Enabling Role-Based Access Control Using XACML - Error occurred while evaluating the policy

2
votes

I followed the Enabling Role-Based Access Control Using XACML. I could setup all with out any issue. But when invoking the API it responds with below error. 

<am:fault xmlns:am="http://wso2.org/apimanager"><am:code>0</am:code><am:type>Status report</am:type><am:message>Runtime Error</am:message><am:description>Error occurred while evaluating the policy</am:description></am:fault>

And in the APIM log I can see the below error. I'm running the APIM 2.6 and IS 5.3 in the same machine with offset of 2 in AM. It seems the issue is with the remoteServiceUrl="https://127.0.0.1:9443/services" url in EntitlementMediator.xml mentioned in the step 14 of the Given Guide.

[2019-05-28 12:33:05,162] INFO - HTTPSender Unable to sendViaPost to url[https://127.0.0.1:9443/services/EntitlementService] javax.net.ssl.SSLPeerUnverifiedException: peer not authenticated at sun.security.ssl.SSLSessionImpl.getPeerCertificates(SSLSessionImpl.java:431) at org.apache.commons.httpclient.protocol.SSLProtocolSocketFactory.verifyHostName(SSLProtocolSocketFactory.java:276) at org.apache.commons.httpclient.protocol.SSLProtocolSocketFactory.createSocket(SSLProtocolSocketFactory.java:186) at org.apache.commons.httpclient.HttpConnection.open(HttpConnection.java:707) at org.apache.commons.httpclient.MultiThreadedHttpConnectionManager$HttpConnectionAdapter.open(MultiThreadedHttpConnectionManager.java:1361) at org.apache.commons.httpclient.HttpMethodDirector.executeWithRetry(HttpMethodDirector.java:387) at org.apache.commons.httpclient.HttpMethodDirector.executeMethod(HttpMethodDirector.java:171) at org.apache.commons.httpclient.HttpClient.executeMethod(HttpClient.java:397) at org.apache.axis2.transport.http.AbstractHTTPSender.executeMethod(AbstractHTTPSender.java:704) at org.apache.axis2.transport.http.HTTPSender.sendViaPost(HTTPSender.java:199) at org.apache.axis2.transport.http.HTTPSender.send(HTTPSender.java:81) at org.apache.axis2.transport.http.CommonsHTTPTransportSender.writeMessageWithCommons(CommonsHTTPTransportSender.java:459) at org.apache.axis2.transport.http.CommonsHTTPTransportSender.invoke(CommonsHTTPTransportSender.java:286) at org.apache.axis2.engine.AxisEngine.send(AxisEngine.java:442) at org.apache.axis2.description.OutInAxisOperationClient.send(OutInAxisOperation.java:441) at org.apache.axis2.description.OutInAxisOperationClient.executeImpl(OutInAxisOperation.java:227) at org.apache.axis2.client.OperationClient.execute(OperationClient.java:149) at org.wso2.carbon.identity.entitlement.stub.EntitlementServiceStub.getDecision(EntitlementServiceStub.java:836) at org.wso2.carbon.identity.entitlement.proxy.soap.basicAuth.BasicAuthEntitlementServiceClient.getDecision(BasicAuthEntitlementServiceClient.java:259) at org.wso2.carbon.identity.entitlement.proxy.soap.basicAuth.BasicAuthEntitlementServiceClient.getDecision(BasicAuthEntitlementServiceClient.java:123) at org.wso2.carbon.identity.entitlement.proxy.PEPProxy.getDecision(PEPProxy.java:94) at org.wso2.carbon.identity.entitlement.proxy.PEPProxy.getDecision(PEPProxy.java:66) at org.wso2.carbon.identity.entitlement.mediator.EntitlementMediator.mediate(EntitlementMediator.java:203) at