Solving "Unable to Connect to SSL Services due to PKIX Path Building Failed sun.security.provider.certpath.SunCertPathBuilder" Exception

Problem

In this post I explain how to solve the issue that throws the following exception.

javax.net.ssl.SSLHandshakeException: sun.security.validator.ValidatorException: PKIX path building failed: sun.security.provider.certpath.SunCertPathBuilderException: unable to find valid certification path to requested target
 at com.sun.net.ssl.internal.ssl.Alerts.getSSLException(Alerts.java:150)
 at com.sun.net.ssl.internal.ssl.SSLSocketImpl.fatal(SSLSocketImpl.java:1476)
 at com.sun.net.ssl.internal.ssl.Handshaker.fatalSE(Handshaker.java:174)
 at com.sun.net.ssl.internal.ssl.Handshaker.fatalSE(Handshaker.java:168)
 at com.sun.net.ssl.internal.ssl.ClientHandshaker.serverCertificate(ClientHandshaker.java:846)
 at com.sun.net.ssl.internal.ssl.ClientHandshaker.processMessage(ClientHandshaker.java:106)
 at com.sun.net.ssl.internal.ssl.Handshaker.processLoop(Handshaker.java:495)
 at com.sun.net.ssl.internal.ssl.Handshaker.process_record(Handshaker.java:433)
 at com.sun.net.ssl.internal.ssl.SSLSocketImpl.readRecord(SSLSocketImpl.java:815)
 at com.sun.net.ssl.internal.ssl.SSLSocketImpl.performInitialHandshake(SSLSocketImpl.java:1025)
 at com.sun.net.ssl.internal.ssl.SSLSocketImpl.startHandshake(SSLSocketImpl.java:1038)
 at InstallCert.main(InstallCert.java:63)

Solution

The reason for this exception is that the certificate of one or both applications is not trusted by the other application, due to not being imported into the trust store of the JVM running that application. We need to install the SSL certificates that the application needs to connect over SSL, into our local keystore. 

First download InstallCert from here and compile the InstallCert.java.

javac InstallCert.java

Assume that we need to download the SSL certificate of the server at https://example.com.

To add it to your local store. Run:

java InstallCert example.com:443

These commands will create a file called jssecacerts and will be updating it with more SSL certificates every time you want to add a certificate. 

Copy this file to your java security folder (usually at $JAVA_HOME/jre/lib/security):

sudo cp jssecacerts $JAVA_HOME/jre/lib/security

And now our Java applications will be able to connect to the servers that we allowed over SSL.

Additional Operations:

Access server, and retrieve certificate.
java InstallCert [host]:[port]

Extract certificate from created jssecacerts keystore
keytool -exportcert -alias [host]-1 -keystore jssecacerts -storepass changeit -file [host].cer

Import certificate into system keystore
keytool -importcert -alias [host] -keystore [path to system keystore] -storepass changeit -file [host].cer

WSO2 Clustering Briefings

Intro

• High availability AND Scaling
• How to?
• Vertical scaling
• Horizontal scaling - have a load balancer
• Clustering for the scalability
• nodes should be stateless
• Clustering for availability
• Session/state replication
• TCP communication is involved. TCP communication is done via sockets. So it requires IP/port for each member node.
• Static membership - can't add nodes without restarting the cluster
• Dynamic membership - nodes can join/leave
• Hybrid membership  - dynamic nodes revolves around the static members

Membership management- membership discovery
1. Multicast based membership mgt

• After the discovery, communication is happening p2p
• Only for testing purposes

2. Well-known Address based(WKA)

• no need of public channel
• At-least 2 well-known members
• Well-known members notify the newly joined dynamic members

