Posted to user@karaf.apache.org by Gerald Kallas <ca...@mailbox.org> on 2020/08/07 08:34:10 UTC

HTTPS with Karaf 4.2.9 and underpinning undertow web server

Dear all,

following the guidance in the ticket

https://issues.apache.org/jira/browse/KARAF-6772

I was setting up a vanilla Karaf 4.2.9 with the following features

feature:repo-add camel 3.4.2
feature:install pax-http-undertow
feature:install camel camel-servlet webconsole

I wonder how I can bind the webconsole and the servlet consumer in the camel routes to the HTTPS port. My undertow.xml is shown below. I tried to change the org.ops4j.pax.web.cfg, but with no success.

Any hints are appreciated.

Thanks
- Gerald


<?xml version="1.0" encoding="UTF-8"?>
<!--
   Licensed under the Apache License, Version 2.0 (the "License");
   you may not use this file except in compliance with the License.
   You may obtain a copy of the License at

   http://www.apache.org/licenses/LICENSE-2.0

   Unless required by applicable law or agreed to in writing, software
   distributed under the License is distributed on an "AS IS" BASIS,
   WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or
   implied.

   See the License for the specific language governing permissions and
   limitations under the License.
-->
<undertow xmlns="urn:org.ops4j.pax.web:undertow:1.0"
        xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
        xmlns:w="urn:jboss:domain:5.0"
        xmlns:io="urn:jboss:domain:io:3.0"
        xsi:schemaLocation="
            urn:jboss:domain:io:3.0 http://www.jboss.org/schema/jbossas/wildfly-io_3_0.xsd
            urn:jboss:domain:undertow:4.0 http://www.jboss.org/schema/jbossas/wildfly-undertow_4_0.xsd
            urn:jboss:domain:5.0 http://www.jboss.org/schema/jbossas/wildfly-config_5_0.xsd">

    <!--
        How the pieces of this file fit together (defensive reading):
         - listener "http" uses socket-binding "http", which uses interface "default" (0.0.0.0):
           plaintext HTTP is offered on every address of the host
         - listener "https" uses socket-binding "https", which uses interface "secure" (127.0.0.1):
           TLS is reachable from the local host only unless that address is changed
         - TLS material and parameters (protocols, cipher suites, keystore, truststore) are held by
           security-realm "https" and referenced from the https-listener via security-realm="https"
         - the xsi:schemaLocation URLs are hints for tooling only; a validator must not fetch them
           on the strength of this file alone
    -->
    <!--
        Only "default" worker and buffer-pool are supported and can be used to override the default values
        used by all listeners

        buffer-pool:
         - buffer-size defaults to:
            - when < 64MB of Xmx: 512
            - when < 128MB of Xmx: 1024
            - when >= 128MB of Xmx: 16K - 20
         - direct-buffers defaults to:
            - when < 64MB of Xmx: false
            - when >= 64MB of Xmx: true

        worker:
         - io-threads defaults to Math.max(Runtime.getRuntime().availableProcessors(), 2);
         - task-core-threads and task-max-threads default to io-threads * 8
    -->
    <!--
    <subsystem xmlns="urn:jboss:domain:io:3.0">
        <buffer-pool name="default" buffer-size="16364" direct-buffers="true" />
        <worker name="default" io-threads="8" task-core-threads="64" task-max-threads="64" />
    </subsystem>
    -->

    <!-- https://docs.jboss.org/author/display/WFLY/Undertow+subsystem+configuration -->
    <subsystem xmlns="urn:jboss:domain:undertow:4.0">
        <!-- org.wildfly.extension.undertow.BufferCacheDefinition -->
        <buffer-cache name="default" buffer-size="1024" buffers-per-region="1024" max-regions="10" />
        <server name="default-server">
            <!-- HTTP(S) Listener references Socket Binding (and indirectly - Interfaces) -->
            <!-- plaintext listener: socket-binding "http" resolves to interface "default", i.e. 0.0.0.0 -->
            <http-listener name="http" socket-binding="http" />
            <!-- verify-client: org.xnio.SslClientAuthMode.NOT_REQUESTED, org.xnio.SslClientAuthMode.REQUESTED, org.xnio.SslClientAuthMode.REQUIRED -->
            <!--
                NOT_REQUESTED: the server does not ask the client for a certificate, so this listener
                performs server-authenticated TLS only (no mutual TLS); user authentication is left to
                the JAAS realm configured in security-realm "https".
            -->
            <https-listener name="https" socket-binding="https"
                    security-realm="https" verify-client="NOT_REQUESTED" />
            <host name="default-host" alias="localhost">
                <!--<location name="/" handler="welcome-content" />-->
                <!--<location name="/docs" handler="docs-content" />-->
                <!-- every request is written to the access log under ${karaf.data}/log; log rotation enabled -->
                <access-log directory="${karaf.data}/log" pattern="common" prefix="access_log." suffix="log" rotate="true" />
                <!-- both filter-refs add product/version response headers; see <filters> below -->
                <filter-ref name="server-header" />
                <filter-ref name="x-powered-by-header" />
            </host>
        </server>
        <servlet-container name="default">
            <jsp-config />
            <websockets />
            <welcome-files>
                <welcome-file name="index.html" />
                <welcome-file name="index.txt" />
            </welcome-files>
        </servlet-container>
        <handlers>
            <file name="welcome-content" path="${karaf.home}/welcome" />
            <!--<file name="docs-content" path="${karaf.home}/docs" />-->
        </handlers>
        <filters>
            <!-- filters for reference from /host/filter-ref and /host/location/filter-ref -->
            <!--
                NOTE(review): these two headers advertise the implementation and its exact version
                (Pax-HTTP-Undertow/7.2.16) to every client. A hardened deployment would remove the
                filter-refs from the host or set a neutral header-value.
            -->
            <response-header name="server-header" header-name="Server" header-value="Pax-HTTP-Undertow" />
            <response-header name="x-powered-by-header" header-name="X-Powered-By" header-value="Pax-HTTP-Undertow/7.2.16" />
        </filters>
    </subsystem>

    <!-- https://docs.jboss.org/author/display/WFLY/Security+Realms -->
    <!--
        we'll use "default" security realm by default to configure jaas/properties authentication
        (io.undertow.security.idm.IdentityManager):
         - w:jaas - org.ops4j.pax.web.service.undertow.internal.security.JaasIdentityManager
         - w:properties - org.ops4j.pax.web.service.undertow.internal.security.PropertiesIdentityManager
    -->
    <security-realm name="default">
        <w:authentication>
            <!-- JaasIdentityManager for given realm -->
            <!-- delegates user authentication to the JAAS realm named "karaf" -->
            <w:jaas name="karaf" />
            <!-- OR PropertiesIdentityManager (mutually exclusive with <w:jaas>) -->
            <!--<w:properties path="users.properties" />-->
        </w:authentication>
        <user-principal-class-name>org.apache.karaf.jaas.boot.principal.UserPrincipal</user-principal-class-name>
        <role-principal-class-name>org.apache.karaf.jaas.boot.principal.RolePrincipal</role-principal-class-name>
        <!--<role-principal-class-name>...</role-principal-class-name>-->
    </security-realm>
    <!--
        Any security realm may be referenced by https-listener to define trust/keystore, protocols and cipher suites
    -->
    <security-realm name="https">
        <w:server-identities>
            <w:ssl>
                <!-- sun.security.ssl.ProtocolVersion -->
                <!-- sun.security.ssl.CipherSuite -->
                <!-- openssl ciphers 'ALL:eNULL' | sed -e 's/:/\n/g' | sort -->
                <!--
                    NOTE(review): TLSv1 and TLSv1.1 are deprecated protocol versions (RFC 8996); a
                    hardened deployment would list TLSv1.2 only (plus TLSv1.3 where the runtime and
                    Pax Web support it, which this file does not show). Both listed cipher suites are
                    CBC-mode suites. A reply in this thread reports the TLS handshake failing with this
                    exact enabled-cipher-suites list and succeeding once the attribute was removed, the
                    negotiated suite then being ECDHE-RSA-AES256-GCM-SHA384 over TLSv1.2.
                -->
                <w:engine
                        enabled-cipher-suites="TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA384 TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA384"
                        enabled-protocols="TLSv1 TLSv1.1 TLSv1.2" />
                <!--
                    NOTE(review): keystore-password and key-password are stored in clear text and use a
                    placeholder-looking value; restrict read access to this file and rotate the
                    passwords together with the keystore. generate-self-signed-certificate-host
                    presumably creates a self-signed certificate for "localhost" when the keystore is
                    absent (confirm against the Pax Web documentation); such a certificate is not
                    trusted by clients and is only suitable for local testing.
                -->
                <w:keystore path="${karaf.etc}/server.p12" provider="PKCS12" alias="server"
                        keystore-password="password" key-password="password"
                        generate-self-signed-certificate-host="localhost" />
            </w:ssl>
        </w:server-identities>
        <w:authentication>
            <w:jaas name="karaf" />
            <!-- truststore on the authentication side; its password is also held in clear text here -->
            <w:truststore path="${karaf.etc}/truststore.jks" provider="JKS" keystore-password="password" />
        </w:authentication>
        <user-principal-class-name>org.apache.karaf.jaas.boot.principal.UserPrincipal</user-principal-class-name>
        <role-principal-class-name>org.apache.karaf.jaas.boot.principal.RolePrincipal</role-principal-class-name>
    </security-realm>

    <!-- Interface lists IP addresses to bind to -->
    <!-- "default" binds all addresses; used by the plaintext socket-binding "http" -->
    <interface name="default">
        <w:inet-address value="0.0.0.0" />
        <!--<w:inet-address value="127.0.0.1" />-->
    </interface>
    <!--
        "secure" binds the loopback address only; used by socket-binding "https". With this value
        the TLS listener is not reachable from other hosts, which is why a remote client cannot
        connect until the address is widened (deliberately, and together with the TLS notes above).
    -->
    <interface name="secure">
        <w:inet-address value="127.0.0.1" />
    </interface>

    <!-- Socket Binding adds port for each IP from referenced Interface -->
    <!--
        Ports are resolved from the ${org.osgi.service.http.port} and ${org.osgi.service.http.port.secure}
        placeholders, presumably supplied by etc/org.ops4j.pax.web.cfg (confirm for this installation).
    -->
    <socket-binding name="http" interface="default" port="${org.osgi.service.http.port}" />
    <socket-binding name="https" interface="secure" port="${org.osgi.service.http.port.secure}" />

</undertow>

Re: HTTPS with Karaf 4.2.9 and underpinning undertow web server

Posted by Grzegorz Grzybek <gr...@gmail.com>.
Hello

czw., 3 wrz 2020 o 09:10 Gerald Kallas <ca...@mailbox.org> napisał(a):

> Thanks Grzegorz.
>
> Yes, I had found the same in the meantime and changed the undertow.xml. Finally
> it works, and undertow pax web seems a bit more flexible than jetty. Will
> it be a further part of Pax Web 8 and Karaf as well?
>

Pax Web 8 will have many improvements (for pax-web-undertow,
io.undertow.Undertow one-size-fits-all class won't be used - I explicitly
create/configure listeners/connectors/buffers almost exactly like Wildfly
does it) and the emphasis is on making the experience similar when using
Jetty, Undertow and Tomcat.

regards
Grzegorz


>
> Best
> - Gerald
>
> > Grzegorz Grzybek <gr...@gmail.com> hat am 03.09.2020 08:29
> geschrieben:
> >
> >
> > Hello
> >
> > Sorry for late response (holidays!), but I tried your example with tiny
> > (not relevant) details.
> >
> > I used Karaf 4.2.9, but Camel 2.23.2. So I used
> > "org.apache.camel.component.servlet.osgi.OsgiServletRegisterer" instead
> of
> > "org.apache.camel.component.osgi.OsgiServletRegisterer", but no more
> > changes to blueprint.xml or etc/org.ops4j.pax.web.cfg.
> >
> > However, I had ONE problem with TLS connection:
> >
> > $ curl -k -v https://localhost:8443/camel/services/hello1
> > *   Trying ::1:8443...
> > * Connected to localhost (::1) port 8443 (#0)
> > * ALPN, offering h2
> > * ALPN, offering http/1.1
> > * successfully set certificate verify locations:
> > *   CAfile: /etc/pki/tls/certs/ca-bundle.crt
> >   CApath: none
> > * TLSv1.3 (OUT), TLS handshake, Client hello (1):
> > * OpenSSL SSL_connect: SSL_ERROR_SYSCALL in connection to localhost:8443
> > * Closing connection 0
> > curl: (35) OpenSSL SSL_connect: SSL_ERROR_SYSCALL in connection to
> > localhost:8443
> >
> > I think (and I'll review it at some point in Pax Web itself) it's the
> > mismatch between "enabled-protocols" and "enabled-cipher-suites" in
> > undertow.xml. Please remove:
> >
> > enabled-cipher-suites="TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA384
> > TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA384"
> >
> > and it should work (note that change to undertow.xml WON'T automatically
> > restart relevant bundles).
> >
> > $ curl -k -v https://localhost:8443/camel/services/hello1
> > *   Trying ::1:8443...
> > * Connected to localhost (::1) port 8443 (#0)
> > * ALPN, offering h2
> > * ALPN, offering http/1.1
> > * successfully set certificate verify locations:
> > *   CAfile: /etc/pki/tls/certs/ca-bundle.crt
> >   CApath: none
> > * TLSv1.3 (OUT), TLS handshake, Client hello (1):
> > * TLSv1.3 (IN), TLS handshake, Server hello (2):
> > * TLSv1.2 (IN), TLS handshake, Certificate (11):
> > * TLSv1.2 (IN), TLS handshake, Server key exchange (12):
> > * TLSv1.2 (IN), TLS handshake, Server finished (14):
> > * TLSv1.2 (OUT), TLS handshake, Client key exchange (16):
> > * TLSv1.2 (OUT), TLS change cipher, Change cipher spec (1):
> > * TLSv1.2 (OUT), TLS handshake, Finished (20):
> > * TLSv1.2 (IN), TLS handshake, Finished (20):
> > * SSL connection using TLSv1.2 / ECDHE-RSA-AES256-GCM-SHA384
> > * ALPN, server did not agree to a protocol
> > * Server certificate:
> > *  subject: C=PL; ST=Dolny Śląsk; L=Wrocław; O=Red Hat; CN=localhost;
> > emailAddress=ggrzybek@redhat.com
> > *  start date: Aug 17 11:14:46 2017 GMT
> > *  expire date: Aug 17 11:14:46 2027 GMT
> > *  issuer: C=PL; ST=Dolny Śląsk; L=Wrocław; O=Red Hat; CN=everfree-ca;
> > emailAddress=ggrzybek@redhat.com
> > *  SSL certificate verify result: unable to get local issuer certificate
> > (20), continuing anyway.
> > > GET /camel/services/hello1 HTTP/1.1
> > > Host: localhost:8443
> > > User-Agent: curl/7.69.1
> > > Accept: */*
> > >
> > * Mark bundle as not supporting multiuse
> > < HTTP/1.1 200 OK
> > < Accept: */*
> > < Connection: keep-alive
> > < X-Powered-By: Pax-HTTP-Undertow/7.2.16
> > < breadcrumbId: ID-everfree-forest-1599112295273-1-1
> > < Server: Pax-HTTP-Undertow
> > < Transfer-Encoding: chunked
> > < User-Agent: curl/7.69.1
> > < Date: Thu, 03 Sep 2020 05:59:31 GMT
> > <
> > * Connection #0 to host localhost left intact
> > Hello 1
> >
> > kind regards
> > Grzegorz Grzybek
> >
> > pt., 7 sie 2020 o 11:53 Gerald Kallas <ca...@mailbox.org> napisał(a):
> >
> > > Hi,
> > >
> > > I tried this out but it doesn't work properly. (keystore and truststore
> are
> > > the same as with the jetty setup, they're valid).
> > >
> > > See below my configuration and the log. The HTTPS listener starts but
> > > neither the webconsole nor the servlet does work.
> > >
> > > On client side I'm getting
> > >
> > > Error: Client network socket disconnected before secure TLS connection
> was
> > > established
> > >
> > >
> > > undertow.xml
> > >
> > > <?xml version="1.0" encoding="UTF-8"?>
> > > <!--
> > >    Licensed under the Apache License, Version 2.0 (the "License");
> > >    you may not use this file except in compliance with the License.
> > >    You may obtain a copy of the License at
> > >
> > >    http://www.apache.org/licenses/LICENSE-2.0
> > >
> > >    Unless required by applicable law or agreed to in writing, software
> > >    distributed under the License is distributed on an "AS IS" BASIS,
> > >    WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or
> > >    implied.
> > >
> > >    See the License for the specific language governing permissions and
> > >    limitations under the License.
> > > -->
> > > <undertow xmlns="urn:org.ops4j.pax.web:undertow:1.0"
> > >         xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
> > >         xmlns:w="urn:jboss:domain:5.0"
> > >         xmlns:io="urn:jboss:domain:io:3.0"
> > >         xsi:schemaLocation="
> > >             urn:jboss:domain:io:3.0
> > > http://www.jboss.org/schema/jbossas/wildfly-io_3_0.xsd
> > >             urn:jboss:domain:undertow:4.0
> > > http://www.jboss.org/schema/jbossas/wildfly-undertow_4_0.xsd
> > >             urn:jboss:domain:5.0
> > > http://www.jboss.org/schema/jbossas/wildfly-config_5_0.xsd">
> > >
> > >     <!--
> > >         Only "default" worker and buffer-pool are supported and can be
> > > used to override the default values
> > >         used by all listeners
> > >
> > >         buffer-pool:
> > >          - buffer-size defaults to:
> > >             - when < 64MB of Xmx: 512
> > >             - when < 128MB of Xmx: 1024
> > >             - when >= 128MB of Xmx: 16K - 20
> > >          - direct-buffers defaults to:
> > >             - when < 64MB of Xmx: false
> > >             - when >= 64MB of Xmx: true
> > >
> > >         worker:
> > >          - io-threads defaults to
> > > Math.max(Runtime.getRuntime().availableProcessors(), 2);
> > >          - task-core-threads and task-max-threads default to
> io-threads * 8
> > >     -->
> > >     <!--
> > >     <subsystem xmlns="urn:jboss:domain:io:3.0">
> > >         <buffer-pool name="default" buffer-size="16364"
> > > direct-buffers="true" />
> > >         <worker name="default" io-threads="8" task-core-threads="64"
> > > task-max-threads="64" />
> > >     </subsystem>
> > >     -->
> > >
> > >     <!--
> > >
> https://docs.jboss.org/author/display/WFLY/Undertow+subsystem+configuration
> > > -->
> > >     <subsystem xmlns="urn:jboss:domain:undertow:4.0">
> > >         <!-- org.wildfly.extension.undertow.BufferCacheDefinition -->
> > >         <buffer-cache name="default" buffer-size="1024"
> > > buffers-per-region="1024" max-regions="10" />
> > >         <server name="default-server">
> > >             <!-- HTTP(S) Listener references Socket Binding (and
> > > indirectly - Interfaces) -->
> > >             <!-- verify-client:
> org.xnio.SslClientAuthMode.NOT_REQUESTED,
> > > org.xnio.SslClientAuthMode.REQUESTED,
> org.xnio.SslClientAuthMode.REQUIRED
> > > -->
> > >             <https-listener name="https" socket-binding="https"
> > >                     security-realm="https"
> verify-client="NOT_REQUESTED" />
> > >             <host name="default-host" alias="localhost">
> > >                 <!--<location name="/" handler="welcome-content" />-->
> > >                 <!--<location name="/docs" handler="docs-content" />-->
> > >                 <access-log directory="${karaf.data}/log"
> pattern="common"
> > > prefix="access_log." suffix="log" rotate="true" />
> > >                 <filter-ref name="server-header" />
> > >                 <filter-ref name="x-powered-by-header" />
> > >             </host>
> > >         </server>
> > >         <servlet-container name="default">
> > >             <jsp-config />
> > >             <websockets />
> > >             <welcome-files>
> > >                 <welcome-file name="index.html" />
> > >                 <welcome-file name="index.txt" />
> > >             </welcome-files>
> > >         </servlet-container>
> > >         <handlers>
> > >             <file name="welcome-content" path="${karaf.home}/welcome"
> />
> > >             <!--<file name="docs-content" path="${karaf.home}/docs"
> />-->
> > >         </handlers>
> > >         <filters>
> > >             <!-- filters for reference from /host/filter-ref and
> > > /host/location/filter-ref -->
> > >             <response-header name="server-header" header-name="Server"
> > > header-value="Pax-HTTP-Undertow" />
> > >             <response-header name="x-powered-by-header"
> > > header-name="X-Powered-By" header-value="Pax-HTTP-Undertow/7.2.16" />
> > >         </filters>
> > >     </subsystem>
> > >
> > >     <!-- https://docs.jboss.org/author/display/WFLY/Security+Realms
> -->
> > >     <!--
> > >         we'll use "default" security realm by default to configure
> > > jaas/properties authentication
> > >         (io.undertow.security.idm.IdentityManager):
> > >          - w:jaas -
> > >
> org.ops4j.pax.web.service.undertow.internal.security.JaasIdentityManager
> > >          - w:properties -
> > >
> org.ops4j.pax.web.service.undertow.internal.security.PropertiesIdentityManager
> > >     -->
> > >     <security-realm name="default">
> > >         <w:authentication>
> > >             <!-- JaasIdentityManager for given realm -->
> > >             <w:jaas name="karaf" />
> > >             <!-- OR PropertiesIdentityManager (mutually exclusive with
> > > <w:jaas>) -->
> > >             <!--<w:properties path="users.properties" />-->
> > >         </w:authentication>
> > >
> > >
> <user-principal-class-name>org.apache.karaf.jaas.boot.principal.UserPrincipal</user-principal-class-name>
> > >
> > >
> <role-principal-class-name>org.apache.karaf.jaas.boot.principal.RolePrincipal</role-principal-class-name>
> > >
>  <!--<role-principal-class-name>...</role-principal-class-name>-->
> > >     </security-realm>
> > >     <!--
> > >         Any security realm may be referenced by https-listener to
> define
> > > trust/keystore, protocols and cipher suites
> > >     -->
> > >     <security-realm name="https">
> > >         <w:server-identities>
> > >             <w:ssl>
> > >                 <!-- sun.security.ssl.ProtocolVersion -->
> > >                 <!-- sun.security.ssl.CipherSuite -->
> > >                 <!-- openssl ciphers 'ALL:eNULL' | sed -e 's/:/\n/g' |
> > > sort -->
> > >                 <w:engine
> > >
> > > enabled-cipher-suites="TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA384
> > > TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA384"
> > >                         enabled-protocols="TLSv1 TLSv1.1 TLSv1.2" />
> > >                 <w:keystore path="${karaf.etc}/server.p12"
> > > provider="PKCS12" alias="server"
> > >                         keystore-password="password"
> > > key-password="password"
> > >
>  generate-self-signed-certificate-host="localhost"
> > > />
> > >             </w:ssl>
> > >         </w:server-identities>
> > >         <w:authentication>
> > >             <w:jaas name="karaf" />
> > >             <w:truststore path="${karaf.etc}/truststore.jks"
> > > provider="JKS" keystore-password="password" />
> > >         </w:authentication>
> > >
> > >
> <user-principal-class-name>org.apache.karaf.jaas.boot.principal.UserPrincipal</user-principal-class-name>
> > >
> > >
> <role-principal-class-name>org.apache.karaf.jaas.boot.principal.RolePrincipal</role-principal-class-name>
> > >     </security-realm>
> > >
> > >     <!-- Interface lists IP addresses to bind to -->
> > >     <interface name="secure">
> > >         <w:inet-address value="0.0.0.0" />
> > >     </interface>
> > >
> > >     <!-- Socket Binding adds port for each IP from referenced
> Interface -->
> > >     <socket-binding name="https" interface="secure"
> > > port="${org.osgi.service.http.port.secure}" />
> > >
> > > </undertow>
> > >
> > >
> > > org.ops4j.pax.web.cfg
> > >
> > >
> > > org.osgi.service.http.enabled=false
> > >
> > > org.osgi.service.http.secure.enabled=true
> > > org.osgi.service.http.port.secure=8443
> > >
> > > javax.servlet.context.tempdir=${karaf.data}/pax-web-jsp
> > > #org.ops4j.pax.web.config.file=${karaf.etc}/undertow.properties
> > > org.ops4j.pax.web.config.file=${karaf.etc}/undertow.xml
> > > org.apache.karaf.features.configKey = org.ops4j.pax.web
> > >
> > >
> > > servlet (hello1.xml)
> > >
> > > <blueprint xmlns="http://www.osgi.org/xmlns/blueprint/v1.0.0"
> > >            xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
> > >            xsi:schemaLocation="
> http://www.osgi.org/xmlns/blueprint/v1.0.0
> > >            https://www.osgi.org/xmlns/blueprint/v1.0.0/blueprint.xsd">
> > >
> > >         <reference id="httpService"
> > > interface="org.osgi.service.http.HttpService" />
> > >
> > >         <bean id="camelServlet"
> > > class="org.apache.camel.component.servlet.CamelHttpTransportServlet"/>
> > >
> > >         <bean
> class="org.apache.camel.component.osgi.OsgiServletRegisterer"
> > >          init-method="register"
> > >          destroy-method="unregister">
> > >                 <property name="servletName" value="httpServlet" />
> > >                 <property name="alias" value="/camel/services" />
> > >                 <property name="httpService" ref="httpService" />
> > >                 <property name="servlet" ref="camelServlet" />
> > >         </bean>
> > >
> > >         <bean id="servlet"
> > > class="org.apache.camel.component.servlet.ServletComponent" />
> > >
> > >         <camelContext xmlns="http://camel.apache.org/schema/blueprint
> ">
> > >                 <route>
> > >                         <from
> > > uri="servlet://hello1?servletName=httpServlet" />
> > >                         <setBody>
> > >                                 <constant>Hello 1</constant>
> > >                         </setBody>
> > >                 </route>
> > >         </camelContext>
> > >
> > > </blueprint>
> > >
> > >
> > > log excerpt
> > >
> > > 2020-08-07T11:47:29,596 | INFO  | paxweb-config-1-thread-1 |
> > > ServerControllerImpl             | 63 -
> org.ops4j.pax.web.pax-web-undertow
> > > - 7.2.16 | Using
> > > "file:/E:/apache-karaf/apache-karaf-4.2.9/etc/undertow.xml" to
> configure
> > > Undertow
> > > 2020-08-07T11:47:29,848 | INFO  | paxweb-config-1-thread-1 |
> > > ServerControllerImpl             | 63 -
> org.ops4j.pax.web.pax-web-undertow
> > > - 7.2.16 | Starting undertow https listener on 0.0.0.0:8443
> > > 2020-08-07T11:47:29,985 | INFO  | FelixStartLevel  |
> > > BlueprintContainerImpl           | 69 -
> org.apache.aries.blueprint.core -
> > > 1.10.2 | Blueprint bundle hello1.xml/0.0.0 is waiting for dependencies
> > > [(objectClass=org.osgi.service.http.HttpService)]
> > > 2020-08-07T11:47:29,987 | INFO  | activator-1-thread-2 |
> > > BouncyCastleSecurityProviderRegistrar | 38 - org.apache.sshd.core -
> 1.7.0 |
> > > getOrCreateProvider(BC) created instance of
> > > org.bouncycastle.jce.provider.BouncyCastleProvider
> > > 2020-08-07T11:47:30,286 | INFO  | activator-1-thread-2 |
> CommandExtension
> > >                | 34 - org.apache.karaf.shell.core - 4.2.9 | Registering
> > > commands for bundle org.apache.karaf.features.command/4.2.9
> > > 2020-08-07T11:47:30,446 | INFO  | activator-1-thread-3 |
> CommandExtension
> > >                | 34 - org.apache.karaf.shell.core - 4.2.9 | Registering
> > > commands for bundle org.apache.karaf.kar.core/4.2.9
> > > 2020-08-07T11:47:30,487 | INFO  | activator-1-thread-2 | Activator
> > >                 | 18 - org.apache.karaf.deployer.features - 4.2.9 |
> > > Deployment finished. Registering FeatureDeploymentListener
> > > 2020-08-07T11:47:30,543 | INFO  | activator-1-thread-2 | FeaturesPlugin
> > >                | 140 - org.apache.karaf.webconsole.features - 4.2.9 |
> > > Features plugin deactivated
> > > 2020-08-07T11:47:30,544 | INFO  | activator-1-thread-2 | FeaturesPlugin
> > >                | 140 - org.apache.karaf.webconsole.features - 4.2.9 |
> > > Features plugin activated
> > > 2020-08-07T11:47:30,839 | INFO  | paxweb-config-1-thread-1 |
> > > ServerControllerImpl             | 63 -
> org.ops4j.pax.web.pax-web-undertow
> > > - 7.2.16 | Using in-memory session persistence
> > > 2020-08-07T11:47:30,864 | INFO  | paxweb-config-1-thread-1 |
> > > HttpServiceFactoryImpl           | 61 -
> org.ops4j.pax.web.pax-web-runtime -
> > > 7.2.16 | Binding bundle: [org.apache.karaf.webconsole.console [139]] to
> > > http service
> > > 2020-08-07T11:47:31,000 | INFO  | paxweb-config-1-thread-1 | Context
> > >                     | 63 - org.ops4j.pax.web.pax-web-undertow - 7.2.16
> |
> > > registering context DefaultHttpContext
> > > [bundle=org.apache.karaf.webconsole.console [139], contextID=custom],
> with
> > > context path: /
> > > 2020-08-07T11:47:31,011 | INFO  | paxweb-config-1-thread-1 | Context
> > >                     | 63 - org.ops4j.pax.web.pax-web-undertow - 7.2.16
> |
> > > Starting context /
> > > 2020-08-07T11:47:31,013 | WARN  | paxweb-config-1-thread-1 |
> PathMatcher
> > >                     | 63 - org.ops4j.pax.web.pax-web-undertow - 7.2.16
> |
> > > Overwriting existing default context
> > > io.undertow.server.handlers.PathHandler@382344b0 with a new one
> > > org.ops4j.pax.web.service.undertow.internal.Context@8c1553c
> > > 2020-08-07T11:47:31,034 | INFO  | paxweb-config-1-thread-1 | Context
> > >                     | 63 - org.ops4j.pax.web.pax-web-undertow - 7.2.16
> |
> > > Adding implicit "default" servlet
> > > 2020-08-07T11:47:31,047 | INFO  | paxweb-config-1-thread-1 |
> > > ServletContainerInitializerScanner | 60 -
> org.ops4j.pax.web.pax-web-api -
> > > 7.2.16 | will add io.undertow.servlet.sse.ServerSentEventSCI to
> > > ServletContainerInitializers
> > > 2020-08-07T11:47:31,048 | WARN  | paxweb-config-1-thread-1 |
> > > ServletContainerInitializerScanner | 60 -
> org.ops4j.pax.web.pax-web-api -
> > > 7.2.16 | failed to parse and instantiate of
> > > javax.servlet.ServletContainerInitializer in classpath
> > > 2020-08-07T11:47:31,070 | INFO  | paxweb-config-1-thread-1 | Context
> > >                     | 63 - org.ops4j.pax.web.pax-web-undertow - 7.2.16
> |
> > > Creating undertow servlet deployment for context path /...
> > > 2020-08-07T11:47:31,224 | INFO  | paxweb-config-1-thread-1 | Context
> > >                     | 63 - org.ops4j.pax.web.pax-web-undertow - 7.2.16
> |
> > > Creating undertow servlet deployment for context path / - done
> > > 2020-08-07T11:47:31,225 | INFO  | paxweb-config-1-thread-1 | Context
> > >                     | 63 - org.ops4j.pax.web.pax-web-undertow - 7.2.16
> |
> > > Registering io.undertow.servlet.spec.ServletContextImpl@e72855b as
> OSGi
> > > service...
> > > 2020-08-07T11:47:31,236 | INFO  | paxweb-config-1-thread-1 | Context
> > >                     | 63 - org.ops4j.pax.web.pax-web-undertow - 7.2.16
> |
> > > Registering io.undertow.servlet.spec.ServletContextImpl@e72855b as
> OSGi
> > > service - done
> > > 2020-08-07T11:47:31,237 | INFO  | paxweb-config-1-thread-1 | Context
> > >                     | 63 - org.ops4j.pax.web.pax-web-undertow - 7.2.16
> |
> > > Starting Undertow web application for context path /
> > > 2020-08-07T11:47:31,271 | INFO  | paxweb-config-1-thread-1 |
> > > HttpServiceFactoryImpl           | 61 -
> org.ops4j.pax.web.pax-web-runtime -
> > > 7.2.16 | Binding bundle: [org.apache.karaf.http.core [126]] to http
> service
> > > 2020-08-07T11:47:31,272 | INFO  | paxweb-config-1-thread-1 | Activator
> > >                     | 61 - org.ops4j.pax.web.pax-web-runtime - 7.2.16 |
> > > Starting server controller
> > > org.ops4j.pax.web.service.undertow.internal.ServerControllerImpl
> > > 2020-08-07T11:47:31,332 | INFO  | activator-1-thread-2 |
> CommandExtension
> > >                | 34 - org.apache.karaf.shell.core - 4.2.9 | Registering
> > > commands for bundle org.apache.karaf.http.core/4.2.9
> > > 2020-08-07T11:47:31,436 | INFO  | activator-1-thread-2 | HttpPlugin
> > >                | 142 - org.apache.karaf.webconsole.http - 4.2.9 | Http
> > > plugin activated
> > > 2020-08-07T11:47:31,487 | INFO  | Blueprint Extender: 1 |
> LRUCacheFactory
> > >                 | 108 - org.apache.camel.camel-support - 3.4.2 |
> Detected
> > > and using LRUCacheFactory: camel-caffeine-lrucache
> > > 2020-08-07T11:47:31,489 | INFO  | CM Configuration Updater
> > > (ManagedServiceFactory Update: factoryPid=[org.ops4j.pax.web.context])
> |
> > > HttpContextProcessing            | 61 -
> org.ops4j.pax.web.pax-web-runtime -
> > > 7.2.16 | Updated configuration for
> > > pid=org.ops4j.pax.web.context.dff8c6e5-f690-4ac6-9268-d87fc0dce06d
> > > 2020-08-07T11:47:31,538 | INFO  | paxweb-context-2-thread-1 |
> > > HttpContextProcessing            | 61 -
> org.ops4j.pax.web.pax-web-runtime -
> > > 7.2.16 | Found bundle "hello1.xml", scheduling customization of its
> > > WebContainer
> > > 2020-08-07T11:47:31,539 | INFO  | paxweb-context-2-thread-1 |
> > > HttpContextProcessing            | 61 -
> org.ops4j.pax.web.pax-web-runtime -
> > > 7.2.16 | Customizing WebContainer for bundle hello1.xml/0.0.0
> > > 2020-08-07T11:47:31,539 | INFO  | paxweb-context-2-thread-1 |
> > > HttpServiceFactoryImpl           | 61 -
> org.ops4j.pax.web.pax-web-runtime -
> > > 7.2.16 | Binding bundle: [hello1.xml [134]] to http service
> > > 2020-08-07T11:47:31,542 | INFO  | paxweb-context-2-thread-1 |
> > > HttpContextProcessing            | 61 -
> org.ops4j.pax.web.pax-web-runtime -
> > > 7.2.16 | Registering login configuration in WebContainer for bundle
> > > "hello1.xml": method=BASIC, realm=karaf
> > > 2020-08-07T11:47:31,545 | INFO  | paxweb-context-2-thread-1 |
> > > HttpContextProcessing            | 61 -
> org.ops4j.pax.web.pax-web-runtime -
> > > 7.2.16 | Registering security mappings in WebContainer for bundle
> > > "hello1.xml": SecurityConstraintsMapping{name='constraint.1',
> > > url='/camel/services/*', roles=[admin]}
> > > 2020-08-07T11:47:31,550 | INFO  | paxweb-context-2-thread-1 | Context
> > >                     | 63 - org.ops4j.pax.web.pax-web-undertow - 7.2.16
> |
> > > registering context DefaultHttpContext [bundle=hello1.xml [134],
> > > contextID=default], with context path: /
> > > 2020-08-07T11:47:31,555 | INFO  | paxweb-context-2-thread-1 | Context
> > >                     | 63 - org.ops4j.pax.web.pax-web-undertow - 7.2.16
> |
> > > Starting context /
> > > 2020-08-07T11:47:31,610 | WARN  | paxweb-context-2-thread-1 |
> PathMatcher
> > >                     | 63 - org.ops4j.pax.web.pax-web-undertow - 7.2.16
> |
> > > Overwriting existing default context
> > > org.ops4j.pax.web.service.undertow.internal.Context@8c1553c with a new
> > > one org.ops4j.pax.web.service.undertow.internal.Context@681b959c
> > > 2020-08-07T11:47:31,616 | INFO  | paxweb-context-2-thread-1 | Context
> > >                     | 63 - org.ops4j.pax.web.pax-web-undertow - 7.2.16
> |
> > > Adding implicit "default" servlet
> > > 2020-08-07T11:47:31,624 | INFO  | paxweb-context-2-thread-1 |
> > > ServletContainerInitializerScanner | 60 -
> org.ops4j.pax.web.pax-web-api -
> > > 7.2.16 | will add io.undertow.servlet.sse.ServerSentEventSCI to
> > > ServletContainerInitializers
> > > 2020-08-07T11:47:31,686 | INFO  | paxweb-context-2-thread-1 |
> > > ServletContainerInitializerScanner | 60 -
> org.ops4j.pax.web.pax-web-api -
> > > 7.2.16 | added ServletContainerInitializer:
> > > io.undertow.servlet.sse.ServerSentEventSCI
> > > 2020-08-07T11:47:31,697 | INFO  | paxweb-context-2-thread-1 | Context
> > >                     | 63 - org.ops4j.pax.web.pax-web-undertow - 7.2.16
> |
> > > Creating undertow servlet deployment for context path /...
> > > 2020-08-07T11:47:31,716 | INFO  | paxweb-context-2-thread-1 | Context
> > >                     | 63 - org.ops4j.pax.web.pax-web-undertow - 7.2.16
> |
> > > Creating undertow servlet deployment for context path / - done
> > > 2020-08-07T11:47:31,717 | INFO  | paxweb-context-2-thread-1 | Context
> > >                     | 63 - org.ops4j.pax.web.pax-web-undertow - 7.2.16
> |
> > > Registering io.undertow.servlet.spec.ServletContextImpl@757d3a20 as
> OSGi
> > > service...
> > > 2020-08-07T11:47:31,728 | INFO  | paxweb-context-2-thread-1 | Context
> > >                     | 63 - org.ops4j.pax.web.pax-web-undertow - 7.2.16
> |
> > > Registering io.undertow.servlet.spec.ServletContextImpl@757d3a20 as
> OSGi
> > > service - done
> > > 2020-08-07T11:47:31,729 | INFO  | paxweb-context-2-thread-1 | Context
> > >                     | 63 - org.ops4j.pax.web.pax-web-undertow - 7.2.16
> |
> > > Starting Undertow web application for context path /
> > > 2020-08-07T11:47:32,115 | INFO  | Blueprint Extender: 1 |
> > > BlueprintContainerImpl           | 69 -
> org.apache.aries.blueprint.core -
> > > 1.10.2 | Blueprint bundle hello1.xml/0.0.0 has been started
> > > 2020-08-07T11:47:32,118 | INFO  | Blueprint Event Dispatcher: 1 |
> > > BlueprintCamelContext            | 119 -
> > > org.apache.camel.karaf.camel-blueprint - 3.4.2 | Attempting to start
> > > CamelContext: camel-1
> > > 2020-08-07T11:47:32,165 | INFO  | Blueprint Event Dispatcher: 1 |
> > > JmxManagementStrategy            | 98 -
> org.apache.camel.camel-management -
> > > 3.4.2 | JMX is enabled
> > > 2020-08-07T11:47:32,418 | INFO  | Blueprint Event Dispatcher: 1 |
> > > AbstractCamelContext             | 76 - org.apache.camel.camel-base -
> 3.4.2
> > > | Apache Camel 3.4.2 (camel-1) is starting
> > > 2020-08-07T11:47:33,264 | INFO  | Blueprint Event Dispatcher: 1 |
> > > AbstractCamelContext             | 76 - org.apache.camel.camel-base -
> 3.4.2
> > > | StreamCaching is not in use. If using streams then its recommended to
> > > enable stream caching. See more details at
> > > http://camel.apache.org/stream-caching.html
> > > 2020-08-07T11:47:33,265 | INFO  | Blueprint Event Dispatcher: 1 |
> > > AbstractCamelContext             | 76 - org.apache.camel.camel-base -
> 3.4.2
> > > | Using HealthCheck: camel-health
> > > 2020-08-07T11:47:33,361 | INFO  | Blueprint Event Dispatcher: 1 |
> > > InternalRouteStartupManager      | 76 - org.apache.camel.camel-base -
> 3.4.2
> > > | Route: route1 started and consuming from: servlet:/hello1
> > > 2020-08-07T11:47:33,369 | INFO  | Blueprint Event Dispatcher: 1 |
> > > AbstractCamelContext             | 76 - org.apache.camel.camel-base -
> 3.4.2
> > > | Total 1 routes, of which 1 are started
> > > 2020-08-07T11:47:33,370 | INFO  | Blueprint Event Dispatcher: 1 |
> > > AbstractCamelContext             | 76 - org.apache.camel.camel-base -
> 3.4.2
> > > | Apache Camel 3.4.2 (camel-1) started in 0.951 seconds
> > >
> > >
> > > > Grzegorz Grzybek <gr...@gmail.com> hat am 07.08.2020 11:07
> > > geschrieben:
> > > >
> > > >
> > > > Hello
> > > >
> > > > In theory (I can't check now), you have to:
> > > >
> > > > 1. comment out <http-listener name="http" socket-binding="http" />
> > > > 2. ensure that org.ops4j.pax.web PID has
> org.osgi.service.http.enabled =
> > > false (so pax-web-undertow won't try to recreate the non-secure
> listener if
> > > it's not available in etc/undertow.xml)
> > > >
> > > > regards
> > > > Grzegorz Grzybek
> > > >
> > > >
> > > > pt., 7 sie 2020 o 10:52 Gerald Kallas <ca...@mailbox.org>
> napisał(a):
> > > > > Thanks, Grzegorz for the explanation.
> > > > >
> > > > > At the moment I'd be happy to use HTTPS (on 8443) only for all web
> > > related services (web console, servlets) w/ undertow and disable HTTP
> (on
> > > 8181). Could this be reached with the setup I have?
> > > > >
> > > > > Thanks
> > > > > - Gerald
> > > > >
> > > > > > Grzegorz Grzybek <gr...@gmail.com> hat am 07.08.2020 10:47
> > > geschrieben:
> > > > > >
> > > > > >
> > > > > > Hello
> > > > > >
> > > > > > Unfortunately it is not possible to use the internal (managed by
> Pax
> > > Web) servlet runtime selectively - by specifying which listener (or
> more
> > > generally - virtual host) should be used for the servlets created and
> > > registered by Camel into HttpService (Pax Web) runtime.
> > > > > >
> > > > > > pax-web-jetty has partial (legacy, non-standard from the point of
> > > view of OSGi CMPN specification) support for virtual hosts where a
> > > Whiteboard-registered servlet (or filter, or other "web element") may
> > > specify a comma-separated list of virtual host/connector names. But
> that's
> > > only for Jetty.
> > > > > >
> > > > > > I'm still working on refactoring Pax Web 8 and I plan to have
> > > unified "experience" for dealing with separate connectors/virtual hosts
> > > across Jetty/Tomcat/Undertow runtimes, but it'll come only in Pax Web
> 8.
> > > > > >
> > > > > > regards
> > > > > > Grzegorz Grzybek
> > > > > >
> > > > > >
> > > > > > pt., 7 sie 2020 o 10:34 Gerald Kallas <ca...@mailbox.org>
> > > napisał(a):
> > > > > > > Dear all,
> > > > > > >
> > > > > > > following the guidance in the ticket
> > > > > > >
> > > > > > > https://issues.apache.org/jira/browse/KARAF-6772
> > > > > > >
> > > > > > > I was setting up a vanilla Karaf 4.2.9 with the following
> features
> > > > > > >
> > > > > > > feature:repo-add camel 3.4.2
> > > > > > > feature:install pax-http-undertow
> > > > > > > feature:install camel camel-servlet webconsole
> > > > > > >
> > > > > > > I wonder how I can bind the webconsole and the servlet
> consumer in
> > > the camel routes to the HTTPS port. My undertow.xml see below. I tried
> to
> > > change the org.ops4j.pax.web.cfg but with no success.
> > > > > > >
> > > > > > > Any hints are appreciated.
> > > > > > >
> > > > > > > Thanks
> > > > > > > - Gerald
> > > > > > >
> > > > > > >
> > > > > > > <?xml version="1.0" encoding="UTF-8"?>
> > > > > > > <!--
> > > > > > > Licensed under the Apache License, Version 2.0 (the "License");
> > > > > > > you may not use this file except in compliance with the
> License.
> > > > > > > You may obtain a copy of the License at
> > > > > > >
> > > > > > > http://www.apache.org/licenses/LICENSE-2.0
> > > > > > >
> > > > > > > Unless required by applicable law or agreed to in writing,
> software
> > > > > > > distributed under the License is distributed on an "AS IS"
> BASIS,
> > > > > > > WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or
> > > > > > > implied.
> > > > > > >
> > > > > > > See the License for the specific language governing
> permissions and
> > > > > > > limitations under the License.
> > > > > > > -->
> > > > > > > <undertow xmlns="urn:org.ops4j.pax.web:undertow:1.0"
> > > > > > > xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
> > > > > > > xmlns:w="urn:jboss:domain:5.0"
> > > > > > > xmlns:io="urn:jboss:domain:io:3.0"
> > > > > > > xsi:schemaLocation="
> > > > > > > urn:jboss:domain:io:3.0
> > > http://www.jboss.org/schema/jbossas/wildfly-io_3_0.xsd
> > > > > > > urn:jboss:domain:undertow:4.0
> > > http://www.jboss.org/schema/jbossas/wildfly-undertow_4_0.xsd
> > > > > > > urn:jboss:domain:5.0
> > > http://www.jboss.org/schema/jbossas/wildfly-config_5_0.xsd">
> > > > > > >
> > > > > > > <!--
> > > > > > > Only "default" worker and buffer-pool are supported and can be
> > > used to override the default values
> > > > > > > used by all listeners
> > > > > > >
> > > > > > > buffer-pool:
> > > > > > > - buffer-size defaults to:
> > > > > > > - when < 64MB of Xmx: 512
> > > > > > > - when < 128MB of Xmx: 1024
> > > > > > > - when >= 128MB of Xmx: 16K - 20
> > > > > > > - direct-buffers defaults to:
> > > > > > > - when < 64MB of Xmx: false
> > > > > > > - when >= 64MB of Xmx: true
> > > > > > >
> > > > > > > worker:
> > > > > > > - io-threads defaults to
> > > Math.max(Runtime.getRuntime().availableProcessors(), 2);
> > > > > > > - task-core-threads and task-max-threads default to io-threads
> * 8
> > > > > > > -->
> > > > > > > <!--
> > > > > > > <subsystem xmlns="urn:jboss:domain:io:3.0">
> > > > > > > <buffer-pool name="default" buffer-size="16364"
> > > direct-buffers="true" />
> > > > > > > <worker name="default" io-threads="8" task-core-threads="64"
> > > task-max-threads="64" />
> > > > > > > </subsystem>
> > > > > > > -->
> > > > > > >
> > > > > > > <!--
> > >
> https://docs.jboss.org/author/display/WFLY/Undertow+subsystem+configuration
> > > -->
> > > > > > > <subsystem xmlns="urn:jboss:domain:undertow:4.0">
> > > > > > > <!-- org.wildfly.extension.undertow.BufferCacheDefinition -->
> > > > > > > <buffer-cache name="default" buffer-size="1024"
> > > buffers-per-region="1024" max-regions="10" />
> > > > > > > <server name="default-server">
> > > > > > > <!-- HTTP(S) Listener references Socket Binding (and
> indirectly -
> > > Interfaces) -->
> > > > > > > <http-listener name="http" socket-binding="http" />
> > > > > > > <!-- verify-client: org.xnio.SslClientAuthMode.NOT_REQUESTED,
> > > org.xnio.SslClientAuthMode.REQUESTED,
> org.xnio.SslClientAuthMode.REQUIRED
> > > -->
> > > > > > > <https-listener name="https" socket-binding="https"
> > > > > > > security-realm="https" verify-client="NOT_REQUESTED" />
> > > > > > > <host name="default-host" alias="localhost">
> > > > > > > <!--<location name="/" handler="welcome-content" />-->
> > > > > > > <!--<location name="/docs" handler="docs-content" />-->
> > > > > > > <access-log directory="${karaf.data}/log" pattern="common"
> > > prefix="access_log." suffix="log" rotate="true" />
> > > > > > > <filter-ref name="server-header" />
> > > > > > > <filter-ref name="x-powered-by-header" />
> > > > > > > </host>
> > > > > > > </server>
> > > > > > > <servlet-container name="default">
> > > > > > > <jsp-config />
> > > > > > > <websockets />
> > > > > > > <welcome-files>
> > > > > > > <welcome-file name="index.html" />
> > > > > > > <welcome-file name="index.txt" />
> > > > > > > </welcome-files>
> > > > > > > </servlet-container>
> > > > > > > <handlers>
> > > > > > > <file name="welcome-content" path="${karaf.home}/welcome" />
> > > > > > > <!--<file name="docs-content" path="${karaf.home}/docs" />-->
> > > > > > > </handlers>
> > > > > > > <filters>
> > > > > > > <!-- filters for reference from /host/filter-ref and
> > > /host/location/filter-ref -->
> > > > > > > <response-header name="server-header" header-name="Server"
> > > header-value="Pax-HTTP-Undertow" />
> > > > > > > <response-header name="x-powered-by-header"
> > > header-name="X-Powered-By" header-value="Pax-HTTP-Undertow/7.2.16" />
> > > > > > > </filters>
> > > > > > > </subsystem>
> > > > > > >
> > > > > > > <!--
> https://docs.jboss.org/author/display/WFLY/Security+Realms
> > > -->
> > > > > > > <!--
> > > > > > > we'll use "default" security realm by default to configure
> > > jaas/properties authentication
> > > > > > > (io.undertow.security.idm.IdentityManager):
> > > > > > > - w:jaas -
> > >
> org.ops4j.pax.web.service.undertow.internal.security.JaasIdentityManager
> > > > > > > - w:properties -
> > >
> org.ops4j.pax.web.service.undertow.internal.security.PropertiesIdentityManager
> > > > > > > -->
> > > > > > > <security-realm name="default">
> > > > > > > <w:authentication>
> > > > > > > <!-- JaasIdentityManager for given realm -->
> > > > > > > <w:jaas name="karaf" />
> > > > > > > <!-- OR PropertiesIdentityManager (mutually exclusive with
> > > <w:jaas>) -->
> > > > > > > <!--<w:properties path="users.properties" />-->
> > > > > > > </w:authentication>
> > > > > > >
> > >
> <user-principal-class-name>org.apache.karaf.jaas.boot.principal.UserPrincipal</user-principal-class-name>
> > > > > > >
> > >
> <role-principal-class-name>org.apache.karaf.jaas.boot.principal.RolePrincipal</role-principal-class-name>
> > > > > > >
> <!--<role-principal-class-name>...</role-principal-class-name>-->
> > > > > > > </security-realm>
> > > > > > > <!--
> > > > > > > Any security realm may be referenced by https-listener to
> define
> > > trust/keystore, protocols and cipher suites
> > > > > > > -->
> > > > > > > <security-realm name="https">
> > > > > > > <w:server-identities>
> > > > > > > <w:ssl>
> > > > > > > <!-- sun.security.ssl.ProtocolVersion -->
> > > > > > > <!-- sun.security.ssl.CipherSuite -->
> > > > > > > <!-- openssl ciphers 'ALL:eNULL' | sed -e 's/:/\n/g' | sort -->
> > > > > > > <w:engine
> > > > > > > enabled-cipher-suites="TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA384
> > > TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA384"
> > > > > > > enabled-protocols="TLSv1 TLSv1.1 TLSv1.2" />
> > > > > > > <w:keystore path="${karaf.etc}/server.p12" provider="PKCS12"
> > > alias="server"
> > > > > > > keystore-password="password" key-password="password"
> > > > > > > generate-self-signed-certificate-host="localhost" />
> > > > > > > </w:ssl>
> > > > > > > </w:server-identities>
> > > > > > > <w:authentication>
> > > > > > > <w:jaas name="karaf" />
> > > > > > > <w:truststore path="${karaf.etc}/truststore.jks" provider="JKS"
> > > keystore-password="password" />
> > > > > > > </w:authentication>
> > > > > > >
> > >
> <user-principal-class-name>org.apache.karaf.jaas.boot.principal.UserPrincipal</user-principal-class-name>
> > > > > > >
> > >
> <role-principal-class-name>org.apache.karaf.jaas.boot.principal.RolePrincipal</role-principal-class-name>
> > > > > > > </security-realm>
> > > > > > >
> > > > > > > <!-- Interface lists IP addresses to bind to -->
> > > > > > > <interface name="default">
> > > > > > > <w:inet-address value="0.0.0.0" />
> > > > > > > <!--<w:inet-address value="127.0.0.1" />-->
> > > > > > > </interface>
> > > > > > > <interface name="secure">
> > > > > > > <w:inet-address value="127.0.0.1" />
> > > > > > > </interface>
> > > > > > >
> > > > > > > <!-- Socket Binding adds port for each IP from referenced
> > > Interface -->
> > > > > > > <socket-binding name="http" interface="default"
> > > port="${org.osgi.service.http.port}" />
> > > > > > > <socket-binding name="https" interface="secure"
> > > port="${org.osgi.service.http.port.secure}" />
> > > > > > >
> > > > > > > </undertow>
> > >
>
>

Re: HTTPS with Karaf 4.2.9 and underpinning undertow web server

Posted by Gerald Kallas <ca...@mailbox.org>.
Thanks Grzegorz.

Yes, I had found the same in the meantime and changed the undertow.xml. Finally it works, and Undertow with Pax Web seems a bit more flexible than Jetty. Will it also be part of Pax Web 8 and Karaf going forward?

Best
- Gerald

> Grzegorz Grzybek <gr...@gmail.com> hat am 03.09.2020 08:29 geschrieben:
> 
>  
> Hello
> 
> Sorry for the late response (holidays!), but I tried your example with only tiny
> (not relevant) differences in the details.
> 
> I used Karaf 4.2.9, but Camel 2.23.2. So I used
> "org.apache.camel.component.servlet.osgi.OsgiServletRegisterer" instead of
> "org.apache.camel.component.osgi.OsgiServletRegisterer", but made no other
> changes to blueprint.xml or etc/org.ops4j.pax.web.cfg.
> 
> However, I had ONE problem with TLS connection:
> 
> $ curl -k -v https://localhost:8443/camel/services/hello1
> *   Trying ::1:8443...
> * Connected to localhost (::1) port 8443 (#0)
> * ALPN, offering h2
> * ALPN, offering http/1.1
> * successfully set certificate verify locations:
> *   CAfile: /etc/pki/tls/certs/ca-bundle.crt
>   CApath: none
> * TLSv1.3 (OUT), TLS handshake, Client hello (1):
> * OpenSSL SSL_connect: SSL_ERROR_SYSCALL in connection to localhost:8443
> * Closing connection 0
> curl: (35) OpenSSL SSL_connect: SSL_ERROR_SYSCALL in connection to
> localhost:8443
> 
> I think (and I'll review it at some point in Pax Web itself) it's the
> mismatch between "enabled-protocols" and "enabled-cipher-suites" in
> undertow.xml. Please remove:
> 
> enabled-cipher-suites="TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA384
> TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA384"
> 
> and it should work (note that a change to undertow.xml WON'T automatically
> restart the relevant bundles).
> 
> $ curl -k -v https://localhost:8443/camel/services/hello1
> *   Trying ::1:8443...
> * Connected to localhost (::1) port 8443 (#0)
> * ALPN, offering h2
> * ALPN, offering http/1.1
> * successfully set certificate verify locations:
> *   CAfile: /etc/pki/tls/certs/ca-bundle.crt
>   CApath: none
> * TLSv1.3 (OUT), TLS handshake, Client hello (1):
> * TLSv1.3 (IN), TLS handshake, Server hello (2):
> * TLSv1.2 (IN), TLS handshake, Certificate (11):
> * TLSv1.2 (IN), TLS handshake, Server key exchange (12):
> * TLSv1.2 (IN), TLS handshake, Server finished (14):
> * TLSv1.2 (OUT), TLS handshake, Client key exchange (16):
> * TLSv1.2 (OUT), TLS change cipher, Change cipher spec (1):
> * TLSv1.2 (OUT), TLS handshake, Finished (20):
> * TLSv1.2 (IN), TLS handshake, Finished (20):
> * SSL connection using TLSv1.2 / ECDHE-RSA-AES256-GCM-SHA384
> * ALPN, server did not agree to a protocol
> * Server certificate:
> *  subject: C=PL; ST=Dolny Śląsk; L=Wrocław; O=Red Hat; CN=localhost;
> emailAddress=ggrzybek@redhat.com
> *  start date: Aug 17 11:14:46 2017 GMT
> *  expire date: Aug 17 11:14:46 2027 GMT
> *  issuer: C=PL; ST=Dolny Śląsk; L=Wrocław; O=Red Hat; CN=everfree-ca;
> emailAddress=ggrzybek@redhat.com
> *  SSL certificate verify result: unable to get local issuer certificate
> (20), continuing anyway.
> > GET /camel/services/hello1 HTTP/1.1
> > Host: localhost:8443
> > User-Agent: curl/7.69.1
> > Accept: */*
> >
> * Mark bundle as not supporting multiuse
> < HTTP/1.1 200 OK
> < Accept: */*
> < Connection: keep-alive
> < X-Powered-By: Pax-HTTP-Undertow/7.2.16
> < breadcrumbId: ID-everfree-forest-1599112295273-1-1
> < Server: Pax-HTTP-Undertow
> < Transfer-Encoding: chunked
> < User-Agent: curl/7.69.1
> < Date: Thu, 03 Sep 2020 05:59:31 GMT
> <
> * Connection #0 to host localhost left intact
> Hello 1
> 
> kind regards
> Grzegorz Grzybek
> 
> pt., 7 sie 2020 o 11:53 Gerald Kallas <ca...@mailbox.org> napisał(a):
> 
> > Hi,
> >
> > I tried this out but it doesn't work properly (the keystore and truststore
> > are the same as with the Jetty setup; they're valid).
> >
> > See below my configuration and the log. The HTTPS listener starts, but
> > neither the webconsole nor the servlet works.
> >
> > On client side I'm getting
> >
> > Error: Client network socket disconnected before secure TLS connection was
> > established
> >
> >
> > undertow.xml
> >
> > <?xml version="1.0" encoding="UTF-8"?>
> > <!--
> >    Licensed under the Apache License, Version 2.0 (the "License");
> >    you may not use this file except in compliance with the License.
> >    You may obtain a copy of the License at
> >
> >    http://www.apache.org/licenses/LICENSE-2.0
> >
> >    Unless required by applicable law or agreed to in writing, software
> >    distributed under the License is distributed on an "AS IS" BASIS,
> >    WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or
> >    implied.
> >
> >    See the License for the specific language governing permissions and
> >    limitations under the License.
> > -->
> > <undertow xmlns="urn:org.ops4j.pax.web:undertow:1.0"
> >         xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
> >         xmlns:w="urn:jboss:domain:5.0"
> >         xmlns:io="urn:jboss:domain:io:3.0"
> >         xsi:schemaLocation="
> >             urn:jboss:domain:io:3.0
> > http://www.jboss.org/schema/jbossas/wildfly-io_3_0.xsd
> >             urn:jboss:domain:undertow:4.0
> > http://www.jboss.org/schema/jbossas/wildfly-undertow_4_0.xsd
> >             urn:jboss:domain:5.0
> > http://www.jboss.org/schema/jbossas/wildfly-config_5_0.xsd">
> >
> >     <!--
> >         Only "default" worker and buffer-pool are supported and can be
> > used to override the default values
> >         used by all listeners
> >
> >         buffer-pool:
> >          - buffer-size defaults to:
> >             - when < 64MB of Xmx: 512
> >             - when < 128MB of Xmx: 1024
> >             - when >= 128MB of Xmx: 16K - 20
> >          - direct-buffers defaults to:
> >             - when < 64MB of Xmx: false
> >             - when >= 64MB of Xmx: true
> >
> >         worker:
> >          - io-threads defaults to
> > Math.max(Runtime.getRuntime().availableProcessors(), 2);
> >          - task-core-threads and task-max-threads default to io-threads * 8
> >     -->
> >     <!--
> >     <subsystem xmlns="urn:jboss:domain:io:3.0">
> >         <buffer-pool name="default" buffer-size="16364"
> > direct-buffers="true" />
> >         <worker name="default" io-threads="8" task-core-threads="64"
> > task-max-threads="64" />
> >     </subsystem>
> >     -->
> >
> >     <!--
> > https://docs.jboss.org/author/display/WFLY/Undertow+subsystem+configuration
> > -->
> >     <subsystem xmlns="urn:jboss:domain:undertow:4.0">
> >         <!-- org.wildfly.extension.undertow.BufferCacheDefinition -->
> >         <buffer-cache name="default" buffer-size="1024"
> > buffers-per-region="1024" max-regions="10" />
> >         <server name="default-server">
> >             <!-- HTTP(S) Listener references Socket Binding (and
> > indirectly - Interfaces) -->
> >             <!-- verify-client: org.xnio.SslClientAuthMode.NOT_REQUESTED,
> > org.xnio.SslClientAuthMode.REQUESTED, org.xnio.SslClientAuthMode.REQUIRED
> > -->
> >             <https-listener name="https" socket-binding="https"
> >                     security-realm="https" verify-client="NOT_REQUESTED" />
> >             <host name="default-host" alias="localhost">
> >                 <!--<location name="/" handler="welcome-content" />-->
> >                 <!--<location name="/docs" handler="docs-content" />-->
> >                 <access-log directory="${karaf.data}/log" pattern="common"
> > prefix="access_log." suffix="log" rotate="true" />
> >                 <filter-ref name="server-header" />
> >                 <filter-ref name="x-powered-by-header" />
> >             </host>
> >         </server>
> >         <servlet-container name="default">
> >             <jsp-config />
> >             <websockets />
> >             <welcome-files>
> >                 <welcome-file name="index.html" />
> >                 <welcome-file name="index.txt" />
> >             </welcome-files>
> >         </servlet-container>
> >         <handlers>
> >             <file name="welcome-content" path="${karaf.home}/welcome" />
> >             <!--<file name="docs-content" path="${karaf.home}/docs" />-->
> >         </handlers>
> >         <filters>
> >             <!-- filters for reference from /host/filter-ref and
> > /host/location/filter-ref -->
> >             <response-header name="server-header" header-name="Server"
> > header-value="Pax-HTTP-Undertow" />
> >             <response-header name="x-powered-by-header"
> > header-name="X-Powered-By" header-value="Pax-HTTP-Undertow/7.2.16" />
> >         </filters>
> >     </subsystem>
> >
> >     <!-- https://docs.jboss.org/author/display/WFLY/Security+Realms -->
> >     <!--
> >         we'll use "default" security realm by default to configure
> > jaas/properties authentication
> >         (io.undertow.security.idm.IdentityManager):
> >          - w:jaas -
> > org.ops4j.pax.web.service.undertow.internal.security.JaasIdentityManager
> >          - w:properties -
> > org.ops4j.pax.web.service.undertow.internal.security.PropertiesIdentityManager
> >     -->
> >     <security-realm name="default">
> >         <w:authentication>
> >             <!-- JaasIdentityManager for given realm -->
> >             <w:jaas name="karaf" />
> >             <!-- OR PropertiesIdentityManager (mutually exclusive with
> > <w:jaas>) -->
> >             <!--<w:properties path="users.properties" />-->
> >         </w:authentication>
> >
> > <user-principal-class-name>org.apache.karaf.jaas.boot.principal.UserPrincipal</user-principal-class-name>
> >
> > <role-principal-class-name>org.apache.karaf.jaas.boot.principal.RolePrincipal</role-principal-class-name>
> >         <!--<role-principal-class-name>...</role-principal-class-name>-->
> >     </security-realm>
> >     <!--
> >         Any security realm may be referenced by https-listener to define
> > trust/keystore, protocols and cipher suites
> >     -->
> >     <security-realm name="https">
> >         <w:server-identities>
> >             <w:ssl>
> >                 <!-- sun.security.ssl.ProtocolVersion -->
> >                 <!-- sun.security.ssl.CipherSuite -->
> >                 <!-- openssl ciphers 'ALL:eNULL' | sed -e 's/:/\n/g' |
> > sort -->
> >                 <w:engine
> >
> > enabled-cipher-suites="TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA384
> > TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA384"
> >                         enabled-protocols="TLSv1 TLSv1.1 TLSv1.2" />
> >                 <w:keystore path="${karaf.etc}/server.p12"
> > provider="PKCS12" alias="server"
> >                         keystore-password="password"
> > key-password="password"
> >                         generate-self-signed-certificate-host="localhost"
> > />
> >             </w:ssl>
> >         </w:server-identities>
> >         <w:authentication>
> >             <w:jaas name="karaf" />
> >             <w:truststore path="${karaf.etc}/truststore.jks"
> > provider="JKS" keystore-password="password" />
> >         </w:authentication>
> >
> > <user-principal-class-name>org.apache.karaf.jaas.boot.principal.UserPrincipal</user-principal-class-name>
> >
> > <role-principal-class-name>org.apache.karaf.jaas.boot.principal.RolePrincipal</role-principal-class-name>
> >     </security-realm>
> >
> >     <!-- Interface lists IP addresses to bind to -->
> >     <interface name="secure">
> >         <w:inet-address value="0.0.0.0" />
> >     </interface>
> >
> >     <!-- Socket Binding adds port for each IP from referenced Interface -->
> >     <socket-binding name="https" interface="secure"
> > port="${org.osgi.service.http.port.secure}" />
> >
> > </undertow>
> >
> >
> > org.ops4j.pax.web.cfg
> >
> >
> > org.osgi.service.http.enabled=false
> >
> > org.osgi.service.http.secure.enabled=true
> > org.osgi.service.http.port.secure=8443
> >
> > javax.servlet.context.tempdir=${karaf.data}/pax-web-jsp
> > #org.ops4j.pax.web.config.file=${karaf.etc}/undertow.properties
> > org.ops4j.pax.web.config.file=${karaf.etc}/undertow.xml
> > org.apache.karaf.features.configKey = org.ops4j.pax.web
> >
> >
> > servlet (hello1.xml)
> >
> > <blueprint xmlns="http://www.osgi.org/xmlns/blueprint/v1.0.0"
> >            xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
> >            xsi:schemaLocation="http://www.osgi.org/xmlns/blueprint/v1.0.0
> >            https://www.osgi.org/xmlns/blueprint/v1.0.0/blueprint.xsd">
> >
> >         <reference id="httpService"
> > interface="org.osgi.service.http.HttpService" />
> >
> >         <bean id="camelServlet"
> > class="org.apache.camel.component.servlet.CamelHttpTransportServlet"/>
> >
> >         <bean class="org.apache.camel.component.osgi.OsgiServletRegisterer"
> >          init-method="register"
> >          destroy-method="unregister">
> >                 <property name="servletName" value="httpServlet" />
> >                 <property name="alias" value="/camel/services" />
> >                 <property name="httpService" ref="httpService" />
> >                 <property name="servlet" ref="camelServlet" />
> >         </bean>
> >
> >         <bean id="servlet"
> > class="org.apache.camel.component.servlet.ServletComponent" />
> >
> >         <camelContext xmlns="http://camel.apache.org/schema/blueprint">
> >                 <route>
> >                         <from
> > uri="servlet://hello1?servletName=httpServlet" />
> >                         <setBody>
> >                                 <constant>Hello 1</constant>
> >                         </setBody>
> >                 </route>
> >         </camelContext>
> >
> > </blueprint>
> >
> >
> > log excerpt
> >
> > 2020-08-07T11:47:29,596 | INFO  | paxweb-config-1-thread-1 |
> > ServerControllerImpl             | 63 - org.ops4j.pax.web.pax-web-undertow
> > - 7.2.16 | Using
> > "file:/E:/apache-karaf/apache-karaf-4.2.9/etc/undertow.xml" to configure
> > Undertow
> > 2020-08-07T11:47:29,848 | INFO  | paxweb-config-1-thread-1 |
> > ServerControllerImpl             | 63 - org.ops4j.pax.web.pax-web-undertow
> > - 7.2.16 | Starting undertow https listener on 0.0.0.0:8443
> > 2020-08-07T11:47:29,985 | INFO  | FelixStartLevel  |
> > BlueprintContainerImpl           | 69 - org.apache.aries.blueprint.core -
> > 1.10.2 | Blueprint bundle hello1.xml/0.0.0 is waiting for dependencies
> > [(objectClass=org.osgi.service.http.HttpService)]
> > 2020-08-07T11:47:29,987 | INFO  | activator-1-thread-2 |
> > BouncyCastleSecurityProviderRegistrar | 38 - org.apache.sshd.core - 1.7.0 |
> > getOrCreateProvider(BC) created instance of
> > org.bouncycastle.jce.provider.BouncyCastleProvider
> > 2020-08-07T11:47:30,286 | INFO  | activator-1-thread-2 | CommandExtension
> >                | 34 - org.apache.karaf.shell.core - 4.2.9 | Registering
> > commands for bundle org.apache.karaf.features.command/4.2.9
> > 2020-08-07T11:47:30,446 | INFO  | activator-1-thread-3 | CommandExtension
> >                | 34 - org.apache.karaf.shell.core - 4.2.9 | Registering
> > commands for bundle org.apache.karaf.kar.core/4.2.9
> > 2020-08-07T11:47:30,487 | INFO  | activator-1-thread-2 | Activator
> >                 | 18 - org.apache.karaf.deployer.features - 4.2.9 |
> > Deployment finished. Registering FeatureDeploymentListener
> > 2020-08-07T11:47:30,543 | INFO  | activator-1-thread-2 | FeaturesPlugin
> >                | 140 - org.apache.karaf.webconsole.features - 4.2.9 |
> > Features plugin deactivated
> > 2020-08-07T11:47:30,544 | INFO  | activator-1-thread-2 | FeaturesPlugin
> >                | 140 - org.apache.karaf.webconsole.features - 4.2.9 |
> > Features plugin activated
> > 2020-08-07T11:47:30,839 | INFO  | paxweb-config-1-thread-1 |
> > ServerControllerImpl             | 63 - org.ops4j.pax.web.pax-web-undertow
> > - 7.2.16 | Using in-memory session persistence
> > 2020-08-07T11:47:30,864 | INFO  | paxweb-config-1-thread-1 |
> > HttpServiceFactoryImpl           | 61 - org.ops4j.pax.web.pax-web-runtime -
> > 7.2.16 | Binding bundle: [org.apache.karaf.webconsole.console [139]] to
> > http service
> > 2020-08-07T11:47:31,000 | INFO  | paxweb-config-1-thread-1 | Context
> >                     | 63 - org.ops4j.pax.web.pax-web-undertow - 7.2.16 |
> > registering context DefaultHttpContext
> > [bundle=org.apache.karaf.webconsole.console [139], contextID=custom], with
> > context path: /
> > 2020-08-07T11:47:31,011 | INFO  | paxweb-config-1-thread-1 | Context
> >                     | 63 - org.ops4j.pax.web.pax-web-undertow - 7.2.16 |
> > Starting context /
> > 2020-08-07T11:47:31,013 | WARN  | paxweb-config-1-thread-1 | PathMatcher
> >                     | 63 - org.ops4j.pax.web.pax-web-undertow - 7.2.16 |
> > Overwriting existing default context
> > io.undertow.server.handlers.PathHandler@382344b0 with a new one
> > org.ops4j.pax.web.service.undertow.internal.Context@8c1553c
> > 2020-08-07T11:47:31,034 | INFO  | paxweb-config-1-thread-1 | Context
> >                     | 63 - org.ops4j.pax.web.pax-web-undertow - 7.2.16 |
> > Adding implicit "default" servlet
> > 2020-08-07T11:47:31,047 | INFO  | paxweb-config-1-thread-1 |
> > ServletContainerInitializerScanner | 60 - org.ops4j.pax.web.pax-web-api -
> > 7.2.16 | will add io.undertow.servlet.sse.ServerSentEventSCI to
> > ServletContainerInitializers
> > 2020-08-07T11:47:31,048 | WARN  | paxweb-config-1-thread-1 |
> > ServletContainerInitializerScanner | 60 - org.ops4j.pax.web.pax-web-api -
> > 7.2.16 | failed to parse and instantiate of
> > javax.servlet.ServletContainerInitializer in classpath
> > 2020-08-07T11:47:31,070 | INFO  | paxweb-config-1-thread-1 | Context
> >                     | 63 - org.ops4j.pax.web.pax-web-undertow - 7.2.16 |
> > Creating undertow servlet deployment for context path /...
> > 2020-08-07T11:47:31,224 | INFO  | paxweb-config-1-thread-1 | Context
> >                     | 63 - org.ops4j.pax.web.pax-web-undertow - 7.2.16 |
> > Creating undertow servlet deployment for context path / - done
> > 2020-08-07T11:47:31,225 | INFO  | paxweb-config-1-thread-1 | Context
> >                     | 63 - org.ops4j.pax.web.pax-web-undertow - 7.2.16 |
> > Registering io.undertow.servlet.spec.ServletContextImpl@e72855b as OSGi
> > service...
> > 2020-08-07T11:47:31,236 | INFO  | paxweb-config-1-thread-1 | Context
> >                     | 63 - org.ops4j.pax.web.pax-web-undertow - 7.2.16 |
> > Registering io.undertow.servlet.spec.ServletContextImpl@e72855b as OSGi
> > service - done
> > 2020-08-07T11:47:31,237 | INFO  | paxweb-config-1-thread-1 | Context
> >                     | 63 - org.ops4j.pax.web.pax-web-undertow - 7.2.16 |
> > Starting Undertow web application for context path /
> > 2020-08-07T11:47:31,271 | INFO  | paxweb-config-1-thread-1 |
> > HttpServiceFactoryImpl           | 61 - org.ops4j.pax.web.pax-web-runtime -
> > 7.2.16 | Binding bundle: [org.apache.karaf.http.core [126]] to http service
> > 2020-08-07T11:47:31,272 | INFO  | paxweb-config-1-thread-1 | Activator
> >                     | 61 - org.ops4j.pax.web.pax-web-runtime - 7.2.16 |
> > Starting server controller
> > org.ops4j.pax.web.service.undertow.internal.ServerControllerImpl
> > 2020-08-07T11:47:31,332 | INFO  | activator-1-thread-2 | CommandExtension
> >                | 34 - org.apache.karaf.shell.core - 4.2.9 | Registering
> > commands for bundle org.apache.karaf.http.core/4.2.9
> > 2020-08-07T11:47:31,436 | INFO  | activator-1-thread-2 | HttpPlugin
> >                | 142 - org.apache.karaf.webconsole.http - 4.2.9 | Http
> > plugin activated
> > 2020-08-07T11:47:31,487 | INFO  | Blueprint Extender: 1 | LRUCacheFactory
> >                 | 108 - org.apache.camel.camel-support - 3.4.2 | Detected
> > and using LRUCacheFactory: camel-caffeine-lrucache
> > 2020-08-07T11:47:31,489 | INFO  | CM Configuration Updater
> > (ManagedServiceFactory Update: factoryPid=[org.ops4j.pax.web.context]) |
> > HttpContextProcessing            | 61 - org.ops4j.pax.web.pax-web-runtime -
> > 7.2.16 | Updated configuration for
> > pid=org.ops4j.pax.web.context.dff8c6e5-f690-4ac6-9268-d87fc0dce06d
> > 2020-08-07T11:47:31,538 | INFO  | paxweb-context-2-thread-1 |
> > HttpContextProcessing            | 61 - org.ops4j.pax.web.pax-web-runtime -
> > 7.2.16 | Found bundle "hello1.xml", scheduling customization of its
> > WebContainer
> > 2020-08-07T11:47:31,539 | INFO  | paxweb-context-2-thread-1 |
> > HttpContextProcessing            | 61 - org.ops4j.pax.web.pax-web-runtime -
> > 7.2.16 | Customizing WebContainer for bundle hello1.xml/0.0.0
> > 2020-08-07T11:47:31,539 | INFO  | paxweb-context-2-thread-1 |
> > HttpServiceFactoryImpl           | 61 - org.ops4j.pax.web.pax-web-runtime -
> > 7.2.16 | Binding bundle: [hello1.xml [134]] to http service
> > 2020-08-07T11:47:31,542 | INFO  | paxweb-context-2-thread-1 |
> > HttpContextProcessing            | 61 - org.ops4j.pax.web.pax-web-runtime -
> > 7.2.16 | Registering login configuration in WebContainer for bundle
> > "hello1.xml": method=BASIC, realm=karaf
> > 2020-08-07T11:47:31,545 | INFO  | paxweb-context-2-thread-1 |
> > HttpContextProcessing            | 61 - org.ops4j.pax.web.pax-web-runtime -
> > 7.2.16 | Registering security mappings in WebContainer for bundle
> > "hello1.xml": SecurityConstraintsMapping{name='constraint.1',
> > url='/camel/services/*', roles=[admin]}
> > 2020-08-07T11:47:31,550 | INFO  | paxweb-context-2-thread-1 | Context
> >                     | 63 - org.ops4j.pax.web.pax-web-undertow - 7.2.16 |
> > registering context DefaultHttpContext [bundle=hello1.xml [134],
> > contextID=default], with context path: /
> > 2020-08-07T11:47:31,555 | INFO  | paxweb-context-2-thread-1 | Context
> >                     | 63 - org.ops4j.pax.web.pax-web-undertow - 7.2.16 |
> > Starting context /
> > 2020-08-07T11:47:31,610 | WARN  | paxweb-context-2-thread-1 | PathMatcher
> >                     | 63 - org.ops4j.pax.web.pax-web-undertow - 7.2.16 |
> > Overwriting existing default context
> > org.ops4j.pax.web.service.undertow.internal.Context@8c1553c with a new
> > one org.ops4j.pax.web.service.undertow.internal.Context@681b959c
> > 2020-08-07T11:47:31,616 | INFO  | paxweb-context-2-thread-1 | Context
> >                     | 63 - org.ops4j.pax.web.pax-web-undertow - 7.2.16 |
> > Adding implicit "default" servlet
> > 2020-08-07T11:47:31,624 | INFO  | paxweb-context-2-thread-1 |
> > ServletContainerInitializerScanner | 60 - org.ops4j.pax.web.pax-web-api -
> > 7.2.16 | will add io.undertow.servlet.sse.ServerSentEventSCI to
> > ServletContainerInitializers
> > 2020-08-07T11:47:31,686 | INFO  | paxweb-context-2-thread-1 |
> > ServletContainerInitializerScanner | 60 - org.ops4j.pax.web.pax-web-api -
> > 7.2.16 | added ServletContainerInitializer:
> > io.undertow.servlet.sse.ServerSentEventSCI
> > 2020-08-07T11:47:31,697 | INFO  | paxweb-context-2-thread-1 | Context
> >                     | 63 - org.ops4j.pax.web.pax-web-undertow - 7.2.16 |
> > Creating undertow servlet deployment for context path /...
> > 2020-08-07T11:47:31,716 | INFO  | paxweb-context-2-thread-1 | Context
> >                     | 63 - org.ops4j.pax.web.pax-web-undertow - 7.2.16 |
> > Creating undertow servlet deployment for context path / - done
> > 2020-08-07T11:47:31,717 | INFO  | paxweb-context-2-thread-1 | Context
> >                     | 63 - org.ops4j.pax.web.pax-web-undertow - 7.2.16 |
> > Registering io.undertow.servlet.spec.ServletContextImpl@757d3a20 as OSGi
> > service...
> > 2020-08-07T11:47:31,728 | INFO  | paxweb-context-2-thread-1 | Context
> >                     | 63 - org.ops4j.pax.web.pax-web-undertow - 7.2.16 |
> > Registering io.undertow.servlet.spec.ServletContextImpl@757d3a20 as OSGi
> > service - done
> > 2020-08-07T11:47:31,729 | INFO  | paxweb-context-2-thread-1 | Context
> >                     | 63 - org.ops4j.pax.web.pax-web-undertow - 7.2.16 |
> > Starting Undertow web application for context path /
> > 2020-08-07T11:47:32,115 | INFO  | Blueprint Extender: 1 |
> > BlueprintContainerImpl           | 69 - org.apache.aries.blueprint.core -
> > 1.10.2 | Blueprint bundle hello1.xml/0.0.0 has been started
> > 2020-08-07T11:47:32,118 | INFO  | Blueprint Event Dispatcher: 1 |
> > BlueprintCamelContext            | 119 -
> > org.apache.camel.karaf.camel-blueprint - 3.4.2 | Attempting to start
> > CamelContext: camel-1
> > 2020-08-07T11:47:32,165 | INFO  | Blueprint Event Dispatcher: 1 |
> > JmxManagementStrategy            | 98 - org.apache.camel.camel-management -
> > 3.4.2 | JMX is enabled
> > 2020-08-07T11:47:32,418 | INFO  | Blueprint Event Dispatcher: 1 |
> > AbstractCamelContext             | 76 - org.apache.camel.camel-base - 3.4.2
> > | Apache Camel 3.4.2 (camel-1) is starting
> > 2020-08-07T11:47:33,264 | INFO  | Blueprint Event Dispatcher: 1 |
> > AbstractCamelContext             | 76 - org.apache.camel.camel-base - 3.4.2
> > | StreamCaching is not in use. If using streams then its recommended to
> > enable stream caching. See more details at
> > http://camel.apache.org/stream-caching.html
> > 2020-08-07T11:47:33,265 | INFO  | Blueprint Event Dispatcher: 1 |
> > AbstractCamelContext             | 76 - org.apache.camel.camel-base - 3.4.2
> > | Using HealthCheck: camel-health
> > 2020-08-07T11:47:33,361 | INFO  | Blueprint Event Dispatcher: 1 |
> > InternalRouteStartupManager      | 76 - org.apache.camel.camel-base - 3.4.2
> > | Route: route1 started and consuming from: servlet:/hello1
> > 2020-08-07T11:47:33,369 | INFO  | Blueprint Event Dispatcher: 1 |
> > AbstractCamelContext             | 76 - org.apache.camel.camel-base - 3.4.2
> > | Total 1 routes, of which 1 are started
> > 2020-08-07T11:47:33,370 | INFO  | Blueprint Event Dispatcher: 1 |
> > AbstractCamelContext             | 76 - org.apache.camel.camel-base - 3.4.2
> > | Apache Camel 3.4.2 (camel-1) started in 0.951 seconds
> >
> >
> > > Grzegorz Grzybek <gr...@gmail.com> hat am 07.08.2020 11:07
> > geschrieben:
> > >
> > >
> > > Hello
> > >
> > > In theory (I can't check now), you have to:
> > >
> > > 1. comment out <http-listener name="http" socket-binding="http" />
> > > 2. ensure that org.ops4j.pax.web PID has org.osgi.service.http.enabled =
> > false (so pax-web-undertow won't try to recreate the non-secure listener if
> > it's not available in etc/undertow.xml)
> > >
> > > regards
> > > Grzegorz Grzybek
> > >
> > >
> > > pt., 7 sie 2020 o 10:52 Gerald Kallas <ca...@mailbox.org> napisał(a):
> > > > Thanks, Grzegorz for the explanation.
> > > >
> > > > At the moment I'd be happy to use HTTPS (on 8443) only for all web
> > related services (web console, servlets) w/ undertow and disable HTTP (on
> > 8181). Could this be reached with the setup I have?
> > > >
> > > > Thanks
> > > > - Gerald
> > > >
> > > > > Grzegorz Grzybek <gr...@gmail.com> hat am 07.08.2020 10:47
> > geschrieben:
> > > > >
> > > > >
> > > > > Hello
> > > > >
> > > > > Unfortunately it is not possible to use the internal (managed by Pax
> > Web) servlet runtime selectively - by specifying which listener (or more
> > generally - virtual host) should be used for the servlets created and
> > registered by Camel into HttpService (Pax Web) runtime.
> > > > >
> > > > > pax-web-jetty has partial (legacy, non-standard from the point of
> > view of OSGi CMPN specification) support for virtual hosts where a
> > Whiteboard-registered servlet (or filter, or other "web element") may
> > specify a comma-separated list of virtual host/connector names. But that's
> > only for Jetty.
> > > > >
> > > > > I'm still working on refactoring Pax Web 8 and I plan to have
> > unified "experience" for dealing with separate connectors/virtual hosts
> > across Jetty/Tomcat/Undertow runtimes, but it'll come only in Pax Web 8.
> > > > >
> > > > > regards
> > > > > Grzegorz Grzybek
> > > > >
> > > > >
> > > > > pt., 7 sie 2020 o 10:34 Gerald Kallas <ca...@mailbox.org>
> > napisał(a):
> > > > > > Dear all,
> > > > > >
> > > > > > following the guidance in the ticket
> > > > > >
> > > > > > https://issues.apache.org/jira/browse/KARAF-6772
> > > > > >
> > > > > > I was setting up a vanilla Karaf 4.2.9 with the following features
> > > > > >
> > > > > > feature:repo-add camel 3.4.2
> > > > > > feature:install pax-http-undertow
> > > > > > feature:install camel camel-servlet webconsole
> > > > > >
> > > > > > I wonder how I can bind the webconsole and the servlet consumer in
> > the camel routes to the HTTPS port. My undertow.xml see below. I tried to
> > change the org.ops4j.pax.web.cfg but with no success.
> > > > > >
> > > > > > Any hints are appreciated.
> > > > > >
> > > > > > Thanks
> > > > > > - Gerald
> > > > > >
> > > > > >
> > > > > > <?xml version="1.0" encoding="UTF-8"?>
> > > > > > <!--
> > > > > > Licensed under the Apache License, Version 2.0 (the "License");
> > > > > > you may not use this file except in compliance with the License.
> > > > > > You may obtain a copy of the License at
> > > > > >
> > > > > > http://www.apache.org/licenses/LICENSE-2.0
> > > > > >
> > > > > > Unless required by applicable law or agreed to in writing, software
> > > > > > distributed under the License is distributed on an "AS IS" BASIS,
> > > > > > WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or
> > > > > > implied.
> > > > > >
> > > > > > See the License for the specific language governing permissions and
> > > > > > limitations under the License.
> > > > > > -->
> > > > > > <undertow xmlns="urn:org.ops4j.pax.web:undertow:1.0"
> > > > > > xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
> > > > > > xmlns:w="urn:jboss:domain:5.0"
> > > > > > xmlns:io="urn:jboss:domain:io:3.0"
> > > > > > xsi:schemaLocation="
> > > > > > urn:jboss:domain:io:3.0
> > http://www.jboss.org/schema/jbossas/wildfly-io_3_0.xsd
> > > > > > urn:jboss:domain:undertow:4.0
> > http://www.jboss.org/schema/jbossas/wildfly-undertow_4_0.xsd
> > > > > > urn:jboss:domain:5.0
> > http://www.jboss.org/schema/jbossas/wildfly-config_5_0.xsd">
> > > > > >
> > > > > > <!--
> > > > > > Only "default" worker and buffer-pool are supported and can be
> > used to override the default values
> > > > > > used by all listeners
> > > > > >
> > > > > > buffer-pool:
> > > > > > - buffer-size defaults to:
> > > > > > - when < 64MB of Xmx: 512
> > > > > > - when < 128MB of Xmx: 1024
> > > > > > - when >= 128MB of Xmx: 16K - 20
> > > > > > - direct-buffers defaults to:
> > > > > > - when < 64MB of Xmx: false
> > > > > > - when >= 64MB of Xmx: true
> > > > > >
> > > > > > worker:
> > > > > > - io-threads defaults to
> > Math.max(Runtime.getRuntime().availableProcessors(), 2);
> > > > > > - task-core-threads and task-max-threads default to io-threads * 8
> > > > > > -->
> > > > > > <!--
> > > > > > <subsystem xmlns="urn:jboss:domain:io:3.0">
> > > > > > <buffer-pool name="default" buffer-size="16364"
> > direct-buffers="true" />
> > > > > > <worker name="default" io-threads="8" task-core-threads="64"
> > task-max-threads="64" />
> > > > > > </subsystem>
> > > > > > -->
> > > > > >
> > > > > > <!--
> > https://docs.jboss.org/author/display/WFLY/Undertow+subsystem+configuration
> > -->
> > > > > > <subsystem xmlns="urn:jboss:domain:undertow:4.0">
> > > > > > <!-- org.wildfly.extension.undertow.BufferCacheDefinition -->
> > > > > > <buffer-cache name="default" buffer-size="1024"
> > buffers-per-region="1024" max-regions="10" />
> > > > > > <server name="default-server">
> > > > > > <!-- HTTP(S) Listener references Socket Binding (and indirectly -
> > Interfaces) -->
> > > > > > <http-listener name="http" socket-binding="http" />
> > > > > > <!-- verify-client: org.xnio.SslClientAuthMode.NOT_REQUESTED,
> > org.xnio.SslClientAuthMode.REQUESTED, org.xnio.SslClientAuthMode.REQUIRED
> > -->
> > > > > > <https-listener name="https" socket-binding="https"
> > > > > > security-realm="https" verify-client="NOT_REQUESTED" />
> > > > > > <host name="default-host" alias="localhost">
> > > > > > <!--<location name="/" handler="welcome-content" />-->
> > > > > > <!--<location name="/docs" handler="docs-content" />-->
> > > > > > <access-log directory="${karaf.data}/log" pattern="common"
> > prefix="access_log." suffix="log" rotate="true" />
> > > > > > <filter-ref name="server-header" />
> > > > > > <filter-ref name="x-powered-by-header" />
> > > > > > </host>
> > > > > > </server>
> > > > > > <servlet-container name="default">
> > > > > > <jsp-config />
> > > > > > <websockets />
> > > > > > <welcome-files>
> > > > > > <welcome-file name="index.html" />
> > > > > > <welcome-file name="index.txt" />
> > > > > > </welcome-files>
> > > > > > </servlet-container>
> > > > > > <handlers>
> > > > > > <file name="welcome-content" path="${karaf.home}/welcome" />
> > > > > > <!--<file name="docs-content" path="${karaf.home}/docs" />-->
> > > > > > </handlers>
> > > > > > <filters>
> > > > > > <!-- filters for reference from /host/filter-ref and
> > /host/location/filter-ref -->
> > > > > > <response-header name="server-header" header-name="Server"
> > header-value="Pax-HTTP-Undertow" />
> > > > > > <response-header name="x-powered-by-header"
> > header-name="X-Powered-By" header-value="Pax-HTTP-Undertow/7.2.16" />
> > > > > > </filters>
> > > > > > </subsystem>
> > > > > >
> > > > > > <!-- https://docs.jboss.org/author/display/WFLY/Security+Realms
> > -->
> > > > > > <!--
> > > > > > we'll use "default" security realm by default to configure
> > jaas/properties authentication
> > > > > > (io.undertow.security.idm.IdentityManager):
> > > > > > - w:jaas -
> > org.ops4j.pax.web.service.undertow.internal.security.JaasIdentityManager
> > > > > > - w:properties -
> > org.ops4j.pax.web.service.undertow.internal.security.PropertiesIdentityManager
> > > > > > -->
> > > > > > <security-realm name="default">
> > > > > > <w:authentication>
> > > > > > <!-- JaasIdentityManager for given realm -->
> > > > > > <w:jaas name="karaf" />
> > > > > > <!-- OR PropertiesIdentityManager (mutually exclusive with
> > <w:jaas>) -->
> > > > > > <!--<w:properties path="users.properties" />-->
> > > > > > </w:authentication>
> > > > > >
> > <user-principal-class-name>org.apache.karaf.jaas.boot.principal.UserPrincipal</user-principal-class-name>
> > > > > >
> > <role-principal-class-name>org.apache.karaf.jaas.boot.principal.RolePrincipal</role-principal-class-name>
> > > > > > <!--<role-principal-class-name>...</role-principal-class-name>-->
> > > > > > </security-realm>
> > > > > > <!--
> > > > > > Any security realm may be referenced by https-listener to define
> > trust/keystore, protocols and cipher suites
> > > > > > -->
> > > > > > <security-realm name="https">
> > > > > > <w:server-identities>
> > > > > > <w:ssl>
> > > > > > <!-- sun.security.ssl.ProtocolVersion -->
> > > > > > <!-- sun.security.ssl.CipherSuite -->
> > > > > > <!-- openssl ciphers 'ALL:eNULL' | sed -e 's/:/\n/g' | sort -->
> > > > > > <w:engine
> > > > > > enabled-cipher-suites="TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA384
> > TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA384"
> > > > > > enabled-protocols="TLSv1 TLSv1.1 TLSv1.2" />
> > > > > > <w:keystore path="${karaf.etc}/server.p12" provider="PKCS12"
> > alias="server"
> > > > > > keystore-password="password" key-password="password"
> > > > > > generate-self-signed-certificate-host="localhost" />
> > > > > > </w:ssl>
> > > > > > </w:server-identities>
> > > > > > <w:authentication>
> > > > > > <w:jaas name="karaf" />
> > > > > > <w:truststore path="${karaf.etc}/truststore.jks" provider="JKS"
> > keystore-password="password" />
> > > > > > </w:authentication>
> > > > > >
> > <user-principal-class-name>org.apache.karaf.jaas.boot.principal.UserPrincipal</user-principal-class-name>
> > > > > >
> > <role-principal-class-name>org.apache.karaf.jaas.boot.principal.RolePrincipal</role-principal-class-name>
> > > > > > </security-realm>
> > > > > >
> > > > > > <!-- Interface lists IP addresses to bind to -->
> > > > > > <interface name="default">
> > > > > > <w:inet-address value="0.0.0.0" />
> > > > > > <!--<w:inet-address value="127.0.0.1" />-->
> > > > > > </interface>
> > > > > > <interface name="secure">
> > > > > > <w:inet-address value="127.0.0.1" />
> > > > > > </interface>
> > > > > >
> > > > > > <!-- Socket Binding adds port for each IP from referenced
> > Interface -->
> > > > > > <socket-binding name="http" interface="default"
> > port="${org.osgi.service.http.port}" />
> > > > > > <socket-binding name="https" interface="secure"
> > port="${org.osgi.service.http.port.secure}" />
> > > > > >
> > > > > > </undertow>
> >


Re: HTTPS with Karaf 4.2.9 and underpinning undertow web server

Posted by Grzegorz Grzybek <gr...@gmail.com>.
Hello

Sorry for the late response (holidays!), but I tried your example with only tiny
(not relevant) differences.

I used Karaf 4.2.9, but with Camel 2.23.2. So I used
"org.apache.camel.component.servlet.osgi.OsgiServletRegisterer" instead of
"org.apache.camel.component.osgi.OsgiServletRegisterer", with no other
changes to blueprint.xml or etc/org.ops4j.pax.web.cfg.

However, I had ONE problem with the TLS connection:

$ curl -k -v https://localhost:8443/camel/services/hello1
*   Trying ::1:8443...
* Connected to localhost (::1) port 8443 (#0)
* ALPN, offering h2
* ALPN, offering http/1.1
* successfully set certificate verify locations:
*   CAfile: /etc/pki/tls/certs/ca-bundle.crt
  CApath: none
* TLSv1.3 (OUT), TLS handshake, Client hello (1):
* OpenSSL SSL_connect: SSL_ERROR_SYSCALL in connection to localhost:8443
* Closing connection 0
curl: (35) OpenSSL SSL_connect: SSL_ERROR_SYSCALL in connection to
localhost:8443

I think (and I'll review it at some point in Pax Web itself) it's a
mismatch between "enabled-protocols" and "enabled-cipher-suites" in
undertow.xml. Please remove:

enabled-cipher-suites="TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA384
TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA384"

and it should work (note that a change to undertow.xml WON'T automatically
restart the relevant bundles). Without that attribute the listener is left with
the JVM's default cipher suites, which is why the successful handshake below
negotiates ECDHE-RSA-AES256-GCM-SHA384, a suite that was not in the removed list.

$ curl -k -v https://localhost:8443/camel/services/hello1
*   Trying ::1:8443...
* Connected to localhost (::1) port 8443 (#0)
* ALPN, offering h2
* ALPN, offering http/1.1
* successfully set certificate verify locations:
*   CAfile: /etc/pki/tls/certs/ca-bundle.crt
  CApath: none
* TLSv1.3 (OUT), TLS handshake, Client hello (1):
* TLSv1.3 (IN), TLS handshake, Server hello (2):
* TLSv1.2 (IN), TLS handshake, Certificate (11):
* TLSv1.2 (IN), TLS handshake, Server key exchange (12):
* TLSv1.2 (IN), TLS handshake, Server finished (14):
* TLSv1.2 (OUT), TLS handshake, Client key exchange (16):
* TLSv1.2 (OUT), TLS change cipher, Change cipher spec (1):
* TLSv1.2 (OUT), TLS handshake, Finished (20):
* TLSv1.2 (IN), TLS handshake, Finished (20):
* SSL connection using TLSv1.2 / ECDHE-RSA-AES256-GCM-SHA384
* ALPN, server did not agree to a protocol
* Server certificate:
*  subject: C=PL; ST=Dolny Śląsk; L=Wrocław; O=Red Hat; CN=localhost;
emailAddress=ggrzybek@redhat.com
*  start date: Aug 17 11:14:46 2017 GMT
*  expire date: Aug 17 11:14:46 2027 GMT
*  issuer: C=PL; ST=Dolny Śląsk; L=Wrocław; O=Red Hat; CN=everfree-ca;
emailAddress=ggrzybek@redhat.com
*  SSL certificate verify result: unable to get local issuer certificate
(20), continuing anyway.
> GET /camel/services/hello1 HTTP/1.1
> Host: localhost:8443
> User-Agent: curl/7.69.1
> Accept: */*
>
* Mark bundle as not supporting multiuse
< HTTP/1.1 200 OK
< Accept: */*
< Connection: keep-alive
< X-Powered-By: Pax-HTTP-Undertow/7.2.16
< breadcrumbId: ID-everfree-forest-1599112295273-1-1
< Server: Pax-HTTP-Undertow
< Transfer-Encoding: chunked
< User-Agent: curl/7.69.1
< Date: Thu, 03 Sep 2020 05:59:31 GMT
<
* Connection #0 to host localhost left intact
Hello 1

kind regards
Grzegorz Grzybek

pt., 7 sie 2020 o 11:53 Gerald Kallas <ca...@mailbox.org> napisał(a):

> Hi,
>
> I tried this out but it doesn't work properly (the keystore and truststore are
> the same as with the Jetty setup; they're valid).
>
> See below my configuration and the log. The HTTPS listener starts, but
> neither the webconsole nor the servlet works.
>
> On client side I'm getting
>
> Error: Client network socket disconnected before secure TLS connection was
> established
>
>
> undertow.xml
>
> <?xml version="1.0" encoding="UTF-8"?>
> <!--
>    Licensed under the Apache License, Version 2.0 (the "License");
>    you may not use this file except in compliance with the License.
>    You may obtain a copy of the License at
>
>    http://www.apache.org/licenses/LICENSE-2.0
>
>    Unless required by applicable law or agreed to in writing, software
>    distributed under the License is distributed on an "AS IS" BASIS,
>    WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or
>    implied.
>
>    See the License for the specific language governing permissions and
>    limitations under the License.
> -->
> <undertow xmlns="urn:org.ops4j.pax.web:undertow:1.0"
>         xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
>         xmlns:w="urn:jboss:domain:5.0"
>         xmlns:io="urn:jboss:domain:io:3.0"
>         xsi:schemaLocation="
>             urn:jboss:domain:io:3.0
> http://www.jboss.org/schema/jbossas/wildfly-io_3_0.xsd
>             urn:jboss:domain:undertow:4.0
> http://www.jboss.org/schema/jbossas/wildfly-undertow_4_0.xsd
>             urn:jboss:domain:5.0
> http://www.jboss.org/schema/jbossas/wildfly-config_5_0.xsd">
>
>     <!--
>         Only "default" worker and buffer-pool are supported and can be
> used to override the default values
>         used by all listeners
>
>         buffer-pool:
>          - buffer-size defaults to:
>             - when < 64MB of Xmx: 512
>             - when < 128MB of Xmx: 1024
>             - when >= 128MB of Xmx: 16K - 20
>          - direct-buffers defaults to:
>             - when < 64MB of Xmx: false
>             - when >= 64MB of Xmx: true
>
>         worker:
>          - io-threads defaults to
> Math.max(Runtime.getRuntime().availableProcessors(), 2);
>          - task-core-threads and task-max-threads default to io-threads * 8
>     -->
>     <!--
>     <subsystem xmlns="urn:jboss:domain:io:3.0">
>         <buffer-pool name="default" buffer-size="16364"
> direct-buffers="true" />
>         <worker name="default" io-threads="8" task-core-threads="64"
> task-max-threads="64" />
>     </subsystem>
>     -->
>
>     <!--
> https://docs.jboss.org/author/display/WFLY/Undertow+subsystem+configuration
> -->
>     <subsystem xmlns="urn:jboss:domain:undertow:4.0">
>         <!-- org.wildfly.extension.undertow.BufferCacheDefinition -->
>         <buffer-cache name="default" buffer-size="1024"
> buffers-per-region="1024" max-regions="10" />
>         <server name="default-server">
>             <!-- HTTP(S) Listener references Socket Binding (and
> indirectly - Interfaces) -->
>             <!-- verify-client: org.xnio.SslClientAuthMode.NOT_REQUESTED,
> org.xnio.SslClientAuthMode.REQUESTED, org.xnio.SslClientAuthMode.REQUIRED
> -->
>             <https-listener name="https" socket-binding="https"
>                     security-realm="https" verify-client="NOT_REQUESTED" />
>             <host name="default-host" alias="localhost">
>                 <!--<location name="/" handler="welcome-content" />-->
>                 <!--<location name="/docs" handler="docs-content" />-->
>                 <access-log directory="${karaf.data}/log" pattern="common"
> prefix="access_log." suffix="log" rotate="true" />
>                 <filter-ref name="server-header" />
>                 <filter-ref name="x-powered-by-header" />
>             </host>
>         </server>
>         <servlet-container name="default">
>             <jsp-config />
>             <websockets />
>             <welcome-files>
>                 <welcome-file name="index.html" />
>                 <welcome-file name="index.txt" />
>             </welcome-files>
>         </servlet-container>
>         <handlers>
>             <file name="welcome-content" path="${karaf.home}/welcome" />
>             <!--<file name="docs-content" path="${karaf.home}/docs" />-->
>         </handlers>
>         <filters>
>             <!-- filters for reference from /host/filter-ref and
> /host/location/filter-ref -->
>             <response-header name="server-header" header-name="Server"
> header-value="Pax-HTTP-Undertow" />
>             <response-header name="x-powered-by-header"
> header-name="X-Powered-By" header-value="Pax-HTTP-Undertow/7.2.16" />
>         </filters>
>     </subsystem>
>
>     <!-- https://docs.jboss.org/author/display/WFLY/Security+Realms -->
>     <!--
>         we'll use "default" security realm by default to configure
> jaas/properties authentication
>         (io.undertow.security.idm.IdentityManager):
>          - w:jaas -
> org.ops4j.pax.web.service.undertow.internal.security.JaasIdentityManager
>          - w:properties -
> org.ops4j.pax.web.service.undertow.internal.security.PropertiesIdentityManager
>     -->
>     <security-realm name="default">
>         <w:authentication>
>             <!-- JaasIdentityManager for given realm -->
>             <w:jaas name="karaf" />
>             <!-- OR PropertiesIdentityManager (mutually exclusive with
> <w:jaas>) -->
>             <!--<w:properties path="users.properties" />-->
>         </w:authentication>
>
> <user-principal-class-name>org.apache.karaf.jaas.boot.principal.UserPrincipal</user-principal-class-name>
>
> <role-principal-class-name>org.apache.karaf.jaas.boot.principal.RolePrincipal</role-principal-class-name>
>         <!--<role-principal-class-name>...</role-principal-class-name>-->
>     </security-realm>
>     <!--
>         Any security realm may be referenced by https-listener to define
> trust/keystore, protocols and cipher suites
>     -->
>     <security-realm name="https">
>         <w:server-identities>
>             <w:ssl>
>                 <!-- sun.security.ssl.ProtocolVersion -->
>                 <!-- sun.security.ssl.CipherSuite -->
>                 <!-- openssl ciphers 'ALL:eNULL' | sed -e 's/:/\n/g' |
> sort -->
>                 <w:engine
>
> enabled-cipher-suites="TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA384
> TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA384"
>                         enabled-protocols="TLSv1 TLSv1.1 TLSv1.2" />
>                 <w:keystore path="${karaf.etc}/server.p12"
> provider="PKCS12" alias="server"
>                         keystore-password="password"
> key-password="password"
>                         generate-self-signed-certificate-host="localhost"
> />
>             </w:ssl>
>         </w:server-identities>
>         <w:authentication>
>             <w:jaas name="karaf" />
>             <w:truststore path="${karaf.etc}/truststore.jks"
> provider="JKS" keystore-password="password" />
>         </w:authentication>
>
> <user-principal-class-name>org.apache.karaf.jaas.boot.principal.UserPrincipal</user-principal-class-name>
>
> <role-principal-class-name>org.apache.karaf.jaas.boot.principal.RolePrincipal</role-principal-class-name>
>     </security-realm>
>
>     <!-- Interface lists IP addresses to bind to -->
>     <interface name="secure">
>         <w:inet-address value="0.0.0.0" />
>     </interface>
>
>     <!-- Socket Binding adds port for each IP from referenced Interface -->
>     <socket-binding name="https" interface="secure"
> port="${org.osgi.service.http.port.secure}" />
>
> </undertow>
>
>
> org.ops4j.pax.web.cfg
>
>
> org.osgi.service.http.enabled=false
>
> org.osgi.service.http.secure.enabled=true
> org.osgi.service.http.port.secure=8443
>
> javax.servlet.context.tempdir=${karaf.data}/pax-web-jsp
> #org.ops4j.pax.web.config.file=${karaf.etc}/undertow.properties
> org.ops4j.pax.web.config.file=${karaf.etc}/undertow.xml
> org.apache.karaf.features.configKey = org.ops4j.pax.web
>
>
> servlet (hello1.xml)
>
> <blueprint xmlns="http://www.osgi.org/xmlns/blueprint/v1.0.0"
>            xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
>            xsi:schemaLocation="http://www.osgi.org/xmlns/blueprint/v1.0.0
>            https://www.osgi.org/xmlns/blueprint/v1.0.0/blueprint.xsd">
>
>         <reference id="httpService"
> interface="org.osgi.service.http.HttpService" />
>
>         <bean id="camelServlet"
> class="org.apache.camel.component.servlet.CamelHttpTransportServlet"/>
>
>         <bean class="org.apache.camel.component.osgi.OsgiServletRegisterer"
>          init-method="register"
>          destroy-method="unregister">
>                 <property name="servletName" value="httpServlet" />
>                 <property name="alias" value="/camel/services" />
>                 <property name="httpService" ref="httpService" />
>                 <property name="servlet" ref="camelServlet" />
>         </bean>
>
>         <bean id="servlet"
> class="org.apache.camel.component.servlet.ServletComponent" />
>
>         <camelContext xmlns="http://camel.apache.org/schema/blueprint">
>                 <route>
>                         <from
> uri="servlet://hello1?servletName=httpServlet" />
>                         <setBody>
>                                 <constant>Hello 1</constant>
>                         </setBody>
>                 </route>
>         </camelContext>
>
> </blueprint>
>
>
> log excerpt
>
> 2020-08-07T11:47:29,596 | INFO  | paxweb-config-1-thread-1 |
> ServerControllerImpl             | 63 - org.ops4j.pax.web.pax-web-undertow
> - 7.2.16 | Using
> "file:/E:/apache-karaf/apache-karaf-4.2.9/etc/undertow.xml" to configure
> Undertow
> 2020-08-07T11:47:29,848 | INFO  | paxweb-config-1-thread-1 |
> ServerControllerImpl             | 63 - org.ops4j.pax.web.pax-web-undertow
> - 7.2.16 | Starting undertow https listener on 0.0.0.0:8443
> 2020-08-07T11:47:29,985 | INFO  | FelixStartLevel  |
> BlueprintContainerImpl           | 69 - org.apache.aries.blueprint.core -
> 1.10.2 | Blueprint bundle hello1.xml/0.0.0 is waiting for dependencies
> [(objectClass=org.osgi.service.http.HttpService)]
> 2020-08-07T11:47:29,987 | INFO  | activator-1-thread-2 |
> BouncyCastleSecurityProviderRegistrar | 38 - org.apache.sshd.core - 1.7.0 |
> getOrCreateProvider(BC) created instance of
> org.bouncycastle.jce.provider.BouncyCastleProvider
> 2020-08-07T11:47:30,286 | INFO  | activator-1-thread-2 | CommandExtension
>                | 34 - org.apache.karaf.shell.core - 4.2.9 | Registering
> commands for bundle org.apache.karaf.features.command/4.2.9
> 2020-08-07T11:47:30,446 | INFO  | activator-1-thread-3 | CommandExtension
>                | 34 - org.apache.karaf.shell.core - 4.2.9 | Registering
> commands for bundle org.apache.karaf.kar.core/4.2.9
> 2020-08-07T11:47:30,487 | INFO  | activator-1-thread-2 | Activator
>                 | 18 - org.apache.karaf.deployer.features - 4.2.9 |
> Deployment finished. Registering FeatureDeploymentListener
> 2020-08-07T11:47:30,543 | INFO  | activator-1-thread-2 | FeaturesPlugin
>                | 140 - org.apache.karaf.webconsole.features - 4.2.9 |
> Features plugin deactivated
> 2020-08-07T11:47:30,544 | INFO  | activator-1-thread-2 | FeaturesPlugin
>                | 140 - org.apache.karaf.webconsole.features - 4.2.9 |
> Features plugin activated
> 2020-08-07T11:47:30,839 | INFO  | paxweb-config-1-thread-1 |
> ServerControllerImpl             | 63 - org.ops4j.pax.web.pax-web-undertow
> - 7.2.16 | Using in-memory session persistence
> 2020-08-07T11:47:30,864 | INFO  | paxweb-config-1-thread-1 |
> HttpServiceFactoryImpl           | 61 - org.ops4j.pax.web.pax-web-runtime -
> 7.2.16 | Binding bundle: [org.apache.karaf.webconsole.console [139]] to
> http service
> 2020-08-07T11:47:31,000 | INFO  | paxweb-config-1-thread-1 | Context
>                     | 63 - org.ops4j.pax.web.pax-web-undertow - 7.2.16 |
> registering context DefaultHttpContext
> [bundle=org.apache.karaf.webconsole.console [139], contextID=custom], with
> context path: /
> 2020-08-07T11:47:31,011 | INFO  | paxweb-config-1-thread-1 | Context
>                     | 63 - org.ops4j.pax.web.pax-web-undertow - 7.2.16 |
> Starting context /
> 2020-08-07T11:47:31,013 | WARN  | paxweb-config-1-thread-1 | PathMatcher
>                     | 63 - org.ops4j.pax.web.pax-web-undertow - 7.2.16 |
> Overwriting existing default context
> io.undertow.server.handlers.PathHandler@382344b0 with a new one
> org.ops4j.pax.web.service.undertow.internal.Context@8c1553c
> 2020-08-07T11:47:31,034 | INFO  | paxweb-config-1-thread-1 | Context
>                     | 63 - org.ops4j.pax.web.pax-web-undertow - 7.2.16 |
> Adding implicit "default" servlet
> 2020-08-07T11:47:31,047 | INFO  | paxweb-config-1-thread-1 |
> ServletContainerInitializerScanner | 60 - org.ops4j.pax.web.pax-web-api -
> 7.2.16 | will add io.undertow.servlet.sse.ServerSentEventSCI to
> ServletContainerInitializers
> 2020-08-07T11:47:31,048 | WARN  | paxweb-config-1-thread-1 |
> ServletContainerInitializerScanner | 60 - org.ops4j.pax.web.pax-web-api -
> 7.2.16 | failed to parse and instantiate of
> javax.servlet.ServletContainerInitializer in classpath
> 2020-08-07T11:47:31,070 | INFO  | paxweb-config-1-thread-1 | Context
>                     | 63 - org.ops4j.pax.web.pax-web-undertow - 7.2.16 |
> Creating undertow servlet deployment for context path /...
> 2020-08-07T11:47:31,224 | INFO  | paxweb-config-1-thread-1 | Context
>                     | 63 - org.ops4j.pax.web.pax-web-undertow - 7.2.16 |
> Creating undertow servlet deployment for context path / - done
> 2020-08-07T11:47:31,225 | INFO  | paxweb-config-1-thread-1 | Context
>                     | 63 - org.ops4j.pax.web.pax-web-undertow - 7.2.16 |
> Registering io.undertow.servlet.spec.ServletContextImpl@e72855b as OSGi
> service...
> 2020-08-07T11:47:31,236 | INFO  | paxweb-config-1-thread-1 | Context
>                     | 63 - org.ops4j.pax.web.pax-web-undertow - 7.2.16 |
> Registering io.undertow.servlet.spec.ServletContextImpl@e72855b as OSGi
> service - done
> 2020-08-07T11:47:31,237 | INFO  | paxweb-config-1-thread-1 | Context
>                     | 63 - org.ops4j.pax.web.pax-web-undertow - 7.2.16 |
> Starting Undertow web application for context path /
> 2020-08-07T11:47:31,271 | INFO  | paxweb-config-1-thread-1 |
> HttpServiceFactoryImpl           | 61 - org.ops4j.pax.web.pax-web-runtime -
> 7.2.16 | Binding bundle: [org.apache.karaf.http.core [126]] to http service
> 2020-08-07T11:47:31,272 | INFO  | paxweb-config-1-thread-1 | Activator
>                     | 61 - org.ops4j.pax.web.pax-web-runtime - 7.2.16 |
> Starting server controller
> org.ops4j.pax.web.service.undertow.internal.ServerControllerImpl
> 2020-08-07T11:47:31,332 | INFO  | activator-1-thread-2 | CommandExtension
>                | 34 - org.apache.karaf.shell.core - 4.2.9 | Registering
> commands for bundle org.apache.karaf.http.core/4.2.9
> 2020-08-07T11:47:31,436 | INFO  | activator-1-thread-2 | HttpPlugin
>                | 142 - org.apache.karaf.webconsole.http - 4.2.9 | Http
> plugin activated
> 2020-08-07T11:47:31,487 | INFO  | Blueprint Extender: 1 | LRUCacheFactory
>                 | 108 - org.apache.camel.camel-support - 3.4.2 | Detected
> and using LRUCacheFactory: camel-caffeine-lrucache
> 2020-08-07T11:47:31,489 | INFO  | CM Configuration Updater
> (ManagedServiceFactory Update: factoryPid=[org.ops4j.pax.web.context]) |
> HttpContextProcessing            | 61 - org.ops4j.pax.web.pax-web-runtime -
> 7.2.16 | Updated configuration for
> pid=org.ops4j.pax.web.context.dff8c6e5-f690-4ac6-9268-d87fc0dce06d
> 2020-08-07T11:47:31,538 | INFO  | paxweb-context-2-thread-1 |
> HttpContextProcessing            | 61 - org.ops4j.pax.web.pax-web-runtime -
> 7.2.16 | Found bundle "hello1.xml", scheduling customization of its
> WebContainer
> 2020-08-07T11:47:31,539 | INFO  | paxweb-context-2-thread-1 |
> HttpContextProcessing            | 61 - org.ops4j.pax.web.pax-web-runtime -
> 7.2.16 | Customizing WebContainer for bundle hello1.xml/0.0.0
> 2020-08-07T11:47:31,539 | INFO  | paxweb-context-2-thread-1 |
> HttpServiceFactoryImpl           | 61 - org.ops4j.pax.web.pax-web-runtime -
> 7.2.16 | Binding bundle: [hello1.xml [134]] to http service
> 2020-08-07T11:47:31,542 | INFO  | paxweb-context-2-thread-1 |
> HttpContextProcessing            | 61 - org.ops4j.pax.web.pax-web-runtime -
> 7.2.16 | Registering login configuration in WebContainer for bundle
> "hello1.xml": method=BASIC, realm=karaf
> 2020-08-07T11:47:31,545 | INFO  | paxweb-context-2-thread-1 |
> HttpContextProcessing            | 61 - org.ops4j.pax.web.pax-web-runtime -
> 7.2.16 | Registering security mappings in WebContainer for bundle
> "hello1.xml": SecurityConstraintsMapping{name='constraint.1',
> url='/camel/services/*', roles=[admin]}
> 2020-08-07T11:47:31,550 | INFO  | paxweb-context-2-thread-1 | Context
>                     | 63 - org.ops4j.pax.web.pax-web-undertow - 7.2.16 |
> registering context DefaultHttpContext [bundle=hello1.xml [134],
> contextID=default], with context path: /
> 2020-08-07T11:47:31,555 | INFO  | paxweb-context-2-thread-1 | Context
>                     | 63 - org.ops4j.pax.web.pax-web-undertow - 7.2.16 |
> Starting context /
> 2020-08-07T11:47:31,610 | WARN  | paxweb-context-2-thread-1 | PathMatcher
>                     | 63 - org.ops4j.pax.web.pax-web-undertow - 7.2.16 |
> Overwriting existing default context
> org.ops4j.pax.web.service.undertow.internal.Context@8c1553c with a new
> one org.ops4j.pax.web.service.undertow.internal.Context@681b959c
> 2020-08-07T11:47:31,616 | INFO  | paxweb-context-2-thread-1 | Context
>                     | 63 - org.ops4j.pax.web.pax-web-undertow - 7.2.16 |
> Adding implicit "default" servlet
> 2020-08-07T11:47:31,624 | INFO  | paxweb-context-2-thread-1 |
> ServletContainerInitializerScanner | 60 - org.ops4j.pax.web.pax-web-api -
> 7.2.16 | will add io.undertow.servlet.sse.ServerSentEventSCI to
> ServletContainerInitializers
> 2020-08-07T11:47:31,686 | INFO  | paxweb-context-2-thread-1 |
> ServletContainerInitializerScanner | 60 - org.ops4j.pax.web.pax-web-api -
> 7.2.16 | added ServletContainerInitializer:
> io.undertow.servlet.sse.ServerSentEventSCI
> 2020-08-07T11:47:31,697 | INFO  | paxweb-context-2-thread-1 | Context
>                     | 63 - org.ops4j.pax.web.pax-web-undertow - 7.2.16 |
> Creating undertow servlet deployment for context path /...
> 2020-08-07T11:47:31,716 | INFO  | paxweb-context-2-thread-1 | Context
>                     | 63 - org.ops4j.pax.web.pax-web-undertow - 7.2.16 |
> Creating undertow servlet deployment for context path / - done
> 2020-08-07T11:47:31,717 | INFO  | paxweb-context-2-thread-1 | Context
>                     | 63 - org.ops4j.pax.web.pax-web-undertow - 7.2.16 |
> Registering io.undertow.servlet.spec.ServletContextImpl@757d3a20 as OSGi
> service...
> 2020-08-07T11:47:31,728 | INFO  | paxweb-context-2-thread-1 | Context
>                     | 63 - org.ops4j.pax.web.pax-web-undertow - 7.2.16 |
> Registering io.undertow.servlet.spec.ServletContextImpl@757d3a20 as OSGi
> service - done
> 2020-08-07T11:47:31,729 | INFO  | paxweb-context-2-thread-1 | Context
>                     | 63 - org.ops4j.pax.web.pax-web-undertow - 7.2.16 |
> Starting Undertow web application for context path /
> 2020-08-07T11:47:32,115 | INFO  | Blueprint Extender: 1 |
> BlueprintContainerImpl           | 69 - org.apache.aries.blueprint.core -
> 1.10.2 | Blueprint bundle hello1.xml/0.0.0 has been started
> 2020-08-07T11:47:32,118 | INFO  | Blueprint Event Dispatcher: 1 |
> BlueprintCamelContext            | 119 -
> org.apache.camel.karaf.camel-blueprint - 3.4.2 | Attempting to start
> CamelContext: camel-1
> 2020-08-07T11:47:32,165 | INFO  | Blueprint Event Dispatcher: 1 |
> JmxManagementStrategy            | 98 - org.apache.camel.camel-management -
> 3.4.2 | JMX is enabled
> 2020-08-07T11:47:32,418 | INFO  | Blueprint Event Dispatcher: 1 |
> AbstractCamelContext             | 76 - org.apache.camel.camel-base - 3.4.2
> | Apache Camel 3.4.2 (camel-1) is starting
> 2020-08-07T11:47:33,264 | INFO  | Blueprint Event Dispatcher: 1 |
> AbstractCamelContext             | 76 - org.apache.camel.camel-base - 3.4.2
> | StreamCaching is not in use. If using streams then its recommended to
> enable stream caching. See more details at
> http://camel.apache.org/stream-caching.html
> 2020-08-07T11:47:33,265 | INFO  | Blueprint Event Dispatcher: 1 |
> AbstractCamelContext             | 76 - org.apache.camel.camel-base - 3.4.2
> | Using HealthCheck: camel-health
> 2020-08-07T11:47:33,361 | INFO  | Blueprint Event Dispatcher: 1 |
> InternalRouteStartupManager      | 76 - org.apache.camel.camel-base - 3.4.2
> | Route: route1 started and consuming from: servlet:/hello1
> 2020-08-07T11:47:33,369 | INFO  | Blueprint Event Dispatcher: 1 |
> AbstractCamelContext             | 76 - org.apache.camel.camel-base - 3.4.2
> | Total 1 routes, of which 1 are started
> 2020-08-07T11:47:33,370 | INFO  | Blueprint Event Dispatcher: 1 |
> AbstractCamelContext             | 76 - org.apache.camel.camel-base - 3.4.2
> | Apache Camel 3.4.2 (camel-1) started in 0.951 seconds
>
>
> > Grzegorz Grzybek <gr...@gmail.com> hat am 07.08.2020 11:07
> geschrieben:
> >
> >
> > Hello
> >
> > In theory (I can't check now), you have to:
> >
> > 1. comment out <http-listener name="http" socket-binding="http" />
> > 2. ensure that org.ops4j.pax.web PID has org.osgi.service.http.enabled =
> false (so pax-web-undertow won't try to recreate the non-secure listener if
> it's not available in etc/undertow.xml). Both steps are needed: with only the
> first one the plain listener can come back on 8181 and the webconsole/servlet
> BASIC credentials could still travel over it in the clear, so after the
> restart check that the only listener logged (and actually open) is the https one.
> >
> > regards
> > Grzegorz Grzybek
> >
> >
> > pt., 7 sie 2020 o 10:52 Gerald Kallas <ca...@mailbox.org> napisał(a):
> > > Thanks, Grzegorz for the explanation.
> > >
> > > At the moment I'd be happy to use HTTPS (on 8443) only for all web
> related services (web console, servlets) w/ undertow and disable HTTP (on
> 8181). Could this be reached with the setup I have?
> > >
> > > Thanks
> > > - Gerald
> > >
> > > > Grzegorz Grzybek <gr...@gmail.com> hat am 07.08.2020 10:47
> geschrieben:
> > > >
> > > >
> > > > Hello
> > > >
> > > > Unfortunately it is not possible to use the internal (managed by Pax
> Web) servlet runtime selectively - by specifying which listener (or more
> generally - virtual host) should be used for the servlets created and
> registered by Camel into HttpService (Pax Web) runtime.
> > > >
> > > > pax-web-jetty has partial (legacy, non-standard from the point of
> view of OSGi CMPN specification) support for virtual hosts where a
> Whiteboard-registered servlet (or filter, or other "web element") may
> specify a comma-separated list of virtual host/connector names. But that's
> only for Jetty.
> > > >
> > > > I'm still working on refactoring Pax Web 8 and I plan to have
> unified "experience" for dealing with separate connectors/virtual hosts
> across Jetty/Tomcat/Undertow runtimes, but it'll come only in Pax Web 8.
> > > >
> > > > regards
> > > > Grzegorz Grzybek
> > > >
> > > >
> > > > pt., 7 sie 2020 o 10:34 Gerald Kallas <ca...@mailbox.org>
> napisał(a):
> > > > > Dear all,
> > > > >
> > > > > following the guidance in the ticket
> > > > >
> > > > > https://issues.apache.org/jira/browse/KARAF-6772
> > > > >
> > > > > I was setting up a vanilla Karaf 4.2.9 with the following features
> > > > >
> > > > > feature:repo-add camel 3.4.2
> > > > > feature:install pax-http-undertow
> > > > > feature:install camel camel-servlet webconsole
> > > > >
> > > > > I wonder how I can bind the webconsole and the servlet consumer in
> the camel routes to the HTTPS port. My undertow.xml see below. I tried to
> change the org.ops4j.pax.web.cfg but with no success.
> > > > >
> > > > > Any hints are appreciated.
> > > > >
> > > > > Thanks
> > > > > - Gerald
> > > > >
> > > > >
> > > > > <?xml version="1.0" encoding="UTF-8"?>
> > > > > <!--
> > > > > Licensed under the Apache License, Version 2.0 (the "License");
> > > > > you may not use this file except in compliance with the License.
> > > > > You may obtain a copy of the License at
> > > > >
> > > > > http://www.apache.org/licenses/LICENSE-2.0
> > > > >
> > > > > Unless required by applicable law or agreed to in writing, software
> > > > > distributed under the License is distributed on an "AS IS" BASIS,
> > > > > WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or
> > > > > implied.
> > > > >
> > > > > See the License for the specific language governing permissions and
> > > > > limitations under the License.
> > > > > -->
> > > > > <undertow xmlns="urn:org.ops4j.pax.web:undertow:1.0"
> > > > > xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
> > > > > xmlns:w="urn:jboss:domain:5.0"
> > > > > xmlns:io="urn:jboss:domain:io:3.0"
> > > > > xsi:schemaLocation="
> > > > > urn:jboss:domain:io:3.0
> http://www.jboss.org/schema/jbossas/wildfly-io_3_0.xsd
> > > > > urn:jboss:domain:undertow:4.0
> http://www.jboss.org/schema/jbossas/wildfly-undertow_4_0.xsd
> > > > > urn:jboss:domain:5.0
> http://www.jboss.org/schema/jbossas/wildfly-config_5_0.xsd">
> > > > >
> > > > > <!--
> > > > > Only "default" worker and buffer-pool are supported and can be
> used to override the default values
> > > > > used by all listeners
> > > > >
> > > > > buffer-pool:
> > > > > - buffer-size defaults to:
> > > > > - when < 64MB of Xmx: 512
> > > > > - when < 128MB of Xmx: 1024
> > > > > - when >= 128MB of Xmx: 16K - 20
> > > > > - direct-buffers defaults to:
> > > > > - when < 64MB of Xmx: false
> > > > > - when >= 64MB of Xmx: true
> > > > >
> > > > > worker:
> > > > > - io-threads defaults to
> Math.max(Runtime.getRuntime().availableProcessors(), 2);
> > > > > - task-core-threads and task-max-threads default to io-threads * 8
> > > > > -->
> > > > > <!--
> > > > > <subsystem xmlns="urn:jboss:domain:io:3.0">
> > > > > <buffer-pool name="default" buffer-size="16364"
> direct-buffers="true" />
> > > > > <worker name="default" io-threads="8" task-core-threads="64"
> task-max-threads="64" />
> > > > > </subsystem>
> > > > > -->
> > > > >
> > > > > <!--
> https://docs.jboss.org/author/display/WFLY/Undertow+subsystem+configuration
> -->
> > > > > <subsystem xmlns="urn:jboss:domain:undertow:4.0">
> > > > > <!-- org.wildfly.extension.undertow.BufferCacheDefinition -->
> > > > > <buffer-cache name="default" buffer-size="1024"
> buffers-per-region="1024" max-regions="10" />
> > > > > <server name="default-server">
> > > > > <!-- HTTP(S) Listener references Socket Binding (and indirectly -
> Interfaces) -->
> > > > > <http-listener name="http" socket-binding="http" />
> > > > > <!-- verify-client: org.xnio.SslClientAuthMode.NOT_REQUESTED,
> org.xnio.SslClientAuthMode.REQUESTED, org.xnio.SslClientAuthMode.REQUIRED
> -->
> > > > > <https-listener name="https" socket-binding="https"
> > > > > security-realm="https" verify-client="NOT_REQUESTED" />
> > > > > <host name="default-host" alias="localhost">
> > > > > <!--<location name="/" handler="welcome-content" />-->
> > > > > <!--<location name="/docs" handler="docs-content" />-->
> > > > > <access-log directory="${karaf.data}/log" pattern="common"
> prefix="access_log." suffix="log" rotate="true" />
> > > > > <filter-ref name="server-header" />
> > > > > <filter-ref name="x-powered-by-header" />
> > > > > </host>
> > > > > </server>
> > > > > <servlet-container name="default">
> > > > > <jsp-config />
> > > > > <websockets />
> > > > > <welcome-files>
> > > > > <welcome-file name="index.html" />
> > > > > <welcome-file name="index.txt" />
> > > > > </welcome-files>
> > > > > </servlet-container>
> > > > > <handlers>
> > > > > <file name="welcome-content" path="${karaf.home}/welcome" />
> > > > > <!--<file name="docs-content" path="${karaf.home}/docs" />-->
> > > > > </handlers>
> > > > > <filters>
> > > > > <!-- filters for reference from /host/filter-ref and
> /host/location/filter-ref -->
> > > > > <response-header name="server-header" header-name="Server"
> header-value="Pax-HTTP-Undertow" />
> > > > > <response-header name="x-powered-by-header"
> header-name="X-Powered-By" header-value="Pax-HTTP-Undertow/7.2.16" />
> > > > > </filters>
> > > > > </subsystem>
> > > > >
> > > > > <!-- https://docs.jboss.org/author/display/WFLY/Security+Realms
> -->
> > > > > <!--
> > > > > we'll use "default" security realm by default to configure
> jaas/properties authentication
> > > > > (io.undertow.security.idm.IdentityManager):
> > > > > - w:jaas -
> org.ops4j.pax.web.service.undertow.internal.security.JaasIdentityManager
> > > > > - w:properties -
> org.ops4j.pax.web.service.undertow.internal.security.PropertiesIdentityManager
> > > > > -->
> > > > > <security-realm name="default">
> > > > > <w:authentication>
> > > > > <!-- JaasIdentityManager for given realm -->
> > > > > <w:jaas name="karaf" />
> > > > > <!-- OR PropertiesIdentityManager (mutually exclusive with
> <w:jaas>) -->
> > > > > <!--<w:properties path="users.properties" />-->
> > > > > </w:authentication>
> > > > >
> <user-principal-class-name>org.apache.karaf.jaas.boot.principal.UserPrincipal</user-principal-class-name>
> > > > >
> <role-principal-class-name>org.apache.karaf.jaas.boot.principal.RolePrincipal</role-principal-class-name>
> > > > > <!--<role-principal-class-name>...</role-principal-class-name>-->
> > > > > </security-realm>
> > > > > <!--
> > > > > Any security realm may be referenced by https-listener to define
> trust/keystore, protocols and cipher suites
> > > > > -->
> > > > > <security-realm name="https">
> > > > > <w:server-identities>
> > > > > <w:ssl>
> > > > > <!-- sun.security.ssl.ProtocolVersion -->
> > > > > <!-- sun.security.ssl.CipherSuite -->
> > > > > <!-- openssl ciphers 'ALL:eNULL' | sed -e 's/:/\n/g' | sort -->
> > > > > <w:engine
> > > > > enabled-cipher-suites="TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA384
> TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA384"
> > > > > enabled-protocols="TLSv1 TLSv1.1 TLSv1.2" />
> > > > > <w:keystore path="${karaf.etc}/server.p12" provider="PKCS12"
> alias="server"
> > > > > keystore-password="password" key-password="password"
> > > > > generate-self-signed-certificate-host="localhost" />
> > > > > </w:ssl>
> > > > > </w:server-identities>
> > > > > <w:authentication>
> > > > > <w:jaas name="karaf" />
> > > > > <w:truststore path="${karaf.etc}/truststore.jks" provider="JKS"
> keystore-password="password" />
> > > > > </w:authentication>
> > > > >
> <user-principal-class-name>org.apache.karaf.jaas.boot.principal.UserPrincipal</user-principal-class-name>
> > > > >
> <role-principal-class-name>org.apache.karaf.jaas.boot.principal.RolePrincipal</role-principal-class-name>
> > > > > </security-realm>
> > > > >
> > > > > <!-- Interface lists IP addresses to bind to -->
> > > > > <interface name="default">
> > > > > <w:inet-address value="0.0.0.0" />
> > > > > <!--<w:inet-address value="127.0.0.1" />-->
> > > > > </interface>
> > > > > <interface name="secure">
> > > > > <w:inet-address value="127.0.0.1" />
> > > > > </interface>
> > > > >
> > > > > <!-- Socket Binding adds port for each IP from referenced
> Interface -->
> > > > > <socket-binding name="http" interface="default"
> port="${org.osgi.service.http.port}" />
> > > > > <socket-binding name="https" interface="secure"
> port="${org.osgi.service.http.port.secure}" />
> > > > >
> > > > > </undertow>
>

Re: HTTPS with Karaf 4.2.9 and underpinning undertow web server

Posted by Grzegorz Grzybek <gr...@gmail.com>.
Hello

Sorry for the late response (holidays!), but I tried your example with only
tiny (not relevant) differences.

I used Karaf 4.2.9, but Camel 2.23.2. So I used
"org.apache.camel.component.servlet.osgi.OsgiServletRegisterer" instead of
"org.apache.camel.component.osgi.OsgiServletRegisterer", but no more
changes to blueprint.xml or etc/org.ops4j.pax.web.cfg.

However, I had ONE problem with TLS connection:

$ curl -k -v https://localhost:8443/camel/services/hello1
*   Trying ::1:8443...
* Connected to localhost (::1) port 8443 (#0)
* ALPN, offering h2
* ALPN, offering http/1.1
* successfully set certificate verify locations:
*   CAfile: /etc/pki/tls/certs/ca-bundle.crt
  CApath: none
* TLSv1.3 (OUT), TLS handshake, Client hello (1):
* OpenSSL SSL_connect: SSL_ERROR_SYSCALL in connection to localhost:8443
* Closing connection 0
curl: (35) OpenSSL SSL_connect: SSL_ERROR_SYSCALL in connection to
localhost:8443

I think (and I'll review it at some point in Pax Web itself) it's the
mismatch between "enabled-protocols" and "enabled-cipher-suites" in
undertow.xml: both configured suites are TLS 1.2-only, and the
TLS_ECDHE_ECDSA_* one can only be selected when the server key is ECDSA
(judging by the ECDHE-RSA suite negotiated below, mine is RSA), which
leaves a single usable suite; presumably the handshake is then dropped
without an alert, which is what SSL_ERROR_SYSCALL looks like from curl's
side. Please remove:

enabled-cipher-suites="TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA384
TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA384"

and it should work (note that a change to undertow.xml WON'T automatically
restart the relevant bundles). Two caveats: without the attribute the
listener accepts whatever suites the JVM enables by default, so if you want
a restricted set, keep an explicit list that matches your key type (for an
RSA key the TLS_ECDHE_RSA_WITH_AES_*_GCM_SHA* suites), and drop
"TLSv1 TLSv1.1" from enabled-protocols while you're at it — both are
deprecated and there is no reason to offer them on a port that carries the
webconsole and BASIC credentials. Also, I use `curl -k` below only because
the server certificate is issued by my private CA; outside a local smoke
test pass the CA with --cacert instead of turning verification off.

$ curl -k -v https://localhost:8443/camel/services/hello1
*   Trying ::1:8443...
* Connected to localhost (::1) port 8443 (#0)
* ALPN, offering h2
* ALPN, offering http/1.1
* successfully set certificate verify locations:
*   CAfile: /etc/pki/tls/certs/ca-bundle.crt
  CApath: none
* TLSv1.3 (OUT), TLS handshake, Client hello (1):
* TLSv1.3 (IN), TLS handshake, Server hello (2):
* TLSv1.2 (IN), TLS handshake, Certificate (11):
* TLSv1.2 (IN), TLS handshake, Server key exchange (12):
* TLSv1.2 (IN), TLS handshake, Server finished (14):
* TLSv1.2 (OUT), TLS handshake, Client key exchange (16):
* TLSv1.2 (OUT), TLS change cipher, Change cipher spec (1):
* TLSv1.2 (OUT), TLS handshake, Finished (20):
* TLSv1.2 (IN), TLS handshake, Finished (20):
* SSL connection using TLSv1.2 / ECDHE-RSA-AES256-GCM-SHA384
* ALPN, server did not agree to a protocol
* Server certificate:
*  subject: C=PL; ST=Dolny Śląsk; L=Wrocław; O=Red Hat; CN=localhost;
emailAddress=ggrzybek@redhat.com
*  start date: Aug 17 11:14:46 2017 GMT
*  expire date: Aug 17 11:14:46 2027 GMT
*  issuer: C=PL; ST=Dolny Śląsk; L=Wrocław; O=Red Hat; CN=everfree-ca;
emailAddress=ggrzybek@redhat.com
*  SSL certificate verify result: unable to get local issuer certificate
(20), continuing anyway.
> GET /camel/services/hello1 HTTP/1.1
> Host: localhost:8443
> User-Agent: curl/7.69.1
> Accept: */*
>
* Mark bundle as not supporting multiuse
< HTTP/1.1 200 OK
< Accept: */*
< Connection: keep-alive
< X-Powered-By: Pax-HTTP-Undertow/7.2.16
< breadcrumbId: ID-everfree-forest-1599112295273-1-1
< Server: Pax-HTTP-Undertow
< Transfer-Encoding: chunked
< User-Agent: curl/7.69.1
< Date: Thu, 03 Sep 2020 05:59:31 GMT
<
* Connection #0 to host localhost left intact
Hello 1

Two things worth checking in the response above before this is exposed
anywhere: it came back 200 with no Authorization header, while your log
shows a BASIC/"admin" security constraint being registered for
/camel/services/* (via an org.ops4j.pax.web.context configuration that I
presumably don't have here), so verify on your side that the endpoint still
answers 401 without credentials after the listener change. The reply also
echoes the inbound Accept and User-Agent headers, i.e. Camel propagates
request headers into the response, and it advertises the exact Pax Web
version through Server/X-Powered-By (the two filter-refs in undertow.xml,
which you can simply drop); if the endpoint faces clients you don't
control, configure header filtering on the servlet side so client-supplied
headers don't round-trip.

kind regards
Grzegorz Grzybek

pt., 7 sie 2020 o 11:53 Gerald Kallas <ca...@mailbox.org> napisał(a):

> Hi,
>
> I tried this out but it doesn't work properly (keystore and truststore are
> the same as with the Jetty setup; they're valid).
>
> See below my configuration and the log. The HTTPS listener starts but
> neither the webconsole nor the servlet does work.
>
> On client side I'm getting
>
> Error: Client network socket disconnected before secure TLS connection was
> established
>
>
> undertow.xml
>
> <?xml version="1.0" encoding="UTF-8"?>
> <!--
>    Licensed under the Apache License, Version 2.0 (the "License");
>    you may not use this file except in compliance with the License.
>    You may obtain a copy of the License at
>
>    http://www.apache.org/licenses/LICENSE-2.0
>
>    Unless required by applicable law or agreed to in writing, software
>    distributed under the License is distributed on an "AS IS" BASIS,
>    WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or
>    implied.
>
>    See the License for the specific language governing permissions and
>    limitations under the License.
> -->
> <undertow xmlns="urn:org.ops4j.pax.web:undertow:1.0"
>         xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
>         xmlns:w="urn:jboss:domain:5.0"
>         xmlns:io="urn:jboss:domain:io:3.0"
>         xsi:schemaLocation="
>             urn:jboss:domain:io:3.0
> http://www.jboss.org/schema/jbossas/wildfly-io_3_0.xsd
>             urn:jboss:domain:undertow:4.0
> http://www.jboss.org/schema/jbossas/wildfly-undertow_4_0.xsd
>             urn:jboss:domain:5.0
> http://www.jboss.org/schema/jbossas/wildfly-config_5_0.xsd">
>
>     <!--
>         Only "default" worker and buffer-pool are supported and can be
> used to override the default values
>         used by all listeners
>
>         buffer-pool:
>          - buffer-size defaults to:
>             - when < 64MB of Xmx: 512
>             - when < 128MB of Xmx: 1024
>             - when >= 128MB of Xmx: 16K - 20
>          - direct-buffers defaults to:
>             - when < 64MB of Xmx: false
>             - when >= 64MB of Xmx: true
>
>         worker:
>          - io-threads defaults to
> Math.max(Runtime.getRuntime().availableProcessors(), 2);
>          - task-core-threads and task-max-threads default to io-threads * 8
>     -->
>     <!--
>     <subsystem xmlns="urn:jboss:domain:io:3.0">
>         <buffer-pool name="default" buffer-size="16364"
> direct-buffers="true" />
>         <worker name="default" io-threads="8" task-core-threads="64"
> task-max-threads="64" />
>     </subsystem>
>     -->
>
>     <!--
> https://docs.jboss.org/author/display/WFLY/Undertow+subsystem+configuration
> -->
>     <subsystem xmlns="urn:jboss:domain:undertow:4.0">
>         <!-- org.wildfly.extension.undertow.BufferCacheDefinition -->
>         <buffer-cache name="default" buffer-size="1024"
> buffers-per-region="1024" max-regions="10" />
>         <server name="default-server">
>             <!-- HTTP(S) Listener references Socket Binding (and
> indirectly - Interfaces) -->
>             <!-- verify-client: org.xnio.SslClientAuthMode.NOT_REQUESTED,
> org.xnio.SslClientAuthMode.REQUESTED, org.xnio.SslClientAuthMode.REQUIRED.
> With NOT_REQUESTED no client certificate is asked for, so the w:truststore
> in the "https" realm below presumably plays no role; use REQUIRED if only
> clients with a certificate from that truststore should be accepted
> -->
>             <https-listener name="https" socket-binding="https"
>                     security-realm="https" verify-client="NOT_REQUESTED" />
>             <host name="default-host" alias="localhost">
>                 <!--<location name="/" handler="welcome-content" />-->
>                 <!--<location name="/docs" handler="docs-content" />-->
>                 <access-log directory="${karaf.data}/log" pattern="common"
> prefix="access_log." suffix="log" rotate="true" />
>                 <filter-ref name="server-header" />
>                 <filter-ref name="x-powered-by-header" />
>             </host>
>         </server>
>         <servlet-container name="default">
>             <jsp-config />
>             <websockets />
>             <welcome-files>
>                 <welcome-file name="index.html" />
>                 <welcome-file name="index.txt" />
>             </welcome-files>
>         </servlet-container>
>         <handlers>
>             <file name="welcome-content" path="${karaf.home}/welcome" />
>             <!--<file name="docs-content" path="${karaf.home}/docs" />-->
>         </handlers>
>         <filters>
>             <!-- filters for reference from /host/filter-ref and
> /host/location/filter-ref -->
>             <response-header name="server-header" header-name="Server"
> header-value="Pax-HTTP-Undertow" />
>             <response-header name="x-powered-by-header"
> header-name="X-Powered-By" header-value="Pax-HTTP-Undertow/7.2.16" />
>         </filters>
>     </subsystem>
>
>     <!-- https://docs.jboss.org/author/display/WFLY/Security+Realms -->
>     <!--
>         we'll use "default" security realm by default to configure
> jaas/properties authentication
>         (io.undertow.security.idm.IdentityManager):
>          - w:jaas -
> org.ops4j.pax.web.service.undertow.internal.security.JaasIdentityManager
>          - w:properties -
> org.ops4j.pax.web.service.undertow.internal.security.PropertiesIdentityManager
>     -->
>     <security-realm name="default">
>         <w:authentication>
>             <!-- JaasIdentityManager for given realm -->
>             <w:jaas name="karaf" />
>             <!-- OR PropertiesIdentityManager (mutually exclusive with
> <w:jaas>) -->
>             <!--<w:properties path="users.properties" />-->
>         </w:authentication>
>
> <user-principal-class-name>org.apache.karaf.jaas.boot.principal.UserPrincipal</user-principal-class-name>
>
> <role-principal-class-name>org.apache.karaf.jaas.boot.principal.RolePrincipal</role-principal-class-name>
>         <!--<role-principal-class-name>...</role-principal-class-name>-->
>     </security-realm>
>     <!--
>         Any security realm may be referenced by https-listener to define
> trust/keystore, protocols and cipher suites.
>         The keystore/truststore passwords below are the literal "password" in a
>         file under etc/; if those are the real values, change them and keep the
>         file readable by the Karaf user only. Judging by its name,
>         generate-self-signed-certificate-host will create an untrusted
>         self-signed certificate when server.p12 is absent, so make sure the
>         keystore really exists at the configured path.
>     -->
>     <security-realm name="https">
>         <w:server-identities>
>             <w:ssl>
>                 <!-- sun.security.ssl.ProtocolVersion -->
>                 <!-- sun.security.ssl.CipherSuite -->
>                 <!-- openssl ciphers 'ALL:eNULL' | sed -e 's/:/\n/g' |
> sort -->
>                 <!-- TLSv1 and TLSv1.1 are deprecated and the CBC_SHA384 suites
>                      listed here are TLS 1.2-only; prefer enabled-protocols="TLSv1.2"
>                      (plus TLSv1.3 where the JVM offers it) and GCM suites that
>                      match the key type stored in server.p12 -->
>                 <w:engine
>
> enabled-cipher-suites="TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA384
> TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA384"
>                         enabled-protocols="TLSv1 TLSv1.1 TLSv1.2" />
>                 <w:keystore path="${karaf.etc}/server.p12"
> provider="PKCS12" alias="server"
>                         keystore-password="password"
> key-password="password"
>                         generate-self-signed-certificate-host="localhost"
> />
>             </w:ssl>
>         </w:server-identities>
>         <w:authentication>
>             <w:jaas name="karaf" />
>             <w:truststore path="${karaf.etc}/truststore.jks"
> provider="JKS" keystore-password="password" />
>         </w:authentication>
>
> <user-principal-class-name>org.apache.karaf.jaas.boot.principal.UserPrincipal</user-principal-class-name>
>
> <role-principal-class-name>org.apache.karaf.jaas.boot.principal.RolePrincipal</role-principal-class-name>
>     </security-realm>
>
>     <!-- Interface lists IP addresses to bind to. NOTE: the shipped template binds
>          the "secure" interface to 127.0.0.1; 0.0.0.0 below puts the HTTPS listener,
>          and with it the webconsole, on every interface of the host -->
>     <interface name="secure">
>         <w:inet-address value="0.0.0.0" />
>     </interface>
>
>     <!-- Socket Binding adds port for each IP from referenced Interface -->
>     <socket-binding name="https" interface="secure"
> port="${org.osgi.service.http.port.secure}" />
>
> </undertow>
>
>
> org.ops4j.pax.web.cfg
>
>
> org.osgi.service.http.enabled=false
>
> org.osgi.service.http.secure.enabled=true
> org.osgi.service.http.port.secure=8443
>
> javax.servlet.context.tempdir=${karaf.data}/pax-web-jsp
> #org.ops4j.pax.web.config.file=${karaf.etc}/undertow.properties
> org.ops4j.pax.web.config.file=${karaf.etc}/undertow.xml
> org.apache.karaf.features.configKey = org.ops4j.pax.web
>
>
> servlet (hello1.xml)
>
> <blueprint xmlns="http://www.osgi.org/xmlns/blueprint/v1.0.0"
>            xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
>            xsi:schemaLocation="http://www.osgi.org/xmlns/blueprint/v1.0.0
>            https://www.osgi.org/xmlns/blueprint/v1.0.0/blueprint.xsd">
>
>         <reference id="httpService"
> interface="org.osgi.service.http.HttpService" />
>
>         <bean id="camelServlet"
> class="org.apache.camel.component.servlet.CamelHttpTransportServlet"/>
>
>         <bean class="org.apache.camel.component.osgi.OsgiServletRegisterer"
>          init-method="register"
>          destroy-method="unregister">
>                 <property name="servletName" value="httpServlet" />
>                 <property name="alias" value="/camel/services" />
>                 <property name="httpService" ref="httpService" />
>                 <property name="servlet" ref="camelServlet" />
>         </bean>
>
>         <bean id="servlet"
> class="org.apache.camel.component.servlet.ServletComponent" />
>
>         <camelContext xmlns="http://camel.apache.org/schema/blueprint">
>                 <route>
>                         <from
> uri="servlet://hello1?servletName=httpServlet" />
>                         <setBody>
>                                 <constant>Hello 1</constant>
>                         </setBody>
>                 </route>
>         </camelContext>
>
> </blueprint>
>
>
> log excerpt
>
> 2020-08-07T11:47:29,596 | INFO  | paxweb-config-1-thread-1 |
> ServerControllerImpl             | 63 - org.ops4j.pax.web.pax-web-undertow
> - 7.2.16 | Using
> "file:/E:/apache-karaf/apache-karaf-4.2.9/etc/undertow.xml" to configure
> Undertow
> 2020-08-07T11:47:29,848 | INFO  | paxweb-config-1-thread-1 |
> ServerControllerImpl             | 63 - org.ops4j.pax.web.pax-web-undertow
> - 7.2.16 | Starting undertow https listener on 0.0.0.0:8443
> 2020-08-07T11:47:29,985 | INFO  | FelixStartLevel  |
> BlueprintContainerImpl           | 69 - org.apache.aries.blueprint.core -
> 1.10.2 | Blueprint bundle hello1.xml/0.0.0 is waiting for dependencies
> [(objectClass=org.osgi.service.http.HttpService)]
> 2020-08-07T11:47:29,987 | INFO  | activator-1-thread-2 |
> BouncyCastleSecurityProviderRegistrar | 38 - org.apache.sshd.core - 1.7.0 |
> getOrCreateProvider(BC) created instance of
> org.bouncycastle.jce.provider.BouncyCastleProvider
> 2020-08-07T11:47:30,286 | INFO  | activator-1-thread-2 | CommandExtension
>                | 34 - org.apache.karaf.shell.core - 4.2.9 | Registering
> commands for bundle org.apache.karaf.features.command/4.2.9
> 2020-08-07T11:47:30,446 | INFO  | activator-1-thread-3 | CommandExtension
>                | 34 - org.apache.karaf.shell.core - 4.2.9 | Registering
> commands for bundle org.apache.karaf.kar.core/4.2.9
> 2020-08-07T11:47:30,487 | INFO  | activator-1-thread-2 | Activator
>                 | 18 - org.apache.karaf.deployer.features - 4.2.9 |
> Deployment finished. Registering FeatureDeploymentListener
> 2020-08-07T11:47:30,543 | INFO  | activator-1-thread-2 | FeaturesPlugin
>                | 140 - org.apache.karaf.webconsole.features - 4.2.9 |
> Features plugin deactivated
> 2020-08-07T11:47:30,544 | INFO  | activator-1-thread-2 | FeaturesPlugin
>                | 140 - org.apache.karaf.webconsole.features - 4.2.9 |
> Features plugin activated
> 2020-08-07T11:47:30,839 | INFO  | paxweb-config-1-thread-1 |
> ServerControllerImpl             | 63 - org.ops4j.pax.web.pax-web-undertow
> - 7.2.16 | Using in-memory session persistence
> 2020-08-07T11:47:30,864 | INFO  | paxweb-config-1-thread-1 |
> HttpServiceFactoryImpl           | 61 - org.ops4j.pax.web.pax-web-runtime -
> 7.2.16 | Binding bundle: [org.apache.karaf.webconsole.console [139]] to
> http service
> 2020-08-07T11:47:31,000 | INFO  | paxweb-config-1-thread-1 | Context
>                     | 63 - org.ops4j.pax.web.pax-web-undertow - 7.2.16 |
> registering context DefaultHttpContext
> [bundle=org.apache.karaf.webconsole.console [139], contextID=custom], with
> context path: /
> 2020-08-07T11:47:31,011 | INFO  | paxweb-config-1-thread-1 | Context
>                     | 63 - org.ops4j.pax.web.pax-web-undertow - 7.2.16 |
> Starting context /
> 2020-08-07T11:47:31,013 | WARN  | paxweb-config-1-thread-1 | PathMatcher
>                     | 63 - org.ops4j.pax.web.pax-web-undertow - 7.2.16 |
> Overwriting existing default context
> io.undertow.server.handlers.PathHandler@382344b0 with a new one
> org.ops4j.pax.web.service.undertow.internal.Context@8c1553c
> 2020-08-07T11:47:31,034 | INFO  | paxweb-config-1-thread-1 | Context
>                     | 63 - org.ops4j.pax.web.pax-web-undertow - 7.2.16 |
> Adding implicit "default" servlet
> 2020-08-07T11:47:31,047 | INFO  | paxweb-config-1-thread-1 |
> ServletContainerInitializerScanner | 60 - org.ops4j.pax.web.pax-web-api -
> 7.2.16 | will add io.undertow.servlet.sse.ServerSentEventSCI to
> ServletContainerInitializers
> 2020-08-07T11:47:31,048 | WARN  | paxweb-config-1-thread-1 |
> ServletContainerInitializerScanner | 60 - org.ops4j.pax.web.pax-web-api -
> 7.2.16 | failed to parse and instantiate of
> javax.servlet.ServletContainerInitializer in classpath
> 2020-08-07T11:47:31,070 | INFO  | paxweb-config-1-thread-1 | Context
>                     | 63 - org.ops4j.pax.web.pax-web-undertow - 7.2.16 |
> Creating undertow servlet deployment for context path /...
> 2020-08-07T11:47:31,224 | INFO  | paxweb-config-1-thread-1 | Context
>                     | 63 - org.ops4j.pax.web.pax-web-undertow - 7.2.16 |
> Creating undertow servlet deployment for context path / - done
> 2020-08-07T11:47:31,225 | INFO  | paxweb-config-1-thread-1 | Context
>                     | 63 - org.ops4j.pax.web.pax-web-undertow - 7.2.16 |
> Registering io.undertow.servlet.spec.ServletContextImpl@e72855b as OSGi
> service...
> 2020-08-07T11:47:31,236 | INFO  | paxweb-config-1-thread-1 | Context
>                     | 63 - org.ops4j.pax.web.pax-web-undertow - 7.2.16 |
> Registering io.undertow.servlet.spec.ServletContextImpl@e72855b as OSGi
> service - done
> 2020-08-07T11:47:31,237 | INFO  | paxweb-config-1-thread-1 | Context
>                     | 63 - org.ops4j.pax.web.pax-web-undertow - 7.2.16 |
> Starting Undertow web application for context path /
> 2020-08-07T11:47:31,271 | INFO  | paxweb-config-1-thread-1 |
> HttpServiceFactoryImpl           | 61 - org.ops4j.pax.web.pax-web-runtime -
> 7.2.16 | Binding bundle: [org.apache.karaf.http.core [126]] to http service
> 2020-08-07T11:47:31,272 | INFO  | paxweb-config-1-thread-1 | Activator
>                     | 61 - org.ops4j.pax.web.pax-web-runtime - 7.2.16 |
> Starting server controller
> org.ops4j.pax.web.service.undertow.internal.ServerControllerImpl
> 2020-08-07T11:47:31,332 | INFO  | activator-1-thread-2 | CommandExtension
>                | 34 - org.apache.karaf.shell.core - 4.2.9 | Registering
> commands for bundle org.apache.karaf.http.core/4.2.9
> 2020-08-07T11:47:31,436 | INFO  | activator-1-thread-2 | HttpPlugin
>                | 142 - org.apache.karaf.webconsole.http - 4.2.9 | Http
> plugin activated
> 2020-08-07T11:47:31,487 | INFO  | Blueprint Extender: 1 | LRUCacheFactory
>                 | 108 - org.apache.camel.camel-support - 3.4.2 | Detected
> and using LRUCacheFactory: camel-caffeine-lrucache
> 2020-08-07T11:47:31,489 | INFO  | CM Configuration Updater
> (ManagedServiceFactory Update: factoryPid=[org.ops4j.pax.web.context]) |
> HttpContextProcessing            | 61 - org.ops4j.pax.web.pax-web-runtime -
> 7.2.16 | Updated configuration for
> pid=org.ops4j.pax.web.context.dff8c6e5-f690-4ac6-9268-d87fc0dce06d
> 2020-08-07T11:47:31,538 | INFO  | paxweb-context-2-thread-1 |
> HttpContextProcessing            | 61 - org.ops4j.pax.web.pax-web-runtime -
> 7.2.16 | Found bundle "hello1.xml", scheduling customization of its
> WebContainer
> 2020-08-07T11:47:31,539 | INFO  | paxweb-context-2-thread-1 |
> HttpContextProcessing            | 61 - org.ops4j.pax.web.pax-web-runtime -
> 7.2.16 | Customizing WebContainer for bundle hello1.xml/0.0.0
> 2020-08-07T11:47:31,539 | INFO  | paxweb-context-2-thread-1 |
> HttpServiceFactoryImpl           | 61 - org.ops4j.pax.web.pax-web-runtime -
> 7.2.16 | Binding bundle: [hello1.xml [134]] to http service
> 2020-08-07T11:47:31,542 | INFO  | paxweb-context-2-thread-1 |
> HttpContextProcessing            | 61 - org.ops4j.pax.web.pax-web-runtime -
> 7.2.16 | Registering login configuration in WebContainer for bundle
> "hello1.xml": method=BASIC, realm=karaf
> 2020-08-07T11:47:31,545 | INFO  | paxweb-context-2-thread-1 |
> HttpContextProcessing            | 61 - org.ops4j.pax.web.pax-web-runtime -
> 7.2.16 | Registering security mappings in WebContainer for bundle
> "hello1.xml": SecurityConstraintsMapping{name='constraint.1',
> url='/camel/services/*', roles=[admin]}
> 2020-08-07T11:47:31,550 | INFO  | paxweb-context-2-thread-1 | Context
>                     | 63 - org.ops4j.pax.web.pax-web-undertow - 7.2.16 |
> registering context DefaultHttpContext [bundle=hello1.xml [134],
> contextID=default], with context path: /
> 2020-08-07T11:47:31,555 | INFO  | paxweb-context-2-thread-1 | Context
>                     | 63 - org.ops4j.pax.web.pax-web-undertow - 7.2.16 |
> Starting context /
> 2020-08-07T11:47:31,610 | WARN  | paxweb-context-2-thread-1 | PathMatcher
>                     | 63 - org.ops4j.pax.web.pax-web-undertow - 7.2.16 |
> Overwriting existing default context
> org.ops4j.pax.web.service.undertow.internal.Context@8c1553c with a new
> one org.ops4j.pax.web.service.undertow.internal.Context@681b959c
> 2020-08-07T11:47:31,616 | INFO  | paxweb-context-2-thread-1 | Context
>                     | 63 - org.ops4j.pax.web.pax-web-undertow - 7.2.16 |
> Adding implicit "default" servlet
> 2020-08-07T11:47:31,624 | INFO  | paxweb-context-2-thread-1 |
> ServletContainerInitializerScanner | 60 - org.ops4j.pax.web.pax-web-api -
> 7.2.16 | will add io.undertow.servlet.sse.ServerSentEventSCI to
> ServletContainerInitializers
> 2020-08-07T11:47:31,686 | INFO  | paxweb-context-2-thread-1 |
> ServletContainerInitializerScanner | 60 - org.ops4j.pax.web.pax-web-api -
> 7.2.16 | added ServletContainerInitializer:
> io.undertow.servlet.sse.ServerSentEventSCI
> 2020-08-07T11:47:31,697 | INFO  | paxweb-context-2-thread-1 | Context
>                     | 63 - org.ops4j.pax.web.pax-web-undertow - 7.2.16 |
> Creating undertow servlet deployment for context path /...
> 2020-08-07T11:47:31,716 | INFO  | paxweb-context-2-thread-1 | Context
>                     | 63 - org.ops4j.pax.web.pax-web-undertow - 7.2.16 |
> Creating undertow servlet deployment for context path / - done
> 2020-08-07T11:47:31,717 | INFO  | paxweb-context-2-thread-1 | Context
>                     | 63 - org.ops4j.pax.web.pax-web-undertow - 7.2.16 |
> Registering io.undertow.servlet.spec.ServletContextImpl@757d3a20 as OSGi
> service...
> 2020-08-07T11:47:31,728 | INFO  | paxweb-context-2-thread-1 | Context
>                     | 63 - org.ops4j.pax.web.pax-web-undertow - 7.2.16 |
> Registering io.undertow.servlet.spec.ServletContextImpl@757d3a20 as OSGi
> service - done
> 2020-08-07T11:47:31,729 | INFO  | paxweb-context-2-thread-1 | Context
>                     | 63 - org.ops4j.pax.web.pax-web-undertow - 7.2.16 |
> Starting Undertow web application for context path /
> 2020-08-07T11:47:32,115 | INFO  | Blueprint Extender: 1 |
> BlueprintContainerImpl           | 69 - org.apache.aries.blueprint.core -
> 1.10.2 | Blueprint bundle hello1.xml/0.0.0 has been started
> 2020-08-07T11:47:32,118 | INFO  | Blueprint Event Dispatcher: 1 |
> BlueprintCamelContext            | 119 -
> org.apache.camel.karaf.camel-blueprint - 3.4.2 | Attempting to start
> CamelContext: camel-1
> 2020-08-07T11:47:32,165 | INFO  | Blueprint Event Dispatcher: 1 |
> JmxManagementStrategy            | 98 - org.apache.camel.camel-management -
> 3.4.2 | JMX is enabled
> 2020-08-07T11:47:32,418 | INFO  | Blueprint Event Dispatcher: 1 |
> AbstractCamelContext             | 76 - org.apache.camel.camel-base - 3.4.2
> | Apache Camel 3.4.2 (camel-1) is starting
> 2020-08-07T11:47:33,264 | INFO  | Blueprint Event Dispatcher: 1 |
> AbstractCamelContext             | 76 - org.apache.camel.camel-base - 3.4.2
> | StreamCaching is not in use. If using streams then its recommended to
> enable stream caching. See more details at
> http://camel.apache.org/stream-caching.html
> 2020-08-07T11:47:33,265 | INFO  | Blueprint Event Dispatcher: 1 |
> AbstractCamelContext             | 76 - org.apache.camel.camel-base - 3.4.2
> | Using HealthCheck: camel-health
> 2020-08-07T11:47:33,361 | INFO  | Blueprint Event Dispatcher: 1 |
> InternalRouteStartupManager      | 76 - org.apache.camel.camel-base - 3.4.2
> | Route: route1 started and consuming from: servlet:/hello1
> 2020-08-07T11:47:33,369 | INFO  | Blueprint Event Dispatcher: 1 |
> AbstractCamelContext             | 76 - org.apache.camel.camel-base - 3.4.2
> | Total 1 routes, of which 1 are started
> 2020-08-07T11:47:33,370 | INFO  | Blueprint Event Dispatcher: 1 |
> AbstractCamelContext             | 76 - org.apache.camel.camel-base - 3.4.2
> | Apache Camel 3.4.2 (camel-1) started in 0.951 seconds
>
>
> > Grzegorz Grzybek <gr...@gmail.com> hat am 07.08.2020 11:07
> geschrieben:
> >
> >
> > Hello
> >
> > In theory (I can't check now), you have to:
> >
> > 1. comment out <http-listener name="http" socket-binding="http" />
> > 2. ensure that org.ops4j.pax.web PID has org.osgi.service.http.enabled =
> false (so pax-web-undertow won't try to recreate the non-secure listener if
> it's not available in etc/undertow.xml)
> >
> > regards
> > Grzegorz Grzybek
> >
> >
> > pt., 7 sie 2020 o 10:52 Gerald Kallas <ca...@mailbox.org> napisał(a):
> > > Thanks, Grzegorz for the explanation.
> > >
> > > At the moment I'd be happy to use HTTPS (on 8443) only for all web
> related services (web console, servlets) w/ undertow and disable HTTP (on
> 8181). Could this be reached with the setup I have?
> > >
> > > Thanks
> > > - Gerald
> > >
> > > > Grzegorz Grzybek <gr...@gmail.com> hat am 07.08.2020 10:47
> geschrieben:
> > > >
> > > >
> > > > Hello
> > > >
> > > > Unfortunately it is not possible to use the internal (managed by Pax
> Web) servlet runtime selectively - by specifying which listener (or more
> generally - virtual host) should be used for the servlets created and
> registered by Camel into HttpService (Pax Web) runtime.
> > > >
> > > > pax-web-jetty has partial (legacy, non-standard from the point of
> view of OSGi CMPN specification) support for virtual hosts where a
> Whiteboard-registered servlet (or filter, or other "web element") may
> specify a comma-separated list of virtual host/connector names. But that's
> only for Jetty.
> > > >
> > > > I'm still working on refactoring Pax Web 8 and I plan to have
> unified "experience" for dealing with separate connectors/virtual hosts
> across Jetty/Tomcat/Undertow runtimes, but it'll come only in Pax Web 8.
> > > >
> > > > regards
> > > > Grzegorz Grzybek
> > > >
> > > >
> > > > pt., 7 sie 2020 o 10:34 Gerald Kallas <ca...@mailbox.org>
> napisał(a):
> > > > > Dear all,
> > > > >
> > > > > following the guidance in the ticket
> > > > >
> > > > > https://issues.apache.org/jira/browse/KARAF-6772
> > > > >
> > > > > I was setting up a vanilla Karaf 4.2.9 with the following features
> > > > >
> > > > > feature:repo-add camel 3.4.2
> > > > > feature:install pax-http-undertow
> > > > > feature:install camel camel-servlet webconsole
> > > > >
> > > > > I wonder how I can bind the webconsole and the servlet consumer in
> the camel routes to the HTTPS port. My undertow.xml see below. I tried to
> change the org.ops4j.pax.web.cfg but with no success.
> > > > >
> > > > > Any hints are appreciated.
> > > > >
> > > > > Thanks
> > > > > - Gerald
> > > > >
> > > > >
> > > > > <?xml version="1.0" encoding="UTF-8"?>
> > > > > <!--
> > > > > Licensed under the Apache License, Version 2.0 (the "License");
> > > > > you may not use this file except in compliance with the License.
> > > > > You may obtain a copy of the License at
> > > > >
> > > > > http://www.apache.org/licenses/LICENSE-2.0
> > > > >
> > > > > Unless required by applicable law or agreed to in writing, software
> > > > > distributed under the License is distributed on an "AS IS" BASIS,
> > > > > WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or
> > > > > implied.
> > > > >
> > > > > See the License for the specific language governing permissions and
> > > > > limitations under the License.
> > > > > -->
> > > > > <undertow xmlns="urn:org.ops4j.pax.web:undertow:1.0"
> > > > > xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
> > > > > xmlns:w="urn:jboss:domain:5.0"
> > > > > xmlns:io="urn:jboss:domain:io:3.0"
> > > > > xsi:schemaLocation="
> > > > > urn:jboss:domain:io:3.0
> http://www.jboss.org/schema/jbossas/wildfly-io_3_0.xsd
> > > > > urn:jboss:domain:undertow:4.0
> http://www.jboss.org/schema/jbossas/wildfly-undertow_4_0.xsd
> > > > > urn:jboss:domain:5.0
> http://www.jboss.org/schema/jbossas/wildfly-config_5_0.xsd">
> > > > >
> > > > > <!--
> > > > > Only "default" worker and buffer-pool are supported and can be
> used to override the default values
> > > > > used by all listeners
> > > > >
> > > > > buffer-pool:
> > > > > - buffer-size defaults to:
> > > > > - when < 64MB of Xmx: 512
> > > > > - when < 128MB of Xmx: 1024
> > > > > - when >= 128MB of Xmx: 16K - 20
> > > > > - direct-buffers defaults to:
> > > > > - when < 64MB of Xmx: false
> > > > > - when >= 64MB of Xmx: true
> > > > >
> > > > > worker:
> > > > > - io-threads defaults to
> Math.max(Runtime.getRuntime().availableProcessors(), 2);
> > > > > - task-core-threads and task-max-threads default to io-threads * 8
> > > > > -->
> > > > > <!--
> > > > > <subsystem xmlns="urn:jboss:domain:io:3.0">
> > > > > <buffer-pool name="default" buffer-size="16364"
> direct-buffers="true" />
> > > > > <worker name="default" io-threads="8" task-core-threads="64"
> task-max-threads="64" />
> > > > > </subsystem>
> > > > > -->
> > > > >
> > > > > <!--
> https://docs.jboss.org/author/display/WFLY/Undertow+subsystem+configuration
> -->
> > > > > <subsystem xmlns="urn:jboss:domain:undertow:4.0">
> > > > > <!-- org.wildfly.extension.undertow.BufferCacheDefinition -->
> > > > > <buffer-cache name="default" buffer-size="1024"
> buffers-per-region="1024" max-regions="10" />
> > > > > <server name="default-server">
> > > > > <!-- HTTP(S) Listener references Socket Binding (and indirectly -
> Interfaces) -->
> > > > > <http-listener name="http" socket-binding="http" />
> > > > > <!-- verify-client: org.xnio.SslClientAuthMode.NOT_REQUESTED,
> org.xnio.SslClientAuthMode.REQUESTED, org.xnio.SslClientAuthMode.REQUIRED
> -->
> > > > > <https-listener name="https" socket-binding="https"
> > > > > security-realm="https" verify-client="NOT_REQUESTED" />
> > > > > <host name="default-host" alias="localhost">
> > > > > <!--<location name="/" handler="welcome-content" />-->
> > > > > <!--<location name="/docs" handler="docs-content" />-->
> > > > > <access-log directory="${karaf.data}/log" pattern="common"
> prefix="access_log." suffix="log" rotate="true" />
> > > > > <filter-ref name="server-header" />
> > > > > <filter-ref name="x-powered-by-header" />
> > > > > </host>
> > > > > </server>
> > > > > <servlet-container name="default">
> > > > > <jsp-config />
> > > > > <websockets />
> > > > > <welcome-files>
> > > > > <welcome-file name="index.html" />
> > > > > <welcome-file name="index.txt" />
> > > > > </welcome-files>
> > > > > </servlet-container>
> > > > > <handlers>
> > > > > <file name="welcome-content" path="${karaf.home}/welcome" />
> > > > > <!--<file name="docs-content" path="${karaf.home}/docs" />-->
> > > > > </handlers>
> > > > > <filters>
> > > > > <!-- filters for reference from /host/filter-ref and
> /host/location/filter-ref -->
> > > > > <response-header name="server-header" header-name="Server"
> header-value="Pax-HTTP-Undertow" />
> > > > > <response-header name="x-powered-by-header"
> header-name="X-Powered-By" header-value="Pax-HTTP-Undertow/7.2.16" />
> > > > > </filters>
> > > > > </subsystem>
> > > > >
> > > > > <!-- https://docs.jboss.org/author/display/WFLY/Security+Realms
> -->
> > > > > <!--
> > > > > we'll use "default" security realm by default to configure
> jaas/properties authentication
> > > > > (io.undertow.security.idm.IdentityManager):
> > > > > - w:jaas -
> org.ops4j.pax.web.service.undertow.internal.security.JaasIdentityManager
> > > > > - w:properties -
> org.ops4j.pax.web.service.undertow.internal.security.PropertiesIdentityManager
> > > > > -->
> > > > > <security-realm name="default">
> > > > > <w:authentication>
> > > > > <!-- JaasIdentityManager for given realm -->
> > > > > <w:jaas name="karaf" />
> > > > > <!-- OR PropertiesIdentityManager (mutually exclusive with
> <w:jaas>) -->
> > > > > <!--<w:properties path="users.properties" />-->
> > > > > </w:authentication>
> > > > >
> <user-principal-class-name>org.apache.karaf.jaas.boot.principal.UserPrincipal</user-principal-class-name>
> > > > >
> <role-principal-class-name>org.apache.karaf.jaas.boot.principal.RolePrincipal</role-principal-class-name>
> > > > > <!--<role-principal-class-name>...</role-principal-class-name>-->
> > > > > </security-realm>
> > > > > <!--
> > > > > Any security realm may be referenced by https-listener to define
> trust/keystore, protocols and cipher suites
> > > > > -->
> > > > > <security-realm name="https">
> > > > > <w:server-identities>
> > > > > <w:ssl>
> > > > > <!-- sun.security.ssl.ProtocolVersion -->
> > > > > <!-- sun.security.ssl.CipherSuite -->
> > > > > <!-- openssl ciphers 'ALL:eNULL' | sed -e 's/:/\n/g' | sort -->
> > > > > <w:engine
> > > > > enabled-cipher-suites="TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA384
> TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA384"
> > > > > enabled-protocols="TLSv1 TLSv1.1 TLSv1.2" />
> > > > > <w:keystore path="${karaf.etc}/server.p12" provider="PKCS12"
> alias="server"
> > > > > keystore-password="password" key-password="password"
> > > > > generate-self-signed-certificate-host="localhost" />
> > > > > </w:ssl>
> > > > > </w:server-identities>
> > > > > <w:authentication>
> > > > > <w:jaas name="karaf" />
> > > > > <w:truststore path="${karaf.etc}/truststore.jks" provider="JKS"
> keystore-password="password" />
> > > > > </w:authentication>
> > > > >
> <user-principal-class-name>org.apache.karaf.jaas.boot.principal.UserPrincipal</user-principal-class-name>
> > > > >
> <role-principal-class-name>org.apache.karaf.jaas.boot.principal.RolePrincipal</role-principal-class-name>
> > > > > </security-realm>
> > > > >
> > > > > <!-- Interface lists IP addresses to bind to -->
> > > > > <interface name="default">
> > > > > <w:inet-address value="0.0.0.0" />
> > > > > <!--<w:inet-address value="127.0.0.1" />-->
> > > > > </interface>
> > > > > <interface name="secure">
> > > > > <w:inet-address value="127.0.0.1" />
> > > > > </interface>
> > > > >
> > > > > <!-- Socket Binding adds port for each IP from referenced
> Interface -->
> > > > > <socket-binding name="http" interface="default"
> port="${org.osgi.service.http.port}" />
> > > > > <socket-binding name="https" interface="secure"
> port="${org.osgi.service.http.port.secure}" />
> > > > >
> > > > > </undertow>
>

Re: HTTPS with Karaf 4.2.9 and underpinning undertow web server

Posted by Gerald Kallas <ca...@mailbox.org>.
Hi,

I tried this out but it doesn't work properly. (The keystore and truststore are the same as with the Jetty setup; they're valid.)

See my configuration and the log below. The HTTPS listener starts, but neither the webconsole nor the servlet works.

On client side I'm getting

Error: Client network socket disconnected before secure TLS connection was established


undertow.xml

<?xml version="1.0" encoding="UTF-8"?>
<!--
   Licensed under the Apache License, Version 2.0 (the "License");
   you may not use this file except in compliance with the License.
   You may obtain a copy of the License at

   http://www.apache.org/licenses/LICENSE-2.0

   Unless required by applicable law or agreed to in writing, software
   distributed under the License is distributed on an "AS IS" BASIS,
   WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or
   implied.

   See the License for the specific language governing permissions and
   limitations under the License.
-->
<!--
    Pax Web Undertow configuration, HTTPS only: the plain http-listener and its
    "http" socket-binding have been removed, so only the "https" listener defined
    below is started (the log excerpt shows a single listener on 0.0.0.0:8443).
    The plain listener must also stay disabled in org.ops4j.pax.web.cfg
    (org.osgi.service.http.enabled=false); per the advice quoted earlier in this
    thread, Pax Web otherwise recreates the non-secure listener itself.
-->
<undertow xmlns="urn:org.ops4j.pax.web:undertow:1.0"
        xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
        xmlns:w="urn:jboss:domain:5.0"
        xmlns:io="urn:jboss:domain:io:3.0"
        xsi:schemaLocation="
            urn:jboss:domain:io:3.0 http://www.jboss.org/schema/jbossas/wildfly-io_3_0.xsd
            urn:jboss:domain:undertow:4.0 http://www.jboss.org/schema/jbossas/wildfly-undertow_4_0.xsd
            urn:jboss:domain:5.0 http://www.jboss.org/schema/jbossas/wildfly-config_5_0.xsd">

    <!--
        Only "default" worker and buffer-pool are supported and can be used to override the default values
        used by all listeners

        buffer-pool:
         - buffer-size defaults to:
            - when < 64MB of Xmx: 512
            - when < 128MB of Xmx: 1024
            - when >= 128MB of Xmx: 16K - 20
         - direct-buffers defaults to:
            - when < 64MB of Xmx: false
            - when >= 64MB of Xmx: true

        worker:
         - io-threads defaults to Math.max(Runtime.getRuntime().availableProcessors(), 2);
         - task-core-threads and task-max-threads default to io-threads * 8
    -->
    <!--
    <subsystem xmlns="urn:jboss:domain:io:3.0">
        <buffer-pool name="default" buffer-size="16364" direct-buffers="true" />
        <worker name="default" io-threads="8" task-core-threads="64" task-max-threads="64" />
    </subsystem>
    -->

    <!-- https://docs.jboss.org/author/display/WFLY/Undertow+subsystem+configuration -->
    <subsystem xmlns="urn:jboss:domain:undertow:4.0">
        <!-- org.wildfly.extension.undertow.BufferCacheDefinition -->
        <buffer-cache name="default" buffer-size="1024" buffers-per-region="1024" max-regions="10" />
        <server name="default-server">
            <!-- HTTP(S) Listener references Socket Binding (and indirectly - Interfaces) -->
            <!-- verify-client: org.xnio.SslClientAuthMode.NOT_REQUESTED, org.xnio.SslClientAuthMode.REQUESTED, org.xnio.SslClientAuthMode.REQUIRED -->
            <!--
                The only listener in this file. With verify-client="NOT_REQUESTED" no
                client certificate is asked for, so the truststore configured in the
                "https" realm below presumably has no effect on client authentication
                (confirm against Pax Web); switch to REQUIRED if mutual TLS is intended.
            -->
            <https-listener name="https" socket-binding="https"
                    security-realm="https" verify-client="NOT_REQUESTED" />
            <host name="default-host" alias="localhost">
                <!--<location name="/" handler="welcome-content" />-->
                <!--<location name="/docs" handler="docs-content" />-->
                <access-log directory="${karaf.data}/log" pattern="common" prefix="access_log." suffix="log" rotate="true" />
                <filter-ref name="server-header" />
                <!--
                    Hardening note: the x-powered-by-header filter (see <filters>) sends
                    the exact Pax Web version to every client. Remove this filter-ref if
                    version disclosure is not wanted.
                -->
                <filter-ref name="x-powered-by-header" />
            </host>
        </server>
        <servlet-container name="default">
            <jsp-config />
            <websockets />
            <welcome-files>
                <welcome-file name="index.html" />
                <welcome-file name="index.txt" />
            </welcome-files>
        </servlet-container>
        <handlers>
            <file name="welcome-content" path="${karaf.home}/welcome" />
            <!--<file name="docs-content" path="${karaf.home}/docs" />-->
        </handlers>
        <filters>
            <!-- filters for reference from /host/filter-ref and /host/location/filter-ref -->
            <response-header name="server-header" header-name="Server" header-value="Pax-HTTP-Undertow" />
            <response-header name="x-powered-by-header" header-name="X-Powered-By" header-value="Pax-HTTP-Undertow/7.2.16" />
        </filters>
    </subsystem>

    <!-- https://docs.jboss.org/author/display/WFLY/Security+Realms -->
    <!--
        we'll use "default" security realm by default to configure jaas/properties authentication
        (io.undertow.security.idm.IdentityManager):
         - w:jaas - org.ops4j.pax.web.service.undertow.internal.security.JaasIdentityManager
         - w:properties - org.ops4j.pax.web.service.undertow.internal.security.PropertiesIdentityManager
    -->
    <security-realm name="default">
        <w:authentication>
            <!-- JaasIdentityManager for given realm -->
            <w:jaas name="karaf" />
            <!-- OR PropertiesIdentityManager (mutually exclusive with <w:jaas>) -->
            <!--<w:properties path="users.properties" />-->
        </w:authentication>
        <user-principal-class-name>org.apache.karaf.jaas.boot.principal.UserPrincipal</user-principal-class-name>
        <role-principal-class-name>org.apache.karaf.jaas.boot.principal.RolePrincipal</role-principal-class-name>
        <!--<role-principal-class-name>...</role-principal-class-name>-->
    </security-realm>
    <!--
        Any security realm may be referenced by https-listener to define trust/keystore, protocols and cipher suites
    -->
    <!-- Realm referenced by the https-listener above: holds the server key material and TLS parameters. -->
    <security-realm name="https">
        <w:server-identities>
            <w:ssl>
                <!-- sun.security.ssl.ProtocolVersion -->
                <!-- sun.security.ssl.CipherSuite -->
                <!-- openssl ciphers 'ALL:eNULL' | sed -e 's/:/\n/g' | sort -->
                <!--
                    Security review of the TLS parameters:
                     - TLSv1 and TLSv1.1 are deprecated (RFC 8996) and newer JDK builds
                       disable them through jdk.tls.disabledAlgorithms, so listing them
                       here buys nothing; prefer enabled-protocols="TLSv1.2" (add TLSv1.3
                       where the runtime supports it).
                     - Only two CBC suites are enabled. Which of them is usable depends on
                       the key type (RSA or ECDSA) in server.p12, and a client that offers
                       neither suite is dropped during the handshake, which matches the
                       symptom reported above (verify with the client's offered suites).
                       Consider the AEAD variants as well, e.g.
                       TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384.
                -->
                <w:engine
                        enabled-cipher-suites="TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA384 TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA384"
                        enabled-protocols="TLSv1 TLSv1.1 TLSv1.2" />
                <!--
                    The passwords below are literal placeholders in this listing. Real
                    values are secrets: keep this file readable only by the Karaf user and
                    out of version control. generate-self-signed-certificate-host
                    presumably creates a self-signed "localhost" certificate when the
                    keystore is missing (confirm); such a certificate is only accepted by
                    clients explicitly configured to trust it.
                -->
                <w:keystore path="${karaf.etc}/server.p12" provider="PKCS12" alias="server"
                        keystore-password="password" key-password="password"
                        generate-self-signed-certificate-host="localhost" />
            </w:ssl>
        </w:server-identities>
        <w:authentication>
            <w:jaas name="karaf" />
            <!-- Truststore for client certificates; only relevant once verify-client asks for one. -->
            <w:truststore path="${karaf.etc}/truststore.jks" provider="JKS" keystore-password="password" />
        </w:authentication>
        <user-principal-class-name>org.apache.karaf.jaas.boot.principal.UserPrincipal</user-principal-class-name>
        <role-principal-class-name>org.apache.karaf.jaas.boot.principal.RolePrincipal</role-principal-class-name>
    </security-realm>

    <!-- Interface lists IP addresses to bind to -->
    <!--
        0.0.0.0 exposes the HTTPS listener on every network interface (the log
        excerpt confirms 0.0.0.0:8443). Use 127.0.0.1 if the web console and the
        Camel servlet should only be reachable from the local host.
    -->
    <interface name="secure">
        <w:inet-address value="0.0.0.0" />
    </interface>

    <!-- Socket Binding adds port for each IP from referenced Interface -->
    <!-- Port comes from org.osgi.service.http.port.secure in org.ops4j.pax.web.cfg (8443 in this setup). -->
    <socket-binding name="https" interface="secure" port="${org.osgi.service.http.port.secure}" />

</undertow>


org.ops4j.pax.web.cfg


# Pax Web (org.ops4j.pax.web PID). The plain HTTP listener is switched off here as
# well as in undertow.xml; per the advice quoted earlier in this thread, Pax Web
# would otherwise recreate the non-secure listener that the XML no longer defines.
org.osgi.service.http.enabled=false
 
# Only the TLS listener is started. The port is substituted into undertow.xml as
# ${org.osgi.service.http.port.secure} (the log shows the listener on 0.0.0.0:8443).
org.osgi.service.http.secure.enabled=true
org.osgi.service.http.port.secure=8443

javax.servlet.context.tempdir=${karaf.data}/pax-web-jsp
# Undertow is configured from the XML file below; the .properties variant stays disabled.
#org.ops4j.pax.web.config.file=${karaf.etc}/undertow.properties
org.ops4j.pax.web.config.file=${karaf.etc}/undertow.xml
org.apache.karaf.features.configKey = org.ops4j.pax.web


servlet (hello1.xml)

<blueprint xmlns="http://www.osgi.org/xmlns/blueprint/v1.0.0"
           xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
           xsi:schemaLocation="http://www.osgi.org/xmlns/blueprint/v1.0.0
           https://www.osgi.org/xmlns/blueprint/v1.0.0/blueprint.xsd">

	<!-- Pax Web's HttpService; the bundle waits for it (see the log) before the servlet is registered. -->
	<reference id="httpService" interface="org.osgi.service.http.HttpService" />

	<bean id="camelServlet" class="org.apache.camel.component.servlet.CamelHttpTransportServlet"/>

	<!--
		Registers the Camel transport servlet under /camel/services with the OSGi HttpService.
		There is no listener/virtual-host selection here: with Pax Web 7 the servlet lands on
		whatever listeners Undertow has, which is why HTTPS-only must be enforced in undertow.xml
		and org.ops4j.pax.web.cfg rather than in this file.
		The BASIC login config (realm=karaf) and the admin-role constraint on /camel/services/*
		seen in the log appear to come from an org.ops4j.pax.web.context factory configuration,
		not from this blueprint (TODO confirm). BASIC sends credentials base64-encoded, so keeping
		plain HTTP disabled is what protects them.
	-->
	<bean class="org.apache.camel.component.osgi.OsgiServletRegisterer"
         init-method="register"
         destroy-method="unregister">
		<property name="servletName" value="httpServlet" />
		<property name="alias" value="/camel/services" />
		<property name="httpService" ref="httpService" />
		<property name="servlet" ref="camelServlet" />
	</bean>

	<bean id="servlet" class="org.apache.camel.component.servlet.ServletComponent" />

	<camelContext xmlns="http://camel.apache.org/schema/blueprint">
		<route>
			<!-- Consumes via the servlet registered above; presumably reachable as /camel/services/hello1. -->
			<from uri="servlet://hello1?servletName=httpServlet" />
			<setBody>
				<constant>Hello 1</constant>
			</setBody>
		</route>
	</camelContext>

</blueprint>


log excerpt

2020-08-07T11:47:29,596 | INFO  | paxweb-config-1-thread-1 | ServerControllerImpl             | 63 - org.ops4j.pax.web.pax-web-undertow - 7.2.16 | Using "file:/E:/apache-karaf/apache-karaf-4.2.9/etc/undertow.xml" to configure Undertow
2020-08-07T11:47:29,848 | INFO  | paxweb-config-1-thread-1 | ServerControllerImpl             | 63 - org.ops4j.pax.web.pax-web-undertow - 7.2.16 | Starting undertow https listener on 0.0.0.0:8443
2020-08-07T11:47:29,985 | INFO  | FelixStartLevel  | BlueprintContainerImpl           | 69 - org.apache.aries.blueprint.core - 1.10.2 | Blueprint bundle hello1.xml/0.0.0 is waiting for dependencies [(objectClass=org.osgi.service.http.HttpService)]
2020-08-07T11:47:29,987 | INFO  | activator-1-thread-2 | BouncyCastleSecurityProviderRegistrar | 38 - org.apache.sshd.core - 1.7.0 | getOrCreateProvider(BC) created instance of org.bouncycastle.jce.provider.BouncyCastleProvider
2020-08-07T11:47:30,286 | INFO  | activator-1-thread-2 | CommandExtension                 | 34 - org.apache.karaf.shell.core - 4.2.9 | Registering commands for bundle org.apache.karaf.features.command/4.2.9
2020-08-07T11:47:30,446 | INFO  | activator-1-thread-3 | CommandExtension                 | 34 - org.apache.karaf.shell.core - 4.2.9 | Registering commands for bundle org.apache.karaf.kar.core/4.2.9
2020-08-07T11:47:30,487 | INFO  | activator-1-thread-2 | Activator                        | 18 - org.apache.karaf.deployer.features - 4.2.9 | Deployment finished. Registering FeatureDeploymentListener
2020-08-07T11:47:30,543 | INFO  | activator-1-thread-2 | FeaturesPlugin                   | 140 - org.apache.karaf.webconsole.features - 4.2.9 | Features plugin deactivated
2020-08-07T11:47:30,544 | INFO  | activator-1-thread-2 | FeaturesPlugin                   | 140 - org.apache.karaf.webconsole.features - 4.2.9 | Features plugin activated
2020-08-07T11:47:30,839 | INFO  | paxweb-config-1-thread-1 | ServerControllerImpl             | 63 - org.ops4j.pax.web.pax-web-undertow - 7.2.16 | Using in-memory session persistence
2020-08-07T11:47:30,864 | INFO  | paxweb-config-1-thread-1 | HttpServiceFactoryImpl           | 61 - org.ops4j.pax.web.pax-web-runtime - 7.2.16 | Binding bundle: [org.apache.karaf.webconsole.console [139]] to http service
2020-08-07T11:47:31,000 | INFO  | paxweb-config-1-thread-1 | Context                          | 63 - org.ops4j.pax.web.pax-web-undertow - 7.2.16 | registering context DefaultHttpContext [bundle=org.apache.karaf.webconsole.console [139], contextID=custom], with context path: /
2020-08-07T11:47:31,011 | INFO  | paxweb-config-1-thread-1 | Context                          | 63 - org.ops4j.pax.web.pax-web-undertow - 7.2.16 | Starting context /
2020-08-07T11:47:31,013 | WARN  | paxweb-config-1-thread-1 | PathMatcher                      | 63 - org.ops4j.pax.web.pax-web-undertow - 7.2.16 | Overwriting existing default context io.undertow.server.handlers.PathHandler@382344b0 with a new one org.ops4j.pax.web.service.undertow.internal.Context@8c1553c
2020-08-07T11:47:31,034 | INFO  | paxweb-config-1-thread-1 | Context                          | 63 - org.ops4j.pax.web.pax-web-undertow - 7.2.16 | Adding implicit "default" servlet
2020-08-07T11:47:31,047 | INFO  | paxweb-config-1-thread-1 | ServletContainerInitializerScanner | 60 - org.ops4j.pax.web.pax-web-api - 7.2.16 | will add io.undertow.servlet.sse.ServerSentEventSCI to ServletContainerInitializers
2020-08-07T11:47:31,048 | WARN  | paxweb-config-1-thread-1 | ServletContainerInitializerScanner | 60 - org.ops4j.pax.web.pax-web-api - 7.2.16 | failed to parse and instantiate of javax.servlet.ServletContainerInitializer in classpath
2020-08-07T11:47:31,070 | INFO  | paxweb-config-1-thread-1 | Context                          | 63 - org.ops4j.pax.web.pax-web-undertow - 7.2.16 | Creating undertow servlet deployment for context path /...
2020-08-07T11:47:31,224 | INFO  | paxweb-config-1-thread-1 | Context                          | 63 - org.ops4j.pax.web.pax-web-undertow - 7.2.16 | Creating undertow servlet deployment for context path / - done
2020-08-07T11:47:31,225 | INFO  | paxweb-config-1-thread-1 | Context                          | 63 - org.ops4j.pax.web.pax-web-undertow - 7.2.16 | Registering io.undertow.servlet.spec.ServletContextImpl@e72855b as OSGi service...
2020-08-07T11:47:31,236 | INFO  | paxweb-config-1-thread-1 | Context                          | 63 - org.ops4j.pax.web.pax-web-undertow - 7.2.16 | Registering io.undertow.servlet.spec.ServletContextImpl@e72855b as OSGi service - done
2020-08-07T11:47:31,237 | INFO  | paxweb-config-1-thread-1 | Context                          | 63 - org.ops4j.pax.web.pax-web-undertow - 7.2.16 | Starting Undertow web application for context path /
2020-08-07T11:47:31,271 | INFO  | paxweb-config-1-thread-1 | HttpServiceFactoryImpl           | 61 - org.ops4j.pax.web.pax-web-runtime - 7.2.16 | Binding bundle: [org.apache.karaf.http.core [126]] to http service
2020-08-07T11:47:31,272 | INFO  | paxweb-config-1-thread-1 | Activator                        | 61 - org.ops4j.pax.web.pax-web-runtime - 7.2.16 | Starting server controller org.ops4j.pax.web.service.undertow.internal.ServerControllerImpl
2020-08-07T11:47:31,332 | INFO  | activator-1-thread-2 | CommandExtension                 | 34 - org.apache.karaf.shell.core - 4.2.9 | Registering commands for bundle org.apache.karaf.http.core/4.2.9
2020-08-07T11:47:31,436 | INFO  | activator-1-thread-2 | HttpPlugin                       | 142 - org.apache.karaf.webconsole.http - 4.2.9 | Http plugin activated
2020-08-07T11:47:31,487 | INFO  | Blueprint Extender: 1 | LRUCacheFactory                  | 108 - org.apache.camel.camel-support - 3.4.2 | Detected and using LRUCacheFactory: camel-caffeine-lrucache
2020-08-07T11:47:31,489 | INFO  | CM Configuration Updater (ManagedServiceFactory Update: factoryPid=[org.ops4j.pax.web.context]) | HttpContextProcessing            | 61 - org.ops4j.pax.web.pax-web-runtime - 7.2.16 | Updated configuration for pid=org.ops4j.pax.web.context.dff8c6e5-f690-4ac6-9268-d87fc0dce06d
2020-08-07T11:47:31,538 | INFO  | paxweb-context-2-thread-1 | HttpContextProcessing            | 61 - org.ops4j.pax.web.pax-web-runtime - 7.2.16 | Found bundle "hello1.xml", scheduling customization of its WebContainer
2020-08-07T11:47:31,539 | INFO  | paxweb-context-2-thread-1 | HttpContextProcessing            | 61 - org.ops4j.pax.web.pax-web-runtime - 7.2.16 | Customizing WebContainer for bundle hello1.xml/0.0.0
2020-08-07T11:47:31,539 | INFO  | paxweb-context-2-thread-1 | HttpServiceFactoryImpl           | 61 - org.ops4j.pax.web.pax-web-runtime - 7.2.16 | Binding bundle: [hello1.xml [134]] to http service
2020-08-07T11:47:31,542 | INFO  | paxweb-context-2-thread-1 | HttpContextProcessing            | 61 - org.ops4j.pax.web.pax-web-runtime - 7.2.16 | Registering login configuration in WebContainer for bundle "hello1.xml": method=BASIC, realm=karaf
2020-08-07T11:47:31,545 | INFO  | paxweb-context-2-thread-1 | HttpContextProcessing            | 61 - org.ops4j.pax.web.pax-web-runtime - 7.2.16 | Registering security mappings in WebContainer for bundle "hello1.xml": SecurityConstraintsMapping{name='constraint.1', url='/camel/services/*', roles=[admin]}
2020-08-07T11:47:31,550 | INFO  | paxweb-context-2-thread-1 | Context                          | 63 - org.ops4j.pax.web.pax-web-undertow - 7.2.16 | registering context DefaultHttpContext [bundle=hello1.xml [134], contextID=default], with context path: /
2020-08-07T11:47:31,555 | INFO  | paxweb-context-2-thread-1 | Context                          | 63 - org.ops4j.pax.web.pax-web-undertow - 7.2.16 | Starting context /
2020-08-07T11:47:31,610 | WARN  | paxweb-context-2-thread-1 | PathMatcher                      | 63 - org.ops4j.pax.web.pax-web-undertow - 7.2.16 | Overwriting existing default context org.ops4j.pax.web.service.undertow.internal.Context@8c1553c with a new one org.ops4j.pax.web.service.undertow.internal.Context@681b959c
2020-08-07T11:47:31,616 | INFO  | paxweb-context-2-thread-1 | Context                          | 63 - org.ops4j.pax.web.pax-web-undertow - 7.2.16 | Adding implicit "default" servlet
2020-08-07T11:47:31,624 | INFO  | paxweb-context-2-thread-1 | ServletContainerInitializerScanner | 60 - org.ops4j.pax.web.pax-web-api - 7.2.16 | will add io.undertow.servlet.sse.ServerSentEventSCI to ServletContainerInitializers
2020-08-07T11:47:31,686 | INFO  | paxweb-context-2-thread-1 | ServletContainerInitializerScanner | 60 - org.ops4j.pax.web.pax-web-api - 7.2.16 | added ServletContainerInitializer: io.undertow.servlet.sse.ServerSentEventSCI
2020-08-07T11:47:31,697 | INFO  | paxweb-context-2-thread-1 | Context                          | 63 - org.ops4j.pax.web.pax-web-undertow - 7.2.16 | Creating undertow servlet deployment for context path /...
2020-08-07T11:47:31,716 | INFO  | paxweb-context-2-thread-1 | Context                          | 63 - org.ops4j.pax.web.pax-web-undertow - 7.2.16 | Creating undertow servlet deployment for context path / - done
2020-08-07T11:47:31,717 | INFO  | paxweb-context-2-thread-1 | Context                          | 63 - org.ops4j.pax.web.pax-web-undertow - 7.2.16 | Registering io.undertow.servlet.spec.ServletContextImpl@757d3a20 as OSGi service...
2020-08-07T11:47:31,728 | INFO  | paxweb-context-2-thread-1 | Context                          | 63 - org.ops4j.pax.web.pax-web-undertow - 7.2.16 | Registering io.undertow.servlet.spec.ServletContextImpl@757d3a20 as OSGi service - done
2020-08-07T11:47:31,729 | INFO  | paxweb-context-2-thread-1 | Context                          | 63 - org.ops4j.pax.web.pax-web-undertow - 7.2.16 | Starting Undertow web application for context path /
2020-08-07T11:47:32,115 | INFO  | Blueprint Extender: 1 | BlueprintContainerImpl           | 69 - org.apache.aries.blueprint.core - 1.10.2 | Blueprint bundle hello1.xml/0.0.0 has been started
2020-08-07T11:47:32,118 | INFO  | Blueprint Event Dispatcher: 1 | BlueprintCamelContext            | 119 - org.apache.camel.karaf.camel-blueprint - 3.4.2 | Attempting to start CamelContext: camel-1
2020-08-07T11:47:32,165 | INFO  | Blueprint Event Dispatcher: 1 | JmxManagementStrategy            | 98 - org.apache.camel.camel-management - 3.4.2 | JMX is enabled
2020-08-07T11:47:32,418 | INFO  | Blueprint Event Dispatcher: 1 | AbstractCamelContext             | 76 - org.apache.camel.camel-base - 3.4.2 | Apache Camel 3.4.2 (camel-1) is starting
2020-08-07T11:47:33,264 | INFO  | Blueprint Event Dispatcher: 1 | AbstractCamelContext             | 76 - org.apache.camel.camel-base - 3.4.2 | StreamCaching is not in use. If using streams then its recommended to enable stream caching. See more details at http://camel.apache.org/stream-caching.html
2020-08-07T11:47:33,265 | INFO  | Blueprint Event Dispatcher: 1 | AbstractCamelContext             | 76 - org.apache.camel.camel-base - 3.4.2 | Using HealthCheck: camel-health
2020-08-07T11:47:33,361 | INFO  | Blueprint Event Dispatcher: 1 | InternalRouteStartupManager      | 76 - org.apache.camel.camel-base - 3.4.2 | Route: route1 started and consuming from: servlet:/hello1
2020-08-07T11:47:33,369 | INFO  | Blueprint Event Dispatcher: 1 | AbstractCamelContext             | 76 - org.apache.camel.camel-base - 3.4.2 | Total 1 routes, of which 1 are started
2020-08-07T11:47:33,370 | INFO  | Blueprint Event Dispatcher: 1 | AbstractCamelContext             | 76 - org.apache.camel.camel-base - 3.4.2 | Apache Camel 3.4.2 (camel-1) started in 0.951 seconds


> Grzegorz Grzybek <gr...@gmail.com> hat am 07.08.2020 11:07 geschrieben:
> 
> 
> Hello
> 
> In theory (I can't check now), you have to:
> 
> 1. comment out <http-listener name="http" socket-binding="http" />
> 2. ensure that org.ops4j.pax.web PID has org.osgi.service.http.enabled = false (so pax-web-undertow won't try to recreate the non-secure listener if it's not available in etc/undertow.xml)
> 
> regards
> Grzegorz Grzybek
> 
> 
> pt., 7 sie 2020 o 10:52 Gerald Kallas <ca...@mailbox.org> napisał(a):
> > Thanks, Grzegorz for the explanation.
> > 
> > At the moment I'd be happy to use HTTPS (on 8443) only for all web related services (web console, servlets) w/ undertow and disable HTTP (on 8181). Could this be reached with the setup I have?
> > 
> > Thanks
> > - Gerald
> > 
> > > Grzegorz Grzybek <gr...@gmail.com> hat am 07.08.2020 10:47 geschrieben:
> > > 
> > > 
> > > Hello
> > > 
> > > Unfortunately it is not possible to use the internal (managed by Pax Web) servlet runtime selectively - by specifying which listener (or more generally - virtual host) should be used for the servlets created and registered by Camel into HttpService (Pax Web) runtime.
> > > 
> > > pax-web-jetty has partial (legacy, non-standard from the point of view of OSGi CMPN specification) support for virtual hosts where a Whiteboard-registered servlet (or filter, or other "web element") may specify a comma-separated list of virtual host/connector names. But that's only for Jetty.
> > > 
> > > I'm still working on refactoring Pax Web 8 and I plan to have unified "experience" for dealing with separate connectors/virtual hosts across Jetty/Tomcat/Undertow runtimes, but it'll come only in Pax Web 8.
> > > 
> > > regards
> > > Grzegorz Grzybek
> > > 
> > > 
> > > pt., 7 sie 2020 o 10:34 Gerald Kallas <ca...@mailbox.org> napisał(a):
> > > > Dear all,
> > > > 
> > > > following the guidance in the ticket
> > > > 
> > > > https://issues.apache.org/jira/browse/KARAF-6772
> > > > 
> > > > I was setting up a vanilla Karaf 4.2.9 with the following features
> > > > 
> > > > feature:repo-add camel 3.4.2
> > > > feature:install pax-http-undertow
> > > > feature:install camel camel-servlet webconsole
> > > > 
> > > > I wonder how I can bind the webconsole and the servlet consumer in the camel routes to the HTTPS port. My undertow.xml see below. I tried to change the org.ops4j.pax.web.cfg but with no success.
> > > > 
> > > > Any hints are appreciated.
> > > > 
> > > > Thanks
> > > > - Gerald
> > > > 
> > > > 
> > > > <?xml version="1.0" encoding="UTF-8"?>
> > > > <!--
> > > > Licensed under the Apache License, Version 2.0 (the "License");
> > > > you may not use this file except in compliance with the License.
> > > > You may obtain a copy of the License at
> > > > 
> > > > http://www.apache.org/licenses/LICENSE-2.0
> > > > 
> > > > Unless required by applicable law or agreed to in writing, software
> > > > distributed under the License is distributed on an "AS IS" BASIS,
> > > > WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or
> > > > implied.
> > > > 
> > > > See the License for the specific language governing permissions and
> > > > limitations under the License.
> > > > -->
> > > > <undertow xmlns="urn:org.ops4j.pax.web:undertow:1.0"
> > > > xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
> > > > xmlns:w="urn:jboss:domain:5.0"
> > > > xmlns:io="urn:jboss:domain:io:3.0"
> > > > xsi:schemaLocation="
> > > > urn:jboss:domain:io:3.0 http://www.jboss.org/schema/jbossas/wildfly-io_3_0.xsd
> > > > urn:jboss:domain:undertow:4.0 http://www.jboss.org/schema/jbossas/wildfly-undertow_4_0.xsd
> > > > urn:jboss:domain:5.0 http://www.jboss.org/schema/jbossas/wildfly-config_5_0.xsd">
> > > > 
> > > > <!--
> > > > Only "default" worker and buffer-pool are supported and can be used to override the default values
> > > > used by all listeners
> > > > 
> > > > buffer-pool:
> > > > - buffer-size defaults to:
> > > > - when < 64MB of Xmx: 512
> > > > - when < 128MB of Xmx: 1024
> > > > - when >= 128MB of Xmx: 16K - 20
> > > > - direct-buffers defaults to:
> > > > - when < 64MB of Xmx: false
> > > > - when >= 64MB of Xmx: true
> > > > 
> > > > worker:
> > > > - io-threads defaults to Math.max(Runtime.getRuntime().availableProcessors(), 2);
> > > > - task-core-threads and task-max-threads default to io-threads * 8
> > > > -->
> > > > <!--
> > > > <subsystem xmlns="urn:jboss:domain:io:3.0">
> > > > <buffer-pool name="default" buffer-size="16364" direct-buffers="true" />
> > > > <worker name="default" io-threads="8" task-core-threads="64" task-max-threads="64" />
> > > > </subsystem>
> > > > -->
> > > > 
> > > > <!-- https://docs.jboss.org/author/display/WFLY/Undertow+subsystem+configuration -->
> > > > <subsystem xmlns="urn:jboss:domain:undertow:4.0">
> > > > <!-- org.wildfly.extension.undertow.BufferCacheDefinition -->
> > > > <buffer-cache name="default" buffer-size="1024" buffers-per-region="1024" max-regions="10" />
> > > > <server name="default-server">
> > > > <!-- HTTP(S) Listener references Socket Binding (and indirectly - Interfaces) -->
> > > > <http-listener name="http" socket-binding="http" />
> > > > <!-- verify-client: org.xnio.SslClientAuthMode.NOT_REQUESTED, org.xnio.SslClientAuthMode.REQUESTED, org.xnio.SslClientAuthMode.REQUIRED -->
> > > > <https-listener name="https" socket-binding="https"
> > > > security-realm="https" verify-client="NOT_REQUESTED" />
> > > > <host name="default-host" alias="localhost">
> > > > <!--<location name="/" handler="welcome-content" />-->
> > > > <!--<location name="/docs" handler="docs-content" />-->
> > > > <access-log directory="${karaf.data}/log" pattern="common" prefix="access_log." suffix="log" rotate="true" />
> > > > <filter-ref name="server-header" />
> > > > <filter-ref name="x-powered-by-header" />
> > > > </host>
> > > > </server>
> > > > <servlet-container name="default">
> > > > <jsp-config />
> > > > <websockets />
> > > > <welcome-files>
> > > > <welcome-file name="index.html" />
> > > > <welcome-file name="index.txt" />
> > > > </welcome-files>
> > > > </servlet-container>
> > > > <handlers>
> > > > <file name="welcome-content" path="${karaf.home}/welcome" />
> > > > <!--<file name="docs-content" path="${karaf.home}/docs" />-->
> > > > </handlers>
> > > > <filters>
> > > > <!-- filters for reference from /host/filter-ref and /host/location/filter-ref -->
> > > > <response-header name="server-header" header-name="Server" header-value="Pax-HTTP-Undertow" />
> > > > <response-header name="x-powered-by-header" header-name="X-Powered-By" header-value="Pax-HTTP-Undertow/7.2.16" />
> > > > </filters>
> > > > </subsystem>
> > > > 
> > > > <!-- https://docs.jboss.org/author/display/WFLY/Security+Realms -->
> > > > <!--
> > > > we'll use "default" security realm by default to configure jaas/properties authentication
> > > > (io.undertow.security.idm.IdentityManager):
> > > > - w:jaas - org.ops4j.pax.web.service.undertow.internal.security.JaasIdentityManager
> > > > - w:properties - org.ops4j.pax.web.service.undertow.internal.security.PropertiesIdentityManager
> > > > -->
> > > > <security-realm name="default">
> > > > <w:authentication>
> > > > <!-- JaasIdentityManager for given realm -->
> > > > <w:jaas name="karaf" />
> > > > <!-- OR PropertiesIdentityManager (mutually exclusive with <w:jaas>) -->
> > > > <!--<w:properties path="users.properties" />-->
> > > > </w:authentication>
> > > > <user-principal-class-name>org.apache.karaf.jaas.boot.principal.UserPrincipal</user-principal-class-name>
> > > > <role-principal-class-name>org.apache.karaf.jaas.boot.principal.RolePrincipal</role-principal-class-name>
> > > > <!--<role-principal-class-name>...</role-principal-class-name>-->
> > > > </security-realm>
> > > > <!--
> > > > Any security realm may be referenced by https-listener to define trust/keystore, protocols and cipher suites
> > > > -->
> > > > <security-realm name="https">
> > > > <w:server-identities>
> > > > <w:ssl>
> > > > <!-- sun.security.ssl.ProtocolVersion -->
> > > > <!-- sun.security.ssl.CipherSuite -->
> > > > <!-- openssl ciphers 'ALL:eNULL' | sed -e 's/:/\n/g' | sort -->
> > > > <w:engine
> > > > enabled-cipher-suites="TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA384 TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA384"
> > > > enabled-protocols="TLSv1 TLSv1.1 TLSv1.2" />
> > > > <w:keystore path="${karaf.etc}/server.p12" provider="PKCS12" alias="server"
> > > > keystore-password="password" key-password="password"
> > > > generate-self-signed-certificate-host="localhost" />
> > > > </w:ssl>
> > > > </w:server-identities>
> > > > <w:authentication>
> > > > <w:jaas name="karaf" />
> > > > <w:truststore path="${karaf.etc}/truststore.jks" provider="JKS" keystore-password="password" />
> > > > </w:authentication>
> > > > <user-principal-class-name>org.apache.karaf.jaas.boot.principal.UserPrincipal</user-principal-class-name>
> > > > <role-principal-class-name>org.apache.karaf.jaas.boot.principal.RolePrincipal</role-principal-class-name>
> > > > </security-realm>
> > > > 
> > > > <!-- Interface lists IP addresses to bind to -->
> > > > <interface name="default">
> > > > <w:inet-address value="0.0.0.0" />
> > > > <!--<w:inet-address value="127.0.0.1" />-->
> > > > </interface>
> > > > <interface name="secure">
> > > > <w:inet-address value="127.0.0.1" />
> > > > </interface>
> > > > 
> > > > <!-- Socket Binding adds port for each IP from referenced Interface -->
> > > > <socket-binding name="http" interface="default" port="${org.osgi.service.http.port}" />
> > > > <socket-binding name="https" interface="secure" port="${org.osgi.service.http.port.secure}" />
> > > > 
> > > > </undertow>

Re: HTTPS with Karaf 4.2.9 and underpinning undertow web server

Posted by Gerald Kallas <ca...@mailbox.org>.
Hi,

I tried this out, but it doesn't work properly. (The keystore and truststore are the same ones used with the Jetty setup; they are valid.)

See my configuration and the log below. The HTTPS listener starts, but neither the web console nor the servlet works.

On client side I'm getting

Error: Client network socket disconnected before secure TLS connection was established


undertow.xml

<?xml version="1.0" encoding="UTF-8"?>
<!--
   Licensed under the Apache License, Version 2.0 (the "License");
   you may not use this file except in compliance with the License.
   You may obtain a copy of the License at

   http://www.apache.org/licenses/LICENSE-2.0

   Unless required by applicable law or agreed to in writing, software
   distributed under the License is distributed on an "AS IS" BASIS,
   WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or
   implied.

   See the License for the specific language governing permissions and
   limitations under the License.
-->
<undertow xmlns="urn:org.ops4j.pax.web:undertow:1.0"
        xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
        xmlns:w="urn:jboss:domain:5.0"
        xmlns:io="urn:jboss:domain:io:3.0"
        xsi:schemaLocation="
            urn:jboss:domain:io:3.0 http://www.jboss.org/schema/jbossas/wildfly-io_3_0.xsd
            urn:jboss:domain:undertow:4.0 http://www.jboss.org/schema/jbossas/wildfly-undertow_4_0.xsd
            urn:jboss:domain:5.0 http://www.jboss.org/schema/jbossas/wildfly-config_5_0.xsd">

    <!--
        Only "default" worker and buffer-pool are supported and can be used to override the default values
        used by all listeners

        buffer-pool:
         - buffer-size defaults to:
            - when < 64MB of Xmx: 512
            - when < 128MB of Xmx: 1024
            - when >= 128MB of Xmx: 16K - 20
         - direct-buffers defaults to:
            - when < 64MB of Xmx: false
            - when >= 64MB of Xmx: true

        worker:
         - io-threads defaults to Math.max(Runtime.getRuntime().availableProcessors(), 2);
         - task-core-threads and task-max-threads default to io-threads * 8
    -->
    <!--
    <subsystem xmlns="urn:jboss:domain:io:3.0">
        <buffer-pool name="default" buffer-size="16364" direct-buffers="true" />
        <worker name="default" io-threads="8" task-core-threads="64" task-max-threads="64" />
    </subsystem>
    -->

    <!-- https://docs.jboss.org/author/display/WFLY/Undertow+subsystem+configuration -->
    <subsystem xmlns="urn:jboss:domain:undertow:4.0">
        <!-- org.wildfly.extension.undertow.BufferCacheDefinition -->
        <buffer-cache name="default" buffer-size="1024" buffers-per-region="1024" max-regions="10" />
        <server name="default-server">
            <!-- HTTP(S) Listener references Socket Binding (and indirectly - Interfaces) -->
            <!--
                The plain http-listener was removed on purpose: with org.osgi.service.http.enabled=false
                in etc/org.ops4j.pax.web.cfg, HTTPS on 8443 is the only listener (the log excerpt shows
                only the https listener starting). Keep it that way: the Camel servlet is protected by
                BASIC auth (log: method=BASIC, realm=karaf), which would send credentials in clear text
                over plain HTTP.
            -->
            <!-- verify-client: org.xnio.SslClientAuthMode.NOT_REQUESTED, org.xnio.SslClientAuthMode.REQUESTED, org.xnio.SslClientAuthMode.REQUIRED -->
            <!--
                NOT_REQUESTED: no client certificate is requested, so the truststore in the "https"
                realm is presumably never consulted (TODO confirm). Use REQUIRED for mutual TLS once
                clients hold certificates issued by a CA present in truststore.jks.
            -->
            <https-listener name="https" socket-binding="https"
                    security-realm="https" verify-client="NOT_REQUESTED" />
            <host name="default-host" alias="localhost">
                <!--<location name="/" handler="welcome-content" />-->
                <!--<location name="/docs" handler="docs-content" />-->
                <!-- Common-format access log under data/log; keep it on, it is the evidence you want after an incident. -->
                <access-log directory="${karaf.data}/log" pattern="common" prefix="access_log." suffix="log" rotate="true" />
                <filter-ref name="server-header" />
                <!--
                    Review: the x-powered-by filter below advertises the exact Pax Web version
                    (Pax-HTTP-Undertow/7.2.16) to every client, a free fingerprint for an attacker.
                    Drop this filter-ref (and ideally the Server header as well) on any instance
                    reachable from an untrusted network.
                -->
                <filter-ref name="x-powered-by-header" />
            </host>
        </server>
        <servlet-container name="default">
            <!-- Enables JSP support; remove it if no JSPs are deployed, to shrink the attack surface. -->
            <jsp-config />
            <websockets />
            <welcome-files>
                <welcome-file name="index.html" />
                <welcome-file name="index.txt" />
            </welcome-files>
        </servlet-container>
        <handlers>
            <!-- Only referenced by the commented-out "/" location above, so currently unused. -->
            <file name="welcome-content" path="${karaf.home}/welcome" />
            <!--<file name="docs-content" path="${karaf.home}/docs" />-->
        </handlers>
        <filters>
            <!-- filters for reference from /host/filter-ref and /host/location/filter-ref -->
            <response-header name="server-header" header-name="Server" header-value="Pax-HTTP-Undertow" />
            <response-header name="x-powered-by-header" header-name="X-Powered-By" header-value="Pax-HTTP-Undertow/7.2.16" />
        </filters>
    </subsystem>

    <!-- https://docs.jboss.org/author/display/WFLY/Security+Realms -->
    <!--
        we'll use "default" security realm by default to configure jaas/properties authentication
        (io.undertow.security.idm.IdentityManager):
         - w:jaas - org.ops4j.pax.web.service.undertow.internal.security.JaasIdentityManager
         - w:properties - org.ops4j.pax.web.service.undertow.internal.security.PropertiesIdentityManager
    -->
    <security-realm name="default">
        <!--
            Realm intended for container-managed (BASIC/FORM) authentication of web applications
            (see the comment above); the log shows the Camel servlet context registered with
            method=BASIC, realm=karaf.
        -->
        <w:authentication>
            <!-- JaasIdentityManager for given realm -->
            <!--
                Delegates to the Karaf JAAS realm named "karaf". Make sure its default users and
                passwords have been changed before 8443 is exposed beyond localhost.
            -->
            <w:jaas name="karaf" />
            <!-- OR PropertiesIdentityManager (mutually exclusive with <w:jaas>) -->
            <!--<w:properties path="users.properties" />-->
        </w:authentication>
        <user-principal-class-name>org.apache.karaf.jaas.boot.principal.UserPrincipal</user-principal-class-name>
        <role-principal-class-name>org.apache.karaf.jaas.boot.principal.RolePrincipal</role-principal-class-name>
        <!--<role-principal-class-name>...</role-principal-class-name>-->
    </security-realm>
    <!--
        Any security realm may be referenced by https-listener to define trust/keystore, protocols and cipher suites
    -->
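    <security-realm name="https">
        <w:server-identities>
            <w:ssl>
                <!-- sun.security.ssl.ProtocolVersion -->
                <!-- sun.security.ssl.CipherSuite -->
                <!-- openssl ciphers 'ALL:eNULL' | sed -e 's/:/\n/g' | sort -->
                <!--
                    Review: TLSv1 and TLSv1.1 were dropped from enabled-protocols. Both are deprecated
                    (RFC 8996), and the *_SHA384 suites listed here are defined for TLS 1.2 only
                    (RFC 5289), so a TLS 1.0/1.1 client could never have completed a handshake with
                    this configuration anyway; advertising those versions only widened the surface.
                    AEAD (GCM) suites are listed first; the original CBC suites are kept last for
                    compatibility with clients that do not offer GCM.
                    Whether the *_ECDSA_* or the *_RSA_* entries are usable depends on the key type
                    stored under alias "server" in server.p12 (not visible here). A client that offers
                    none of the suites matching that key type is dropped during the handshake, which
                    is one plausible cause of "socket disconnected before secure TLS connection was
                    established". Check with `openssl s_client -connect localhost:8443 -tls1_2`
                    before debugging the web console or the servlets.
                -->
                <w:engine
                        enabled-cipher-suites="TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384 TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384 TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256 TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256 TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA384 TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA384"
                        enabled-protocols="TLSv1.2" />
                <!--
                    Review: "password" is a placeholder. Keystore and key passwords sit in clear text
                    in this file, so restrict the permissions of etc/undertow.xml and use real secrets.
                    generate-self-signed-certificate-host presumably only takes effect when server.p12
                    is missing (TODO confirm in the pax-web-undertow docs); a self-signed "localhost"
                    certificate is for local testing only and will be rejected by any client that
                    validates the chain.
                -->
                <w:keystore path="${karaf.etc}/server.p12" provider="PKCS12" alias="server"
                        keystore-password="password" key-password="password"
                        generate-self-signed-certificate-host="localhost" />
            </w:ssl>
        </w:server-identities>
        <w:authentication>
            <!-- Authenticates against the Karaf JAAS realm, as the "default" security realm does. -->
            <w:jaas name="karaf" />
            <!--
                The truststore is presumably only consulted for client certificates, i.e. when the
                https-listener uses verify-client="REQUESTED" or "REQUIRED"; with NOT_REQUESTED it
                is loaded but unused (TODO confirm). Its password is also in clear text here.
            -->
            <w:truststore path="${karaf.etc}/truststore.jks" provider="JKS" keystore-password="password" />
        </w:authentication>
        <user-principal-class-name>org.apache.karaf.jaas.boot.principal.UserPrincipal</user-principal-class-name>
        <role-principal-class-name>org.apache.karaf.jaas.boot.principal.RolePrincipal</role-principal-class-name>
    </security-realm>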

    <!-- Interface lists IP addresses to bind to -->
    <interface name="secure">
        <!--
            0.0.0.0 binds the HTTPS listener on every IPv4 address of the host (the log confirms
            "Starting undertow https listener on 0.0.0.0:8443"). Prefer 127.0.0.1 unless the web
            console and the Camel servlet really must be reachable from other hosts; once exposed,
            JAAS authentication is the only control in front of the console.
        -->
        <w:inet-address value="0.0.0.0" />
    </interface>

    <!-- Socket Binding adds port for each IP from referenced Interface -->
    <!-- The port is taken from org.osgi.service.http.port.secure in etc/org.ops4j.pax.web.cfg (8443 below). -->
    <socket-binding name="https" interface="secure" port="${org.osgi.service.http.port.secure}" />

</undertow>


org.ops4j.pax.web.cfg


# Plain HTTP (8181) disabled. Together with the removed <http-listener> in undertow.xml this keeps
# pax-web-undertow from re-creating the non-secure listener (see Grzegorz's advice in the thread).
org.osgi.service.http.enabled=false
 
# HTTPS only, on 8443. undertow.xml references this value as ${org.osgi.service.http.port.secure}.
org.osgi.service.http.secure.enabled=true
org.osgi.service.http.port.secure=8443

javax.servlet.context.tempdir=${karaf.data}/pax-web-jsp
#org.ops4j.pax.web.config.file=${karaf.etc}/undertow.properties
# The XML file drives listeners, TLS settings and bind addresses; the log confirms it is picked up
# ("Using file:.../etc/undertow.xml to configure Undertow").
org.ops4j.pax.web.config.file=${karaf.etc}/undertow.xml
org.apache.karaf.features.configKey = org.ops4j.pax.web


servlet (hello1.xml)

<blueprint xmlns="http://www.osgi.org/xmlns/blueprint/v1.0.0"
           xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
           xsi:schemaLocation="http://www.osgi.org/xmlns/blueprint/v1.0.0
           https://www.osgi.org/xmlns/blueprint/v1.0.0/blueprint.xsd">

	<!-- Registers Camel's servlet transport with the OSGi HttpService (Pax Web) and exposes one route on it. -->
	<reference id="httpService" interface="org.osgi.service.http.HttpService" />

	<bean id="camelServlet" class="org.apache.camel.component.servlet.CamelHttpTransportServlet"/>

	<!--
	    Binds camelServlet at alias /camel/services on the HttpService obtained above.
	    servletName must match the servletName option in the route's from uri.
	    NOTE(review): no access control is declared here. The log excerpt below shows BASIC auth
	    (realm karaf) and a constraint on /camel/services/* for role admin being applied from a
	    separate org.ops4j.pax.web.context configuration; keep that configuration deployed together
	    with this bundle, otherwise the endpoint would presumably be reachable without authentication.
	-->
	<bean class="org.apache.camel.component.osgi.OsgiServletRegisterer"
         init-method="register"
         destroy-method="unregister">
		<property name="servletName" value="httpServlet" />
		<property name="alias" value="/camel/services" />
		<property name="httpService" ref="httpService" />
		<property name="servlet" ref="camelServlet" />
	</bean>

	<!-- The "servlet" component used by the route below. -->
	<bean id="servlet" class="org.apache.camel.component.servlet.ServletComponent" />

	<camelContext xmlns="http://camel.apache.org/schema/blueprint">
		<!-- Answers requests to /camel/services/hello1 (alias + endpoint name) with the constant body "Hello 1". -->
		<route>
			<from uri="servlet://hello1?servletName=httpServlet" />
			<setBody>
				<constant>Hello 1</constant>
			</setBody>
		</route>
	</camelContext>

</blueprint>


log excerpt

2020-08-07T11:47:29,596 | INFO  | paxweb-config-1-thread-1 | ServerControllerImpl             | 63 - org.ops4j.pax.web.pax-web-undertow - 7.2.16 | Using "file:/E:/apache-karaf/apache-karaf-4.2.9/etc/undertow.xml" to configure Undertow
2020-08-07T11:47:29,848 | INFO  | paxweb-config-1-thread-1 | ServerControllerImpl             | 63 - org.ops4j.pax.web.pax-web-undertow - 7.2.16 | Starting undertow https listener on 0.0.0.0:8443
2020-08-07T11:47:29,985 | INFO  | FelixStartLevel  | BlueprintContainerImpl           | 69 - org.apache.aries.blueprint.core - 1.10.2 | Blueprint bundle hello1.xml/0.0.0 is waiting for dependencies [(objectClass=org.osgi.service.http.HttpService)]
2020-08-07T11:47:29,987 | INFO  | activator-1-thread-2 | BouncyCastleSecurityProviderRegistrar | 38 - org.apache.sshd.core - 1.7.0 | getOrCreateProvider(BC) created instance of org.bouncycastle.jce.provider.BouncyCastleProvider
2020-08-07T11:47:30,286 | INFO  | activator-1-thread-2 | CommandExtension                 | 34 - org.apache.karaf.shell.core - 4.2.9 | Registering commands for bundle org.apache.karaf.features.command/4.2.9
2020-08-07T11:47:30,446 | INFO  | activator-1-thread-3 | CommandExtension                 | 34 - org.apache.karaf.shell.core - 4.2.9 | Registering commands for bundle org.apache.karaf.kar.core/4.2.9
2020-08-07T11:47:30,487 | INFO  | activator-1-thread-2 | Activator                        | 18 - org.apache.karaf.deployer.features - 4.2.9 | Deployment finished. Registering FeatureDeploymentListener
2020-08-07T11:47:30,543 | INFO  | activator-1-thread-2 | FeaturesPlugin                   | 140 - org.apache.karaf.webconsole.features - 4.2.9 | Features plugin deactivated
2020-08-07T11:47:30,544 | INFO  | activator-1-thread-2 | FeaturesPlugin                   | 140 - org.apache.karaf.webconsole.features - 4.2.9 | Features plugin activated
2020-08-07T11:47:30,839 | INFO  | paxweb-config-1-thread-1 | ServerControllerImpl             | 63 - org.ops4j.pax.web.pax-web-undertow - 7.2.16 | Using in-memory session persistence
2020-08-07T11:47:30,864 | INFO  | paxweb-config-1-thread-1 | HttpServiceFactoryImpl           | 61 - org.ops4j.pax.web.pax-web-runtime - 7.2.16 | Binding bundle: [org.apache.karaf.webconsole.console [139]] to http service
2020-08-07T11:47:31,000 | INFO  | paxweb-config-1-thread-1 | Context                          | 63 - org.ops4j.pax.web.pax-web-undertow - 7.2.16 | registering context DefaultHttpContext [bundle=org.apache.karaf.webconsole.console [139], contextID=custom], with context path: /
2020-08-07T11:47:31,011 | INFO  | paxweb-config-1-thread-1 | Context                          | 63 - org.ops4j.pax.web.pax-web-undertow - 7.2.16 | Starting context /
2020-08-07T11:47:31,013 | WARN  | paxweb-config-1-thread-1 | PathMatcher                      | 63 - org.ops4j.pax.web.pax-web-undertow - 7.2.16 | Overwriting existing default context io.undertow.server.handlers.PathHandler@382344b0 with a new one org.ops4j.pax.web.service.undertow.internal.Context@8c1553c
2020-08-07T11:47:31,034 | INFO  | paxweb-config-1-thread-1 | Context                          | 63 - org.ops4j.pax.web.pax-web-undertow - 7.2.16 | Adding implicit "default" servlet
2020-08-07T11:47:31,047 | INFO  | paxweb-config-1-thread-1 | ServletContainerInitializerScanner | 60 - org.ops4j.pax.web.pax-web-api - 7.2.16 | will add io.undertow.servlet.sse.ServerSentEventSCI to ServletContainerInitializers
2020-08-07T11:47:31,048 | WARN  | paxweb-config-1-thread-1 | ServletContainerInitializerScanner | 60 - org.ops4j.pax.web.pax-web-api - 7.2.16 | failed to parse and instantiate of javax.servlet.ServletContainerInitializer in classpath
2020-08-07T11:47:31,070 | INFO  | paxweb-config-1-thread-1 | Context                          | 63 - org.ops4j.pax.web.pax-web-undertow - 7.2.16 | Creating undertow servlet deployment for context path /...
2020-08-07T11:47:31,224 | INFO  | paxweb-config-1-thread-1 | Context                          | 63 - org.ops4j.pax.web.pax-web-undertow - 7.2.16 | Creating undertow servlet deployment for context path / - done
2020-08-07T11:47:31,225 | INFO  | paxweb-config-1-thread-1 | Context                          | 63 - org.ops4j.pax.web.pax-web-undertow - 7.2.16 | Registering io.undertow.servlet.spec.ServletContextImpl@e72855b as OSGi service...
2020-08-07T11:47:31,236 | INFO  | paxweb-config-1-thread-1 | Context                          | 63 - org.ops4j.pax.web.pax-web-undertow - 7.2.16 | Registering io.undertow.servlet.spec.ServletContextImpl@e72855b as OSGi service - done
2020-08-07T11:47:31,237 | INFO  | paxweb-config-1-thread-1 | Context                          | 63 - org.ops4j.pax.web.pax-web-undertow - 7.2.16 | Starting Undertow web application for context path /
2020-08-07T11:47:31,271 | INFO  | paxweb-config-1-thread-1 | HttpServiceFactoryImpl           | 61 - org.ops4j.pax.web.pax-web-runtime - 7.2.16 | Binding bundle: [org.apache.karaf.http.core [126]] to http service
2020-08-07T11:47:31,272 | INFO  | paxweb-config-1-thread-1 | Activator                        | 61 - org.ops4j.pax.web.pax-web-runtime - 7.2.16 | Starting server controller org.ops4j.pax.web.service.undertow.internal.ServerControllerImpl
2020-08-07T11:47:31,332 | INFO  | activator-1-thread-2 | CommandExtension                 | 34 - org.apache.karaf.shell.core - 4.2.9 | Registering commands for bundle org.apache.karaf.http.core/4.2.9
2020-08-07T11:47:31,436 | INFO  | activator-1-thread-2 | HttpPlugin                       | 142 - org.apache.karaf.webconsole.http - 4.2.9 | Http plugin activated
2020-08-07T11:47:31,487 | INFO  | Blueprint Extender: 1 | LRUCacheFactory                  | 108 - org.apache.camel.camel-support - 3.4.2 | Detected and using LRUCacheFactory: camel-caffeine-lrucache
2020-08-07T11:47:31,489 | INFO  | CM Configuration Updater (ManagedServiceFactory Update: factoryPid=[org.ops4j.pax.web.context]) | HttpContextProcessing            | 61 - org.ops4j.pax.web.pax-web-runtime - 7.2.16 | Updated configuration for pid=org.ops4j.pax.web.context.dff8c6e5-f690-4ac6-9268-d87fc0dce06d
2020-08-07T11:47:31,538 | INFO  | paxweb-context-2-thread-1 | HttpContextProcessing            | 61 - org.ops4j.pax.web.pax-web-runtime - 7.2.16 | Found bundle "hello1.xml", scheduling customization of its WebContainer
2020-08-07T11:47:31,539 | INFO  | paxweb-context-2-thread-1 | HttpContextProcessing            | 61 - org.ops4j.pax.web.pax-web-runtime - 7.2.16 | Customizing WebContainer for bundle hello1.xml/0.0.0
2020-08-07T11:47:31,539 | INFO  | paxweb-context-2-thread-1 | HttpServiceFactoryImpl           | 61 - org.ops4j.pax.web.pax-web-runtime - 7.2.16 | Binding bundle: [hello1.xml [134]] to http service
2020-08-07T11:47:31,542 | INFO  | paxweb-context-2-thread-1 | HttpContextProcessing            | 61 - org.ops4j.pax.web.pax-web-runtime - 7.2.16 | Registering login configuration in WebContainer for bundle "hello1.xml": method=BASIC, realm=karaf
2020-08-07T11:47:31,545 | INFO  | paxweb-context-2-thread-1 | HttpContextProcessing            | 61 - org.ops4j.pax.web.pax-web-runtime - 7.2.16 | Registering security mappings in WebContainer for bundle "hello1.xml": SecurityConstraintsMapping{name='constraint.1', url='/camel/services/*', roles=[admin]}
2020-08-07T11:47:31,550 | INFO  | paxweb-context-2-thread-1 | Context                          | 63 - org.ops4j.pax.web.pax-web-undertow - 7.2.16 | registering context DefaultHttpContext [bundle=hello1.xml [134], contextID=default], with context path: /
2020-08-07T11:47:31,555 | INFO  | paxweb-context-2-thread-1 | Context                          | 63 - org.ops4j.pax.web.pax-web-undertow - 7.2.16 | Starting context /
2020-08-07T11:47:31,610 | WARN  | paxweb-context-2-thread-1 | PathMatcher                      | 63 - org.ops4j.pax.web.pax-web-undertow - 7.2.16 | Overwriting existing default context org.ops4j.pax.web.service.undertow.internal.Context@8c1553c with a new one org.ops4j.pax.web.service.undertow.internal.Context@681b959c
2020-08-07T11:47:31,616 | INFO  | paxweb-context-2-thread-1 | Context                          | 63 - org.ops4j.pax.web.pax-web-undertow - 7.2.16 | Adding implicit "default" servlet
2020-08-07T11:47:31,624 | INFO  | paxweb-context-2-thread-1 | ServletContainerInitializerScanner | 60 - org.ops4j.pax.web.pax-web-api - 7.2.16 | will add io.undertow.servlet.sse.ServerSentEventSCI to ServletContainerInitializers
2020-08-07T11:47:31,686 | INFO  | paxweb-context-2-thread-1 | ServletContainerInitializerScanner | 60 - org.ops4j.pax.web.pax-web-api - 7.2.16 | added ServletContainerInitializer: io.undertow.servlet.sse.ServerSentEventSCI
2020-08-07T11:47:31,697 | INFO  | paxweb-context-2-thread-1 | Context                          | 63 - org.ops4j.pax.web.pax-web-undertow - 7.2.16 | Creating undertow servlet deployment for context path /...
2020-08-07T11:47:31,716 | INFO  | paxweb-context-2-thread-1 | Context                          | 63 - org.ops4j.pax.web.pax-web-undertow - 7.2.16 | Creating undertow servlet deployment for context path / - done
2020-08-07T11:47:31,717 | INFO  | paxweb-context-2-thread-1 | Context                          | 63 - org.ops4j.pax.web.pax-web-undertow - 7.2.16 | Registering io.undertow.servlet.spec.ServletContextImpl@757d3a20 as OSGi service...
2020-08-07T11:47:31,728 | INFO  | paxweb-context-2-thread-1 | Context                          | 63 - org.ops4j.pax.web.pax-web-undertow - 7.2.16 | Registering io.undertow.servlet.spec.ServletContextImpl@757d3a20 as OSGi service - done
2020-08-07T11:47:31,729 | INFO  | paxweb-context-2-thread-1 | Context                          | 63 - org.ops4j.pax.web.pax-web-undertow - 7.2.16 | Starting Undertow web application for context path /
2020-08-07T11:47:32,115 | INFO  | Blueprint Extender: 1 | BlueprintContainerImpl           | 69 - org.apache.aries.blueprint.core - 1.10.2 | Blueprint bundle hello1.xml/0.0.0 has been started
2020-08-07T11:47:32,118 | INFO  | Blueprint Event Dispatcher: 1 | BlueprintCamelContext            | 119 - org.apache.camel.karaf.camel-blueprint - 3.4.2 | Attempting to start CamelContext: camel-1
2020-08-07T11:47:32,165 | INFO  | Blueprint Event Dispatcher: 1 | JmxManagementStrategy            | 98 - org.apache.camel.camel-management - 3.4.2 | JMX is enabled
2020-08-07T11:47:32,418 | INFO  | Blueprint Event Dispatcher: 1 | AbstractCamelContext             | 76 - org.apache.camel.camel-base - 3.4.2 | Apache Camel 3.4.2 (camel-1) is starting
2020-08-07T11:47:33,264 | INFO  | Blueprint Event Dispatcher: 1 | AbstractCamelContext             | 76 - org.apache.camel.camel-base - 3.4.2 | StreamCaching is not in use. If using streams then its recommended to enable stream caching. See more details at http://camel.apache.org/stream-caching.html
2020-08-07T11:47:33,265 | INFO  | Blueprint Event Dispatcher: 1 | AbstractCamelContext             | 76 - org.apache.camel.camel-base - 3.4.2 | Using HealthCheck: camel-health
2020-08-07T11:47:33,361 | INFO  | Blueprint Event Dispatcher: 1 | InternalRouteStartupManager      | 76 - org.apache.camel.camel-base - 3.4.2 | Route: route1 started and consuming from: servlet:/hello1
2020-08-07T11:47:33,369 | INFO  | Blueprint Event Dispatcher: 1 | AbstractCamelContext             | 76 - org.apache.camel.camel-base - 3.4.2 | Total 1 routes, of which 1 are started
2020-08-07T11:47:33,370 | INFO  | Blueprint Event Dispatcher: 1 | AbstractCamelContext             | 76 - org.apache.camel.camel-base - 3.4.2 | Apache Camel 3.4.2 (camel-1) started in 0.951 seconds


> Grzegorz Grzybek <gr...@gmail.com> hat am 07.08.2020 11:07 geschrieben:
> 
> 
> Hello
> 
> In theory (I can't check now), you have to:
> 
> 1. comment out <http-listener name="http" socket-binding="http" />
> 2. ensure that org.ops4j.pax.web PID has org.osgi.service.http.enabled = false (so pax-web-undertow won't try to recreate the non-secure listener if it's not available in etc/undertow.xml)
> 
> regards
> Grzegorz Grzybek
> 
> 
> pt., 7 sie 2020 o 10:52 Gerald Kallas <ca...@mailbox.org> napisał(a):
> > Thanks, Grzegorz for the explanation.
> > 
> > At the moment I'd be happy to use HTTPS (on 8443) only for all web related services (web console, servlets) w/ undertow and disable HTTP (on 8181). Could this be reached with the setup I have?
> > 
> > Thanks
> > - Gerald
> > 
> > > Grzegorz Grzybek <gr...@gmail.com> hat am 07.08.2020 10:47 geschrieben:
> > > 
> > > 
> > > Hello
> > > 
> > > Unfortunately it is not possible to use the internal (managed by Pax Web) servlet runtime selectively - by specifying which listener (or more generally - virtual host) should be used for the servlets created and registered by Camel into HttpService (Pax Web) runtime.
> > > 
> > > pax-web-jetty has partial (legacy, non-standard from the point of view of OSGi CMPN specification) support for virtual hosts where a Whiteboard-registered servlet (or filter, or other "web element") may specify a comma-separated list of virtual host/connector names. But that's only for Jetty.
> > > 
> > > I'm still working on refactoring Pax Web 8 and I plan to have unified "experience" for dealing with separate connectors/virtual hosts across Jetty/Tomcat/Undertow runtimes, but it'll come only in Pax Web 8.
> > > 
> > > regards
> > > Grzegorz Grzybek
> > > 
> > > 
> > > pt., 7 sie 2020 o 10:34 Gerald Kallas <ca...@mailbox.org> napisał(a):
> > > > Dear all,
> > > > 
> > > > following the guidance in the ticket
> > > > 
> > > > https://issues.apache.org/jira/browse/KARAF-6772
> > > > 
> > > > I was setting up a vanilla Karaf 4.2.9 with the following features
> > > > 
> > > > feature:repo-add camel 3.4.2
> > > > feature:install pax-http-undertow
> > > > feature:install camel camel-servlet webconsole
> > > > 
> > > > I wonder how I can bind the webconsole and the servlet consumer in the camel routes to the HTTPS port. My undertow.xml is shown below. I tried to change the org.ops4j.pax.web.cfg but with no success.
> > > > 
> > > > Any hints are appreciated.
> > > > 
> > > > Thanks
> > > > - Gerald
> > > > 
> > > > 
> > > > <?xml version="1.0" encoding="UTF-8"?>
> > > > <!--
> > > > Licensed under the Apache License, Version 2.0 (the "License");
> > > > you may not use this file except in compliance with the License.
> > > > You may obtain a copy of the License at
> > > > 
> > > > http://www.apache.org/licenses/LICENSE-2.0
> > > > 
> > > > Unless required by applicable law or agreed to in writing, software
> > > > distributed under the License is distributed on an "AS IS" BASIS,
> > > > WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or
> > > > implied.
> > > > 
> > > > See the License for the specific language governing permissions and
> > > > limitations under the License.
> > > > -->
> > > > <undertow xmlns="urn:org.ops4j.pax.web:undertow:1.0"
> > > > xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
> > > > xmlns:w="urn:jboss:domain:5.0"
> > > > xmlns:io="urn:jboss:domain:io:3.0"
> > > > xsi:schemaLocation="
> > > > urn:jboss:domain:io:3.0 http://www.jboss.org/schema/jbossas/wildfly-io_3_0.xsd
> > > > urn:jboss:domain:undertow:4.0 http://www.jboss.org/schema/jbossas/wildfly-undertow_4_0.xsd
> > > > urn:jboss:domain:5.0 http://www.jboss.org/schema/jbossas/wildfly-config_5_0.xsd">
> > > > 
> > > > <!--
> > > > Only "default" worker and buffer-pool are supported and can be used to override the default values
> > > > used by all listeners
> > > > 
> > > > buffer-pool:
> > > > - buffer-size defaults to:
> > > > - when < 64MB of Xmx: 512
> > > > - when < 128MB of Xmx: 1024
> > > > - when >= 128MB of Xmx: 16K - 20
> > > > - direct-buffers defaults to:
> > > > - when < 64MB of Xmx: false
> > > > - when >= 64MB of Xmx: true
> > > > 
> > > > worker:
> > > > - io-threads defaults to Math.max(Runtime.getRuntime().availableProcessors(), 2);
> > > > - task-core-threads and task-max-threads default to io-threads * 8
> > > > -->
> > > > <!--
> > > > <subsystem xmlns="urn:jboss:domain:io:3.0">
> > > > <buffer-pool name="default" buffer-size="16364" direct-buffers="true" />
> > > > <worker name="default" io-threads="8" task-core-threads="64" task-max-threads="64" />
> > > > </subsystem>
> > > > -->
> > > > 
> > > > <!-- https://docs.jboss.org/author/display/WFLY/Undertow+subsystem+configuration -->
> > > > <subsystem xmlns="urn:jboss:domain:undertow:4.0">
> > > > <!-- org.wildfly.extension.undertow.BufferCacheDefinition -->
> > > > <buffer-cache name="default" buffer-size="1024" buffers-per-region="1024" max-regions="10" />
> > > > <server name="default-server">
> > > > <!-- HTTP(S) Listener references Socket Binding (and indirectly - Interfaces) -->
> > > > <http-listener name="http" socket-binding="http" />
> > > > <!-- verify-client: org.xnio.SslClientAuthMode.NOT_REQUESTED, org.xnio.SslClientAuthMode.REQUESTED, org.xnio.SslClientAuthMode.REQUIRED -->
> > > > <https-listener name="https" socket-binding="https"
> > > > security-realm="https" verify-client="NOT_REQUESTED" />
> > > > <host name="default-host" alias="localhost">
> > > > <!--<location name="/" handler="welcome-content" />-->
> > > > <!--<location name="/docs" handler="docs-content" />-->
> > > > <access-log directory="${karaf.data}/log" pattern="common" prefix="access_log." suffix="log" rotate="true" />
> > > > <filter-ref name="server-header" />
> > > > <filter-ref name="x-powered-by-header" />
> > > > </host>
> > > > </server>
> > > > <servlet-container name="default">
> > > > <jsp-config />
> > > > <websockets />
> > > > <welcome-files>
> > > > <welcome-file name="index.html" />
> > > > <welcome-file name="index.txt" />
> > > > </welcome-files>
> > > > </servlet-container>
> > > > <handlers>
> > > > <file name="welcome-content" path="${karaf.home}/welcome" />
> > > > <!--<file name="docs-content" path="${karaf.home}/docs" />-->
> > > > </handlers>
> > > > <filters>
> > > > <!-- filters for reference from /host/filter-ref and /host/location/filter-ref -->
> > > > <response-header name="server-header" header-name="Server" header-value="Pax-HTTP-Undertow" />
> > > > <response-header name="x-powered-by-header" header-name="X-Powered-By" header-value="Pax-HTTP-Undertow/7.2.16" />
> > > > </filters>
> > > > </subsystem>
> > > > 
> > > > <!-- https://docs.jboss.org/author/display/WFLY/Security+Realms -->
> > > > <!--
> > > > we'll use "default" security realm by default to configure jaas/properties authentication
> > > > (io.undertow.security.idm.IdentityManager):
> > > > - w:jaas - org.ops4j.pax.web.service.undertow.internal.security.JaasIdentityManager
> > > > - w:properties - org.ops4j.pax.web.service.undertow.internal.security.PropertiesIdentityManager
> > > > -->
> > > > <security-realm name="default">
> > > > <w:authentication>
> > > > <!-- JaasIdentityManager for given realm -->
> > > > <w:jaas name="karaf" />
> > > > <!-- OR PropertiesIdentityManager (mutually exclusive with <w:jaas>) -->
> > > > <!--<w:properties path="users.properties" />-->
> > > > </w:authentication>
> > > > <user-principal-class-name>org.apache.karaf.jaas.boot.principal.UserPrincipal</user-principal-class-name>
> > > > <role-principal-class-name>org.apache.karaf.jaas.boot.principal.RolePrincipal</role-principal-class-name>
> > > > <!--<role-principal-class-name>...</role-principal-class-name>-->
> > > > </security-realm>
> > > > <!--
> > > > Any security realm may be referenced by https-listener to define trust/keystore, protocols and cipher suites
> > > > -->
> > > > <security-realm name="https">
> > > > <w:server-identities>
> > > > <w:ssl>
> > > > <!-- sun.security.ssl.ProtocolVersion -->
> > > > <!-- sun.security.ssl.CipherSuite -->
> > > > <!-- openssl ciphers 'ALL:eNULL' | sed -e 's/:/\n/g' | sort -->
> > > > <w:engine
> > > > enabled-cipher-suites="TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA384 TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA384"
> > > > enabled-protocols="TLSv1 TLSv1.1 TLSv1.2" />
> > > > <w:keystore path="${karaf.etc}/server.p12" provider="PKCS12" alias="server"
> > > > keystore-password="password" key-password="password"
> > > > generate-self-signed-certificate-host="localhost" />
> > > > </w:ssl>
> > > > </w:server-identities>
> > > > <w:authentication>
> > > > <w:jaas name="karaf" />
> > > > <w:truststore path="${karaf.etc}/truststore.jks" provider="JKS" keystore-password="password" />
> > > > </w:authentication>
> > > > <user-principal-class-name>org.apache.karaf.jaas.boot.principal.UserPrincipal</user-principal-class-name>
> > > > <role-principal-class-name>org.apache.karaf.jaas.boot.principal.RolePrincipal</role-principal-class-name>
> > > > </security-realm>
> > > > 
> > > > <!-- Interface lists IP addresses to bind to -->
> > > > <interface name="default">
> > > > <w:inet-address value="0.0.0.0" />
> > > > <!--<w:inet-address value="127.0.0.1" />-->
> > > > </interface>
> > > > <interface name="secure">
> > > > <w:inet-address value="127.0.0.1" />
> > > > </interface>
> > > > 
> > > > <!-- Socket Binding adds port for each IP from referenced Interface -->
> > > > <socket-binding name="http" interface="default" port="${org.osgi.service.http.port}" />
> > > > <socket-binding name="https" interface="secure" port="${org.osgi.service.http.port.secure}" />
> > > > 
> > > > </undertow>

Re: HTTPS with Karaf 4.2.9 and underpinning undertow web server

Posted by Grzegorz Grzybek <gr...@gmail.com>.
Hello

In theory (I can't check now), you have to:

1. comment out <http-listener name="http" socket-binding="http" />
2. ensure that org.ops4j.pax.web PID has org.osgi.service.http.enabled =
false (so pax-web-undertow won't try to recreate the non-secure listener if
it's not available in etc/undertow.xml)

regards
Grzegorz Grzybek

pt., 7 sie 2020 o 10:52 Gerald Kallas <ca...@mailbox.org> napisał(a):

> Thanks, Grzegorz for the explanation.
>
> At the moment I'd be happy to use HTTPS (on 8443) only for all web related
> services (web console, servlets) w/ undertow and disable HTTP (on 8181).
> Could this be reached with the setup I have?
>
> Thanks
> - Gerald
>
> > Grzegorz Grzybek <gr...@gmail.com> hat am 07.08.2020 10:47
> geschrieben:
> >
> >
> > Hello
> >
> > Unfortunately it is not possible to use the internal (managed by Pax
> Web) servlet runtime selectively - by specifying which listener (or more
> generally - virtual host) should be used for the servlets created and
> registered by Camel into HttpService (Pax Web) runtime.
> >
> > pax-web-jetty has partial (legacy, non-standard from the point of view
> of OSGi CMPN specification) support for virtual hosts where a
> Whiteboard-registered servlet (or filter, or other "web element") may
> specify a comma-separated list of virtual host/connector names. But that's
> only for Jetty.
> >
> > I'm still working on refactoring Pax Web 8 and I plan to have unified
> "experience" for dealing with separate connectors/virtual hosts across
> Jetty/Tomcat/Undertow runtimes, but it'll come only in Pax Web 8.
> >
> > regards
> > Grzegorz Grzybek
> >
> >
> > pt., 7 sie 2020 o 10:34 Gerald Kallas <ca...@mailbox.org> napisał(a):
> > > Dear all,
> > >
> > > following the guidance in the ticket
> > >
> > > https://issues.apache.org/jira/browse/KARAF-6772
> > >
> > > I was setting up a vanilla Karaf 4.2.9 with the following features
> > >
> > > feature:repo-add camel 3.4.2
> > > feature:install pax-http-undertow
> > > feature:install camel camel-servlet webconsole
> > >
> > > I wonder how I can bind the webconsole and the servlet consumer in the
> camel routes to the HTTPS port. My undertow.xml is shown below. I tried to
> change the org.ops4j.pax.web.cfg but with no success.
> > >
> > > Any hints are appreciated.
> > >
> > > Thanks
> > > - Gerald
> > >
> > >
> > > <?xml version="1.0" encoding="UTF-8"?>
> > > <!--
> > >  Licensed under the Apache License, Version 2.0 (the "License");
> > >  you may not use this file except in compliance with the License.
> > >  You may obtain a copy of the License at
> > >
> > >  http://www.apache.org/licenses/LICENSE-2.0
> > >
> > >  Unless required by applicable law or agreed to in writing, software
> > >  distributed under the License is distributed on an "AS IS" BASIS,
> > >  WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or
> > >  implied.
> > >
> > >  See the License for the specific language governing permissions and
> > >  limitations under the License.
> > > -->
> > > <undertow xmlns="urn:org.ops4j.pax.web:undertow:1.0"
> > >  xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
> > >  xmlns:w="urn:jboss:domain:5.0"
> > >  xmlns:io="urn:jboss:domain:io:3.0"
> > >  xsi:schemaLocation="
> > >  urn:jboss:domain:io:3.0
> http://www.jboss.org/schema/jbossas/wildfly-io_3_0.xsd
> > >  urn:jboss:domain:undertow:4.0
> http://www.jboss.org/schema/jbossas/wildfly-undertow_4_0.xsd
> > >  urn:jboss:domain:5.0
> http://www.jboss.org/schema/jbossas/wildfly-config_5_0.xsd">
> > >
> > >  <!--
> > >  Only "default" worker and buffer-pool are supported and can be used
> to override the default values
> > >  used by all listeners
> > >
> > >  buffer-pool:
> > >  - buffer-size defaults to:
> > >  - when < 64MB of Xmx: 512
> > >  - when < 128MB of Xmx: 1024
> > >  - when >= 128MB of Xmx: 16K - 20
> > >  - direct-buffers defaults to:
> > >  - when < 64MB of Xmx: false
> > >  - when >= 64MB of Xmx: true
> > >
> > >  worker:
> > >  - io-threads defaults to
> Math.max(Runtime.getRuntime().availableProcessors(), 2);
> > >  - task-core-threads and task-max-threads default to io-threads * 8
> > >  -->
> > >  <!--
> > >  <subsystem xmlns="urn:jboss:domain:io:3.0">
> > >  <buffer-pool name="default" buffer-size="16364" direct-buffers="true"
> />
> > >  <worker name="default" io-threads="8" task-core-threads="64"
> task-max-threads="64" />
> > >  </subsystem>
> > >  -->
> > >
> > >  <!--
> https://docs.jboss.org/author/display/WFLY/Undertow+subsystem+configuration
> -->
> > >  <subsystem xmlns="urn:jboss:domain:undertow:4.0">
> > >  <!-- org.wildfly.extension.undertow.BufferCacheDefinition -->
> > >  <buffer-cache name="default" buffer-size="1024"
> buffers-per-region="1024" max-regions="10" />
> > >  <server name="default-server">
> > >  <!-- HTTP(S) Listener references Socket Binding (and indirectly -
> Interfaces) -->
> > >  <http-listener name="http" socket-binding="http" />
> > >  <!-- verify-client: org.xnio.SslClientAuthMode.NOT_REQUESTED,
> org.xnio.SslClientAuthMode.REQUESTED, org.xnio.SslClientAuthMode.REQUIRED
> -->
> > >  <https-listener name="https" socket-binding="https"
> > >  security-realm="https" verify-client="NOT_REQUESTED" />
> > >  <host name="default-host" alias="localhost">
> > >  <!--<location name="/" handler="welcome-content" />-->
> > >  <!--<location name="/docs" handler="docs-content" />-->
> > >  <access-log directory="${karaf.data}/log" pattern="common"
> prefix="access_log." suffix="log" rotate="true" />
> > >  <filter-ref name="server-header" />
> > >  <filter-ref name="x-powered-by-header" />
> > >  </host>
> > >  </server>
> > >  <servlet-container name="default">
> > >  <jsp-config />
> > >  <websockets />
> > >  <welcome-files>
> > >  <welcome-file name="index.html" />
> > >  <welcome-file name="index.txt" />
> > >  </welcome-files>
> > >  </servlet-container>
> > >  <handlers>
> > >  <file name="welcome-content" path="${karaf.home}/welcome" />
> > >  <!--<file name="docs-content" path="${karaf.home}/docs" />-->
> > >  </handlers>
> > >  <filters>
> > >  <!-- filters for reference from /host/filter-ref and
> /host/location/filter-ref -->
> > >  <response-header name="server-header" header-name="Server"
> header-value="Pax-HTTP-Undertow" />
> > >  <response-header name="x-powered-by-header"
> header-name="X-Powered-By" header-value="Pax-HTTP-Undertow/7.2.16" />
> > >  </filters>
> > >  </subsystem>
> > >
> > >  <!-- https://docs.jboss.org/author/display/WFLY/Security+Realms -->
> > >  <!--
> > >  we'll use "default" security realm by default to configure
> jaas/properties authentication
> > >  (io.undertow.security.idm.IdentityManager):
> > >  - w:jaas -
> org.ops4j.pax.web.service.undertow.internal.security.JaasIdentityManager
> > >  - w:properties -
> org.ops4j.pax.web.service.undertow.internal.security.PropertiesIdentityManager
> > >  -->
> > >  <security-realm name="default">
> > >  <w:authentication>
> > >  <!-- JaasIdentityManager for given realm -->
> > >  <w:jaas name="karaf" />
> > >  <!-- OR PropertiesIdentityManager (mutually exclusive with <w:jaas>)
> -->
> > >  <!--<w:properties path="users.properties" />-->
> > >  </w:authentication>
> > >
> <user-principal-class-name>org.apache.karaf.jaas.boot.principal.UserPrincipal</user-principal-class-name>
> > >
> <role-principal-class-name>org.apache.karaf.jaas.boot.principal.RolePrincipal</role-principal-class-name>
> > >  <!--<role-principal-class-name>...</role-principal-class-name>-->
> > >  </security-realm>
> > >  <!--
> > >  Any security realm may be referenced by https-listener to define
> trust/keystore, protocols and cipher suites
> > >  -->
> > >  <security-realm name="https">
> > >  <w:server-identities>
> > >  <w:ssl>
> > >  <!-- sun.security.ssl.ProtocolVersion -->
> > >  <!-- sun.security.ssl.CipherSuite -->
> > >  <!-- openssl ciphers 'ALL:eNULL' | sed -e 's/:/\n/g' | sort -->
> > >  <w:engine
> > >  enabled-cipher-suites="TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA384
> TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA384"
> > >  enabled-protocols="TLSv1 TLSv1.1 TLSv1.2" />
> > >  <w:keystore path="${karaf.etc}/server.p12" provider="PKCS12"
> alias="server"
> > >  keystore-password="password" key-password="password"
> > >  generate-self-signed-certificate-host="localhost" />
> > >  </w:ssl>
> > >  </w:server-identities>
> > >  <w:authentication>
> > >  <w:jaas name="karaf" />
> > >  <w:truststore path="${karaf.etc}/truststore.jks" provider="JKS"
> keystore-password="password" />
> > >  </w:authentication>
> > >
> <user-principal-class-name>org.apache.karaf.jaas.boot.principal.UserPrincipal</user-principal-class-name>
> > >
> <role-principal-class-name>org.apache.karaf.jaas.boot.principal.RolePrincipal</role-principal-class-name>
> > >  </security-realm>
> > >
> > >  <!-- Interface lists IP addresses to bind to -->
> > >  <interface name="default">
> > >  <w:inet-address value="0.0.0.0" />
> > >  <!--<w:inet-address value="127.0.0.1" />-->
> > >  </interface>
> > >  <interface name="secure">
> > >  <w:inet-address value="127.0.0.1" />
> > >  </interface>
> > >
> > >  <!-- Socket Binding adds port for each IP from referenced Interface
> -->
> > >  <socket-binding name="http" interface="default"
> port="${org.osgi.service.http.port}" />
> > >  <socket-binding name="https" interface="secure"
> port="${org.osgi.service.http.port.secure}" />
> > >
> > > </undertow>
>

Re: HTTPS with Karaf 4.2.9 and underpinning undertow web server

Posted by Grzegorz Grzybek <gr...@gmail.com>.
Hello

In theory (I can't check now), you have to:

1. comment out <http-listener name="http" socket-binding="http" />
2. ensure that the org.ops4j.pax.web PID has org.osgi.service.http.enabled =
false (so pax-web-undertow won't try to recreate the non-secure listener when
it is missing from etc/undertow.xml)

regards
Grzegorz Grzybek

pt., 7 sie 2020 o 10:52 Gerald Kallas <ca...@mailbox.org> napisał(a):

> Thanks, Grzegorz for the explanation.
>
> At the moment I'd be happy to use HTTPS (on 8443) only for all web related
> services (web console, servlets) w/ undertow and disable HTTP (on 8181).
> Could this be achieved with the setup I have?
>
> Thanks
> - Gerald
>
> > Grzegorz Grzybek <gr...@gmail.com> hat am 07.08.2020 10:47
> geschrieben:
> >
> >
> > Hello
> >
> > Unfortunately it is not possible to use the internal (managed by Pax
> Web) servlet runtime selectively - by specifying which listener (or more
> generally - virtual host) should be used for the servlets created and
> registered by Camel into HttpService (Pax Web) runtime.
> >
> > pax-web-jetty has partial (legacy, non-standard from the point of view
> of OSGi CMPN specification) support for virtual hosts where a
> Whiteboard-registered servlet (or filter, or other "web element") may
> specify a comma-separated list of virtual host/connector names. But that's
> only for Jetty.
> >
> > I'm still working on refactoring Pax Web 8 and I plan to have unified
> "experience" for dealing with separate connectors/virtual hosts across
> Jetty/Tomcat/Undertow runtimes, but it'll come only in Pax Web 8.
> >
> > regards
> > Grzegorz Grzybek
> >
> >
> > pt., 7 sie 2020 o 10:34 Gerald Kallas <ca...@mailbox.org> napisał(a):
> > > Dear all,
> > >
> > > following the guidance in the ticket
> > >
> > > https://issues.apache.org/jira/browse/KARAF-6772
> > >
> > > I was setting up a vanilla Karaf 4.2.9 with the following features
> > >
> > > feature:repo-add camel 3.4.2
> > > feature:install pax-http-undertow
> > > feature:install camel camel-servlet webconsole
> > >
> > > I wonder how I can bind the webconsole and the servlet consumer in the
> camel routes to the HTTPS port. My undertow.xml is shown below. I tried to
> change the org.ops4j.pax.web.cfg but with no success.
> > >
> > > Any hints are appreciated.
> > >
> > > Thanks
> > > - Gerald
> > >
> > >
> > > <?xml version="1.0" encoding="UTF-8"?>
> > > <!--
> > >  Licensed under the Apache License, Version 2.0 (the "License");
> > >  you may not use this file except in compliance with the License.
> > >  You may obtain a copy of the License at
> > >
> > >  http://www.apache.org/licenses/LICENSE-2.0
> > >
> > >  Unless required by applicable law or agreed to in writing, software
> > >  distributed under the License is distributed on an "AS IS" BASIS,
> > >  WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or
> > >  implied.
> > >
> > >  See the License for the specific language governing permissions and
> > >  limitations under the License.
> > > -->
> > > <undertow xmlns="urn:org.ops4j.pax.web:undertow:1.0"
> > >  xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
> > >  xmlns:w="urn:jboss:domain:5.0"
> > >  xmlns:io="urn:jboss:domain:io:3.0"
> > >  xsi:schemaLocation="
> > >  urn:jboss:domain:io:3.0
> http://www.jboss.org/schema/jbossas/wildfly-io_3_0.xsd
> > >  urn:jboss:domain:undertow:4.0
> http://www.jboss.org/schema/jbossas/wildfly-undertow_4_0.xsd
> > >  urn:jboss:domain:5.0
> http://www.jboss.org/schema/jbossas/wildfly-config_5_0.xsd">
> > >
> > >  <!--
> > >  Only "default" worker and buffer-pool are supported and can be used
> to override the default values
> > >  used by all listeners
> > >
> > >  buffer-pool:
> > >  - buffer-size defaults to:
> > >  - when < 64MB of Xmx: 512
> > >  - when < 128MB of Xmx: 1024
> > >  - when >= 128MB of Xmx: 16K - 20
> > >  - direct-buffers defaults to:
> > >  - when < 64MB of Xmx: false
> > >  - when >= 64MB of Xmx: true
> > >
> > >  worker:
> > >  - io-threads defaults to
> Math.max(Runtime.getRuntime().availableProcessors(), 2);
> > >  - task-core-threads and task-max-threads default to io-threads * 8
> > >  -->
> > >  <!--
> > >  <subsystem xmlns="urn:jboss:domain:io:3.0">
> > >  <buffer-pool name="default" buffer-size="16364" direct-buffers="true"
> />
> > >  <worker name="default" io-threads="8" task-core-threads="64"
> task-max-threads="64" />
> > >  </subsystem>
> > >  -->
> > >
> > >  <!--
> https://docs.jboss.org/author/display/WFLY/Undertow+subsystem+configuration
> -->
> > >  <subsystem xmlns="urn:jboss:domain:undertow:4.0">
> > >  <!-- org.wildfly.extension.undertow.BufferCacheDefinition -->
> > >  <buffer-cache name="default" buffer-size="1024"
> buffers-per-region="1024" max-regions="10" />
> > >  <server name="default-server">
> > >  <!-- HTTP(S) Listener references Socket Binding (and indirectly -
> Interfaces) -->
> > >  <http-listener name="http" socket-binding="http" />
> > >  <!-- verify-client: org.xnio.SslClientAuthMode.NOT_REQUESTED,
> org.xnio.SslClientAuthMode.REQUESTED, org.xnio.SslClientAuthMode.REQUIRED
> -->
> > >  <https-listener name="https" socket-binding="https"
> > >  security-realm="https" verify-client="NOT_REQUESTED" />
> > >  <host name="default-host" alias="localhost">
> > >  <!--<location name="/" handler="welcome-content" />-->
> > >  <!--<location name="/docs" handler="docs-content" />-->
> > >  <access-log directory="${karaf.data}/log" pattern="common"
> prefix="access_log." suffix="log" rotate="true" />
> > >  <filter-ref name="server-header" />
> > >  <filter-ref name="x-powered-by-header" />
> > >  </host>
> > >  </server>
> > >  <servlet-container name="default">
> > >  <jsp-config />
> > >  <websockets />
> > >  <welcome-files>
> > >  <welcome-file name="index.html" />
> > >  <welcome-file name="index.txt" />
> > >  </welcome-files>
> > >  </servlet-container>
> > >  <handlers>
> > >  <file name="welcome-content" path="${karaf.home}/welcome" />
> > >  <!--<file name="docs-content" path="${karaf.home}/docs" />-->
> > >  </handlers>
> > >  <filters>
> > >  <!-- filters for reference from /host/filter-ref and
> /host/location/filter-ref -->
> > >  <response-header name="server-header" header-name="Server"
> header-value="Pax-HTTP-Undertow" />
> > >  <response-header name="x-powered-by-header"
> header-name="X-Powered-By" header-value="Pax-HTTP-Undertow/7.2.16" />
> > >  </filters>
> > >  </subsystem>
> > >
> > >  <!-- https://docs.jboss.org/author/display/WFLY/Security+Realms -->
> > >  <!--
> > >  we'll use "default" security realm by default to configure
> jaas/properties authentication
> > >  (io.undertow.security.idm.IdentityManager):
> > >  - w:jaas -
> org.ops4j.pax.web.service.undertow.internal.security.JaasIdentityManager
> > >  - w:properties -
> org.ops4j.pax.web.service.undertow.internal.security.PropertiesIdentityManager
> > >  -->
> > >  <security-realm name="default">
> > >  <w:authentication>
> > >  <!-- JaasIdentityManager for given realm -->
> > >  <w:jaas name="karaf" />
> > >  <!-- OR PropertiesIdentityManager (mutually exclusive with <w:jaas>)
> -->
> > >  <!--<w:properties path="users.properties" />-->
> > >  </w:authentication>
> > >
> <user-principal-class-name>org.apache.karaf.jaas.boot.principal.UserPrincipal</user-principal-class-name>
> > >
> <role-principal-class-name>org.apache.karaf.jaas.boot.principal.RolePrincipal</role-principal-class-name>
> > >  <!--<role-principal-class-name>...</role-principal-class-name>-->
> > >  </security-realm>
> > >  <!--
> > >  Any security realm may be referenced by https-listener to define
> trust/keystore, protocols and cipher suites
> > >  -->
> > >  <security-realm name="https">
> > >  <w:server-identities>
> > >  <w:ssl>
> > >  <!-- sun.security.ssl.ProtocolVersion -->
> > >  <!-- sun.security.ssl.CipherSuite -->
> > >  <!-- openssl ciphers 'ALL:eNULL' | sed -e 's/:/\n/g' | sort -->
> > >  <w:engine
> > >  enabled-cipher-suites="TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA384
> TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA384"
> > >  enabled-protocols="TLSv1 TLSv1.1 TLSv1.2" />
> > >  <w:keystore path="${karaf.etc}/server.p12" provider="PKCS12"
> alias="server"
> > >  keystore-password="password" key-password="password"
> > >  generate-self-signed-certificate-host="localhost" />
> > >  </w:ssl>
> > >  </w:server-identities>
> > >  <w:authentication>
> > >  <w:jaas name="karaf" />
> > >  <w:truststore path="${karaf.etc}/truststore.jks" provider="JKS"
> keystore-password="password" />
> > >  </w:authentication>
> > >
> <user-principal-class-name>org.apache.karaf.jaas.boot.principal.UserPrincipal</user-principal-class-name>
> > >
> <role-principal-class-name>org.apache.karaf.jaas.boot.principal.RolePrincipal</role-principal-class-name>
> > >  </security-realm>
> > >
> > >  <!-- Interface lists IP addresses to bind to -->
> > >  <interface name="default">
> > >  <w:inet-address value="0.0.0.0" />
> > >  <!--<w:inet-address value="127.0.0.1" />-->
> > >  </interface>
> > >  <interface name="secure">
> > >  <w:inet-address value="127.0.0.1" />
> > >  </interface>
> > >
> > >  <!-- Socket Binding adds port for each IP from referenced Interface
> -->
> > >  <socket-binding name="http" interface="default"
> port="${org.osgi.service.http.port}" />
> > >  <socket-binding name="https" interface="secure"
> port="${org.osgi.service.http.port.secure}" />
> > >
> > > </undertow>
>

Re: HTTPS with Karaf 4.2.9 and underpinning undertow web server

Posted by Gerald Kallas <ca...@mailbox.org>.
Thanks, Grzegorz for the explanation.

At the moment I'd be happy to use HTTPS (on 8443) only for all web related services (web console, servlets) w/ undertow and disable HTTP (on 8181). Could this be achieved with the setup I have?

Thanks
- Gerald

> Grzegorz Grzybek <gr...@gmail.com> hat am 07.08.2020 10:47 geschrieben:
> 
> 
> Hello
> 
> Unfortunately it is not possible to use the internal (managed by Pax Web) servlet runtime selectively - by specifying which listener (or more generally - virtual host) should be used for the servlets created and registered by Camel into HttpService (Pax Web) runtime.
> 
> pax-web-jetty has partial (legacy, non-standard from the point of view of OSGi CMPN specification) support for virtual hosts where a Whiteboard-registered servlet (or filter, or other "web element") may specify a comma-separated list of virtual host/connector names. But that's only for Jetty.
> 
> I'm still working on refactoring Pax Web 8 and I plan to have unified "experience" for dealing with separate connectors/virtual hosts across Jetty/Tomcat/Undertow runtimes, but it'll come only in Pax Web 8.
> 
> regards
> Grzegorz Grzybek
> 
> 
> pt., 7 sie 2020 o 10:34 Gerald Kallas <ca...@mailbox.org> napisał(a):
> > Dear all,
> > 
> > following the guidance in the ticket
> > 
> > https://issues.apache.org/jira/browse/KARAF-6772
> > 
> > I was setting up a vanilla Karaf 4.2.9 with the following features
> > 
> > feature:repo-add camel 3.4.2
> > feature:install pax-http-undertow
> > feature:install camel camel-servlet webconsole
> > 
> > I wonder how I can bind the webconsole and the servlet consumer in the camel routes to the HTTPS port. My undertow.xml is shown below. I tried to change the org.ops4j.pax.web.cfg but with no success.
> > 
> > Any hints are appreciated.
> > 
> > Thanks
> > - Gerald
> > 
> > 
> > <?xml version="1.0" encoding="UTF-8"?>
> > <!--
> >  Licensed under the Apache License, Version 2.0 (the "License");
> >  you may not use this file except in compliance with the License.
> >  You may obtain a copy of the License at
> > 
> >  http://www.apache.org/licenses/LICENSE-2.0
> > 
> >  Unless required by applicable law or agreed to in writing, software
> >  distributed under the License is distributed on an "AS IS" BASIS,
> >  WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or
> >  implied.
> > 
> >  See the License for the specific language governing permissions and
> >  limitations under the License.
> > -->
> > <undertow xmlns="urn:org.ops4j.pax.web:undertow:1.0"
> >  xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
> >  xmlns:w="urn:jboss:domain:5.0"
> >  xmlns:io="urn:jboss:domain:io:3.0"
> >  xsi:schemaLocation="
> >  urn:jboss:domain:io:3.0 http://www.jboss.org/schema/jbossas/wildfly-io_3_0.xsd
> >  urn:jboss:domain:undertow:4.0 http://www.jboss.org/schema/jbossas/wildfly-undertow_4_0.xsd
> >  urn:jboss:domain:5.0 http://www.jboss.org/schema/jbossas/wildfly-config_5_0.xsd">
> > 
> >  <!--
> >  Only "default" worker and buffer-pool are supported and can be used to override the default values
> >  used by all listeners
> > 
> >  buffer-pool:
> >  - buffer-size defaults to:
> >  - when < 64MB of Xmx: 512
> >  - when < 128MB of Xmx: 1024
> >  - when >= 128MB of Xmx: 16K - 20
> >  - direct-buffers defaults to:
> >  - when < 64MB of Xmx: false
> >  - when >= 64MB of Xmx: true
> > 
> >  worker:
> >  - io-threads defaults to Math.max(Runtime.getRuntime().availableProcessors(), 2);
> >  - task-core-threads and task-max-threads default to io-threads * 8
> >  -->
> >  <!--
> >  <subsystem xmlns="urn:jboss:domain:io:3.0">
> >  <buffer-pool name="default" buffer-size="16364" direct-buffers="true" />
> >  <worker name="default" io-threads="8" task-core-threads="64" task-max-threads="64" />
> >  </subsystem>
> >  -->
> > 
> >  <!-- https://docs.jboss.org/author/display/WFLY/Undertow+subsystem+configuration -->
> >  <subsystem xmlns="urn:jboss:domain:undertow:4.0">
> >  <!-- org.wildfly.extension.undertow.BufferCacheDefinition -->
> >  <buffer-cache name="default" buffer-size="1024" buffers-per-region="1024" max-regions="10" />
> >  <server name="default-server">
> >  <!-- HTTP(S) Listener references Socket Binding (and indirectly - Interfaces) -->
> >  <http-listener name="http" socket-binding="http" />
> >  <!-- verify-client: org.xnio.SslClientAuthMode.NOT_REQUESTED, org.xnio.SslClientAuthMode.REQUESTED, org.xnio.SslClientAuthMode.REQUIRED -->
> >  <https-listener name="https" socket-binding="https"
> >  security-realm="https" verify-client="NOT_REQUESTED" />
> >  <host name="default-host" alias="localhost">
> >  <!--<location name="/" handler="welcome-content" />-->
> >  <!--<location name="/docs" handler="docs-content" />-->
> >  <access-log directory="${karaf.data}/log" pattern="common" prefix="access_log." suffix="log" rotate="true" />
> >  <filter-ref name="server-header" />
> >  <filter-ref name="x-powered-by-header" />
> >  </host>
> >  </server>
> >  <servlet-container name="default">
> >  <jsp-config />
> >  <websockets />
> >  <welcome-files>
> >  <welcome-file name="index.html" />
> >  <welcome-file name="index.txt" />
> >  </welcome-files>
> >  </servlet-container>
> >  <handlers>
> >  <file name="welcome-content" path="${karaf.home}/welcome" />
> >  <!--<file name="docs-content" path="${karaf.home}/docs" />-->
> >  </handlers>
> >  <filters>
> >  <!-- filters for reference from /host/filter-ref and /host/location/filter-ref -->
> >  <response-header name="server-header" header-name="Server" header-value="Pax-HTTP-Undertow" />
> >  <response-header name="x-powered-by-header" header-name="X-Powered-By" header-value="Pax-HTTP-Undertow/7.2.16" />
> >  </filters>
> >  </subsystem>
> > 
> >  <!-- https://docs.jboss.org/author/display/WFLY/Security+Realms -->
> >  <!--
> >  we'll use "default" security realm by default to configure jaas/properties authentication
> >  (io.undertow.security.idm.IdentityManager):
> >  - w:jaas - org.ops4j.pax.web.service.undertow.internal.security.JaasIdentityManager
> >  - w:properties - org.ops4j.pax.web.service.undertow.internal.security.PropertiesIdentityManager
> >  -->
> >  <security-realm name="default">
> >  <w:authentication>
> >  <!-- JaasIdentityManager for given realm -->
> >  <w:jaas name="karaf" />
> >  <!-- OR PropertiesIdentityManager (mutually exclusive with <w:jaas>) -->
> >  <!--<w:properties path="users.properties" />-->
> >  </w:authentication>
> >  <user-principal-class-name>org.apache.karaf.jaas.boot.principal.UserPrincipal</user-principal-class-name>
> >  <role-principal-class-name>org.apache.karaf.jaas.boot.principal.RolePrincipal</role-principal-class-name>
> >  <!--<role-principal-class-name>...</role-principal-class-name>-->
> >  </security-realm>
> >  <!--
> >  Any security realm may be referenced by https-listener to define trust/keystore, protocols and cipher suites
> >  -->
> >  <security-realm name="https">
> >  <w:server-identities>
> >  <w:ssl>
> >  <!-- sun.security.ssl.ProtocolVersion -->
> >  <!-- sun.security.ssl.CipherSuite -->
> >  <!-- openssl ciphers 'ALL:eNULL' | sed -e 's/:/\n/g' | sort -->
> >  <w:engine
> >  enabled-cipher-suites="TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA384 TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA384"
> >  enabled-protocols="TLSv1 TLSv1.1 TLSv1.2" />
> >  <w:keystore path="${karaf.etc}/server.p12" provider="PKCS12" alias="server"
> >  keystore-password="password" key-password="password"
> >  generate-self-signed-certificate-host="localhost" />
> >  </w:ssl>
> >  </w:server-identities>
> >  <w:authentication>
> >  <w:jaas name="karaf" />
> >  <w:truststore path="${karaf.etc}/truststore.jks" provider="JKS" keystore-password="password" />
> >  </w:authentication>
> >  <user-principal-class-name>org.apache.karaf.jaas.boot.principal.UserPrincipal</user-principal-class-name>
> >  <role-principal-class-name>org.apache.karaf.jaas.boot.principal.RolePrincipal</role-principal-class-name>
> >  </security-realm>
> > 
> >  <!-- Interface lists IP addresses to bind to -->
> >  <interface name="default">
> >  <w:inet-address value="0.0.0.0" />
> >  <!--<w:inet-address value="127.0.0.1" />-->
> >  </interface>
> >  <interface name="secure">
> >  <w:inet-address value="127.0.0.1" />
> >  </interface>
> > 
> >  <!-- Socket Binding adds port for each IP from referenced Interface -->
> >  <socket-binding name="http" interface="default" port="${org.osgi.service.http.port}" />
> >  <socket-binding name="https" interface="secure" port="${org.osgi.service.http.port.secure}" />
> > 
> > </undertow>

Re: HTTPS with Karaf 4.2.9 and underpinning undertow web server

Posted by Gerald Kallas <ca...@mailbox.org>.
Thanks, Grzegorz for the explanation.

At the moment I'd be happy to use HTTPS (on 8443) only for all web related services (web console, servlets) w/ undertow and disable HTTP (on 8181). Could this be achieved with the setup I have?

Thanks
- Gerald

> Grzegorz Grzybek <gr...@gmail.com> hat am 07.08.2020 10:47 geschrieben:
> 
> 
> Hello
> 
> Unfortunately it is not possible to use the internal (managed by Pax Web) servlet runtime selectively - by specifying which listener (or more generally - virtual host) should be used for the servlets created and registered by Camel into HttpService (Pax Web) runtime.
> 
> pax-web-jetty has partial (legacy, non-standard from the point of view of OSGi CMPN specification) support for virtual hosts where a Whiteboard-registered servlet (or filter, or other "web element") may specify a comma-separated list of virtual host/connector names. But that's only for Jetty.
> 
> I'm still working on refactoring Pax Web 8 and I plan to have unified "experience" for dealing with separate connectors/virtual hosts across Jetty/Tomcat/Undertow runtimes, but it'll come only in Pax Web 8.
> 
> regards
> Grzegorz Grzybek
> 
> 
> pt., 7 sie 2020 o 10:34 Gerald Kallas <ca...@mailbox.org> napisał(a):
> > Dear all,
> > 
> > following the guidance in the ticket
> > 
> > https://issues.apache.org/jira/browse/KARAF-6772
> > 
> > I was setting up a vanilla Karaf 4.2.9 with the following features
> > 
> > feature:repo-add camel 3.4.2
> > feature:install pax-http-undertow
> > feature:install camel camel-servlet webconsole
> > 
> > I wonder how I can bind the webconsole and the servlet consumer in the camel routes to the HTTPS port. My undertow.xml is shown below. I tried to change the org.ops4j.pax.web.cfg but with no success.
> > 
> > Any hints are appreciated.
> > 
> > Thanks
> > - Gerald
> > 
> > 
> > <?xml version="1.0" encoding="UTF-8"?>
> > <!--
> >  Licensed under the Apache License, Version 2.0 (the "License");
> >  you may not use this file except in compliance with the License.
> >  You may obtain a copy of the License at
> > 
> >  http://www.apache.org/licenses/LICENSE-2.0
> > 
> >  Unless required by applicable law or agreed to in writing, software
> >  distributed under the License is distributed on an "AS IS" BASIS,
> >  WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or
> >  implied.
> > 
> >  See the License for the specific language governing permissions and
> >  limitations under the License.
> > -->
> > <undertow xmlns="urn:org.ops4j.pax.web:undertow:1.0"
> >  xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
> >  xmlns:w="urn:jboss:domain:5.0"
> >  xmlns:io="urn:jboss:domain:io:3.0"
> >  xsi:schemaLocation="
> >  urn:jboss:domain:io:3.0 http://www.jboss.org/schema/jbossas/wildfly-io_3_0.xsd
> >  urn:jboss:domain:undertow:4.0 http://www.jboss.org/schema/jbossas/wildfly-undertow_4_0.xsd
> >  urn:jboss:domain:5.0 http://www.jboss.org/schema/jbossas/wildfly-config_5_0.xsd">
> > 
> >  <!--
> >  Only "default" worker and buffer-pool are supported and can be used to override the default values
> >  used by all listeners
> > 
> >  buffer-pool:
> >  - buffer-size defaults to:
> >  - when < 64MB of Xmx: 512
> >  - when < 128MB of Xmx: 1024
> >  - when >= 128MB of Xmx: 16K - 20
> >  - direct-buffers defaults to:
> >  - when < 64MB of Xmx: false
> >  - when >= 64MB of Xmx: true
> > 
> >  worker:
> >  - io-threads defaults to Math.max(Runtime.getRuntime().availableProcessors(), 2);
> >  - task-core-threads and task-max-threads default to io-threads * 8
> >  -->
> >  <!--
> >  <subsystem xmlns="urn:jboss:domain:io:3.0">
> >  <buffer-pool name="default" buffer-size="16364" direct-buffers="true" />
> >  <worker name="default" io-threads="8" task-core-threads="64" task-max-threads="64" />
> >  </subsystem>
> >  -->
> > 
> >  <!-- https://docs.jboss.org/author/display/WFLY/Undertow+subsystem+configuration -->
> >  <subsystem xmlns="urn:jboss:domain:undertow:4.0">
> >  <!-- org.wildfly.extension.undertow.BufferCacheDefinition -->
> >  <buffer-cache name="default" buffer-size="1024" buffers-per-region="1024" max-regions="10" />
> >  <server name="default-server">
> >  <!-- HTTP(S) Listener references Socket Binding (and indirectly - Interfaces) -->
> >  <http-listener name="http" socket-binding="http" />
> >  <!-- verify-client: org.xnio.SslClientAuthMode.NOT_REQUESTED, org.xnio.SslClientAuthMode.REQUESTED, org.xnio.SslClientAuthMode.REQUIRED -->
> >  <https-listener name="https" socket-binding="https"
> >  security-realm="https" verify-client="NOT_REQUESTED" />
> >  <host name="default-host" alias="localhost">
> >  <!--<location name="/" handler="welcome-content" />-->
> >  <!--<location name="/docs" handler="docs-content" />-->
> >  <access-log directory="${karaf.data}/log" pattern="common" prefix="access_log." suffix="log" rotate="true" />
> >  <filter-ref name="server-header" />
> >  <filter-ref name="x-powered-by-header" />
> >  </host>
> >  </server>
> >  <servlet-container name="default">
> >  <jsp-config />
> >  <websockets />
> >  <welcome-files>
> >  <welcome-file name="index.html" />
> >  <welcome-file name="index.txt" />
> >  </welcome-files>
> >  </servlet-container>
> >  <handlers>
> >  <file name="welcome-content" path="${karaf.home}/welcome" />
> >  <!--<file name="docs-content" path="${karaf.home}/docs" />-->
> >  </handlers>
> >  <filters>
> >  <!-- filters for reference from /host/filter-ref and /host/location/filter-ref -->
> >  <response-header name="server-header" header-name="Server" header-value="Pax-HTTP-Undertow" />
> >  <response-header name="x-powered-by-header" header-name="X-Powered-By" header-value="Pax-HTTP-Undertow/7.2.16" />
> >  </filters>
> >  </subsystem>
> > 
> >  <!-- https://docs.jboss.org/author/display/WFLY/Security+Realms -->
> >  <!--
> >  we'll use "default" security realm by default to configure jaas/properties authentication
> >  (io.undertow.security.idm.IdentityManager):
> >  - w:jaas - org.ops4j.pax.web.service.undertow.internal.security.JaasIdentityManager
> >  - w:properties - org.ops4j.pax.web.service.undertow.internal.security.PropertiesIdentityManager
> >  -->
> >  <security-realm name="default">
> >  <w:authentication>
> >  <!-- JaasIdentityManager for given realm -->
> >  <w:jaas name="karaf" />
> >  <!-- OR PropertiesIdentityManager (mutually exclusive with <w:jaas>) -->
> >  <!--<w:properties path="users.properties" />-->
> >  </w:authentication>
> >  <user-principal-class-name>org.apache.karaf.jaas.boot.principal.UserPrincipal</user-principal-class-name>
> >  <role-principal-class-name>org.apache.karaf.jaas.boot.principal.RolePrincipal</role-principal-class-name>
> >  <!--<role-principal-class-name>...</role-principal-class-name>-->
> >  </security-realm>
> >  <!--
> >  Any security realm may be referenced by https-listener to define trust/keystore, protocols and cipher suites
> >  -->
> >  <security-realm name="https">
> >  <w:server-identities>
> >  <w:ssl>
> >  <!-- sun.security.ssl.ProtocolVersion -->
> >  <!-- sun.security.ssl.CipherSuite -->
> >  <!-- openssl ciphers 'ALL:eNULL' | sed -e 's/:/\n/g' | sort -->
> >  <w:engine
> >  enabled-cipher-suites="TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA384 TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA384"
> >  enabled-protocols="TLSv1 TLSv1.1 TLSv1.2" />
> >  <w:keystore path="${karaf.etc}/server.p12" provider="PKCS12" alias="server"
> >  keystore-password="password" key-password="password"
> >  generate-self-signed-certificate-host="localhost" />
> >  </w:ssl>
> >  </w:server-identities>
> >  <w:authentication>
> >  <w:jaas name="karaf" />
> >  <w:truststore path="${karaf.etc}/truststore.jks" provider="JKS" keystore-password="password" />
> >  </w:authentication>
> >  <user-principal-class-name>org.apache.karaf.jaas.boot.principal.UserPrincipal</user-principal-class-name>
> >  <role-principal-class-name>org.apache.karaf.jaas.boot.principal.RolePrincipal</role-principal-class-name>
> >  </security-realm>
> > 
> >  <!-- Interface lists IP addresses to bind to -->
> >  <interface name="default">
> >  <w:inet-address value="0.0.0.0" />
> >  <!--<w:inet-address value="127.0.0.1" />-->
> >  </interface>
> >  <interface name="secure">
> >  <w:inet-address value="127.0.0.1" />
> >  </interface>
> > 
> >  <!-- Socket Binding adds port for each IP from referenced Interface -->
> >  <socket-binding name="http" interface="default" port="${org.osgi.service.http.port}" />
> >  <socket-binding name="https" interface="secure" port="${org.osgi.service.http.port.secure}" />
> > 
> > </undertow>

Re: HTTPS with Karaf 4.2.9 and underpinning undertow web server

Posted by Grzegorz Grzybek <gr...@gmail.com>.
Hello

Unfortunately it is not possible to use the internal (managed by Pax Web)
servlet runtime selectively - by specifying which listener (or more
generally - virtual host) should be used for the servlets created and
registered by Camel into HttpService (Pax Web) runtime.

pax-web-jetty has partial (legacy, non-standard from the point of view of
OSGi CMPN specification) support for virtual hosts where a
Whiteboard-registered servlet (or filter, or other "web element") may
specify a comma-separated list of virtual host/connector names. But that's
only for Jetty.

I'm still working on refactoring Pax Web 8 and I plan to have unified
"experience" for dealing with separate connectors/virtual hosts across
Jetty/Tomcat/Undertow runtimes, but it'll come only in Pax Web 8.

regards
Grzegorz Grzybek

pt., 7 sie 2020 o 10:34 Gerald Kallas <ca...@mailbox.org> napisał(a):

> Dear all,
>
> following the guidance in the ticket
>
> https://issues.apache.org/jira/browse/KARAF-6772
>
> I was setting up a vanilla Karaf 4.2.9 with the following features
>
> feature:repo-add camel 3.4.2
> feature:install pax-http-undertow
> feature:install camel camel-servlet webconsole
>
> I wonder how I can bind the webconsole and the servlet consumer in the
> camel routes to the HTTPS port. My undertow.xml is shown below. I tried to
> change the org.ops4j.pax.web.cfg but with no success.
>
> Any hints are appreciated.
>
> Thanks
> - Gerald
>
>
> <?xml version="1.0" encoding="UTF-8"?>
> <!--
>    Licensed under the Apache License, Version 2.0 (the "License");
>    you may not use this file except in compliance with the License.
>    You may obtain a copy of the License at
>
>    http://www.apache.org/licenses/LICENSE-2.0
>
>    Unless required by applicable law or agreed to in writing, software
>    distributed under the License is distributed on an "AS IS" BASIS,
>    WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or
>    implied.
>
>    See the License for the specific language governing permissions and
>    limitations under the License.
> -->
> <undertow xmlns="urn:org.ops4j.pax.web:undertow:1.0"
>         xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
>         xmlns:w="urn:jboss:domain:5.0"
>         xmlns:io="urn:jboss:domain:io:3.0"
>         xsi:schemaLocation="
>             urn:jboss:domain:io:3.0
> http://www.jboss.org/schema/jbossas/wildfly-io_3_0.xsd
>             urn:jboss:domain:undertow:4.0
> http://www.jboss.org/schema/jbossas/wildfly-undertow_4_0.xsd
>             urn:jboss:domain:5.0
> http://www.jboss.org/schema/jbossas/wildfly-config_5_0.xsd">
>
>     <!--
>         Only "default" worker and buffer-pool are supported and can be
> used to override the default values
>         used by all listeners
>
>         buffer-pool:
>          - buffer-size defaults to:
>             - when < 64MB of Xmx: 512
>             - when < 128MB of Xmx: 1024
>             - when >= 128MB of Xmx: 16K - 20
>          - direct-buffers defaults to:
>             - when < 64MB of Xmx: false
>             - when >= 64MB of Xmx: true
>
>         worker:
>          - io-threads defaults to
> Math.max(Runtime.getRuntime().availableProcessors(), 2);
>          - task-core-threads and task-max-threads default to io-threads * 8
>     -->
>     <!--
>     <subsystem xmlns="urn:jboss:domain:io:3.0">
>         <buffer-pool name="default" buffer-size="16364"
> direct-buffers="true" />
>         <worker name="default" io-threads="8" task-core-threads="64"
> task-max-threads="64" />
>     </subsystem>
>     -->
>
>     <!--
> https://docs.jboss.org/author/display/WFLY/Undertow+subsystem+configuration
> -->
>     <!-- Web container settings: one plain HTTP and one HTTPS listener on "default-server", a single host, and two response-header filters. -->
>     <subsystem xmlns="urn:jboss:domain:undertow:4.0">
>         <!-- org.wildfly.extension.undertow.BufferCacheDefinition -->
>         <buffer-cache name="default" buffer-size="1024"
> buffers-per-region="1024" max-regions="10" />
>         <server name="default-server">
>             <!-- HTTP(S) Listener references Socket Binding (and
> indirectly - Interfaces) -->
>             <!-- Plain HTTP listener. Its socket-binding uses interface "default" (0.0.0.0), so it accepts connections from any address on the host. -->
>             <http-listener name="http" socket-binding="http" />
>             <!-- verify-client: org.xnio.SslClientAuthMode.NOT_REQUESTED,
> org.xnio.SslClientAuthMode.REQUESTED, org.xnio.SslClientAuthMode.REQUIRED
> -->
>             <!-- NOTE(review): NOT_REQUESTED means the server never asks for a client certificate (no mutual TLS); the truststore in the "https" realm presumably only takes effect with REQUESTED or REQUIRED, verify before relying on it. -->
>             <https-listener name="https" socket-binding="https"
>                     security-realm="https" verify-client="NOT_REQUESTED" />
>             <host name="default-host" alias="localhost">
>                 <!--<location name="/" handler="welcome-content" />-->
>                 <!--<location name="/docs" handler="docs-content" />-->
>                 <access-log directory="${karaf.data}/log" pattern="common"
> prefix="access_log." suffix="log" rotate="true" />
>                 <filter-ref name="server-header" />
>                 <filter-ref name="x-powered-by-header" />
>             </host>
>         </server>
>         <servlet-container name="default">
>             <jsp-config />
>             <websockets />
>             <welcome-files>
>                 <welcome-file name="index.html" />
>                 <welcome-file name="index.txt" />
>             </welcome-files>
>         </servlet-container>
>         <handlers>
>             <file name="welcome-content" path="${karaf.home}/welcome" />
>             <!--<file name="docs-content" path="${karaf.home}/docs" />-->
>         </handlers>
>         <filters>
>             <!-- filters for reference from /host/filter-ref and
> /host/location/filter-ref -->
>             <response-header name="server-header" header-name="Server"
> header-value="Pax-HTTP-Undertow" />
>             <!-- NOTE(review): this header advertises the product and its exact version (7.2.16) to every client; dropping the x-powered-by-header filter-ref from <host> removes that fingerprint. -->
>             <response-header name="x-powered-by-header"
> header-name="X-Powered-By" header-value="Pax-HTTP-Undertow/7.2.16" />
>         </filters>
>     </subsystem>
>
>     <!-- https://docs.jboss.org/author/display/WFLY/Security+Realms -->
>     <!--
>         we'll use "default" security realm by default to configure
> jaas/properties authentication
>         (io.undertow.security.idm.IdentityManager):
>          - w:jaas -
> org.ops4j.pax.web.service.undertow.internal.security.JaasIdentityManager
>          - w:properties -
> org.ops4j.pax.web.service.undertow.internal.security.PropertiesIdentityManager
>     -->
>     <!-- Realm used for JAAS-backed authentication: delegates to the Karaf JAAS realm named "karaf". -->
>     <security-realm name="default">
>         <w:authentication>
>             <!-- JaasIdentityManager for given realm -->
>             <w:jaas name="karaf" />
>             <!-- OR PropertiesIdentityManager (mutually exclusive with
> <w:jaas>) -->
>             <!--<w:properties path="users.properties" />-->
>         </w:authentication>
>         <!-- Principal classes that presumably identify the user and role principals produced by the JAAS login (confirm against the Pax Web Undertow docs). -->
>
> <user-principal-class-name>org.apache.karaf.jaas.boot.principal.UserPrincipal</user-principal-class-name>
>
> <role-principal-class-name>org.apache.karaf.jaas.boot.principal.RolePrincipal</role-principal-class-name>
>         <!--<role-principal-class-name>...</role-principal-class-name>-->
>     </security-realm>
>     <!--
>         Any security realm may be referenced by https-listener to define
> trust/keystore, protocols and cipher suites
>     -->
>     <!-- Realm referenced by the https-listener: TLS engine settings, server keystore and (for client-cert auth) truststore. -->
>     <security-realm name="https">
>         <w:server-identities>
>             <w:ssl>
>                 <!-- sun.security.ssl.ProtocolVersion -->
>                 <!-- sun.security.ssl.CipherSuite -->
>                 <!-- openssl ciphers 'ALL:eNULL' | sed -e 's/:/\n/g' |
> sort -->
>                 <!-- NOTE(review): TLSv1 and TLSv1.1 are deprecated (RFC 8996); TLSv1.2 alone (plus TLSv1.3 where the JVM offers it) is the usual baseline. Both suites listed are CBC mode; AEAD (GCM) suites are preferred where the JVM supports them. -->
>                 <w:engine
>
> enabled-cipher-suites="TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA384
> TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA384"
>                         enabled-protocols="TLSv1 TLSv1.1 TLSv1.2" />
>                 <!-- NOTE(review): "password" is a placeholder stored in clear text; replace it before deployment and restrict read access to this file. generate-self-signed-certificate-host appears to produce a self-signed certificate for localhost (presumably when no keystore exists; confirm), which is fine for local testing but will not be trusted by clients. -->
>                 <w:keystore path="${karaf.etc}/server.p12"
> provider="PKCS12" alias="server"
>                         keystore-password="password"
> key-password="password"
>                         generate-self-signed-certificate-host="localhost"
> />
>             </w:ssl>
>         </w:server-identities>
>         <w:authentication>
>             <w:jaas name="karaf" />
>             <!-- NOTE(review): same placeholder password as the keystore. With verify-client="NOT_REQUESTED" on the listener this truststore is presumably never consulted; confirm. -->
>             <w:truststore path="${karaf.etc}/truststore.jks"
> provider="JKS" keystore-password="password" />
>         </w:authentication>
>
> <user-principal-class-name>org.apache.karaf.jaas.boot.principal.UserPrincipal</user-principal-class-name>
>
> <role-principal-class-name>org.apache.karaf.jaas.boot.principal.RolePrincipal</role-principal-class-name>
>     </security-realm>
>
>     <!-- Interface lists IP addresses to bind to -->
>     <!-- "default" binds every address on the host; the plain HTTP socket-binding uses it. -->
>     <interface name="default">
>         <w:inet-address value="0.0.0.0" />
>         <!--<w:inet-address value="127.0.0.1" />-->
>     </interface>
>     <!-- NOTE(review): "secure" binds loopback only, so as configured the HTTPS listener is reachable from this host alone, not from the network. Point it at an external address (or at "default") if remote clients are meant to use HTTPS. -->
>     <interface name="secure">
>         <w:inet-address value="127.0.0.1" />
>     </interface>
>
>     <!-- Socket Binding adds port for each IP from referenced Interface -->
>     <!-- Port values are property references, presumably resolved from org.ops4j.pax.web.cfg (org.osgi.service.http.port / org.osgi.service.http.port.secure). -->
>     <socket-binding name="http" interface="default"
> port="${org.osgi.service.http.port}" />
>     <socket-binding name="https" interface="secure"
> port="${org.osgi.service.http.port.secure}" />
>
> </undertow>
>

Re: HTTPS with Karaf 4.2.9 and underpinning undertow web server

Posted by Grzegorz Grzybek <gr...@gmail.com>.
Hello

Unfortunately it is not possible to use the internal (managed by Pax Web)
servlet runtime selectively, i.e. to specify which listener (or, more
generally, which virtual host) should serve the servlets that Camel creates and
registers into the HttpService (Pax Web) runtime.

pax-web-jetty has partial (legacy, non-standard from the point of view of
OSGi CMPN specification) support for virtual hosts where a
Whiteboard-registered servlet (or filter, or other "web element") may
specify a comma-separated list of virtual host/connector names. But that's
only for Jetty.

I'm still working on refactoring Pax Web 8 and I plan to have unified
"experience" for dealing with separate connectors/virtual hosts across
Jetty/Tomcat/Undertow runtimes, but it'll come only in Pax Web 8.

regards
Grzegorz Grzybek

pt., 7 sie 2020 o 10:34 Gerald Kallas <ca...@mailbox.org> napisał(a):

> Dear all,
>
> following the guidance in the ticket
>
> https://issues.apache.org/jira/browse/KARAF-6772
>
> I was setting up a vanilla Karaf 4.2.9 with the following features
>
> feature:repo-add camel 3.4.2
> feature:install pax-http-undertow
> feature:install camel camel-servlet webconsole
>
> I wonder how I can bind the webconsole and the servlet consumer in the
> camel routes to the HTTPS port. My undertow.xml is shown below. I tried to
> change the org.ops4j.pax.web.cfg but without success.
>
> Any hints are appreciated.
>
> Thanks
> - Gerald
>
>
> <?xml version="1.0" encoding="UTF-8"?>
> <!--
>    Licensed under the Apache License, Version 2.0 (the "License");
>    you may not use this file except in compliance with the License.
>    You may obtain a copy of the License at
>
>    http://www.apache.org/licenses/LICENSE-2.0
>
>    Unless required by applicable law or agreed to in writing, software
>    distributed under the License is distributed on an "AS IS" BASIS,
>    WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or
>    implied.
>
>    See the License for the specific language governing permissions and
>    limitations under the License.
> -->
> <undertow xmlns="urn:org.ops4j.pax.web:undertow:1.0"
>         xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
>         xmlns:w="urn:jboss:domain:5.0"
>         xmlns:io="urn:jboss:domain:io:3.0"
>         xsi:schemaLocation="
>             urn:jboss:domain:io:3.0
> http://www.jboss.org/schema/jbossas/wildfly-io_3_0.xsd
>             urn:jboss:domain:undertow:4.0
> http://www.jboss.org/schema/jbossas/wildfly-undertow_4_0.xsd
>             urn:jboss:domain:5.0
> http://www.jboss.org/schema/jbossas/wildfly-config_5_0.xsd">
>
>     <!-- Pax Web Undertow configuration: one HTTP and one HTTPS listener on "default-server", two security realms, and the interfaces and socket bindings they use. -->
>     <!--
>         Only "default" worker and buffer-pool are supported and can be
> used to override the default values
>         used by all listeners
>
>         buffer-pool:
>          - buffer-size defaults to:
>             - when < 64MB of Xmx: 512
>             - when < 128MB of Xmx: 1024
>             - when >= 128MB of Xmx: 16K - 20
>          - direct-buffers defaults to:
>             - when < 64MB of Xmx: false
>             - when >= 64MB of Xmx: true
>
>         worker:
>          - io-threads defaults to
> Math.max(Runtime.getRuntime().availableProcessors(), 2);
>          - task-core-threads and task-max-threads default to io-threads * 8
>     -->
>     <!--
>     <subsystem xmlns="urn:jboss:domain:io:3.0">
>         <buffer-pool name="default" buffer-size="16364"
> direct-buffers="true" />
>         <worker name="default" io-threads="8" task-core-threads="64"
> task-max-threads="64" />
>     </subsystem>
>     -->
>
>     <!--
> https://docs.jboss.org/author/display/WFLY/Undertow+subsystem+configuration
> -->
>     <!-- Web container settings: listeners, host, servlet container, handlers and response-header filters. -->
>     <subsystem xmlns="urn:jboss:domain:undertow:4.0">
>         <!-- org.wildfly.extension.undertow.BufferCacheDefinition -->
>         <buffer-cache name="default" buffer-size="1024"
> buffers-per-region="1024" max-regions="10" />
>         <server name="default-server">
>             <!-- HTTP(S) Listener references Socket Binding (and
> indirectly - Interfaces) -->
>             <!-- Plain HTTP listener. Its socket-binding uses interface "default" (0.0.0.0 below), so it accepts connections from any address on the host. -->
>             <http-listener name="http" socket-binding="http" />
>             <!-- verify-client: org.xnio.SslClientAuthMode.NOT_REQUESTED,
> org.xnio.SslClientAuthMode.REQUESTED, org.xnio.SslClientAuthMode.REQUIRED
> -->
>             <!-- NOTE(review): NOT_REQUESTED means the server never asks for a client certificate (no mutual TLS); the truststore in the "https" realm presumably only takes effect with REQUESTED or REQUIRED, verify before relying on it. -->
>             <https-listener name="https" socket-binding="https"
>                     security-realm="https" verify-client="NOT_REQUESTED" />
>             <host name="default-host" alias="localhost">
>                 <!--<location name="/" handler="welcome-content" />-->
>                 <!--<location name="/docs" handler="docs-content" />-->
>                 <access-log directory="${karaf.data}/log" pattern="common"
> prefix="access_log." suffix="log" rotate="true" />
>                 <filter-ref name="server-header" />
>                 <filter-ref name="x-powered-by-header" />
>             </host>
>         </server>
>         <servlet-container name="default">
>             <jsp-config />
>             <websockets />
>             <welcome-files>
>                 <welcome-file name="index.html" />
>                 <welcome-file name="index.txt" />
>             </welcome-files>
>         </servlet-container>
>         <handlers>
>             <file name="welcome-content" path="${karaf.home}/welcome" />
>             <!--<file name="docs-content" path="${karaf.home}/docs" />-->
>         </handlers>
>         <filters>
>             <!-- filters for reference from /host/filter-ref and
> /host/location/filter-ref -->
>             <response-header name="server-header" header-name="Server"
> header-value="Pax-HTTP-Undertow" />
>             <!-- NOTE(review): this header advertises the product and its exact version (7.2.16) to every client; dropping the x-powered-by-header filter-ref from <host> removes that fingerprint. -->
>             <response-header name="x-powered-by-header"
> header-name="X-Powered-By" header-value="Pax-HTTP-Undertow/7.2.16" />
>         </filters>
>     </subsystem>
>
>     <!-- https://docs.jboss.org/author/display/WFLY/Security+Realms -->
>     <!--
>         we'll use "default" security realm by default to configure
> jaas/properties authentication
>         (io.undertow.security.idm.IdentityManager):
>          - w:jaas -
> org.ops4j.pax.web.service.undertow.internal.security.JaasIdentityManager
>          - w:properties -
> org.ops4j.pax.web.service.undertow.internal.security.PropertiesIdentityManager
>     -->
>     <!-- Realm used for JAAS-backed authentication: delegates to the Karaf JAAS realm named "karaf". -->
>     <security-realm name="default">
>         <w:authentication>
>             <!-- JaasIdentityManager for given realm -->
>             <w:jaas name="karaf" />
>             <!-- OR PropertiesIdentityManager (mutually exclusive with
> <w:jaas>) -->
>             <!--<w:properties path="users.properties" />-->
>         </w:authentication>
>         <!-- Principal classes that presumably identify the user and role principals produced by the JAAS login (confirm against the Pax Web Undertow docs). -->
>
> <user-principal-class-name>org.apache.karaf.jaas.boot.principal.UserPrincipal</user-principal-class-name>
>
> <role-principal-class-name>org.apache.karaf.jaas.boot.principal.RolePrincipal</role-principal-class-name>
>         <!--<role-principal-class-name>...</role-principal-class-name>-->
>     </security-realm>
>     <!--
>         Any security realm may be referenced by https-listener to define
> trust/keystore, protocols and cipher suites
>     -->
>     <!-- Realm referenced by the https-listener: TLS engine settings, server keystore and (for client-cert auth) truststore. -->
>     <security-realm name="https">
>         <w:server-identities>
>             <w:ssl>
>                 <!-- sun.security.ssl.ProtocolVersion -->
>                 <!-- sun.security.ssl.CipherSuite -->
>                 <!-- openssl ciphers 'ALL:eNULL' | sed -e 's/:/\n/g' |
> sort -->
>                 <!-- NOTE(review): TLSv1 and TLSv1.1 are deprecated (RFC 8996); TLSv1.2 alone (plus TLSv1.3 where the JVM offers it) is the usual baseline. Both suites listed are CBC mode; AEAD (GCM) suites are preferred where the JVM supports them. -->
>                 <w:engine
>
> enabled-cipher-suites="TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA384
> TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA384"
>                         enabled-protocols="TLSv1 TLSv1.1 TLSv1.2" />
>                 <!-- NOTE(review): "password" is a placeholder stored in clear text; replace it before deployment and restrict read access to this file. generate-self-signed-certificate-host appears to produce a self-signed certificate for localhost (presumably when no keystore exists; confirm), which is fine for local testing but will not be trusted by clients. -->
>                 <w:keystore path="${karaf.etc}/server.p12"
> provider="PKCS12" alias="server"
>                         keystore-password="password"
> key-password="password"
>                         generate-self-signed-certificate-host="localhost"
> />
>             </w:ssl>
>         </w:server-identities>
>         <w:authentication>
>             <w:jaas name="karaf" />
>             <!-- NOTE(review): same placeholder password as the keystore. With verify-client="NOT_REQUESTED" on the listener this truststore is presumably never consulted; confirm. -->
>             <w:truststore path="${karaf.etc}/truststore.jks"
> provider="JKS" keystore-password="password" />
>         </w:authentication>
>
> <user-principal-class-name>org.apache.karaf.jaas.boot.principal.UserPrincipal</user-principal-class-name>
>
> <role-principal-class-name>org.apache.karaf.jaas.boot.principal.RolePrincipal</role-principal-class-name>
>     </security-realm>
>
>     <!-- Interface lists IP addresses to bind to -->
>     <!-- "default" binds every address on the host; the plain HTTP socket-binding uses it. -->
>     <interface name="default">
>         <w:inet-address value="0.0.0.0" />
>         <!--<w:inet-address value="127.0.0.1" />-->
>     </interface>
>     <!-- NOTE(review): "secure" binds loopback only, so as configured the HTTPS listener is reachable from this host alone, not from the network. Point it at an external address (or at "default") if remote clients are meant to use HTTPS. -->
>     <interface name="secure">
>         <w:inet-address value="127.0.0.1" />
>     </interface>
>
>     <!-- Socket Binding adds port for each IP from referenced Interface -->
>     <!-- Port values are property references, presumably resolved from org.ops4j.pax.web.cfg (org.osgi.service.http.port / org.osgi.service.http.port.secure). -->
>     <socket-binding name="http" interface="default"
> port="${org.osgi.service.http.port}" />
>     <socket-binding name="https" interface="secure"
> port="${org.osgi.service.http.port.secure}" />
>
> </undertow>
>