org.apache.synapse.mediators.AbstractListMediator.mediate(AbstractListMediator.java:108) at org.apache.synapse.mediators.AbstractListMediator.mediate(AbstractListMediator.java:70) at org.apache.synapse.mediators.base.SequenceMediator.mediate(SequenceMediator.java:158) at org.wso2.carbon.apimgt.gateway.handlers.ext.APIManagerExtensionHandler.mediate(APIManagerExtensionHandler.java:66) at org.wso2.carbon.apimgt.gateway.handlers.ext.APIManagerExtensionHandler.handleRequest(APIManagerExtensionHandler.java:75) at org.apache.synapse.rest.API.process(API.java:325) at org.apache.synapse.rest.RESTRequestHandler.apiProcessNonDefaultStrategy(RESTRequestHandler.java:149) at org.apache.synapse.rest.RESTRequestHandler.dispatchToAPI(RESTRequestHandler.java:95) at org.apache.synapse.rest.RESTRequestHandler.process(RESTRequestHandler.java:71) at org.apache.synapse.core.axis2.Axis2SynapseEnvironment.injectMessage(Axis2SynapseEnvironment.java:303) at org.apache.synapse.core.axis2.SynapseMessageReceiver.receive(SynapseMessageReceiver.java:92) at org.apache.axis2.engine.AxisEngine.receive(AxisEngine.java:180) at org.apache.synapse.transport.passthru.ServerWorker.processNonEntityEnclosingRESTHandler(ServerWorker.java:337) at org.apache.synapse.transport.passthru.ServerWorker.run(ServerWorker.java:158) at org.apache.axis2.transport.base.threads.NativeWorkerPool$1.run(NativeWorkerPool.java:172) at java.util.concurrent.ThreadPoolExecutor.runWorker(ThreadPoolExecutor.java:1142) at java.util.concurrent.ThreadPoolExecutor$Worker.run(ThreadPoolExecutor.java:617) at java.lang.Thread.run(Thread.java:745) [2019-05-28 12:33:05,164] ERROR - EntitlementMediator Error occurred while evaluating the policy org.apache.axis2.AxisFault: peer not authenticated at org.apache.axis2.AxisFault.makeFault(AxisFault.java:430) at org.apache.axis2.transport.http.HTTPSender.sendViaPost(HTTPSender.java:203) at org.apache.axis2.transport.http.HTTPSender.send(HTTPSender.java:81) at org.apache.axis2.transport.http.CommonsHTTPTransportSender.writeMessageWithCommons(CommonsHTTPTransportSender.java:459) at org.apache.axis2.transport.http.CommonsHTTPTransportSender.invoke(CommonsHTTPTransportSender.java:286) at org.apache.axis2.engine.AxisEngine.send(AxisEngine.java:442) at org.apache.axis2.description.OutInAxisOperationClient.send(OutInAxisOperation.java:441) at org.apache.axis2.description.OutInAxisOperationClient.executeImpl(OutInAxisOperation.java:227) at org.apache.axis2.client.OperationClient.execute(OperationClient.java:149) at org.wso2.carbon.identity.entitlement.stub.EntitlementServiceStub.getDecision(EntitlementServiceStub.java:836) at org.wso2.carbon.identity.entitlement.proxy.soap.basicAuth.BasicAuthEntitlementServiceClient.getDecision(BasicAuthEntitlementServiceClient.java:259) at org.wso2.carbon.identity.entitlement.proxy.soap.basicAuth.BasicAuthEntitlementServiceClient.getDecision(BasicAuthEntitlementServiceClient.java:123) at org.wso2.carbon.identity.entitlement.proxy.PEPProxy.getDecision(PEPProxy.java:94) at org.wso2.carbon.identity.entitlement.proxy.PEPProxy.getDecision(PEPProxy.java:66) at org.wso2.carbon.identity.entitlement.mediator.EntitlementMediator.mediate(EntitlementMediator.java:203) at org.apache.synapse.mediators.AbstractListMediator.mediate(AbstractListMediator.java:108) at