We have onboarded a SOAP-based service hosted outside of our domain and protected it with basic auth to restrict access.
Basic auth is working fine; however, the service is failing to route on SSL and ends up with the below message in the ssg logs.
2018-03-19T15:49:22.917+1000 WARNING 219 com.l7tech.server.policy.assertion.ServerHttpRoutingAssertion: 4042: Problem routing to https://abc.com/yyy/zzz/. Error msg: Unable to obtain HTTP response from https://abc.com/yyy/zzz/.: Remote host closed connection during handshake. Caused by: SSL peer shut down incorrectly
Any pointers on the above? I have the certificate imported as a trust anchor for this service.
Thanks and Regards,
Could be the mismatch of TLS version. Try setting different ones in the http(s) route assertion
Yes, it was due to TLS v1.2. What do I need to do if I need to enable it for inbound connections, i.e. client --> apigateway?
If you need to enable the TLS setting:
1. Log in to Policy Manager --> Tasks --> Transports --> Manage Listen Ports
2. Select the port which the client is using, go to Properties, and then click on SSL/TLS Settings. You will see the page below; change the TLS version to the one you need.
Please correct me if I am wrong.
You'll have to set it in manage listen ports
Go to Tasks > Transports > Manage listen ports
Select the port you want to change tls version for. Click on Properties
You can change the private key, TLS version etc on the SSL/TLS Settings tab
Yes, I looked at that option through Manage Listen Ports. I am looking more to set it via the ssg startup script/processcontroller.sh?
I'm not sure I understood the requirement. Why would you want to do it through a start script rather than the policy manager, which makes it permanent as long as the gateway is listening on that port?
This is because we have automated our deployment and prefer to do our changes through command line as part of our CI/CD
We used to call restman APIs on the gateway for a client I was working with.
You can write a script to call restman
1) Call GET "https://<yourgateway>:<port>/restman/1.0/listenPorts?port=<the listening port you want to change>" and get the details of the listen port
2) Modify the xml to change TLS versions
<l7:EnabledVersions>
  <l7:StringValue>TLSv1</l7:StringValue>
  <l7:StringValue>TLSv1.1</l7:StringValue>
  <l7:StringValue>TLSv1.2</l7:StringValue>
</l7:EnabledVersions>
3) Call PUT "https://<yourgateway>:<port>/restman/1.0/listenPorts/<id of the listening port>" with the modified payload
Hope this helps you.
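Step 2 of the restman procedure above, as an added example that is not part of the original reply and is not CA/Layer7 code: it takes the XML returned by the GET, replaces the l7:EnabledVersions list, and returns the ListenPort element to send in the PUT. The function names, the wrapper elements, the namespace URI and the sample document are assumptions; only the EnabledVersions fragment comes from the thread, and the GET and PUT calls themselves are left to your HTTP client.

```python
import xml.etree.ElementTree as ET

# Constructed sample of a listen-port lookup response (not captured from a gateway).
# Wrapper elements and namespace URI are assumptions; matching is by local name.
SAMPLE = """<l7:List xmlns:l7="http://ns.l7tech.com/2010/04/gateway-management">
  <l7:Item><l7:Resource>
    <l7:ListenPort id="placeholder-id" version="3">
      <l7:Port>8443</l7:Port>
      <l7:TlsSettings>
        <l7:EnabledVersions>
          <l7:StringValue>TLSv1</l7:StringValue>
          <l7:StringValue>TLSv1.1</l7:StringValue>
          <l7:StringValue>TLSv1.2</l7:StringValue>
        </l7:EnabledVersions>
      </l7:TlsSettings>
    </l7:ListenPort>
  </l7:Resource></l7:Item>
</l7:List>"""

def _find(root, name):
    """First element (root included) whose local name is `name`, ignoring namespace."""
    return next((e for e in root.iter() if e.tag.rpartition("}")[2] == name), None)

def enabled_tls_versions(xml_text):
    """Return the TLS versions currently listed for the listen port."""
    versions = _find(ET.fromstring(xml_text), "EnabledVersions")
    return [] if versions is None else [(v.text or "").strip() for v in versions]

def set_tls_versions(xml_text, wanted):
    """Return the ListenPort element as XML with EnabledVersions replaced by `wanted`."""
    if not wanted:
        raise ValueError("refusing to write an empty TLS version list")
    port = _find(ET.fromstring(xml_text), "ListenPort")
    versions = None if port is None else _find(port, "EnabledVersions")
    if versions is None:
        raise ValueError("no EnabledVersions element (is this an HTTPS listen port?)")
    prefix = versions.tag[: -len("EnabledVersions")]  # "{namespace}" or ""
    if prefix:
        ET.register_namespace("l7", prefix[1:-1])  # keep the l7: prefix on output
    for child in list(versions):
        versions.remove(child)
    for name in wanted:
        ET.SubElement(versions, prefix + "StringValue").text = name
    return ET.tostring(port, encoding="unicode")

if __name__ == "__main__":
    print(enabled_tls_versions(SAMPLE))
    print(set_tls_versions(SAMPLE, ["TLSv1.2"]))
```

In a pipeline, calling enabled_tls_versions on a fresh GET after the PUT confirms the listen port ended up with the intended versions.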
Dear ymalhotra.1 ,
If you want auto-provisioning, keep in mind that restman requires the ssg service to be up and running, and the ssg service might not be up when executing the cloud-init script. You may need to start the ssg service before you call restman in your cloud-init script.
Are you running the docker gateway or the AMI gateway?
For the docker gateway, an alternative is to use a bundle file with the listen port settings.