Cloudera Community

Support Questions

Find answers, ask questions, and share your expertise
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Show  only  | Search instead for 
Did you mean: 
Advanced Search
Announcements
Celebrating as our community reaches 100,000 members! Thank you!

Getting SSLHandshakeException With Apache Nifi ConsumeJMS using JNDI Configurations

Labels:
avatar
author-rank akash007
Explorer

Created ‎08-08-2024 02:25 AM

Hi We are configuring ConsumeJMS Processor using JNDI Controller service and ConsumeJMS Properties. as Shown here.

image.pngimage.png
and the controller service configurations are as follow.

image.png
This works perfectly in test pod, but when we deploy same changes in other server different environment pod we get following error.

o.apache.nifi.jms.processors.ConsumeJMS ConsumeJMS[id=xxxxxxxxxxxx] Failed to initialize JMS Connection Factory: sun.security.provider.certpath.SunCertPathBuilderException: unable to find valid certification path to requested target
↳ causes: sun.security.validator.ValidatorException: PKIX path building failed: sun.security.provider.certpath.SunCertPathBuilderException: unable to find valid certification path to requested target
↳ causes: javax.net.ssl.SSLHandshakeException: PKIX path building failed: sun.security.provider.certpath.SunCertPathBuilderException: unable to find valid certification path to requested target
↳ causes: javax.naming.CommunicationException: WFNAM00018: Failed to connect to remote host [Root exception is javax.net.ssl.SSLHandshakeException: PKIX path building failed: sun.security.provider.certpath.SunCertPathBuilderException: unable to find valid certification path to requested target]
↳ causes: org.apache.nifi.processor.exception.ProcessException: Could not obtain JMS Connection Factory from JNDI"}
org.apache.nifi.processor.exception.ProcessException: Could not obtain JMS Connection Factory from JNDI
    at org.apache.nifi.jms.cf.JndiJmsConnectionFactoryHandler.lookupConnectionFactory(JndiJmsConnectionFactoryHandler.java:154)
    at org.apache.nifi.jms.cf.JndiJmsConnectionFactoryHandler.getConnectionFactory(JndiJmsConnectionFactoryHandler.java:78)
    at org.apache.nifi.jms.cf.JndiJmsConnectionFactoryProvider.getConnectionFactory(JndiJmsConnectionFactoryProvider.java:68)
    at jdk.internal.reflect.GeneratedMethodAccessor170.invoke(Unknown Source)
    at java.base/jdk.internal.reflect.DelegatingMethodAccessorImpl.invoke(DelegatingMethodAccessorImpl.java:43)
    at java.base/java.lang.reflect.Method.invoke(Method.java:566)
    at org.apache.nifi.controller.service.StandardControllerServiceInvocationHandler.invoke(StandardControllerServiceInvocationHandler.java:254)
    at org.apache.nifi.controller.service.StandardControllerServiceInvocationHandler.invoke(StandardControllerServiceInvocationHandler.java:105)
    at com.sun.proxy.$Proxy176.getConnectionFactory(Unknown Source)
    at org.apache.nifi.jms.processors.AbstractJMSProcessor.buildTargetResource(AbstractJMSProcessor.java:284)
    at org.apache.nifi.jms.processors.AbstractJMSProcessor.onTrigger(AbstractJMSProcessor.java:184)
    at org.apache.nifi.processor.AbstractProcessor.onTrigger(AbstractProcessor.java:27)
    at org.apache.nifi.controller.StandardProcessorNode.onTrigger(StandardProcessorNode.java:1202)
    at org.apache.nifi.controller.tasks.ConnectableTask.invoke(ConnectableTask.java:214)
    at org.apache.nifi.controller.scheduling.TimerDrivenSchedulingAgent$1.run(TimerDrivenSchedulingAgent.java:103)
    at org.apache.nifi.engine.FlowEngine$2.run(FlowEngine.java:110)
    at java.base/java.util.concurrent.Executors$RunnableAdapter.call(Executors.java:515)
    at java.base/java.util.concurrent.FutureTask.runAndReset(FutureTask.java:305)
    at java.base/java.util.concurrent.ScheduledThreadPoolExecutor$ScheduledFutureTask.run(ScheduledThreadPoolExecutor.java:305)
    at java.base/java.util.concurrent.ThreadPoolExecutor.runWorker(ThreadPoolExecutor.java:1128)
    at java.base/java.util.concurrent.ThreadPoolExecutor$Worker.run(ThreadPoolExecutor.java:628)
    at java.base/java.lang.Thread.run(Thread.java:829)
