Posted to user@karaf.apache.org by Grzegorz Grzybek <gr...@gmail.com> on 2020/09/03 06:29:04 UTC

Re: HTTPS with Karaf 4.2.9 and underpinning undertow web server

Hello

Sorry for the late response (holidays!), but I tried your example with tiny
(not relevant) details.

I used Karaf 4.2.9, but Camel 2.23.2. So I used
"org.apache.camel.component.servlet.osgi.OsgiServletRegisterer" instead of
"org.apache.camel.component.osgi.OsgiServletRegisterer", but no more
changes to blueprint.xml or etc/org.ops4j.pax.web.cfg.

However, I had ONE problem with TLS connection:

$ curl -k -v https://localhost:8443/camel/services/hello1
*   Trying ::1:8443...
* Connected to localhost (::1) port 8443 (#0)
* ALPN, offering h2
* ALPN, offering http/1.1
* successfully set certificate verify locations:
*   CAfile: /etc/pki/tls/certs/ca-bundle.crt
  CApath: none
* TLSv1.3 (OUT), TLS handshake, Client hello (1):
* OpenSSL SSL_connect: SSL_ERROR_SYSCALL in connection to localhost:8443
* Closing connection 0
curl: (35) OpenSSL SSL_connect: SSL_ERROR_SYSCALL in connection to localhost:8443

I think (and I'll review it at some point in Pax Web itself) it's the
mismatch between "enabled-protocols" and "enabled-cipher-suites" in
undertow.xml. Please remove:

enabled-cipher-suites="TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA384
TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA384"

and it should work (note that a change to undertow.xml WON'T automatically
restart relevant bundles).

$ curl -k -v https://localhost:8443/camel/services/hello1
*   Trying ::1:8443...
* Connected to localhost (::1) port 8443 (#0)
* ALPN, offering h2
* ALPN, offering http/1.1
* successfully set certificate verify locations:
*   CAfile: /etc/pki/tls/certs/ca-bundle.crt
  CApath: none
* TLSv1.3 (OUT), TLS handshake, Client hello (1):
* TLSv1.3 (IN), TLS handshake, Server hello (2):
* TLSv1.2 (IN), TLS handshake, Certificate (11):
* TLSv1.2 (IN), TLS handshake, Server key exchange (12):
* TLSv1.2 (IN), TLS handshake, Server finished (14):
* TLSv1.2 (OUT), TLS handshake, Client key exchange (16):
* TLSv1.2 (OUT), TLS change cipher, Change cipher spec (1):
* TLSv1.2 (OUT), TLS handshake, Finished (20):
* TLSv1.2 (IN), TLS handshake, Finished (20):
* SSL connection using TLSv1.2 / ECDHE-RSA-AES256-GCM-SHA384
* ALPN, server did not agree to a protocol
* Server certificate:
*  subject: C=PL; ST=Dolny Śląsk; L=Wrocław; O=Red Hat; CN=localhost; emailAddress=ggrzybek@redhat.com
*  start date: Aug 17 11:14:46 2017 GMT
*  expire date: Aug 17 11:14:46 2027 GMT
*  issuer: C=PL; ST=Dolny Śląsk; L=Wrocław; O=Red Hat; CN=everfree-ca; emailAddress=ggrzybek@redhat.com
*  SSL certificate verify result: unable to get local issuer certificate (20), continuing anyway.
> GET /camel/services/hello1 HTTP/1.1
> Host: localhost:8443
> User-Agent: curl/7.69.1
> Accept: */*
>
* Mark bundle as not supporting multiuse
< HTTP/1.1 200 OK
< Accept: */*
< Connection: keep-alive
< X-Powered-By: Pax-HTTP-Undertow/7.2.16
< breadcrumbId: ID-everfree-forest-1599112295273-1-1
< Server: Pax-HTTP-Undertow
< Transfer-Encoding: chunked
< User-Agent: curl/7.69.1
< Date: Thu, 03 Sep 2020 05:59:31 GMT
<
* Connection #0 to host localhost left intact
Hello 1

kind regards
Grzegorz Grzybek
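
Added example, not part of the original message and not Pax Web code: a small Python check for the suspected mismatch between enabled-protocols and enabled-cipher-suites in a <w:engine> element. It relies on the TLS rule that suites ending in _SHA256/_SHA384 or using AEAD modes require TLS 1.2 and that suite names without _WITH_ belong to TLS 1.3; the function names and the reduced sample XML are constructed for illustration.

```python
import xml.etree.ElementTree as ET

PAX_NS = "{urn:org.ops4j.pax.web:undertow:1.0}"  # default namespace of undertow.xml
W_NS = "{urn:jboss:domain:5.0}"                  # namespace bound to the w: prefix
PSEUDO_PROTOCOLS = {"SSLv2Hello"}                # JSSE hello format, carries no suites


def usable_protocols(suite):
    """Return the protocol versions in which a cipher suite name can be negotiated.

    Returns None for signalling values (…_SCSV), which are not real suites.
    """
    if suite.endswith("_SCSV"):
        return None
    if "_WITH_" not in suite:
        return {"TLSv1.3"}                       # e.g. TLS_AES_256_GCM_SHA384
    aead = any(tag in suite for tag in ("_GCM_", "_CCM", "_CHACHA20_POLY1305"))
    if aead or suite.endswith(("_SHA256", "_SHA384")):
        return {"TLSv1.2"}                       # SHA-2 MAC and AEAD suites arrived with TLS 1.2
    return {"SSLv3", "TLSv1", "TLSv1.1", "TLSv1.2"}


def audit_engines(xml_text):
    """Cross-check enabled-protocols against enabled-cipher-suites per security realm."""
    root = ET.fromstring(xml_text)
    reports = []
    for realm in root.iter(PAX_NS + "security-realm"):
        for engine in realm.iter(W_NS + "engine"):
            protocols = engine.get("enabled-protocols", "").split()
            suites = engine.get("enabled-cipher-suites", "").split()
            if not protocols or not suites:
                continue  # one side is left to the JSSE defaults: nothing to cross-check
            matrix = {
                p: [s for s in suites if p in (usable_protocols(s) or ())]
                for p in protocols
                if p not in PSEUDO_PROTOCOLS
            }
            dead_suites = []
            for s in suites:
                versions = usable_protocols(s)
                if versions is not None and not (versions & set(protocols)):
                    dead_suites.append(s)
            reports.append({
                "realm": realm.get("name"),
                "matrix": matrix,
                # protocols that are enabled but for which no listed suite exists
                "dead_protocols": [p for p, usable in matrix.items() if not usable],
                # suites that are listed but that no enabled protocol can use
                "dead_suites": dead_suites,
            })
    return reports


# Constructed sample: undertow.xml reduced to the https security realm.
TEMPLATE = """<undertow xmlns="urn:org.ops4j.pax.web:undertow:1.0"
        xmlns:w="urn:jboss:domain:5.0">
    <security-realm name="https">
        <w:server-identities>
            <w:ssl>
                <w:engine {attrs} />
            </w:ssl>
        </w:server-identities>
    </security-realm>
</undertow>"""

# <w:engine> attributes as posted in the thread.
AS_POSTED = TEMPLATE.format(attrs=(
    'enabled-cipher-suites="TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA384\n'
    ' TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA384"\n'
    ' enabled-protocols="TLSv1 TLSv1.1 TLSv1.2"'
))

# After the change suggested in the reply: enabled-cipher-suites removed.
AS_ADVISED = TEMPLATE.format(attrs='enabled-protocols="TLSv1 TLSv1.1 TLSv1.2"')


if __name__ == "__main__":
    for label, text in (("as posted", AS_POSTED), ("as advised", AS_ADVISED)):
        reports = audit_engines(text)
        if not reports:
            print(f"{label}: no explicit protocol/suite pairing to check")
        for r in reports:
            print(f"{label}: realm={r['realm']}")
            for proto, usable in r["matrix"].items():
                print(f"  {proto}: {len(usable)} usable suite(s)")
            for proto in r["dead_protocols"]:
                print(f"  WARNING: {proto} is enabled but no listed suite works with it")
            for suite in r["dead_suites"]:
                print(f"  WARNING: {suite} cannot be used by any enabled protocol")
```

The check only reasons from suite names; which suites the JDK actually offers at runtime, and whether the keystore holds a key type matching an ECDSA or RSA suite, still has to be confirmed with a client such as the curl call above.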

On Fri, 7 Aug 2020 at 11:53, Gerald Kallas <ca...@mailbox.org> wrote:

> Hi,
>
> I tried this out but it doesn't work properly. (keystore and truststore are
> the same as with jetty setup, they're valid).
>
> See below my configuration and the log. The HTTPS listener starts but
> neither the webconsole nor the servlet does work.
>
> On client side I'm getting
>
> Error: Client network socket disconnected before secure TLS connection was
> established
>
>
> undertow.xml
>
> <?xml version="1.0" encoding="UTF-8"?>
> <!--
>    Licensed under the Apache License, Version 2.0 (the "License");
>    you may not use this file except in compliance with the License.
>    You may obtain a copy of the License at
>
>    http://www.apache.org/licenses/LICENSE-2.0
>
>    Unless required by applicable law or agreed to in writing, software
>    distributed under the License is distributed on an "AS IS" BASIS,
>    WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or
>    implied.
>
>    See the License for the specific language governing permissions and
>    limitations under the License.
> -->
> <undertow xmlns="urn:org.ops4j.pax.web:undertow:1.0"
>         xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
>         xmlns:w="urn:jboss:domain:5.0"
>         xmlns:io="urn:jboss:domain:io:3.0"
>         xsi:schemaLocation="
>             urn:jboss:domain:io:3.0
> http://www.jboss.org/schema/jbossas/wildfly-io_3_0.xsd
>             urn:jboss:domain:undertow:4.0
> http://www.jboss.org/schema/jbossas/wildfly-undertow_4_0.xsd
>             urn:jboss:domain:5.0
> http://www.jboss.org/schema/jbossas/wildfly-config_5_0.xsd">
>
>     <!--
>         Only "default" worker and buffer-pool are supported and can be
> used to override the default values
>         used by all listeners
>
>         buffer-pool:
>          - buffer-size defaults to:
>             - when < 64MB of Xmx: 512
>             - when < 128MB of Xmx: 1024
>             - when >= 128MB of Xmx: 16K - 20
>          - direct-buffers defaults to:
>             - when < 64MB of Xmx: false
>             - when >= 64MB of Xmx: true
>
>         worker:
>          - io-threads defaults to
> Math.max(Runtime.getRuntime().availableProcessors(), 2);
>          - task-core-threads and task-max-threads default to io-threads * 8
>     -->
>     <!--
>     <subsystem xmlns="urn:jboss:domain:io:3.0">
>         <buffer-pool name="default" buffer-size="16364"
> direct-buffers="true" />
>         <worker name="default" io-threads="8" task-core-threads="64"
> task-max-threads="64" />
>     </subsystem>
>     -->
>
>     <!--
> https://docs.jboss.org/author/display/WFLY/Undertow+subsystem+configuration
> -->
>     <subsystem xmlns="urn:jboss:domain:undertow:4.0">
>         <!-- org.wildfly.extension.undertow.BufferCacheDefinition -->
>         <buffer-cache name="default" buffer-size="1024"
> buffers-per-region="1024" max-regions="10" />
>         <server name="default-server">
>             <!-- HTTP(S) Listener references Socket Binding (and
> indirectly - Interfaces) -->
>             <!-- verify-client: org.xnio.SslClientAuthMode.NOT_REQUESTED,
> org.xnio.SslClientAuthMode.REQUESTED, org.xnio.SslClientAuthMode.REQUIRED
> -->
>             <https-listener name="https" socket-binding="https"
>                     security-realm="https" verify-client="NOT_REQUESTED" />
>             <host name="default-host" alias="localhost">
>                 <!--<location name="/" handler="welcome-content" />-->
>                 <!--<location name="/docs" handler="docs-content" />-->
>                 <access-log directory="${karaf.data}/log" pattern="common"
> prefix="access_log." suffix="log" rotate="true" />
>                 <filter-ref name="server-header" />
>                 <filter-ref name="x-powered-by-header" />
>             </host>
>         </server>
>         <servlet-container name="default">
>             <jsp-config />
>             <websockets />
>             <welcome-files>
>                 <welcome-file name="index.html" />
>                 <welcome-file name="index.txt" />
>             </welcome-files>
>         </servlet-container>
>         <handlers>
>             <file name="welcome-content" path="${karaf.home}/welcome" />
>             <!--<file name="docs-content" path="${karaf.home}/docs" />-->
>         </handlers>
>         <filters>
>             <!-- filters for reference from /host/filter-ref and
> /host/location/filter-ref -->
>             <response-header name="server-header" header-name="Server"
> header-value="Pax-HTTP-Undertow" />
>             <response-header name="x-powered-by-header"
> header-name="X-Powered-By" header-value="Pax-HTTP-Undertow/7.2.16" />
>         </filters>
>     </subsystem>
>
>     <!-- https://docs.jboss.org/author/display/WFLY/Security+Realms -->
>     <!--
>         we'll use "default" security realm by default to configure
> jaas/properties authentication
>         (io.undertow.security.idm.IdentityManager):
>          - w:jaas -
> org.ops4j.pax.web.service.undertow.internal.security.JaasIdentityManager
>          - w:properties -
> org.ops4j.pax.web.service.undertow.internal.security.PropertiesIdentityManager
>     -->
>     <security-realm name="default">
>         <w:authentication>
>             <!-- JaasIdentityManager for given realm -->
>             <w:jaas name="karaf" />
>             <!-- OR PropertiesIdentityManager (mutually exclusive with
> <w:jaas>) -->
>             <!--<w:properties path="users.properties" />-->
>         </w:authentication>
>
> <user-principal-class-name>org.apache.karaf.jaas.boot.principal.UserPrincipal</user-principal-class-name>
>
> <role-principal-class-name>org.apache.karaf.jaas.boot.principal.RolePrincipal</role-principal-class-name>
>         <!--<role-principal-class-name>...</role-principal-class-name>-->
>     </security-realm>
>     <!--
>         Any security realm may be referenced by https-listener to define
> trust/keystore, protocols and cipher suites
>     -->
>     <security-realm name="https">
>         <w:server-identities>
>             <w:ssl>
>                 <!-- sun.security.ssl.ProtocolVersion -->
>                 <!-- sun.security.ssl.CipherSuite -->
>                 <!-- openssl ciphers 'ALL:eNULL' | sed -e 's/:/\n/g' |
> sort -->
>                 <w:engine
>
> enabled-cipher-suites="TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA384
> TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA384"
>                         enabled-protocols="TLSv1 TLSv1.1 TLSv1.2" />
>                 <w:keystore path="${karaf.etc}/server.p12"
> provider="PKCS12" alias="server"
>                         keystore-password="password"
> key-password="password"
>                         generate-self-signed-certificate-host="localhost"
> />
>             </w:ssl>
>         </w:server-identities>
>         <w:authentication>
>             <w:jaas name="karaf" />
>             <w:truststore path="${karaf.etc}/truststore.jks"
> provider="JKS" keystore-password="password" />
>         </w:authentication>
>
> <user-principal-class-name>org.apache.karaf.jaas.boot.principal.UserPrincipal</user-principal-class-name>
>
> <role-principal-class-name>org.apache.karaf.jaas.boot.principal.RolePrincipal</role-principal-class-name>
>     </security-realm>
>
>     <!-- Interface lists IP addresses to bind to -->
>     <interface name="secure">
>         <w:inet-address value="0.0.0.0" />
>     </interface>
>
>     <!-- Socket Binding adds port for each IP from referenced Interface -->
>     <socket-binding name="https" interface="secure"
> port="${org.osgi.service.http.port.secure}" />
>
> </undertow>
>
>
> org.ops4j.pax.web.cfg
>
>
> org.osgi.service.http.enabled=false
>
> org.osgi.service.http.secure.enabled=true
> org.osgi.service.http.port.secure=8443
>
> javax.servlet.context.tempdir=${karaf.data}/pax-web-jsp
> #org.ops4j.pax.web.config.file=${karaf.etc}/undertow.properties
> org.ops4j.pax.web.config.file=${karaf.etc}/undertow.xml
> org.apache.karaf.features.configKey = org.ops4j.pax.web
>
>
> servlet (hello1.xml)
>
> <blueprint xmlns="http://www.osgi.org/xmlns/blueprint/v1.0.0"
>            xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
>            xsi:schemaLocation="http://www.osgi.org/xmlns/blueprint/v1.0.0
>            https://www.osgi.org/xmlns/blueprint/v1.0.0/blueprint.xsd">
>
>         <reference id="httpService"
> interface="org.osgi.service.http.HttpService" />
>
>         <bean id="camelServlet"
> class="org.apache.camel.component.servlet.CamelHttpTransportServlet"/>
>
>         <bean class="org.apache.camel.component.osgi.OsgiServletRegisterer"
>          init-method="register"
>          destroy-method="unregister">
>                 <property name="servletName" value="httpServlet" />
>                 <property name="alias" value="/camel/services" />
>                 <property name="httpService" ref="httpService" />
>                 <property name="servlet" ref="camelServlet" />
>         </bean>
>
>         <bean id="servlet"
> class="org.apache.camel.component.servlet.ServletComponent" />
>
>         <camelContext xmlns="http://camel.apache.org/schema/blueprint">
>                 <route>
>                         <from
> uri="servlet://hello1?servletName=httpServlet" />
>                         <setBody>
>                                 <constant>Hello 1</constant>
>                         </setBody>
>                 </route>
>         </camelContext>
>
> </blueprint>
>
>
> log excerpt
>
> 2020-08-07T11:47:29,596 | INFO  | paxweb-config-1-thread-1 |
> ServerControllerImpl             | 63 - org.ops4j.pax.web.pax-web-undertow
> - 7.2.16 | Using
> "file:/E:/apache-karaf/apache-karaf-4.2.9/etc/undertow.xml" to configure
> Undertow
> 2020-08-07T11:47:29,848 | INFO  | paxweb-config-1-thread-1 |
> ServerControllerImpl             | 63 - org.ops4j.pax.web.pax-web-undertow
> - 7.2.16 | Starting undertow https listener on 0.0.0.0:8443
> 2020-08-07T11:47:29,985 | INFO  | FelixStartLevel  |
> BlueprintContainerImpl           | 69 - org.apache.aries.blueprint.core -
> 1.10.2 | Blueprint bundle hello1.xml/0.0.0 is waiting for dependencies
> [(objectClass=org.osgi.service.http.HttpService)]
> 2020-08-07T11:47:29,987 | INFO  | activator-1-thread-2 |
> BouncyCastleSecurityProviderRegistrar | 38 - org.apache.sshd.core - 1.7.0 |
> getOrCreateProvider(BC) created instance of
> org.bouncycastle.jce.provider.BouncyCastleProvider
> 2020-08-07T11:47:30,286 | INFO  | activator-1-thread-2 | CommandExtension
>                | 34 - org.apache.karaf.shell.core - 4.2.9 | Registering
> commands for bundle org.apache.karaf.features.command/4.2.9
> 2020-08-07T11:47:30,446 | INFO  | activator-1-thread-3 | CommandExtension
>                | 34 - org.apache.karaf.shell.core - 4.2.9 | Registering
> commands for bundle org.apache.karaf.kar.core/4.2.9
> 2020-08-07T11:47:30,487 | INFO  | activator-1-thread-2 | Activator
>                 | 18 - org.apache.karaf.deployer.features - 4.2.9 |
> Deployment finished. Registering FeatureDeploymentListener
> 2020-08-07T11:47:30,543 | INFO  | activator-1-thread-2 | FeaturesPlugin
>                | 140 - org.apache.karaf.webconsole.features - 4.2.9 |
> Features plugin deactivated
> 2020-08-07T11:47:30,544 | INFO  | activator-1-thread-2 | FeaturesPlugin
>                | 140 - org.apache.karaf.webconsole.features - 4.2.9 |
> Features plugin activated
> 2020-08-07T11:47:30,839 | INFO  | paxweb-config-1-thread-1 |
> ServerControllerImpl             | 63 - org.ops4j.pax.web.pax-web-undertow
> - 7.2.16 | Using in-memory session persistence
> 2020-08-07T11:47:30,864 | INFO  | paxweb-config-1-thread-1 |
> HttpServiceFactoryImpl           | 61 - org.ops4j.pax.web.pax-web-runtime -
> 7.2.16 | Binding bundle: [org.apache.karaf.webconsole.console [139]] to
> http service
> 2020-08-07T11:47:31,000 | INFO  | paxweb-config-1-thread-1 | Context
>                     | 63 - org.ops4j.pax.web.pax-web-undertow - 7.2.16 |
> registering context DefaultHttpContext
> [bundle=org.apache.karaf.webconsole.console [139], contextID=custom], with
> context path: /
> 2020-08-07T11:47:31,011 | INFO  | paxweb-config-1-thread-1 | Context
>                     | 63 - org.ops4j.pax.web.pax-web-undertow - 7.2.16 |
> Starting context /
> 2020-08-07T11:47:31,013 | WARN  | paxweb-config-1-thread-1 | PathMatcher
>                     | 63 - org.ops4j.pax.web.pax-web-undertow - 7.2.16 |
> Overwriting existing default context
> io.undertow.server.handlers.PathHandler@382344b0 with a new one
> org.ops4j.pax.web.service.undertow.internal.Context@8c1553c
> 2020-08-07T11:47:31,034 | INFO  | paxweb-config-1-thread-1 | Context
>                     | 63 - org.ops4j.pax.web.pax-web-undertow - 7.2.16 |
> Adding implicit "default" servlet
> 2020-08-07T11:47:31,047 | INFO  | paxweb-config-1-thread-1 |
> ServletContainerInitializerScanner | 60 - org.ops4j.pax.web.pax-web-api -
> 7.2.16 | will add io.undertow.servlet.sse.ServerSentEventSCI to
> ServletContainerInitializers
> 2020-08-07T11:47:31,048 | WARN  | paxweb-config-1-thread-1 |
> ServletContainerInitializerScanner | 60 - org.ops4j.pax.web.pax-web-api -
> 7.2.16 | failed to parse and instantiate of
> javax.servlet.ServletContainerInitializer in classpath
> 2020-08-07T11:47:31,070 | INFO  | paxweb-config-1-thread-1 | Context
>                     | 63 - org.ops4j.pax.web.pax-web-undertow - 7.2.16 |
> Creating undertow servlet deployment for context path /...
> 2020-08-07T11:47:31,224 | INFO  | paxweb-config-1-thread-1 | Context
>                     | 63 - org.ops4j.pax.web.pax-web-undertow - 7.2.16 |
> Creating undertow servlet deployment for context path / - done
> 2020-08-07T11:47:31,225 | INFO  | paxweb-config-1-thread-1 | Context
>                     | 63 - org.ops4j.pax.web.pax-web-undertow - 7.2.16 |
> Registering io.undertow.servlet.spec.ServletContextImpl@e72855b as OSGi
> service...
> 2020-08-07T11:47:31,236 | INFO  | paxweb-config-1-thread-1 | Context
>                     | 63 - org.ops4j.pax.web.pax-web-undertow - 7.2.16 |
> Registering io.undertow.servlet.spec.ServletContextImpl@e72855b as OSGi
> service - done
> 2020-08-07T11:47:31,237 | INFO  | paxweb-config-1-thread-1 | Context
>                     | 63 - org.ops4j.pax.web.pax-web-undertow - 7.2.16 |
> Starting Undertow web application for context path /
> 2020-08-07T11:47:31,271 | INFO  | paxweb-config-1-thread-1 |
> HttpServiceFactoryImpl           | 61 - org.ops4j.pax.web.pax-web-runtime -
> 7.2.16 | Binding bundle: [org.apache.karaf.http.core [126]] to http service
> 2020-08-07T11:47:31,272 | INFO  | paxweb-config-1-thread-1 | Activator
>                     | 61 - org.ops4j.pax.web.pax-web-runtime - 7.2.16 |
> Starting server controller
> org.ops4j.pax.web.service.undertow.internal.ServerControllerImpl
> 2020-08-07T11:47:31,332 | INFO  | activator-1-thread-2 | CommandExtension
>                | 34 - org.apache.karaf.shell.core - 4.2.9 | Registering
> commands for bundle org.apache.karaf.http.core/4.2.9
> 2020-08-07T11:47:31,436 | INFO  | activator-1-thread-2 | HttpPlugin
>                | 142 - org.apache.karaf.webconsole.http - 4.2.9 | Http
> plugin activated
> 2020-08-07T11:47:31,487 | INFO  | Blueprint Extender: 1 | LRUCacheFactory
>                 | 108 - org.apache.camel.camel-support - 3.4.2 | Detected
> and using LRUCacheFactory: camel-caffeine-lrucache
> 2020-08-07T11:47:31,489 | INFO  | CM Configuration Updater
> (ManagedServiceFactory Update: factoryPid=[org.ops4j.pax.web.context]) |
> HttpContextProcessing            | 61 - org.ops4j.pax.web.pax-web-runtime -
> 7.2.16 | Updated configuration for
> pid=org.ops4j.pax.web.context.dff8c6e5-f690-4ac6-9268-d87fc0dce06d
> 2020-08-07T11:47:31,538 | INFO  | paxweb-context-2-thread-1 |
> HttpContextProcessing            | 61 - org.ops4j.pax.web.pax-web-runtime -
> 7.2.16 | Found bundle "hello1.xml", scheduling customization of its
> WebContainer
> 2020-08-07T11:47:31,539 | INFO  | paxweb-context-2-thread-1 |
> HttpContextProcessing            | 61 - org.ops4j.pax.web.pax-web-runtime -
> 7.2.16 | Customizing WebContainer for bundle hello1.xml/0.0.0
> 2020-08-07T11:47:31,539 | INFO  | paxweb-context-2-thread-1 |
> HttpServiceFactoryImpl           | 61 - org.ops4j.pax.web.pax-web-runtime -
> 7.2.16 | Binding bundle: [hello1.xml [134]] to http service
> 2020-08-07T11:47:31,542 | INFO  | paxweb-context-2-thread-1 |
> HttpContextProcessing            | 61 - org.ops4j.pax.web.pax-web-runtime -
> 7.2.16 | Registering login configuration in WebContainer for bundle
> "hello1.xml": method=BASIC, realm=karaf
> 2020-08-07T11:47:31,545 | INFO  | paxweb-context-2-thread-1 |
> HttpContextProcessing            | 61 - org.ops4j.pax.web.pax-web-runtime -
> 7.2.16 | Registering security mappings in WebContainer for bundle
> "hello1.xml": SecurityConstraintsMapping{name='constraint.1',
> url='/camel/services/*', roles=[admin]}
> 2020-08-07T11:47:31,550 | INFO  | paxweb-context-2-thread-1 | Context
>                     | 63 - org.ops4j.pax.web.pax-web-undertow - 7.2.16 |
> registering context DefaultHttpContext [bundle=hello1.xml [134],
> contextID=default], with context path: /
> 2020-08-07T11:47:31,555 | INFO  | paxweb-context-2-thread-1 | Context
>                     | 63 - org.ops4j.pax.web.pax-web-undertow - 7.2.16 |
> Starting context /
> 2020-08-07T11:47:31,610 | WARN  | paxweb-context-2-thread-1 | PathMatcher
>                     | 63 - org.ops4j.pax.web.pax-web-undertow - 7.2.16 |
> Overwriting existing default context
> org.ops4j.pax.web.service.undertow.internal.Context@8c1553c with a new
> one org.ops4j.pax.web.service.undertow.internal.Context@681b959c
> 2020-08-07T11:47:31,616 | INFO  | paxweb-context-2-thread-1 | Context
>                     | 63 - org.ops4j.pax.web.pax-web-undertow - 7.2.16 |
> Adding implicit "default" servlet
> 2020-08-07T11:47:31,624 | INFO  | paxweb-context-2-thread-1 |
> ServletContainerInitializerScanner | 60 - org.ops4j.pax.web.pax-web-api -
> 7.2.16 | will add io.undertow.servlet.sse.ServerSentEventSCI to
> ServletContainerInitializers
> 2020-08-07T11:47:31,686 | INFO  | paxweb-context-2-thread-1 |
> ServletContainerInitializerScanner | 60 - org.ops4j.pax.web.pax-web-api -
> 7.2.16 | added ServletContainerInitializer:
> io.undertow.servlet.sse.ServerSentEventSCI
> 2020-08-07T11:47:31,697 | INFO  | paxweb-context-2-thread-1 | Context
>                     | 63 - org.ops4j.pax.web.pax-web-undertow - 7.2.16 |
> Creating undertow servlet deployment for context path /...
> 2020-08-07T11:47:31,716 | INFO  | paxweb-context-2-thread-1 | Context
>                     | 63 - org.ops4j.pax.web.pax-web-undertow - 7.2.16 |
> Creating undertow servlet deployment for context path / - done
> 2020-08-07T11:47:31,717 | INFO  | paxweb-context-2-thread-1 | Context
>                     | 63 - org.ops4j.pax.web.pax-web-undertow - 7.2.16 |
> Registering io.undertow.servlet.spec.ServletContextImpl@757d3a20 as OSGi
> service...
> 2020-08-07T11:47:31,728 | INFO  | paxweb-context-2-thread-1 | Context
>                     | 63 - org.ops4j.pax.web.pax-web-undertow - 7.2.16 |
> Registering io.undertow.servlet.spec.ServletContextImpl@757d3a20 as OSGi
> service - done
> 2020-08-07T11:47:31,729 | INFO  | paxweb-context-2-thread-1 | Context
>                     | 63 - org.ops4j.pax.web.pax-web-undertow - 7.2.16 |
> Starting Undertow web application for context path /
> 2020-08-07T11:47:32,115 | INFO  | Blueprint Extender: 1 |
> BlueprintContainerImpl           | 69 - org.apache.aries.blueprint.core -
> 1.10.2 | Blueprint bundle hello1.xml/0.0.0 has been started
> 2020-08-07T11:47:32,118 | INFO  | Blueprint Event Dispatcher: 1 |
> BlueprintCamelContext            | 119 -
> org.apache.camel.karaf.camel-blueprint - 3.4.2 | Attempting to start
> CamelContext: camel-1
> 2020-08-07T11:47:32,165 | INFO  | Blueprint Event Dispatcher: 1 |
> JmxManagementStrategy            | 98 - org.apache.camel.camel-management -
> 3.4.2 | JMX is enabled
> 2020-08-07T11:47:32,418 | INFO  | Blueprint Event Dispatcher: 1 |
> AbstractCamelContext             | 76 - org.apache.camel.camel-base - 3.4.2
> | Apache Camel 3.4.2 (camel-1) is starting
> 2020-08-07T11:47:33,264 | INFO  | Blueprint Event Dispatcher: 1 |
> AbstractCamelContext             | 76 - org.apache.camel.camel-base - 3.4.2
> | StreamCaching is not in use. If using streams then its recommended to
> enable stream caching. See more details at
> http://camel.apache.org/stream-caching.html
> 2020-08-07T11:47:33,265 | INFO  | Blueprint Event Dispatcher: 1 |
> AbstractCamelContext             | 76 - org.apache.camel.camel-base - 3.4.2
> | Using HealthCheck: camel-health
> 2020-08-07T11:47:33,361 | INFO  | Blueprint Event Dispatcher: 1 |
> InternalRouteStartupManager      | 76 - org.apache.camel.camel-base - 3.4.2
> | Route: route1 started and consuming from: servlet:/hello1
> 2020-08-07T11:47:33,369 | INFO  | Blueprint Event Dispatcher: 1 |
> AbstractCamelContext             | 76 - org.apache.camel.camel-base - 3.4.2
> | Total 1 routes, of which 1 are started
> 2020-08-07T11:47:33,370 | INFO  | Blueprint Event Dispatcher: 1 |
> AbstractCamelContext             | 76 - org.apache.camel.camel-base - 3.4.2
> | Apache Camel 3.4.2 (camel-1) started in 0.951 seconds
>
>
> > Grzegorz Grzybek <gr...@gmail.com> wrote on 07.08.2020 11:07:
> >
> >
> > Hello
> >
> > In theory (I can't check now), you have to:
> >
> > 1. comment out <http-listener name="http" socket-binding="http" />
> > 2. ensure that org.ops4j.pax.web PID has org.osgi.service.http.enabled = false (so pax-web-undertow won't try to recreate the non-secure listener if it's not available in etc/undertow.xml)
> >
> > regards
> > Grzegorz Grzybek
> >
> >
> > On Fri, 7 Aug 2020 at 10:52, Gerald Kallas <ca...@mailbox.org> wrote:
> > > Thanks, Grzegorz for the explanation.
> > >
> > > At the moment I'd be happy to use HTTPS (on 8443) only for all web related services (web console, servlets) w/ undertow and disable HTTP (on 8181). Could this be reached with the setup I have?
> > >
> > > Thanks
> > > - Gerald
> > >
> > > > Grzegorz Grzybek <gr...@gmail.com> wrote on 07.08.2020 10:47:
> > > >
> > > >
> > > > Hello
> > > >
> > > > Unfortunately it is not possible to use the internal (managed by Pax Web) servlet runtime selectively - by specifying which listener (or more generally - virtual host) should be used for the servlets created and registered by Camel into HttpService (Pax Web) runtime.
> > > >
> > > > pax-web-jetty has partial (legacy, non-standard from the point of view of OSGi CMPN specification) support for virtual hosts where a Whiteboard-registered servlet (or filter, or other "web element") may specify a comma-separated list of virtual host/connector names. But that's only for Jetty.
> > > >
> > > > I'm still working on refactoring Pax Web 8 and I plan to have unified "experience" for dealing with separate connectors/virtual hosts across Jetty/Tomcat/Undertow runtimes, but it'll come only in Pax Web 8.
> > > >
> > > > regards
> > > > Grzegorz Grzybek
> > > >
> > > >
> > > > On Fri, 7 Aug 2020 at 10:34, Gerald Kallas <ca...@mailbox.org> wrote:
> > > > > Dear all,
> > > > >
> > > > > following the guidance in the ticket
> > > > >
> > > > > https://issues.apache.org/jira/browse/KARAF-6772
> > > > >
> > > > > I was setting up a vanilla Karaf 4.2.9 with the following features
> > > > >
> > > > > feature:repo-add camel 3.4.2
> > > > > feature:install pax-http-undertow
> > > > > feature:install camel camel-servlet webconsole
> > > > >
> > > > > I wonder how I can bind the webconsole and the servlet consumer in the camel routes to the HTTPS port. My undertow.xml see below. I tried to change the org.ops4j.pax.web.cfg but with no success.
> > > > >
> > > > > Any hints are appreciated.
> > > > >
> > > > > Thanks
> > > > > - Gerald
> > > > >
> > > > >
> > > > > <?xml version="1.0" encoding="UTF-8"?>
> > > > > <!--
> > > > > Licensed under the Apache License, Version 2.0 (the "License");
> > > > > you may not use this file except in compliance with the License.
> > > > > You may obtain a copy of the License at
> > > > >
> > > > > http://www.apache.org/licenses/LICENSE-2.0
> > > > >
> > > > > Unless required by applicable law or agreed to in writing, software
> > > > > distributed under the License is distributed on an "AS IS" BASIS,
> > > > > WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or
> > > > > implied.
> > > > >
> > > > > See the License for the specific language governing permissions and
> > > > > limitations under the License.
> > > > > -->
> > > > > <undertow xmlns="urn:org.ops4j.pax.web:undertow:1.0"
> > > > > xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
> > > > > xmlns:w="urn:jboss:domain:5.0"
> > > > > xmlns:io="urn:jboss:domain:io:3.0"
> > > > > xsi:schemaLocation="
> > > > > urn:jboss:domain:io:3.0
> http://www.jboss.org/schema/jbossas/wildfly-io_3_0.xsd
> > > > > urn:jboss:domain:undertow:4.0
> http://www.jboss.org/schema/jbossas/wildfly-undertow_4_0.xsd
> > > > > urn:jboss:domain:5.0
> http://www.jboss.org/schema/jbossas/wildfly-config_5_0.xsd">
> > > > >
> > > > > <!--
> > > > > Only "default" worker and buffer-pool are supported and can be
> used to override the default values
> > > > > used by all listeners
> > > > >
> > > > > buffer-pool:
> > > > > - buffer-size defaults to:
> > > > > - when < 64MB of Xmx: 512
> > > > > - when < 128MB of Xmx: 1024
> > > > > - when >= 128MB of Xmx: 16K - 20
> > > > > - direct-buffers defaults to:
> > > > > - when < 64MB of Xmx: false
> > > > > - when >= 64MB of Xmx: true
> > > > >
> > > > > worker:
> > > > > - io-threads defaults to
> Math.max(Runtime.getRuntime().availableProcessors(), 2);
> > > > > - task-core-threads and task-max-threads default to io-threads * 8
> > > > > -->
> > > > > <!--
> > > > > <subsystem xmlns="urn:jboss:domain:io:3.0">
> > > > > <buffer-pool name="default" buffer-size="16364"
> direct-buffers="true" />
> > > > > <worker name="default" io-threads="8" task-core-threads="64"
> task-max-threads="64" />
> > > > > </subsystem>
> > > > > -->
> > > > >
> > > > > <!--
> https://docs.jboss.org/author/display/WFLY/Undertow+subsystem+configuration
> -->
> > > > > <subsystem xmlns="urn:jboss:domain:undertow:4.0">
> > > > > <!-- org.wildfly.extension.undertow.BufferCacheDefinition -->
> > > > > <buffer-cache name="default" buffer-size="1024"
> buffers-per-region="1024" max-regions="10" />
> > > > > <server name="default-server">
> > > > > <!-- HTTP(S) Listener references Socket Binding (and indirectly -
> Interfaces) -->
> > > > > <http-listener name="http" socket-binding="http" />
> > > > > <!-- verify-client: org.xnio.SslClientAuthMode.NOT_REQUESTED,
> org.xnio.SslClientAuthMode.REQUESTED, org.xnio.SslClientAuthMode.REQUIRED
> -->
> > > > > <https-listener name="https" socket-binding="https"
> > > > > security-realm="https" verify-client="NOT_REQUESTED" />
> > > > > <host name="default-host" alias="localhost">
> > > > > <!--<location name="/" handler="welcome-content" />-->
> > > > > <!--<location name="/docs" handler="docs-content" />-->
> > > > > <access-log directory="${karaf.data}/log" pattern="common"
> prefix="access_log." suffix="log" rotate="true" />
> > > > > <filter-ref name="server-header" />
> > > > > <filter-ref name="x-powered-by-header" />
> > > > > </host>
> > > > > </server>
> > > > > <servlet-container name="default">
> > > > > <jsp-config />
> > > > > <websockets />
> > > > > <welcome-files>
> > > > > <welcome-file name="index.html" />
> > > > > <welcome-file name="index.txt" />
> > > > > </welcome-files>
> > > > > </servlet-container>
> > > > > <handlers>
> > > > > <file name="welcome-content" path="${karaf.home}/welcome" />
> > > > > <!--<file name="docs-content" path="${karaf.home}/docs" />-->
> > > > > </handlers>
> > > > > <filters>
> > > > > <!-- filters for reference from /host/filter-ref and
> /host/location/filter-ref -->
> > > > > <response-header name="server-header" header-name="Server"
> header-value="Pax-HTTP-Undertow" />
> > > > > <response-header name="x-powered-by-header"
> header-name="X-Powered-By" header-value="Pax-HTTP-Undertow/7.2.16" />
> > > > > </filters>
> > > > > </subsystem>
> > > > >
> > > > > <!-- https://docs.jboss.org/author/display/WFLY/Security+Realms
> -->
> > > > > <!--
> > > > > we'll use "default" security realm by default to configure
> jaas/properties authentication
> > > > > (io.undertow.security.idm.IdentityManager):
> > > > > - w:jaas -
> org.ops4j.pax.web.service.undertow.internal.security.JaasIdentityManager
> > > > > - w:properties -
> org.ops4j.pax.web.service.undertow.internal.security.PropertiesIdentityManager
> > > > > -->
> > > > > <security-realm name="default">
> > > > > <w:authentication>
> > > > > <!-- JaasIdentityManager for given realm -->
> > > > > <w:jaas name="karaf" />
> > > > > <!-- OR PropertiesIdentityManager (mutually exclusive with
> <w:jaas>) -->
> > > > > <!--<w:properties path="users.properties" />-->
> > > > > </w:authentication>
> > > > >
> <user-principal-class-name>org.apache.karaf.jaas.boot.principal.UserPrincipal</user-principal-class-name>
> > > > >
> <role-principal-class-name>org.apache.karaf.jaas.boot.principal.RolePrincipal</role-principal-class-name>
> > > > > <!--<role-principal-class-name>...</role-principal-class-name>-->
> > > > > </security-realm>
> > > > > <!--
> > > > > Any security realm may be referenced by https-listener to define
> trust/keystore, protocols and cipher suites
> > > > > -->
> > > > > <security-realm name="https">
> > > > > <w:server-identities>
> > > > > <w:ssl>
> > > > > <!-- sun.security.ssl.ProtocolVersion -->
> > > > > <!-- sun.security.ssl.CipherSuite -->
> > > > > <!-- openssl ciphers 'ALL:eNULL' | sed -e 's/:/\n/g' | sort -->
> > > > > <w:engine
> > > > > enabled-cipher-suites="TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA384
> TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA384"
> > > > > enabled-protocols="TLSv1 TLSv1.1 TLSv1.2" />
> > > > > <w:keystore path="${karaf.etc}/server.p12" provider="PKCS12"
> alias="server"
> > > > > keystore-password="password" key-password="password"
> > > > > generate-self-signed-certificate-host="localhost" />
> > > > > </w:ssl>
> > > > > </w:server-identities>
> > > > > <w:authentication>
> > > > > <w:jaas name="karaf" />
> > > > > <w:truststore path="${karaf.etc}/truststore.jks" provider="JKS"
> keystore-password="password" />
> > > > > </w:authentication>
> > > > >
> <user-principal-class-name>org.apache.karaf.jaas.boot.principal.UserPrincipal</user-principal-class-name>
> > > > >
> <role-principal-class-name>org.apache.karaf.jaas.boot.principal.RolePrincipal</role-principal-class-name>
> > > > > </security-realm>
> > > > >
> > > > > <!-- Interface lists IP addresses to bind to -->
> > > > > <interface name="default">
> > > > > <w:inet-address value="0.0.0.0" />
> > > > > <!--<w:inet-address value="127.0.0.1" />-->
> > > > > </interface>
> > > > > <interface name="secure">
> > > > > <w:inet-address value="127.0.0.1" />
> > > > > </interface>
> > > > >
> > > > > <!-- Socket Binding adds port for each IP from referenced
> Interface -->
> > > > > <socket-binding name="http" interface="default"
> port="${org.osgi.service.http.port}" />
> > > > > <socket-binding name="https" interface="secure"
> port="${org.osgi.service.http.port.secure}" />
> > > > >
> > > > > </undertow>
>
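An added example, not part of the thread or of Pax Web: a small Python check for the suspected mismatch between "enabled-protocols" and "enabled-cipher-suites" in undertow.xml. It parses a constructed fragment that reproduces the thread's w:engine element and reports which enabled protocols are left without a usable suite; the by-name suite classification and the "https-after-fix" realm name are assumptions.

```python
import xml.etree.ElementTree as ET

PAXWEB_NS = "urn:org.ops4j.pax.web:undertow:1.0"  # default namespace of undertow.xml
W_NS = "urn:jboss:domain:5.0"                      # namespace bound to the "w" prefix
LEGACY_PROTOCOLS = ("SSLv3", "TLSv1", "TLSv1.1")
PRE_TLS13 = ("SSLv3", "TLSv1", "TLSv1.1", "TLSv1.2")

# Constructed sample: the first realm copies the w:engine attributes quoted in
# the thread, the second (hypothetical name) is the same element after the
# enabled-cipher-suites attribute has been removed.
SAMPLE_UNDERTOW_XML = """
<undertow xmlns="urn:org.ops4j.pax.web:undertow:1.0" xmlns:w="urn:jboss:domain:5.0">
  <security-realm name="https">
    <w:server-identities><w:ssl>
      <w:engine
          enabled-cipher-suites="TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA384 TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA384"
          enabled-protocols="TLSv1 TLSv1.1 TLSv1.2" />
    </w:ssl></w:server-identities>
  </security-realm>
  <security-realm name="https-after-fix">
    <w:server-identities><w:ssl>
      <w:engine enabled-protocols="TLSv1 TLSv1.1 TLSv1.2" />
    </w:ssl></w:server-identities>
  </security-realm>
</undertow>
"""


def suite_protocols(suite):
    """Protocol versions that can negotiate a JSSE cipher suite name.

    Assumption: classification by name only, covering the standard
    (non-PSK) suite families.
    """
    if "_WITH_" not in suite:              # TLS_AES_256_GCM_SHA384 and friends
        return {"TLSv1.3"}
    aead = "_GCM_" in suite or "_CCM" in suite or "CHACHA20" in suite
    if aead or suite.endswith(("_SHA256", "_SHA384")):
        return {"TLSv1.2"}                 # AEAD and SHA-2 MAC suites need TLS 1.2
    return set(PRE_TLS13)                  # *_SHA / *_MD5 suites


def audit_engines(xml_text):
    """Return one report per w:engine element found inside a security-realm."""
    root = ET.fromstring(xml_text)
    reports = []
    for realm in root.iter("{%s}security-realm" % PAXWEB_NS):
        for engine in realm.iter("{%s}engine" % W_NS):
            protocols = engine.get("enabled-protocols", "").split()
            # Signalling values such as TLS_EMPTY_RENEGOTIATION_INFO_SCSV are not suites.
            suites = [s for s in engine.get("enabled-cipher-suites", "").split()
                      if not s.endswith("_SCSV")]
            restricted = bool(suites)      # False: the JVM default suite list applies
            usable = {p: [s for s in suites if p in suite_protocols(s)]
                      for p in protocols}
            reports.append({
                "realm": realm.get("name"),
                "suites_restricted": restricted,
                "usable": usable,
                # enabled protocols that no listed suite can serve
                "dead_protocols": [p for p in protocols
                                   if restricted and not usable[p]],
                # listed suites that no enabled protocol can negotiate
                "orphan_suites": [s for s in suites
                                  if protocols and not (suite_protocols(s) & set(protocols))],
                "legacy_protocols": [p for p in protocols if p in LEGACY_PROTOCOLS],
            })
    return reports


if __name__ == "__main__":
    for report in audit_engines(SAMPLE_UNDERTOW_XML):
        print(report["realm"])
        if not report["suites_restricted"]:
            print("  no enabled-cipher-suites: JVM defaults apply")
        for proto, suites in report["usable"].items():
            if report["suites_restricted"]:
                print("  %-8s usable suites: %s" % (proto, ", ".join(suites) or "NONE"))
        if report["legacy_protocols"]:
            print("  legacy protocols still enabled: %s" % ", ".join(report["legacy_protocols"]))
```

For the thread's configuration this reports TLSv1 and TLSv1.1 as enabled with no usable suite, so only a TLSv1.2 client that offers one of the two CBC suites can complete a handshake. Removing enabled-cipher-suites clears that restriction but leaves the two legacy protocol versions enabled.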

Re: HTTPS with Karaf 4.2.9 and underpinning undertow web server

Posted by Grzegorz Grzybek <gr...@gmail.com>.
Hello

Thu, 3 Sep 2020 at 09:10 Gerald Kallas <ca...@mailbox.org> wrote:

> Thanks Grzegorz.
>
> Yes, I did find the same in between and changed the undertow.xml. Finally
> it works and undertow pax web seems a bit more flexible than jetty. Would
> it be a further part of Pax Web 8 and Karaf as well?
>

Pax Web 8 will have many improvements (for pax-web-undertow,
io.undertow.Undertow one-size-fits-all class won't be used - I explicitly
create/configure listeners/connectors/buffers almost exactly like Wildfly
does it) and the emphasis is on making the experience similar when using
Jetty, Undertow and Tomcat.

regards
Grzegorz


>
> Best
> - Gerald
>
> > Grzegorz Grzybek <gr...@gmail.com> wrote on 03.09.2020 08:29:
> >
> >
> > Hello
> >
> > Sorry for late response (holidays!), but I tried your example with tiny
> > (not relevant) details.
> >
> > I used Karaf 4.2.9, but Camel 2.23.2. So I used
> > "org.apache.camel.component.servlet.osgi.OsgiServletRegisterer" instead
> of
> > "org.apache.camel.component.osgi.OsgiServletRegisterer", but no more
> > changes to blueprint.xml or etc/org.ops4j.pax.web.cfg.
> >
> > However, I had ONE problem with TLS connection:
> >
> > $ curl -k -v https://localhost:8443/camel/services/hello1
> > *   Trying ::1:8443...
> > * Connected to localhost (::1) port 8443 (#0)
> > * ALPN, offering h2
> > * ALPN, offering http/1.1
> > * successfully set certificate verify locations:
> > *   CAfile: /etc/pki/tls/certs/ca-bundle.crt
> >   CApath: none
> > * TLSv1.3 (OUT), TLS handshake, Client hello (1):
> > * OpenSSL SSL_connect: SSL_ERROR_SYSCALL in connection to localhost:8443
> > * Closing connection 0
> > curl: (35) OpenSSL SSL_connect: SSL_ERROR_SYSCALL in connection to
> > localhost:8443
> >
> > I think (and I'll review it at some point in Pax Web itself) it's the
> > mismatch between "enabled-protocols" and "enabled-cipher-suites" in
> > undertow.xml. Please remove:
> >
> > enabled-cipher-suites="TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA384
> > TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA384"
> >
> > and it should work (note that change to undertow.xml WON'T automatically
> > restart relevant bundles).
> >
> > $ curl -k -v https://localhost:8443/camel/services/hello1
> > *   Trying ::1:8443...
> > * Connected to localhost (::1) port 8443 (#0)
> > * ALPN, offering h2
> > * ALPN, offering http/1.1
> > * successfully set certificate verify locations:
> > *   CAfile: /etc/pki/tls/certs/ca-bundle.crt
> >   CApath: none
> > * TLSv1.3 (OUT), TLS handshake, Client hello (1):
> > * TLSv1.3 (IN), TLS handshake, Server hello (2):
> > * TLSv1.2 (IN), TLS handshake, Certificate (11):
> > * TLSv1.2 (IN), TLS handshake, Server key exchange (12):
> > * TLSv1.2 (IN), TLS handshake, Server finished (14):
> > * TLSv1.2 (OUT), TLS handshake, Client key exchange (16):
> > * TLSv1.2 (OUT), TLS change cipher, Change cipher spec (1):
> > * TLSv1.2 (OUT), TLS handshake, Finished (20):
> > * TLSv1.2 (IN), TLS handshake, Finished (20):
> > * SSL connection using TLSv1.2 / ECDHE-RSA-AES256-GCM-SHA384
> > * ALPN, server did not agree to a protocol
> > * Server certificate:
> > *  subject: C=PL; ST=Dolny Śląsk; L=Wrocław; O=Red Hat; CN=localhost;
> > emailAddress=ggrzybek@redhat.com
> > *  start date: Aug 17 11:14:46 2017 GMT
> > *  expire date: Aug 17 11:14:46 2027 GMT
> > *  issuer: C=PL; ST=Dolny Śląsk; L=Wrocław; O=Red Hat; CN=everfree-ca;
> > emailAddress=ggrzybek@redhat.com
> > *  SSL certificate verify result: unable to get local issuer certificate
> > (20), continuing anyway.
> > > GET /camel/services/hello1 HTTP/1.1
> > > Host: localhost:8443
> > > User-Agent: curl/7.69.1
> > > Accept: */*
> > >
> > * Mark bundle as not supporting multiuse
> > < HTTP/1.1 200 OK
> > < Accept: */*
> > < Connection: keep-alive
> > < X-Powered-By: Pax-HTTP-Undertow/7.2.16
> > < breadcrumbId: ID-everfree-forest-1599112295273-1-1
> > < Server: Pax-HTTP-Undertow
> > < Transfer-Encoding: chunked
> > < User-Agent: curl/7.69.1
> > < Date: Thu, 03 Sep 2020 05:59:31 GMT
> > <
> > * Connection #0 to host localhost left intact
> > Hello 1
> >
> > kind regards
> > Grzegorz Grzybek
> >
> > Fri, 7 Aug 2020 at 11:53 Gerald Kallas <ca...@mailbox.org> wrote:
> >
> > > Hi,
> > >
> > > I tried this out but it doesn't work properly. (keystore and truststore are
> > > the same as with jetty setup, they're valid).
> > >
> > > See below my configuration and the log. The HTTPS listener starts but
> > > neither the webconsole nor the servlet works.
> > >
> > > On client side I'm getting
> > >
> > > Error: Client network socket disconnected before secure TLS connection
> was
> > > established
> > >
> > >
> > > undertow.xml
> > >
> > > <?xml version="1.0" encoding="UTF-8"?>
> > > <!--
> > >    Licensed under the Apache License, Version 2.0 (the "License");
> > >    you may not use this file except in compliance with the License.
> > >    You may obtain a copy of the License at
> > >
> > >    http://www.apache.org/licenses/LICENSE-2.0
> > >
> > >    Unless required by applicable law or agreed to in writing, software
> > >    distributed under the License is distributed on an "AS IS" BASIS,
> > >    WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or
> > >    implied.
> > >
> > >    See the License for the specific language governing permissions and
> > >    limitations under the License.
> > > -->
> > > <undertow xmlns="urn:org.ops4j.pax.web:undertow:1.0"
> > >         xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
> > >         xmlns:w="urn:jboss:domain:5.0"
> > >         xmlns:io="urn:jboss:domain:io:3.0"
> > >         xsi:schemaLocation="
> > >             urn:jboss:domain:io:3.0
> > > http://www.jboss.org/schema/jbossas/wildfly-io_3_0.xsd
> > >             urn:jboss:domain:undertow:4.0
> > > http://www.jboss.org/schema/jbossas/wildfly-undertow_4_0.xsd
> > >             urn:jboss:domain:5.0
> > > http://www.jboss.org/schema/jbossas/wildfly-config_5_0.xsd">
> > >
> > >     <!--
> > >         Only "default" worker and buffer-pool are supported and can be
> > > used to override the default values
> > >         used by all listeners
> > >
> > >         buffer-pool:
> > >          - buffer-size defaults to:
> > >             - when < 64MB of Xmx: 512
> > >             - when < 128MB of Xmx: 1024
> > >             - when >= 128MB of Xmx: 16K - 20
> > >          - direct-buffers defaults to:
> > >             - when < 64MB of Xmx: false
> > >             - when >= 64MB of Xmx: true
> > >
> > >         worker:
> > >          - io-threads defaults to
> > > Math.max(Runtime.getRuntime().availableProcessors(), 2);
> > >          - task-core-threads and task-max-threads default to
> io-threads * 8
> > >     -->
> > >     <!--
> > >     <subsystem xmlns="urn:jboss:domain:io:3.0">
> > >         <buffer-pool name="default" buffer-size="16364"
> > > direct-buffers="true" />
> > >         <worker name="default" io-threads="8" task-core-threads="64"
> > > task-max-threads="64" />
> > >     </subsystem>
> > >     -->
> > >
> > >     <!--
> > >
> https://docs.jboss.org/author/display/WFLY/Undertow+subsystem+configuration
> > > -->
> > >     <subsystem xmlns="urn:jboss:domain:undertow:4.0">
> > >         <!-- org.wildfly.extension.undertow.BufferCacheDefinition -->
> > >         <buffer-cache name="default" buffer-size="1024"
> > > buffers-per-region="1024" max-regions="10" />
> > >         <server name="default-server">
> > >             <!-- HTTP(S) Listener references Socket Binding (and
> > > indirectly - Interfaces) -->
> > >             <!-- verify-client:
> org.xnio.SslClientAuthMode.NOT_REQUESTED,
> > > org.xnio.SslClientAuthMode.REQUESTED,
> org.xnio.SslClientAuthMode.REQUIRED
> > > -->
> > >             <https-listener name="https" socket-binding="https"
> > >                     security-realm="https"
> verify-client="NOT_REQUESTED" />
> > >             <host name="default-host" alias="localhost">
> > >                 <!--<location name="/" handler="welcome-content" />-->
> > >                 <!--<location name="/docs" handler="docs-content" />-->
> > >                 <access-log directory="${karaf.data}/log"
> pattern="common"
> > > prefix="access_log." suffix="log" rotate="true" />
> > >                 <filter-ref name="server-header" />
> > >                 <filter-ref name="x-powered-by-header" />
> > >             </host>
> > >         </server>
> > >         <servlet-container name="default">
> > >             <jsp-config />
> > >             <websockets />
> > >             <welcome-files>
> > >                 <welcome-file name="index.html" />
> > >                 <welcome-file name="index.txt" />
> > >             </welcome-files>
> > >         </servlet-container>
> > >         <handlers>
> > >             <file name="welcome-content" path="${karaf.home}/welcome"
> />
> > >             <!--<file name="docs-content" path="${karaf.home}/docs"
> />-->
> > >         </handlers>
> > >         <filters>
> > >             <!-- filters for reference from /host/filter-ref and
> > > /host/location/filter-ref -->
> > >             <response-header name="server-header" header-name="Server"
> > > header-value="Pax-HTTP-Undertow" />
> > >             <response-header name="x-powered-by-header"
> > > header-name="X-Powered-By" header-value="Pax-HTTP-Undertow/7.2.16" />
> > >         </filters>
> > >     </subsystem>
> > >
> > >     <!-- https://docs.jboss.org/author/display/WFLY/Security+Realms
> -->
> > >     <!--
> > >         we'll use "default" security realm by default to configure
> > > jaas/properties authentication
> > >         (io.undertow.security.idm.IdentityManager):
> > >          - w:jaas -
> > >
> org.ops4j.pax.web.service.undertow.internal.security.JaasIdentityManager
> > >          - w:properties -
> > >
> org.ops4j.pax.web.service.undertow.internal.security.PropertiesIdentityManager
> > >     -->
> > >     <security-realm name="default">
> > >         <w:authentication>
> > >             <!-- JaasIdentityManager for given realm -->
> > >             <w:jaas name="karaf" />
> > >             <!-- OR PropertiesIdentityManager (mutually exclusive with
> > > <w:jaas>) -->
> > >             <!--<w:properties path="users.properties" />-->
> > >         </w:authentication>
> > >
> > >
> <user-principal-class-name>org.apache.karaf.jaas.boot.principal.UserPrincipal</user-principal-class-name>
> > >
> > >
> <role-principal-class-name>org.apache.karaf.jaas.boot.principal.RolePrincipal</role-principal-class-name>
> > >
>  <!--<role-principal-class-name>...</role-principal-class-name>-->
> > >     </security-realm>
> > >     <!--
> > >         Any security realm may be referenced by https-listener to
> define
> > > trust/keystore, protocols and cipher suites
> > >     -->
> > >     <security-realm name="https">
> > >         <w:server-identities>
> > >             <w:ssl>
> > >                 <!-- sun.security.ssl.ProtocolVersion -->
> > >                 <!-- sun.security.ssl.CipherSuite -->
> > >                 <!-- openssl ciphers 'ALL:eNULL' | sed -e 's/:/\n/g' |
> > > sort -->
> > >                 <w:engine
> > >
> > > enabled-cipher-suites="TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA384
> > > TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA384"
> > >                         enabled-protocols="TLSv1 TLSv1.1 TLSv1.2" />
> > >                 <w:keystore path="${karaf.etc}/server.p12"
> > > provider="PKCS12" alias="server"
> > >                         keystore-password="password"
> > > key-password="password"
> > >
>  generate-self-signed-certificate-host="localhost"
> > > />
> > >             </w:ssl>
> > >         </w:server-identities>
> > >         <w:authentication>
> > >             <w:jaas name="karaf" />
> > >             <w:truststore path="${karaf.etc}/truststore.jks"
> > > provider="JKS" keystore-password="password" />
> > >         </w:authentication>
> > >
> > >
> <user-principal-class-name>org.apache.karaf.jaas.boot.principal.UserPrincipal</user-principal-class-name>
> > >
> > >
> <role-principal-class-name>org.apache.karaf.jaas.boot.principal.RolePrincipal</role-principal-class-name>
> > >     </security-realm>
> > >
> > >     <!-- Interface lists IP addresses to bind to -->
> > >     <interface name="secure">
> > >         <w:inet-address value="0.0.0.0" />
> > >     </interface>
> > >
> > >     <!-- Socket Binding adds port for each IP from referenced
> Interface -->
> > >     <socket-binding name="https" interface="secure"
> > > port="${org.osgi.service.http.port.secure}" />
> > >
> > > </undertow>
> > >
> > >
> > > org.ops4j.pax.web.cfg
> > >
> > >
> > > org.osgi.service.http.enabled=false
> > >
> > > org.osgi.service.http.secure.enabled=true
> > > org.osgi.service.http.port.secure=8443
> > >
> > > javax.servlet.context.tempdir=${karaf.data}/pax-web-jsp
> > > #org.ops4j.pax.web.config.file=${karaf.etc}/undertow.properties
> > > org.ops4j.pax.web.config.file=${karaf.etc}/undertow.xml
> > > org.apache.karaf.features.configKey = org.ops4j.pax.web
> > >
> > >
> > > servlet (hello1.xml)
> > >
> > > <blueprint xmlns="http://www.osgi.org/xmlns/blueprint/v1.0.0"
> > >            xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
> > >            xsi:schemaLocation="
> http://www.osgi.org/xmlns/blueprint/v1.0.0
> > >            https://www.osgi.org/xmlns/blueprint/v1.0.0/blueprint.xsd">
> > >
> > >         <reference id="httpService"
> > > interface="org.osgi.service.http.HttpService" />
> > >
> > >         <bean id="camelServlet"
> > > class="org.apache.camel.component.servlet.CamelHttpTransportServlet"/>
> > >
> > >         <bean
> class="org.apache.camel.component.osgi.OsgiServletRegisterer"
> > >          init-method="register"
> > >          destroy-method="unregister">
> > >                 <property name="servletName" value="httpServlet" />
> > >                 <property name="alias" value="/camel/services" />
> > >                 <property name="httpService" ref="httpService" />
> > >                 <property name="servlet" ref="camelServlet" />
> > >         </bean>
> > >
> > >         <bean id="servlet"
> > > class="org.apache.camel.component.servlet.ServletComponent" />
> > >
> > >         <camelContext xmlns="http://camel.apache.org/schema/blueprint
> ">
> > >                 <route>
> > >                         <from
> > > uri="servlet://hello1?servletName=httpServlet" />
> > >                         <setBody>
> > >                                 <constant>Hello 1</constant>
> > >                         </setBody>
> > >                 </route>
> > >         </camelContext>
> > >
> > > </blueprint>
> > >
> > >
> > > log excerpt
> > >
> > > 2020-08-07T11:47:29,596 | INFO  | paxweb-config-1-thread-1 |
> > > ServerControllerImpl             | 63 -
> org.ops4j.pax.web.pax-web-undertow
> > > - 7.2.16 | Using
> > > "file:/E:/apache-karaf/apache-karaf-4.2.9/etc/undertow.xml" to
> configure
> > > Undertow
> > > 2020-08-07T11:47:29,848 | INFO  | paxweb-config-1-thread-1 |
> > > ServerControllerImpl             | 63 -
> org.ops4j.pax.web.pax-web-undertow
> > > - 7.2.16 | Starting undertow https listener on 0.0.0.0:8443
> > > 2020-08-07T11:47:29,985 | INFO  | FelixStartLevel  |
> > > BlueprintContainerImpl           | 69 -
> org.apache.aries.blueprint.core -
> > > 1.10.2 | Blueprint bundle hello1.xml/0.0.0 is waiting for dependencies
> > > [(objectClass=org.osgi.service.http.HttpService)]
> > > 2020-08-07T11:47:29,987 | INFO  | activator-1-thread-2 |
> > > BouncyCastleSecurityProviderRegistrar | 38 - org.apache.sshd.core -
> 1.7.0 |
> > > getOrCreateProvider(BC) created instance of
> > > org.bouncycastle.jce.provider.BouncyCastleProvider
> > > 2020-08-07T11:47:30,286 | INFO  | activator-1-thread-2 |
> CommandExtension
> > >                | 34 - org.apache.karaf.shell.core - 4.2.9 | Registering
> > > commands for bundle org.apache.karaf.features.command/4.2.9
> > > 2020-08-07T11:47:30,446 | INFO  | activator-1-thread-3 |
> CommandExtension
> > >                | 34 - org.apache.karaf.shell.core - 4.2.9 | Registering
> > > commands for bundle org.apache.karaf.kar.core/4.2.9
> > > 2020-08-07T11:47:30,487 | INFO  | activator-1-thread-2 | Activator
> > >                 | 18 - org.apache.karaf.deployer.features - 4.2.9 |
> > > Deployment finished. Registering FeatureDeploymentListener
> > > 2020-08-07T11:47:30,543 | INFO  | activator-1-thread-2 | FeaturesPlugin
> > >                | 140 - org.apache.karaf.webconsole.features - 4.2.9 |
> > > Features plugin deactivated
> > > 2020-08-07T11:47:30,544 | INFO  | activator-1-thread-2 | FeaturesPlugin
> > >                | 140 - org.apache.karaf.webconsole.features - 4.2.9 |
> > > Features plugin activated
> > > 2020-08-07T11:47:30,839 | INFO  | paxweb-config-1-thread-1 |
> > > ServerControllerImpl             | 63 -
> org.ops4j.pax.web.pax-web-undertow
> > > - 7.2.16 | Using in-memory session persistence
> > > 2020-08-07T11:47:30,864 | INFO  | paxweb-config-1-thread-1 |
> > > HttpServiceFactoryImpl           | 61 -
> org.ops4j.pax.web.pax-web-runtime -
> > > 7.2.16 | Binding bundle: [org.apache.karaf.webconsole.console [139]] to
> > > http service
> > > 2020-08-07T11:47:31,000 | INFO  | paxweb-config-1-thread-1 | Context
> > >                     | 63 - org.ops4j.pax.web.pax-web-undertow - 7.2.16
> |
> > > registering context DefaultHttpContext
> > > [bundle=org.apache.karaf.webconsole.console [139], contextID=custom],
> with
> > > context path: /
> > > 2020-08-07T11:47:31,011 | INFO  | paxweb-config-1-thread-1 | Context
> > >                     | 63 - org.ops4j.pax.web.pax-web-undertow - 7.2.16
> |
> > > Starting context /
> > > 2020-08-07T11:47:31,013 | WARN  | paxweb-config-1-thread-1 |
> PathMatcher
> > >                     | 63 - org.ops4j.pax.web.pax-web-undertow - 7.2.16
> |
> > > Overwriting existing default context
> > > io.undertow.server.handlers.PathHandler@382344b0 with a new one
> > > org.ops4j.pax.web.service.undertow.internal.Context@8c1553c
> > > 2020-08-07T11:47:31,034 | INFO  | paxweb-config-1-thread-1 | Context
> > >                     | 63 - org.ops4j.pax.web.pax-web-undertow - 7.2.16
> |
> > > Adding implicit "default" servlet
> > > 2020-08-07T11:47:31,047 | INFO  | paxweb-config-1-thread-1 |
> > > ServletContainerInitializerScanner | 60 -
> org.ops4j.pax.web.pax-web-api -
> > > 7.2.16 | will add io.undertow.servlet.sse.ServerSentEventSCI to
> > > ServletContainerInitializers
> > > 2020-08-07T11:47:31,048 | WARN  | paxweb-config-1-thread-1 |
> > > ServletContainerInitializerScanner | 60 -
> org.ops4j.pax.web.pax-web-api -
> > > 7.2.16 | failed to parse and instantiate of
> > > javax.servlet.ServletContainerInitializer in classpath
> > > 2020-08-07T11:47:31,070 | INFO  | paxweb-config-1-thread-1 | Context
> > >                     | 63 - org.ops4j.pax.web.pax-web-undertow - 7.2.16
> |
> > > Creating undertow servlet deployment for context path /...
> > > 2020-08-07T11:47:31,224 | INFO  | paxweb-config-1-thread-1 | Context
> > >                     | 63 - org.ops4j.pax.web.pax-web-undertow - 7.2.16
> |
> > > Creating undertow servlet deployment for context path / - done
> > > 2020-08-07T11:47:31,225 | INFO  | paxweb-config-1-thread-1 | Context
> > >                     | 63 - org.ops4j.pax.web.pax-web-undertow - 7.2.16
> |
> > > Registering io.undertow.servlet.spec.ServletContextImpl@e72855b as
> OSGi
> > > service...
> > > 2020-08-07T11:47:31,236 | INFO  | paxweb-config-1-thread-1 | Context
> > >                     | 63 - org.ops4j.pax.web.pax-web-undertow - 7.2.16
> |
> > > Registering io.undertow.servlet.spec.ServletContextImpl@e72855b as
> OSGi
> > > service - done
> > > 2020-08-07T11:47:31,237 | INFO  | paxweb-config-1-thread-1 | Context
> > >                     | 63 - org.ops4j.pax.web.pax-web-undertow - 7.2.16
> |
> > > Starting Undertow web application for context path /
> > > 2020-08-07T11:47:31,271 | INFO  | paxweb-config-1-thread-1 |
> > > HttpServiceFactoryImpl           | 61 -
> org.ops4j.pax.web.pax-web-runtime -
> > > 7.2.16 | Binding bundle: [org.apache.karaf.http.core [126]] to http
> service
> > > 2020-08-07T11:47:31,272 | INFO  | paxweb-config-1-thread-1 | Activator
> > >                     | 61 - org.ops4j.pax.web.pax-web-runtime - 7.2.16 |
> > > Starting server controller
> > > org.ops4j.pax.web.service.undertow.internal.ServerControllerImpl
> > > 2020-08-07T11:47:31,332 | INFO  | activator-1-thread-2 |
> CommandExtension
> > >                | 34 - org.apache.karaf.shell.core - 4.2.9 | Registering
> > > commands for bundle org.apache.karaf.http.core/4.2.9
> > > 2020-08-07T11:47:31,436 | INFO  | activator-1-thread-2 | HttpPlugin
> > >                | 142 - org.apache.karaf.webconsole.http - 4.2.9 | Http
> > > plugin activated
> > > 2020-08-07T11:47:31,487 | INFO  | Blueprint Extender: 1 |
> LRUCacheFactory
> > >                 | 108 - org.apache.camel.camel-support - 3.4.2 |
> Detected
> > > and using LRUCacheFactory: camel-caffeine-lrucache
> > > 2020-08-07T11:47:31,489 | INFO  | CM Configuration Updater
> > > (ManagedServiceFactory Update: factoryPid=[org.ops4j.pax.web.context])
> |
> > > HttpContextProcessing            | 61 -
> org.ops4j.pax.web.pax-web-runtime -
> > > 7.2.16 | Updated configuration for
> > > pid=org.ops4j.pax.web.context.dff8c6e5-f690-4ac6-9268-d87fc0dce06d
> > > 2020-08-07T11:47:31,538 | INFO  | paxweb-context-2-thread-1 |
> > > HttpContextProcessing            | 61 -
> org.ops4j.pax.web.pax-web-runtime -
> > > 7.2.16 | Found bundle "hello1.xml", scheduling customization of its
> > > WebContainer
> > > 2020-08-07T11:47:31,539 | INFO  | paxweb-context-2-thread-1 |
> > > HttpContextProcessing            | 61 -
> org.ops4j.pax.web.pax-web-runtime -
> > > 7.2.16 | Customizing WebContainer for bundle hello1.xml/0.0.0
> > > 2020-08-07T11:47:31,539 | INFO  | paxweb-context-2-thread-1 |
> > > HttpServiceFactoryImpl           | 61 -
> org.ops4j.pax.web.pax-web-runtime -
> > > 7.2.16 | Binding bundle: [hello1.xml [134]] to http service
> > > 2020-08-07T11:47:31,542 | INFO  | paxweb-context-2-thread-1 |
> > > HttpContextProcessing            | 61 -
> org.ops4j.pax.web.pax-web-runtime -
> > > 7.2.16 | Registering login configuration in WebContainer for bundle
> > > "hello1.xml": method=BASIC, realm=karaf
> > > 2020-08-07T11:47:31,545 | INFO  | paxweb-context-2-thread-1 |
> > > HttpContextProcessing            | 61 -
> org.ops4j.pax.web.pax-web-runtime -
> > > 7.2.16 | Registering security mappings in WebContainer for bundle
> > > "hello1.xml": SecurityConstraintsMapping{name='constraint.1',
> > > url='/camel/services/*', roles=[admin]}
> > > 2020-08-07T11:47:31,550 | INFO  | paxweb-context-2-thread-1 | Context
> > >                     | 63 - org.ops4j.pax.web.pax-web-undertow - 7.2.16
> |
> > > registering context DefaultHttpContext [bundle=hello1.xml [134],
> > > contextID=default], with context path: /
> > > 2020-08-07T11:47:31,555 | INFO  | paxweb-context-2-thread-1 | Context
> > >                     | 63 - org.ops4j.pax.web.pax-web-undertow - 7.2.16
> |
> > > Starting context /
> > > 2020-08-07T11:47:31,610 | WARN  | paxweb-context-2-thread-1 |
> PathMatcher
> > >                     | 63 - org.ops4j.pax.web.pax-web-undertow - 7.2.16
> |
> > > Overwriting existing default context
> > > org.ops4j.pax.web.service.undertow.internal.Context@8c1553c with a new
> > > one org.ops4j.pax.web.service.undertow.internal.Context@681b959c
> > > 2020-08-07T11:47:31,616 | INFO  | paxweb-context-2-thread-1 | Context
> > >                     | 63 - org.ops4j.pax.web.pax-web-undertow - 7.2.16
> |
> > > Adding implicit "default" servlet
> > > 2020-08-07T11:47:31,624 | INFO  | paxweb-context-2-thread-1 |
> > > ServletContainerInitializerScanner | 60 -
> org.ops4j.pax.web.pax-web-api -
> > > 7.2.16 | will add io.undertow.servlet.sse.ServerSentEventSCI to
> > > ServletContainerInitializers
> > > 2020-08-07T11:47:31,686 | INFO  | paxweb-context-2-thread-1 |
> > > ServletContainerInitializerScanner | 60 -
> org.ops4j.pax.web.pax-web-api -
> > > 7.2.16 | added ServletContainerInitializer:
> > > io.undertow.servlet.sse.ServerSentEventSCI
> > > 2020-08-07T11:47:31,697 | INFO  | paxweb-context-2-thread-1 | Context
> > >                     | 63 - org.ops4j.pax.web.pax-web-undertow - 7.2.16
> |
> > > Creating undertow servlet deployment for context path /...
> > > 2020-08-07T11:47:31,716 | INFO  | paxweb-context-2-thread-1 | Context
> > >                     | 63 - org.ops4j.pax.web.pax-web-undertow - 7.2.16
> |
> > > Creating undertow servlet deployment for context path / - done
> > > 2020-08-07T11:47:31,717 | INFO  | paxweb-context-2-thread-1 | Context
> > >                     | 63 - org.ops4j.pax.web.pax-web-undertow - 7.2.16
> |
> > > Registering io.undertow.servlet.spec.ServletContextImpl@757d3a20 as
> OSGi
> > > service...
> > > 2020-08-07T11:47:31,728 | INFO  | paxweb-context-2-thread-1 | Context
> > >                     | 63 - org.ops4j.pax.web.pax-web-undertow - 7.2.16
> |
> > > Registering io.undertow.servlet.spec.ServletContextImpl@757d3a20 as
> OSGi
> > > service - done
> > > 2020-08-07T11:47:31,729 | INFO  | paxweb-context-2-thread-1 | Context
> > >                     | 63 - org.ops4j.pax.web.pax-web-undertow - 7.2.16
> |
> > > Starting Undertow web application for context path /
> > > 2020-08-07T11:47:32,115 | INFO  | Blueprint Extender: 1 |
> > > BlueprintContainerImpl           | 69 -
> org.apache.aries.blueprint.core -
> > > 1.10.2 | Blueprint bundle hello1.xml/0.0.0 has been started
> > > 2020-08-07T11:47:32,118 | INFO  | Blueprint Event Dispatcher: 1 |
> > > BlueprintCamelContext            | 119 -
> > > org.apache.camel.karaf.camel-blueprint - 3.4.2 | Attempting to start
> > > CamelContext: camel-1
> > > 2020-08-07T11:47:32,165 | INFO  | Blueprint Event Dispatcher: 1 |
> > > JmxManagementStrategy            | 98 -
> org.apache.camel.camel-management -
> > > 3.4.2 | JMX is enabled
> > > 2020-08-07T11:47:32,418 | INFO  | Blueprint Event Dispatcher: 1 |
> > > AbstractCamelContext             | 76 - org.apache.camel.camel-base -
> 3.4.2
> > > | Apache Camel 3.4.2 (camel-1) is starting
> > > 2020-08-07T11:47:33,264 | INFO  | Blueprint Event Dispatcher: 1 |
> > > AbstractCamelContext             | 76 - org.apache.camel.camel-base -
> 3.4.2
> > > | StreamCaching is not in use. If using streams then its recommended to
> > > enable stream caching. See more details at
> > > http://camel.apache.org/stream-caching.html
> > > 2020-08-07T11:47:33,265 | INFO  | Blueprint Event Dispatcher: 1 |
> > > AbstractCamelContext             | 76 - org.apache.camel.camel-base -
> 3.4.2
> > > | Using HealthCheck: camel-health
> > > 2020-08-07T11:47:33,361 | INFO  | Blueprint Event Dispatcher: 1 |
> > > InternalRouteStartupManager      | 76 - org.apache.camel.camel-base -
> 3.4.2
> > > | Route: route1 started and consuming from: servlet:/hello1
> > > 2020-08-07T11:47:33,369 | INFO  | Blueprint Event Dispatcher: 1 |
> > > AbstractCamelContext             | 76 - org.apache.camel.camel-base -
> 3.4.2
> > > | Total 1 routes, of which 1 are started
> > > 2020-08-07T11:47:33,370 | INFO  | Blueprint Event Dispatcher: 1 |
> > > AbstractCamelContext             | 76 - org.apache.camel.camel-base -
> 3.4.2
> > > | Apache Camel 3.4.2 (camel-1) started in 0.951 seconds
> > >
> > >
> > > > Grzegorz Grzybek <gr...@gmail.com> wrote on 07.08.2020 11:07:
> > > >
> > > >
> > > > Hello
> > > >
> > > > In theory (I can't check now), you have to:
> > > >
> > > > 1. comment out <http-listener name="http" socket-binding="http" />
> > > > 2. ensure that org.ops4j.pax.web PID has
> org.osgi.service.http.enabled =
> > > false (so pax-web-undertow won't try to recreate the non-secure
> listener if
> > > it's not available in etc/undertow.xml)
> > > >
> > > > regards
> > > > Grzegorz Grzybek
> > > >
> > > >
> > > > Fri, 7 Aug 2020 at 10:52 Gerald Kallas <ca...@mailbox.org> wrote:
> > > > > Thanks, Grzegorz for the explanation.
> > > > >
> > > > > At the moment I'd be happy to use HTTPS (on 8443) only for all web
> > > related services (web console, servlets) w/ undertow and disable HTTP
> (on
> > > 8181). Could this be reached with the setup I have?
> > > > >
> > > > > Thanks
> > > > > - Gerald
> > > > >
> > > > > > Grzegorz Grzybek <gr...@gmail.com> wrote on 07.08.2020 10:47:
> > > > > >
> > > > > >
> > > > > > Hello
> > > > > >
> > > > > > Unfortunately it is not possible to use the internal (managed by
> Pax
> > > Web) servlet runtime selectively - by specifying which listener (or
> more
> > > generally - virtual host) should be used for the servlets created and
> > > registered by Camel into HttpService (Pax Web) runtime.
> > > > > >
> > > > > > pax-web-jetty has partial (legacy, non-standard from the point of
> > > view of OSGi CMPN specification) support for virtual hosts where a
> > > Whiteboard-registered servlet (or filter, or other "web element") may
> > > specify a comma-separated list of virtual host/connector names. But
> that's
> > > only for Jetty.
> > > > > >
> > > > > > I'm still working on refactoring Pax Web 8 and I plan to have
> > > unified "experience" for dealing with separate connectors/virtual hosts
> > > across Jetty/Tomcat/Undertow runtimes, but it'll come only in Pax Web
> 8.
> > > > > >
> > > > > > regards
> > > > > > Grzegorz Grzybek
> > > > > >
> > > > > >
> > > > > > On Fri, 7 Aug 2020 at 10:34, Gerald Kallas <ca...@mailbox.org> wrote:
> > > > > > > Dear all,
> > > > > > >
> > > > > > > following the guidance in the ticket
> > > > > > >
> > > > > > > https://issues.apache.org/jira/browse/KARAF-6772
> > > > > > >
> > > > > > > I was setting up a vanilla Karaf 4.2.9 with the following
> features
> > > > > > >
> > > > > > > feature:repo-add camel 3.4.2
> > > > > > > feature:install pax-http-undertow
> > > > > > > feature:install camel camel-servlet webconsole
> > > > > > >
> > > > > > > I wonder how I can bind the webconsole and the servlet
> consumer in
> > > the camel routes to the HTTPS port. My undertow.xml see below. I tried
> to
> > > change the org.ops4j.pax.web.cfg but with no success.
> > > > > > >
> > > > > > > Any hints are appreciated.
> > > > > > >
> > > > > > > Thanks
> > > > > > > - Gerald
> > > > > > >
> > > > > > >
> > > > > > > <?xml version="1.0" encoding="UTF-8"?>
> > > > > > > <!--
> > > > > > > Licensed under the Apache License, Version 2.0 (the "License");
> > > > > > > you may not use this file except in compliance with the
> License.
> > > > > > > You may obtain a copy of the License at
> > > > > > >
> > > > > > > http://www.apache.org/licenses/LICENSE-2.0
> > > > > > >
> > > > > > > Unless required by applicable law or agreed to in writing,
> software
> > > > > > > distributed under the License is distributed on an "AS IS"
> BASIS,
> > > > > > > WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or
> > > > > > > implied.
> > > > > > >
> > > > > > > See the License for the specific language governing
> permissions and
> > > > > > > limitations under the License.
> > > > > > > -->
> > > > > > > <undertow xmlns="urn:org.ops4j.pax.web:undertow:1.0"
> > > > > > > xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
> > > > > > > xmlns:w="urn:jboss:domain:5.0"
> > > > > > > xmlns:io="urn:jboss:domain:io:3.0"
> > > > > > > xsi:schemaLocation="
> > > > > > > urn:jboss:domain:io:3.0
> > > http://www.jboss.org/schema/jbossas/wildfly-io_3_0.xsd
> > > > > > > urn:jboss:domain:undertow:4.0
> > > http://www.jboss.org/schema/jbossas/wildfly-undertow_4_0.xsd
> > > > > > > urn:jboss:domain:5.0
> > > http://www.jboss.org/schema/jbossas/wildfly-config_5_0.xsd">
> > > > > > >
> > > > > > > <!--
> > > > > > > Only "default" worker and buffer-pool are supported and can be
> > > used to override the default values
> > > > > > > used by all listeners
> > > > > > >
> > > > > > > buffer-pool:
> > > > > > > - buffer-size defaults to:
> > > > > > > - when < 64MB of Xmx: 512
> > > > > > > - when < 128MB of Xmx: 1024
> > > > > > > - when >= 128MB of Xmx: 16K - 20
> > > > > > > - direct-buffers defaults to:
> > > > > > > - when < 64MB of Xmx: false
> > > > > > > - when >= 64MB of Xmx: true
> > > > > > >
> > > > > > > worker:
> > > > > > > - io-threads defaults to
> > > Math.max(Runtime.getRuntime().availableProcessors(), 2);
> > > > > > > - task-core-threads and task-max-threads default to io-threads
> * 8
> > > > > > > -->
> > > > > > > <!--
> > > > > > > <subsystem xmlns="urn:jboss:domain:io:3.0">
> > > > > > > <buffer-pool name="default" buffer-size="16364"
> > > direct-buffers="true" />
> > > > > > > <worker name="default" io-threads="8" task-core-threads="64"
> > > task-max-threads="64" />
> > > > > > > </subsystem>
> > > > > > > -->
> > > > > > >
> > > > > > > <!--
> > >
> https://docs.jboss.org/author/display/WFLY/Undertow+subsystem+configuration
> > > -->
> > > > > > > <subsystem xmlns="urn:jboss:domain:undertow:4.0">
> > > > > > > <!-- org.wildfly.extension.undertow.BufferCacheDefinition -->
> > > > > > > <buffer-cache name="default" buffer-size="1024"
> > > buffers-per-region="1024" max-regions="10" />
> > > > > > > <server name="default-server">
> > > > > > > <!-- HTTP(S) Listener references Socket Binding (and
> indirectly -
> > > Interfaces) -->
> > > > > > > <http-listener name="http" socket-binding="http" />
> > > > > > > <!-- verify-client: org.xnio.SslClientAuthMode.NOT_REQUESTED,
> > > org.xnio.SslClientAuthMode.REQUESTED,
> org.xnio.SslClientAuthMode.REQUIRED
> > > -->
> > > > > > > <https-listener name="https" socket-binding="https"
> > > > > > > security-realm="https" verify-client="NOT_REQUESTED" />
> > > > > > > <host name="default-host" alias="localhost">
> > > > > > > <!--<location name="/" handler="welcome-content" />-->
> > > > > > > <!--<location name="/docs" handler="docs-content" />-->
> > > > > > > <access-log directory="${karaf.data}/log" pattern="common"
> > > prefix="access_log." suffix="log" rotate="true" />
> > > > > > > <filter-ref name="server-header" />
> > > > > > > <filter-ref name="x-powered-by-header" />
> > > > > > > </host>
> > > > > > > </server>
> > > > > > > <servlet-container name="default">
> > > > > > > <jsp-config />
> > > > > > > <websockets />
> > > > > > > <welcome-files>
> > > > > > > <welcome-file name="index.html" />
> > > > > > > <welcome-file name="index.txt" />
> > > > > > > </welcome-files>
> > > > > > > </servlet-container>
> > > > > > > <handlers>
> > > > > > > <file name="welcome-content" path="${karaf.home}/welcome" />
> > > > > > > <!--<file name="docs-content" path="${karaf.home}/docs" />-->
> > > > > > > </handlers>
> > > > > > > <filters>
> > > > > > > <!-- filters for reference from /host/filter-ref and
> > > /host/location/filter-ref -->
> > > > > > > <response-header name="server-header" header-name="Server"
> > > header-value="Pax-HTTP-Undertow" />
> > > > > > > <response-header name="x-powered-by-header"
> > > header-name="X-Powered-By" header-value="Pax-HTTP-Undertow/7.2.16" />
> > > > > > > </filters>
> > > > > > > </subsystem>
> > > > > > >
> > > > > > > <!--
> https://docs.jboss.org/author/display/WFLY/Security+Realms
> > > -->
> > > > > > > <!--
> > > > > > > we'll use "default" security realm by default to configure
> > > jaas/properties authentication
> > > > > > > (io.undertow.security.idm.IdentityManager):
> > > > > > > - w:jaas -
> > >
> org.ops4j.pax.web.service.undertow.internal.security.JaasIdentityManager
> > > > > > > - w:properties -
> > >
> org.ops4j.pax.web.service.undertow.internal.security.PropertiesIdentityManager
> > > > > > > -->
> > > > > > > <security-realm name="default">
> > > > > > > <w:authentication>
> > > > > > > <!-- JaasIdentityManager for given realm -->
> > > > > > > <w:jaas name="karaf" />
> > > > > > > <!-- OR PropertiesIdentityManager (mutually exclusive with
> > > <w:jaas>) -->
> > > > > > > <!--<w:properties path="users.properties" />-->
> > > > > > > </w:authentication>
> > > > > > >
> > >
> <user-principal-class-name>org.apache.karaf.jaas.boot.principal.UserPrincipal</user-principal-class-name>
> > > > > > >
> > >
> <role-principal-class-name>org.apache.karaf.jaas.boot.principal.RolePrincipal</role-principal-class-name>
> > > > > > >
> <!--<role-principal-class-name>...</role-principal-class-name>-->
> > > > > > > </security-realm>
> > > > > > > <!--
> > > > > > > Any security realm may be referenced by https-listener to
> define
> > > trust/keystore, protocols and cipher suites
> > > > > > > -->
> > > > > > > <security-realm name="https">
> > > > > > > <w:server-identities>
> > > > > > > <w:ssl>
> > > > > > > <!-- sun.security.ssl.ProtocolVersion -->
> > > > > > > <!-- sun.security.ssl.CipherSuite -->
> > > > > > > <!-- openssl ciphers 'ALL:eNULL' | sed -e 's/:/\n/g' | sort -->
> > > > > > > <w:engine
> > > > > > > enabled-cipher-suites="TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA384
> > > TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA384"
> > > > > > > enabled-protocols="TLSv1 TLSv1.1 TLSv1.2" />
> > > > > > > <w:keystore path="${karaf.etc}/server.p12" provider="PKCS12"
> > > alias="server"
> > > > > > > keystore-password="password" key-password="password"
> > > > > > > generate-self-signed-certificate-host="localhost" />
> > > > > > > </w:ssl>
> > > > > > > </w:server-identities>
> > > > > > > <w:authentication>
> > > > > > > <w:jaas name="karaf" />
> > > > > > > <w:truststore path="${karaf.etc}/truststore.jks" provider="JKS"
> > > keystore-password="password" />
> > > > > > > </w:authentication>
> > > > > > >
> > >
> <user-principal-class-name>org.apache.karaf.jaas.boot.principal.UserPrincipal</user-principal-class-name>
> > > > > > >
> > >
> <role-principal-class-name>org.apache.karaf.jaas.boot.principal.RolePrincipal</role-principal-class-name>
> > > > > > > </security-realm>
> > > > > > >
> > > > > > > <!-- Interface lists IP addresses to bind to -->
> > > > > > > <interface name="default">
> > > > > > > <w:inet-address value="0.0.0.0" />
> > > > > > > <!--<w:inet-address value="127.0.0.1" />-->
> > > > > > > </interface>
> > > > > > > <interface name="secure">
> > > > > > > <w:inet-address value="127.0.0.1" />
> > > > > > > </interface>
> > > > > > >
> > > > > > > <!-- Socket Binding adds port for each IP from referenced
> > > Interface -->
> > > > > > > <socket-binding name="http" interface="default"
> > > port="${org.osgi.service.http.port}" />
> > > > > > > <socket-binding name="https" interface="secure"
> > > port="${org.osgi.service.http.port.secure}" />
> > > > > > >
> > > > > > > </undertow>
> > >
>
>
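
The two configuration checks from this thread (no active plaintext http-listener with org.osgi.service.http.enabled=false, and enabled-protocols that agree with enabled-cipher-suites), as an added Python example that is not part of any message here or of Pax Web. The function names, finding codes and the trimmed sample config are constructed for illustration; the suite-to-protocol rule is the general TLS one (suites with a SHA-256/SHA-384 or AEAD construction exist only in TLS 1.2, names without _WITH_ only in TLS 1.3), and the .cfg defaults in the code are assumptions.

```python
"""Lint Pax Web undertow.xml and org.ops4j.pax.web.cfg for an HTTPS-only setup."""
import xml.etree.ElementTree as ET

NS = {
    "ut": "urn:jboss:domain:undertow:4.0",  # <subsystem>, <http-listener>
    "w": "urn:jboss:domain:5.0",            # <w:engine>
}
PRE_TLS12 = {"SSLv3", "TLSv1", "TLSv1.1"}


def protocols_for_suite(suite):
    """TLS versions in which a JSSE-style cipher suite name can be negotiated."""
    if "_WITH_" not in suite:               # e.g. TLS_AES_256_GCM_SHA384
        return {"TLSv1.3"}
    if suite.endswith(("_SHA256", "_SHA384")) or "_CCM" in suite:
        return {"TLSv1.2"}                  # SHA-2 MAC and AEAD suites: TLS 1.2 only
    return PRE_TLS12 | {"TLSv1.2"}          # older suites with a SHA-1 or MD5 MAC


def lint_engine(protocols, suites):
    """Cross-check one <w:engine>: every protocol needs a suite and vice versa."""
    if not suites:                          # attribute absent: JVM defaults apply
        return []
    findings = []
    for proto in protocols:
        if not any(proto in protocols_for_suite(s) for s in suites):
            findings.append(("protocol-without-suite", proto))
    for suite in suites:
        if not protocols_for_suite(suite) & set(protocols):
            findings.append(("suite-without-protocol", suite))
    return findings


def lint_undertow(xml_text):
    """Return (code, detail) findings for an undertow.xml document."""
    root = ET.fromstring(xml_text)          # XML comments are dropped by the parser
    findings = [("plaintext-listener", listener.get("name"))
                for listener in root.iterfind(".//ut:http-listener", NS)]
    for engine in root.iterfind(".//w:engine", NS):
        findings += lint_engine(
            (engine.get("enabled-protocols") or "").split(),
            (engine.get("enabled-cipher-suites") or "").split())
    return findings


def lint_pax_web_cfg(cfg_text):
    """Check the org.ops4j.pax.web PID for HTTPS-only operation."""
    props = {}
    for line in cfg_text.splitlines():
        line = line.strip()
        if line and not line.startswith("#") and "=" in line:
            key, value = line.split("=", 1)
            props[key.strip()] = value.strip()
    findings = []
    # Assumed defaults when a key is missing: HTTP on, HTTPS off.
    if props.get("org.osgi.service.http.enabled", "true").lower() != "false":
        findings.append(("http-enabled", "org.osgi.service.http.enabled"))
    if props.get("org.osgi.service.http.secure.enabled", "false").lower() != "true":
        findings.append(("https-not-enabled", "org.osgi.service.http.secure.enabled"))
    return findings


# Constructed sample: the thread's undertow.xml trimmed to the elements checked.
TEMPLATE = """
<undertow xmlns="urn:org.ops4j.pax.web:undertow:1.0" xmlns:w="urn:jboss:domain:5.0">
  <subsystem xmlns="urn:jboss:domain:undertow:4.0">
    <server name="default-server">
      {listener}
      <https-listener name="https" socket-binding="https"
                      security-realm="https" verify-client="NOT_REQUESTED" />
    </server>
  </subsystem>
  <security-realm name="https">
    <w:server-identities>
      <w:ssl>
        <w:engine {suites} enabled-protocols="TLSv1 TLSv1.1 TLSv1.2" />
      </w:ssl>
    </w:server-identities>
  </security-realm>
</undertow>
"""
HTTP_LISTENER = '<http-listener name="http" socket-binding="http" />'
SUITES = ('enabled-cipher-suites="TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA384 '
          'TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA384"')

# As first posted: plaintext listener active, explicit cipher suite list.
ORIGINAL_XML = TEMPLATE.format(listener=HTTP_LISTENER, suites=SUITES)
# After both changes from the thread: listener commented out, suite list removed.
FIXED_XML = TEMPLATE.format(listener="<!-- " + HTTP_LISTENER + " -->", suites="")

# Constructed sample: the relevant lines of the thread's org.ops4j.pax.web.cfg.
THREAD_CFG = """
org.osgi.service.http.enabled=false
org.osgi.service.http.secure.enabled=true
org.osgi.service.http.port.secure=8443
org.apache.karaf.features.configKey = org.ops4j.pax.web
"""

if __name__ == "__main__":
    for label, doc in (("original", ORIGINAL_XML), ("fixed", FIXED_XML)):
        print(label, lint_undertow(doc))
    print("cfg", lint_pax_web_cfg(THREAD_CFG))
```

On the originally posted settings the check reports TLSv1 and TLSv1.1 as enabled protocols that neither listed suite can serve, so that listener can only complete a handshake on TLS 1.2 with one of the two CBC suites.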

Re: HTTPS with Karaf 4.2.9 and underpinning undertow web server

Posted by Gerald Kallas <ca...@mailbox.org>.
Thanks Grzegorz.

Yes, I found the same in between and changed the undertow.xml. Finally it works and undertow pax web seems a bit more flexible than jetty. Would it be a further part of Pax Web 8 and Karaf as well?

Best
- Gerald

> Grzegorz Grzybek <gr...@gmail.com> wrote on 03.09.2020 08:29:
> 
>  
> Hello
> 
> Sorry for late response (holidays!), but I tried your example with tiny
> (not relevant) details.
> 
> I used Karaf 4.2.9, but Camel 2.23.2. So I used
> "org.apache.camel.component.servlet.osgi.OsgiServletRegisterer" instead of
> "org.apache.camel.component.osgi.OsgiServletRegisterer", but no more
> changes to blueprint.xml or etc/org.ops4j.pax.web.cfg.
> 
> However, I had ONE problem with TLS connection:
> 
> $ curl -k -v https://localhost:8443/camel/services/hello1
> *   Trying ::1:8443...
> * Connected to localhost (::1) port 8443 (#0)
> * ALPN, offering h2
> * ALPN, offering http/1.1
> * successfully set certificate verify locations:
> *   CAfile: /etc/pki/tls/certs/ca-bundle.crt
>   CApath: none
> * TLSv1.3 (OUT), TLS handshake, Client hello (1):
> * OpenSSL SSL_connect: SSL_ERROR_SYSCALL in connection to localhost:8443
> * Closing connection 0
> curl: (35) OpenSSL SSL_connect: SSL_ERROR_SYSCALL in connection to
> localhost:8443
> 
> I think (and I'll review it at some point in Pax Web itself) it's the
> mismatch between "enabled-protocols" and "enabled-cipher-suites" in
> undertow.xml. Please remove:
> 
> enabled-cipher-suites="TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA384
> TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA384"
> 
> and it should work (note that change to undertow.xml WON'T automatically
> restart relevant bundles).
> 
> $ curl -k -v https://localhost:8443/camel/services/hello1
> *   Trying ::1:8443...
> * Connected to localhost (::1) port 8443 (#0)
> * ALPN, offering h2
> * ALPN, offering http/1.1
> * successfully set certificate verify locations:
> *   CAfile: /etc/pki/tls/certs/ca-bundle.crt
>   CApath: none
> * TLSv1.3 (OUT), TLS handshake, Client hello (1):
> * TLSv1.3 (IN), TLS handshake, Server hello (2):
> * TLSv1.2 (IN), TLS handshake, Certificate (11):
> * TLSv1.2 (IN), TLS handshake, Server key exchange (12):
> * TLSv1.2 (IN), TLS handshake, Server finished (14):
> * TLSv1.2 (OUT), TLS handshake, Client key exchange (16):
> * TLSv1.2 (OUT), TLS change cipher, Change cipher spec (1):
> * TLSv1.2 (OUT), TLS handshake, Finished (20):
> * TLSv1.2 (IN), TLS handshake, Finished (20):
> * SSL connection using TLSv1.2 / ECDHE-RSA-AES256-GCM-SHA384
> * ALPN, server did not agree to a protocol
> * Server certificate:
> *  subject: C=PL; ST=Dolny Śląsk; L=Wrocław; O=Red Hat; CN=localhost;
> emailAddress=ggrzybek@redhat.com
> *  start date: Aug 17 11:14:46 2017 GMT
> *  expire date: Aug 17 11:14:46 2027 GMT
> *  issuer: C=PL; ST=Dolny Śląsk; L=Wrocław; O=Red Hat; CN=everfree-ca;
> emailAddress=ggrzybek@redhat.com
> *  SSL certificate verify result: unable to get local issuer certificate
> (20), continuing anyway.
> > GET /camel/services/hello1 HTTP/1.1
> > Host: localhost:8443
> > User-Agent: curl/7.69.1
> > Accept: */*
> >
> * Mark bundle as not supporting multiuse
> < HTTP/1.1 200 OK
> < Accept: */*
> < Connection: keep-alive
> < X-Powered-By: Pax-HTTP-Undertow/7.2.16
> < breadcrumbId: ID-everfree-forest-1599112295273-1-1
> < Server: Pax-HTTP-Undertow
> < Transfer-Encoding: chunked
> < User-Agent: curl/7.69.1
> < Date: Thu, 03 Sep 2020 05:59:31 GMT
> <
> * Connection #0 to host localhost left intact
> Hello 1
> 
> kind regards
> Grzegorz Grzybek
> 
> On Fri, 7 Aug 2020 at 11:53, Gerald Kallas <ca...@mailbox.org> wrote:
> 
> > Hi,
> >
> > I tried this out but it doesn't work properly. (keystore and truststore are
> > the same as with jetty setup, they're valid).
> >
> > See below my configuration and the log. The HTTPS listener starts but
> > neither the webconsole nor the servlet works.
> >
> > On client side I'm getting
> >
> > Error: Client network socket disconnected before secure TLS connection was
> > established
> >
> >
> > undertow.xml
> >
> > <?xml version="1.0" encoding="UTF-8"?>
> > <!--
> >    Licensed under the Apache License, Version 2.0 (the "License");
> >    you may not use this file except in compliance with the License.
> >    You may obtain a copy of the License at
> >
> >    http://www.apache.org/licenses/LICENSE-2.0
> >
> >    Unless required by applicable law or agreed to in writing, software
> >    distributed under the License is distributed on an "AS IS" BASIS,
> >    WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or
> >    implied.
> >
> >    See the License for the specific language governing permissions and
> >    limitations under the License.
> > -->
> > <undertow xmlns="urn:org.ops4j.pax.web:undertow:1.0"
> >         xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
> >         xmlns:w="urn:jboss:domain:5.0"
> >         xmlns:io="urn:jboss:domain:io:3.0"
> >         xsi:schemaLocation="
> >             urn:jboss:domain:io:3.0
> > http://www.jboss.org/schema/jbossas/wildfly-io_3_0.xsd
> >             urn:jboss:domain:undertow:4.0
> > http://www.jboss.org/schema/jbossas/wildfly-undertow_4_0.xsd
> >             urn:jboss:domain:5.0
> > http://www.jboss.org/schema/jbossas/wildfly-config_5_0.xsd">
> >
> >     <!--
> >         Only "default" worker and buffer-pool are supported and can be
> > used to override the default values
> >         used by all listeners
> >
> >         buffer-pool:
> >          - buffer-size defaults to:
> >             - when < 64MB of Xmx: 512
> >             - when < 128MB of Xmx: 1024
> >             - when >= 128MB of Xmx: 16K - 20
> >          - direct-buffers defaults to:
> >             - when < 64MB of Xmx: false
> >             - when >= 64MB of Xmx: true
> >
> >         worker:
> >          - io-threads defaults to
> > Math.max(Runtime.getRuntime().availableProcessors(), 2);
> >          - task-core-threads and task-max-threads default to io-threads * 8
> >     -->
> >     <!--
> >     <subsystem xmlns="urn:jboss:domain:io:3.0">
> >         <buffer-pool name="default" buffer-size="16364"
> > direct-buffers="true" />
> >         <worker name="default" io-threads="8" task-core-threads="64"
> > task-max-threads="64" />
> >     </subsystem>
> >     -->
> >
> >     <!--
> > https://docs.jboss.org/author/display/WFLY/Undertow+subsystem+configuration
> > -->
> >     <subsystem xmlns="urn:jboss:domain:undertow:4.0">
> >         <!-- org.wildfly.extension.undertow.BufferCacheDefinition -->
> >         <buffer-cache name="default" buffer-size="1024"
> > buffers-per-region="1024" max-regions="10" />
> >         <server name="default-server">
> >             <!-- HTTP(S) Listener references Socket Binding (and
> > indirectly - Interfaces) -->
> >             <!-- verify-client: org.xnio.SslClientAuthMode.NOT_REQUESTED,
> > org.xnio.SslClientAuthMode.REQUESTED, org.xnio.SslClientAuthMode.REQUIRED
> > -->
> >             <https-listener name="https" socket-binding="https"
> >                     security-realm="https" verify-client="NOT_REQUESTED" />
> >             <host name="default-host" alias="localhost">
> >                 <!--<location name="/" handler="welcome-content" />-->
> >                 <!--<location name="/docs" handler="docs-content" />-->
> >                 <access-log directory="${karaf.data}/log" pattern="common"
> > prefix="access_log." suffix="log" rotate="true" />
> >                 <filter-ref name="server-header" />
> >                 <filter-ref name="x-powered-by-header" />
> >             </host>
> >         </server>
> >         <servlet-container name="default">
> >             <jsp-config />
> >             <websockets />
> >             <welcome-files>
> >                 <welcome-file name="index.html" />
> >                 <welcome-file name="index.txt" />
> >             </welcome-files>
> >         </servlet-container>
> >         <handlers>
> >             <file name="welcome-content" path="${karaf.home}/welcome" />
> >             <!--<file name="docs-content" path="${karaf.home}/docs" />-->
> >         </handlers>
> >         <filters>
> >             <!-- filters for reference from /host/filter-ref and
> > /host/location/filter-ref -->
> >             <response-header name="server-header" header-name="Server"
> > header-value="Pax-HTTP-Undertow" />
> >             <response-header name="x-powered-by-header"
> > header-name="X-Powered-By" header-value="Pax-HTTP-Undertow/7.2.16" />
> >         </filters>
> >     </subsystem>
> >
> >     <!-- https://docs.jboss.org/author/display/WFLY/Security+Realms -->
> >     <!--
> >         we'll use "default" security realm by default to configure
> > jaas/properties authentication
> >         (io.undertow.security.idm.IdentityManager):
> >          - w:jaas -
> > org.ops4j.pax.web.service.undertow.internal.security.JaasIdentityManager
> >          - w:properties -
> > org.ops4j.pax.web.service.undertow.internal.security.PropertiesIdentityManager
> >     -->
> >     <security-realm name="default">
> >         <w:authentication>
> >             <!-- JaasIdentityManager for given realm -->
> >             <w:jaas name="karaf" />
> >             <!-- OR PropertiesIdentityManager (mutually exclusive with
> > <w:jaas>) -->
> >             <!--<w:properties path="users.properties" />-->
> >         </w:authentication>
> >
> > <user-principal-class-name>org.apache.karaf.jaas.boot.principal.UserPrincipal</user-principal-class-name>
> >
> > <role-principal-class-name>org.apache.karaf.jaas.boot.principal.RolePrincipal</role-principal-class-name>
> >         <!--<role-principal-class-name>...</role-principal-class-name>-->
> >     </security-realm>
> >     <!--
> >         Any security realm may be referenced by https-listener to define
> > trust/keystore, protocols and cipher suites
> >     -->
> >     <security-realm name="https">
> >         <w:server-identities>
> >             <w:ssl>
> >                 <!-- sun.security.ssl.ProtocolVersion -->
> >                 <!-- sun.security.ssl.CipherSuite -->
> >                 <!-- openssl ciphers 'ALL:eNULL' | sed -e 's/:/\n/g' |
> > sort -->
> >                 <w:engine
> >
> > enabled-cipher-suites="TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA384
> > TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA384"
> >                         enabled-protocols="TLSv1 TLSv1.1 TLSv1.2" />
> >                 <w:keystore path="${karaf.etc}/server.p12"
> > provider="PKCS12" alias="server"
> >                         keystore-password="password"
> > key-password="password"
> >                         generate-self-signed-certificate-host="localhost"
> > />
> >             </w:ssl>
> >         </w:server-identities>
> >         <w:authentication>
> >             <w:jaas name="karaf" />
> >             <w:truststore path="${karaf.etc}/truststore.jks"
> > provider="JKS" keystore-password="password" />
> >         </w:authentication>
> >
> > <user-principal-class-name>org.apache.karaf.jaas.boot.principal.UserPrincipal</user-principal-class-name>
> >
> > <role-principal-class-name>org.apache.karaf.jaas.boot.principal.RolePrincipal</role-principal-class-name>
> >     </security-realm>
> >
> >     <!-- Interface lists IP addresses to bind to -->
> >     <interface name="secure">
> >         <w:inet-address value="0.0.0.0" />
> >     </interface>
> >
> >     <!-- Socket Binding adds port for each IP from referenced Interface -->
> >     <socket-binding name="https" interface="secure"
> > port="${org.osgi.service.http.port.secure}" />
> >
> > </undertow>
> >
> >
> > org.ops4j.pax.web.cfg
> >
> >
> > org.osgi.service.http.enabled=false
> >
> > org.osgi.service.http.secure.enabled=true
> > org.osgi.service.http.port.secure=8443
> >
> > javax.servlet.context.tempdir=${karaf.data}/pax-web-jsp
> > #org.ops4j.pax.web.config.file=${karaf.etc}/undertow.properties
> > org.ops4j.pax.web.config.file=${karaf.etc}/undertow.xml
> > org.apache.karaf.features.configKey = org.ops4j.pax.web
> >
> >
> > servlet (hello1.xml)
> >
> > <blueprint xmlns="http://www.osgi.org/xmlns/blueprint/v1.0.0"
> >            xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
> >            xsi:schemaLocation="http://www.osgi.org/xmlns/blueprint/v1.0.0
> >            https://www.osgi.org/xmlns/blueprint/v1.0.0/blueprint.xsd">
> >
> >         <reference id="httpService"
> > interface="org.osgi.service.http.HttpService" />
> >
> >         <bean id="camelServlet"
> > class="org.apache.camel.component.servlet.CamelHttpTransportServlet"/>
> >
> >         <bean class="org.apache.camel.component.osgi.OsgiServletRegisterer"
> >          init-method="register"
> >          destroy-method="unregister">
> >                 <property name="servletName" value="httpServlet" />
> >                 <property name="alias" value="/camel/services" />
> >                 <property name="httpService" ref="httpService" />
> >                 <property name="servlet" ref="camelServlet" />
> >         </bean>
> >
> >         <bean id="servlet"
> > class="org.apache.camel.component.servlet.ServletComponent" />
> >
> >         <camelContext xmlns="http://camel.apache.org/schema/blueprint">
> >                 <route>
> >                         <from
> > uri="servlet://hello1?servletName=httpServlet" />
> >                         <setBody>
> >                                 <constant>Hello 1</constant>
> >                         </setBody>
> >                 </route>
> >         </camelContext>
> >
> > </blueprint>
> >
> >
> > log excerpt
> >
> > 2020-08-07T11:47:29,596 | INFO  | paxweb-config-1-thread-1 |
> > ServerControllerImpl             | 63 - org.ops4j.pax.web.pax-web-undertow
> > - 7.2.16 | Using
> > "file:/E:/apache-karaf/apache-karaf-4.2.9/etc/undertow.xml" to configure
> > Undertow
> > 2020-08-07T11:47:29,848 | INFO  | paxweb-config-1-thread-1 |
> > ServerControllerImpl             | 63 - org.ops4j.pax.web.pax-web-undertow
> > - 7.2.16 | Starting undertow https listener on 0.0.0.0:8443
> > 2020-08-07T11:47:29,985 | INFO  | FelixStartLevel  |
> > BlueprintContainerImpl           | 69 - org.apache.aries.blueprint.core -
> > 1.10.2 | Blueprint bundle hello1.xml/0.0.0 is waiting for dependencies
> > [(objectClass=org.osgi.service.http.HttpService)]
> > 2020-08-07T11:47:29,987 | INFO  | activator-1-thread-2 |
> > BouncyCastleSecurityProviderRegistrar | 38 - org.apache.sshd.core - 1.7.0 |
> > getOrCreateProvider(BC) created instance of
> > org.bouncycastle.jce.provider.BouncyCastleProvider
> > 2020-08-07T11:47:30,286 | INFO  | activator-1-thread-2 | CommandExtension
> >                | 34 - org.apache.karaf.shell.core - 4.2.9 | Registering
> > commands for bundle org.apache.karaf.features.command/4.2.9
> > 2020-08-07T11:47:30,446 | INFO  | activator-1-thread-3 | CommandExtension
> >                | 34 - org.apache.karaf.shell.core - 4.2.9 | Registering
> > commands for bundle org.apache.karaf.kar.core/4.2.9
> > 2020-08-07T11:47:30,487 | INFO  | activator-1-thread-2 | Activator
> >                 | 18 - org.apache.karaf.deployer.features - 4.2.9 |
> > Deployment finished. Registering FeatureDeploymentListener
> > 2020-08-07T11:47:30,543 | INFO  | activator-1-thread-2 | FeaturesPlugin
> >                | 140 - org.apache.karaf.webconsole.features - 4.2.9 |
> > Features plugin deactivated
> > 2020-08-07T11:47:30,544 | INFO  | activator-1-thread-2 | FeaturesPlugin
> >                | 140 - org.apache.karaf.webconsole.features - 4.2.9 |
> > Features plugin activated
> > 2020-08-07T11:47:30,839 | INFO  | paxweb-config-1-thread-1 |
> > ServerControllerImpl             | 63 - org.ops4j.pax.web.pax-web-undertow
> > - 7.2.16 | Using in-memory session persistence
> > 2020-08-07T11:47:30,864 | INFO  | paxweb-config-1-thread-1 |
> > HttpServiceFactoryImpl           | 61 - org.ops4j.pax.web.pax-web-runtime -
> > 7.2.16 | Binding bundle: [org.apache.karaf.webconsole.console [139]] to
> > http service
> > 2020-08-07T11:47:31,000 | INFO  | paxweb-config-1-thread-1 | Context
> >                     | 63 - org.ops4j.pax.web.pax-web-undertow - 7.2.16 |
> > registering context DefaultHttpContext
> > [bundle=org.apache.karaf.webconsole.console [139], contextID=custom], with
> > context path: /
> > 2020-08-07T11:47:31,011 | INFO  | paxweb-config-1-thread-1 | Context
> >                     | 63 - org.ops4j.pax.web.pax-web-undertow - 7.2.16 |
> > Starting context /
> > 2020-08-07T11:47:31,013 | WARN  | paxweb-config-1-thread-1 | PathMatcher
> >                     | 63 - org.ops4j.pax.web.pax-web-undertow - 7.2.16 |
> > Overwriting existing default context
> > io.undertow.server.handlers.PathHandler@382344b0 with a new one
> > org.ops4j.pax.web.service.undertow.internal.Context@8c1553c
> > 2020-08-07T11:47:31,034 | INFO  | paxweb-config-1-thread-1 | Context
> >                     | 63 - org.ops4j.pax.web.pax-web-undertow - 7.2.16 |
> > Adding implicit "default" servlet
> > 2020-08-07T11:47:31,047 | INFO  | paxweb-config-1-thread-1 |
> > ServletContainerInitializerScanner | 60 - org.ops4j.pax.web.pax-web-api -
> > 7.2.16 | will add io.undertow.servlet.sse.ServerSentEventSCI to
> > ServletContainerInitializers
> > 2020-08-07T11:47:31,048 | WARN  | paxweb-config-1-thread-1 |
> > ServletContainerInitializerScanner | 60 - org.ops4j.pax.web.pax-web-api -
> > 7.2.16 | failed to parse and instantiate of
> > javax.servlet.ServletContainerInitializer in classpath
> > 2020-08-07T11:47:31,070 | INFO  | paxweb-config-1-thread-1 | Context
> >                     | 63 - org.ops4j.pax.web.pax-web-undertow - 7.2.16 |
> > Creating undertow servlet deployment for context path /...
> > 2020-08-07T11:47:31,224 | INFO  | paxweb-config-1-thread-1 | Context
> >                     | 63 - org.ops4j.pax.web.pax-web-undertow - 7.2.16 |
> > Creating undertow servlet deployment for context path / - done
> > 2020-08-07T11:47:31,225 | INFO  | paxweb-config-1-thread-1 | Context
> >                     | 63 - org.ops4j.pax.web.pax-web-undertow - 7.2.16 |
> > Registering io.undertow.servlet.spec.ServletContextImpl@e72855b as OSGi
> > service...
> > 2020-08-07T11:47:31,236 | INFO  | paxweb-config-1-thread-1 | Context
> >                     | 63 - org.ops4j.pax.web.pax-web-undertow - 7.2.16 |
> > Registering io.undertow.servlet.spec.ServletContextImpl@e72855b as OSGi
> > service - done
> > 2020-08-07T11:47:31,237 | INFO  | paxweb-config-1-thread-1 | Context
> >                     | 63 - org.ops4j.pax.web.pax-web-undertow - 7.2.16 |
> > Starting Undertow web application for context path /
> > 2020-08-07T11:47:31,271 | INFO  | paxweb-config-1-thread-1 |
> > HttpServiceFactoryImpl           | 61 - org.ops4j.pax.web.pax-web-runtime -
> > 7.2.16 | Binding bundle: [org.apache.karaf.http.core [126]] to http service
> > 2020-08-07T11:47:31,272 | INFO  | paxweb-config-1-thread-1 | Activator
> >                     | 61 - org.ops4j.pax.web.pax-web-runtime - 7.2.16 |
> > Starting server controller
> > org.ops4j.pax.web.service.undertow.internal.ServerControllerImpl
> > 2020-08-07T11:47:31,332 | INFO  | activator-1-thread-2 | CommandExtension
> >                | 34 - org.apache.karaf.shell.core - 4.2.9 | Registering
> > commands for bundle org.apache.karaf.http.core/4.2.9
> > 2020-08-07T11:47:31,436 | INFO  | activator-1-thread-2 | HttpPlugin
> >                | 142 - org.apache.karaf.webconsole.http - 4.2.9 | Http
> > plugin activated
> > 2020-08-07T11:47:31,487 | INFO  | Blueprint Extender: 1 | LRUCacheFactory
> >                 | 108 - org.apache.camel.camel-support - 3.4.2 | Detected
> > and using LRUCacheFactory: camel-caffeine-lrucache
> > 2020-08-07T11:47:31,489 | INFO  | CM Configuration Updater
> > (ManagedServiceFactory Update: factoryPid=[org.ops4j.pax.web.context]) |
> > HttpContextProcessing            | 61 - org.ops4j.pax.web.pax-web-runtime -
> > 7.2.16 | Updated configuration for
> > pid=org.ops4j.pax.web.context.dff8c6e5-f690-4ac6-9268-d87fc0dce06d
> > 2020-08-07T11:47:31,538 | INFO  | paxweb-context-2-thread-1 |
> > HttpContextProcessing            | 61 - org.ops4j.pax.web.pax-web-runtime -
> > 7.2.16 | Found bundle "hello1.xml", scheduling customization of its
> > WebContainer
> > 2020-08-07T11:47:31,539 | INFO  | paxweb-context-2-thread-1 |
> > HttpContextProcessing            | 61 - org.ops4j.pax.web.pax-web-runtime -
> > 7.2.16 | Customizing WebContainer for bundle hello1.xml/0.0.0
> > 2020-08-07T11:47:31,539 | INFO  | paxweb-context-2-thread-1 |
> > HttpServiceFactoryImpl           | 61 - org.ops4j.pax.web.pax-web-runtime -
> > 7.2.16 | Binding bundle: [hello1.xml [134]] to http service
> > 2020-08-07T11:47:31,542 | INFO  | paxweb-context-2-thread-1 |
> > HttpContextProcessing            | 61 - org.ops4j.pax.web.pax-web-runtime -
> > 7.2.16 | Registering login configuration in WebContainer for bundle
> > "hello1.xml": method=BASIC, realm=karaf
> > 2020-08-07T11:47:31,545 | INFO  | paxweb-context-2-thread-1 |
> > HttpContextProcessing            | 61 - org.ops4j.pax.web.pax-web-runtime -
> > 7.2.16 | Registering security mappings in WebContainer for bundle
> > "hello1.xml": SecurityConstraintsMapping{name='constraint.1',
> > url='/camel/services/*', roles=[admin]}
> > 2020-08-07T11:47:31,550 | INFO  | paxweb-context-2-thread-1 | Context
> >                     | 63 - org.ops4j.pax.web.pax-web-undertow - 7.2.16 |
> > registering context DefaultHttpContext [bundle=hello1.xml [134],
> > contextID=default], with context path: /
> > 2020-08-07T11:47:31,555 | INFO  | paxweb-context-2-thread-1 | Context
> >                     | 63 - org.ops4j.pax.web.pax-web-undertow - 7.2.16 |
> > Starting context /
> > 2020-08-07T11:47:31,610 | WARN  | paxweb-context-2-thread-1 | PathMatcher
> >                     | 63 - org.ops4j.pax.web.pax-web-undertow - 7.2.16 |
> > Overwriting existing default context
> > org.ops4j.pax.web.service.undertow.internal.Context@8c1553c with a new
> > one org.ops4j.pax.web.service.undertow.internal.Context@681b959c
> > 2020-08-07T11:47:31,616 | INFO  | paxweb-context-2-thread-1 | Context
> >                     | 63 - org.ops4j.pax.web.pax-web-undertow - 7.2.16 |
> > Adding implicit "default" servlet
> > 2020-08-07T11:47:31,624 | INFO  | paxweb-context-2-thread-1 |
> > ServletContainerInitializerScanner | 60 - org.ops4j.pax.web.pax-web-api -
> > 7.2.16 | will add io.undertow.servlet.sse.ServerSentEventSCI to
> > ServletContainerInitializers
> > 2020-08-07T11:47:31,686 | INFO  | paxweb-context-2-thread-1 |
> > ServletContainerInitializerScanner | 60 - org.ops4j.pax.web.pax-web-api -
> > 7.2.16 | added ServletContainerInitializer:
> > io.undertow.servlet.sse.ServerSentEventSCI
> > 2020-08-07T11:47:31,697 | INFO  | paxweb-context-2-thread-1 | Context
> >                     | 63 - org.ops4j.pax.web.pax-web-undertow - 7.2.16 |
> > Creating undertow servlet deployment for context path /...
> > 2020-08-07T11:47:31,716 | INFO  | paxweb-context-2-thread-1 | Context
> >                     | 63 - org.ops4j.pax.web.pax-web-undertow - 7.2.16 |
> > Creating undertow servlet deployment for context path / - done
> > 2020-08-07T11:47:31,717 | INFO  | paxweb-context-2-thread-1 | Context
> >                     | 63 - org.ops4j.pax.web.pax-web-undertow - 7.2.16 |
> > Registering io.undertow.servlet.spec.ServletContextImpl@757d3a20 as OSGi
> > service...
> > 2020-08-07T11:47:31,728 | INFO  | paxweb-context-2-thread-1 | Context
> >                     | 63 - org.ops4j.pax.web.pax-web-undertow - 7.2.16 |
> > Registering io.undertow.servlet.spec.ServletContextImpl@757d3a20 as OSGi
> > service - done
> > 2020-08-07T11:47:31,729 | INFO  | paxweb-context-2-thread-1 | Context
> >                     | 63 - org.ops4j.pax.web.pax-web-undertow - 7.2.16 |
> > Starting Undertow web application for context path /
> > 2020-08-07T11:47:32,115 | INFO  | Blueprint Extender: 1 |
> > BlueprintContainerImpl           | 69 - org.apache.aries.blueprint.core -
> > 1.10.2 | Blueprint bundle hello1.xml/0.0.0 has been started
> > 2020-08-07T11:47:32,118 | INFO  | Blueprint Event Dispatcher: 1 |
> > BlueprintCamelContext            | 119 -
> > org.apache.camel.karaf.camel-blueprint - 3.4.2 | Attempting to start
> > CamelContext: camel-1
> > 2020-08-07T11:47:32,165 | INFO  | Blueprint Event Dispatcher: 1 |
> > JmxManagementStrategy            | 98 - org.apache.camel.camel-management -
> > 3.4.2 | JMX is enabled
> > 2020-08-07T11:47:32,418 | INFO  | Blueprint Event Dispatcher: 1 |
> > AbstractCamelContext             | 76 - org.apache.camel.camel-base - 3.4.2
> > | Apache Camel 3.4.2 (camel-1) is starting
> > 2020-08-07T11:47:33,264 | INFO  | Blueprint Event Dispatcher: 1 |
> > AbstractCamelContext             | 76 - org.apache.camel.camel-base - 3.4.2
> > | StreamCaching is not in use. If using streams then its recommended to
> > enable stream caching. See more details at
> > http://camel.apache.org/stream-caching.html
> > 2020-08-07T11:47:33,265 | INFO  | Blueprint Event Dispatcher: 1 |
> > AbstractCamelContext             | 76 - org.apache.camel.camel-base - 3.4.2
> > | Using HealthCheck: camel-health
> > 2020-08-07T11:47:33,361 | INFO  | Blueprint Event Dispatcher: 1 |
> > InternalRouteStartupManager      | 76 - org.apache.camel.camel-base - 3.4.2
> > | Route: route1 started and consuming from: servlet:/hello1
> > 2020-08-07T11:47:33,369 | INFO  | Blueprint Event Dispatcher: 1 |
> > AbstractCamelContext             | 76 - org.apache.camel.camel-base - 3.4.2
> > | Total 1 routes, of which 1 are started
> > 2020-08-07T11:47:33,370 | INFO  | Blueprint Event Dispatcher: 1 |
> > AbstractCamelContext             | 76 - org.apache.camel.camel-base - 3.4.2
> > | Apache Camel 3.4.2 (camel-1) started in 0.951 seconds
> >
> >
> > > Grzegorz Grzybek <gr...@gmail.com> wrote on 07.08.2020 11:07:
> > >
> > >
> > > Hello
> > >
> > > In theory (I can't check now), you have to:
> > >
> > > 1. comment out <http-listener name="http" socket-binding="http" />
> > > 2. ensure that org.ops4j.pax.web PID has org.osgi.service.http.enabled = false (so pax-web-undertow won't try to recreate the non-secure listener if it's not available in etc/undertow.xml)
> > >
> > > regards
> > > Grzegorz Grzybek
> > >
> > >
> > > Fri, 7 Aug 2020 at 10:52 Gerald Kallas <ca...@mailbox.org> wrote:
> > > > Thanks, Grzegorz for the explanation.
> > > >
> > > > At the moment I'd be happy to use HTTPS (on 8443) only for all web-related services (web console, servlets) w/ undertow and disable HTTP (on 8181). Could this be reached with the setup I have?
> > > >
> > > > Thanks
> > > > - Gerald
> > > >
> > > > > Grzegorz Grzybek <gr...@gmail.com> wrote on 07.08.2020 10:47:
> > > > >
> > > > >
> > > > > Hello
> > > > >
> > > > > Unfortunately it is not possible to use the internal (managed by Pax Web) servlet runtime selectively - by specifying which listener (or more generally - virtual host) should be used for the servlets created and registered by Camel into HttpService (Pax Web) runtime.
> > > > >
> > > > > pax-web-jetty has partial (legacy, non-standard from the point of view of OSGi CMPN specification) support for virtual hosts where a Whiteboard-registered servlet (or filter, or other "web element") may specify a comma-separated list of virtual host/connector names. But that's only for Jetty.
> > > > >
> > > > > I'm still working on refactoring Pax Web 8 and I plan to have unified "experience" for dealing with separate connectors/virtual hosts across Jetty/Tomcat/Undertow runtimes, but it'll come only in Pax Web 8.
> > > > >
> > > > > regards
> > > > > Grzegorz Grzybek
> > > > >
> > > > >
> > > > > Fri, 7 Aug 2020 at 10:34 Gerald Kallas <ca...@mailbox.org> wrote:
> > > > > > Dear all,
> > > > > >
> > > > > > following the guidance in the ticket
> > > > > >
> > > > > > https://issues.apache.org/jira/browse/KARAF-6772
> > > > > >
> > > > > > I was setting up a vanilla Karaf 4.2.9 with the following features
> > > > > >
> > > > > > feature:repo-add camel 3.4.2
> > > > > > feature:install pax-http-undertow
> > > > > > feature:install camel camel-servlet webconsole
> > > > > >
> > > > > > I wonder how I can bind the webconsole and the servlet consumer in the camel routes to the HTTPS port. See my undertow.xml below. I tried to change the org.ops4j.pax.web.cfg but with no success.
> > > > > >
> > > > > > Any hints are appreciated.
> > > > > >
> > > > > > Thanks
> > > > > > - Gerald
> > > > > >
> > > > > >
> > > > > > <?xml version="1.0" encoding="UTF-8"?>
> > > > > > <!--
> > > > > > Licensed under the Apache License, Version 2.0 (the "License");
> > > > > > you may not use this file except in compliance with the License.
> > > > > > You may obtain a copy of the License at
> > > > > >
> > > > > > http://www.apache.org/licenses/LICENSE-2.0
> > > > > >
> > > > > > Unless required by applicable law or agreed to in writing, software
> > > > > > distributed under the License is distributed on an "AS IS" BASIS,
> > > > > > WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or
> > > > > > implied.
> > > > > >
> > > > > > See the License for the specific language governing permissions and
> > > > > > limitations under the License.
> > > > > > -->
> > > > > > <undertow xmlns="urn:org.ops4j.pax.web:undertow:1.0"
> > > > > > xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
> > > > > > xmlns:w="urn:jboss:domain:5.0"
> > > > > > xmlns:io="urn:jboss:domain:io:3.0"
> > > > > > xsi:schemaLocation="
> > > > > > > urn:jboss:domain:io:3.0 http://www.jboss.org/schema/jbossas/wildfly-io_3_0.xsd
> > > > > > > urn:jboss:domain:undertow:4.0 http://www.jboss.org/schema/jbossas/wildfly-undertow_4_0.xsd
> > > > > > > urn:jboss:domain:5.0 http://www.jboss.org/schema/jbossas/wildfly-config_5_0.xsd">
> > > > > >
> > > > > > <!--
> > > > > > > Only "default" worker and buffer-pool are supported and can be used to override the default values
> > > > > > used by all listeners
> > > > > >
> > > > > > buffer-pool:
> > > > > > - buffer-size defaults to:
> > > > > > - when < 64MB of Xmx: 512
> > > > > > - when < 128MB of Xmx: 1024
> > > > > > - when >= 128MB of Xmx: 16K - 20
> > > > > > - direct-buffers defaults to:
> > > > > > - when < 64MB of Xmx: false
> > > > > > - when >= 64MB of Xmx: true
> > > > > >
> > > > > > worker:
> > > > > > > - io-threads defaults to Math.max(Runtime.getRuntime().availableProcessors(), 2);
> > > > > > > - task-core-threads and task-max-threads default to io-threads * 8
> > > > > > > -->
> > > > > > > <!--
> > > > > > > <subsystem xmlns="urn:jboss:domain:io:3.0">
> > > > > > > <buffer-pool name="default" buffer-size="16364" direct-buffers="true" />
> > > > > > > <worker name="default" io-threads="8" task-core-threads="64" task-max-threads="64" />
> > > > > > </subsystem>
> > > > > > -->
> > > > > >
> > > > > > <!--
> > https://docs.jboss.org/author/display/WFLY/Undertow+subsystem+configuration
> > -->
> > > > > > <subsystem xmlns="urn:jboss:domain:undertow:4.0">
> > > > > > <!-- org.wildfly.extension.undertow.BufferCacheDefinition -->
> > > > > > <buffer-cache name="default" buffer-size="1024"
> > buffers-per-region="1024" max-regions="10" />
> > > > > > <server name="default-server">
> > > > > > <!-- HTTP(S) Listener references Socket Binding (and indirectly -
> > Interfaces) -->
> > > > > > <http-listener name="http" socket-binding="http" />
> > > > > > <!-- verify-client: org.xnio.SslClientAuthMode.NOT_REQUESTED,
> > org.xnio.SslClientAuthMode.REQUESTED, org.xnio.SslClientAuthMode.REQUIRED
> > -->
> > > > > > <https-listener name="https" socket-binding="https"
> > > > > > security-realm="https" verify-client="NOT_REQUESTED" />
> > > > > > <host name="default-host" alias="localhost">
> > > > > > <!--<location name="/" handler="welcome-content" />-->
> > > > > > <!--<location name="/docs" handler="docs-content" />-->
> > > > > > > <access-log directory="${karaf.data}/log" pattern="common" prefix="access_log." suffix="log" rotate="true" />
> > > > > > <filter-ref name="server-header" />
> > > > > > <filter-ref name="x-powered-by-header" />
> > > > > > </host>
> > > > > > </server>
> > > > > > <servlet-container name="default">
> > > > > > <jsp-config />
> > > > > > <websockets />
> > > > > > <welcome-files>
> > > > > > <welcome-file name="index.html" />
> > > > > > <welcome-file name="index.txt" />
> > > > > > </welcome-files>
> > > > > > </servlet-container>
> > > > > > <handlers>
> > > > > > <file name="welcome-content" path="${karaf.home}/welcome" />
> > > > > > <!--<file name="docs-content" path="${karaf.home}/docs" />-->
> > > > > > </handlers>
> > > > > > <filters>
> > > > > > > <!-- filters for reference from /host/filter-ref and /host/location/filter-ref -->
> > > > > > > <response-header name="server-header" header-name="Server" header-value="Pax-HTTP-Undertow" />
> > > > > > > <response-header name="x-powered-by-header" header-name="X-Powered-By" header-value="Pax-HTTP-Undertow/7.2.16" />
> > > > > > </filters>
> > > > > > </subsystem>
> > > > > >
> > > > > > > <!-- https://docs.jboss.org/author/display/WFLY/Security+Realms -->
> > > > > > > <!--
> > > > > > > we'll use "default" security realm by default to configure jaas/properties authentication
> > > > > > > (io.undertow.security.idm.IdentityManager):
> > > > > > > - w:jaas - org.ops4j.pax.web.service.undertow.internal.security.JaasIdentityManager
> > > > > > > - w:properties - org.ops4j.pax.web.service.undertow.internal.security.PropertiesIdentityManager
> > > > > > -->
> > > > > > <security-realm name="default">
> > > > > > <w:authentication>
> > > > > > <!-- JaasIdentityManager for given realm -->
> > > > > > <w:jaas name="karaf" />
> > > > > > > <!-- OR PropertiesIdentityManager (mutually exclusive with <w:jaas>) -->
> > > > > > > <!--<w:properties path="users.properties" />-->
> > > > > > > </w:authentication>
> > > > > > > <user-principal-class-name>org.apache.karaf.jaas.boot.principal.UserPrincipal</user-principal-class-name>
> > > > > > > <role-principal-class-name>org.apache.karaf.jaas.boot.principal.RolePrincipal</role-principal-class-name>
> > > > > > <!--<role-principal-class-name>...</role-principal-class-name>-->
> > > > > > </security-realm>
> > > > > > <!--
> > > > > > > Any security realm may be referenced by https-listener to define trust/keystore, protocols and cipher suites
> > > > > > -->
> > > > > > <security-realm name="https">
> > > > > > <w:server-identities>
> > > > > > <w:ssl>
> > > > > > <!-- sun.security.ssl.ProtocolVersion -->
> > > > > > <!-- sun.security.ssl.CipherSuite -->
> > > > > > <!-- openssl ciphers 'ALL:eNULL' | sed -e 's/:/\n/g' | sort -->
> > > > > > <w:engine
> > > > > > > enabled-cipher-suites="TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA384 TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA384"
> > > > > > > enabled-protocols="TLSv1 TLSv1.1 TLSv1.2" />
> > > > > > > <w:keystore path="${karaf.etc}/server.p12" provider="PKCS12" alias="server"
> > > > > > keystore-password="password" key-password="password"
> > > > > > generate-self-signed-certificate-host="localhost" />
> > > > > > </w:ssl>
> > > > > > </w:server-identities>
> > > > > > <w:authentication>
> > > > > > <w:jaas name="karaf" />
> > > > > > > <w:truststore path="${karaf.etc}/truststore.jks" provider="JKS" keystore-password="password" />
> > > > > > > </w:authentication>
> > > > > > > <user-principal-class-name>org.apache.karaf.jaas.boot.principal.UserPrincipal</user-principal-class-name>
> > > > > > > <role-principal-class-name>org.apache.karaf.jaas.boot.principal.RolePrincipal</role-principal-class-name>
> > > > > > </security-realm>
> > > > > >
> > > > > > <!-- Interface lists IP addresses to bind to -->
> > > > > > <interface name="default">
> > > > > > <w:inet-address value="0.0.0.0" />
> > > > > > <!--<w:inet-address value="127.0.0.1" />-->
> > > > > > </interface>
> > > > > > <interface name="secure">
> > > > > > <w:inet-address value="127.0.0.1" />
> > > > > > </interface>
> > > > > >
> > > > > > > <!-- Socket Binding adds port for each IP from referenced Interface -->
> > > > > > > <socket-binding name="http" interface="default" port="${org.osgi.service.http.port}" />
> > > > > > > <socket-binding name="https" interface="secure" port="${org.osgi.service.http.port.secure}" />
> > > > > >
> > > > > > </undertow>
> >
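
Added example (not part of the thread and not Pax Web code): a small audit of an undertow.xml against the HTTPS-only steps quoted above (no http-listener, org.osgi.service.http.enabled = false), plus the TLS engine settings and the address the https listener ends up bound to. The function names, the finding texts and the list of protocols treated as legacy are assumptions of this example; SAMPLE is a constructed, trimmed copy of the configuration quoted in the thread.

```python
import xml.etree.ElementTree as ET
# Constructed sample: a trimmed copy of the undertow.xml quoted in this thread.
SAMPLE = """<undertow xmlns="urn:org.ops4j.pax.web:undertow:1.0" xmlns:w="urn:jboss:domain:5.0">
 <subsystem xmlns="urn:jboss:domain:undertow:4.0"><server name="default-server">
  <http-listener name="http" socket-binding="http" />
  <https-listener name="https" socket-binding="https" security-realm="https" />
 </server></subsystem>
 <security-realm name="https"><w:server-identities><w:ssl>
  <w:engine enabled-cipher-suites="TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA384 TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA384"
            enabled-protocols="TLSv1 TLSv1.1 TLSv1.2" />
 </w:ssl></w:server-identities></security-realm>
 <interface name="default"><w:inet-address value="0.0.0.0" /></interface>
 <interface name="secure"><w:inet-address value="127.0.0.1" /></interface>
 <socket-binding name="http" interface="default" port="${org.osgi.service.http.port}" />
 <socket-binding name="https" interface="secure" port="${org.osgi.service.http.port.secure}" />
</undertow>"""

def local(el):
    return el.tag.rsplit("}", 1)[-1]  # element name without its {namespace} prefix

def audit(xml_text, pax_web_cfg=""):
    """Return findings for an undertow.xml and the text of etc/org.ops4j.pax.web.cfg."""
    els = {}
    for el in ET.fromstring(xml_text).iter():  # commented-out elements are dropped by the parser
        els.setdefault(local(el), []).append(el)
    cfg = {k.strip(): v.strip() for k, _, v in
           (ln.partition("=") for ln in pax_web_cfg.splitlines() if not ln.lstrip().startswith("#"))}
    out = []
    if els.get("http-listener"):
        out.append("http-listener still present: plain HTTP stays enabled")
    if cfg.get("org.osgi.service.http.enabled") != "false":
        out.append("org.osgi.service.http.enabled is not false in the org.ops4j.pax.web PID")
    for eng in els.get("engine", []):
        # Assumption of this example: these protocol names count as legacy.
        legacy = [p for p in eng.get("enabled-protocols", "").split() if p in ("SSLv3", "TLSv1", "TLSv1.1")]
        if legacy:
            out.append("legacy protocols enabled: " + " ".join(legacy))
        if eng.get("enabled-cipher-suites"):
            out.append("enabled-cipher-suites is pinned; the thread's fix was to remove it")
    # Resolve https-listener -> socket-binding -> interface -> inet-address values.
    ifaces = {i.get("name"): [a.get("value") for a in i if local(a) == "inet-address"]
              for i in els.get("interface", [])}
    binds = {b.get("name"): b.get("interface") for b in els.get("socket-binding", [])}
    for lst in els.get("https-listener", []):
        addrs = ifaces.get(binds.get(lst.get("socket-binding")), [])
        if addrs and all(a.startswith("127.") for a in addrs):
            out.append("HTTPS listener bound to loopback only: " + ", ".join(addrs))
    return out

if __name__ == "__main__":
    print("\n".join(audit(SAMPLE)))
```

With the quoted configuration the last finding matters once HTTP is disabled: the "https" socket binding uses the "secure" interface (127.0.0.1), so the HTTPS port is reachable from the local host only.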