• In cloud and internet you can't multicast, so WKA is preferred
• Hazlecast, apache tribes handles membership mgt
• Hazlecast
• Clustering and highly scalable data distribution
• Partitions the data-> in-memory data grid which is distributed too
• Auto-scaling
• allocation/deallocation of nodes based on the current load
• Deployment types
• Single node
• Primary-secondary
• Have a secondary node in case of primary node failures
• Primary-secondary with multiple LB
• multi datacenters
• Management and Worker nodes separation
• Management nodes controls the cluster, upload artifacts, do the management work etc.
• Workers perform the main work, shouldn't do any mgt work
• This Separation is done using sub domains, mainly routing the requests based on it
• A usecase- deployment synchronization
• Caching- when expensive data transfers to be done
• JCache

ELB - Elastic load balancing

• Only HTTP traffic, not TCP
• Proxy port
• When multiple HTTP/HTTPs ports are there portmapping should be done - axis2.xml
• Tenant-aware LB
• tenant partitioning - define a tenant range
• LB routes the tenant requests to the relevant cluster based on the tenant range
• Private Jet Mode - dont share the resources with others - done using tenant range
• loadbalancer.conf

LB Cluster

In case of failure of LB node, secondary node has to learn from the beginning. To avoid this state replication is done.

Receiving an email & reading the content or attachments using WSO2 ESB

Introduction

We can receive emails that are intended for some email address of a mail server, process the content of the email including email body content, attachments etc. I am using WSO2 ESB 4.8.1 and the latest version of the product can be downloaded from here.

Enabling the Mail Transport

We should enable mail transport listeners in WSO2 ESB in order to receive emails. For that go to {ESB_HOME}/repository/conf/axis2/axis2.xml and uncomment the following line:

Configuring the Proxy Service

Configure the mail proxy with your receiving email address and the mail server settings. 
In this example my email address is wso2esb481@gmail.com and password is password.

Preparing the Attachment File

Insert the content that you want to process inside a SOAP11 envelope body into the file that should be attached. In this post I put some XML content that should be processed and the attachment file would look like this: Send the email to the specified address (in this case wso2esb481@gmail.com) and it would print something like this in the carbon console. 
As you can see, the content of the attachment and email body content are printed in the carbon console. You can process them as you wish.

Setting up a MySQL server for WSO2 API Manager

Introduction

WSO2 API Manager is a complete solution for designing and publishing APIs, creating and managing a developer community, and for scalably routing API traffic. Download and try the product here. 

API Manager uses three databases. The following databases are shared among the server nodes.

• User Manager Database - Stores information related to users and user roles. This information is shared among the Key Manager Server, Store, and Publisher. Users can access the Publisher for API creation and the Store for consuming the APIs.
• API Manager Database - Stores information related to the APIs along with the API subscription details. The Key Manager Server uses this database to store user access tokens that are used for verification of API calls.
• Registry Database - Shares information between the Publisher and Store. When an API is published through the Publisher, it is made available in the Store via the sharing registry database.

In this post we are going to install MySQL as the database server, create the above three databases and configure the WSO2AM 1.7.0 to use the MySQL server 5.5.

Installing and Configuring

1. Download and install MySQL Server. Start and run the MySQL server.
2. Download the MySQL JDBC driver.
3. Unzip the downloaded MySQL driver zipped archive, and copy the MySQL JDBC driver JAR (mysql-connector-java-x.x.xx-bin.jar) into the {APIM_HOME}/repository/components/lib directory.
4. Create the three databases using the following commands, where  is the path to any of the API Manager instances you installed, and username and password can be your intended credentials.
5. Open the {APIM_HOME}/repository/conf/datasources/master-datasources.xml file. Enable access to the the API Manager, User Manager and Registry databases by modifying the WSO2AM_DB, WSO2UM_DB and WSO2REG_DB data sources in the master-datasources.xml file as follows:
6. Modify the /etc/hosts entries to map the IP addresses to the data source URLs:
• 127.0.0.1 apimgtdb.mysql-wso2.com
• 127.0.0.1 userdb.mysql-wso2.com
• 127.0.0.1 regdb.mysql-wso2.com
7. To give component access to the API Manager database, open the {APIM_HOME}/repository/conf/api-manager.xml file and add the following line as the first child node of the root element (if it is not already there):
    
