BuildAutomation
May 07, 2015

"Connection refused" while using the Java API

Attempted to access a BIG-IP instance using the Java API. The code used for the POC is the sample Codeshare script - https://devcentral.f5.com/codeshare/java-system-info. We get thrown the following exception:

 

AxisFault
 faultCode: {http://schemas.xmlsoap.org/soap/envelope/}Server.userException
 faultSubcode:
 faultString: java.net.ConnectException: Connection refused: connect
 faultActor:
 faultNode:
 faultDetail:
	{http://xml.apache.org/axis/}stackTrace:java.net.ConnectException: Connection refused: connect
	at java.net.DualStackPlainSocketImpl.connect0(Native Method)
	at java.net.DualStackPlainSocketImpl.socketConnect(Unknown Source)
	at java.net.AbstractPlainSocketImpl.doConnect(Unknown Source)
	at java.net.AbstractPlainSocketImpl.connectToAddress(Unknown Source)
	at java.net.AbstractPlainSocketImpl.connect(Unknown Source)
	at java.net.PlainSocketImpl.connect(Unknown Source)
	at java.net.SocksSocketImpl.connect(Unknown Source)
	at java.net.Socket.connect(Unknown Source)
	at sun.security.ssl.SSLSocketImpl.connect(Unknown Source)
	at sun.security.ssl.SSLSocketImpl.(Unknown Source)
	at sun.security.ssl.SSLSocketFactoryImpl.createSocket(Unknown Source)
	at org.apache.axis.components.net.JSSESocketFactory.create(JSSESocketFactory.java:118)
	at org.apache.axis.transport.http.HTTPSender.getSocket(HTTPSender.java:191)
	at org.apache.axis.transport.http.HTTPSender.writeToSocket(HTTPSender.java:404)
	at org.apache.axis.transport.http.HTTPSender.invoke(HTTPSender.java:138)
	at org.apache.axis.strategies.InvocationStrategy.visit(InvocationStrategy.java:32)
	at org.apache.axis.SimpleChain.doVisiting(SimpleChain.java:118)
	at org.apache.axis.SimpleChain.invoke(SimpleChain.java:83)
	at org.apache.axis.client.AxisClient.invoke(AxisClient.java:165)
	at org.apache.axis.client.Call.invokeEngine(Call.java:2784)
	at org.apache.axis.client.Call.invoke(Call.java:2767)
	at org.apache.axis.client.Call.invoke(Call.java:2443)
	at org.apache.axis.client.Call.invoke(Call.java:2366)
	at org.apache.axis.client.Call.invoke(Call.java:1812)
	at iControl.SystemSystemInfoBindingStub.get_system_information(SystemSystemInfoBindingStub.java:1793)
	at SystemInfo.getSystemInformation(SystemInfo.java:24)
	at SystemInfo.Run(SystemInfo.java:18)
	at SystemInfo.main(SystemInfo.java:67)

 

Is there something that is being overlooked?

 

4 Replies

  • I'm assuming you are using the latest iControl library for Java along with that script. Can you verify the following for me?

    * Version of the iControl Library for Java
    * Version of the JVM
    * Version of the BIG-IP you are connecting to.

    It could be that something has changed in a newer version of the JVM with regard to the self-signed certificate validation bypass we have in the library.

     

    -Joe

     

    • Joe_Pruitt
      Ok, haven't tested out JRE 1.8 yet. Could be a change in the way they handle self-signed certs. I know for a fact 1.5 and 1.6 work fine.
  • Guess my memory is failing me on this one. Took a little digging and then I remembered hostname verification was added to our build of Apache Axis due to a NIST vulnerability in Apache Axis.

     

    It's discussed in this Question: https://devcentral.f5.com/questions/handling-self-signed-certs-with-java-and-icontrol

     

    The bottom line is that you must use the same hostname in your client as is defined in the BIG-IP's certificate "Common Name" field. I believe the default value is "localhost.localdomain" unless you rebuild it after changing the hostname. The easiest way to find what it is is to open a browser to the BIG-IP admin GUI, and then view the certificate info in your browser.

    If there are no DNS entries for that hostname, you can put it in your hosts file.

    Unfortunately, we can't undo this in our build we release with our distribution. If you really have a need to bypass hostname verification, you can look for an old build of Apache Axis 1 from the Apache Foundation and use that instead.

     

    Sorry about the delay in response, but I've been trying to code around it until I remembered adding this in in 2013.

     

    In my test, I went into the BIG-IP GUI and hit "Renew" on the System.Device Certificate and updated it with the hostname. I then put the hostname in my hosts file and the hostname verification error went away.

     

    -Joe
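
Added example, not part of the thread or of the iControl library: a pre-flight check for the requirement described in the answer above, comparing the host in the client's endpoint URL with the Common Name of the device certificate before any SOAP call is made. The class name `CnPreflight`, the endpoint URLs and the sample subject are constructed for illustration, and the exact-match rule is an assumption for the simplest case, not the logic of the patched Axis build.

```java
import java.io.FileInputStream;
import java.io.InputStream;
import java.net.URI;
import java.security.cert.CertificateFactory;
import java.security.cert.X509Certificate;
import java.util.Locale;
import javax.naming.ldap.LdapName;
import javax.naming.ldap.Rdn;

public class CnPreflight {
    /** Returns the CN from a subject DN such as "CN=host,O=Org", or null if there is none. */
    static String commonName(String subjectDn) throws Exception {
        for (Rdn rdn : new LdapName(subjectDn).getRdns()) {
            if ("CN".equalsIgnoreCase(rdn.getType())) return rdn.getValue().toString();
        }
        return null;
    }

    /** Reads the subject DN from a PEM or DER certificate file exported from the device. */
    static String subjectOf(String certPath) throws Exception {
        try (InputStream in = new FileInputStream(certPath)) {
            X509Certificate cert = (X509Certificate)
                CertificateFactory.getInstance("X.509").generateCertificate(in);
            return cert.getSubjectX500Principal().getName();
        }
    }

    /** True when the endpoint URL's host equals the CN, ignoring case. */
    static boolean hostMatchesCn(String endpoint, String cn) {
        String host = URI.create(endpoint).getHost();
        return host != null && cn != null
            && host.toLowerCase(Locale.ROOT).equals(cn.toLowerCase(Locale.ROOT));
    }

    public static void main(String[] args) throws Exception {
        // With no argument, use a constructed subject carrying the default name quoted in the thread.
        String subject = args.length > 0 ? subjectOf(args[0])
                                         : "CN=localhost.localdomain,O=Example Org,C=US";
        String cn = commonName(subject);
        // Constructed endpoints: one addressed by IP, one by the certificate's name.
        String[] endpoints = {
            "https://192.0.2.10/iControl/iControlPortal.cgi",
            "https://localhost.localdomain/iControl/iControlPortal.cgi"
        };
        for (String e : endpoints) {
            System.out.println((hostMatchesCn(e, cn) ? "OK       " : "MISMATCH ") + e + " vs CN=" + cn);
        }
    }
}
```

Passing the path of a certificate file saved from the browser as the first argument checks the real subject instead of the constructed one.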