org.apache.synapse.mediators.AbstractListMediator.mediate(AbstractListMediator.java:70) at org.apache.synapse.mediators.base.SequenceMediator.mediate(SequenceMediator.java:158) at org.wso2.carbon.apimgt.gateway.handlers.ext.APIManagerExtensionHandler.mediate(APIManagerExtensionHandler.java:66) at org.wso2.carbon.apimgt.gateway.handlers.ext.APIManagerExtensionHandler.handleRequest(APIManagerExtensionHandler.java:75) at org.apache.synapse.rest.API.process(API.java:325) at org.apache.synapse.rest.RESTRequestHandler.apiProcessNonDefaultStrategy(RESTRequestHandler.java:149) at org.apache.synapse.rest.RESTRequestHandler.dispatchToAPI(RESTRequestHandler.java:95) at org.apache.synapse.rest.RESTRequestHandler.process(RESTRequestHandler.java:71) at org.apache.synapse.core.axis2.Axis2SynapseEnvironment.injectMessage(Axis2SynapseEnvironment.java:303) at org.apache.synapse.core.axis2.SynapseMessageReceiver.receive(SynapseMessageReceiver.java:92) at org.apache.axis2.engine.AxisEngine.receive(AxisEngine.java:180) at org.apache.synapse.transport.passthru.ServerWorker.processNonEntityEnclosingRESTHandler(ServerWorker.java:337) at org.apache.synapse.transport.passthru.ServerWorker.run(ServerWorker.java:158) at org.apache.axis2.transport.base.threads.NativeWorkerPool$1.run(NativeWorkerPool.java:172) at java.util.concurrent.ThreadPoolExecutor.runWorker(ThreadPoolExecutor.java:1142) at java.util.concurrent.ThreadPoolExecutor$Worker.run(ThreadPoolExecutor.java:617) at java.lang.Thread.run(Thread.java:745) Caused by: javax.net.ssl.SSLPeerUnverifiedException: peer not authenticated at sun.security.ssl.SSLSessionImpl.getPeerCertificates(SSLSessionImpl.java:431) at org.apache.commons.httpclient.protocol.SSLProtocolSocketFactory.verifyHostName(SSLProtocolSocketFactory.java:276) at org.apache.commons.httpclient.protocol.SSLProtocolSocketFactory.createSocket(SSLProtocolSocketFactory.java:186) at org.apache.commons.httpclient.HttpConnection.open(HttpConnection.java:707) at org.apache.commons.httpclient.MultiThreadedHttpConnectionManager$HttpConnectionAdapter.open(MultiThreadedHttpConnectionManager.java:1361) at org.apache.commons.httpclient.HttpMethodDirector.executeWithRetry(HttpMethodDirector.java:387) at org.apache.commons.httpclient.HttpMethodDirector.executeMethod(HttpMethodDirector.java:171) at org.apache.commons.httpclient.HttpClient.executeMethod(HttpClient.java:397) at org.apache.axis2.transport.http.AbstractHTTPSender.executeMethod(AbstractHTTPSender.java:704) at org.apache.axis2.transport.http.HTTPSender.sendViaPost(HTTPSender.java:199) ... 31 more [2019-05-28 12:33:05,172] INFO - LogMediator STATUS = Executing default 'fault' sequence, ERROR_CODE = 0, ERROR_MESSAGE = Error occurred while evaluating the policy

1
wso2wso2iswso2-amxacml

1 Answers

3
votes

There is a host name verification issue when entitlement mediator try to invoke EntitlementService exposed by WSO2 IS.

You need to correctly export public cert from APIM and import to WSO2 IS trust store. In public cert CN value should be equal to hostname or IP address.

As I can remember primary key store key length is different in APIM 2.6.0 and IS 5.3.0. However above step should resolve your issue.

Further more this should work out of the box if you have used later version of WSO2 IS than 5.3.0 with default host names and default public certs.