wars
apiman.war
apimanui.war

The apiman-gateway.war and apiman-gateway-api.war fail.

Question: how to deploy apiman using external keycloak and elasticsearch instances running on the same host?

Thanks in advance for any pointers.

Regards, Bart

From eric.wittmann at redhat.com Tue Mar 29 11:54:29 2016
From: eric.wittmann at redhat.com (Eric Wittmann)
Date: Tue, 29 Mar 2016 11:54:29 -0400
Subject: [Apiman-user] apiman using external keycloak and elasticsearch
In-Reply-To: <1459259043.4265.11.camel@sqmail.me>
References: <1459259043.4265.11.camel@sqmail.me>
Message-ID: <56FAA535.40907@redhat.com>

Couple things here. First, we have not tested using Elasticsearch 2.x, so you should probably expect failures there. We currently only support 1.x (e.g. 1.7.2).

Next, in order to diagnose the startup problem, I need a bit more info. Can you send the full wildfly startup log? Can you also do a file listing here:

ls -al $WILDFLY/standalone/deployments

Thanks,

-Eric

On 3/29/2016 9:44 AM, jazz wrote:
> Hi,
>
> I would like to use apiman deployed on wildfly 10, without the included
> keycloak and elasticsearch instances.
>
> keycloak (v1.9.1): localhost:8080/auth
> elasticsearch (v2.2.1): localhost:9200
> apiman (v1.2.3): localhost:8080/apiman
>
> This guide got me started: http://www.apiman.io/latest/production-guide.html
>
> I use the overlay:
> http://downloads.jboss.org/apiman/1.2.3.Final/apiman-distro-wildfly10-1.2.3.Final-overlay.zip
>
> 2016-03-29 11:41:01,770 ERROR
> [org.jboss.as.controller.management-operation] (DeploymentScanner-threads
> - 2) WFLYCTL0013: Operation ("full-replace-deployment") failed -
> address: ([]) - failure description:
> {"WFLYCTL0288: One or more services were unable to start due to one or
> more indirect dependencies not being available." => {
> "Services that were unable to start:" =>
> ["jboss.deployment.unit.\"apiman-gateway-engine-beans.jar\".PARSE"],
> "Services that may be the cause:" => [
> "jboss.module.spec.service.\"deployment.apiman-gateway-engine-beans.jar\".main",
> "jboss.remoting.remotingConnectorInfoService.http-remoting-connector",
> "module.resolved.service.\"deployment.apiman-gateway-api.war\".main",
> "module.resolved.service.\"deployment.apiman-gateway.war\".main"
> ]
> }}
>
> 2016-03-29 12:05:47,782 ERROR [org.jboss.msc.service.fail] (MSC service
> thread 1-2) MSC000001: Failed to start service
> jboss.deployment.unit."apiman-gateway-api.war".STRUCTURE:
> org.jboss.msc.service.StartException in service
> jboss.deployment.unit."apiman-gateway-api.war".STRUCTURE: WFLYSRV0153:
> Failed to process phase STRUCTURE of deployment "apiman-gateway-api.war"
>
> Deployment in the web console works fine for these wars
> apiman.war
> apimanui.war
>
> The apiman-gateway.war and apiman-gateway-api.war fail.
>
> Question: how to deploy apiman using external keycloak and elasticsearch
> instances running on the same host?
>
> Thanks in advance for any pointers.
>
> Regards, Bart
>
> _______________________________________________
> Apiman-user mailing list
> Apiman-user at lists.jboss.org
> https://lists.jboss.org/mailman/listinfo/apiman-user
>

From jazz at sqmail.me Tue Mar 29 16:08:46 2016
From: jazz at sqmail.me (jazz)
Date: Tue, 29 Mar 2016 22:08:46 +0200
Subject: [Apiman-user] apiman using external keycloak and elasticsearch
In-Reply-To: <56FAA535.40907@redhat.com>
References: <1459259043.4265.11.camel@sqmail.me> <56FAA535.40907@redhat.com>
Message-ID: <1459282126.4265.15.camel@sqmail.me>

Hi Eric,

Thanks for the pointer. I am back to using apiman-es.war i.s.o elasticsearch 2.2.1

If the wars are started in this order it seems to work:
1. keycloak (separate server)
2. apiman & apimanui
3. apiman-es (this takes time), when finished start 4
4. apiman-gateway-engine-beans.jar
5. apiman-gateway
6. apiman-gateway-api

Now working to get keycloak working... I will post logs when I get stuck again.

Thanks!

Bart

On Tue, 2016-03-29 at 11:54 -0400, Eric Wittmann wrote:
> Couple things here. First, we have not tested using Elasticsearch 2.x, so you should probably expect failures there. We currently only support 1.x (e.g. 1.7.2).
>
> Next, in order to diagnose the startup problem, I need a bit more info. Can you send the full wildfly startup log? Can you also do a file listing here:
>
> ls -al $WILDFLY/standalone/deployments
>
> Thanks,
>
> -Eric
>
> On 3/29/2016 9:44 AM, jazz wrote:
> >
> > Hi,
> >
> > I would like to use apiman deployed on wildfly 10, without the included keycloak and elasticsearch instances.
> >
> > keycloak (v1.9.1): localhost:8080/auth
> > elasticsearch (v2.2.1): localhost:9200
> > apiman (v1.2.3): localhost:8080/apiman
> >
> > This guide got me started: http://www.apiman.io/latest/production-guide.html
> >
> > I use the overlay:
> > http://downloads.jboss.org/apiman/1.2.3.Final/apiman-distro-wildfly10-1.2.3.Final-overlay.zip
> >
> > 2016-03-29 11:41:01,770 ERROR
> > [org.jboss.as.controller.management-operation] (DeploymentScanner-threads
> > - 2) WFLYCTL0013: Operation ("full-replace-deployment") failed -
> > address: ([]) - failure description:
> > {"WFLYCTL0288: One or more services were unable to start due to one or
> > more indirect dependencies not being available." => {
> >     "Services that were unable to start:" =>
> > ["jboss.deployment.unit.\"apiman-gateway-engine-beans.jar\".PARSE"],
> >     "Services that may be the cause:" => [
> >         "jboss.module.spec.service.\"deployment.apiman-gateway-engine-beans.jar\".main",
> >         "jboss.remoting.remotingConnectorInfoService.http-remoting-connector",
> >         "module.resolved.service.\"deployment.apiman-gateway-api.war\".main",
> >         "module.resolved.service.\"deployment.apiman-gateway.war\".main"
> >     ]
> > }}
> >
> > 2016-03-29 12:05:47,782 ERROR [org.jboss.msc.service.fail] (MSC service
> > thread 1-2) MSC000001: Failed to start service
> > jboss.deployment.unit."apiman-gateway-api.war".STRUCTURE:
> > org.jboss.msc.service.StartException in service
> > jboss.deployment.unit."apiman-gateway-api.war".STRUCTURE: WFLYSRV0153:
> > Failed to process phase STRUCTURE of deployment "apiman-gateway-api.war"
> >
> > Deployment in the web console works fine for these wars
> > apiman.war
> > apimanui.war
> >
> > The apiman-gateway.war and apiman-gateway-api.war fail.
> >
> > Question: how to deploy apiman using external keycloak and elasticsearch
> > instances running on the same host?
> >
> > Thanks in advance for any pointers.
> >
> > Regards, Bart

From eric.wittmann at redhat.com Wed Mar 30 10:58:20 2016
From: eric.wittmann at redhat.com (Eric Wittmann)
Date: Wed, 30 Mar 2016 10:58:20 -0400
Subject: [Apiman-user] apiman using external keycloak and elasticsearch
In-Reply-To: <1459282126.4265.15.camel@sqmail.me>
References: <1459259043.4265.11.camel@sqmail.me> <56FAA535.40907@redhat.com> <1459282126.4265.15.camel@sqmail.me>
Message-ID: <56FBE98C.7050208@redhat.com>

OK that's reasonable. Honestly I don't know why you would have any problems with timing, unless you're trying to perform some sort of data import on startup.

Note that you can absolutely use an external, standalone elasticsearch instance (I do this all the time) - you'll just need to download an older version. For example:

https://www.elastic.co/downloads/past-releases/elasticsearch-1-7-5

-Eric

On 3/29/2016 4:08 PM, jazz wrote:
> Hi Eric,
>
> Thanks for the pointer. I am back to using apiman-es.war i.s.o
> elasticsearch 2.2.1
>
> If the wars are started in this order it seems to work:
> 1. keycloak (separate server)
> 2. apiman & apimanui
> 3. apiman-es (this takes time), when finished start 4
> 4. apiman-gateway-engine-beans.jar
> 5. apiman-gateway
> 6. apiman-gateway-api
>
> Now working to get keycloak working... I will post logs when I get stuck
> again.
>
> Thanks!
>
> Bart
>
> On Tue, 2016-03-29 at 11:54 -0400, Eric Wittmann wrote:
>> Couple things here. First, we have not tested using Elasticsearch 2.x,
>> so you should probably expect failures there. We currently only support
>> 1.x (e.g. 1.7.2).
>>
>> Next, in order to diagnose the startup problem, I need a bit more info.
>> Can you send the full wildfly startup log? Can you also do a file
>> listing here:
>>
>> ls -al $WILDFLY/standalone/deployments
>>
>> Thanks,
>>
>> -Eric
>>
>> On 3/29/2016 9:44 AM, jazz wrote:
>>>
>>> Hi,
>>>
>>> I would like to use apiman deployed on wildfly 10, without the included
>>> keycloak and elasticsearch instances.
>>>
>>> keycloak (v1.9.1): localhost:8080/auth
>>> elasticsearch (v2.2.1): localhost:9200
>>> apiman (v1.2.3): localhost:8080/apiman
>>>
>>> This guide got me started:
>>> http://www.apiman.io/latest/production-guide.html
>>>
>>> I use the overlay:
>>> http://downloads.jboss.org/apiman/1.2.3.Final/apiman-distro-wildfly10-1.2.3.Final-overlay.zip
>>>
>>> 2016-03-29 11:41:01,770 ERROR
>>> [org.jboss.as.controller.management-operation] (DeploymentScanner-threads
>>> - 2) WFLYCTL0013: Operation ("full-replace-deployment") failed -
>>> address: ([]) - failure description:
>>> {"WFLYCTL0288: One or more services were unable to start due to one or
>>> more indirect dependencies not being available." => {
>>> "Services that were unable to start:" =>
>>> ["jboss.deployment.unit.\"apiman-gateway-engine-beans.jar\".PARSE"],
>>> "Services that may be the cause:" => [
>>> "jboss.module.spec.service.\"deployment.apiman-gateway-engine-beans.jar\".main",
>>> "jboss.remoting.remotingConnectorInfoService.http-remoting-connector",
>>> "module.resolved.service.\"deployment.apiman-gateway-api.war\".main",
>>> "module.resolved.service.\"deployment.apiman-gateway.war\".main"
>>> ]
>>> }}
>>>
>>> 2016-03-29 12:05:47,782 ERROR [org.jboss.msc.service.fail] (MSC service
>>> thread 1-2) MSC000001: Failed to start service
>>> jboss.deployment.unit."apiman-gateway-api.war".STRUCTURE:
>>> org.jboss.msc.service.StartException in service
>>> jboss.deployment.unit."apiman-gateway-api.war".STRUCTURE: WFLYSRV0153:
>>> Failed to process phase STRUCTURE of deployment "apiman-gateway-api.war"
>>>
>>> Deployment in the web console works fine for these wars
>>> apiman.war
>>> apimanui.war
>>>
>>> The apiman-gateway.war and apiman-gateway-api.war fail.
>>>
>>> Question: how to deploy apiman using external keycloak and elasticsearch
>>> instances running on the same host?
>>>
>>> Thanks in advance for any pointers.
>>>
>>> Regards, Bart

From jazz at sqmail.me Thu Mar 31 02:38:51 2016
From: jazz at sqmail.me (jazz at sqmail.me)
Date: Thu, 31 Mar 2016 08:38:51 +0200
Subject: [Apiman-user] apiman using external keycloak and elasticsearch
In-Reply-To: <56FBE98C.7050208@redhat.com>
Message-ID: <20160331083851.Horde.rg6uNnscoE0yI1dWgZTxBBN@secure.sqmail.me>

OK, I'll try to use the older elasticsearch version.

The apiman-es.war is not ideal. It slows down deployment of other war's. During deployment an elasticsearch maintenance action is started.
Until it's finished no progress in the deployment sequence.

What got me stuck yesterday was that the apiman overlay includes keycloak as a module so it overwrites the keycloak version installed on wildfly (also as a module). Two versions using the same local H2 database doesn't work.

My experience so far with apiman, it works great, but the modularity could be improved:
1. Option to disable elasticsearch
2. Don't include keycloak in overlay
3. use cli files (like keycloak-install.cli)

Eric Wittmann - Wed., 30. March 2016 16:58

> OK that's reasonable. Honestly I don't know why you would have any problems with timing, unless you're trying to perform some sort of data import on startup.
>
> Note that you can absolutely use an external, standalone elasticsearch instance (I do this all the time) - you'll just need to download an older version. For example:
>
> www.elastic.co/downloads/past-releases/elasticsearch-1-7-5
>
> -Eric
>
> On 3/29/2016 4:08 PM, jazz wrote:
> > Hi Eric,
> >
> > Thanks for the pointer. I am back to using apiman-es.war i.s.o elasticsearch 2.2.1
> >
> > If the wars are started in this order it seems to work:
> > 1. keycloak (separate server)
> > 2. apiman & apimanui
> > 3. apiman-es (this takes time), when finished start 4
> > 4. apiman-gateway-engine-beans.jar
> > 5. apiman-gateway
> > 6. apiman-gateway-api
> >
> > Now working to get keycloak working... I will post logs when I get stuck again.
> >
> > Thanks!
> >
> > Bart
> >
> > On Tue, 2016-03-29 at 11:54 -0400, Eric Wittmann wrote:
> >> Couple things here. First, we have not tested using Elasticsearch 2.x, so you should probably expect failures there. We currently only support 1.x (e.g. 1.7.2).
> >>
> >> Next, in order to diagnose the startup problem, I need a bit more info. Can you send the full wildfly startup log?
> >> Can you also do a file listing here:
> >>
> >> ls -al $WILDFLY/standalone/deployments
> >>
> >> Thanks,
> >>
> >> -Eric
> >>
> >> On 3/29/2016 9:44 AM, jazz wrote:
> >>>
> >>> Hi,
> >>>
> >>> I would like to use apiman deployed on wildfly 10, without the included
> >>> keycloak and elasticsearch instances.
> >>>
> >>> keycloak (v1.9.1): localhost:8080/auth
> >>> elasticsearch (v2.2.1): localhost:9200
> >>> apiman (v1.2.3): localhost:8080/apiman
> >>>
> >>> This guide got me started:
> >>> www.apiman.io/latest/production-guide.html
> >>>
> >>> I use the overlay:
> >>> downloads.jboss.org/apiman/1.2.3.Final/apiman-distro-wildfly10-1.2.3.Final-overlay.zip
> >>>
> >>> 2016-03-29 11:41:01,770 ERROR
> >>> [org.jboss.as.controller.management-operation] (DeploymentScanner-threads
> >>> - 2) WFLYCTL0013: Operation ("full-replace-deployment") failed -
> >>> address: ([]) - failure description:
> >>> {"WFLYCTL0288: One or more services were unable to start due to one or
> >>> more indirect dependencies not being available." => {
> >>> "Services that were unable to start:" =>
> >>> ["jboss.deployment.unit.\"apiman-gateway-engine-beans.jar\".PARSE"],
> >>> "Services that may be the cause:" => [
> >>> "jboss.module.spec.service.\"deployment.apiman-gateway-engine-beans.jar\".main",
> >>> "jboss.remoting.remotingConnectorInfoService.http-remoting-connector",
> >>> "module.resolved.service.\"deployment.apiman-gateway-api.war\".main",
> >>> "module.resolved.service.\"deployment.apiman-gateway.war\".main"
> >>> ]
> >>> }}
> >>>
> >>> 2016-03-29 12:05:47,782 ERROR [org.jboss.msc.service.fail] (MSC service
> >>> thread 1-2) MSC000001: Failed to start service
> >>> jboss.deployment.unit."apiman-gateway-api.war".STRUCTURE:
> >>> org.jboss.msc.service.StartException in service
> >>> jboss.deployment.unit."apiman-gateway-api.war".STRUCTURE: WFLYSRV0153:
> >>> Failed to process phase STRUCTURE of deployment "apiman-gateway-api.war"
> >>>
> >>> Deployment in the web console works fine for these wars
> >>> apiman.war
> >>> apimanui.war
> >>>
> >>> The apiman-gateway.war and apiman-gateway-api.war fail.
> >>>
> >>> Question: how to deploy apiman using external keycloak and elasticsearch
> >>> instances running on the same host?
> >>>
> >>> Thanks in advance for any pointers.
> >>>
> >>> Regards, Bart

From jazz at sqmail.me Thu Mar 31 02:54:55 2016
From: jazz at sqmail.me (jazz at sqmail.me)
Date: Thu, 31 Mar 2016 08:54:55 +0200
Subject: [Apiman-user] apiman using external keycloak and elasticsearch
In-Reply-To: <20160331083851.Horde.rg6uNnscoE0yI1dWgZTxBBN@secure.sqmail.me>
Message-ID: <20160331085455.Horde.r4Bmxp6npsjaxp769X078sa@secure.sqmail.me>

I hit 'sent' too fast:

My experience so far with apiman, it works great, but the modularity could be improved:
1. Option to disable elasticsearch
2. Don't include keycloak in overlay
3. use cli files (like keycloak-install.cli) --> keycloak install works like this, remove apiman-ds.xml files for the datasource

I have one question: the standalone-apiman.xml file contains security-realms for each war. How do I know which credential secret is used for that particular war? It is not set in web.xml?

Regards, Bart

MIIBIjANBgkqhkiG9w0BAQEFAAOCAQ8AMIIBCgKCAQEAxyG61ohrfJQKNmDA/ePZtqZVpPXjwn3k3T+iWiTvMsxW2+WlnqIEmL5qZ09DMhBH9r50WZRO2gVoCb657Er9x0vfD6GNf/47XU2y33TX8axhP+hSwkv/VViaDlu4jQrfgPWz/FXMjWIZxg1xQS+nOBF2ScCRYWNQ/ZnUNnvrq8dGC2/AlyeYcgDUOdwlJuvgkGlF0QoVPQiRPurR3RwlG+BjL8JB3hbaAZhdJqwqApmGQbcpgLj2tODnlrZnEAp5cPPU/lgqCE1OOp78BAEiE91ZLPl/+D8qDHk+Maz0Io3bkeRZMXPpvtbL3qN+3GlF8Yz264HDSsTNrH+nd19tFQIDAQAB

/auth
none
false
preferred_username

apiman
apiman
5af5458f-0a96-4251-8f92-08ebcc3a8aa2
true
true
true

apiman
apimanui
722557fd-a725-4cc0-9dff-7d09c0c47038
true
true

apiman
apiman-gateway-api
217b725d-7790-47a7-a3fc-5cf31f92a8db
true
true
true

From eric.wittmann at redhat.com Thu Mar 31 10:28:46 2016
From: eric.wittmann at redhat.com (Eric Wittmann)
Date: Thu, 31 Mar 2016 10:28:46 -0400
Subject: [Apiman-user] apiman using external keycloak and elasticsearch
In-Reply-To: <20160331085455.Horde.r4Bmxp6npsjaxp769X078sa@secure.sqmail.me>
References: <20160331085455.Horde.r4Bmxp6npsjaxp769X078sa@secure.sqmail.me>
Message-ID: <56FD341E.20208@redhat.com>

Thanks for the feedback. I agree that we can definitely improve the modularity to better help people get set up in production. Perhaps some additional distributions that do not include all of the components. That's actually what we're going to be doing when we turn apiman into a Red Hat product (three separate ZIP distributions: all-in-one, gateway, manager).

As for your question - the secret that goes into standalone-apiman.xml actually comes from Keycloak.
When you create/configure the apiman clients in the apiman keycloak realm, if you mark them as "confidential" clients, then KC will generate a credential/secret for them. You have to copy that secret from the KC admin console into the standalone-apiman.xml file.

Alternatively you can define those secrets in your realm file so that they are pre-configured when keycloak starts up and bootstraps the new realm.

-Eric

On 3/31/2016 2:54 AM, jazz at sqmail.me wrote:
> I hit 'sent' too fast:
>
> My experience so far with apiman, it works great, but the modularity
> could be improved:
> 1. Option to disable elasticsearch
> 2. Don't include keycloak in overlay
> 3. use cli files (like keycloak-install.cli) --> keycloak install works
> like this, remove apiman-ds.xml files for the datasource
>
> I have one question: the standalone-apiman.xml file contains
> security-realms for each war. How do I know which credential secret is
> used for that particular war? It is not set in web.xml?
>
> Regards, Bart
>
> MIIBIjANBgkqhkiG9w0BAQEFAAOCAQ8AMIIBCgKCAQEAxyG61ohrfJQKNmDA/ePZtqZVpPXjwn3k3T+iWiTvMsxW2+WlnqIEmL5qZ09DMhBH9r50WZRO2gVoCb657Er9x0vfD6GNf/47XU2y33TX8axhP+hSwkv/VViaDlu4jQrfgPWz/FXMjWIZxg1xQS+nOBF2ScCRYWNQ/ZnUNnvrq8dGC2/AlyeYcgDUOdwlJuvgkGlF0QoVPQiRPurR3RwlG+BjL8JB3hbaAZhdJqwqApmGQbcpgLj2tODnlrZnEAp5cPPU/lgqCE1OOp78BAEiE91ZLPl/+D8qDHk+Maz0Io3bkeRZMXPpvtbL3qN+3GlF8Yz264HDSsTNrH+nd19tFQIDAQAB
>
> /auth
> none
> false
> preferred_username
>
> apiman
> apiman
> name="secret">5af5458f-0a96-4251-8f92-08ebcc3a8aa2
> true
> true
> true
>
> apiman
> apimanui
> name="secret">722557fd-a725-4cc0-9dff-7d09c0c47038
> true
> true
>
> apiman
> apiman-gateway-api
> name="secret">217b725d-7790-47a7-a3fc-5cf31f92a8db
> true
> true
> true
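Eric's answer above (the secret in standalone-apiman.xml is the one Keycloak generated for a confidential client, or the one preset in the realm file) can be checked mechanically. The following is an added example, not part of the thread or of apiman: it assumes a realm JSON file with `clients[].clientId`, `publicClient` and `secret`, and `secure-deployment` entries in the Keycloak subsystem XML; the sample data, `legacy.war` and every secret value are constructed.

```python
import hmac
import json
import xml.etree.ElementTree as ET

# Constructed sample inputs: realm file and subsystem XML with made-up secrets.
REALM_EXPORT = """
{
  "realm": "apiman",
  "clients": [
    {"clientId": "apiman", "publicClient": false, "secret": "constructed-secret-aaaa"},
    {"clientId": "apimanui", "publicClient": true},
    {"clientId": "apiman-gateway-api", "publicClient": false, "secret": "constructed-secret-bbbb"}
  ]
}
"""

KEYCLOAK_SUBSYSTEM = """
<subsystem xmlns="urn:jboss:domain:keycloak:1.1">
  <secure-deployment name="apiman.war">
    <realm>apiman</realm>
    <resource>apiman</resource>
    <credential name="secret">constructed-secret-aaaa</credential>
  </secure-deployment>
  <secure-deployment name="apimanui.war">
    <realm>apiman</realm>
    <resource>apimanui</resource>
  </secure-deployment>
  <secure-deployment name="apiman-gateway-api.war">
    <realm>apiman</realm>
    <resource>apiman-gateway-api</resource>
    <credential name="secret">constructed-stale-copy</credential>
  </secure-deployment>
  <secure-deployment name="legacy.war">
    <realm>apiman</realm>
    <resource>not-in-keycloak</resource>
  </secure-deployment>
</subsystem>
"""


def _local(tag):
    """Drop the '{namespace}' prefix so the subsystem version does not matter."""
    return tag.rsplit("}", 1)[-1]


def _child_text(elem, name):
    for child in elem:
        if _local(child.tag) == name:
            return (child.text or "").strip()
    return None


def read_deployments(xml_text):
    """Map each secure-deployment name to its realm, resource and secret."""
    deployments = {}
    for elem in ET.fromstring(xml_text.strip()).iter():
        if _local(elem.tag) != "secure-deployment":
            continue
        secret = None
        for child in elem:
            if _local(child.tag) == "credential" and child.get("name") == "secret":
                secret = (child.text or "").strip()
        deployments[elem.get("name")] = {
            "realm": _child_text(elem, "realm"),
            "resource": _child_text(elem, "resource"),
            "secret": secret,
        }
    return deployments


def audit(realm_json, xml_text):
    """Return a status per deployment; secret values are never returned."""
    realm = json.loads(realm_json)
    clients = {c["clientId"]: c for c in realm.get("clients", [])}
    report = {}
    for name, dep in read_deployments(xml_text).items():
        client = clients.get(dep["resource"])
        if dep["realm"] != realm.get("realm") or client is None:
            report[name] = "unknown-client"
        elif client.get("publicClient"):
            # Public clients have no secret, so none should be configured.
            report[name] = "secret-on-public-client" if dep["secret"] else "ok-public"
        elif not dep["secret"]:
            report[name] = "secret-missing"
        elif hmac.compare_digest(dep["secret"].encode(),
                                 client.get("secret", "").encode()):
            report[name] = "ok"
        else:
            report[name] = "secret-mismatch"
    return report


if __name__ == "__main__":
    for deployment, status in audit(REALM_EXPORT, KEYCLOAK_SUBSYSTEM).items():
        print(f"{deployment}: {status}")
```

Because both files hold client secrets in clear text, run such a check where they already live rather than copying them elsewhere.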