SOAP based service failing on SSL

  • 1.  SOAP based service failing on SSL

    Posted 04-06-2018 03:56 AM

    Hi,

     

    We have onboarded a SOAP based service hosted outside of our domain and protected it with basic auth to restrict access. 

     

    Basic Auth is working fine; however, the service is failing to route on SSL and ends up with the below message in the ssg logs.

     

    2018-03-19T15:49:22.917+1000 WARNING 219 com.l7tech.server.policy.assertion.ServerHttpRoutingAssertion: 4042: Problem routing to https://abc.com/yyy/zzz/. Error msg: Unable to obtain HTTP response from https://abc.com/yyy/zzz/.: Remote host closed connection during handshake. Caused by: SSL peer shut down incorrectly

     

    Any pointers on the above? I have the certificate imported as a trust anchor for this service.

     

    Thanks and Regards,

    Yatin..



  • 2.  Re: SOAP based service failing on SSL
    Best Answer

    Posted 04-06-2018 04:24 AM

    Could be a mismatch of TLS version. Try setting different ones in the HTTP(S) route assertion.



  • 3.  Re: SOAP based service failing on SSL

    Posted 04-09-2018 01:55 AM

    Yes, it was due to TLS v1.2. What do I need to do if I need to enable it for inbound connections, i.e. client --> apigateway?



  • 4.  Re: SOAP based service failing on SSL

    Posted 04-09-2018 02:05 AM

    If you need to enable the TLS setting:

    1. Log in to Policy Manager --> Task --> Transport --> Manage Listen Ports

    2. Select the port which the client is using, go to Properties and then click on the SSL/TLS setting. You will see the below page; change the TLS version to the one you need.

     

    Please correct me if I am wrong.

     

     

    Thanks,

    irfan



  • 5.  Re: SOAP based service failing on SSL

    Posted 04-09-2018 02:18 AM

    Absolutely, correct.



  • 6.  Re: SOAP based service failing on SSL

    Posted 04-09-2018 02:05 AM

    You'll have to set it in Manage Listen Ports.

     

    Go to Tasks > Transports > Manage listen ports

     

     

    Select the port you want to change the TLS version for. Click on Properties.

     

     

    You can change the private key, TLS version etc. on the SSL/TLS Settings tab.

     



  • 7.  Re: SOAP based service failing on SSL

    Posted 04-09-2018 02:16 AM

    Yes, I looked at that option through Manage Listen Ports. I am looking more to set it via the ssg startup script/processcontroller.sh?



  • 8.  Re: SOAP based service failing on SSL

    Posted 04-09-2018 02:24 AM

    I'm not sure I understood the requirement. Why would you want to do it through a start script rather than the policy manager, which makes it permanent as long as the gateway is listening on that port?



  • 9.  Re: SOAP based service failing on SSL

    Posted 04-09-2018 03:35 AM

    This is because we have automated our deployment and prefer to do our changes through the command line as part of our CI/CD.



  • 10.  Re: SOAP based service failing on SSL

    Posted 04-09-2018 03:49 AM

    We used to call restman APIs on the gateway for a client I was working with.

     

    You can write a script to call restman 

     

    1) Call GET "https://<yourgateway>:<port>/restman/1.0/listenPorts?port=<the listening port you want to change>" and get the details of the listen port

     

    2) Modify the xml to change TLS versions

    <l7:EnabledVersions>
    <l7:StringValue>TLSv1</l7:StringValue>
    <l7:StringValue>TLSv1.1</l7:StringValue>
    <l7:StringValue>TLSv1.2</l7:StringValue>
    </l7:EnabledVersions>

     

    3) Call PUT "https://<yourgateway>:<port>/restman/1.0/listenPorts/<id of the listening port>" with the modified payload

     

    Hope this helps you.
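
Step 2 of the restman procedure in post 10, as an added example that is not part of the original thread and not CA/Layer7 code: it rewrites `<l7:EnabledVersions>` in a fetched listen port document and returns the `ListenPort` element to send in step 3. The namespace URI, the `Item`/`Resource`/`TlsSettings` wrappers, the `id` value and the helper names are assumptions; the sample XML is constructed.

```python
import xml.etree.ElementTree as ET

# Assumption: namespace URI bound to the l7: prefix in restman documents.
L7_NS = "http://ns.l7tech.com/2010/04/gateway-management"
ET.register_namespace("l7", L7_NS)
ALLOWED = ("TLSv1", "TLSv1.1", "TLSv1.2")  # the values shown in the thread

# Constructed sample of a step-1 GET result, trimmed. Only EnabledVersions and
# StringValue come from the thread; the other elements and the id are assumed.
SAMPLE = f"""<l7:Item xmlns:l7="{L7_NS}">
  <l7:Resource>
    <l7:ListenPort id="constructed-id-0001">
      <l7:Port>8443</l7:Port>
      <l7:TlsSettings>
        <l7:EnabledVersions>
          <l7:StringValue>TLSv1</l7:StringValue>
          <l7:StringValue>TLSv1.1</l7:StringValue>
          <l7:StringValue>TLSv1.2</l7:StringValue>
        </l7:EnabledVersions>
      </l7:TlsSettings>
    </l7:ListenPort>
  </l7:Resource>
</l7:Item>"""

def only(root, tag):
    """Return the single l7 element named `tag` at or below root, or raise."""
    found = list(root.iter(f"{{{L7_NS}}}{tag}"))
    if len(found) != 1:
        raise ValueError(f"expected exactly one {tag}, found {len(found)}")
    return found[0]

def enabled_versions(xml_text):
    """List the TLS versions currently enabled on the listen port."""
    block = only(ET.fromstring(xml_text), "EnabledVersions")
    return [e.text.strip() for e in block if e.text]

def set_enabled_versions(xml_text, versions):
    """Rewrite EnabledVersions; return the ListenPort element for the PUT body."""
    if not versions or any(v not in ALLOWED for v in versions):
        raise ValueError(f"refusing version list {versions!r}")
    port = only(ET.fromstring(xml_text), "ListenPort")
    block = only(port, "EnabledVersions")  # no TLS settings on this port: fail loudly
    for child in list(block):
        block.remove(child)
    for v in versions:
        ET.SubElement(block, f"{{{L7_NS}}}StringValue").text = v
    return ET.tostring(port, encoding="unicode").strip()
```

In a pipeline, `set_enabled_versions(fetched_xml, ["TLSv1.2"])` produces the body for the PUT in step 3, and calling `enabled_versions()` on a fresh GET afterwards confirms the listener no longer offers TLSv1 or TLSv1.1.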



  • 11.  Re: SOAP based service failing on SSL

    Posted 04-09-2018 07:07 PM

    Dear ymalhotra.1 ,

    If you want auto provision, keep in mind that restman requires the ssg service to be up and running, and the ssg service might not be up when executing the cloud-init script. You may need to start the ssg service before you call restman in your cloud-init script.

    Are you running a Docker gateway or an AMI gateway?

    For a Docker gateway, an alternative is to use a bundle file with the listen port settings.

     

    Regards,

    Mark