Issues with Using the Default SSL Context in WSO2 APIM #3583

Open
sajith-madhusanka opened this issue Feb 10, 2025 · 0 comments

@sajith-madhusanka

Current Limitation

We have recently identified an issue where a behavioral change in a third-party Java agent (e.g., AppDynamics) deployed within the same JVM process as the WSO2 APIM server causes the default SSL context to be initialized with the JVM's instrumented keystore. Since the third-party Java client specifies the default SSL context before starting the APIM server, and the default SSL context object follows a singleton pattern, it does not reinitialize based on the APIM server configuration. The APIM server correctly sets the javax.net.ssl.trustStore system property with the truststore information defined in its configuration. However, due to the singleton pattern followed in the default SSL context initialization, this system property is not utilized in this scenario. Due to this, internal component communication that relies on the default SSL context to establish the connection socket factory fails with an SSL handshake failure (unable to find a valid certificate path).

Suggested Improvement

Improve the relevant internal components (e.g., Binary Transport, internal service invocations triggered during APIM portal logging, etc.) to define a custom SSL context using the client-truststore.jks specified in the APIM server configuration, ensuring that the default SSL context is not used.

Version

4.0.0
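
The following Java sketch is an added example, not part of the original issue or of WSO2's code base. It shows that `SSLContext.getDefault()` keeps returning the first context created in the JVM even after `javax.net.ssl.trustStore` is set, and builds a separate context from an explicitly named truststore; the class name and the command-line arguments (truststore path and password) are assumptions.

```java
import javax.net.ssl.SSLContext;
import javax.net.ssl.SSLSocketFactory;
import javax.net.ssl.TrustManagerFactory;
import java.io.InputStream;
import java.nio.file.Files;
import java.nio.file.Paths;
import java.security.KeyStore;

public class ExplicitTrustStoreContext {

    // Build an SSLContext whose trust anchors come only from the given JKS file,
    // independent of whatever default context already exists in this JVM.
    static SSLContext fromTrustStore(String path, char[] password) throws Exception {
        KeyStore trustStore = KeyStore.getInstance("JKS");
        try (InputStream in = Files.newInputStream(Paths.get(path))) {
            trustStore.load(in, password);
        }
        TrustManagerFactory tmf =
                TrustManagerFactory.getInstance(TrustManagerFactory.getDefaultAlgorithm());
        tmf.init(trustStore);

        SSLContext ctx = SSLContext.getInstance("TLS");
        // No client key material; null SecureRandom selects the provider default.
        ctx.init(null, tmf.getTrustManagers(), null);
        return ctx;
    }

    public static void main(String[] args) throws Exception {
        if (args.length < 2) {
            System.err.println("usage: ExplicitTrustStoreContext <truststore.jks> <password>");
            return;
        }
        // Stand-in for an agent that touches the default context before the server starts.
        SSLContext early = SSLContext.getDefault();

        // Setting the property afterwards, as the server does, has no effect on the default.
        System.setProperty("javax.net.ssl.trustStore", args[0]);
        System.setProperty("javax.net.ssl.trustStorePassword", args[1]);
        SSLContext late = SSLContext.getDefault();
        System.out.println("default context unchanged after setting property: " + (early == late));

        // A component that needs the configured truststore builds its own context instead.
        SSLContext custom = fromTrustStore(args[0], args[1].toCharArray());
        SSLSocketFactory factory = custom.getSocketFactory();
        System.out.println("custom context is separate from default: " + (custom != late));
        System.out.println("socket factory: " + factory.getClass().getName());
    }
}
```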
