manifoldcf-user mailing list archives

From Jörn Franke <jornfra...@gmail.com>
Subject Re: CSWS Connector : ServiceConstructionException: Failed to create service
Date Tue, 14 Jan 2020 23:01:27 GMT
I hope to test my assumption this week.
The reason is that if you look at line 404 

https://github.com/apache/manifoldcf/blob/trunk/framework/connector-common/src/main/java/org/apache/manifoldcf/connectorcommon/keystore/KeystoreManager.java

It creates an SSLContext with SSL-only support but no TLS.

That is why I assume that if you add custom CAs it always downgrades to SSL, and if you have
a custom CA and TLS only it will not work.
The same issue is for the Solr connector - however if you do not specify CAs there then the
certificate is not validated and the default protocol set of the JDK is used (which includes
TLS).

It is just an assumption that needs to be tested. 
While I cannot be sure that this is exactly the problem I face - this line looks strange and
should be checked. Maybe it is harmless.

A similar line was in the gts connector. Maybe if one searches we find others. E.g. I also found
a line where there is TLS mentioned instead of SSL.

> On 14.01.2020 at 23:48, Karl Wright <daddywri@gmail.com> wrote:
> 
> The design of ManifoldCF deliberately manages keystores on a connection by connection
> basis, not globally.  If you think the only way to implement TLS is via global keystore I
> very much doubt it.
> 
> I am on the road until late tomorrow but somewhere along the line I can do some research
> into why TLS won't work as we are currently doing it.
> 
> Karl
> 
> 
>> On Tue, Jan 14, 2020 at 12:56 PM Jörn Franke <jornfranke@gmail.com> wrote:
>> These are TLS only. So maybe you have other servers where TLS and SSL are possible
>> and it downgrades to SSL. However, this is speculation and I need to verify it. I have to rebuild
>> manifold for that. Probably I have to reinstall everything as the keystorefactory is a dependency
>> in the connector.
>> 
>>>> On 14.01.2020 at 18:34, Karl Wright <daddywri@gmail.com> wrote:
>>>> 
>>> 
>>> If you can recommend changes to support TLS, that would be great.  The basic
>>> infrastructure should still work; it is just a custom keystore and associated SSLSocketFactory,
>>> which I think also is used for TLS connections, unless I am missing something.
>>> 
>>>> On Tue, Jan 14, 2020, 9:38 AM Jörn Franke <jornfranke@gmail.com> wrote:
>>>> Yes this works fine. I believe the error comes from the fact that TLS connections
>>>> are not supported.
>>>> 
>>>>>> On 14.01.2020 at 15:31, Michael Cizmar <michael.cizmar@mcplusa.com> wrote:
>>>>>> 
>>>>> 
>>>>> If you want to test the URL and the SSL, I would recommend attempting
>>>>> using SSLPoke to confirm that the keystore is set up properly:
>>>>> 
>>>>> https://github.com/MichalHecko/SSLPoke
>>>>> 
>>>>> Michael
>>>>> 
>>>>> From: Karl Wright <daddywri@gmail.com>
>>>>> Reply-To: "user@manifoldcf.apache.org" <user@manifoldcf.apache.org>
>>>>> Date: Tuesday, January 14, 2020 at 7:21 AM
>>>>> To: "user@manifoldcf.apache.org" <user@manifoldcf.apache.org>
>>>>> Subject: Re: CSWS Connector : ServiceConstructionException: Failed to create service
>>>>> 
>>>>> Hmm, others have succeeded setting up SSL connections with the current
>>>>> code.  Hoping they chime in here.
>>>>> 
>>>>> Karl
>>>>> 
>>>>> On Tue, Jan 14, 2020, 8:19 AM Jörn Franke <jornfranke@gmail.com> wrote:
>>>>> 
>>>>> It seems that it has indeed a certificate issue as it cannot find a valid
>>>>> certification path to the target. The thing is: I added those certificates in the UI so
>>>>> it should not happen.
>>>>> 
>>>>> On 10.01.2020 at 20:51, Jörn Franke <jornfranke@gmail.com> wrote:
>>>>> 
>>>>> 2.15 ...
>>>>> 
>>>>> I will try on the weekend to see if I can get some logs out of it.
>>>>> 
>>>>> On 10.01.2020 at 19:02, Karl Wright <daddywri@gmail.com> wrote:
>>>>> 
>>>>> Can I ask what version of MCF you are using?  There were issues with
>>>>> SSL in the first release of the csws connector if I recall correctly, that were fixed for
>>>>> the second release.
>>>>> 
>>>>> Karl
>>>>> 
>>>>> On Fri, Jan 10, 2020 at 11:42 AM Jörn Franke <jornfranke@gmail.com> wrote:
>>>>> 
>>>>> I added root, intermediate and server certificate (in base64 cer, it
>>>>> seems to be recognized by manifoldcf), but I still get the same message. I will try to get
>>>>> somehow the full stacktrace
>>>>> 
>>>>> On 10.01.2020 at 17:21, Karl Wright <daddywri@gmail.com> wrote:
>>>>> 
>>>>> If you are using SSL you need to have the proper certificate saved in
>>>>> the connection's keystore.
>>>>> 
>>>>> Karl
>>>>> 
>>>>> On Fri, Jan 10, 2020 at 11:20 AM Jörn Franke <jornfranke@gmail.com> wrote:
>>>>> 
>>>>> It is actually a server using configuration of the command-driven multi-process
>>>>> model (but the agents executed as a service and the war on a tomcat executed as a service)
>>>>> under Linux.
>>>>> 
>>>>> I thought as well that it cannot reach the webservices, the question
>>>>> is why. On the same server I can reach the webservices and fetch the WSDL without issues.
>>>>> 
>>>>> Maybe something related to SSL?
>>>>> 
>>>>> On 10.01.2020 at 14:59, Karl Wright <daddywri@gmail.com> wrote:
>>>>> 
>>>>> How are you running manifoldcf?  Single process example, or a custom
>>>>> setup of some kind?
>>>>> 
>>>>> This exception is a "catch all" exception generated far below anything
>>>>> in ManifoldCF, but usually means it cannot download the WSDLs from the service.  Getting the
>>>>> full exception dumped in the log requires a "hack" to the check() method of the connector,
>>>>> but I'm pretty sure that's what's happening anyway.
>>>>> 
>>>>> Karl
>>>>> 
>>>>> On Fri, Jan 10, 2020 at 8:50 AM Jörn Franke <jornfranke@gmail.com> wrote:
>>>>> 
>>>>> Hi,
>>>>> 
>>>>> I tried to use the CSWS connector, but already for the Authority connection
>>>>> I receive a org.apache.cxf.service.factory.ServiceConstructionException: Failed to create
>>>>> service.
>>>>> 
>>>>> Unfortunately I don’t see more details, also not in the log (debug
>>>>> is activated). I try to get a little bit more output by modifying the connector, but maybe
>>>>> someone has already an idea why this can happen?
>>>>> 
>>>>> Are there some special instructions to use it? The pointers to the webservices
>>>>> are correct, I tested via Curl and SOAPUI.
>>>>> 
>>>>> 
>>>>> Thank you.
>>>>> Best regards
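
An added diagnostic, not part of the original message or of ManifoldCF, for testing the assumption at the top of this message: it builds an SSLContext from a custom trust store under both the "SSL" and the "TLS" name and reports which protocol versions the running JRE enables for each, which depends on the JSSE provider in use. The class name and command-line arguments are hypothetical; the trust store file is assumed to be in a format the JDK's default keystore type can read.

```java
import java.io.FileInputStream;
import java.io.InputStream;
import java.security.KeyStore;
import java.util.Arrays;
import javax.net.ssl.SSLContext;
import javax.net.ssl.SSLSocket;
import javax.net.ssl.TrustManagerFactory;

// Added diagnostic, not ManifoldCF code. Class name and arguments are hypothetical.
// Usage: java ContextProtocolCheck [truststore password [host port]]
public class ContextProtocolCheck {

    // Custom trust store -> TrustManagerFactory -> SSLContext.getInstance(name).
    static SSLContext build(String name, KeyStore trust) throws Exception {
        TrustManagerFactory tmf =
            TrustManagerFactory.getInstance(TrustManagerFactory.getDefaultAlgorithm());
        tmf.init(trust);
        SSLContext ctx = SSLContext.getInstance(name);
        ctx.init(null, tmf.getTrustManagers(), null);
        return ctx;
    }

    public static void main(String[] args) throws Exception {
        KeyStore trust = KeyStore.getInstance(KeyStore.getDefaultType());
        if (args.length >= 2) {
            try (InputStream in = new FileInputStream(args[0])) {
                trust.load(in, args[1].toCharArray());
            }
        } else {
            trust.load(null, null); // empty in-memory store: enough to list protocols
        }
        for (String name : new String[] {"SSL", "TLS"}) {
            SSLContext ctx = build(name, trust);
            System.out.println(name + " provider=" + ctx.getProvider().getName()
                + " enabled=" + Arrays.toString(ctx.getDefaultSSLParameters().getProtocols())
                + " supported=" + Arrays.toString(ctx.getSupportedSSLParameters().getProtocols()));
            if (args.length >= 4) { // optional live handshake against the given endpoint
                try (SSLSocket s = (SSLSocket) ctx.getSocketFactory()
                        .createSocket(args[2], Integer.parseInt(args[3]))) {
                    s.startHandshake();
                    System.out.println("  negotiated " + s.getSession().getProtocol());
                } catch (java.io.IOException e) {
                    System.out.println("  handshake failed: " + e);
                }
            }
        }
    }
}
```

Run it with the same JRE that runs the ManifoldCF agents, since the enabled protocol set also depends on that JRE's security configuration.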
