BPM, Workflow, and Case

  • 1.  Disabling authentication using a certificate

    Posted Wed August 30, 2023 04:15 PM

    Hello!

    I have a problem with one of the BAW environments. The process application created in BAW and installed on it, when calling the REST service with one of our external systems, despite the fact that it has user and password authorization set (basic auth), tries to authenticate itself with a certificate. How can I turn this off? I only want to authenticate with username and password. I don't want to use a certificate. The same application installed on another environment authorizes itself with a user and password and does not use a certificate and everything goes flawlessly. So the problem is clearly with the environment. I am using WebSphere Application Server version 8.5.5.16. Please help.



    ------------------------------
    Lukas Davis
    ------------------------------


  • 2.  RE: Disabling authentication using a certificate

    Posted Thu August 31, 2023 05:14 AM

    Hi Lukas,

    I believe what you describe is that the same process app, which exposes a REST service

    • requires clients to send basic auth for authentication in env1
    • requires clients to present a client certificate for authentication in env2

    This is NOT something you can configure in the app itself, but on the HTTPS endpoint. In case your client connects directly to the web container port of WebSphere Application Server, the configuration is in NodeDefaultSSLSettings.

    In production environments, you will have some HTTP server in front of the application server, for load balancing and other reasons. It is common to configure client certificate authentication between HTTP server and application server and expect clients to connect to the HTTP server. Maybe you need to use a different hostname in that case.

    HTH



    ------------------------------
    Jens Engelke
    ------------------------------



  • 3.  RE: Disabling authentication using a certificate

    Posted Sat September 02, 2023 05:50 AM

    Ok, so maybe I try to describe my problem. To begin with, the versions of the systems:

    IBM Business Automation Workflow - 8.6.1.19003
    WebSphere Application Server - 8.5.5.16

    I have created a service flow in IBM BAW that communicates via REST with the SAP system. I'm getting employee data from SAP. Authorization is done using basic auth authentication (user and password). The service that gets data from SAP has been operating for 2 years. We exchanged the certificate a few days ago. After replacing it, we added it to our WebSphere application server to CellDefaultTrustStore (there was a previous, old certificate on which everything worked). The same was done on the side of the SAP system. After this exchange of certificate, communication with SAP stopped working completely. When calling the service from SAP, I get a 401 Unauthorized error. We enabled advanced tracking on the SAP side. You can see in them that machine-to-machine communication is established. There is no error related to certificates, handshakes... We also enabled advanced tracing on the WebSphere side on classes related to REST communication, on apache.win, on classes related to http communication. There is absolutely no error beyond the mentioned 401 Unauthorized. Several people have already tried to solve this problem and no one has any idea what happened. Maybe you can help me with something.



    ------------------------------
    Lukas Davis
    ------------------------------



  • 4.  RE: Disabling authentication using a certificate

    Posted Mon September 04, 2023 03:34 AM

    Hi Lukas,

    when you receive a 401 response, you don't have a problem with certificates. Certificate configuration issues prevent the connection from happening. HTTP 401 is the application's response - typically to incorrect authentication data like an incorrect password or locked account in the case of HTTP basic auth.

    For troubleshooting, you need to focus on the SAP system, because it receives a request from BAW and is not happy with the authentication information. 

    From the BAW side, the best you can find is the request that is sent to SAP. You can also just look at your application, determine the request that you expect it to send and try it with

    curl -siku "$user:$password" https://sap-system/the/rest/service

    where $user and $password are the basic auth credentials.



    ------------------------------
    Jens Engelke
    ------------------------------



  • 5.  RE: Disabling authentication using a certificate

    Posted Mon September 04, 2023 06:19 AM

    When I try to use curl from BAW side to SAP, using the same user and password that I use in my service flow, I get correct response with status 200. 



    ------------------------------
    Lukas Davis
    ------------------------------



  • 6.  RE: Disabling authentication using a certificate

    Posted Mon September 04, 2023 06:31 AM

    In that case, the basic auth credentials sent by BAW may be incorrect. 

    I seem to remember a bug where storing settings in a REST server stored an incorrect password when changing something in Process Admin Console.

    Maybe this one: https://www.ibm.com/mysupport/s/defect/aCI3p000000PZgvGAG/dt178855?language=en_US

    I suggest opening a case to help debug the situation. You will want to see the exact outbound request to inspect the username and password sent.



    ------------------------------
    Jens Engelke
    ------------------------------
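
The inspection suggested in post 6 (look at the username and password in the exact outbound request) can be done offline once the `Authorization` header value has been captured from a trace. This is an added example, not part of the thread and not IBM or SAP code; the function names and sample credentials are constructed, and it assumes the working curl call sent the credentials as UTF-8.

```python
import base64
import hmac

def basic_header(user, password, charset="utf-8"):
    """Authorization header value for user:password in the given charset."""
    raw = f"{user}:{password}".encode(charset)
    return "Basic " + base64.b64encode(raw).decode("ascii")

def diagnose(captured, user, password):
    """Return findings for a captured header; an empty list means it matches."""
    scheme, _, token = captured.strip().partition(" ")
    if scheme.lower() != "basic" or not token:
        return [f"scheme: expected Basic, got {scheme!r}"]
    try:
        raw = base64.b64decode(token.strip(), validate=True)
    except ValueError:  # binascii.Error is a ValueError subclass
        return ["token: not valid base64"]
    want = f"{user}:{password}".encode("utf-8")
    if hmac.compare_digest(raw, want):
        return []
    try:
        if hmac.compare_digest(raw, f"{user}:{password}".encode("iso-8859-1")):
            return ["charset: credentials match but were sent as ISO-8859-1"]
    except UnicodeEncodeError:
        pass  # expected credentials cannot be represented in ISO-8859-1
    sent_user, sep, sent_pass = raw.partition(b":")
    if not sep:
        return ["format: no ':' between user and password"]
    want_user, _, want_pass = want.partition(b":")
    findings = []
    if sent_user != want_user:
        findings.append(f"user: sent {sent_user!r}, expected {want_user!r}")
    if not hmac.compare_digest(sent_pass, want_pass):
        if sent_pass.strip() == want_pass:
            findings.append("password: leading or trailing whitespace")
        else:
            # Report lengths only so the secret never lands in a log.
            findings.append(f"password: differs ({len(sent_pass)} bytes sent, "
                            f"{len(want_pass)} expected)")
    return findings

if __name__ == "__main__":
    # Constructed sample values, not taken from the thread.
    sent = basic_header("svc_baw", "Z\u00fcrich#2023 ")  # note the trailing space
    print(diagnose(sent, "svc_baw", "Z\u00fcrich#2023"))
```

A trace that contains the header holds the credential in reversible form, so it needs the same handling as the password itself.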



  • 7.  RE: Disabling authentication using a certificate

    Posted Mon September 04, 2023 06:41 AM

    Yes, I suspected something like that too, that's why I prepared a second service flow, in which they provide the user and password in the script (I don't keep them on the server). Nothing helped. It's 401 all the time.



    ------------------------------
    Lukas Davis
    ------------------------------