My client program is to get the records from DynamoDb table. My binary is working as expected on host machine, but if I run the same binary in Linux container, it's returning this error:
Unable to connect to endpoint
Do I need to change anything in client code or container settings?
This might be a bit late, but in case someone else is trying to run AWS through docker, by default it checks the SSL certificates when it connects. So you need to initialise the AWS client configuration with:
Aws::Client::ClientConfiguration config;
config.verifySSL = false;
It might be an SSL issue, if you see exceptions and/or logs mentioning about some sort of SSL certificate or connection error.
The short summary is that your linux box need to trust Amazon's root CA, which you can test by visiting https://dynamodb.eu-west-3.amazonaws.com.
Here is more detailed documentation to diagnose and resolve certificate related issues: https://docs.aws.amazon.com/amazondynamodb/latest/developerguide/ats-certs.html
Related
I'm in the process of upgrading a java application. Originally, the application was built with jdk 8 and the server was jetty 9. Since upgrading to jetty 10 and jdk 11, I'm running into an issue when trying to make requests to our sql datasource. When the application attempts to query the database, it fails with the error:
java.sql.SQLException: Cannot create PoolableConnectionFactory
(The driver could not establish a secure connection to SQL Server by using Secure Sockets Layer (SSL) encryption. Error: "PKIX path building failed: sun.security.provider.certpath.SunCertPathBuilderException: unable to find valid certification path to requested target". ClientConnectionId:redacted)
at org.apache.commons.dbcp2.BasicDataSource.createPoolableConnectionFactory(BasicDataSource.java:653)
at org.apache.commons.dbcp2.BasicDataSource.createDataSource(BasicDataSource.java:531)
at org.apache.commons.dbcp2.BasicDataSource.getConnection(BasicDataSource.java:731)
at org.hibernate.engine.jdbc.connections.internal.DatasourceConnectionProviderImpl.getConnection(DatasourceConnectionProviderImpl.java:122)
at org.hibernate.engine.jdbc.env.internal.JdbcEnvironmentInitiator$ConnectionProviderJdbcConnectionAccess.obtainConnection(JdbcEnvironmentInitiator.java:181)
I understand that either the jetty server or the sql server are missing a security certificate, but I'm not sure what to do about it. I read through the documentation here:
https://www.eclipse.org/jetty/documentation/jetty-10/operations-guide/index.html#og-keystore but the sql server is a remote server that I don't have admin access to, so I'm not sure I can even do what they describe. Do I need to get the certificate and key from the sql server somehow? What am I missing here?
Your program is failing because it is trying to connect to an "unsecure" location, you have to connect to the destination manually, get the certificate/or certificates, install them into your local keystore, and restart your program.
Some instructions on how to do that can be gound here.
https://www.thesslstore.com/knowledgebase/ssl-install/jetty-java-http-servlet-webserver-ssl-installation/
If you connect to multiple locations, yes, you need to have an entry for each, unless that they have a wildcard certificate (a certificate that applies for all of them).
Alternatively! (not sure but handy) you can start the connection without enforcing certificate validation, in this case the connection will happen no matter is the destination is actually false, this is a security issue, but there are cases when this is needed, in fact, this happens a lot when you run balancers where they validate the certs for you and you connect in http to them, automatically the validation is getting dropped since most of those balancers won't fail to connect even if the validation fails, but this is a different topic!
Cheers.
I'm a web service client and I'm connecting to the web service through SSL.
It's a 2-way SSL and the producer has shared the certificate. I did run the InstallCert.java, got the alias and created a Keystore.
I'm using weblogic application server and I have placed my Keystore in it.
Now when I run it, I'm getting an error,
Caused by: java.lang.RuntimeException: java.lang.IllegalStateException:
TrustManagerFactoryImpl is not initialized
Before this I could see that it is trying to load the identity certificate and the private key. But as per standards the producer isn't willing to share the private key with us.
Any suggestion on this would be of great help to me. Thanks.
I resolved it.
I added my .cer file to cacerts which is referred by the weblogic server (Using keytool import). In the keystores section, I kept the default option (Demo identity and Demo trust). In the SSL section, I went to advanced, click on the checkbox ("Use JSSE SSL").
It worked.
I had this issue connecting to a MySQL database that requires SSL to connect.
It turns out, for me, the driver version needed to be updated in order to properly-handle the trust store configuration in the JDBC URL.
I'm trying to monitor my WLP v8.5.5 with JConsole.
My Liberty profile is up and running and has SSL properlly configured.
I also have configured as features the monitor-1.0 and restConnector-1.0.
