
Getting SSLHandshakeException With Apache Nifi ConsumeJMS using JNDI Configurations

Explorer

Hi, we are configuring the ConsumeJMS processor using the JNDI controller service and the ConsumeJMS properties, as shown here.

[screenshot: ConsumeJMS processor properties]
The controller service configuration is as follows.

[screenshot: JNDI controller service configuration]
This works perfectly in the test pod, but when we deploy the same changes to a pod in a different environment on another server, we get the following error.

o.apache.nifi.jms.processors.ConsumeJMS ConsumeJMS[id=xxxxxxxxxxxx] Failed to initialize JMS Connection Factory: sun.security.provider.certpath.SunCertPathBuilderException: unable to find valid certification path to requested target
↳ causes: sun.security.validator.ValidatorException: PKIX path building failed: sun.security.provider.certpath.SunCertPathBuilderException: unable to find valid certification path to requested target
↳ causes: javax.net.ssl.SSLHandshakeException: PKIX path building failed: sun.security.provider.certpath.SunCertPathBuilderException: unable to find valid certification path to requested target
↳ causes: javax.naming.CommunicationException: WFNAM00018: Failed to connect to remote host [Root exception is javax.net.ssl.SSLHandshakeException: PKIX path building failed: sun.security.provider.certpath.SunCertPathBuilderException: unable to find valid certification path to requested target]
↳ causes: org.apache.nifi.processor.exception.ProcessException: Could not obtain JMS Connection Factory from JNDI
org.apache.nifi.processor.exception.ProcessException: Could not obtain JMS Connection Factory from JNDI
    at org.apache.nifi.jms.cf.JndiJmsConnectionFactoryHandler.lookupConnectionFactory(JndiJmsConnectionFactoryHandler.java:154)
    at org.apache.nifi.jms.cf.JndiJmsConnectionFactoryHandler.getConnectionFactory(JndiJmsConnectionFactoryHandler.java:78)
    at org.apache.nifi.jms.cf.JndiJmsConnectionFactoryProvider.getConnectionFactory(JndiJmsConnectionFactoryProvider.java:68)
    at jdk.internal.reflect.GeneratedMethodAccessor170.invoke(Unknown Source)
    at java.base/jdk.internal.reflect.DelegatingMethodAccessorImpl.invoke(DelegatingMethodAccessorImpl.java:43)
    at java.base/java.lang.reflect.Method.invoke(Method.java:566)
    at org.apache.nifi.controller.service.StandardControllerServiceInvocationHandler.invoke(StandardControllerServiceInvocationHandler.java:254)
    at org.apache.nifi.controller.service.StandardControllerServiceInvocationHandler.invoke(StandardControllerServiceInvocationHandler.java:105)
    at com.sun.proxy.$Proxy176.getConnectionFactory(Unknown Source)
    at org.apache.nifi.jms.processors.AbstractJMSProcessor.buildTargetResource(AbstractJMSProcessor.java:284)
    at org.apache.nifi.jms.processors.AbstractJMSProcessor.onTrigger(AbstractJMSProcessor.java:184)
    at org.apache.nifi.processor.AbstractProcessor.onTrigger(AbstractProcessor.java:27)
    at org.apache.nifi.controller.StandardProcessorNode.onTrigger(StandardProcessorNode.java:1202)
    at org.apache.nifi.controller.tasks.ConnectableTask.invoke(ConnectableTask.java:214)
    at org.apache.nifi.controller.scheduling.TimerDrivenSchedulingAgent$1.run(TimerDrivenSchedulingAgent.java:103)
    at org.apache.nifi.engine.FlowEngine$2.run(FlowEngine.java:110)
    at java.base/java.util.concurrent.Executors$RunnableAdapter.call(Executors.java:515)
    at java.base/java.util.concurrent.FutureTask.runAndReset(FutureTask.java:305)
    at java.base/java.util.concurrent.ScheduledThreadPoolExecutor$ScheduledFutureTask.run(ScheduledThreadPoolExecutor.java:305)
    at java.base/java.util.concurrent.ThreadPoolExecutor.runWorker(ThreadPoolExecutor.java:1128)
    at java.base/java.util.concurrent.ThreadPoolExecutor$Worker.run(ThreadPoolExecutor.java:628)
    at java.base/java.lang.Thread.run(Thread.java:829)
Caused by: javax.naming.CommunicationException: WFNAM00018: Failed to connect to remote host
    at org.wildfly.naming.client.remote.RemoteNamingProvider.getPeerIdentityForNaming(RemoteNamingProvider.java:110)
    at org.wildfly.naming.client.remote.RemoteNamingProvider.getPeerIdentityForNaming(RemoteNamingProvider.java:53)
    at org.wildfly.naming.client.NamingProvider.getPeerIdentityForNamingUsingRetry(NamingProvider.java:103)
    at org.wildfly.naming.client.remote.RemoteNamingProvider.getPeerIdentityForNamingUsingRetry(RemoteNamingProvider.java:91)
    at org.wildfly.naming.client.remote.RemoteContext.lambda$lookupNative$0(RemoteContext.java:189)
    at org.wildfly.naming.client.NamingProvider.performExceptionAction(NamingProvider.java:220)
    at org.wildfly.naming.client.remote.RemoteContext.performWithRetry(RemoteContext.java:100)
    at org.wildfly.naming.client.remote.RemoteContext.lookupNative(RemoteContext.java:188)
    at org.wildfly.naming.client.AbstractFederatingContext.lookup(AbstractFederatingContext.java:74)
    at org.wildfly.naming.client.AbstractFederatingContext.lookup(AbstractFederatingContext.java:60)
    at org.wildfly.naming.client.WildFlyRootContext.lookup(WildFlyRootContext.java:144)
    at java.naming/javax.naming.InitialContext.lookup(InitialContext.java:409)
    at org.apache.nifi.jms.cf.JndiJmsConnectionFactoryHandler.lookupConnectionFactory(JndiJmsConnectionFactoryHandler.java:100)
    ... 21 common frames omitted
Caused by: javax.net.ssl.SSLHandshakeException: PKIX path building failed: sun.security.provider.certpath.SunCertPathBuilderException: unable to find valid certification path to requested target
    at java.base/sun.security.ssl.Alert.createSSLException(Alert.java:131)
    at java.base/sun.security.ssl.TransportContext.fatal(TransportContext.java:353)
    at java.base/sun.security.ssl.TransportContext.fatal(TransportContext.java:296)
    at java.base/sun.security.ssl.TransportContext.fatal(TransportContext.java:291)
    at java.base/sun.security.ssl.CertificateMessage$T12CertificateConsumer.checkServerCerts(CertificateMessage.java:654)
    at java.base/sun.security.ssl.CertificateMessage$T12CertificateConsumer.onCertificate(CertificateMessage.java:473)
    at java.base/sun.security.ssl.CertificateMessage$T12CertificateConsumer.consume(CertificateMessage.java:369)
    at java.base/sun.security.ssl.SSLHandshake.consume(SSLHandshake.java:392)
    at java.base/sun.security.ssl.HandshakeContext.dispatch(HandshakeContext.java:443)
    at java.base/sun.security.ssl.SSLEngineImpl$DelegatedTask$DelegatedAction.run(SSLEngineImpl.java:1074)
    at java.base/sun.security.ssl.SSLEngineImpl$DelegatedTask$DelegatedAction.run(SSLEngineImpl.java:1061)
    at java.base/java.security.AccessController.doPrivileged(Native Method)
    at java.base/sun.security.ssl.SSLEngineImpl$DelegatedTask.run(SSLEngineImpl.java:1008)
    at org.xnio.ssl.JsseSslConduitEngine.handleHandshake(JsseSslConduitEngine.java:549)
    at org.xnio.ssl.JsseSslConduitEngine.wrap(JsseSslConduitEngine.java:244)
    at org.xnio.ssl.JsseSslStreamSinkConduit.write(JsseSslStreamSinkConduit.java:113)
    at org.xnio.ssl.JsseSslStreamSinkConduit.write(JsseSslStreamSinkConduit.java:77)
    at org.xnio.conduits.ConduitStreamSinkChannel.write(ConduitStreamSinkChannel.java:154)
    at org.jboss.remoting3.remote.RemoteConnection$RemoteWriteListener.handleEvent(RemoteConnection.java:264)
    at org.jboss.remoting3.remote.RemoteConnection$RemoteWriteListener.handleEvent(RemoteConnection.java:243)
    at org.xnio.ChannelListeners.invokeChannelListener(ChannelListeners.java:92)
    at org.xnio.conduits.WriteReadyHandler$ChannelListenerHandler.writeReady(WriteReadyHandler.java:65)
    at org.xnio.nio.NioSocketConduit.handleReady(NioSocketConduit.java:94)
    at org.xnio.nio.WorkerThread.run(WorkerThread.java:591)
    at ...asynchronous invocation...(Unknown Source)
    at org.jboss.remoting3.EndpointImpl.connect(EndpointImpl.java:599)
    at org.jboss.remoting3.EndpointImpl.connect(EndpointImpl.java:565)
    at org.jboss.remoting3.ConnectionInfo$None.getConnection(ConnectionInfo.java:82)
    at org.jboss.remoting3.ConnectionInfo.getConnection(ConnectionInfo.java:55)
    at org.jboss.remoting3.EndpointImpl.doGetConnection(EndpointImpl.java:499)
    at org.jboss.remoting3.EndpointImpl.getConnectedIdentity(EndpointImpl.java:445)
    at org.jboss.remoting3.UncloseableEndpoint.getConnectedIdentity(UncloseableEndpoint.java:52)
    at org.wildfly.naming.client.remote.RemoteNamingProvider.getFuturePeerIdentityPrivileged(RemoteNamingProvider.java:151)
    at org.wildfly.naming.client.remote.RemoteNamingProvider.lambda$getFuturePeerIdentity$0(RemoteNamingProvider.java:138)
    at java.base/java.security.AccessController.doPrivileged(Native Method)
    at org.wildfly.naming.client.remote.RemoteNamingProvider.getFuturePeerIdentity(RemoteNamingProvider.java:138)
    at org.wildfly.naming.client.remote.RemoteNamingProvider.getPeerIdentity(RemoteNamingProvider.java:126)
    at org.wildfly.naming.client.remote.RemoteNamingProvider.getPeerIdentityForNaming(RemoteNamingProvider.java:106)
    ... 33 common frames omitted
Caused by: sun.security.validator.ValidatorException: PKIX path building failed: sun.security.provider.certpath.SunCertPathBuilderException: unable to find valid certification path to requested target
    at java.base/sun.security.validator.PKIXValidator.doBuild(PKIXValidator.java:439)
    at java.base/sun.security.validator.PKIXValidator.engineValidate(PKIXValidator.java:306)
    at java.base/sun.security.validator.Validator.validate(Validator.java:264)
    at java.base/sun.security.ssl.X509TrustManagerImpl.validate(X509TrustManagerImpl.java:313)
    at java.base/sun.security.ssl.X509TrustManagerImpl.checkTrusted(X509TrustManagerImpl.java:276)
    at java.base/sun.security.ssl.X509TrustManagerImpl.checkServerTrusted(X509TrustManagerImpl.java:141)
    at java.base/sun.security.ssl.CertificateMessage$T12CertificateConsumer.checkServerCerts(CertificateMessage.java:632)
    at java.base/sun.security.ssl.CertificateMessage$T12CertificateConsumer.onCertificate(CertificateMessage.java:473)
    at java.base/sun.security.ssl.CertificateMessage$T12CertificateConsumer.consume(CertificateMessage.java:369)
    at java.base/sun.security.ssl.SSLHandshake.consume(SSLHandshake.java:392)
    at java.base/sun.security.ssl.HandshakeContext.dispatch(HandshakeContext.java:443)
    at java.base/sun.security.ssl.SSLEngineImpl$DelegatedTask$DelegatedAction.run(SSLEngineImpl.java:1074)
    at java.base/sun.security.ssl.SSLEngineImpl$DelegatedTask$DelegatedAction.run(SSLEngineImpl.java:1061)
    at java.base/java.security.AccessController.doPrivileged(Native Method)
    at java.base/sun.security.ssl.SSLEngineImpl$DelegatedTask.run(SSLEngineImpl.java:1008)
    at org.xnio.ssl.JsseSslConduitEngine.handleHandshake(JsseSslConduitEngine.java:549)
    at org.xnio.ssl.JsseSslConduitEngine.wrap(JsseSslConduitEngine.java:244)
    at org.xnio.ssl.JsseSslStreamSinkConduit.write(JsseSslStreamSinkConduit.java:113)
    at org.xnio.ssl.JsseSslStreamSinkConduit.write(JsseSslStreamSinkConduit.java:77)
    at org.xnio.conduits.ConduitStreamSinkChannel.write(ConduitStreamSinkChannel.java:154)
    at org.jboss.remoting3.remote.RemoteConnection$RemoteWriteListener.handleEvent(RemoteConnection.java:264)
    at org.jboss.remoting3.remote.RemoteConnection$RemoteWriteListener.handleEvent(RemoteConnection.java:243)
    at org.xnio.ChannelListeners.invokeChannelListener(ChannelListeners.java:92)
    at org.xnio.conduits.WriteReadyHandler$ChannelListenerHandler.writeReady(WriteReadyHandler.java:65)
    at org.xnio.nio.NioSocketConduit.handleReady(NioSocketConduit.java:94)
    at org.xnio.nio.WorkerThread.run(WorkerThread.java:591)
Caused by: sun.security.provider.certpath.SunCertPathBuilderException: unable to find valid certification path to requested target
    at java.base/sun.security.provider.certpath.SunCertPathBuilder.build(SunCertPathBuilder.java:141)
    at java.base/sun.security.provider.certpath.SunCertPathBuilder.engineBuild(SunCertPathBuilder.java:126)
    at java.base/java.security.cert.CertPathBuilder.build(CertPathBuilder.java:297)
    at java.base/sun.security.validator.PKIXValidator.doBuild(PKIXValidator.java:434)
    ... 25 common frames omitted

I have tried setting the env while building the InitialContext in the NiFi code as follows.

    // Needed imports: java.util.Hashtable, javax.naming.Context, javax.naming.InitialContext,
    // javax.naming.NamingException
    private Context createInitialContext() throws NamingException {
        final Hashtable<String, String> env = new Hashtable<>();
        env.put(Context.INITIAL_CONTEXT_FACTORY, context.getProperty(JNDI_INITIAL_CONTEXT_FACTORY).evaluateAttributeExpressions().getValue().trim());
        env.put(Context.PROVIDER_URL, context.getProperty(JNDI_PROVIDER_URL).evaluateAttributeExpressions().getValue().trim());

        final String principal = context.getProperty(JNDI_PRINCIPAL).evaluateAttributeExpressions().getValue();
        if (principal != null) {
            env.put(Context.SECURITY_PRINCIPAL, principal);
        }

        // Credentials are a sensitive property, so no expression evaluation here
        final String credentials = context.getProperty(JNDI_CREDENTIALS).getValue();
        if (credentials != null) {
            env.put(Context.SECURITY_CREDENTIALS, credentials);
        }

        // Every dynamic property on the controller service is passed straight through to the JNDI environment
        propertyDescriptors.forEach(descriptor -> {
            if (descriptor.isDynamic()) {
                env.put(descriptor.getName(), context.getProperty(descriptor).evaluateAttributeExpressions().getValue());
            }
        });

        // ENABLE_SSL is a custom property on this fork; null-safe comparison so an unset value means "disabled"
        final String enableSSL = context.getProperty(JndiJmsConnectionFactoryProperties.ENABLE_SSL).evaluateAttributeExpressions().getValue();
        logger.info("enableSSL: {}", enableSSL);
        if (!"true".equalsIgnoreCase(enableSSL)) {
            // Plain (non-TLS) remoting; Context.SECURITY_AUTHENTICATION is "java.naming.security.authentication"
            env.put(Context.SECURITY_AUTHENTICATION, "none");
            env.put("jboss.naming.client.connect.options.org.xnio.Options.SSL_STARTTLS", "false");
            env.put("jboss.naming.client.remote.connectionprovider.create.options.org.xnio.Options.SSL_ENABLED", "false");
            env.put("jboss.naming.client.connect.options.org.xnio.Options.SASL_POLICY_NOPLAINTEXT", "false");
        }

        return new InitialContext(env);
    }

Is there any way to bypass the default JVM truststore and do the initial lookup with a different truststore?

2 REPLIES

Explorer

@SAMSAL @MattWho @mburgess Please suggest what I should try to fix this issue.

Explorer

I tried a fix and it works, but not as expected.
This updates the default global SSLContext.
I want similar logic that is specific to this ConsumeJMS processor and does not affect the global SSLContext.

        try {
            // JNDI_TRUSTSTORE is a custom property on this fork; the password is hardcoded below
            // and should come from a sensitive property instead
            final String jndiTruststorePath = context.getProperty(JNDI_TRUSTSTORE).evaluateAttributeExpressions().getValue().trim();

            // Load the truststore (try-with-resources closes the stream on every path)
            final KeyStore trustStore = KeyStore.getInstance("JKS");
            try (FileInputStream file = new FileInputStream(jndiTruststorePath)) {
                trustStore.load(file, "changeit".toCharArray());
            }

            // Initialize a TrustManager backed only by that truststore
            final TrustManagerFactory trustManagerFactory = TrustManagerFactory.getInstance(TrustManagerFactory.getDefaultAlgorithm());
            trustManagerFactory.init(trustStore);

            // Set up an SSLContext with no client key material (server authentication only)
            final SSLContext sslContext = SSLContext.getInstance("TLS");
            sslContext.init(null, trustManagerFactory.getTrustManagers(), null);

            // Replace the process-wide default: this affects every TLS client in the JVM, not just this processor
            SSLContext.setDefault(sslContext);

            logger.info("Successfully configured the default SSL context");

        } catch (Exception e) {
            logger.error("Failed to configure SSL context", e);
            throw new ProcessException(e);
        }
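One way to keep a processor-specific truststore out of the global SSLContext, as an added example that is not part of the original question, of either reply, or of NiFi's own JndiJmsConnectionFactoryHandler: build the SSLContext from the truststore exactly as the second reply does, but instead of SSLContext.setDefault() attach it to a WildFly Elytron client AuthenticationContext that is active only while the InitialContext is created and the lookup runs. jboss-remoting (EndpointImpl.getConnectedIdentity in the trace above) resolves its SSLContext from the Elytron context current on the calling thread, so SSLContext.getDefault() and every other TLS client in the NiFi JVM are left alone. Assumptions: the wildfly-elytron auth-client classes are on the processor's classpath (wildfly-naming-client depends on them), and the truststore path and password come from hypothetical JNDI_TRUSTSTORE and JNDI_TRUSTSTORE_PASSWORD properties rather than being hardcoded; the class and method names are mine.

```java
import java.io.InputStream;
import java.nio.file.Files;
import java.nio.file.Paths;
import java.security.GeneralSecurityException;
import java.security.KeyStore;
import java.util.Collections;
import java.util.Hashtable;
import javax.naming.Context;
import javax.naming.InitialContext;
import javax.net.ssl.SSLContext;
import javax.net.ssl.TrustManagerFactory;
import org.wildfly.security.auth.client.AuthenticationContext;
import org.wildfly.security.auth.client.MatchRule;

/**
 * Added example, not NiFi's own code: scope a truststore to one JNDI lookup via the
 * WildFly Elytron client AuthenticationContext instead of SSLContext.setDefault().
 */
public final class ScopedTrustStoreLookup {

    private ScopedTrustStoreLookup() {
    }

    /**
     * Loads the truststore and rejects one that holds no trusted certificate entries, which is
     * what an unmounted or wrong file in a freshly deployed pod looks like to the trust manager.
     */
    public static KeyStore loadTrustStore(String path, char[] password) throws Exception {
        // The JDK default type (PKCS12 on JDK 9+) also reads legacy JKS files
        final KeyStore trustStore = KeyStore.getInstance(KeyStore.getDefaultType());
        try (InputStream in = Files.newInputStream(Paths.get(path))) {
            trustStore.load(in, password);
        }
        int trustedEntries = 0;
        for (String alias : Collections.list(trustStore.aliases())) {
            if (trustStore.isCertificateEntry(alias)) {
                trustedEntries++;
            }
        }
        if (trustedEntries == 0) {
            throw new GeneralSecurityException("Truststore " + path + " contains no trusted certificate entries");
        }
        return trustStore;
    }

    /** Builds an SSLContext that trusts only the given store; no client key material, server auth only. */
    public static SSLContext buildSslContext(KeyStore trustStore) throws GeneralSecurityException {
        final TrustManagerFactory tmf = TrustManagerFactory.getInstance(TrustManagerFactory.getDefaultAlgorithm());
        tmf.init(trustStore);
        final SSLContext sslContext = SSLContext.getInstance("TLS");
        sslContext.init(null, tmf.getTrustManagers(), null);
        return sslContext;
    }

    /**
     * Creates the InitialContext and performs the lookup inside an Elytron AuthenticationContext
     * that supplies sslContext for every peer (MatchRule.ALL). jboss-remoting resolves its
     * SSLContext from the Elytron context current on the calling thread, so the JVM default is
     * never touched and other processors keep their own trust configuration.
     */
    public static Object lookupWithScopedTrust(Hashtable<String, String> env, String jndiName, SSLContext sslContext) throws Exception {
        final AuthenticationContext scoped = AuthenticationContext.empty()
                .withSsl(MatchRule.ALL, () -> sslContext);
        // Both construction and lookup run inside the scope, so the context is in effect whether the
        // naming client captures it when the InitialContext is created or when lookup() is called
        return scoped.runCallable(() -> {
            final Context initialContext = new InitialContext(env);
            try {
                return initialContext.lookup(jndiName);
            } finally {
                initialContext.close();
            }
        });
    }

    /**
     * Wiring as it would be called from the handler's lookupConnectionFactory(); JNDI_TRUSTSTORE and
     * JNDI_TRUSTSTORE_PASSWORD are hypothetical property names, the password one marked sensitive.
     */
    public static Object lookupConnectionFactory(Hashtable<String, String> env, String jndiName,
                                                 String trustStorePath, char[] trustStorePassword) throws Exception {
        final SSLContext sslContext = buildSslContext(loadTrustStore(trustStorePath, trustStorePassword));
        return lookupWithScopedTrust(env, jndiName, sslContext);
    }
}
```

Two caveats worth checking before relying on this. First, "PKIX path building failed ... unable to find valid certification path to requested target" is the JDK trust manager reporting that no trust anchor in the store it was given matches the server's chain, so the difference between the two pods is on the trust side (different JVM cacerts, a truststore file that is not mounted, or one that lacks the issuing CA); the empty-store check above catches the unmounted or wrong file case but not a store that simply lacks the right CA, which keytool -list on the file in the failing pod will show. Second, the ConnectionFactory returned by the lookup opens its own connection to the broker later, outside this scope, so verify whether that connection also needs the scoped context or is configured by the broker-side connection factory.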