Bug 535800 - (RHQ-2459) JON Agent auto upgrade fails using sslservlet
JON Agent auto upgrade fails using sslservlet
Status: ON_QA
Product: RHQ Project
Classification: Other
Component: Agent (Show other bugs)
1.3
All All
high Severity medium (vote)
: ---
: ---
Assigned To: John Mazzitelli
Mike Foley
http://jira.rhq-project.org/browse/RH...
: SubBug
Depends On:
Blocks: rhq_triage 955215
  Show dependency treegraph
 
Reported: 2009-10-07 12:39 EDT by dsteigne
Modified: 2013-05-08 22:25 EDT (History)
3 users (show)

See Also:
Fixed In Version:
Doc Type: Bug Fix
Doc Text:
Story Points: ---
Clone Of:
: 955215 (view as bug list)
Environment:
JON 2.3 server and 2.2 agent using sslservlet
Last Closed:
Type: ---
Regression: ---
Mount Type: ---
Documentation: ---
CRM:
Verified Versions:
Category: ---
oVirt Team: ---
RHEL 7.3 requirements from Atomic Host:


Attachments (Terms of Use)

  None (edit)
Description dsteigne 2009-10-07 12:39:00 EDT
Using the sslservlet transport ( with default keys ) for communication between JON agents and JON server.  No custom SSL certificates or keys etc.

After upgrade of JON Server to 2.3.0 the agent auto upgrade fails with following messages:

2009-10-06 13:04:15,110 FATAL [RHQ Agent Update Thread] (org.rhq.enterprise.agent.AgentUpdateThread)- {PromptCommand.update.download-failed}Failed to download the agent update binary. Cause: sun.security.validator.ValidatorException: PKIX path building failed: sun.security.provider.certpath.SunCertPathBuilderException: unable to find valid certification path to requested target
2009-10-06 13:04:15,110 FATAL [RHQ Agent Update Thread] (org.rhq.enterprise.agent.AgentUpdateThread)- {AgentUpdateThread.exception}The agent update thread encountered an exception: javax.net.ssl.SSLHandshakeException:sun.security.validator.ValidatorException: PKIX path building failed: sun.security.provider.certpath.SunCertPathBuilderException: unable to find valid certification path to requested target -> javax.net.ssl.SSLHandshakeException:sun.security.validator.ValidatorException: PKIX path building failed: sun.security.provider.certpath.SunCertPathBuilderException: unable to find valid certification path to requested target -> sun.security.validator.ValidatorException:PKIX path building failed: sun.security.provider.certpath.SunCertPathBuilderException: unable to find valid certification path to requested target -> sun.security.provider.certpath.SunCertPathBuilderException:unable to find valid certification path to requested target

Issue Tracker ticket: https://enterprise.redhat.com/issue-tracker/351555
Comment 1 dsteigne 2009-10-07 12:53:13 EDT
title and Environment should read sslservlet not sslsocket.  I'm not able to change either one of them
DSteigner
Comment 2 John Mazzitelli 2009-10-27 15:44:20 EDT
This is because the agent downloads the upgrade binary jar using a normal JDK URLConnection object, as opposed to going through agent-server mechanism.

We need to fix this so it will at least use the SSL cert assigned to the agent if it has one (for the agent-server comm).

Alternative approach is to have the agent go through the normal agent-server RPC channel, but this would then prohibit the ability for someone to deploy the agent update binaries on a separate download server.

You can tell the agent to point to a different download URL when it needs to obtain the agent update binary (this is to allow, say, a Apache HTTP server to serve up the agent binaries, freeing the RHQ Server from having to serve that static content itself).
Comment 3 Red Hat Bugzilla 2009-11-10 16:04:50 EST
This bug was previously known as http://jira.rhq-project.org/browse/RHQ-2459
Comment 4 wes hayutin 2010-02-16 11:55:47 EST
Temporarily adding the keyword "SubBug" so we can be sure we have accounted for all the bugs.

keyword:
new = Tracking + FutureFeature + SubBug
Comment 5 wes hayutin 2010-02-16 12:00:50 EST
making sure we're not missing any bugs in rhq_triage
Comment 6 John Mazzitelli 2010-06-11 09:29:11 EDT
I wanted to just document the workaround in more detail. You'll see these two settings in agent-configuration.xml. If you set them to some external HTTP-accessible locations, and you copy the <server-install-dir>/jbossas/server/default/deploy/rhq.ear/rhq-downloads/rhq-agent/* files so they are HTTP-accessible (i.e. copy them to some git-repo with HTTP access or some Apache web server) then you can have the agent do the auto-upgrade and still have it go over https to the RHQ server.

Note that these settings can be changed in agent-configuration.xml if you are preconfiguring the agent or you can answer the setup questions from the console when you first setup the agent (these are advanced questions, so you need to pass to the agent the -a option).

               <!--
               _______________________________________________________________
               rhq.agent.agent-update.version-url

               If this is defined, it will be the URL the agent uses when it
               needs to retrieve information about the latest available
               agent update binary.  If this is not defined, the agent will
               ask its server for the agent update binary version information.
               -->
               <!--
               <entry key="rhq.agent.agent-update.version-url" value="http://127.0.0.1:7080/agentupdate/version" />
               -->

               <!--
               _______________________________________________________________
               rhq.agent.agent-update.download-url

               If this is defined, it will be the URL the agent uses when it
               needs to download the latest available agent update binary.
               If this is not defined, the agent will download the agent
               update binary from its server.
               -->
               <!--
               <entry key="rhq.agent.agent-update.download-url" value="http://127.0.0.1:7080/agentupdate/download" />
               -->
Comment 7 John Mazzitelli 2013-05-08 16:47:26 EDT
git commit to master: 2c6438cd554b64aa97f2b83d1d5fe7f005d9f68f

to test, configure the agent to talk to the server over a secure channel:

   https://docs.jboss.org/author/display/RHQ/Securing+Communications

then when the agent has started, just try this from the agent prompt:

> update -v

This should not give you any errors, it should tell you the version of the agent update binary as found on the server. Then if you try this:

> update -o

that should download the agent update binary. The agent should not print out any errors on the console and if you look at the .jar that was downloaded, it should be a complete agent update binary file.
Comment 8 John Mazzitelli 2013-05-08 22:25:47 EDT
tweek to new class - git commit 7c4577c895a469b5ddce6aa91eb6935eb5cf6cc9

Note You need to log in before you can comment on or make changes to this bug.