Caused by: javax.naming.CommunicationException: WFNAM00018: Failed to connect to remote host
    at org.wildfly.naming.client.remote.RemoteNamingProvider.getPeerIdentityForNaming(RemoteNamingProvider.java:110)
    at org.wildfly.naming.client.remote.RemoteNamingProvider.getPeerIdentityForNaming(RemoteNamingProvider.java:53)
    at org.wildfly.naming.client.NamingProvider.getPeerIdentityForNamingUsingRetry(NamingProvider.java:103)
    at org.wildfly.naming.client.remote.RemoteNamingProvider.getPeerIdentityForNamingUsingRetry(RemoteNamingProvider.java:91)
    at org.wildfly.naming.client.remote.RemoteContext.lambda$lookupNative$0(RemoteContext.java:189)
    at org.wildfly.naming.client.NamingProvider.performExceptionAction(NamingProvider.java:220)
    at org.wildfly.naming.client.remote.RemoteContext.performWithRetry(RemoteContext.java:100)
    at org.wildfly.naming.client.remote.RemoteContext.lookupNative(RemoteContext.java:188)
    at org.wildfly.naming.client.AbstractFederatingContext.lookup(AbstractFederatingContext.java:74)
    at org.wildfly.naming.client.AbstractFederatingContext.lookup(AbstractFederatingContext.java:60)
    at org.wildfly.naming.client.WildFlyRootContext.lookup(WildFlyRootContext.java:144)
    at java.naming/javax.naming.InitialContext.lookup(InitialContext.java:409)
    at org.apache.nifi.jms.cf.JndiJmsConnectionFactoryHandler.lookupConnectionFactory(JndiJmsConnectionFactoryHandler.java:100)
    ... 21 common frames omitted
Caused by: javax.net.ssl.SSLHandshakeException: PKIX path building failed: sun.security.provider.certpath.SunCertPathBuilderException: unable to find valid certification path to requested target
    at java.base/sun.security.ssl.Alert.createSSLException(Alert.java:131)
    at java.base/sun.security.ssl.TransportContext.fatal(TransportContext.java:353)
    at java.base/sun.security.ssl.TransportContext.fatal(TransportContext.java:296)
    at java.base/sun.security.ssl.TransportContext.fatal(TransportContext.java:291)
    at java.base/sun.security.ssl.CertificateMessage$T12CertificateConsumer.checkServerCerts(CertificateMessage.java:654)
    at java.base/sun.security.ssl.CertificateMessage$T12CertificateConsumer.onCertificate(CertificateMessage.java:473)
    at java.base/sun.security.ssl.CertificateMessage$T12CertificateConsumer.consume(CertificateMessage.java:369)
    at java.base/sun.security.ssl.SSLHandshake.consume(SSLHandshake.java:392)
    at java.base/sun.security.ssl.HandshakeContext.dispatch(HandshakeContext.java:443)
    at java.base/sun.security.ssl.SSLEngineImpl$DelegatedTask$DelegatedAction.run(SSLEngineImpl.java:1074)
    at java.base/sun.security.ssl.SSLEngineImpl$DelegatedTask$DelegatedAction.run(SSLEngineImpl.java:1061)
    at java.base/java.security.AccessController.doPrivileged(Native Method)
    at java.base/sun.security.ssl.SSLEngineImpl$DelegatedTask.run(SSLEngineImpl.java:1008)
    at org.xnio.ssl.JsseSslConduitEngine.handleHandshake(JsseSslConduitEngine.java:549)
    at org.xnio.ssl.JsseSslConduitEngine.wrap(JsseSslConduitEngine.java:244)
    at org.xnio.ssl.JsseSslStreamSinkConduit.write(JsseSslStreamSinkConduit.java:113)
    at org.xnio.ssl.JsseSslStreamSinkConduit.write(JsseSslStreamSinkConduit.java:77)
    at org.xnio.conduits.ConduitStreamSinkChannel.write(ConduitStreamSinkChannel.java:154)
    at org.jboss.remoting3.remote.RemoteConnection$RemoteWriteListener.handleEvent(RemoteConnection.java:264)
    at org.jboss.remoting3.remote.RemoteConnection$RemoteWriteListener.handleEvent(RemoteConnection.java:243)
    at org.xnio.ChannelListeners.invokeChannelListener(ChannelListeners.java:92)
    at org.xnio.conduits.WriteReadyHandler$ChannelListenerHandler.writeReady(WriteReadyHandler.java:65)
    at org.xnio.nio.NioSocketConduit.handleReady(NioSocketConduit.java:94)
    at org.xnio.nio.WorkerThread.run(WorkerThread.java:591)
    at ...asynchronous invocation...(Unknown Source)
    at org.jboss.remoting3.EndpointImpl.connect(EndpointImpl.java:599)
    at org.jboss.remoting3.EndpointImpl.connect(EndpointImpl.java:565)
    at org.jboss.remoting3.ConnectionInfo$None.getConnection(ConnectionInfo.java:82)
    at org.jboss.remoting3.ConnectionInfo.getConnection(ConnectionInfo.java:55)
