Layer7 API Management

  • 1.  Outbound SSL Failing

    Posted Apr 30, 2015 03:21 PM

    Hello,

    I'm working on routing outbound to an endpoint under SSL in a pre-production environment. My callouts are failing because of certificate issues.

    "Certificate not verified. Caused by: Certificate path validation and/or revocation checking failed"

    I thought I saw somewhere the use of useDefaultTrustAnchor. Is this still a valid cluster-wide property? I can't find it in the list of properties (8.2).

    This is for a pre-production environment. I'd hate to have to manage certs on the gateway for outbound routing purposes.

    Any help is appreciated!

    Thanks,

    Alejandro



  • 2.  Re: Outbound SSL Failing

    Posted May 04, 2015 05:19 AM

    Hi Alejandro,

    You can set pkix.useDefaultTrustAnchor=true for well-known trust anchors.

    Kind regards

    Heiko



  • 3.  Re: Outbound SSL Failing

    Posted May 05, 2015 09:45 AM

    Hi,

    Thanks. Is there anything else that I need to do to enable this? I don't see the property in the drop-down list, but I added it manually. Even after adding the property, I don't see the behavior that I expect. I still receive:

    Problem routing to https://<host>/api/v1/<resource>. Error msg: Unable to obtain HTTP response from https://<host>/api/v1/<resource>: Certificate not verified. Caused by: Certificate path validation and/or revocation checking failed

    A couple of questions here... Which keystore is being used? I find several:

    ./opt/SecureSpan/JDK/jre/lib/security/cacerts

    ./opt/CA/sdk/install_config_jre/lib/security/cacerts

    ./etc/pki/java/cacerts

    ./etc/pki/ca-trust/extracted/java/cacerts

    Is the default password documented anywhere? I'd like to list the certs in the keystore to verify. It's possible that the certificate isn't in the store and I'm making an assumption.

    Thanks,

    Alejandro



  • 4.  Re: Outbound SSL Failing

    Posted May 05, 2015 09:52 AM

    You need to add the cert for https://<host> in your Task / Manage Certificates. You can simply add a new cert in there via URL. The gateway needs to "trust" all of the connections it makes via https, and that "trust" store is the Task / Manage Certificates.



  • 5.  Re: Outbound SSL Failing

    Broadcom Employee
    Posted May 08, 2015 07:20 PM

    The gateway doesn't use any of those keystores. You need to make it available using the manage certificates capability: https://wiki.ca.com/display/GATEWAY83/Manage+Certificates



  • 6.  Re: Outbound SSL Failing

    Posted May 11, 2015 12:27 PM

    Got it. Thanks!

    Alejandro