Public Key Retrieval is not allowed – WSO2 MySQL Error

Updated on February 21, 2022

I have been using WSO2 API Manager for almost a year to easily and securely expose APIs to both internal and external consumers. Everything was working fine until the system was taken down for maintenance activity. When the system was resumed back to normal service, WSO2 failed to start with a few exceptions in the wso2carbon.log file – “Caused by: com.mysql.cj.exceptions.UnableToConnectException: Public Key Retrieval is not allowed”. In this article, I’ll be sharing the fix.

Error Public Key Retrieval is not allowed – WSO2 with MySQL 8.*

Apart from the above error, I could see a few more exceptions in the wso2carbon.log file; here is a copy of the relevant lines.

ERROR {org.wso2.carbon.user.core.internal.Activator} - Cannot start User Manager Core bundle org.wso2.carbon.user.core.UserStoreException: Cannot initialize the realm.
at org.wso2.carbon.user.core.common.DefaultRealmService.initializeRealm(DefaultRealmService.java:286)
at org.wso2.carbon.user.core.common.DefaultRealmService.<init>(DefaultRealmService.java:102)

:::::::::::::::::::::::::::::::::::::::::::::::::

Caused by: java.sql.SQLNonTransientConnectionException: Public Key Retrieval is not allowed
at com.mysql.cj.jdbc.exceptions.SQLError.createSQLException(SQLError.java:110)
at 


:::::::::::::::::::::::::::::::::::::::::::

ERROR {org.wso2.carbon.user.core.internal.Activator} - Cannot start User Manager Core bundle org.wso2.carbon.user.core.UserStoreException: Cannot initialize the realm.
at org.wso2.carbon.user.core.common.DefaultRealmService.initializeRealm(DefaultRealmService.java:286)


::::::::::::::::::::::::::::::::::::::::::

Caused by: org.wso2.carbon.user.core.UserStoreException: DB error occurred while persisting domain : PRIMARY & tenant id : -1234

Looking at the first few exceptions, I understood that the error is caused by the MySQL connection, and the exception raised at ‘com.mysql.cj.jdbc.exceptions.SQLError‘ confirms it. The MySQL connector seemed to have an issue, and a quick Google search revealed that this error is commonly reported with MySQL version 8.

The system seems to have been updated to the latest version of MySQL, i.e., version 8.0.26. Very recently I had fixed a couple of other issues in MySQL 8, in case you want to have a look at them. Now coming back to this issue: most forums suggested adding 'allowPublicKeyRetrieval=true' to the MySQL connection URL, and that worked for me as well.

In WSO2, add ‘allowPublicKeyRetrieval=true’ to the connection URLs in the deployment.toml file as shown below:

[database.apim_db]
type = "mysql"
#Henry - Retain mysql connection string as localhost always
url = "jdbc:mysql://localhost:3306/apim_db?useSSL=false&amp;allowPublicKeyRetrieval=true"
.............

[database.shared_db]
type = "mysql"
#Henry - Retain mysql connection string as localhost always
url = "jdbc:mysql://localhost:3306/shared_db?useSSL=false&amp;allowPublicKeyRetrieval=true"
........................

Note the ‘&amp;’ before allowPublicKeyRetrieval=true in the connection URL. Using a bare ‘&’ instead of ‘&amp;’ results in the error below:

Caused by: com.ctc.wstx.exc.WstxUnexpectedCharException: Unexpected character '=' (code 61); expected a semi-colon after the reference for entity 'allowPublicKeyRetrieval'
at [row,col {unknown-source}]: [39,100]


ERROR {org.wso2.carbon.user.core.internal.Activator} - Cannot start User Manager Core bundle java.lang.RuntimeException: Error in looking up data source: Name [jdbc/SHARED_DB] is not bound in this Context. Unable to find [jdbc].

Once the changes are made, restart the WSO2 service. That’s it!

The option allowPublicKeyRetrieval=true allows the client to automatically request the public key from the server. Read more about the MySQL connector options here.

Caution

If you are running WSO2 on a production server, useSSL=false is not recommended. allowPublicKeyRetrieval=true could allow a man-in-the-middle attacker, for example via a malicious proxy, to obtain the plaintext password. allowPublicKeyRetrieval is false by default and must be explicitly enabled. If you use a secured (TLS) connection to the database, try removing useSSL=false from the connection URL; that alone may fix the issue.
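As an added example (not from this article or from WSO2), here is a small Python check that reads the [database.*] tables of a deployment.toml and reports the risky combinations discussed above: TLS disabled, allowPublicKeyRetrieval=true without TLS, and a bare '&' that breaks the XML rendering of the URL. The sample TOML text is constructed for the example, and the parser is a minimal line-based one rather than a TOML library.

```python
import re
from urllib.parse import parse_qs

# Constructed sample: the apim_db entry mirrors the article's fix; shared_db
# uses a bare '&' (the mistake the article warns about) with TLS required.
SAMPLE_TOML = """
[database.apim_db]
type = "mysql"
url = "jdbc:mysql://localhost:3306/apim_db?useSSL=false&amp;allowPublicKeyRetrieval=true"

[database.shared_db]
type = "mysql"
url = "jdbc:mysql://db.internal:3306/shared_db?sslMode=REQUIRED&allowPublicKeyRetrieval=true"
"""

SECTION_RE = re.compile(r'^\[database\.([^\]]+)\]\s*$')
URL_RE = re.compile(r'^url\s*=\s*"([^"]*)"\s*$')

def datasource_urls(toml_text):
    """Return {datasource_name: url} for every [database.*] table (minimal parser)."""
    urls, current = {}, None
    for line in toml_text.splitlines():
        line = line.strip()
        m = SECTION_RE.match(line)
        if m:
            current = m.group(1)
            continue
        m = URL_RE.match(line)
        if m and current:
            urls[current] = m.group(1)
    return urls

def audit_url(url):
    """Return findings for one JDBC URL based on the connector options discussed in the article."""
    findings = []
    # WSO2 renders the TOML into XML, so '&' must be written '&amp;'; a bare '&' breaks the XML parser.
    if re.search(r'&(?!amp;)', url):
        findings.append("bare '&' in url (use '&amp;' in deployment.toml)")
    query = url.split('?', 1)[1] if '?' in url else ''
    params = {k.lower(): v[-1].lower() for k, v in parse_qs(query.replace('&amp;', '&')).items()}
    tls_off = params.get('usessl') == 'false' or params.get('sslmode') == 'disabled'
    if tls_off:
        findings.append("TLS disabled (useSSL=false / sslMode=DISABLED): credentials and data in cleartext")
    if params.get('allowpublickeyretrieval') == 'true' and tls_off:
        findings.append("allowPublicKeyRetrieval=true without TLS: MITM can obtain the password")
    return findings

def audit_deployment(toml_text):
    return {name: audit_url(url) for name, url in datasource_urls(toml_text).items()}
```

Running audit_deployment(SAMPLE_TOML) flags the apim_db URL twice (TLS off, and public key retrieval without TLS) and the shared_db URL only for its bare '&'.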
