[Apiman-user] APIMAN MTLS struggles: ssuggestions

Marc Savy marc.savy at redhat.com
Wed May 18 09:17:32 EDT 2016 

Hi Amit,

I've just returned from a work trip abroad, but just to let you know I've
noticed this email and will address it in detail shortly.

We're always keen for high quality feedback, so thank you very much!

Regards,
Marc

On Tuesday, May 17, 2016, Amit Joshi <amit.joshi at markit.com> wrote:

> Hello,
>
>
>
> I have been following the information in the blog post:
> http://www.apiman.io/blog/gateway/security/mutual-auth/ssl/mtls/1.2.x/2016/01/22/mtls-mutual-auth-redux.html
>  but has a tough time. I had a simple Java test program that worked against
> the Api with setting the has a trust store etc. using system properties:
>
>
>
>         System.setProperty("javax.net.ssl.trustStore",
> System.getProperty("truststore.path"));
>
>         System.setProperty("javax.net.ssl.trustStorePassword",
> System.getProperty("keystore.password"));
>
>         System.setProperty("javax.net.ssl.keyStore",
> System.getProperty("keystore.path"));
>
>         System.setProperty("javax.net.ssl.keyStorePassword",
> System.getProperty("keystore.password"));
>
>         System.setProperty("javax.net.ssl.keyStoreType",
> System.getProperty("keystore.type"));
>
>
>
> However, when I try to do the same , but using APIMan (and setting the
> properties in the apiman.properties file) to gateway the API it fails as
> below. I tried setting the –Djavax.net.debug.all  (as suggested in the
> article) which gives a lot more in the logs but all I could see that looked
> relevant: “Warning: no suitable certificate found - continuing without
> client authentication” which made no sense since I have the correct cert
> and it works with the test program.
>
> I finally figured out the issue – the MTLS setup does not allow you to
> pass in the keyStoreType and my keystore was PKCS12 and not JKS.
>
>
>
> Couple of suggestions as a result:
>
> ·         Add the ability to set the keyStoreType so we won’t have to
> convert them
>
> ·         Also the stacktrace gets truncated in the output (see below)
> and its very difficult to diagnose what the problem is – something I think
> would have been minutes if I could have seen the message about not being
> able to load the keystore took hours.
>
> ·         Also I want to be able to automatically use different keystores
> based on the api or logged-in user or url etc. My thought was to extend the
> HttpConnectorFactory and override the TlsOptions. However the class has all
> the properties private with no getters/setters and so it is difficult to do
> so that. This means I have to pretty much make a copy of the class instead
> of just a custom extension . Would be good if the class had public or at
> least protected getters/setters there so I could override the keystore
> based on some rules..
>
>
>
> Results when running against apiman but with a pkcs12 keystore:
>
> Using the Advanced Rest Client app for Chrome. I see the following as a
> response
>
> X-Gateway-Error: Not connected.
>
> 500  Internal Server Error
>
> And the response looks as follows. Note that the message is generic “Not
> connected” and the stack trace is missing any information about why the
> connection failed.
>
>
>
> {
>
>   "responseCode": 500,
>
>   "message": "Not connected.",
>
>   "trace": "io.apiman.gateway.engine.beans.exceptions.ConnectorException:
> Not connected.\n\tat
> io.apiman.gateway.platforms.servlet.connectors.HttpApiConnection.write(HttpApiConnection.java:332)\n\tat
> io.apiman.gateway.engine.impl.ApiRequestExecutorImpl.lambda$null$1(ApiRequestExecutorImpl.java:234)\n\tat
> io.apiman.gateway.engine.io.AbstractStream.handleBody(AbstractStream.java:107)\n\tat
> io.apiman.gateway.engine.policy.Chain.write(Chain.java:181)\n\tat
> io.apiman.gateway.engine.impl.ApiRequestExecutorImpl$1.write(ApiRequestExecutorImpl.java:525)\n\tat
> io.apiman.gateway.platforms.servlet.GatewayServlet$2.handle(GatewayServlet.java:169)\n\tat
> io.apiman.gateway.platforms.servlet.GatewayServlet$2.handle(GatewayServlet.java:161)\n\tat
> io.apiman.gateway.engine.impl.ApiRequestExecutorImpl.handleStream(ApiRequestExecutorImpl.java:517)\n\tat
> io.apiman.gateway.engine.impl.ApiRequestExecutorImpl.lambda$null$3(ApiRequestExecutorImpl.java:243)\n\tat
> io.apiman.gateway.engine.policy.Chain.handleHead(Chain.java:211)\n\tat
> io.apiman.gateway.engine.policy.Chain.doApply(Chain.java:150)\n\tat
> io.apiman.gateway.engine.impl.ApiRequestExecutorImpl.lambda$execute$4(ApiRequestExecutorImpl.java:246)\n\tat
> io.apiman.gateway.engine.impl.ApiRequestExecutorImpl.loadPolicies(ApiRequestExecutorImpl.java:419)\n\tat
