Member since 08-05-2024 | 5 Posts | 2 Kudos Received | 0 Solutions
08-08-2024
02:16 PM
1 Kudo
I tried a fix and it works, but not as expected. This updates the default global SSL context; I want similar logic which should be specific to this ConsumeJMS processor and should not affect the global SSL context.

    try {
        String jndiTruststorePath = context.getProperty(JNDI_TRUSTSTORE).evaluateAttributeExpressions().getValue().trim();
        // Load the truststore (the stream is closed automatically)
        KeyStore trustStore = KeyStore.getInstance("JKS");
        try (FileInputStream file = new FileInputStream(jndiTruststorePath)) {
            trustStore.load(file, "changeit".toCharArray());
        }
        // Initialize TrustManager
        TrustManagerFactory trustManagerFactory = TrustManagerFactory.getInstance(TrustManagerFactory.getDefaultAlgorithm());
        trustManagerFactory.init(trustStore);
        // Set up SSLContext
        SSLContext sslContext = SSLContext.getInstance("TLS");
        sslContext.init(null, trustManagerFactory.getTrustManagers(), null);
        // Set the default SSL context (JVM-wide: every component that uses the default context is affected)
        SSLContext.setDefault(sslContext);
        logger.info("Successfully configured the default SSL context");
    } catch (Exception e) {
        logger.error("Failed to configure SSL context", e);
        throw new ProcessException(e);
    }
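An added example (not code from the post or from NiFi): using only the JDK, it builds an SSLContext from a truststore without calling SSLContext.setDefault(), then checks that the JVM default is untouched and that the scoped context trusts only the truststore's entries. The class and method names and the temporary sample truststore are constructed for illustration; how the context is handed to a particular JNDI or JMS client depends on that client and is not shown.

```java
import java.io.InputStream;
import java.io.OutputStream;
import java.nio.file.Files;
import java.nio.file.Path;
import java.security.KeyStore;
import javax.net.ssl.SSLContext;
import javax.net.ssl.TrustManager;
import javax.net.ssl.TrustManagerFactory;
import javax.net.ssl.X509TrustManager;

class ScopedTrustDemo {
    // Loads the processor's truststore; the password is supplied by the caller.
    static KeyStore loadTruststore(Path file, char[] password) throws Exception {
        KeyStore ks = KeyStore.getInstance(KeyStore.getDefaultType());
        try (InputStream in = Files.newInputStream(file)) { ks.load(in, password); }
        return ks;
    }
    // Trust manager for ks; a null ks selects the JVM default trust anchors.
    static X509TrustManager trustManager(KeyStore ks) throws Exception {
        TrustManagerFactory tmf = TrustManagerFactory.getInstance(TrustManagerFactory.getDefaultAlgorithm());
        tmf.init(ks);
        return (X509TrustManager) tmf.getTrustManagers()[0];
    }
    // Context trusting only ks; it is returned to the caller and SSLContext.setDefault() is never called.
    static SSLContext scopedContext(KeyStore ks) throws Exception {
        SSLContext ctx = SSLContext.getInstance("TLS");
        ctx.init(null, new TrustManager[] { trustManager(ks) }, null);
        return ctx;
    }
    public static void main(String[] args) throws Exception {
        // Constructed sample: a temporary truststore holding one CA copied from the JVM defaults
        // (assumes the JVM ships default CA certificates).
        char[] pw = "sample-only".toCharArray();
        KeyStore sample = KeyStore.getInstance(KeyStore.getDefaultType());
        sample.load(null, null);
        sample.setCertificateEntry("sample-ca", trustManager(null).getAcceptedIssuers()[0]);
        Path file = Files.createTempFile("processor-truststore", ".ks");
        try (OutputStream out = Files.newOutputStream(file)) { sample.store(out, pw); }

        SSLContext before = SSLContext.getDefault();
        KeyStore loaded = loadTruststore(file, pw);
        SSLContext scoped = scopedContext(loaded);
        System.out.println("JVM default unchanged: " + (before == SSLContext.getDefault()));
        System.out.println("scoped context is a separate object: " + (scoped != before));
        System.out.println("issuers trusted, scoped vs JVM default: " + trustManager(loaded).getAcceptedIssuers().length
                + " vs " + trustManager(null).getAcceptedIssuers().length);
    }
}
```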
08-08-2024
02:29 AM
1 Kudo
@SAMSAL @MattWho @mburgess Please suggest what I should try to fix this issue.
08-08-2024
02:25 AM
Hi, we are configuring the ConsumeJMS processor using the JNDI controller service and ConsumeJMS properties, as shown here, and the controller service configurations are as follows. This works perfectly in the test pod, but when we deploy the same changes to a pod on another server in a different environment, we get the following error.

o.apache.nifi.jms.processors.ConsumeJMS ConsumeJMS[id=xxxxxxxxxxxx] Failed to initialize JMS Connection Factory: sun.security.provider.certpath.SunCertPathBuilderException: unable to find valid certification path to requested target
↳ causes: sun.security.validator.ValidatorException: PKIX path building failed: sun.security.provider.certpath.SunCertPathBuilderException: unable to find valid certification path to requested target
↳ causes: javax.net.ssl.SSLHandshakeException: PKIX path building failed: sun.security.provider.certpath.SunCertPathBuilderException: unable to find valid certification path to requested target
↳ causes: javax.naming.CommunicationException: WFNAM00018: Failed to connect to remote host [Root exception is javax.net.ssl.SSLHandshakeException: PKIX path building failed: sun.security.provider.certpath.SunCertPathBuilderException: unable to find valid certification path to requested target]
↳ causes: org.apache.nifi.processor.exception.ProcessException: Could not obtain JMS Connection Factory from JNDI"}
org.apache.nifi.processor.exception.ProcessException: Could not obtain JMS Connection Factory from JNDI
at org.apache.nifi.jms.cf.JndiJmsConnectionFactoryHandler.lookupConnectionFactory(JndiJmsConnectionFactoryHandler.java:154)
at org.apache.nifi.jms.cf.JndiJmsConnectionFactoryHandler.getConnectionFactory(JndiJmsConnectionFactoryHandler.java:78)
at org.apache.nifi.jms.cf.JndiJmsConnectionFactoryProvider.getConnectionFactory(JndiJmsConnectionFactoryProvider.java:68)
at jdk.internal.reflect.GeneratedMethodAccessor170.invoke(Unknown Source)
at java.base/jdk.internal.reflect.DelegatingMethodAccessorImpl.invoke(DelegatingMethodAccessorImpl.java:43)
at java.base/java.lang.reflect.Method.invoke(Method.java:566)
at org.apache.nifi.controller.service.StandardControllerServiceInvocationHandler.invoke(StandardControllerServiceInvocationHandler.java:254)
at org.apache.nifi.controller.service.StandardControllerServiceInvocationHandler.invoke(StandardControllerServiceInvocationHandler.java:105)
at com.sun.proxy.$Proxy176.getConnectionFactory(Unknown Source)
at org.apache.nifi.jms.processors.AbstractJMSProcessor.buildTargetResource(AbstractJMSProcessor.java:284)
at org.apache.nifi.jms.processors.AbstractJMSProcessor.onTrigger(AbstractJMSProcessor.java:184)
at org.apache.nifi.processor.AbstractProcessor.onTrigger(AbstractProcessor.java:27)
at org.apache.nifi.controller.StandardProcessorNode.onTrigger(StandardProcessorNode.java:1202)
at org.apache.nifi.controller.tasks.ConnectableTask.invoke(ConnectableTask.java:214)
at org.apache.nifi.controller.scheduling.TimerDrivenSchedulingAgent$1.run(TimerDrivenSchedulingAgent.java:103)
at org.apache.nifi.engine.FlowEngine$2.run(FlowEngine.java:110)
at java.base/java.util.concurrent.Executors$RunnableAdapter.call(Executors.java:515)
at java.base/java.util.concurrent.FutureTask.runAndReset(FutureTask.java:305)
at java.base/java.util.concurrent.ScheduledThreadPoolExecutor$ScheduledFutureTask.run(ScheduledThreadPoolExecutor.java:305)
at java.base/java.util.concurrent.ThreadPoolExecutor.runWorker(ThreadPoolExecutor.java:1128)
at java.base/java.util.concurrent.ThreadPoolExecutor$Worker.run(ThreadPoolExecutor.java:628)
at java.base/java.lang.Thread.run(Thread.java:829)
Caused by: javax.naming.CommunicationException: WFNAM00018: Failed to connect to remote host
at org.wildfly.naming.client.remote.RemoteNamingProvider.getPeerIdentityForNaming(RemoteNamingProvider.java:110)
at org.wildfly.naming.client.remote.RemoteNamingProvider.getPeerIdentityForNaming(RemoteNamingProvider.java:53)
at org.wildfly.naming.client.NamingProvider.getPeerIdentityForNamingUsingRetry(NamingProvider.java:103)
at org.wildfly.naming.client.remote.RemoteNamingProvider.getPeerIdentityForNamingUsingRetry(RemoteNamingProvider.java:91)
at org.wildfly.naming.client.remote.RemoteContext.lambda$lookupNative$0(RemoteContext.java:189)
at org.wildfly.naming.client.NamingProvider.performExceptionAction(NamingProvider.java:220)
at org.wildfly.naming.client.remote.RemoteContext.performWithRetry(RemoteContext.java:100)
at org.wildfly.naming.client.remote.RemoteContext.lookupNative(RemoteContext.java:188)
at org.wildfly.naming.client.AbstractFederatingContext.lookup(AbstractFederatingContext.java:74)
at org.wildfly.naming.client.AbstractFederatingContext.lookup(AbstractFederatingContext.java:60)
at org.wildfly.naming.client.WildFlyRootContext.lookup(WildFlyRootContext.java:144)
at java.naming/javax.naming.InitialContext.lookup(InitialContext.java:409)
at org.apache.nifi.jms.cf.JndiJmsConnectionFactoryHandler.lookupConnectionFactory(JndiJmsConnectionFactoryHandler.java:100)
... 21 common frames omitted
Caused by: javax.net.ssl.SSLHandshakeException: PKIX path building failed: sun.security.provider.certpath.SunCertPathBuilderException: unable to find valid certification path to requested target
at java.base/sun.security.ssl.Alert.createSSLException(Alert.java:131)
at java.base/sun.security.ssl.TransportContext.fatal(TransportContext.java:353)
at java.base/sun.security.ssl.TransportContext.fatal(TransportContext.java:296)
at java.base/sun.security.ssl.TransportContext.fatal(TransportContext.java:291)
at java.base/sun.security.ssl.CertificateMessage$T12CertificateConsumer.checkServerCerts(CertificateMessage.java:654)
at java.base/sun.security.ssl.CertificateMessage$T12CertificateConsumer.onCertificate(CertificateMessage.java:473)
at java.base/sun.security.ssl.CertificateMessage$T12CertificateConsumer.consume(CertificateMessage.java:369)
at java.base/sun.security.ssl.SSLHandshake.consume(SSLHandshake.java:392)
at java.base/sun.security.ssl.HandshakeContext.dispatch(HandshakeContext.java:443)
at java.base/sun.security.ssl.SSLEngineImpl$DelegatedTask$DelegatedAction.run(SSLEngineImpl.java:1074)
at java.base/sun.security.ssl.SSLEngineImpl$DelegatedTask$DelegatedAction.run(SSLEngineImpl.java:1061)
at java.base/java.security.AccessController.doPrivileged(Native Method)
at java.base/sun.security.ssl.SSLEngineImpl$DelegatedTask.run(SSLEngineImpl.java:1008)
at org.xnio.ssl.JsseSslConduitEngine.handleHandshake(JsseSslConduitEngine.java:549)
at org.xnio.ssl.JsseSslConduitEngine.wrap(JsseSslConduitEngine.java:244)
at org.xnio.ssl.JsseSslStreamSinkConduit.write(JsseSslStreamSinkConduit.java:113)
at org.xnio.ssl.JsseSslStreamSinkConduit.write(JsseSslStreamSinkConduit.java:77)
at org.xnio.conduits.ConduitStreamSinkChannel.write(ConduitStreamSinkChannel.java:154)
at org.jboss.remoting3.remote.RemoteConnection$RemoteWriteListener.handleEvent(RemoteConnection.java:264)
at org.jboss.remoting3.remote.RemoteConnection$RemoteWriteListener.handleEvent(RemoteConnection.java:243)
at org.xnio.ChannelListeners.invokeChannelListener(ChannelListeners.java:92)
at org.xnio.conduits.WriteReadyHandler$ChannelListenerHandler.writeReady(WriteReadyHandler.java:65)
at org.xnio.nio.NioSocketConduit.handleReady(NioSocketConduit.java:94)
at org.xnio.nio.WorkerThread.run(WorkerThread.java:591)
at ...asynchronous invocation...(Unknown Source)
at org.jboss.remoting3.EndpointImpl.connect(EndpointImpl.java:599)
at org.jboss.remoting3.EndpointImpl.connect(EndpointImpl.java:565)
at org.jboss.remoting3.ConnectionInfo$None.getConnection(ConnectionInfo.java:82)
at org.jboss.remoting3.ConnectionInfo.getConnection(ConnectionInfo.java:55)
at org.jboss.remoting3.EndpointImpl.doGetConnection(EndpointImpl.java:499)
at org.jboss.remoting3.EndpointImpl.getConnectedIdentity(EndpointImpl.java:445)
at org.jboss.remoting3.UncloseableEndpoint.getConnectedIdentity(UncloseableEndpoint.java:52)
at org.wildfly.naming.client.remote.RemoteNamingProvider.getFuturePeerIdentityPrivileged(RemoteNamingProvider.java:151)
at org.wildfly.naming.client.remote.RemoteNamingProvider.lambda$getFuturePeerIdentity$0(RemoteNamingProvider.java:138)
at java.base/java.security.AccessController.doPrivileged(Native Method)
at org.wildfly.naming.client.remote.RemoteNamingProvider.getFuturePeerIdentity(RemoteNamingProvider.java:138)
at org.wildfly.naming.client.remote.RemoteNamingProvider.getPeerIdentity(RemoteNamingProvider.java:126)
at org.wildfly.naming.client.remote.RemoteNamingProvider.getPeerIdentityForNaming(RemoteNamingProvider.java:106)
... 33 common frames omitted
Caused by: sun.security.validator.ValidatorException: PKIX path building failed: sun.security.provider.certpath.SunCertPathBuilderException: unable to find valid certification path to requested target
at java.base/sun.security.validator.PKIXValidator.doBuild(PKIXValidator.java:439)
at java.base/sun.security.validator.PKIXValidator.engineValidate(PKIXValidator.java:306)
at java.base/sun.security.validator.Validator.validate(Validator.java:264)
at java.base/sun.security.ssl.X509TrustManagerImpl.validate(X509TrustManagerImpl.java:313)
at java.base/sun.security.ssl.X509TrustManagerImpl.checkTrusted(X509TrustManagerImpl.java:276)
at java.base/sun.security.ssl.X509TrustManagerImpl.checkServerTrusted(X509TrustManagerImpl.java:141)
at java.base/sun.security.ssl.CertificateMessage$T12CertificateConsumer.checkServerCerts(CertificateMessage.java:632)
at java.base/sun.security.ssl.CertificateMessage$T12CertificateConsumer.onCertificate(CertificateMessage.java:473)
at java.base/sun.security.ssl.CertificateMessage$T12CertificateConsumer.consume(CertificateMessage.java:369)
at java.base/sun.security.ssl.SSLHandshake.consume(SSLHandshake.java:392)
at java.base/sun.security.ssl.HandshakeContext.dispatch(HandshakeContext.java:443)
at java.base/sun.security.ssl.SSLEngineImpl$DelegatedTask$DelegatedAction.run(SSLEngineImpl.java:1074)
at java.base/sun.security.ssl.SSLEngineImpl$DelegatedTask$DelegatedAction.run(SSLEngineImpl.java:1061)
at java.base/java.security.AccessController.doPrivileged(Native Method)
at java.base/sun.security.ssl.SSLEngineImpl$DelegatedTask.run(SSLEngineImpl.java:1008)
at org.xnio.ssl.JsseSslConduitEngine.handleHandshake(JsseSslConduitEngine.java:549)
at org.xnio.ssl.JsseSslConduitEngine.wrap(JsseSslConduitEngine.java:244)
at org.xnio.ssl.JsseSslStreamSinkConduit.write(JsseSslStreamSinkConduit.java:113)
at org.xnio.ssl.JsseSslStreamSinkConduit.write(JsseSslStreamSinkConduit.java:77)
at org.xnio.conduits.ConduitStreamSinkChannel.write(ConduitStreamSinkChannel.java:154)
at org.jboss.remoting3.remote.RemoteConnection$RemoteWriteListener.handleEvent(RemoteConnection.java:264)
at org.jboss.remoting3.remote.RemoteConnection$RemoteWriteListener.handleEvent(RemoteConnection.java:243)
at org.xnio.ChannelListeners.invokeChannelListener(ChannelListeners.java:92)
at org.xnio.conduits.WriteReadyHandler$ChannelListenerHandler.writeReady(WriteReadyHandler.java:65)
at org.xnio.nio.NioSocketConduit.handleReady(NioSocketConduit.java:94)
at org.xnio.nio.WorkerThread.run(WorkerThread.java:591)
Caused by: sun.security.provider.certpath.SunCertPathBuilderException: unable to find valid certification path to requested target
at java.base/sun.security.provider.certpath.SunCertPathBuilder.build(SunCertPathBuilder.java:141)
at java.base/sun.security.provider.certpath.SunCertPathBuilder.engineBuild(SunCertPathBuilder.java:126)
at java.base/java.security.cert.CertPathBuilder.build(CertPathBuilder.java:297)
at java.base/sun.security.validator.PKIXValidator.doBuild(PKIXValidator.java:434)
... 25 common frames omitted

I had tried setting the env while building the InitialContext in the NiFi code as follows.

    private Context createInitialContext() throws NamingException {
        final Hashtable<String, String> env = new Hashtable<>();
        env.put(Context.INITIAL_CONTEXT_FACTORY, context.getProperty(JNDI_INITIAL_CONTEXT_FACTORY).evaluateAttributeExpressions().getValue().trim());
        env.put(Context.PROVIDER_URL, context.getProperty(JNDI_PROVIDER_URL).evaluateAttributeExpressions().getValue().trim());
        final String principal = context.getProperty(JNDI_PRINCIPAL).evaluateAttributeExpressions().getValue();
        if (principal != null) {
            env.put(Context.SECURITY_PRINCIPAL, principal);
        }
        final String credentials = context.getProperty(JNDI_CREDENTIALS).getValue();
        if (credentials != null) {
            env.put(Context.SECURITY_CREDENTIALS, credentials);
        }
        // Pass any dynamic (user-defined) properties straight into the JNDI environment
        propertyDescriptors.forEach(descriptor -> {
            if (descriptor.isDynamic()) {
                env.put(descriptor.getName(), context.getProperty(descriptor).evaluateAttributeExpressions().getValue());
            }
        });
        final String enableSSL = context.getProperty(JndiJmsConnectionFactoryProperties.ENABLE_SSL).evaluateAttributeExpressions().getValue();
        logger.info("enableSSL: " + enableSSL);
        // Null-safe comparison: an unset property is treated as "SSL not enabled"
        if (!"true".equals(enableSSL)) {
            // Context.SECURITY_AUTHENTICATION is the standard key "java.naming.security.authentication"
            env.put(Context.SECURITY_AUTHENTICATION, "none");
            env.put("jboss.naming.client.connect.options.org.xnio.Options.SSL_STARTTLS", "false");
            env.put("jboss.naming.client.remote.connectionprovider.create.options.org.xnio.Options.SSL_ENABLED", "false");
            env.put("jboss.naming.client.connect.options.org.xnio.Options.SASL_POLICY_NOPLAINTEXT", "false");
        }
        final Context initialContext = new InitialContext(env);
        return initialContext;
    }

Is there any way to bypass the default JVM truststore and use another way to do an initial lookup using a different truststore?
Labels: Apache NiFi
08-06-2024
06:35 AM
@MattWho We are using JNDI configurations; there is no option to pass SSL with JNDI configurations.
08-05-2024
11:21 AM
I have a ConsumeJMS processor in NiFi, which I have set up using JndiJmsConnectionFactoryHandler. I want to execute this NiFi processor with a custom keystore, like how we do when we run a Java class as follows:

    $JAVA_HOME/bin/java -Djavax.net.ssl.trustStore=keystore -Djavax.net.ssl.keyStore=keystore -Djavax.net.ssl.trustStorePassword=**** -Djavax.net.ssl.keyStorePassword=**** -classpath ___ com.example.Application

I have checked the truststore we have at the root NiFi directory, which is configured in the bootstrap configuration file. We don't want to touch it; we just want to run the ConsumeJMS processor with a specific keystore and truststore.
Labels: Apache NiFi