I am trying to create a WSDL based proxy from a service. This service is running in a Tomcat server that has been configured to accept only secured connections using TLSv1.2, and this service is outside the intranet where wso2server is running.
The problem appears when I test the WSDL URI in the WSDL based proxy template: the system raises the following alert: "Invalid WSDL URI (Unable to establish a connection)". I have to say that the wso2esb has a connection to the outside and the problem isn't accessing this URL, because:
- If I accept non-SSL connections on the service's server, it works well.
- I can request the WSDL information using the wget command against the https WSDL URL.
- I can create other proxies using secured connections, for example a proxy service from: https://webservices.amazon.com/AWSECommerceService/AWSECommerceService.wsdl
According to the browser's connection information for the secured WSDL URL that fails, the TLS protocol is 1.2 and the cipher is: TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256
More useful information:
- wso2server version: 4.8.1
- java versions tested (failed in both): 1.7.0_45 and 1.8.0_60
- Added parameter in CARBON_HOME/bin/wso2server.sh: -Dhttps.protocols=TLSv1,TLSv1.1,TLSv1.2
- Tomcat connector configuration from CARBON_HOME/repository/conf/tomcat/catalina-server.xml:
<Connector protocol="org.apache.coyote.http11.Http11NioProtocol"
           port="8888"
           bindOnInit="false"
           sslProtocol="TLS"
           sslEnabledProtocols="TLSv1,TLSv1.1,TLSv1.2"
           maxHttpHeaderSize="8192"
           acceptorThreadCount="2"
           maxThreads="250"
           minSpareThreads="50"
           disableUploadTimeout="false"
           enableLookups="false"
           connectionUploadTimeout="120000"
           maxKeepAliveRequests="200"
           acceptCount="200"
           server="WSO2 Carbon Server"
           clientAuth="false"
           compression="on"
           scheme="https"
           secure="true"
           SSLEnabled="true"
           compressionMinSize="2048"
           noCompressionUserAgents="gozilla, traviata"
           compressableMimeType="..."
           URIEncoding="UTF-8" />
- Added the following parameter to the transport sender and receiver in axis2.xml: TLSv1,TLSv1.1,TLSv1.2
Maybe I have missed something in the wso2server configuration?
Updated problem:
After installing the public part of the SSL certificate into the ESB trust-store, I could create a proxy service based on the published WSDL without any problems, and I can request the WSDL template through the ESB. But I think the problem isn't completely solved:
Trying the service using SoapUI, I get the following exception on the server (read in wso2carbon.log):
TID: [0] [ESB] [2015-10-15 08:24:31,057] ERROR {org.apache.synapse.transport.passthru.TargetHandler} - I/O error: Received fatal alert: protocol_version {org.apache.synapse.transport.passthru.TargetHandler}
javax.net.ssl.SSLException: Received fatal alert: protocol_version
at sun.security.ssl.Alerts.getSSLException(Alerts.java:208)
at sun.security.ssl.SSLEngineImpl.fatal(SSLEngineImpl.java:1619)
at sun.security.ssl.SSLEngineImpl.fatal(SSLEngineImpl.java:1587)
at sun.security.ssl.SSLEngineImpl.recvAlert(SSLEngineImpl.java:1756)
at sun.security.ssl.SSLEngineImpl.readRecord(SSLEngineImpl.java:1060)
at sun.security.ssl.SSLEngineImpl.readNetRecord(SSLEngineImpl.java:884)
at sun.security.ssl.SSLEngineImpl.unwrap(SSLEngineImpl.java:758)
at javax.net.ssl.SSLEngine.unwrap(SSLEngine.java:624)
at org.apache.http.nio.reactor.ssl.SSLIOSession.doUnwrap(SSLIOSession.java:228)
at org.apache.http.nio.reactor.ssl.SSLIOSession.doHandshake(SSLIOSession.java:263)
at org.apache.http.nio.reactor.ssl.SSLIOSession.isAppInputReady(SSLIOSession.java:380)
at org.apache.http.impl.nio.reactor.AbstractIODispatch.inputReady(AbstractIODispatch.java:118)
at org.apache.http.impl.nio.reactor.BaseIOReactor.readable(BaseIOReactor.java:160)
at org.apache.http.impl.nio.reactor.AbstractIOReactor.processEvent(AbstractIOReactor.java:342)
at org.apache.http.impl.nio.reactor.AbstractIOReactor.processEvents(AbstractIOReactor.java:320)
at org.apache.http.impl.nio.reactor.AbstractIOReactor.execute(AbstractIOReactor.java:280)
at org.apache.http.impl.nio.reactor.BaseIOReactor.execute(BaseIOReactor.java:106)
at org.apache.http.impl.nio.reactor.AbstractMultiworkerIOReactor$Worker.run(AbstractMultiworkerIOReactor.java:604)
at java.lang.Thread.run(Thread.java:744)
TID: [0] [ESB] [2015-10-15 08:25:04,600] WARN {org.apache.synapse.transport.passthru.SourceHandler} - Connection time out after request is read: http-incoming-11 {org.apache.synapse.transport.passthru.SourceHandler}
Maybe I missed something in the axis2.xml configuration file ($CARBON_HOME/repository/conf/axis2/axis2.xml)? Here is the relevant part:
- TransportReceiver (https part):
<transportReceiver name="https" class="org.apache.synapse.transport.passthru.PassThroughHttpSSLListener">
<parameter name="port" locked="false">8443</parameter>
<parameter name="non-blocking" locked="false">true</parameter>
<parameter name="bind-address" locked="false">XXX.XXX.XXX.XXX</parameter>
<parameter name="WSDLEPRPrefix" locked="false">https://XXX.XXX.XXX.XXX:8443</parameter>
<parameter name="httpGetProcessor" locked="false">org.wso2.carbon.transport.nhttp.api.PassThroughNHttpGetProcessor</parameter>
<parameter name="HttpsProtocols">TLSv1,TLSv1.1,TLSv1.2</parameter>
<parameter name="keystore" locked="false">
<KeyStore>
<Location>repository/resources/security/wso2carbon.jks</Location>
<Type>JKS</Type>
<Password>XXX</Password>
<KeyPassword>XXX</KeyPassword>
</KeyStore>
</parameter>
<parameter name="truststore" locked="false">
<TrustStore>
<Location>repository/resources/security/client-truststore.jks</Location>
<Type>JKS</Type>
<Password>XXX</Password>
</TrustStore>
</parameter>
</transportReceiver>
- TransportSender (https part):
<transportSender name="https" class="org.apache.synapse.transport.passthru.PassThroughHttpSSLSender">
<parameter name="non-blocking" locked="false">true</parameter>
<parameter name="HttpsProtocols">TLSv1,TLSv1.1,TLSv1.2</parameter>
<parameter name="keystore" locked="false">
<KeyStore>
<Location>repository/resources/security/wso2carbon.jks</Location>
<Type>JKS</Type>
<Password>XXXX</Password>
<KeyPassword>XXXX</KeyPassword>
</KeyStore>
</parameter>
<parameter name="truststore" locked="false">
<TrustStore>
<Location>repository/resources/security/client-truststore.jks</Location>
<Type>JKS</Type>
<Password>XXXXX</Password>
</TrustStore>
</parameter>
<parameter name="HostnameVerifier">AllowAll</parameter>
</transportSender>
Thank you!
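An added diagnostic example, not part of the question above and not WSO2 or Tomcat code. The log line "Received fatal alert: protocol_version" is the backend's TLS Alert record (level 2 = fatal, description 70 = protocol_version), which a server sends when none of the versions in the client's ClientHello is enabled on its connector. Pre-TLS-1.3 clients do not list versions; they only state a ceiling (legacy_version), and the server picks its highest enabled version at or below that ceiling, so a ClientHello that announces TLSv1 can never be accepted by a connector that enables only TLSv1.2. The parser below reads a captured ClientHello to show which versions are really offered and decodes the alert; the ClientHello and alert bytes at the bottom are constructed samples, and the `server_enabled` set stands in for the Tomcat `sslEnabledProtocols` list. One caveat worth knowing: the `https.protocols` system property governs `HttpsURLConnection` only, not an `SSLEngine` driven directly by `SSLIOSession` as in the stack trace, so it is no substitute for configuring the transport itself.

```python
"""Decode the TLS records behind "Received fatal alert: protocol_version"."""
import struct

VERSION_NAMES = {0x0300: "SSLv3", 0x0301: "TLSv1", 0x0302: "TLSv1.1",
                 0x0303: "TLSv1.2", 0x0304: "TLSv1.3"}
VERSION_CODES = {name: code for code, name in VERSION_NAMES.items()}
ALERT_LEVELS = {1: "warning", 2: "fatal"}
ALERT_DESCRIPTIONS = {40: "handshake_failure", 70: "protocol_version"}
CONTENT_ALERT, CONTENT_HANDSHAKE = 0x15, 0x16
HANDSHAKE_CLIENT_HELLO, EXT_SUPPORTED_VERSIONS = 1, 43


def parse_record(data):
    """Split one TLS record into (content_type, record_version, payload)."""
    if len(data) < 5:
        raise ValueError("truncated TLS record header")
    ctype, version, length = struct.unpack("!BHH", data[:5])
    payload = data[5:5 + length]
    if len(payload) != length:
        raise ValueError("truncated TLS record payload")
    return ctype, version, payload


def decode_alert(record):
    """Render an Alert record as text, e.g. 'fatal protocol_version (70)'."""
    ctype, _, payload = parse_record(record)
    if ctype != CONTENT_ALERT or len(payload) != 2:
        raise ValueError("not a TLS Alert record")
    level, desc = payload[0], payload[1]
    return f"{ALERT_LEVELS.get(level, level)} {ALERT_DESCRIPTIONS.get(desc, 'unknown')} ({desc})"


def offered_versions(record):
    """Versions a ClientHello offers, highest first.

    TLS 1.3 clients list them in the supported_versions extension; older
    clients only state a ceiling (legacy_version), and the server picks its
    highest enabled version at or below that ceiling.
    """
    ctype, _, payload = parse_record(record)
    if ctype != CONTENT_HANDSHAKE or payload[0] != HANDSHAKE_CLIENT_HELLO:
        raise ValueError("not a ClientHello")
    body = payload[4:4 + int.from_bytes(payload[1:4], "big")]
    legacy_version = struct.unpack("!H", body[:2])[0]
    pos = 2 + 32                                           # version + random
    pos += 1 + body[pos]                                   # session_id
    pos += 2 + struct.unpack("!H", body[pos:pos + 2])[0]   # cipher_suites
    pos += 1 + body[pos]                                   # compression_methods
    if pos < len(body):                                    # extensions (optional)
        end = pos + 2 + struct.unpack("!H", body[pos:pos + 2])[0]
        pos += 2
        while pos + 4 <= end:
            etype, elen = struct.unpack("!HH", body[pos:pos + 4])
            edata = body[pos + 4:pos + 4 + elen]
            pos += 4 + elen
            if etype == EXT_SUPPORTED_VERSIONS:
                codes = [struct.unpack("!H", edata[i:i + 2])[0]
                         for i in range(1, 1 + edata[0], 2)]
                return [VERSION_NAMES.get(c, hex(c)) for c in codes]
    # No supported_versions: everything up to legacy_version is on the table
    return [name for code, name in sorted(VERSION_NAMES.items(), reverse=True)
            if code <= legacy_version]


def negotiated_version(client_hello, server_enabled):
    """Version the server would pick, or None (it then sends protocol_version)."""
    for name in offered_versions(client_hello):
        if name in server_enabled:
            return name
    return None


def build_client_hello(legacy_version, supported_versions=None):
    """Construct a minimal ClientHello record to use as sample input."""
    body = struct.pack("!H", VERSION_CODES[legacy_version]) + bytes(32)
    body += b"\x00"                                    # empty session_id
    body += struct.pack("!H", 2) + b"\xc0\x2f"         # one cipher suite
    body += b"\x01\x00"                                # null compression only
    if supported_versions:
        codes = b"".join(struct.pack("!H", VERSION_CODES[v]) for v in supported_versions)
        ext = struct.pack("!HHB", EXT_SUPPORTED_VERSIONS, len(codes) + 1, len(codes)) + codes
        body += struct.pack("!H", len(ext)) + ext
    hs = bytes([HANDSHAKE_CLIENT_HELLO]) + len(body).to_bytes(3, "big") + body
    return struct.pack("!BHH", CONTENT_HANDSHAKE, 0x0301, len(hs)) + hs


# Constructed samples (not captured): a client capped at TLSv1, one offering
# TLSv1.2, a TLS 1.3 client, and the backend's fatal protocol_version alert.
OLD_CLIENT_HELLO = build_client_hello("TLSv1")
NEW_CLIENT_HELLO = build_client_hello("TLSv1.2")
TLS13_CLIENT_HELLO = build_client_hello("TLSv1.2", ["TLSv1.3", "TLSv1.2"])
PROTOCOL_VERSION_ALERT = bytes([CONTENT_ALERT, 0x03, 0x01, 0x00, 0x02, 2, 70])

if __name__ == "__main__":
    print("backend said:", decode_alert(PROTOCOL_VERSION_ALERT))
    for hello in (OLD_CLIENT_HELLO, NEW_CLIENT_HELLO, TLS13_CLIENT_HELLO):
        print(offered_versions(hello), "-> TLSv1.2-only server picks",
              negotiated_version(hello, {"TLSv1.2"}))
```

To check a real setup rather than the constructed samples, capture the ESB's outbound connection to the backend with tcpdump or Wireshark and pass the bytes of the first record the ESB sends to `offered_versions()`; on the server side, `openssl s_client -connect host:port -tls1` versus `-tls1_2` shows directly which versions the connector accepts.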