Great to hear! Unfortunately, different objects in DataPower that have a match property are not implemented consistently, some use a PCRE, some just the "shell-style" expression. I'm always needing to refer to the online help to make sure I've chosen the correct one! I'm still puzzled as to why specifying the profile on your url-open extension function didn't work. Specifying the profile on either the User Agent with a matching url or on the service itself simply gives you a default profile if you don't explicitly specify one, so now you're matching on the profile for the User Agent. As for specifying it on the dp:url-open extension function, I looked at the example I coded up for the API Connect knowledge center that I provided above
Notice how the ssl-proxy attribute value is within the curly braces (an attribute value template or AVT). My xsl variable tlsClientProfile has a value of client:somename, so specifying your code as this example should give you the ability to specify it explicitly. An AVT is an XPath expression that is evaluated, and its evaluated value will be the attribute value, thus the two following should be equivalent
as even a quoted string literal must be evaluated as an AVT, but without the quotations, the value entered is the attribute value. Hope this explanation helps if you should decide to try the explicit ssl-proxy attribute in the future. Note that for DataPower extension function attributes, some require an AVT, some expect an XPath so the AVT isn't needed. I find it best to look at the examples in the DataPower documentation to make sure I know which is the case for the attribute I require.
Original Message:
Sent: Wed November 16, 2022 03:52 AM
From: Stefan Ruck
Subject: Error: 0x80e0005a Cannot establish TLS credentials
Hi Steve,
Changing the matching expression from regex style ".*" to shell-style "*" (without quotes) made it :-)
As said in my initial post, I was not clear (and sure) if ".*" is the correct way to express "any", which it obviously is not.
There was even no need to add an ssl-proxy attribute to the dp:url-open element.
Also thanks again to Joseph and Jeroen.
Best regards,
Stefan
------------------------------
Stefan Ruck
Original Message:
Sent: Tue November 15, 2022 11:11 AM
From: Steve Linn
Subject: Error: 0x80e0005a Cannot establish TLS credentials
Hi Stefan,
Correct, per the documentation, the url matching is not a PC regular expression which would use .* for a wild card, but is "A required shell-style expression that defines a URL set assigned to a specific proxy." That would mean the expression would support * for a wildcard.
Best Regards,
Steve
------------------------------
Steve Linn
Senior Consulting I/T Specialist
IBM
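The two points made above (the User Agent's URL matching expression is shell-style, so ".*" is not "any" and "*" or "*/applicationname*" is needed; and an ssl-proxy value is literal text unless it is wrapped in curly braces as an AVT) can be checked offline with the following added example. This is not code from the thread, from DataPower or from IBM: it uses Python's fnmatch as an approximation of DataPower's shell-style matching (assumption: only "*" is relied on, and "*" is allowed to span "/"), a re.search for the regex comparison (assumption about regex semantics, only for contrast), and a toy AVT evaluator that understands just `$variable` references, quoted string literals and the `{{`/`}}` escapes. The URL, rule list and profile names are constructed sample values.

```python
"""Shell-style URL matching vs. regex, and AVT evaluation (added example).

Constructed sample data; fnmatch is an approximation of DataPower's
shell-style matching and the AVT evaluator covers only the forms used
in the thread ($var, 'literal', plain text).
"""
import fnmatch
import re

# Constructed sample URL in the shape of the obfuscated one in the thread.
SAMPLE_URL = "https://10.0.0.1/app/page.aspx?a=1"


def shell_match(pattern: str, url: str) -> bool:
    """Shell-style match: '*' is the wildcard, '.' is a literal dot.

    fnmatchcase lets '*' span '/', which is what a URL rule needs
    (assumption: DataPower behaves the same for '*')."""
    return fnmatch.fnmatchcase(url, pattern)


def regex_match(pattern: str, url: str) -> bool:
    """Regex-style match for contrast: here '.*' really does mean 'anything'."""
    return re.search(pattern, url) is not None


def select_profile(policy, url):
    """Return the TLS client profile of the first rule whose shell-style
    pattern matches the URL, or None when nothing matches.

    None models the thread's symptom: no rule matched, so the profile
    name handed to the TLS layer was empty ('')."""
    for pattern, profile in policy:
        if shell_match(pattern, url):
            return profile
    return None


# An AVT is literal text with {xpath} segments; '{{' and '}}' are escapes.
_AVT_TOKEN = re.compile(r"\{\{|\}\}|\{([^}]*)\}")


def evaluate_xpath_subset(expr: str, variables: dict) -> str:
    """Toy XPath: only '$name' and single/double-quoted string literals."""
    expr = expr.strip()
    if expr.startswith("$"):
        name = expr[1:]
        if name not in variables:
            raise KeyError(f"undefined XSLT variable ${name}")
        return variables[name]
    if len(expr) >= 2 and expr[0] == expr[-1] and expr[0] in "'\"":
        return expr[1:-1]
    raise ValueError(f"unsupported XPath in this toy evaluator: {expr!r}")


def evaluate_avt(avt: str, variables: dict) -> str:
    """Evaluate an attribute value template against the given variables.

    Text outside braces is copied literally, so ssl-proxy="$var" yields the
    string '$var' while ssl-proxy="{$var}" yields the variable's value."""
    out, pos = [], 0
    for m in _AVT_TOKEN.finditer(avt):
        out.append(avt[pos:m.start()])
        tok = m.group(0)
        if tok == "{{":
            out.append("{")
        elif tok == "}}":
            out.append("}")
        else:
            out.append(evaluate_xpath_subset(m.group(1), variables))
        pos = m.end()
    out.append(avt[pos:])
    return "".join(out)


if __name__ == "__main__":
    for pat in (".*", "*", "*/app*"):
        print(f"{pat!r:10} shell={shell_match(pat, SAMPLE_URL)!s:5} "
              f"regex={regex_match(pat, SAMPLE_URL)}")
    print("policy ['.*']:", select_profile([(".*", "client:MyProfile")], SAMPLE_URL))
    print("policy ['*'] :", select_profile([("*", "client:MyProfile")], SAMPLE_URL))
    vars_ = {"tlsClientProfile": "client:MyProfile"}
    for avt in ("client:MyProfile", "{$tlsClientProfile}",
                "{'client:MyProfile'}", "$tlsClientProfile"):
        print(f"{avt!r:24} -> {evaluate_avt(avt, vars_)!r}")
```

Running it shows ".*" matching under regex semantics but not under shell-style semantics, so a policy containing only that rule returns no profile, while "*" and "*/app*" both select the profile. The AVT lines show that the unbraced `$tlsClientProfile` is passed through as a literal string, which is the kind of value that would never name an existing profile.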
Original Message:
Sent: Mon November 14, 2022 12:16 PM
From: Stefan Ruck
Subject: Error: 0x80e0005a Cannot establish TLS credentials
Hi Steve,
Thanks for your input. No change when using curly brackets :-(
Not sure if I got the point regarding the match in the UA right. I set ".*" as "URL Matching Expression" in the user agent's TLS Profile Policy, assuming this will cover any URL. Do you mean I need to change it to */<applicationname>*?
Thanks
------------------------------
Stefan Ruck
Original Message:
Sent: Fri November 11, 2022 09:35 AM
From: Steve Linn
Subject: Error: 0x80e0005a Cannot establish TLS credentials
Hi Stefan,
First off, it is not a best practice to put any application specific configuration into the default domain so I would discourage you from doing so, and doing so won't make a difference as far as the behavior you're seeing. Also, the ssl-proxy attribute should have only a string, for example, ssl-proxy="client:whatever" ... if you need an XPath expression, even a string literal, you'll need to enclose it in curly braces, for example, ssl-proxy="{$myprofile}" or ssl-proxy="{'client:whatever'}" where the variable myprofile has the name of your profile 'client:whatever'. There is an example of this (using an XPath, i.e., a $variable) in the API Connect knowledge center docs for an xslt I wrote. See under the section "Return DataPower object name associated with a client TLS profile" in https://www.ibm.com/docs/en/api-connect/10.0.1.x?topic=xslt-policy-examples.
I agree with Joseph that the error
unable to get TLS Profile ''
leads me to think you are not specifying the profile name properly on the ssl-proxy attribute, but looking through the thread above I don't see anything that jumps out at me. Just an FYI, the use of specifying a profile on the XML manager (actually the referenced User Agent for your XML manager), or even for a Multi-Protocol Gateway's tls-profile, they provide default config when a TLS profile isn't explicitly specified, with the XML Manager having the match based on the url you're attempting to connect to which would take precedence over the service's entry, so you must not be matching any of the XML manager (i.e., referenced User Agent's) urls there and odds are you don't have one defined for your MPGW service. One item that trips many up is the match in the UA uses shell expressions, not regular expressions, so you'd need to match on something like */applicationname* for example.
I'd suggest you open a PMR. This is a difficult one to triage just seeing bits and pieces of obfuscated configuration. I'm sure DataPower support will ask you for a domain export, and seeing all of that in one place they should be able to determine the cause of the issue.
Best Regards,
Steve
------------------------------
Steve Linn
Senior Consulting I/T Specialist
IBM
Original Message:
Sent: Thu November 10, 2022 10:40 AM
From: Stefan Ruck
Subject: Error: 0x80e0005a Cannot establish TLS credentials
>>Is the TLS Client Profile referenced in your code the exact name of the TLS Client Profile in the domain?<<
Double-checked it: yes, same
What I also tried: changed the name of the client profile named in the code to an undefined name:
<dp:url-open target="{$ParamUri}" ssl-proxy="client:doesnotexist"/>
Log output is still "TLS connection to '<uri>' failed, unable to get TLS Profile '' "
I would have expected to find "doesnotexist" somewhere in the log, but did not.
Next week, I will drop the entire config, re-configure DPG from scratch, but will use the default domain instead of a custom domain (I know, it should not make a difference, but I would like to verify it).
------------------------------
Stefan Ruck
Original Message:
Sent: Wed November 09, 2022 11:14 AM
From: Joseph Morgan
Subject: Error: 0x80e0005a Cannot establish TLS credentials
>> Btw, think you mean User Agent's TLS Profile Policy.
Yep, my brain is still on the old "proxy" language.
So, why is the log saying the TLS Profile name is blank? Is the TLS Client Profile referenced in your code the exact name of the TLS Client Profile in the domain?
------------------------------
Joseph Morgan
Original Message:
Sent: Wed November 09, 2022 10:43 AM
From: Stefan Ruck
Subject: Error: 0x80e0005a Cannot establish TLS credentials
>>When you added the TLS profile to the code, did you remove it from the User Agent's TLS proxy policy?<<
No, did not - should I? I tried it (only name the TLS Client Profile in the code, removed it from the User Agent), still no change :-(
Btw, think you mean User Agent's TLS Profile Policy.
------------------------------
Stefan Ruck
Original Message:
Sent: Tue November 08, 2022 11:47 AM
From: Joseph Morgan
Subject: Error: 0x80e0005a Cannot establish TLS credentials
>> I'm wondering if I should check if it works when I use the default domain instead of my custom domain.
As long as the TLS Client profile is in the same domain as the code seeking it, you should be fine. That won't make a difference.
So, this is the problem:
TLS connection to ... failed, unable to get TLS Profile ''
It is saying the TLS profile name is blank.
When you added the TLS profile to the code, did you remove it from the User Agent's TLS proxy policy?
I'm wondering if one is not overriding the other, but even then, as long as the name is correct, you should be fine.
------------------------------
Joseph Morgan
Original Message:
Sent: Tue November 08, 2022 11:10 AM
From: Stefan Ruck
Subject: Error: 0x80e0005a Cannot establish TLS credentials
>>The client profile only supports TLS1.2 and TLS1.3. Is the server to which you are connecting at TLS1.2 or above?<<
Same error occurs having all protocols enabled.
>> Does the certificate and key pair match the one the server is authenticating you with? <<
No need to authenticate. Root CA is trusted by the server.
I changed the logs to debug. The "Log Extract.txt" contains the log entries from starting a new transaction (client call) up to the "Cannot establish TLS credentials" error. Unfortunately, there are no "write error..." entries.
DPG sees it has to load an XSLT because it is not in the cache, then "TLS connection to ... failed, unable to get TLS Profile ''", and then "Cannot establish TLS credentials"
I'm wondering if I should check if it works when I use the default domain instead of my custom domain.
------------------------------
Stefan Ruck
Original Message:
Sent: Mon November 07, 2022 09:30 AM
From: Joseph Morgan
Subject: Error: 0x80e0005a Cannot establish TLS credentials
DomainSettings is an object not really at play here. It is just another configuration object named "default". Nothing to worry about with respect to this.
After looking over the export, the only things that may be problems are:
- The client profile only supports TLS1.2 and TLS1.3. Is the server to which you are connecting at TLS1.2 or above?
- Does the certificate and key pair match the one the server is authenticating you with?
What else shows in the logs? Turn your logs to debug. That will tell us a great deal more about why it is reporting a failure. In addition to the failed to establish a backside connection, I'm going to be very interested in log entries containing things like "write error (7)" or "write error (8)".
------------------------------
Joseph Morgan
Original Message:
Sent: Mon November 07, 2022 06:04 AM
From: Stefan Ruck
Subject: Error: 0x80e0005a Cannot establish TLS credentials
Attached you can find the export. Whatever looks sensitive to me, I've <obfuscated>. Hope it will still be helpful.
What surprised me a bit is line 34: <DomainSettings name="default" ....
As said, all is defined in a custom domain, which is reflected properly in line 33
<configuration domain="<mydomain>">
In the WebUI of the TLS Client Profile, I can't see an option to change this.
Thanks,
------------------------------
Stefan Ruck
Original Message:
Sent: Fri November 04, 2022 08:51 AM
From: Joseph Morgan
Subject: Error: 0x80e0005a Cannot establish TLS credentials
The XML export should be fine. My worry, though, is if you have any passwords on keys or certs, are they passwords and password aliases. There may not be any, but once you export to XML, you can look in there and obfuscate any visible passwords you might have within that export before posting here.
------------------------------
Joseph Morgan
Original Message:
Sent: Fri November 04, 2022 06:55 AM
From: Stefan Ruck
Subject: Error: 0x80e0005a Cannot establish TLS credentials
Of course, the XML export of the TLS Client Profile only ;-)
Not sure how to share / show the config other than creating a screenshot or by XML export. From looking at the XML export I had the impression it gives all details. Or is there another way how to show the config? Sorry if this sounds stupid, DPG is not part of my daily work.
------------------------------
Stefan Ruck
Original Message:
Sent: Thu November 03, 2022 01:03 PM
From: Joseph Morgan
Subject: Error: 0x80e0005a Cannot establish TLS credentials
No.. we likely need to see the configuration of the TLS Client Profile you are using for TLS.
That is, what is the configuration of the "<name of TLS Client Profile within the same domain>"?
------------------------------
Joseph Morgan
Original Message:
Sent: Thu November 03, 2022 12:41 PM
From: Stefan Ruck
Subject: Error: 0x80e0005a Cannot establish TLS credentials
Yes, sure: TLS Client Profile.
>>Can we see an obfuscated version of that?<<
Do you mean (parts of) the XML export?
------------------------------
Stefan Ruck
Original Message:
Sent: Thu November 03, 2022 11:01 AM
From: jeroen willems
Subject: Error: 0x80e0005a Cannot establish TLS credentials
and just to be sure are you using a TLS Client Profile or a TLS proxy profile (deprecated)?
------------------------------
jeroen willems
Original Message:
Sent: Thu November 03, 2022 10:47 AM
From: Joseph Morgan
Subject: Error: 0x80e0005a Cannot establish TLS credentials
There must be something wrong with the TLS Client profile itself.
Can we see an obfuscated version of that?
------------------------------
Joseph Morgan
Original Message:
Sent: Thu November 03, 2022 10:42 AM
From: Stefan Ruck
Subject: Error: 0x80e0005a Cannot establish TLS credentials
Oh - embarrassing :-(
Fixed it, and the result is - back to start:
Cannot establish TLS credentials (credential is NULL), URL:
------------------------------
Stefan Ruck
Original Message:
Sent: Thu November 03, 2022 10:24 AM
From: jeroen willems
Subject: Error: 0x80e0005a Cannot establish TLS credentials
Please check your quotes, one is missing after }
<dp:url-open target="{$ParamUri} ssl-proxy="client:<name of TLS Client Profile within the same domain>"/>
try
<dp:url-open target="{$ParamUri}" ssl-proxy="client:<name of TLS Client Profile within the same domain>"/>
------------------------------
jeroen willems
Original Message:
Sent: Thu November 03, 2022 10:17 AM
From: Stefan Ruck
Subject: Error: 0x80e0005a Cannot establish TLS credentials
Hi Jeroen, hi Joseph,
I've added the ssl-proxy attribute, now the call looks like this:
<dp:url-open target="{$ParamUri} ssl-proxy="client:<name of TLS Client Profile within the same domain>"/>
Result: Another error:
xslt: Request failed to compile. local:///<myxslt>.xslt: illegal character 'c' at line 298 of local:///<myxslt>.xslt Referenced by local:///<myxslt>.xslt.
Line 298 is the line of url-open element. The name of the client profile does not contain a 'c', even the URI does not contain a lower case 'c'.
When I removed the "client:" part, DPG was complaining about the first character of the client profile name. Using a variable instead of plain text, DPG complained about the '{'.
>>You're referring to the default XML manager in the domain where you have the validation, correct?<<
Yes
>>And, then in the domain you created for the validating service, you've set the TLS policy on a user agent (default?) connected to the "default" XML manager in there?<<
Also true. In the TLS Profile Policy of the User Agent, I set the TLS client type to "Client Profile".
Thanks,
Stefan
------------------------------
Stefan Ruck
Original Message:
Sent: Thu November 03, 2022 09:19 AM
From: Joseph Morgan
Subject: Error: 0x80e0005a Cannot establish TLS credentials
Jeroen Willems supplied information for dp:url-open that should work, which is honestly the easiest solution.
However, I'm surprised your TLS policy on the user agent isn't working.
You're referring to the default XML manager in the domain where you have the validation, correct? And, then in the domain you created for the validating service, you've set the TLS policy on a user agent (default?) connected to the "default" XML manager in there?
------------------------------
Joseph Morgan
Original Message:
Sent: Thu November 03, 2022 07:17 AM
From: Stefan Ruck
Subject: Error: 0x80e0005a Cannot establish TLS credentials
Hi Joseph,
>>it sounds like you're fetching remote documents<<
Almost ;-): The documents to be validated and processed are sent via HTTP(S) to DPG. The schema for validation and XSLT for processing are fetched from an external server using dp:url-open.
>>What does the dp:url-open call look like<<
The call is <dp:url-open target="{$ParamUrl}"/>
The URL looks like this:
https://<ip-address>/<applicationname>/<applicationpage>.aspx?<parameter1>=<value1>&<parameter2>=<value2>&<parameter>=<value3>
We also tried explicitly naming the port, but same error:
https://<ip-address>:443/<applicationname>/<applicationpage>.aspx?<parameter1>=<value1>&<parameter2>=<value2>&<parameter>=<value3>
As already mentioned, this works when using a Web browser. Also, HTTP-only works fine from DPG:
http://<ip-address>/<applicationname>/<applicationpage>.aspx?<parameter1>=<value1>&<parameter2>=<value2>&<parameter>=<value3>
>> What is the XML Manager in use?<<
We use the default manager with the following changes:
- XSL Cache Size "3000" stylesheets
- Compile Options Policy "Minimum Output Escaping"
- XML Bytes Scanned "0" bytes
- XML Maximum Node Size "8388608" bytes
One thing I didn't mention yet: We've created our own domain within the DPG config.
Hope this helps.
Thanks,
Stefan
------------------------------
Stefan Ruck
Original Message:
Sent: Wed November 02, 2022 03:05 PM
From: Joseph Morgan
Subject: Error: 0x80e0005a Cannot establish TLS credentials
That is, it sounds like you're fetching remote documents for validation and processing, yes?
From the sound of it you've done everything correctly. What does the dp:url-open call look like (you can obfuscate the URL details, but in general).
What is the XML Manager in use?
------------------------------
Joseph Morgan
Original Message:
Sent: Wed November 02, 2022 11:28 AM
From: Stefan Ruck
Subject: Error: 0x80e0005a Cannot establish TLS credentials
Hi,
We are using DPG 10.0.1.0 for XML validation and transformation. Within the XSLT used by the processing policy, we use the extension url-open to load schema / additional XSLTs from an external Web address via HTTP calls.
Now we want to switch to TLS encrypted communication (HTTPS), but run into "0x80e0005a Cannot establish TLS credentials (credential is NULL), URL: '%s'.". The explanation given by the docs is that "An TLS profile cannot be found for this TLS connection.".
On the remote server, we can't see any communication attempts in the Web server's log.
We also defined a TLS Profile Policy in XML Manager / User Agent (Client Profile), but no change. (To be honest, I am not clear what value is expected for "URL Matching Expression", entered ".*" [without quotes]).
The only change in the remote address is https instead of http. Calling the HTTPS address from the server via Web browser works fine, so no firewall issue.
TLS communication from a client to DPG (DPG as server) is working fine.
What config are we missing?
Thanks in advance for your help!
Stefan
------------------------------
Stefan Ruck
------------------------------