manifoldcf-user mailing list archives

Site index · List index
Message view « Date » · « Thread »
Top « Date » · « Thread »
From Jörn Franke <jornfra...@gmail.com>
Subject Re: CSWS Connector : ServiceConstructionException: Failed to create service
Date Wed, 15 Jan 2020 06:19:51 GMT
Yes I am doing that but I will need to rebuild.
I don’t recommend TLSv1 - this is already outphased and will lock out TLSv1.2. I try TLS
only as it includes all TLS protocols (depends on JDK).

SSL will not be supported by this (however as I said there are other parts of the code where
there is a getInstance(TLS). And some caveats: On JDK6+7 TLS only means TLSv1 (and newer TLS
Protocols are deactivated) on JDK8 it means also that newer TLS protocols are enabled.
To be honest in my opinion - a SSL only one is a significant security hole and given how old
TLS support is JDK i would be surprised if there is someone using such a server (most Organisations
should switch to TLSv1.2 in any case as all protocols below have been broken). 
While it works for all JDKs - probably JDK8 should be recommended as it seems to have all
TLS protocols activated when using „TLS“. Older JDKs seem to deactivate TLSv1.1 and TLSv1.2
when using TLS. I will write more about this in the JIRA, once I verified that this solves
the problem. 
Then TLSv1.3 is JDK11 only - I will investigate what that implies.
Does ManifoldCf supports JDK11?