    at org.jboss.remoting3.EndpointImpl.doGetConnection(EndpointImpl.java:499)
    at org.jboss.remoting3.EndpointImpl.getConnectedIdentity(EndpointImpl.java:445)
    at org.jboss.remoting3.UncloseableEndpoint.getConnectedIdentity(UncloseableEndpoint.java:52)
    at org.wildfly.naming.client.remote.RemoteNamingProvider.getFuturePeerIdentityPrivileged(RemoteNamingProvider.java:151)
    at org.wildfly.naming.client.remote.RemoteNamingProvider.lambda$getFuturePeerIdentity$0(RemoteNamingProvider.java:138)
    at java.base/java.security.AccessController.doPrivileged(Native Method)
    at org.wildfly.naming.client.remote.RemoteNamingProvider.getFuturePeerIdentity(RemoteNamingProvider.java:138)
    at org.wildfly.naming.client.remote.RemoteNamingProvider.getPeerIdentity(RemoteNamingProvider.java:126)
    at org.wildfly.naming.client.remote.RemoteNamingProvider.getPeerIdentityForNaming(RemoteNamingProvider.java:106)
    ... 33 common frames omitted
Caused by: sun.security.validator.ValidatorException: PKIX path building failed: sun.security.provider.certpath.SunCertPathBuilderException: unable to find valid certification path to requested target
    at java.base/sun.security.validator.PKIXValidator.doBuild(PKIXValidator.java:439)
    at java.base/sun.security.validator.PKIXValidator.engineValidate(PKIXValidator.java:306)
    at java.base/sun.security.validator.Validator.validate(Validator.java:264)
    at java.base/sun.security.ssl.X509TrustManagerImpl.validate(X509TrustManagerImpl.java:313)
    at java.base/sun.security.ssl.X509TrustManagerImpl.checkTrusted(X509TrustManagerImpl.java:276)
    at java.base/sun.security.ssl.X509TrustManagerImpl.checkServerTrusted(X509TrustManagerImpl.java:141)
    at java.base/sun.security.ssl.CertificateMessage$T12CertificateConsumer.checkServerCerts(CertificateMessage.java:632)
    at java.base/sun.security.ssl.CertificateMessage$T12CertificateConsumer.onCertificate(CertificateMessage.java:473)
    at java.base/sun.security.ssl.CertificateMessage$T12CertificateConsumer.consume(CertificateMessage.java:369)
    at java.base/sun.security.ssl.SSLHandshake.consume(SSLHandshake.java:392)
    at java.base/sun.security.ssl.HandshakeContext.dispatch(HandshakeContext.java:443)
    at java.base/sun.security.ssl.SSLEngineImpl$DelegatedTask$DelegatedAction.run(SSLEngineImpl.java:1074)
    at java.base/sun.security.ssl.SSLEngineImpl$DelegatedTask$DelegatedAction.run(SSLEngineImpl.java:1061)
    at java.base/java.security.AccessController.doPrivileged(Native Method)
    at java.base/sun.security.ssl.SSLEngineImpl$DelegatedTask.run(SSLEngineImpl.java:1008)
    at org.xnio.ssl.JsseSslConduitEngine.handleHandshake(JsseSslConduitEngine.java:549)
    at org.xnio.ssl.JsseSslConduitEngine.wrap(JsseSslConduitEngine.java:244)
    at org.xnio.ssl.JsseSslStreamSinkConduit.write(JsseSslStreamSinkConduit.java:113)
    at org.xnio.ssl.JsseSslStreamSinkConduit.write(JsseSslStreamSinkConduit.java:77)
    at org.xnio.conduits.ConduitStreamSinkChannel.write(ConduitStreamSinkChannel.java:154)
    at org.jboss.remoting3.remote.RemoteConnection$RemoteWriteListener.handleEvent(RemoteConnection.java:264)
    at org.jboss.remoting3.remote.RemoteConnection$RemoteWriteListener.handleEvent(RemoteConnection.java:243)
    at org.xnio.ChannelListeners.invokeChannelListener(ChannelListeners.java:92)
    at org.xnio.conduits.WriteReadyHandler$ChannelListenerHandler.writeReady(WriteReadyHandler.java:65)
    at org.xnio.nio.NioSocketConduit.handleReady(NioSocketConduit.java:94)
    at org.xnio.nio.WorkerThread.run(WorkerThread.java:591)
Caused by: sun.security.provider.certpath.SunCertPathBuilderException: unable to find valid certification path to requested target
    at java.base/sun.security.provider.certpath.SunCertPathBuilder.build(SunCertPathBuilder.java:141)
    at java.base/sun.security.provider.certpath.SunCertPathBuilder.engineBuild(SunCertPathBuilder.java:126)
    at java.base/java.security.cert.CertPathBuilder.build(CertPathBuilder.java:297)
    at java.base/sun.security.validator.PKIXValidator.doBuild(PKIXValidator.java:434)
    ... 25 common frames omitted

