Layer7 API Management

  • 1.  NTLM Authentication on Exchange server through External Gateway on DMZ and Internal Gateway on LAN

    Posted Aug 29, 2017 11:10 AM

    Hi,

    Our system is working with 2 gateways:

    - 1 in DMZ as external gateway that has access to the internet
    - 1 in LAN as internal gateway with access to the external gateway

    Our service calls an Exchange Server which uses NTLM for authentication (https://msdn.microsoft.com/fr-fr/library/windows/desktop/aa378749(v=vs.85).aspx), a Challenge/Response protocol.

    NTLM authentication requires multiple exchanges between the client and the server.

    When we call the service on the internal gateway, the service works with NTLM authentication (3 calls between my internal gateway and the Exchange server).

    But on the external gateway, on the second call from the external gateway we get this error:

     

    <soapenv:Envelope xmlns:soapenv="http://schemas.xmlsoap.org/soap/envelope/">
    <soapenv:Body>
    <soapenv:Fault>
    <faultcode>soapenv:Server</faultcode>
    <faultstring>Error in assertion processing</faultstring>
    <faultactor>https://apidev-eu-ext1.sanofi.com:7443/MI/1.0/EWS/Exchange.asmx</faultactor>
    <detail>
    <l7:policyResult status="javax.security.auth.x500.X500Principal cannot be cast to com.l7tech.server.transport.http.ConnectionId" xmlns:l7="http://www.layer7tech.com/ws/policy/fault"/>
    </detail>
    </soapenv:Fault>
    </soapenv:Body>
    </soapenv:Envelope>

    Do you have previous experience with NTLM and the CA gateway?

     

    Regards.



  • 2.  Re: NTLM Authentication on Exchange server through External Gateway on DMZ and Internal Gateway on LAN

    Broadcom Employee
    Posted Aug 29, 2017 12:29 PM

    Hi GHaener,

    It seems you are encountering an issue related to certificate validation.

    Did you have a look at your generated audit or log entries?

     

    Regards



  • 3.  Re: NTLM Authentication on Exchange server through External Gateway on DMZ and Internal Gateway on LAN

    Posted Aug 30, 2017 08:20 AM

    Hi Nicolas,

    Here are some logs from the server:

    2017-08-29T14:53:37.020+0200 SEVERE  263 com.l7tech.server.SoapMessageProcessingServlet: javax.security.auth.x500.X500Principal cannot be cast to com.l7tech.server.transport.http.ConnectionId
    java.lang.ClassCastException: javax.security.auth.x500.X500Principal cannot be cast to com.l7tech.server.transport.http.ConnectionId
            at com.l7tech.server.transport.http.ConnectionId.equals(Unknown Source)
            at org.apache.http.pool.RouteSpecificPool.getFree(RouteSpecificPool.java:80)
            at org.apache.http.pool.AbstractConnPool.getPoolEntryBlocking(AbstractConnPool.java:223)
            at org.apache.http.pool.AbstractConnPool.access$000(AbstractConnPool.java:62)
            at org.apache.http.pool.AbstractConnPool$2.getPoolEntry(AbstractConnPool.java:176)
            at org.apache.http.pool.AbstractConnPool$2.getPoolEntry(AbstractConnPool.java:172)
            at org.apache.http.pool.PoolEntryFuture.get(PoolEntryFuture.java:100)
            at org.apache.http.impl.conn.PoolingClientConnectionManager.leaseConnection(PoolingClientConnectionManager.java:212)
            at org.apache.http.impl.conn.PoolingClientConnectionManager$1.getConnection(PoolingClientConnectionManager.java:199)
            at org.apache.http.impl.client.DefaultRequestDirector.execute(DefaultRequestDirector.java:456)
            at org.apache.http.impl.client.AbstractHttpClient.execute(AbstractHttpClient.java:906)
            at org.apache.http.impl.client.AbstractHttpClient.execute(AbstractHttpClient.java:805)
            at com.l7tech.common.http.prov.apache.components.f.getResponse(Unknown Source)
            at com.l7tech.server.policy.assertion.ServerHttpRoutingAssertion.a(Unknown Source)
            at com.l7tech.server.policy.assertion.ServerHttpRoutingAssertion.a(Unknown Source)
            at com.l7tech.server.policy.assertion.ServerHttpRoutingAssertion.checkRequest(Unknown Source)
            at com.l7tech.server.policy.assertion.composite.ServerCompositeAssertion.iterateChildren(Unknown Source)
            at com.l7tech.server.policy.assertion.composite.ServerOneOrMoreAssertion.checkRequest(Unknown Source)
            at com.l7tech.server.policy.assertion.composite.ServerCompositeAssertion.iterateChildren(Unknown Source)
            at com.l7tech.server.policy.assertion.composite.ServerAllAssertion.checkRequest(Unknown Source)
            at com.l7tech.server.policy.ServerPolicy.checkRequest(Unknown Source)
            at com.l7tech.server.policy.w.call(Unknown Source)
            at com.l7tech.server.policy.w.call(Unknown Source)
            at com.l7tech.common.log.HybridDiagnosticContext.doInContext(Unknown Source)
            at com.l7tech.server.policy.ServerPolicyHandle.checkRequest(Unknown Source)
            at com.l7tech.server.ao.b(Unknown Source)
            at com.l7tech.server.ao.a(Unknown Source)
            at com.l7tech.server.ao.access$700(Unknown Source)
            at com.l7tech.server.MessageProcessor.a(Unknown Source)
            at com.l7tech.server.MessageProcessor.processMessageNoAudit(Unknown Source)
            at com.l7tech.server.SoapMessageProcessingServlet.serviceNoAudit(Unknown Source)
            at com.l7tech.server.SoapMessageProcessingServlet.access$000(Unknown Source)
            at com.l7tech.server.a1.call(Unknown Source)
            at com.l7tech.server.audit.AuditContextFactory.doWithNewAuditContext(Unknown Source)
            at com.l7tech.server.SoapMessageProcessingServlet.service(Unknown Source)
            at javax.servlet.http.HttpServlet.service(HttpServlet.java:770)
            at org.apache.catalina.core.ApplicationFilterChain.internalDoFilter(ApplicationFilterChain.java:290)
            at org.apache.catalina.core.ApplicationFilterChain.doFilter(ApplicationFilterChain.java:206)
            at org.apache.catalina.core.ApplicationDispatcher.invoke(ApplicationDispatcher.java:646)
            at org.apache.catalina.core.ApplicationDispatcher.processRequest(ApplicationDispatcher.java:436)
            at org.apache.catalina.core.ApplicationDispatcher.doForward(ApplicationDispatcher.java:342)
            at org.apache.catalina.core.ApplicationDispatcher.forward(ApplicationDispatcher.java:302)
            at com.l7tech.server.transport.http.HttpNamespaceFilter.doFilter(Unknown Source)
            at org.apache.catalina.core.ApplicationFilterChain.internalDoFilter(ApplicationFilterChain.java:235)
            at org.apache.catalina.core.ApplicationFilterChain.doFilter(ApplicationFilterChain.java:206)
            at com.l7tech.server.WsdlFilter.doFilter(Unknown Source)
            at org.apache.catalina.core.ApplicationFilterChain.internalDoFilter(ApplicationFilterChain.java:235)
            at org.apache.catalina.core.ApplicationFilterChain.doFilter(ApplicationFilterChain.java:206)
            at com.l7tech.server.transport.http.ConnectionIdFilter.doFilter(Unknown Source)
            at org.apache.catalina.core.ApplicationFilterChain.internalDoFilter(ApplicationFilterChain.java:235)
            at org.apache.catalina.core.ApplicationFilterChain.doFilter(ApplicationFilterChain.java:206)
            at com.l7tech.server.transport.http.InputTimeoutFilter.doFilter(Unknown Source)
            at org.apache.catalina.core.ApplicationFilterChain.internalDoFilter(ApplicationFilterChain.java:235)
            at org.apache.catalina.core.ApplicationFilterChain.doFilter(ApplicationFilterChain.java:206)
            at com.l7tech.server.log.HybridDiagnosticContextServletFilter.doFilter(Unknown Source)
            at org.apache.catalina.core.ApplicationFilterChain.internalDoFilter(ApplicationFilterChain.java:235)
            at org.apache.catalina.core.ApplicationFilterChain.doFilter(ApplicationFilterChain.java:206)
            at org.apache.catalina.core.StandardWrapperValve.invoke(StandardWrapperValve.java:233)
            at org.apache.catalina.core.StandardContextValve.invoke(StandardContextValve.java:181)
            at org.apache.catalina.core.StandardHostValve.invoke(StandardHostValve.java:127)
            at org.apache.catalina.valves.ErrorReportValve.invoke(ErrorReportValve.java:103)
            at com.l7tech.server.tomcat.ResponseKillerValve.invoke(Unknown Source)
            at com.l7tech.server.tomcat.ConnectionIdValve.invoke(Unknown Source)
            at org.apache.catalina.core.StandardEngineValve.invoke(StandardEngineValve.java:109)
            at org.apache.catalina.connector.CoyoteAdapter.service(CoyoteAdapter.java:295)
            at org.apache.coyote.http11.Http11Processor.process(Http11Processor.java:861)
            at org.apache.coyote.http11.Http11Protocol$Http11ConnectionHandler.process(Http11Protocol.java:606)
            at org.apache.tomcat.util.net.JIoEndpoint$SocketProcessor.run(JIoEndpoint.java:396)
            at java.util.concurrent.ThreadPoolExecutor.runWorker(ThreadPoolExecutor.java:1142)
            at java.util.concurrent.ThreadPoolExecutor$Worker.run(ThreadPoolExecutor.java:617)
            at java.lang.Thread.run(Thread.java:745)
    2017-08-29T14:53:37.026+0200 WARNING 263 com.l7tech.server.MessageProcessor: 3016: Request routing failed with status -1 (Undefined)
    2017-08-29T14:53:37.026+0200 WARNING 263 com.l7tech.server.message: Message was not processed: Undefined (-1)

    Also some audits:

    20170830 14:06:36.043 WARNING 3016 Request routing failed with status -1 (Undefined)

    And the response of the service:

    <?xml version="1.0" encoding="UTF-8"?>
    <soapenv:Envelope xmlns:soapenv="http://schemas.xmlsoap.org/soap/envelope/">
    <soapenv:Body>
    <soapenv:Fault>
    <faultcode>soapenv:Server</faultcode>
    <faultstring>Error in assertion processing</faultstring>
    <faultactor>https://apidev-eu-ext1.sanofi.com:7443/MI/1.0/EWS/Exchange.asmx</faultactor>
    <detail>
    <l7:policyResult
    status="javax.security.auth.x500.X500Principal cannot be cast to com.l7tech.server.transport.http.ConnectionId" xmlns:l7="http://www.layer7tech.com/ws/policy/fault"/>
    </detail>
    </soapenv:Fault>
    </soapenv:Body>
    </soapenv:Envelope>

    How could I log whether there is an issue with certificate validation?

     

    Thank you.
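An added example, not from this thread or from the gateway product: a small Python log check that flags the failure signature shown in the post above, a ConnectionId ClassCastException followed by a 3016 routing failure on the same gateway thread. The log text is constructed from the excerpt in this post, with one unrelated 3016 line added on another thread to show it is not flagged.

```python
import re

# Log line layout as seen in the gateway log above: ISO timestamp, level,
# thread id, logger name, message. Stack-trace continuation lines do not match.
LINE_RE = re.compile(
    r"^(?P<ts>\S+)\s+(?P<level>[A-Z]+)\s+(?P<thread>\d+)\s+(?P<logger>\S+):\s+(?P<msg>.*)$"
)
CAST_SIG = "X500Principal cannot be cast to com.l7tech.server.transport.http.ConnectionId"
ROUTING_FAIL = "3016: Request routing failed"

# Constructed sample modelled on the excerpt (thread 263), plus a routing
# failure on thread 264 with no preceding cast error, which must not be flagged.
SAMPLE_LOG = """\
2017-08-29T14:53:37.020+0200 SEVERE  263 com.l7tech.server.SoapMessageProcessingServlet: javax.security.auth.x500.X500Principal cannot be cast to com.l7tech.server.transport.http.ConnectionId
java.lang.ClassCastException: javax.security.auth.x500.X500Principal cannot be cast to com.l7tech.server.transport.http.ConnectionId
        at com.l7tech.server.transport.http.ConnectionId.equals(Unknown Source)
2017-08-29T14:53:37.026+0200 WARNING 263 com.l7tech.server.MessageProcessor: 3016: Request routing failed with status -1 (Undefined)
2017-08-29T14:53:37.026+0200 WARNING 263 com.l7tech.server.message: Message was not processed: Undefined (-1)
2017-08-29T14:53:40.001+0200 WARNING 264 com.l7tech.server.MessageProcessor: 3016: Request routing failed with status -1 (Undefined)
"""

def parse(log_text):
    """Yield one dict per parsable log record; trace lines are skipped."""
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        if m:
            yield m.groupdict()

def find_connectionid_failures(log_text):
    """Return (thread, timestamp) pairs where a ConnectionId ClassCastException
    on a thread is followed by a 3016 routing failure on that same thread."""
    pending = {}  # thread id -> timestamp of the SEVERE cast error
    hits = []
    for rec in parse(log_text):
        if rec["level"] == "SEVERE" and CAST_SIG in rec["msg"]:
            pending[rec["thread"]] = rec["ts"]
        elif ROUTING_FAIL in rec["msg"] and rec["thread"] in pending:
            hits.append((rec["thread"], pending.pop(rec["thread"])))
    return hits

if __name__ == "__main__":
    for thread, ts in find_connectionid_failures(SAMPLE_LOG):
        print(f"thread {thread}: NTLM routing failed after ConnectionId cast error at {ts}")
```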



  • 4.  Re: NTLM Authentication on Exchange server through External Gateway on DMZ and Internal Gateway on LAN
    Best Answer

    Broadcom Employee
    Posted Nov 23, 2018 03:36 PM

    A case was opened to address this issue; the problem was related to a bug in the API Gateway which was resolved by applying the latest CR for 9.2. This fix was also incorporated in versions 9.3 and 9.4 of the API Gateway.

     

    Sincerely,

     

    Stephen Hughes

    Broadcom Support