> Am 15.01.2020 um 00:08 schrieb Karl Wright <daddywri@gmail.com>:
> 
> 
> I think you can just change the code to read as follows when it creates the SSLContext:
> 
> SSLContext ctx = SSLContext.getInstance("TLSv1");
> 
> I don't know if TLS will downgrade to SSL if that's all that's available.
> 
> Karl
> 
> 
>> On Tue, Jan 14, 2020 at 6:02 PM Jörn Franke <jornfranke@gmail.com> wrote:
>> Yes it you do not change this setting as what I suspect happens here. See my previous
mail for details.
>> 
>>>> Am 14.01.2020 um 23:51 schrieb Karl Wright <daddywri@gmail.com>:
>>>> 
>>> 
>>> It looks looks TLS is actually enabled in the SSLSocketFactory framework based
on how you create the SSLSocketContext.  See:
>>> 
>>> https://docs.oracle.com/cd/E19698-01/816-7609/security-83/index.html 
>>> 
>>> Karl
>>>  
>>> 
>>>> On Tue, Jan 14, 2020 at 5:48 PM Karl Wright <daddywri@gmail.com> wrote:
>>>> The design of ManifoldCF deliberately manages keystores on a connection by
connection basis, not globally.  If you think the only way to implement TLS is via global
keystore I very much doubt it.
>>>> 
>>>> I am on the road until late tomorrow but somewhere along the line I can do
some research into why TLS won't work as we are currently doing it.
>>>> 
>>>> Karl
>>>> 
>>>> 
>>>>> On Tue, Jan 14, 2020 at 12:56 PM Jörn Franke <jornfranke@gmail.com>
wrote:
>>>>> These are TLS only. So maybe you have other servers where tls and ssl
are possible and it downgrades to ssl.however, this is speculation and I need to verify it.
I have to rebuilt manifold for that. Probably I have to reinstall everything as the keystorefactory
is a dependency in the connector.
>>>>> 
>>>>>>> Am 14.01.2020 um 18:34 schrieb Karl Wright <daddywri@gmail.com>:
>>>>>>> 
>>>>>> 
>>>>>> If you can recommend changes to support TLS, that would be great.
 The basic infrastructure should still work; it is just a custom keystone and associated SSLSocketFactory,
which I think also is used for TLS connections, unless I am missing something.
>>>>>> 
>>>>>>> On Tue, Jan 14, 2020, 9:38 AM Jörn Franke <jornfranke@gmail.com>
wrote:
>>>>>>> Yes this works fine. I believe the error comes from the fact
that TLS connections are not supported. 
>>>>>>> 
>>>>>>>>> Am 14.01.2020 um 15:31 schrieb Michael Cizmar <michael.cizmar@mcplusa.com>:
>>>>>>>>> 
>>>>>>>> 
>>>>>>>> If you want to test the url and the ssl, I would recommend
attempting using SSLPoke to confirm that they keystore is setup properly:
>>>>>>>> 
>>>>>>>>  
>>>>>>>> 
>>>>>>>> https://github.com/MichalHecko/SSLPoke
>>>>>>>> 
>>>>>>>>  
>>>>>>>> 
>>>>>>>> Michael
>>>>>>>> 
>>>>>>>>  
>>>>>>>> 
>>>>>>>> From: Karl Wright <daddywri@gmail.com>
>>>>>>>> Reply-To: "user@manifoldcf.apache.org" <user@manifoldcf.apache.org>
>>>>>>>> Date: Tuesday, January 14, 2020 at 7:21 AM
>>>>>>>> To: "user@manifoldcf.apache.org" <user@manifoldcf.apache.org>
>>>>>>>> Subject: Re: CSWS Connector : ServiceConstructionException:
Failed to create service
>>>>>>>> 
>>>>>>>>  
>>>>>>>> 
>>>>>>>> Hmm, others have succeeded setting up SSL connections with
the current code.  Hoping they chime in here.
>>>>>>>> 
>>>>>>>>  
>>>>>>>> 
>>>>>>>> Karl
>>>>>>>> 
>>>>>>>>  
>>>>>>>> 
>>>>>>>> On Tue, Jan 14, 2020, 8:19 AM Jörn Franke <jornfranke@gmail.com>
wrote:
>>>>>>>> 
>>>>>>>> It seems that it has indeed a certificate issue as it cannot
find a valid certification path to the target. The thing is: I added those certificates in
the UI should it should not happen.
>>>>>>>> 
>>>>>>>>  
>>>>>>>> 
>>>>>>>>  
>>>>>>>> 
>>>>>>>> 
>>>>>>>> 
>>>>>>>> 
>>>>>>>> Am 10.01.2020 um 20:51 schrieb Jörn Franke <jornfranke@gmail.com>:
>>>>>>>> 
>>>>>>>> 2.15 ...
>>>>>>>> 
>>>>>>>> I will try on the weekend to see if I can get some logs out
of it. 
>>>>>>>> 
>>>>>>>> 
>>>>>>>> 
>>>>>>>> 
>>>>>>>> Am 10.01.2020 um 19:02 schrieb Karl Wright <daddywri@gmail.com>:
>>>>>>>> 
>>>>>>>> Can I ask what version of MCF you are using?  There were
issues with SSL in the first release of the csws connector if I recall correctly, that were
fixed for the second release.
>>>>>>>> 
>>>>>>>>  
>>>>>>>> 
>>>>>>>> Karl
>>>>>>>> 
>>>>>>>>  
>>>>>>>> 
>>>>>>>>  
>>>>>>>> 
>>>>>>>> On Fri, Jan 10, 2020 at 11:42 AM Jörn Franke <jornfranke@gmail.com>
wrote:
>>>>>>>> 
>>>>>>>> I added root, intermediate and server certificate (in base64
cer, it seems to be recognized by manifoldcf), but I still get the same message. I will try
to get somehow the full stacktrace 
>>>>>>>> 
>>>>>>>> 
>>>>>>>> 
>>>>>>>> 
>>>>>>>> Am 10.01.2020 um 17:21 schrieb Karl Wright <daddywri@gmail.com>:
>>>>>>>> 
>>>>>>>> If you are using SSL you need to have the proper certificate
saved in the connection's keystore.
>>>>>>>> 
>>>>>>>> Karl
>>>>>>>> 
>>>>>>>>  
>>>>>>>> 
>>>>>>>>  
>>>>>>>> 
>>>>>>>> On Fri, Jan 10, 2020 at 11:20 AM Jörn Franke <jornfranke@gmail.com>
wrote:
>>>>>>>> 
>>>>>>>> It is actually a server using configuration of the command
- driven multi-process model (but the agents executed as a service and the war on a tomcat
executed as a service) under Linux.
>>>>>>>> 
>>>>>>>>  
>>>>>>>> 
>>>>>>>> I thought as well that it cannot reach the webservices, the
question is why. On the same server I can reach the webservices and fetch the WSDL without
issues.
>>>>>>>> 
>>>>>>>> Maybe sth related to ssl ?
>>>>>>>> 
>>>>>>>> 
>>>>>>>> 
>>>>>>>> 
>>>>>>>> Am 10.01.2020 um 14:59 schrieb Karl Wright <daddywri@gmail.com>:
>>>>>>>> 
>>>>>>>> How are you running manifoldcf?  Single process example,
or a custom setup of some kind?
>>>>>>>> 
>>>>>>>> This exception is a "catch all" exception generated far below
anything in ManifoldCF, but usually means it cannot download the WSDLs from the service. 
Getting the full exception dumped in the log requires a "hack" to the check() method of the
connector, but I'm pretty sure that's what's happening anyway.
>>>>>>>> 
>>>>>>>> Karl
>>>>>>>> 
>>>>>>>>  
>>>>>>>> 
>>>>>>>>  
>>>>>>>> 
>>>>>>>> On Fri, Jan 10, 2020 at 8:50 AM Jörn Franke <jornfranke@gmail.com>
wrote:
>>>>>>>> 
>>>>>>>> Hi,
>>>>>>>> 
>>>>>>>> I tried to use the CSWS connector, but already for the Authority
connection I receive a org.apache.cxf.service.factory.ServiceConstructionException: Failed
to create service.
>>>>>>>> 
>>>>>>>> Unfortunately I don’t see more details , also not in the
log (debug is activated). I try to get a little bit more output by modifying the connector,
but maybe someone has already an idea why this can happen?
>>>>>>>> 
>>>>>>>> Are there some special instructions to use it? The pointers
to the webservices are correct, I tested via Curl and SOAPUI.
>>>>>>>> 
>>>>>>>> 
>>>>>>>> Thank you.
>>>>>>>> Best regards

Mime
View raw message