OpenIDM / OPENIDM-11050

Mutual SSL authentication failure with external REST

    Details

    • Story Points: 3
    • Sprint: 2019.7 - IDM

      Description

      In boot.properties:

      openidm.ssl.host.aliases=localhost=openidm-localhost,openidm.example.com=openidm-localhost
      

      Regardless, requests to mutual auth SSL ports are failing to connect. This request:

      POST http://openidm.example.com:8080/openidm/external/rest?_action=call
      {
        "url": "https://openidm.example.com:8444/openidm/config",
        "method": "GET",
        "headers": { "X-OpenIDM-Username": "openidm-admin", "X-OpenIDM-Password": "openidm-admin" }
      }
      

      Results in:

      {
          "code": 502,
          "reason": "Bad Gateway",
          "message": "HTTP request failed"
      }
      

      And this exception in the console:

      May 30, 2018 12:47:41 AM org.forgerock.openidm.servlet.internal.ServletConnectionFactory$3 lambda$handleRequestWithLogging$8
      WARNING: Resource exception: 502 Bad Gateway: "HTTP request failed"
      org.forgerock.json.resource.PermanentException: HTTP request failed
          at org.forgerock.json.resource.ResourceException.newResourceException(ResourceException.java:261)
          at org.forgerock.openidm.external.rest.RestService$1.apply(RestService.java:336)
          at org.forgerock.openidm.external.rest.RestService$1.apply(RestService.java:331)
          at org.forgerock.util.promise.PromiseImpl.lambda$then$6(PromiseImpl.java:369)
          at org.forgerock.util.promise.PromiseImpl.handleCompletion(PromiseImpl.java:531)
          at org.forgerock.util.promise.PromiseImpl.setState(PromiseImpl.java:572)
          at org.forgerock.util.promise.PromiseImpl.tryHandleResult(PromiseImpl.java:258)
          at org.forgerock.util.promise.PromiseImpl.handleResult(PromiseImpl.java:208)
          at org.forgerock.util.promise.PromiseImpl.lambda$then$6(PromiseImpl.java:369)
          at org.forgerock.util.promise.PromiseImpl.handleCompletion(PromiseImpl.java:531)
          at org.forgerock.util.promise.PromiseImpl.setState(PromiseImpl.java:572)
          at org.forgerock.util.promise.PromiseImpl.tryHandleResult(PromiseImpl.java:258)
          at org.forgerock.util.promise.PromiseImpl.handleResult(PromiseImpl.java:208)
          at org.forgerock.util.promise.PromiseImpl.lambda$then$6(PromiseImpl.java:369)
          at org.forgerock.util.promise.PromiseImpl.handleCompletion(PromiseImpl.java:531)
          at org.forgerock.util.promise.PromiseImpl.setState(PromiseImpl.java:572)
          at org.forgerock.util.promise.PromiseImpl.tryHandleResult(PromiseImpl.java:258)
          at org.forgerock.util.promise.PromiseImpl.handleResult(PromiseImpl.java:208)
          at org.forgerock.http.apache.async.AsyncHttpClient$PromiseHttpAsyncResponseConsumer.failed(AsyncHttpClient.java:151)
          at org.apache.http.impl.nio.client.DefaultClientExchangeHandlerImpl.executionFailed(DefaultClientExchangeHandlerImpl.java:98)
          at org.apache.http.impl.nio.client.AbstractClientExchangeHandler.failed(AbstractClientExchangeHandler.java:413)
          at org.apache.http.nio.protocol.HttpAsyncRequestExecutor.endOfInput(HttpAsyncRequestExecutor.java:344)
          at org.apache.http.impl.nio.DefaultNHttpClientConnection.consumeInput(DefaultNHttpClientConnection.java:261)
          at org.apache.http.impl.nio.client.InternalIODispatch.onInputReady(InternalIODispatch.java:81)
          at org.apache.http.impl.nio.client.InternalIODispatch.onInputReady(InternalIODispatch.java:39)
          at org.apache.http.impl.nio.reactor.AbstractIODispatch.inputReady(AbstractIODispatch.java:121)
          at org.apache.http.impl.nio.reactor.BaseIOReactor.readable(BaseIOReactor.java:162)
          at org.apache.http.impl.nio.reactor.AbstractIOReactor.processEvent(AbstractIOReactor.java:337)
          at org.apache.http.impl.nio.reactor.AbstractIOReactor.processEvents(AbstractIOReactor.java:315)
          at org.apache.http.impl.nio.reactor.AbstractIOReactor.execute(AbstractIOReactor.java:276)
          at org.apache.http.impl.nio.reactor.BaseIOReactor.execute(BaseIOReactor.java:104)
          at org.apache.http.impl.nio.reactor.AbstractMultiworkerIOReactor$Worker.run(AbstractMultiworkerIOReactor.java:588)
          at java.lang.Thread.run(Thread.java:748)
      Caused by: org.apache.http.ConnectionClosedException: Connection closed
          ... 12 more
      

      However, this request to 8443 is successful:

      {
        "url": "https://openidm.example.com:8443/openidm/config",
        "method": "GET",
        "headers": { "X-OpenIDM-Username": "openidm-admin", "X-OpenIDM-Password": "openidm-admin" }
      }

      {
        "_id": "",
        "configurations": [
          {
            "_id": "ui/dashboard",
            "pid": "ui.4a28897c-d62c-4802-94ac-f9c77050865f",
            "factoryPid": "ui"
          }, ....
      

      So the server certificate is trusted (e.g. self-trust, as the certificate is present in the truststore); however, the client cert mapping seems not to be taken into account.
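A small offline diagnostic for the configuration in this report, added here as an example and not part of the report or of OpenIDM's own code. It parses the `openidm.ssl.host.aliases` value in the documented `host=alias,host=alias` form, extracts the target host from the `external/rest?_action=call` body, and reports whether that host maps to an alias that the client keystore actually holds. The keystore alias list is constructed for the example, and the matching rule (hostname only, case-insensitive, port ignored) is an assumption about how the setting is applied. With the report's values it resolves `openidm.example.com` to `openidm-localhost`, which is consistent with the reporter's view that the configuration itself is correct and the mapping is not being applied at runtime.

```python
"""Resolve which keystore alias openidm.ssl.host.aliases would select for
the target of an external REST call.

Hypothetical diagnostic written for this report; it is not OpenIDM code.
It assumes the documented format 'host1=alias1,host2=alias2' and that
hosts are matched by hostname only (case-insensitive, port ignored).
"""
import json
from urllib.parse import urlparse

# Constructed inputs: the property value and request body from the report,
# plus a made-up list of the aliases the client keystore is assumed to hold.
HOST_ALIASES_PROPERTY = (
    "localhost=openidm-localhost,openidm.example.com=openidm-localhost"
)
EXTERNAL_REST_BODY = json.dumps({
    "url": "https://openidm.example.com:8444/openidm/config",
    "method": "GET",
    "headers": {"X-OpenIDM-Username": "openidm-admin",
                "X-OpenIDM-Password": "openidm-admin"},
})
KEYSTORE_ALIASES = ["openidm-localhost", "openidm-sym-default"]


def parse_host_aliases(value: str) -> dict:
    """Turn 'host=alias,host=alias' into {host: alias}, lower-casing hosts.

    Raises ValueError on an entry without '=' so a malformed entry is
    reported instead of being silently dropped.
    """
    mapping = {}
    for entry in value.split(","):
        entry = entry.strip()
        if not entry:
            continue
        if "=" not in entry:
            raise ValueError(f"malformed host alias entry: {entry!r}")
        host, alias = entry.split("=", 1)
        mapping[host.strip().lower()] = alias.strip()
    return mapping


def target_host(body: str) -> str:
    """Extract the hostname of the 'url' in an external/rest call body."""
    url = json.loads(body)["url"]
    parsed = urlparse(url)
    if parsed.scheme != "https" or not parsed.hostname:
        raise ValueError(f"expected an https URL with a host, got {url!r}")
    return parsed.hostname.lower()


def resolve_client_alias(body: str, aliases_property: str,
                         keystore_aliases: list) -> dict:
    """Report which alias the call would use and whether the keystore has it.

    status is one of:
      'ok'            host is mapped and the alias exists in the keystore
      'unmapped-host' no entry for the host, so no client cert is selected
      'missing-alias' host maps to an alias the keystore does not contain
    """
    host = target_host(body)
    mapping = parse_host_aliases(aliases_property)
    alias = mapping.get(host)
    if alias is None:
        status = "unmapped-host"
    elif alias not in keystore_aliases:
        status = "missing-alias"
    else:
        status = "ok"
    return {"host": host, "alias": alias, "status": status}


if __name__ == "__main__":
    print(resolve_client_alias(EXTERNAL_REST_BODY, HOST_ALIASES_PROPERTY,
                               KEYSTORE_ALIASES))
```

Run it against the real property value from boot.properties and the alias list from `keytool -list` on the client keystore; a status other than `ok` points at the configuration, while `ok` combined with the 502 above points at the runtime cert selection, as the reporter concludes.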

      People

      • Assignee: Travis Haagen
      • Reporter: patrick diligent
      • Votes: 1
      • Watchers: 8