I had try  setting the env while building the InitialContext in Nifi code as follow.

private Context createInitialContext() throws NamingException {
        final Hashtable<String, String> env = new Hashtable<>();
        env.put(Context.INITIAL_CONTEXT_FACTORY, context.getProperty(JNDI_INITIAL_CONTEXT_FACTORY).evaluateAttributeExpressions().getValue().trim());
        env.put(Context.PROVIDER_URL, context.getProperty(JNDI_PROVIDER_URL).evaluateAttributeExpressions().getValue().trim());

        final String principal = context.getProperty(JNDI_PRINCIPAL).evaluateAttributeExpressions().getValue();
        if (principal != null) {
            env.put(Context.SECURITY_PRINCIPAL, principal);
        }

        final String credentials = context.getProperty(JNDI_CREDENTIALS).getValue();
        if (credentials != null) {
            env.put(Context.SECURITY_CREDENTIALS, credentials);
        }

        propertyDescriptors.forEach(descriptor -> {
            if (descriptor.isDynamic()) {
                env.put(descriptor.getName(), context.getProperty(descriptor).evaluateAttributeExpressions().getValue());
            }
        });
        
        final String enableSSL = context.getProperty(JndiJmsConnectionFactoryProperties.ENABLE_SSL).evaluateAttributeExpressions().getValue();
        logger.info("enableSSL: "+enableSSL);
        if (!enableSSL.equals("true")) {
            env.put("java.naming.security.authentification", "none");
            env.put("jboss.naming.client.connect.options.org.xnio.Options.SSL_STARTTLS", "false");
            env.put("jboss.naming.client.remote.connectionprovider.create.options.org.xnio.Options.SSL_ENABLED", "false");
            env.put("jboss.naming.client.connect.options.org.xnio.Options.SASL_POLICY_NOPLAINTEXT", "false");
        }
        
        final Context initialContext = new InitialContext(env);
        return initialContext;
    }

Is there any way to bypass the default JVM Truststore and use other way to do a initialLookup using a different truststore.

252 Views
0 Kudos
2 REPLIES 2

avatar
author-rank akash007
Explorer

Created ‎08-08-2024 02:29 AM

 @SAMSAL @MattWho @mburgess Please suggest what should i try to fix this issue.

247 Views

avatar
author-rank akash007
Explorer

Created ‎08-08-2024 02:16 PM

I tried a fix and it works but not as expected.
This updates the default global SSL Context,
I want similar logic which should be specific to this consume jms processor and should not affect the global SSL Context.

        try {
        	String jndiTruststorePath =  context.getProperty(JNDI_TRUSTSTORE).evaluateAttributeExpressions().getValue().trim();
            // Load the truststore
            KeyStore trustStore = KeyStore.getInstance("JKS");
            FileInputStream file = null;
            try {
                file = new FileInputStream(jndiTruststorePath);
                trustStore.load(file, "changeit".toCharArray());
            } finally {
                if (file != null) {
                    file.close();
                }
            }

            // Initialize TrustManager
            TrustManagerFactory trustManagerFactory = TrustManagerFactory.getInstance(TrustManagerFactory.getDefaultAlgorithm());
            trustManagerFactory.init(trustStore);

            // Set up SSLContext
            SSLContext sslContext = SSLContext.getInstance("TLS");
            sslContext.init(null, trustManagerFactory.getTrustManagers(), null);
            
            // Set the default SSL context
            SSLContext.setDefault(sslContext);

            logger.info("Successfully configured the default SSL context");

        } catch (Exception e) {
            logger.error("Failed to configure SSL context", e);
            throw new ProcessException(e);
        }

 

205 Views
Announcements
Community Announcements
September 2024 Community Highlights
What's New @ Cloudera
Cloudera Streams Messaging Operator 1.1
What's New @ Cloudera
From Silos to Synergy: Unifying Data Warehousing and AI
What's New @ Cloudera
Cloudera Streaming Analytics 1.13 for Private Cloud Base
What's New @ Cloudera
Get started with Cloudera Data Engineering on AWS Graviton a...
View More Announcements