Hi folks,
This is about setting up flow service that consumes a service on the target server over HTTPS and also providing a “client certificate” as the form to identify ourself.
I was able to test this using curl
from the same the same box hosting the IS (no -k
shortcut employed: the --capath
, the --cert
, --key
and even --proxy
were all provided!), and the target server responded as expected.
However things do not work out when using the IS (10.3, no TN available). I’ve followed Debugging TLS or SSL connections in Integration Server, MASSL SSL Connection being dropped and many others and they helped me to overcome sime issues to this last one seems not moving out.
Tasks performed:
- The ‘server’ (target server) certificates were manually extracted and imported into the trust store.
- The ‘client’ key and certificate were imported into the keystore, and its trust path certs as well.
And both stores were configured in the IS (IS Admin > Security > Keystores).
- Additionally, the ‘client’ key was also set in the “IS Admin > Security > Certificates, SSL Key”
- Finally, the SSL Cache was also cleared (IS Admin > Security > Certificates, Clear SSL Cache).
The testing flow service has, mainly two steps:
- INVOKE pub.security.keystore:setKeyAndChain (set the keystore and the key alias, as shown in the Certificates > SSL Key details)
- INVOKE pub.client:http
However, I’m still getting “Warning: no suitable certificate found - continuing without client authentication” (wrapper.log) which, in some sense, justifies the this post title.
Wading through the wrapper.log (with the SSL debug logfs turned on) there is a hint:
1. INFO | jvm 6 | 2020/09/28 16:07:42 | *** CertificateRequest
2. INFO | jvm 6 | 2020/09/28 16:07:42 | Cert Types: RSA, DSS, ECDSA
3. INFO | jvm 6 | 2020/09/28 16:07:42 | Supported Signature Algorithms: SHA256withRSA, SHA256withDSA, SHA256withECDSA, SHA384withRSA, Unknown (hash:0x5,
4. INFO | jvm 6 | 2020/09/28 16:07:42 | Cert Authorities:
5. INFO | jvm 6 | 2020/09/28 16:07:42 | <Empty>
6. INFO | jvm 6 | 2020/09/28 16:07:42 | HTTP Handler 192.168.80.81, READ: TLSv1.2 Handshake, length = 4
7. INFO | jvm 6 | 2020/09/28 16:07:42 | *** ServerHelloDone
8. INFO | jvm 6 | 2020/09/28 16:07:42 | Warning: no suitable certificate found - continuing without client authentication
9. INFO | jvm 6 | 2020/09/28 16:07:42 | *** Certificate chain
10. INFO | jvm 6 | 2020/09/28 16:07:42 | <Empty>
11. INFO | jvm 6 | 2020/09/28 16:07:42 | ***
12. INFO | jvm 6 | 2020/09/28 16:07:42 | *** ClientKeyExchange, DH
Line 8: still getting ‘no suitable certificate found’. (But how come not being able to find the certificate? The certificate is in the keystore.)
What I’m missing?
#webMethods#mTLS#ssl#tls