Bug 955215

Summary: JON Agent auto upgrade fails using sslservlet
Product: [JBoss] JBoss Operations Network
Reporter: Larry O'Leary <loleary>
Component: Agent
Assignee: John Mazzitelli <mazz>
Status: CLOSED CURRENTRELEASE
QA Contact: Mike Foley <mfoley>
Severity: high
Docs Contact:
Priority: unspecified
Version: JON 3.1.2
CC: ahovsepy, dsteigne, mazz
Target Milestone: ER01
Keywords: TestCaseNeeded
Target Release: JON 3.2.0
Hardware: All
OS: All
Whiteboard:
Fixed In Version:
Doc Type: Bug Fix
Doc Text:
Story Points: ---
Clone Of: RHQ-2459
Environment: JON 2.3 server and 2.2 agent using sslservlet
Last Closed: 2014-01-02 20:35:50 UTC
Type: Bug
Regression: ---
Mount Type: ---
Documentation: ---
CRM:
Verified Versions:
Category: ---
oVirt Team: ---
RHEL 7.3 requirements from Atomic Host:
Cloudforms Team: ---
Target Upstream Version:
Embargoed:
Bug Depends On: 535800
Bug Blocks:

Description Larry O'Leary 2013-04-22 14:47:14 UTC
+++ This bug was initially created as a clone of Bug #535800 +++

Using the sslservlet transport (with default keys) for communication between JON agents and the JON server. No custom SSL certificates or keys, etc.

After upgrading the JON Server to 2.3.0, the agent auto upgrade fails with the following messages:

2009-10-06 13:04:15,110 FATAL [RHQ Agent Update Thread] (org.rhq.enterprise.agent.AgentUpdateThread)- {PromptCommand.update.download-failed}Failed to download the agent update binary. Cause: sun.security.validator.ValidatorException: PKIX path building failed: sun.security.provider.certpath.SunCertPathBuilderException: unable to find valid certification path to requested target
2009-10-06 13:04:15,110 FATAL [RHQ Agent Update Thread] (org.rhq.enterprise.agent.AgentUpdateThread)- {AgentUpdateThread.exception}The agent update thread encountered an exception: javax.net.ssl.SSLHandshakeException:sun.security.validator.ValidatorException: PKIX path building failed: sun.security.provider.certpath.SunCertPathBuilderException: unable to find valid certification path to requested target -> javax.net.ssl.SSLHandshakeException:sun.security.validator.ValidatorException: PKIX path building failed: sun.security.provider.certpath.SunCertPathBuilderException: unable to find valid certification path to requested target -> sun.security.validator.ValidatorException:PKIX path building failed: sun.security.provider.certpath.SunCertPathBuilderException: unable to find valid certification path to requested target -> sun.security.provider.certpath.SunCertPathBuilderException:unable to find valid certification path to requested target

--- Additional comment from John Mazzitelli on 2009-10-27 15:44:20 EDT ---

This is because the agent downloads the upgrade binary jar using a normal JDK URLConnection object, as opposed to going through the agent-server mechanism.

We need to fix this so it will at least use the SSL cert assigned to the agent if it has one (for the agent-server comm).

An alternative approach is to have the agent go through the normal agent-server RPC channel, but this would then prohibit the ability for someone to deploy the agent update binaries on a separate download server.

You can tell the agent to point to a different download URL when it needs to obtain the agent update binary (this is to allow, say, an Apache HTTP server to serve up the agent binaries, freeing the RHQ Server from having to serve that static content itself).

--- Additional comment from Red Hat Bugzilla on 2009-11-10 16:04:50 EST ---

This bug was previously known as http://jira.rhq-project.org/browse/RHQ-2459

--- Additional comment from John Mazzitelli on 2010-06-11 09:29:11 EDT ---

I wanted to just document the workaround in more detail. You'll see these two settings in agent-configuration.xml. If you set them to some external HTTP-accessible locations, and you copy the <server-install-dir>/jbossas/server/default/deploy/rhq.ear/rhq-downloads/rhq-agent/* files so they are HTTP-accessible (i.e. copy them to some git repo with HTTP access or some Apache web server), then you can have the agent do the auto-upgrade and still have it go over https to the RHQ server.

Note that these settings can be changed in agent-configuration.xml if you are preconfiguring the agent, or you can answer the setup questions from the console when you first set up the agent (these are advanced questions, so you need to pass the agent the -a option).

               <!--
               _______________________________________________________________
               rhq.agent.agent-update.version-url

               If this is defined, it will be the URL the agent uses when it
               needs to retrieve information about the latest available
               agent update binary.  If this is not defined, the agent will
               ask its server for the agent update binary version information.
               -->
               <!--
               <entry key="rhq.agent.agent-update.version-url" value="http://127.0.0.1:7080/agentupdate/version" />
               -->

               <!--
               _______________________________________________________________
               rhq.agent.agent-update.download-url

               If this is defined, it will be the URL the agent uses when it
               needs to download the latest available agent update binary.
               If this is not defined, the agent will download the agent
               update binary from its server.
               -->
               <!--
               <entry key="rhq.agent.agent-update.download-url" value="http://127.0.0.1:7080/agentupdate/download" />
               -->
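The description above attributes the PKIX failure to the upgrade download going through a plain JDK URLConnection, which trusts only the JDK's default cacerts rather than the trust material the agent already uses for agent-server communication. The following Java program is an added illustration of the shape of fix the comment describes and is not RHQ's or JON's own code: it builds an SSLContext from an explicitly configured JKS trust store (and, optionally, the agent's own key store for client authentication) and hands it to HttpsURLConnection, so a server certificate issued by a private CA or self-signed validates while certificate and hostname checks stay enabled. The file paths, passwords, port and download URL are assumptions made for the example.

```java
import java.io.InputStream;
import java.io.OutputStream;
import java.net.URL;
import java.nio.file.Files;
import java.nio.file.Path;
import java.nio.file.Paths;
import java.security.KeyStore;
import javax.net.ssl.HttpsURLConnection;
import javax.net.ssl.KeyManagerFactory;
import javax.net.ssl.SSLContext;
import javax.net.ssl.TrustManagerFactory;

/**
 * Downloads a file over HTTPS using an explicitly configured trust store
 * (and optional client key store) instead of the JDK default trust store.
 * A bare URLConnection only consults the JDK cacerts, which is why a
 * server certificate from a private CA fails with "PKIX path building failed".
 */
public class TrustedDownload {

    /** Builds an SSLContext from a JKS trust store and an optional JKS key store. */
    public static SSLContext buildSslContext(Path trustStorePath, char[] trustStorePassword,
                                             Path keyStorePath, char[] keyStorePassword) throws Exception {
        // Trust store: the CA (or self-signed server certificate) the client is configured to trust.
        KeyStore trustStore = KeyStore.getInstance("JKS");
        try (InputStream in = Files.newInputStream(trustStorePath)) {
            trustStore.load(in, trustStorePassword);
        }
        TrustManagerFactory tmf = TrustManagerFactory.getInstance(TrustManagerFactory.getDefaultAlgorithm());
        tmf.init(trustStore);

        // Optional key store: the client's own certificate, for servers that require client auth.
        KeyManagerFactory kmf = null;
        if (keyStorePath != null) {
            KeyStore keyStore = KeyStore.getInstance("JKS");
            try (InputStream in = Files.newInputStream(keyStorePath)) {
                keyStore.load(in, keyStorePassword);
            }
            kmf = KeyManagerFactory.getInstance(KeyManagerFactory.getDefaultAlgorithm());
            kmf.init(keyStore, keyStorePassword);
        }

        SSLContext ctx = SSLContext.getInstance("TLS");
        ctx.init(kmf == null ? null : kmf.getKeyManagers(), tmf.getTrustManagers(), null);
        return ctx;
    }

    /** Downloads url to destination, validating the server certificate against ctx; returns bytes written. */
    public static long download(URL url, SSLContext ctx, Path destination) throws Exception {
        HttpsURLConnection conn = (HttpsURLConnection) url.openConnection();
        // Only the trust anchors change; certificate path validation and hostname verification stay on.
        conn.setSSLSocketFactory(ctx.getSocketFactory());
        conn.setRequestMethod("GET");
        conn.setConnectTimeout(10_000);
        conn.setReadTimeout(60_000);
        int status = conn.getResponseCode();
        if (status != 200) {
            throw new IllegalStateException("Unexpected HTTP status " + status + " from " + url);
        }
        try (InputStream in = conn.getInputStream();
             OutputStream out = Files.newOutputStream(destination)) {
            byte[] buf = new byte[8192];
            long total = 0;
            int n;
            while ((n = in.read(buf)) != -1) {
                out.write(buf, 0, n);
                total += n;
            }
            return total;
        } finally {
            conn.disconnect();
        }
    }

    public static void main(String[] args) throws Exception {
        // All values below are assumptions for this example, not RHQ/JON defaults.
        SSLContext ctx = buildSslContext(
                Paths.get("/opt/agent/conf/agent-truststore.jks"), "changeit".toCharArray(),
                null, null);
        long bytes = download(new URL("https://jon-server.example.com:7443/agentupdate/download"),
                ctx, Paths.get("/tmp/agent-update.jar"));
        System.out.println("Downloaded " + bytes + " bytes");
    }
}
```

The point of the example is that the trust decision moves to the trust store the agent is already configured with, rather than being disabled; an all-trusting TrustManager would also make the PKIX error disappear but would let any server impersonate the update source, which matters for a binary the agent is about to execute. Checking the downloaded jar's size or digest against what the version endpoint reports is a reasonable follow-up check before installing it.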

Comment 1 John Mazzitelli 2013-05-08 20:47:32 UTC
git commit to master: 2c6438cd554b64aa97f2b83d1d5fe7f005d9f68f

to test, configure the agent to talk to the server over a secure channel:

   https://docs.jboss.org/author/display/RHQ/Securing+Communications

then when the agent has started, just try this from the agent prompt:

> update -v

This should not give you any errors, it should tell you the version of the agent update binary as found on the server. Then if you try this:

> update -o

That should download the agent update binary. The agent should not print out any errors on the console, and if you look at the .jar that was downloaded, it should be a complete agent update binary file.

Comment 2 John Mazzitelli 2013-05-09 02:26:37 UTC
tweak to new class - git commit 7c4577c895a469b5ddce6aa91eb6935eb5cf6cc9

Comment 4 Larry O'Leary 2013-09-06 14:32:25 UTC
As this is MODIFIED or ON_QA, setting milestone to ER1.

Comment 5 Armine Hovsepyan 2013-11-25 17:14:55 UTC
auto-upgrade enabled, binary is being downloaded -> http://d.pr/i/KqI1
no exceptions in agent.log -> http://d.pr/f/Icic