New issue
Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.
By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.
Already on GitHub? Sign in to your account
Provide TrustManager to OkHttpClient #300
Conversation
I haven't looked at this change deeply, but remember each managed server (remote DMR or remote JMX) can be given a security-realm when it needs to talk securely to external servers - https://github.com/hawkular/hawkular-agent/blob/master/hawkular-wildfly-agent/src/main/resources/schema/hawkular-agent-monitor-subsystem.xsd#L328 This still works, right? :) |
Is OkHttp used to do that? I tested this with hawkular-services https with its local agent and a remote eap6 agent talking over https to hawkular-services. |
It should work. I didn't touch any of that. |
@josejulio sounds like we should probably update one of our itests so that the agent can go through a secure remote-dmr. if its possible to do that, we should add an itest like that - or at least change one of the itests so it goes through a remote secure endpoint rather than an unsecured one |
I can confirm that this works on EAP 7.1 talking to Hawkular Server, remote DMR and remote JMX endpoints all over HTTPS with security realms defined. However, EAP 6.4 does not work due to a partially implemented class in an EAP 6.4 library. From my email to hawkular-dev I sent today:
There is no much we can do about that. This PR can be merged as it is because it isn't making the agent on EAP 6.4 any more broken than it already was. |
BTW: I take that back. This can't be merged yet until we fix the installer so it creates the proper security realm that we now need. @josejulio knows what this means :) This has to be fixed: Need to generate truststore subsection under authentication now:
Note that we should deprecate the KEY_PASSWORD related stuff since that isn't needed. |
|
1309eea
to
70cebcb
Compare
I haven't tested this yet. Might need to update tests if any of these used the KEY_PASSWORD or KEY_ALIAS. |
Just tested and it works, see the generated <security-realm name="HawkularRealm">
<authentication>
<truststore keystore-password="hawkular" path="hawkular.keystore" relative-to="jboss.server.config.dir"/>
</authentication>
</security-realm> Only issue is that i had to specify the
|
70cebcb
to
57ee3b0
Compare
I'll try to have EAP6 working with ssl. |
Yes, the installer by default will attempt to download the module distribution from your server-url. If the server-url requires SSL, the installer doesn't support that. But in that case, you can tell the installer another URL (one that is http, for example) using the --download-server-url option (that simply overrides --server-url for when the installer wants to download the extension zip.) |
Ok, there is more to do. We have to do the server-side portion that the installer uses. The installer calls this servlet to download and build the agent extension jar. We need to remove those unused key password and alias properties. Remove these and related code: We also need to remove them from the installer's default config file: and the test config: |
Wasn't aware of the --download-server-url , thanks! |
Done |
just ran some quick smoke tests and all looks good. |
- When loading from keystore. - When loading from the realm data. Update installer to set trustore instead of keystore - This means we no longer need key_alias and key_password Added EAP6 support by using reflection.
68f32d8
to
f6947f3
Compare
travis just timed out - that's why its red. If you look at the raw log output of the test run, mvn shows it all succeeded. |
I hate travis - now it failed because it can't start the itest servers due to:
So screw it, this all passes on my box, so I'm merging. |
OkHttpClient
was trying to guess [1] the TrustManager when using a secure connection. The guessing was failing and this exception was being raised:One workaround would be to downgrade OkHttp to
3.0.1
[2] but the solution is (as done on this PR) to pass the X509TrustManager to theOkHttpClient
.[1] https://github.com/square/okhttp/blob/master/okhttp/src/main/java/okhttp3/internal/platform/Platform.java#L92-L95
[2] http://stackoverflow.com/questions/37277679/using-okhttpclient-on-wildfly-causing-an-exception#comment62087487_37277679