Layer7 API Management


Not able to send client cert to ssg over soap UI

  • 1.  Not able to send client cert to ssg over soap UI

    Posted Jun 15, 2017 09:09 PM

    Hi There,

    Soap UI 5.2.3 is not able to send the certificate from the keystore. Below are my soapUI.vmoptions; please let me know if I am missing anything. See the screenshot below for your reference.

    Please feel free to let me know if I could use any other SoapUI version; I will switch to it.

     

    -XX:MinHeapFreeRatio=20
    -XX:MaxHeapFreeRatio=40
    -Xms128m
    -Xmx1000m
    -Dsoapui.properties=soapui.properties
    -Dsoapui.home=C:\Program Files\SmartBear\SoapUI-5.2.1/bin
    -Dsoapui.ext.libraries=C:\Program Files\SmartBear\SoapUI-5.2.1/bin/ext
    -Dsoapui.ext.listeners=C:\Program Files\SmartBear\SoapUI-5.2.1/bin/listeners
    -Dsoapui.ext.actions=C:\Program Files\SmartBear\SoapUI-5.2.1/bin/actions
    -Dwsi.dir=C:\Program Files\SmartBear\SoapUI-5.2.1/wsi-test-tools
    -Djava.library.path=C:\Program Files\SmartBear\SoapUI-5.2.1/bin
    -Djava.util.Arrays.useLegacyMergeSort=true
    -splash:SoapUI-Spashscreen.png
    -Dsoapui.https.protocols=TLSv1.2

     



  • 2.  Re: Not able to send client cert to ssg over soap UI

    Posted Jun 16, 2017 12:19 PM

    SoapUI can be a bit twitchy:

    1) right after changing the certificate it sometimes does not load the new one right away; you may need to close and re-open the application to get it to load

    2) it will wait for an authentication challenge before sending the client credentials, unless you check the following box:

    HTTP settings

    3) if your certificate/private key file or password is incorrect this would of course prevent it from being sent but should throw an error into the transaction log of SoapUI



  • 3.  Re: Not able to send client cert to ssg over soap UI

    Posted Jun 16, 2017 05:45 PM

    It didn't really help. Below are the screenshots, for your reference, of what I have in my SoapUI.

    Also see the error from the gateway in screenshot 3.

    Please let me know if I have missed anything.

     

     

    Gateway error

     



  • 4.  Re: Not able to send client cert to ssg over soap UI

    Posted Jun 16, 2017 06:24 PM

    OK, let's validate your keystore and try it in p12 format...

    This will export the p12 from your jks:

    keytool -importkeystore -srckeystore privatekeystore.jks -srcstorepass KeystoreStorePassword -destkeystore private.p12 -deststoretype PKCS12 -deststorepass KeystoreStorePassword

     

    This will extract the key file from your p12:

    openssl pkcs12 -in private.p12 -clcerts -nodes -nocerts | openssl rsa > private.key

     

    This will export your public cert from the p12:

    openssl pkcs12 -in private.p12 -clcerts -nokeys -out public.cer

     

    and these will generate hashes from the two (which should match):

    openssl x509 -noout -modulus -in public.cer | openssl md5
    openssl rsa -noout -modulus -in private.key | openssl md5

     

    If all that works then try using the p12 in SoapUI instead of the jks (the jks should work, but if all of those commands work as expected then it looks like the certificate file is good).

     

    Also, can you confirm that SSL is not being terminated before the gateway and that you are hitting the gateway on a port that allows client certificate authentication (port 9443 does not by default, but 8443 is set to 'optional').



  • 5.  Re: Not able to send client cert to ssg over soap UI

    Posted Jun 17, 2017 11:11 AM

    I tried with p12 too and am getting the same result. I will open a ticket. Would you mind if I mention assigning the ticket to you in the ticket, because you were aware of the problem?

     

    Sharath




  • 6.  Re: Not able to send client cert to ssg over soap UI

    Posted Jun 19, 2017 05:03 PM

    I'm not with CA anymore (I used to be a pro-services third-party contractor, so technically I was never in their support group). Hopefully this thread will get them to a solution for you faster.



  • 7.  Re: Not able to send client cert to ssg over soap UI
    Best Answer

    Broadcom Employee
    Posted Jun 19, 2017 06:26 PM

    Good evening,

     

    If the gateway does not have it as a listed trusted CA then SOAPUI will not send through the client certificate. You need to import the signer CA certificate that the client used into the Manage Certificates and make sure that the option Sign Client Certificates is checked on the Options tab and it is set as a trust anchor on the Validation tab.

     

    Sincerely,

     

    Stephen Hughes

    Director, CA Support



  • 8.  Re: Not able to send client cert to ssg over soap UI

    Posted Jun 20, 2017 01:55 PM

    If you're sending the request through a loadbalancer to the API Gateway, confirm that the loadbalancer is not terminating SSL. If it is, that farm needs to be changed to pass-through. We beat our heads against a brick wall for weeks with this problem. I see that Ben mentioned SSL termination also - you definitely should check this.

     

    Once you successfully test via SOAP UI, your next challenge will be to complete this test via the actual client (and not SOAP UI), but not expect the client to pass a self-signed cert in its request. We have an open case on that at the moment.

     

    Thanks,



  • 9.  Re: Not able to send client cert to ssg over soap UI

    Posted Jun 20, 2017 02:14 PM

    The gateway can accept a self-signed client certificate if (as Stephen indicated) you import it to the trusted certificate store and mark it for signing client certificates and as a trust anchor. This will cause it to be sent by the gateway in its trusted list during the SSL handshake so that the client knows its certificate issuer (the client cert itself) is trusted by the gateway per TLS protocol specification.

     

    Cliff, you may also find this write-up regarding SSL termination and source IP visibility interesting:

    https://layer7admin.blogspot.com/2016/07/the-sourceip-problem-aka-ssl.html
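
Posts 7 and 9 above turn on the list of CA names the gateway advertises when it requests a client certificate. The check below is an added example, not part of the thread or of any CA/Broadcom tooling: it parses saved `openssl s_client` output and tests whether a certificate's issuer is in that list. The sample output, the DNs and the HOST placeholder are constructed, and it assumes the issuer string comes from the same OpenSSL build, so that the DN formatting matches.

```shell
#!/bin/sh
# Added example (not from the thread). All DNs and host names are constructed.
# To capture real input, with HOST as a placeholder:
#   openssl s_client -connect HOST:8443 </dev/null >handshake.txt 2>&1
#   openssl x509 -noout -issuer -in public.cer

# Constructed s_client output: a gateway that trusts one CA and one
# self-signed client certificate (issuer equals subject).
SAMPLE_HANDSHAKE='---
Server certificate
subject=CN = gateway.example.test
issuer=CN = gateway.example.test
---
Acceptable client certificate CA names
CN = Example Partner Root CA
CN = soapui-test-client
Client Certificate Types: RSA sign, DSA sign, ECDSA sign
---
SSL handshake has read 1934 bytes and written 421 bytes'

# Print the DNs the server listed in its certificate request, one per line.
acceptable_ca_names() {
    printf '%s\n' "$1" | awk '
        /^Acceptable client certificate CA names/ { in_list = 1; next }
        in_list && /^(---|Client Certificate Types|Requested Signature|Shared Requested|Server Temp Key)/ { in_list = 0 }
        in_list { print }'
}

# $1 = s_client output, $2 = issuer DN (an "issuer=" prefix is stripped).
# Returns 0 if the issuer is advertised, 1 if it is not, 2 if the server
# advertised no CA names at all.
issuer_is_advertised() {
    names=$(acceptable_ca_names "$1")
    [ -n "$names" ] || return 2
    printf '%s\n' "$names" | grep -Fxq -- "${2#issuer=}"
}

if issuer_is_advertised "$SAMPLE_HANDSHAKE" "issuer=CN = soapui-test-client"; then
    echo "issuer is in the gateway's advertised CA list"
else
    echo "issuer not advertised; import it as a trust anchor on the gateway"
fi
```

A return code of 2 means no CA names were advertised at all, which is worth checking against the listen port settings and the SSL termination point mentioned in posts 4 and 8.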



  • 10.  Re: Not able to send client cert to ssg over soap UI

    Posted Jun 20, 2017 03:07 PM

    Appreciate your help in this regard. At this moment I wasn't coming from the LB. I am directly hitting the gateway over 8443 via SoapUI. Would you like to have a WebEx?

     