8. To give access to the users database with shared permissions, open the {APIM_HOME}/repository/conf/user-mgt.xml file and add or modify the dataSource property of the  element as follows:
9. To give access to the registry database, open the {APIM_HOME}/repository/conf/registry.xml file and modify the dataSource attribute of the  element as follows:

WSO2 ESB Performance Round 7.5

The latest round of performance testing results has been published by WSO2: WSO2 ESB Performance Round 7.5

These latest performance study has been conducted with the latest release of WSO2 ESB 4.8.1.

It compares WSO2 ESB performance against a number of leading open source ESBs. Results show the latest WSO2 ESB convincingly outperforms all other open-source ESBs, like in the case of the previous round (6.5).

Observations

The results indicate that WSO2 ESB 4.8.1 has continued to outperform all other compared ESBs in almost all scenarios.

Getting system Information via Ubuntu terminal

In addition to the system monitor we can get a detailed view of the hardware specifications and system information about the machine via the terminal using lshw command.

lshw | more

GPU information

lspci | grep -i vga

Installing Berkeley UPC on a Linux cluster

You have 3 options as mentioned in the Berkeley UPC download site.

1. Download  Berkeley UPC runtime source distribution , build it. Then the  'upcc' compiler  will  use their HTTP-based public UPC-to-C translator during compilation. 
2. OR download both the runtime and  UPC-to-C translator, build them, and then point the runtime at the translator. This allows to compile UPC code without the Internet hence faster compilation times.
3. OR download both the runtime and the GCC UPC binary compiler, build them, and point the runtime at GCC UPC installation.

I go with the first option.

Please consider that you need C/C++ and MPI compilers in order to install Berkeley UPC.

1. Download the .tar from here and extract it.

2. Create a new directory to build the Berkeley UPC. I name my build directory as 'build'
mkdir build

 cd build

3. From the build directory, run the configure script in the extracted source directory. 

../berkeley_upc-2.xx.x/configure CC="" CXX="" MPI_CC=""

Replace the " " with the compilers you have installed in the machine. In my case it's gcc, g++ and mpicc. If you have more efficient compilers please use them. It would take sometime to configure.  
e.g. ../berkeley_upc-2.xx.x/configure CC=gcc CXX=g++ MPI_CC=mpicc

4. Using the Makefile in the build directory, build the Berkeley upc source.
make

5. The Berkeley UPC compiler operates by invoking a UPC-to-C translator and then using a backend C compiler to generate native objects. After building the source you can define the UPC-C translator location. You can either build a local translator(as I explain next) or use the default network translator hosted by Berkeley.

6. Building the local UPC-C translator
   6.1. Download the source from here and extract it.
   6.2. Go to the extracted directory and build the source using make.
     make
 6.3 Now you have successfully built the translator.


7. After completion of successful build, it will show you the translator location path. Copy it to the clipboard. Path would be something like this.
~/upc/berkeley_upc_translator-2.18.0/open64/osprey1.0/targia32_ia64_nodebug

8. Move back to the build directory of Berkeley UPC compiler and you can see 2 folders called 'dbg' and 'opt'. In each folder there is a configuration file called 'upcc.conf'. Open these files in a text editor and replace the translator="path to default location" with the copied path to the location of the local UPC-C translator in the clipboard.

9. Test the Berkeley UPC build using following:
env UPCC_FLAGS= ./upcc --norc --version

This would show the specifications and version details of the UPC compiler and translator.

10. You may use the examples in the berkeley_upc-2.xx.x/upc-examples directory to test the build before installation.

11. Finally install the UPC compiler and run time.

make install 

You have completed the installation successfully. To try the compiler use:

upcc --version and upcrun commands.