After that I sftp'ed from my WLP the restConnector.jar to my machine and created a keystore on my machine as described here
After that I'm trying to start JConsole with this command:
jconsole -J-Djava.class.path="C:\Program Files\Java\jdk1.7.0_67\lib\jconsole.jar;
C:\Program Files\Java\jdk1.7.0_67\lib\tools.jar;
<whereIDownloaded>\restConnector.jar"
-J-Djavax.net.ssl.keyStore="<locationToCreated>\keystore.jks"
-J-Djavax.net.ssl.keyStorePassword=<password>
-J-Djavax.net.ssl.keyStoreType=jks
-J-Dcom.ibm.ws.jmx.connector.client.disableURLHostnameVerification=true
However, when I try to connect to my WLP via remote with the string:
service:jmx:rest://<ip>:<httpsPort>/IBMJMXConnectorREST
As a credential I'm passing a user configured on <administrator-role>.
I get a JConsole error saying:
Secure connection failed. Retry insecurely?
I don't get why I'm seeing this error, and I don't see any logs to see why it failed.
My next step if getting the keystore from WLP and try that on my machine but I don't think that makes much sense.
Does anyone have any suggestion on where should I look for logs or on that I'm doing wrong?
Thanks in advance!
Reference:
http://www-01.ibm.com/support/knowledgecenter/SSAW57_8.5.5/com.ibm.websphere.wlp.nd.doc/ae/twlp_mon.html?cp=SSAW57_8.5.5%2F1-3-11-0-6&lang=en
Ensure you don't have localConnector-1.0 feature. If you have that, please remove it. You can find more details here Remote monitoring of Liberty with Health Center. Although it discusses Health Center connection, I was testing using JConsole also.
UPDATE
You might be invoking console with incorrect params - it should be trustStore not keystore see below. And for start use key.jks copied from Liberty (as you need Liberty certificate as trusted)
jconsole -J-Djava.class.path=%JAVA_HOME%/lib/jconsole.jar;
%JAVA_HOME%/lib/tools.jar;
%WLP_HOME%/clients/restConnector.jar
-J-Djavax.net.ssl.trustStore=key.jks
-J-Djavax.net.ssl.trustStorePassword=Liberty
-J-Djavax.net.ssl.trustStoreType=jks
For details check Configuring secure JMX connection to the Liberty
As an additional note - you must not have a webAppSecurity entry with loginFormURL set in your server.xml as this will cause the JMX login to fail (e.g., <webAppSecurity loginFormURL="login.html"/> is problematic). Each individual WAR needs to set their own login-config and not rely on any global method of configuring logins.
`
I have a certificate which i need to pass along with the SOAP Request in JMeter.
I have edited the system.properites file to add
javax.net.ssl.keyStore= path to keystore file
javax.net.ssl.keyStorePassword=password
I am still getting the error You need valid client certificate from DHW to access page.
Am I missing somethig here?
The same request is working well from SOAP_UI.
There is a lot that can be going wrong here.
Here is my guess though...
The server is most likely setup for mutual authentication. You can test this by running your java client with the following system property: -Djavax.net.debug=ssl
You should see the ssl handshake and see if the server is requesting a client certificate or not. The messaging will be VERY verbose and you will have to diligently look though the log output to see what is actually occurring.
Hopefully, in the output you will see a list of Certificate Authorities (CAs) that the server trusts. Your client's certificate MUST be signed by one of these CAs. If not, the client won't even attempt to send its client certificate.
If you have access to the server, you can create your own CA and then sign the clients certificate with that new CA and that will work. I actually just did that yesterday. :D
The issue is resolved. I was giving only single backspace instead of two backspaces as per java conventions. It works fine with this minor modification.
When I try to connect to my EC2 server, using Netbeans(Git-Remote-Push), I get "incorrect credentials coonecting to repository at SSH://xx.xx.xxx.xx/git-repo"
In my ide.log, I get the following message:
"WARNING [org.netbeans.modules.progress.spi.InternalHandle]: Cannot call progress on a task that was never started at org.netbeans.modules.git.client.GitProgressSupport.setProgressMessage(GitProgressSupport.java:247)
INFO [org.netbeans.modules.git.ui.repository.remote.SelectUriStep]: Auth failed when accessing ssh://54.77.226.97/git-repo
com.jcraft.jsch.JSchException: Algorithm negotiation fail"
Steps I have taken to overcome the problem.
I can connect using git-bash OK
I have ussed ssh-keygen to generate the keys
I have downloaded JCE 8 unlimited strength policy files.
Any help much appreciated, thanks
"Algorithm negotiation fail" means that the SSH-Client implementation netbeans uses and the server implementation, cannot find a mutual algorithm to encrypt/compress.
Reason could be that an administrator doesn't want the server to support insecure or doubtful algorithms from now on. So you have to find an update for Netbeans.