WSO2 APIM Analytics Dashboard Loading Error - SSL Issue



Problem Statement

I configured WSO2 APIM 3.2.0 with Analytics 3.2.0 and set a custom hostname, mydomain, in WSO2 API Manager (Custom Hostname Configuration). I also disabled the hostname verification attribute in the Analytics dashboard configuration (dashboard.yaml):

hostnameVerificationEnabled: false

However, when I started the Analytics dashboard, the console showed the success message, but when I opened the dashboard URL https://mydomain:9643/analytics-dashboard, I got only a black screen with this message in the browser console:

Error getting SSO Auth URL

The dashboard log shows the following message:

Unmapped exception feign.RetryableException: PKIX path building failed: sun.security.provider.certpath.SunCertPathBuilderException: unable to find valid certification path to requested target executing GET https://mydomain:9443/api/am/admin/v1/custom-urls/carbon.super

Cause

Analytics uses SSO with WSO2 APIM and checks the server certificate against its client trust store for every outbound request. By default, WSO2 products ship with self-signed certificates that use localhost as the hostname.
If no certificate has been imported for APIM and hostname verification is set to false, this issue should not occur. However, once a certificate (CA-signed or self-signed) has been imported into the APIM trust store, Analytics needs the same certificate. Disabling hostname verification does not disable certificate path validation, which is what the PKIX error reports. In my case, I had created a self-signed certificate for host mydomain and imported it into the APIM client trust store, but not into the Analytics one.

Solution

We need to import the same certificate into the Analytics client trust store, as was done for APIM. The steps are:
1. Stop all servers: APIM, worker and dashboard.
2. Copy the certificate files from the APIM node to Analytics (mydomain and mydomain.jks):

cp $APIM_HOME/repository/resources/security/mydomain $ANALYTICS_HOME/resources/security/

cp $APIM_HOME/repository/resources/security/mydomain.jks $ANALYTICS_HOME/resources/security/

3. Import the certificate into the Analytics client-truststore:
[appuser1@mydomain security]$ keytool -import -alias mydomain -file mydomain -keystore client-truststore.jks -storepass wso2carbon
Owner: CN=mydomain, OU=API-Test, O=Test, L=Delhi, ST=New Delhi, C=IN
Issuer: CN=mydomain, OU=API-Test, O=Test, L=Delhi, ST=New Delhi, C=IN
Serial number: 4d77172b
Valid from: Wed Sep 01 14:31:52 IST 2021 until: Tue Nov 30 14:31:52 IST 2021
Certificate fingerprints:
         MD5:  62:20:5B:AD:0A:72:6B:99:02:73:FC:65:3A:51:BE:0B
         SHA1: 25:D6:FD:51:8A:9C:A7:AA:24:22:A9:8B:4F:31:BB:A2:A5:C4:5E:FC
         SHA256: 85:11:C0:32:02:69:17:25:0F:3B:7E:22:45:2E:57:2F:B9:64:97:AD:32:EC:F1:BA:83:5D:AC:CF:9A:C6:64:25
Signature algorithm name: SHA256withRSA
Subject Public Key Algorithm: 2048-bit RSA key
Version: 3

Extensions:

#1: ObjectId: 2.5.29.14 Criticality=false
SubjectKeyIdentifier [
KeyIdentifier [
0000: BF D6 BB B7 2C D7 82 2A   24 9F C9 4F DE E8 64 F7  ....,..*$..O..d.
0010: 7A 18 E5 BD                                        z...
]
]

Trust this certificate? [no]:  yes
Certificate was added to keystore

Note: Make sure you supply the correct password for storepass in the command.

4. Start all servers in this order:
    Worker > APIM > Dashboard

The Analytics dashboard UI now opens in the web browser as expected, i.e. analytics-dashboard redirects to the APIM login screen if the user is not logged in.
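
Step 3 ends with answering yes to "Trust this certificate?", so it is worth comparing SHA-256 fingerprints to confirm that the entry Analytics trusts is the certificate from the APIM node. The script below is an added example, not part of the original post: the function names are hypothetical, the first sample reuses the fingerprint printed in step 3, and the two truststore listings are constructed.

```shell
#!/bin/sh
# Added example (not from the original post): compare keytool SHA-256
# fingerprints. Function names sha256_fp and same_cert are hypothetical.

# Read keytool output (-printcert or -list -v) on stdin and print the first
# SHA-256 fingerprint as uppercase hex without colons (empty if none found).
# The label is accepted as either "SHA256:" or "SHA-256:".
sha256_fp() {
    awk '!seen && ($1 == "SHA256:" || $1 == "SHA-256:") { print toupper($2); seen = 1 }' |
        tr -d ':'
}

# Succeed only if both keytool outputs carry the same non-empty fingerprint.
same_cert() {
    fp_a=$(printf '%s\n' "$1" | sha256_fp)
    fp_b=$(printf '%s\n' "$2" | sha256_fp)
    [ -n "$fp_a" ] && [ "$fp_a" = "$fp_b" ]
}

# On real hosts the two inputs would come from:
#   keytool -printcert -file "$APIM_HOME/repository/resources/security/mydomain"
#   keytool -list -v -alias mydomain -keystore client-truststore.jks

# Fingerprint lines as printed in step 3 of this page.
APIM_CERT='Owner: CN=mydomain, OU=API-Test, O=Test, L=Delhi, ST=New Delhi, C=IN
Certificate fingerprints:
         SHA1: 25:D6:FD:51:8A:9C:A7:AA:24:22:A9:8B:4F:31:BB:A2:A5:C4:5E:FC
         SHA256: 85:11:C0:32:02:69:17:25:0F:3B:7E:22:45:2E:57:2F:B9:64:97:AD:32:EC:F1:BA:83:5D:AC:CF:9A:C6:64:25'

# Constructed truststore listing holding the same certificate.
TRUSTED_OK='Alias name: mydomain
Entry type: trustedCertEntry
Certificate fingerprints:
         SHA256: 85:11:C0:32:02:69:17:25:0F:3B:7E:22:45:2E:57:2F:B9:64:97:AD:32:EC:F1:BA:83:5D:AC:CF:9A:C6:64:25'

# Constructed listing where a different certificate sits under the alias.
TRUSTED_BAD='Alias name: mydomain
Entry type: trustedCertEntry
Certificate fingerprints:
         SHA256: 85:11:C0:32:02:69:17:25:0F:3B:7E:22:45:2E:57:2F:B9:64:97:AD:32:EC:F1:BA:83:5D:AC:CF:9A:C6:64:26'

for entry in "$TRUSTED_OK" "$TRUSTED_BAD"; do
    if same_cert "$APIM_CERT" "$entry"; then
        echo "match: truststore entry is the APIM certificate"
    else
        echo "MISMATCH: do not trust this entry; re-copy and re-import"
    fi
done
```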