> io.apiman.gateway.engine.impl.ApiRequestExecutorImpl.lambda$execute$5(ApiRequestExecutorImpl.java:269)\n\tat
> io.apiman.gateway.engine.impl.SecureRegistryWrapper$1.handle(SecureRegistryWrapper.java:123)\n\tat
> io.apiman.gateway.engine.impl.SecureRegistryWrapper$1.handle(SecureRegistryWrapper.java:112)\n\tat
> io.apiman.gateway.engine.es.CachingESRegistry.getApi(CachingESRegistry.java:115)\n\tat
> io.apiman.gateway.engine.impl.SecureRegistryWrapper.getApi(SecureRegistryWrapper.java:112)\n\tat
> io.apiman.gateway.engine.impl.ApiRequestExecutorImpl.execute(ApiRequestExecutorImpl.java:252)\n\tat
> io.apiman.gateway.platforms.servlet.GatewayServlet.doAction(GatewayServlet.java:179)\n\tat
> io.apiman.gateway.platforms.servlet.GatewayServlet.service(GatewayServlet.java:79)\n\tat
> javax.servlet.http.HttpServlet.service(HttpServlet.java:790)\n\tat
> io.undertow.servlet.handlers.ServletHandler.handleRequest(ServletHandler.java:85)\n\tat
> io.undertow.servlet.handlers.security.ServletSecurityRoleHandler.handleRequest(ServletSecurityRoleHandler.java:62)\n\tat
> io.undertow.servlet.handlers.ServletDispatchingHandler.handleRequest(ServletDispatchingHandler.java:36)\n\tat
> org.wildfly.extension.undertow.security.SecurityContextAssociationHandler.handleRequest(SecurityContextAssociationHandler.java:78)\n\tat
> io.undertow.server.handlers.PredicateHandler.handleRequest(PredicateHandler.java:43)\n\tat
> io.undertow.servlet.handlers.security.SSLInformationAssociationHandler.handleRequest(SSLInformationAssociationHandler.java:131)\n\tat
> io.undertow.servlet.handlers.security.ServletAuthenticationCallHandler.handleRequest(ServletAuthenticationCallHandler.java:57)\n\tat
> io.undertow.server.handlers.PredicateHandler.handleRequest(PredicateHandler.java:43)\n\tat
> io.undertow.security.handlers.AbstractConfidentialityHandler.handleRequest(AbstractConfidentialityHandler.java:46)\n\tat
> io.undertow.servlet.handlers.security.ServletConfidentialityConstraintHandler.handleRequest(ServletConfidentialityConstraintHandler.java:64)\n\tat
> io.undertow.security.handlers.AuthenticationMechanismsHandler.handleRequest(AuthenticationMechanismsHandler.java:60)\n\tat
> io.undertow.servlet.handlers.security.CachedAuthenticatedSessionHandler.handleRequest(CachedAuthenticatedSessionHandler.java:77)\n\tat
> io.undertow.security.handlers.NotificationReceiverHandler.handleRequest(NotificationReceiverHandler.java:50)\n\tat
> io.undertow.security.handlers.AbstractSecurityContextAssociationHandler.handleRequest(AbstractSecurityContextAssociationHandler.java:43)\n\tat
> io.undertow.server.handlers.PredicateHandler.handleRequest(PredicateHandler.java:43)\n\tat
> org.wildfly.extension.undertow.security.jacc.JACCContextIdHandler.handleRequest(JACCContextIdHandler.java:61)\n\tat
> io.undertow.server.handlers.PredicateHandler.handleRequest(PredicateHandler.java:43)\n\tat
> io.undertow.server.handlers.PredicateHandler.handleRequest(PredicateHandler.java:43)\n\tat
> io.undertow.servlet.handlers.ServletInitialHandler.handleFirstRequest(ServletInitialHandler.java:284)\n\tat
> io.undertow.servlet.handlers.ServletInitialHandler.dispatchRequest(ServletInitialHandler.java:263)\n\tat
> io.undertow.servlet.handlers.ServletInitialHandler.access$000(ServletInitialHandler.java:81)\n\tat
> io.undertow.servlet.handlers.ServletInitialHandler$1.handleRequest(ServletInitialHandler.java:174)\n\tat
> io.undertow.server.Connectors.executeRootHandler(Connectors.java:202)\n\tat
> io.undertow.server.HttpServerExchange$1.run(HttpServerExchange.java:793)\n\tat
> java.util.concurrent.ThreadPoolExecutor.runWorker(ThreadPoolExecutor.java:1142)\n\tat
> java.util.concurrent.ThreadPoolExecutor$Worker.run(ThreadPoolExecutor.java:617)\n\tat
> java.lang.Thread.run(Thread.java:745)\nCaused by: java.io.IOException: Not
> connected.\n\tat
> io.apiman.gateway.platforms.servlet.connectors.HttpApiConnection.write(HttpApiConnection.java:319)\n\t...
> 48 more\n"
>
> }
>
>
>
> Regards,
>
>
>
> Amit Joshi
>
>
>
>
>
> ------------------------------
>
> This e-mail, including accompanying communications and attachments, is
> strictly confidential and only for the intended recipient. Any retention,
> use or disclosure not expressly authorised by Markit is prohibited. This
> email is subject to all waivers and other terms at the following link:
> http://www.markit.com/en/about/legal/email-disclaimer.page
>
> Please visit http://www.markit.com/en/about/contact/contact-us.page for
> contact information on our offices worldwide.
>
-------------- next part --------------
An HTML attachment was scrubbed...
URL: http://lists.jboss.org/pipermail/apiman-user/attachments/20160518/c1bdcd44/attachment-0001.html

More information about the Apiman-user mailing list