<?xml version="1.0" encoding="UTF-8"?>
<rss xmlns:content="http://purl.org/rss/1.0/modules/content/" xmlns:dc="http://purl.org/dc/elements/1.1/" xmlns:rdf="http://www.w3.org/1999/02/22-rdf-syntax-ns#" xmlns:taxo="http://purl.org/rss/1.0/modules/taxonomy/" version="2.0">
  <channel>
    <title>question Re: Getting SSLHandshakeException With Apache Nifi ConsumeJMS using JNDI Configurations in Support Questions</title>
    <link>https://community.cloudera.com/t5/Support-Questions/Getting-SSLHandshakeException-With-Apache-Nifi-ConsumeJMS/m-p/391531#M247658</link>
    <description>&lt;P&gt;&lt;SPAN&gt;&amp;nbsp;&lt;/SPAN&gt;&lt;A href="https://community.cloudera.com/t5/user/viewprofilepage/user-id/80381" target="_blank"&gt;@SAMSAL&lt;/A&gt;&lt;SPAN&gt;&amp;nbsp;&lt;/SPAN&gt;&lt;A href="https://community.cloudera.com/t5/user/viewprofilepage/user-id/35454" target="_blank"&gt;@MattWho&lt;/A&gt;&lt;SPAN&gt;&amp;nbsp;&lt;/SPAN&gt;&lt;A href="https://community.cloudera.com/t5/user/viewprofilepage/user-id/38301" target="_blank"&gt;@mburgess&lt;/A&gt;&amp;nbsp;Please suggest what I should try to fix this issue.&lt;/P&gt;</description>
    <pubDate>Thu, 08 Aug 2024 09:29:29 GMT</pubDate>
    <dc:creator>akash007</dc:creator>
    <dc:date>2024-08-08T09:29:29Z</dc:date>
    <item>
      <title>Getting SSLHandshakeException With Apache Nifi ConsumeJMS using JNDI Configurations</title>
      <link>https://community.cloudera.com/t5/Support-Questions/Getting-SSLHandshakeException-With-Apache-Nifi-ConsumeJMS/m-p/391530#M247657</link>
      <description>&lt;P&gt;&lt;SPAN&gt;Hi, we are configuring the ConsumeJMS processor using a JNDI controller service and ConsumeJMS properties, as shown here.&lt;/SPAN&gt;&lt;/P&gt;&lt;P&gt;&lt;SPAN&gt;&lt;span class="lia-inline-image-display-wrapper lia-image-align-inline" image-alt="image.png" style="width: 999px;"&gt;&lt;img src="https://community.cloudera.com/t5/image/serverpage/image-id/41397i9323D2A55272E147/image-size/large?v=v2&amp;amp;px=999" role="button" title="image.png" alt="image.png" /&gt;&lt;/span&gt;&lt;span class="lia-inline-image-display-wrapper lia-image-align-inline" image-alt="image.png" style="width: 999px;"&gt;&lt;img src="https://community.cloudera.com/t5/image/serverpage/image-id/41398iDB229E73F8DCEAF7/image-size/large?v=v2&amp;amp;px=999" role="button" title="image.png" alt="image.png" /&gt;&lt;/span&gt;&lt;BR /&gt;The controller service configurations are as follows.&lt;/SPAN&gt;&lt;/P&gt;&lt;P&gt;&lt;SPAN&gt;&lt;span class="lia-inline-image-display-wrapper lia-image-align-inline" image-alt="image.png" style="width: 999px;"&gt;&lt;img src="https://community.cloudera.com/t5/image/serverpage/image-id/41399i6284309208D22A33/image-size/large?v=v2&amp;amp;px=999" role="button" title="image.png" alt="image.png" /&gt;&lt;/span&gt;&lt;BR /&gt;This works perfectly in the test pod, but when we deploy the same changes to a pod on another server in a different environment, we get the following error.&lt;BR /&gt;&lt;/SPAN&gt;&lt;/P&gt;&lt;LI-CODE lang="java"&gt;o.apache.nifi.jms.processors.ConsumeJMS ConsumeJMS[id=xxxxxxxxxxxx] Failed to initialize JMS Connection Factory: sun.security.provider.certpath.SunCertPathBuilderException: unable to find valid certification path to requested target
↳ causes: sun.security.validator.ValidatorException: PKIX path building failed: sun.security.provider.certpath.SunCertPathBuilderException: unable to find valid certification path to requested target
↳ causes: javax.net.ssl.SSLHandshakeException: PKIX path building failed: sun.security.provider.certpath.SunCertPathBuilderException: unable to find valid certification path to requested target
↳ causes: javax.naming.CommunicationException: WFNAM00018: Failed to connect to remote host [Root exception is javax.net.ssl.SSLHandshakeException: PKIX path building failed: sun.security.provider.certpath.SunCertPathBuilderException: unable to find valid certification path to requested target]
↳ causes: org.apache.nifi.processor.exception.ProcessException: Could not obtain JMS Connection Factory from JNDI"}
org.apache.nifi.processor.exception.ProcessException: Could not obtain JMS Connection Factory from JNDI
    at org.apache.nifi.jms.cf.JndiJmsConnectionFactoryHandler.lookupConnectionFactory(JndiJmsConnectionFactoryHandler.java:154)
    at org.apache.nifi.jms.cf.JndiJmsConnectionFactoryHandler.getConnectionFactory(JndiJmsConnectionFactoryHandler.java:78)
    at org.apache.nifi.jms.cf.JndiJmsConnectionFactoryProvider.getConnectionFactory(JndiJmsConnectionFactoryProvider.java:68)
    at jdk.internal.reflect.GeneratedMethodAccessor170.invoke(Unknown Source)
    at java.base/jdk.internal.reflect.DelegatingMethodAccessorImpl.invoke(DelegatingMethodAccessorImpl.java:43)
    at java.base/java.lang.reflect.Method.invoke(Method.java:566)
    at org.apache.nifi.controller.service.StandardControllerServiceInvocationHandler.invoke(StandardControllerServiceInvocationHandler.java:254)
    at org.apache.nifi.controller.service.StandardControllerServiceInvocationHandler.invoke(StandardControllerServiceInvocationHandler.java:105)
    at com.sun.proxy.$Proxy176.getConnectionFactory(Unknown Source)
    at org.apache.nifi.jms.processors.AbstractJMSProcessor.buildTargetResource(AbstractJMSProcessor.java:284)
    at org.apache.nifi.jms.processors.AbstractJMSProcessor.onTrigger(AbstractJMSProcessor.java:184)
    at org.apache.nifi.processor.AbstractProcessor.onTrigger(AbstractProcessor.java:27)
    at org.apache.nifi.controller.StandardProcessorNode.onTrigger(StandardProcessorNode.java:1202)
    at org.apache.nifi.controller.tasks.ConnectableTask.invoke(ConnectableTask.java:214)
    at org.apache.nifi.controller.scheduling.TimerDrivenSchedulingAgent$1.run(TimerDrivenSchedulingAgent.java:103)
    at org.apache.nifi.engine.FlowEngine$2.run(FlowEngine.java:110)
    at java.base/java.util.concurrent.Executors$RunnableAdapter.call(Executors.java:515)
    at java.base/java.util.concurrent.FutureTask.runAndReset(FutureTask.java:305)
    at java.base/java.util.concurrent.ScheduledThreadPoolExecutor$ScheduledFutureTask.run(ScheduledThreadPoolExecutor.java:305)
    at java.base/java.util.concurrent.ThreadPoolExecutor.runWorker(ThreadPoolExecutor.java:1128)
    at java.base/java.util.concurrent.ThreadPoolExecutor$Worker.run(ThreadPoolExecutor.java:628)
    at java.base/java.lang.Thread.run(Thread.java:829)
Caused by: javax.naming.CommunicationException: WFNAM00018: Failed to connect to remote host
    at org.wildfly.naming.client.remote.RemoteNamingProvider.getPeerIdentityForNaming(RemoteNamingProvider.java:110)
    at org.wildfly.naming.client.remote.RemoteNamingProvider.getPeerIdentityForNaming(RemoteNamingProvider.java:53)
    at org.wildfly.naming.client.NamingProvider.getPeerIdentityForNamingUsingRetry(NamingProvider.java:103)
    at org.wildfly.naming.client.remote.RemoteNamingProvider.getPeerIdentityForNamingUsingRetry(RemoteNamingProvider.java:91)
    at org.wildfly.naming.client.remote.RemoteContext.lambda$lookupNative$0(RemoteContext.java:189)
    at org.wildfly.naming.client.NamingProvider.performExceptionAction(NamingProvider.java:220)
    at org.wildfly.naming.client.remote.RemoteContext.performWithRetry(RemoteContext.java:100)
    at org.wildfly.naming.client.remote.RemoteContext.lookupNative(RemoteContext.java:188)
    at org.wildfly.naming.client.AbstractFederatingContext.lookup(AbstractFederatingContext.java:74)
    at org.wildfly.naming.client.AbstractFederatingContext.lookup(AbstractFederatingContext.java:60)
    at org.wildfly.naming.client.WildFlyRootContext.lookup(WildFlyRootContext.java:144)
    at java.naming/javax.naming.InitialContext.lookup(InitialContext.java:409)
    at org.apache.nifi.jms.cf.JndiJmsConnectionFactoryHandler.lookupConnectionFactory(JndiJmsConnectionFactoryHandler.java:100)
    ... 21 common frames omitted
Caused by: javax.net.ssl.SSLHandshakeException: PKIX path building failed: sun.security.provider.certpath.SunCertPathBuilderException: unable to find valid certification path to requested target
    at java.base/sun.security.ssl.Alert.createSSLException(Alert.java:131)
    at java.base/sun.security.ssl.TransportContext.fatal(TransportContext.java:353)
    at java.base/sun.security.ssl.TransportContext.fatal(TransportContext.java:296)
    at java.base/sun.security.ssl.TransportContext.fatal(TransportContext.java:291)
    at java.base/sun.security.ssl.CertificateMessage$T12CertificateConsumer.checkServerCerts(CertificateMessage.java:654)
    at java.base/sun.security.ssl.CertificateMessage$T12CertificateConsumer.onCertificate(CertificateMessage.java:473)
    at java.base/sun.security.ssl.CertificateMessage$T12CertificateConsumer.consume(CertificateMessage.java:369)
    at java.base/sun.security.ssl.SSLHandshake.consume(SSLHandshake.java:392)
    at java.base/sun.security.ssl.HandshakeContext.dispatch(HandshakeContext.java:443)
    at java.base/sun.security.ssl.SSLEngineImpl$DelegatedTask$DelegatedAction.run(SSLEngineImpl.java:1074)
    at java.base/sun.security.ssl.SSLEngineImpl$DelegatedTask$DelegatedAction.run(SSLEngineImpl.java:1061)
    at java.base/java.security.AccessController.doPrivileged(Native Method)
    at java.base/sun.security.ssl.SSLEngineImpl$DelegatedTask.run(SSLEngineImpl.java:1008)
    at org.xnio.ssl.JsseSslConduitEngine.handleHandshake(JsseSslConduitEngine.java:549)
    at org.xnio.ssl.JsseSslConduitEngine.wrap(JsseSslConduitEngine.java:244)
    at org.xnio.ssl.JsseSslStreamSinkConduit.write(JsseSslStreamSinkConduit.java:113)
    at org.xnio.ssl.JsseSslStreamSinkConduit.write(JsseSslStreamSinkConduit.java:77)
    at org.xnio.conduits.ConduitStreamSinkChannel.write(ConduitStreamSinkChannel.java:154)
    at org.jboss.remoting3.remote.RemoteConnection$RemoteWriteListener.handleEvent(RemoteConnection.java:264)
    at org.jboss.remoting3.remote.RemoteConnection$RemoteWriteListener.handleEvent(RemoteConnection.java:243)
    at org.xnio.ChannelListeners.invokeChannelListener(ChannelListeners.java:92)
    at org.xnio.conduits.WriteReadyHandler$ChannelListenerHandler.writeReady(WriteReadyHandler.java:65)
    at org.xnio.nio.NioSocketConduit.handleReady(NioSocketConduit.java:94)
    at org.xnio.nio.WorkerThread.run(WorkerThread.java:591)
    at ...asynchronous invocation...(Unknown Source)
    at org.jboss.remoting3.EndpointImpl.connect(EndpointImpl.java:599)
    at org.jboss.remoting3.EndpointImpl.connect(EndpointImpl.java:565)
    at org.jboss.remoting3.ConnectionInfo$None.getConnection(ConnectionInfo.java:82)
    at org.jboss.remoting3.ConnectionInfo.getConnection(ConnectionInfo.java:55)
    at org.jboss.remoting3.EndpointImpl.doGetConnection(EndpointImpl.java:499)
    at org.jboss.remoting3.EndpointImpl.getConnectedIdentity(EndpointImpl.java:445)
    at org.jboss.remoting3.UncloseableEndpoint.getConnectedIdentity(UncloseableEndpoint.java:52)
    at org.wildfly.naming.client.remote.RemoteNamingProvider.getFuturePeerIdentityPrivileged(RemoteNamingProvider.java:151)
    at org.wildfly.naming.client.remote.RemoteNamingProvider.lambda$getFuturePeerIdentity$0(RemoteNamingProvider.java:138)
    at java.base/java.security.AccessController.doPrivileged(Native Method)
    at org.wildfly.naming.client.remote.RemoteNamingProvider.getFuturePeerIdentity(RemoteNamingProvider.java:138)
    at org.wildfly.naming.client.remote.RemoteNamingProvider.getPeerIdentity(RemoteNamingProvider.java:126)
    at org.wildfly.naming.client.remote.RemoteNamingProvider.getPeerIdentityForNaming(RemoteNamingProvider.java:106)
    ... 33 common frames omitted
Caused by: sun.security.validator.ValidatorException: PKIX path building failed: sun.security.provider.certpath.SunCertPathBuilderException: unable to find valid certification path to requested target
    at java.base/sun.security.validator.PKIXValidator.doBuild(PKIXValidator.java:439)
    at java.base/sun.security.validator.PKIXValidator.engineValidate(PKIXValidator.java:306)
    at java.base/sun.security.validator.Validator.validate(Validator.java:264)
    at java.base/sun.security.ssl.X509TrustManagerImpl.validate(X509TrustManagerImpl.java:313)
    at java.base/sun.security.ssl.X509TrustManagerImpl.checkTrusted(X509TrustManagerImpl.java:276)
    at java.base/sun.security.ssl.X509TrustManagerImpl.checkServerTrusted(X509TrustManagerImpl.java:141)
    at java.base/sun.security.ssl.CertificateMessage$T12CertificateConsumer.checkServerCerts(CertificateMessage.java:632)
    at java.base/sun.security.ssl.CertificateMessage$T12CertificateConsumer.onCertificate(CertificateMessage.java:473)
    at java.base/sun.security.ssl.CertificateMessage$T12CertificateConsumer.consume(CertificateMessage.java:369)
    at java.base/sun.security.ssl.SSLHandshake.consume(SSLHandshake.java:392)
    at java.base/sun.security.ssl.HandshakeContext.dispatch(HandshakeContext.java:443)
    at java.base/sun.security.ssl.SSLEngineImpl$DelegatedTask$DelegatedAction.run(SSLEngineImpl.java:1074)
    at java.base/sun.security.ssl.SSLEngineImpl$DelegatedTask$DelegatedAction.run(SSLEngineImpl.java:1061)
    at java.base/java.security.AccessController.doPrivileged(Native Method)
    at java.base/sun.security.ssl.SSLEngineImpl$DelegatedTask.run(SSLEngineImpl.java:1008)
    at org.xnio.ssl.JsseSslConduitEngine.handleHandshake(JsseSslConduitEngine.java:549)
    at org.xnio.ssl.JsseSslConduitEngine.wrap(JsseSslConduitEngine.java:244)
    at org.xnio.ssl.JsseSslStreamSinkConduit.write(JsseSslStreamSinkConduit.java:113)
    at org.xnio.ssl.JsseSslStreamSinkConduit.write(JsseSslStreamSinkConduit.java:77)
    at org.xnio.conduits.ConduitStreamSinkChannel.write(ConduitStreamSinkChannel.java:154)
    at org.jboss.remoting3.remote.RemoteConnection$RemoteWriteListener.handleEvent(RemoteConnection.java:264)
    at org.jboss.remoting3.remote.RemoteConnection$RemoteWriteListener.handleEvent(RemoteConnection.java:243)
    at org.xnio.ChannelListeners.invokeChannelListener(ChannelListeners.java:92)
    at org.xnio.conduits.WriteReadyHandler$ChannelListenerHandler.writeReady(WriteReadyHandler.java:65)
    at org.xnio.nio.NioSocketConduit.handleReady(NioSocketConduit.java:94)
    at org.xnio.nio.WorkerThread.run(WorkerThread.java:591)
Caused by: sun.security.provider.certpath.SunCertPathBuilderException: unable to find valid certification path to requested target
    at java.base/sun.security.provider.certpath.SunCertPathBuilder.build(SunCertPathBuilder.java:141)
    at java.base/sun.security.provider.certpath.SunCertPathBuilder.engineBuild(SunCertPathBuilder.java:126)
    at java.base/java.security.cert.CertPathBuilder.build(CertPathBuilder.java:297)
    at java.base/sun.security.validator.PKIXValidator.doBuild(PKIXValidator.java:434)
    ... 25 common frames omitted&lt;/LI-CODE&gt;&lt;P&gt;&lt;SPAN&gt;I tried setting the env while building the InitialContext in the NiFi code as follows.&lt;BR /&gt;&lt;/SPAN&gt;&lt;/P&gt;&lt;LI-CODE lang="java"&gt;private Context createInitialContext() throws NamingException {
        final Hashtable&amp;lt;String, String&amp;gt; env = new Hashtable&amp;lt;&amp;gt;();
        env.put(Context.INITIAL_CONTEXT_FACTORY, context.getProperty(JNDI_INITIAL_CONTEXT_FACTORY).evaluateAttributeExpressions().getValue().trim());
        env.put(Context.PROVIDER_URL, context.getProperty(JNDI_PROVIDER_URL).evaluateAttributeExpressions().getValue().trim());

        final String principal = context.getProperty(JNDI_PRINCIPAL).evaluateAttributeExpressions().getValue();
        if (principal != null) {
            env.put(Context.SECURITY_PRINCIPAL, principal);
        }

        final String credentials = context.getProperty(JNDI_CREDENTIALS).getValue();
        if (credentials != null) {
            env.put(Context.SECURITY_CREDENTIALS, credentials);
        }

        propertyDescriptors.forEach(descriptor -&amp;gt; {
            if (descriptor.isDynamic()) {
                env.put(descriptor.getName(), context.getProperty(descriptor).evaluateAttributeExpressions().getValue());
            }
        });
        
        final String enableSSL = context.getProperty(JndiJmsConnectionFactoryProperties.ENABLE_SSL).evaluateAttributeExpressions().getValue();
        logger.info("enableSSL: "+enableSSL);
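        // When SSL is not enabled, switch off TLS/STARTTLS and allow plaintext SASL mechanisms
        // for the remote naming connection. The comparison is null-safe.
        if (!"true".equals(enableSSL)) {
            env.put("java.naming.security.authentication", "none");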
            env.put("jboss.naming.client.connect.options.org.xnio.Options.SSL_STARTTLS", "false");
            env.put("jboss.naming.client.remote.connectionprovider.create.options.org.xnio.Options.SSL_ENABLED", "false");
            env.put("jboss.naming.client.connect.options.org.xnio.Options.SASL_POLICY_NOPLAINTEXT", "false");
        }
        
        final Context initialContext = new InitialContext(env);
        return initialContext;
    }&lt;/LI-CODE&gt;&lt;P&gt;Is there any way to bypass the default JVM truststore and do the initial lookup using a different truststore?&lt;/P&gt;</description>
      <pubDate>Thu, 08 Aug 2024 09:25:21 GMT</pubDate>
      <guid>https://community.cloudera.com/t5/Support-Questions/Getting-SSLHandshakeException-With-Apache-Nifi-ConsumeJMS/m-p/391530#M247657</guid>
      <dc:creator>akash007</dc:creator>
      <dc:date>2024-08-08T09:25:21Z</dc:date>
    </item>
    <item>
      <title>Re: Getting SSLHandshakeException With Apache Nifi ConsumeJMS using JNDI Configurations</title>
      <link>https://community.cloudera.com/t5/Support-Questions/Getting-SSLHandshakeException-With-Apache-Nifi-ConsumeJMS/m-p/391531#M247658</link>
      <description>&lt;P&gt;&lt;SPAN&gt;&amp;nbsp;&lt;/SPAN&gt;&lt;A href="https://community.cloudera.com/t5/user/viewprofilepage/user-id/80381" target="_blank"&gt;@SAMSAL&lt;/A&gt;&lt;SPAN&gt;&amp;nbsp;&lt;/SPAN&gt;&lt;A href="https://community.cloudera.com/t5/user/viewprofilepage/user-id/35454" target="_blank"&gt;@MattWho&lt;/A&gt;&lt;SPAN&gt;&amp;nbsp;&lt;/SPAN&gt;&lt;A href="https://community.cloudera.com/t5/user/viewprofilepage/user-id/38301" target="_blank"&gt;@mburgess&lt;/A&gt;&amp;nbsp;Please suggest what I should try to fix this issue.&lt;/P&gt;</description>
      <pubDate>Thu, 08 Aug 2024 09:29:29 GMT</pubDate>
      <guid>https://community.cloudera.com/t5/Support-Questions/Getting-SSLHandshakeException-With-Apache-Nifi-ConsumeJMS/m-p/391531#M247658</guid>
      <dc:creator>akash007</dc:creator>
      <dc:date>2024-08-08T09:29:29Z</dc:date>
    </item>
    <item>
      <title>Re: Getting SSLHandshakeException With Apache Nifi ConsumeJMS using JNDI Configurations</title>
      <link>https://community.cloudera.com/t5/Support-Questions/Getting-SSLHandshakeException-With-Apache-Nifi-ConsumeJMS/m-p/391565#M247674</link>
      <description>&lt;P&gt;I tried a fix and it works, but not as expected.&lt;BR /&gt;This updates the default global SSL context.&lt;BR /&gt;I want similar logic that is specific to this ConsumeJMS processor and does not affect the global SSL context.&lt;/P&gt;&lt;LI-CODE lang="java"&gt;        try {
            String jndiTruststorePath = context.getProperty(JNDI_TRUSTSTORE).evaluateAttributeExpressions().getValue().trim();
            // Load the truststore; try-with-resources closes the stream even if load() throws
            KeyStore trustStore = KeyStore.getInstance("JKS");
            try (FileInputStream file = new FileInputStream(jndiTruststorePath)) {
                trustStore.load(file, "changeit".toCharArray());
            }

            // Initialize TrustManager
            TrustManagerFactory trustManagerFactory = TrustManagerFactory.getInstance(TrustManagerFactory.getDefaultAlgorithm());
            trustManagerFactory.init(trustStore);

            // Set up SSLContext
            SSLContext sslContext = SSLContext.getInstance("TLS");
            sslContext.init(null, trustManagerFactory.getTrustManagers(), null);
            
            // Set the default SSL context
            SSLContext.setDefault(sslContext);

            logger.info("Successfully configured the default SSL context");

        } catch (Exception e) {
            logger.error("Failed to configure SSL context", e);
            throw new ProcessException(e);
        }
        &lt;/LI-CODE&gt;</description>
      <pubDate>Thu, 08 Aug 2024 21:16:27 GMT</pubDate>
      <guid>https://community.cloudera.com/t5/Support-Questions/Getting-SSLHandshakeException-With-Apache-Nifi-ConsumeJMS/m-p/391565#M247674</guid>
      <dc:creator>akash007</dc:creator>
      <dc:date>2024-08-08T21:16:27Z</dc:date>
    </item>
  </channel>
</rss>

