ow2-proactive / scheduling-portal

http://try.activeeon.com
GNU Affero General Public License v3.0

Authentication fails when HTTPS is enabled #279

Closed lpellegr closed 8 years ago

lpellegr commented 8 years ago

I have followed the explanations given in the documentation to configure the Scheduler so that Jetty serves requests using HTTPS.

In summary, I have edited config/web/settings.ini in order to set web.https to true.

Once done, the Scheduler and all services start properly. However, it is not possible to authenticate to RM or Scheduler Web portals (no error message in Scheduler logs).

[Screenshot 2016-02-28 16-54-56]

I remember that the unpacked WAR files associated with the RM and Scheduler Web apps contain configuration files. Consequently, I have tried to edit them:

After applying these configurations, the Scheduler starts but authentication is still not working (endless connection):

[Screenshot 2016-02-28 16-57-50]

When I look at the logs on Scheduler side, I get the following error message:

[2016-02-28 16:57:41,718 INFO  .p.s.a.SchedulerAuthentication] admin is trying to connect
[2016-02-28 16:57:41,718 INFO  .p.s.a.SchedulerAuthentication] User admin logged successfully
[2016-02-28 16:57:41,718 INFO  .p.s.a.SchedulerAuthentication] user : admin
[2016-02-28 16:57:41,719 INFO     o.o.p.s.c.SchedulingService] admin successfully connected !
[2016-02-28 16:57:41,727 INFO     o.o.p.s.c.SchedulingService] USER space for user admin is at [file:/home/lpellegr/Bureau/HODAC%20PoC/activeeon-pws-enterprise-7.3.1-windows-x64/data/defaultuser/admin, pappnp://leonard:64738/UserSpaces?proactive_vfs_provider_path=/admin]
[2016-02-28 16:57:41,836 WARN                      /scheduler] Exception while dispatching incoming RPC call
com.google.gwt.user.server.rpc.UnexpectedException: Service method 'public abstract java.lang.String org.ow2.proactive_grid_cloud_portal.scheduler.client.SchedulerService.getVersion() throws org.ow2.proactive_grid_cloud_portal.common.shared.RestServerException,org.ow2.proactive_grid_cloud_portal.common.shared.ServiceException' threw an unexpected exception: javax.ws.rs.ProcessingException: RESTEASY004655: Unable to invoke request
    at com.google.gwt.user.server.rpc.RPC.encodeResponseForFailure(RPC.java:415)
    at com.google.gwt.user.server.rpc.RPC.invokeAndEncodeResponse(RPC.java:605)
    at com.google.gwt.user.server.rpc.RemoteServiceServlet.processCall(RemoteServiceServlet.java:333)
    at com.google.gwt.user.server.rpc.RemoteServiceServlet.processCall(RemoteServiceServlet.java:303)
    at com.google.gwt.user.server.rpc.RemoteServiceServlet.processPost(RemoteServiceServlet.java:373)
    at com.google.gwt.user.server.rpc.AbstractRemoteServiceServlet.doPost(AbstractRemoteServiceServlet.java:62)
    at javax.servlet.http.HttpServlet.service(HttpServlet.java:707)
    at javax.servlet.http.HttpServlet.service(HttpServlet.java:790)
    at org.eclipse.jetty.servlet.ServletHolder.handle(ServletHolder.java:812)
    at org.eclipse.jetty.servlet.ServletHandler.doHandle(ServletHandler.java:587)
    at org.eclipse.jetty.server.handler.ScopedHandler.handle(ScopedHandler.java:143)
    at org.eclipse.jetty.security.SecurityHandler.handle(SecurityHandler.java:577)
    at org.eclipse.jetty.server.session.SessionHandler.doHandle(SessionHandler.java:223)
    at org.eclipse.jetty.server.handler.ContextHandler.doHandle(ContextHandler.java:1127)
    at org.eclipse.jetty.servlet.ServletHandler.doScope(ServletHandler.java:515)
    at org.eclipse.jetty.server.session.SessionHandler.doScope(SessionHandler.java:185)
    at org.eclipse.jetty.server.handler.ContextHandler.doScope(ContextHandler.java:1061)
    at org.eclipse.jetty.server.handler.ScopedHandler.handle(ScopedHandler.java:141)
    at org.eclipse.jetty.server.handler.HandlerList.handle(HandlerList.java:52)
    at org.eclipse.jetty.server.handler.HandlerWrapper.handle(HandlerWrapper.java:97)
    at org.eclipse.jetty.server.Server.handle(Server.java:499)
    at org.eclipse.jetty.server.HttpChannel.handle(HttpChannel.java:311)
    at org.eclipse.jetty.server.HttpConnection.onFillable(HttpConnection.java:257)
    at org.eclipse.jetty.io.AbstractConnection$2.run(AbstractConnection.java:544)
    at org.eclipse.jetty.util.thread.QueuedThreadPool.runJob(QueuedThreadPool.java:635)
    at org.eclipse.jetty.util.thread.QueuedThreadPool$3.run(QueuedThreadPool.java:555)
    at java.lang.Thread.run(Thread.java:745)
Caused by: javax.ws.rs.ProcessingException: RESTEASY004655: Unable to invoke request
    at org.jboss.resteasy.client.jaxrs.engines.ApacheHttpClient4Engine.invoke(ApacheHttpClient4Engine.java:287)
    at org.jboss.resteasy.client.jaxrs.internal.ClientInvocation.invoke(ClientInvocation.java:436)
    at org.jboss.resteasy.client.jaxrs.internal.proxy.ClientInvoker.invoke(ClientInvoker.java:102)
    at org.jboss.resteasy.client.jaxrs.internal.proxy.ClientProxy.invoke(ClientProxy.java:64)
    at com.sun.proxy.$Proxy253.getVersion(Unknown Source)
    at org.ow2.proactive_grid_cloud_portal.scheduler.server.SchedulerServiceImpl$26.apply(SchedulerServiceImpl.java:918)
    at org.ow2.proactive_grid_cloud_portal.scheduler.server.SchedulerServiceImpl$26.apply(SchedulerServiceImpl.java:915)
    at org.ow2.proactive_grid_cloud_portal.scheduler.server.SchedulerServiceImpl.executeFunctionReturnStreamAsString(SchedulerServiceImpl.java:1113)
    at org.ow2.proactive_grid_cloud_portal.scheduler.server.SchedulerServiceImpl.getVersion(SchedulerServiceImpl.java:915)
    at sun.reflect.NativeMethodAccessorImpl.invoke0(Native Method)
    at sun.reflect.NativeMethodAccessorImpl.invoke(NativeMethodAccessorImpl.java:62)
    at sun.reflect.DelegatingMethodAccessorImpl.invoke(DelegatingMethodAccessorImpl.java:43)
    at java.lang.reflect.Method.invoke(Method.java:498)
    at com.google.gwt.user.server.rpc.RPC.invokeAndEncodeResponse(RPC.java:587)
    ... 25 more
Caused by: javax.net.ssl.SSLHandshakeException: sun.security.validator.ValidatorException: PKIX path building failed: sun.security.provider.certpath.SunCertPathBuilderException: unable to find valid certification path to requested target
    at sun.security.ssl.Alerts.getSSLException(Alerts.java:192)
    at sun.security.ssl.SSLSocketImpl.fatal(SSLSocketImpl.java:1949)
    at sun.security.ssl.Handshaker.fatalSE(Handshaker.java:302)
    at sun.security.ssl.Handshaker.fatalSE(Handshaker.java:296)
    at sun.security.ssl.ClientHandshaker.serverCertificate(ClientHandshaker.java:1509)
    at sun.security.ssl.ClientHandshaker.processMessage(ClientHandshaker.java:216)
    at sun.security.ssl.Handshaker.processLoop(Handshaker.java:979)
    at sun.security.ssl.Handshaker.process_record(Handshaker.java:914)
    at sun.security.ssl.SSLSocketImpl.readRecord(SSLSocketImpl.java:1062)
    at sun.security.ssl.SSLSocketImpl.performInitialHandshake(SSLSocketImpl.java:1375)
    at sun.security.ssl.SSLSocketImpl.startHandshake(SSLSocketImpl.java:1403)
    at sun.security.ssl.SSLSocketImpl.startHandshake(SSLSocketImpl.java:1387)
    at org.apache.http.conn.ssl.SSLSocketFactory.connectSocket(SSLSocketFactory.java:535)
    at org.apache.http.conn.ssl.SSLSocketFactory.connectSocket(SSLSocketFactory.java:403)
    at org.apache.http.impl.conn.DefaultClientConnectionOperator.openConnection(DefaultClientConnectionOperator.java:177)
    at org.apache.http.impl.conn.ManagedClientConnectionImpl.open(ManagedClientConnectionImpl.java:304)
    at org.apache.http.impl.client.DefaultRequestDirector.tryConnect(DefaultRequestDirector.java:611)
    at org.apache.http.impl.client.DefaultRequestDirector.execute(DefaultRequestDirector.java:446)
    at org.apache.http.impl.client.AbstractHttpClient.doExecute(AbstractHttpClient.java:863)
    at org.apache.http.impl.client.CloseableHttpClient.execute(CloseableHttpClient.java:82)
    at org.apache.http.impl.client.CloseableHttpClient.execute(CloseableHttpClient.java:57)
    at org.jboss.resteasy.client.jaxrs.engines.ApacheHttpClient4Engine.invoke(ApacheHttpClient4Engine.java:283)
    ... 38 more
Caused by: sun.security.validator.ValidatorException: PKIX path building failed: sun.security.provider.certpath.SunCertPathBuilderException: unable to find valid certification path to requested target
    at sun.security.validator.PKIXValidator.doBuild(PKIXValidator.java:387)
    at sun.security.validator.PKIXValidator.engineValidate(PKIXValidator.java:292)
    at sun.security.validator.Validator.validate(Validator.java:260)
    at sun.security.ssl.X509TrustManagerImpl.validate(X509TrustManagerImpl.java:324)
    at sun.security.ssl.X509TrustManagerImpl.checkTrusted(X509TrustManagerImpl.java:229)
    at sun.security.ssl.X509TrustManagerImpl.checkServerTrusted(X509TrustManagerImpl.java:124)
    at sun.security.ssl.ClientHandshaker.serverCertificate(ClientHandshaker.java:1491)
    ... 55 more
Caused by: sun.security.provider.certpath.SunCertPathBuilderException: unable to find valid certification path to requested target
    at sun.security.provider.certpath.SunCertPathBuilder.build(SunCertPathBuilder.java:141)
    at sun.security.provider.certpath.SunCertPathBuilder.engineBuild(SunCertPathBuilder.java:126)
    at java.security.cert.CertPathBuilder.build(CertPathBuilder.java:280)
    at sun.security.validator.PKIXValidator.doBuild(PKIXValidator.java:382)
    ... 61 more
[2016-02-28 16:58:11,426 INFO            o.o.p.r.n.NodeSource] [LocalNodes] Pinging alive nodes

A quick search suggests it is a configuration issue on my side (e.g. a certificate that is not trusted). However, the documentation gives no explanation about how to solve such a problem.

The default HTTPS configuration with the provided keystore should work out of the box.

I performed the tests on Fedora 22 and OS X Yosemite with PWS 7.3.1 Enterprise version.

lpellegr commented 8 years ago

Java version used was 1.8.0_65-b17.

A direct call to the REST API with curl works as expected.

Since try is configured with HTTPS and everything works as expected, I suspect that the issue is due to the self-signed certificate or the Java version.

lpellegr commented 8 years ago

A quick analysis of the keystore that is used by default shows several problems: at least one certificate that has expired.

keytool -v -list -keystore /Users/lpellegr/Desktop/activeeon-pws-enterprise/config/web/keystore
Enter keystore password:  

Keystore type: JKS
Keystore provider: SUN

Your keystore contains 1 entry

Alias name: jetty
Creation date: Jul 8, 2014
Entry type: PrivateKeyEntry
Certificate chain length: 1
Certificate[1]:
Owner: CN=Unknown, OU=Unknown, O=Activeeon, L=Unknown, ST=Unknown, C=Unknown
Issuer: CN=Unknown, OU=Unknown, O=Activeeon, L=Unknown, ST=Unknown, C=Unknown
Serial number: 7668a1c6
Valid from: Tue Jul 08 12:59:41 BST 2014 until: Mon Oct 06 12:59:41 BST 2014
Certificate fingerprints:
     MD5:  53:5E:9B:B8:E9:00:80:84:94:48:28:77:46:23:A0:08
     SHA1: 5C:8B:D7:1A:1F:02:D7:9D:8F:EA:88:9C:25:A7:A1:DE:CB:59:19:44
     SHA256: CA:A0:E5:C4:E0:8C:93:BA:0A:42:02:9E:52:1B:C6:51:2C:51:D2:8E:CD:A2:C1:DF:4B:A7:41:4E:B5:94:44:31
     Signature algorithm name: SHA256withRSA
     Version: 3

Extensions: 

#1: ObjectId: 2.5.29.14 Criticality=false
SubjectKeyIdentifier [
KeyIdentifier [
0000: AB 0A 6C 20 BE E1 35 F8   2F 09 EE C8 B5 55 35 26  ..l ..5./....U5&
0010: C1 42 6B 91                                        .Bk.
]
]

*******************************************
*******************************************
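The listing above shows the two conditions that make the RESTEasy client inside the portal servlet (see the stack trace in the first comment) fail with "PKIX path building failed": the certificate is expired and it is self-signed with a chain length of 1, so the JVM's default truststore has no path to it. As an added example (not the project's code), here is a stdlib-only Python parser for `keytool -v -list` output that flags both conditions against a chosen reference time; the sample input is constructed from the listing quoted in this issue.

```python
from datetime import datetime
# Constructed sample (added example, not project code): the cert lines from the issue's keytool listing.
KEYTOOL_OUTPUT = """\
Alias name: jetty
Certificate chain length: 1
Certificate[1]:
Owner: CN=Unknown, OU=Unknown, O=Activeeon, L=Unknown, ST=Unknown, C=Unknown
Issuer: CN=Unknown, OU=Unknown, O=Activeeon, L=Unknown, ST=Unknown, C=Unknown
Valid from: Tue Jul 08 12:59:41 BST 2014 until: Mon Oct 06 12:59:41 BST 2014
"""
def parse_keytool_date(text):
    # Drop the zone token (e.g. BST); strptime only knows the local zone's abbreviations.
    parts = text.split()
    del parts[4]
    return datetime.strptime(" ".join(parts), "%a %b %d %H:%M:%S %Y")

def parse_entries(listing):
    """One dict per alias; Owner/Issuer/validity are taken from the leaf cert."""
    entries, cur = [], None
    for line in listing.splitlines():
        key, _, value = line.partition(": ")
        if key == "Alias name":
            cur = {"alias": value}
            entries.append(cur)
        elif cur is None:
            continue
        elif key == "Certificate chain length":
            cur["chain_length"] = int(value)
        elif key in ("Owner", "Issuer"):
            cur.setdefault(key.lower(), value)   # keep Certificate[1] only
        elif key == "Valid from" and "not_after" not in cur:
            start, end = value.split(" until: ")
            cur["not_before"] = parse_keytool_date(start)
            cur["not_after"] = parse_keytool_date(end)
    return entries

def audit(listing, now):
    """Map alias -> reasons a JVM client with the default truststore rejects it."""
    findings = {}
    for e in parse_entries(listing):
        problems = []
        if not e["not_before"] <= now <= e["not_after"]:
            problems.append("outside validity period")
        if e["owner"] == e["issuer"]:
            problems.append("self-signed")      # no path to a trusted CA
        if e["chain_length"] == 1:
            problems.append("no CA chain")
        findings[e["alias"]] = problems
    return findings
```

Run against the full `keytool -v -list` output of a real keystore, the same checks apply; a certificate that passes all three still needs its issuing CA in the truststore the portal JVM actually uses.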