Auth HTTPClientConnector - API SCIM: response code 403
Rafa
2020-06-08 08:51:22 UTC
Hi everyone,

I have created an HTTP Client Connector on my local machine (SDI 7.2.0.5) which connects to a SCIM API to obtain an access_token using a certificate, and everything runs well: I get back the whole HTTP response, access_token included.

The problem comes when I try to run the same Assembly Line in a TDI Dispatcher (TDI 7.1.1.0), where the response is this:

Entry attributes:
10:03:20,472 INFO - http.Content-Type (replace): 'text/html; charset=iso-8859-1'
10:03:20,472 INFO - http.body (replace): 'Forbidden access'
10:03:20,473 INFO - http.Date (replace): 'Mon, 08 Jun 2020 08:03:20 GMT'
10:03:20,474 INFO - http.Content-Length (replace): '16'
10:03:20,474 INFO - http.bodyAsBytes (replace): (\41\63\63\65\73\6f\20\70\72\6f\68\69\62\69\64\6f)
10:03:20,476 INFO - http.body.response (replace): 'Forbidden access'
10:03:20,477 INFO - http.responseMsg (replace): 'Forbidden'
10:03:20,478 INFO - http.bodyAsString (replace): 'Forbidden access'
10:03:20,478 INFO - http.Server (replace): 'Apache'
10:03:20,480 INFO - http.responseCode (replace): '403'

I have checked that the HTTPClientConnector component is different in SDI 7.2.0.5 and TDI 7.1.1.0.
I have tested the HTTPClientConnector component from 7.1.1.0 on my local machine (SDI 7.2.0.5) and got the same result, even though when I click Get Certificate in the Connection tab it says the connection is trusted.

Any idea about the http.responseCode 403?
Or how could I make requests using certificates in TDI 7.1.1.0?

Thanks in advance,

Regards.
Rafa.
Rafa
2020-06-08 10:46:10 UTC
Post by Rafa
Hi everyone,
I have created an HTTP Client Connector on my local machine (SDI 7.2.0.5) which connects to a SCIM API to obtain an access_token using a certificate, and everything runs well: I get back the whole HTTP response, access_token included.
10:03:20,472 INFO - http.Content-Type (replace): 'text/html; charset=iso-8859-1'
10:03:20,472 INFO - http.body (replace): 'Forbidden access'
10:03:20,473 INFO - http.Date (replace): 'Mon, 08 Jun 2020 08:03:20 GMT'
10:03:20,474 INFO - http.Content-Length (replace): '16'
10:03:20,474 INFO - http.bodyAsBytes (replace): (\41\63\63\65\73\6f\20\70\72\6f\68\69\62\69\64\6f)
10:03:20,476 INFO - http.body.response (replace): 'Forbidden access'
10:03:20,477 INFO - http.responseMsg (replace): 'Forbidden'
10:03:20,478 INFO - http.bodyAsString (replace): 'Forbidden access'
10:03:20,478 INFO - http.Server (replace): 'Apache'
10:03:20,480 INFO - http.responseCode (replace): '403'
I have checked that the HTTPClientConnector component is different in SDI 7.2.0.5 and TDI 7.1.1.0.
I have tested the HTTPClientConnector component from 7.1.1.0 on my local machine (SDI 7.2.0.5) and got the same result, even though when I click Get Certificate in the Connection tab it says the connection is trusted.
Any idea about the http.responseCode 403?
Or how could I make requests using certificates in TDI 7.1.1.0?
Thanks in advance,
Regards.
Rafa.
Hi again,

I have discovered that when I run the AL, the certificate sent to the SCIM API is the default one installed in testadmin.jks (CN = API Admin, OU = test, O = test, L = test, ST = test, C = US). That is why the response is 403.

So, how can I choose to send the certificate that I imported into testadmin.jks to connect to the SCIM API?
In SDI 7.2.0, the correct certificate is taken without any extra configuration.

Regards.
Rafa.
Rafa
2020-06-08 11:17:42 UTC
Post by Rafa
Hi everyone,
I have created an HTTP Client Connector on my local machine (SDI 7.2.0.5) which connects to a SCIM API to obtain an access_token using a certificate, and everything runs well: I get back the whole HTTP response, access_token included.
10:03:20,472 INFO - http.Content-Type (replace): 'text/html; charset=iso-8859-1'
10:03:20,472 INFO - http.body (replace): 'Forbidden access'
10:03:20,473 INFO - http.Date (replace): 'Mon, 08 Jun 2020 08:03:20 GMT'
10:03:20,474 INFO - http.Content-Length (replace): '16'
10:03:20,474 INFO - http.bodyAsBytes (replace): (\41\63\63\65\73\6f\20\70\72\6f\68\69\62\69\64\6f)
10:03:20,476 INFO - http.body.response (replace): 'Forbidden access'
10:03:20,477 INFO - http.responseMsg (replace): 'Forbidden'
10:03:20,478 INFO - http.bodyAsString (replace): 'Forbidden access'
10:03:20,478 INFO - http.Server (replace): 'Apache'
10:03:20,480 INFO - http.responseCode (replace): '403'
I have checked that the HTTPClientConnector component is different in SDI 7.2.0.5 and TDI 7.1.1.0.
I have tested the HTTPClientConnector component from 7.1.1.0 on my local machine (SDI 7.2.0.5) and got the same result, even though when I click Get Certificate in the Connection tab it says the connection is trusted.
Any idea about the http.responseCode 403?
Or how could I make requests using certificates in TDI 7.1.1.0?
Thanks in advance,
Regards.
Rafa.
Hi again,

I have discovered that when I run the AL with the HTTPClientConnector, the certificate sent to the SCIM API is the default one installed in testadmin.jks (CN = API Admin, OU = test, O = test, L = test, ST = test, C = US). That is why the response is 403.

So, how can I choose to send the certificate that I imported into testadmin.jks to connect to the SCIM API?
In SDI 7.2.0, the correct certificate is taken without any extra configuration.

Regards,
Rafa.
j***@gmail.com
2020-06-09 02:58:13 UTC
If you use a keystore which contains multiple key entries, it is random which of the entries will be chosen as the certificate to present to the server when client authentication is needed. Well, random in the sense that you cannot predict before you try.
In the next fixpack for TDI and SDI we will add an option in the HTTP Client Connector to allow you to specify which certificate to use in this case.
Until then, maybe you could store your new certificate in a new jks file,
and in solution.properties specify the new jks file using the parameters
javax.net.ssl.keyStore and javax.net.ssl.keyStorePassword.
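The per-alias selection that the upcoming fixpack is meant to add can be reproduced at the JSSE level, which is also a quick way to see why the choice is unpredictable: the keystore holds several private-key entries and the default key manager picks one of them. The following is an added example in Java (not TDI, SDI or IBM code); the keystore path, password and alias are assumed placeholders. It lists every key entry in the JKS and wraps the default X509KeyManager so that exactly one alias is ever offered for client authentication.

```java
import java.io.FileInputStream;
import java.net.Socket;
import java.net.URL;
import java.security.KeyStore;
import java.security.Principal;
import java.security.PrivateKey;
import java.security.cert.X509Certificate;
import java.util.Collections;
import javax.net.ssl.*;

public class PinnedClientCert {
    // Delegates everything to the default key manager except the client alias choice.
    static final class AliasKeyManager extends X509ExtendedKeyManager {
        private final X509KeyManager d; private final String alias;
        AliasKeyManager(X509KeyManager d, String alias) { this.d = d; this.alias = alias; }
        @Override public String chooseClientAlias(String[] kt, Principal[] is, Socket s) { return alias; }
        @Override public String chooseEngineClientAlias(String[] kt, Principal[] is, SSLEngine e) { return alias; }
        @Override public String[] getClientAliases(String kt, Principal[] is) { return new String[]{alias}; }
        @Override public String chooseServerAlias(String kt, Principal[] is, Socket s) { return d.chooseServerAlias(kt, is, s); }
        @Override public String[] getServerAliases(String kt, Principal[] is) { return d.getServerAliases(kt, is); }
        @Override public X509Certificate[] getCertificateChain(String a) { return d.getCertificateChain(a); }
        @Override public PrivateKey getPrivateKey(String a) { return d.getPrivateKey(a); }
    }

    // Builds an SSLContext whose client certificate is always the entry stored under `alias`.
    public static SSLContext contextFor(String jksPath, char[] password, String alias) throws Exception {
        KeyStore ks = KeyStore.getInstance("JKS");
        try (FileInputStream in = new FileInputStream(jksPath)) { ks.load(in, password); }
        int keyEntries = 0;
        for (String a : Collections.list(ks.aliases())) {       // report the ambiguity the thread describes
            if (!ks.isKeyEntry(a)) continue;
            keyEntries++;
            System.out.println("key entry " + a + ": " + ((X509Certificate) ks.getCertificate(a)).getSubjectX500Principal());
        }
        if (!ks.isKeyEntry(alias)) throw new IllegalArgumentException("no private key under alias " + alias);
        if (keyEntries > 1) System.out.println(keyEntries + " key entries found, pinning alias " + alias);
        KeyManagerFactory kmf = KeyManagerFactory.getInstance(KeyManagerFactory.getDefaultAlgorithm());
        kmf.init(ks, password);
        X509KeyManager base = (X509KeyManager) kmf.getKeyManagers()[0];
        SSLContext ctx = SSLContext.getInstance("TLS");
        ctx.init(new KeyManager[]{new AliasKeyManager(base, alias)}, null, null); // null = default trust store
        return ctx;
    }

    public static void main(String[] args) throws Exception {
        // Placeholder values: substitute the real keystore, password and the alias of the imported certificate.
        SSLContext ctx = contextFor("/path/to/client.jks", "changeit".toCharArray(), "scim-client");
        HttpsURLConnection c = (HttpsURLConnection) new URL("https://url.to.obtain.token").openConnection();
        c.setSSLSocketFactory(ctx.getSocketFactory());
        c.setRequestMethod("POST");
        System.out.println("HTTP " + c.getResponseCode()); // a 403 here means the server rejected this specific certificate
    }
}
```

The printed key-entry list is the quickest check for the situation in the thread: if testadmin.jks shows more than one key entry, the connector's choice is not under your control until the alias is pinned or the extra entries are moved to a separate keystore.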
Rafa
2020-06-09 15:50:50 UTC
Post by j***@gmail.com
If you use a keystore which contains multiple key entries, it is random which of the entries will be chosen as the certificate to present to the server when client authentication is needed. Well, random in the sense that you cannot predict before you try.
In the next fixpack for TDI and SDI we will add an option in the HTTP Client Connector to allow you to specify which certificate to use in this case.
Until then, maybe you could store your new certificate in a new jks file,
and in solution.properties specify the new jks file using the parameters
javax.net.ssl.keyStore and javax.net.ssl.keyStorePassword.
Thanks both for your replies.

@Jason, I have raised updating the fixpack for TDI 7.1.1, but it is not an option at the moment, because it could affect existing connectors.

@Jens, I created a specific keystore for the client, and now it takes the correct certificate, but it keeps giving response code 403.

Do you think it could be possible to import the HttpClientConnector.jar from SDI 7.2 (which gives back a 200 HTTP response code) into TDI 7.1.1, so both coexist?
I was following this guide (http://www.tdiingoutloud.com/2008/11/new-component-and-library-jar-files.html) but I can't achieve it.

Thanks again.
j***@gmail.com
2020-06-10 05:36:29 UTC
Post by Rafa
Do you think it could be possible to import the HttpClientConnector.jar from SDI 7.2 (which gives back a 200 HTTP response code) into TDI 7.1.1, so both coexist?
You could try to copy the HTTPClientConnector.jar and HTTPParser.jar from 7.2 to jars/patches in the 7.1.1 folder, and see what happens. Files in jars/patches will override files in other folders.

If you give the command 'ibmdisrv -v | grep HTTP' before and after you do this,
you should be able to verify that the version has changed.

This is not supported, but maybe it works.
Remember to remove the files again when you apply a fixpack.
Rafa
2020-06-16 14:38:27 UTC
Post by j***@gmail.com
Post by Rafa
Do you think it could be possible to import the HttpClientConnector.jar from SDI 7.2 (which gives back a 200 HTTP response code) into TDI 7.1.1, so both coexist?
You could try to copy the HTTPClientConnector.jar and HTTPParser.jar from 7.2 to jars/patches in the 7.1.1 folder, and see what happens. Files in jars/patches will override files in other folders.
If you give the command 'ibmdisrv -v | grep HTTP' before and after you do this,
you should be able to verify that the version has changed.
This is not supported, but maybe it works.
Remember to remove the files again when you apply a fixpack.
Hi,

I copied the HTTPClientConnector.jar and HTTPParser.jar from 7.2 to jars/patches in the 7.1.1 folder and checked the version, but there was no success.

During these days I have been editing the keystores testadmin.jks and testserver.jks, and furthermore the /jar folder, and TDI 7.1.1 is not working correctly.

I have started another way, based on calling a cURL command, passing the certificate to obtain the access token and using it in TDI 7.1.1.
I will share the process if it succeeds.

Thanks again.
Rafa
2020-06-25 09:18:20 UTC
Post by Rafa
Post by j***@gmail.com
Post by Rafa
Do you think it could be possible to import the HttpClientConnector.jar from SDI 7.2 (which gives back a 200 HTTP response code) into TDI 7.1.1, so both coexist?
You could try to copy the HTTPClientConnector.jar and HTTPParser.jar from 7.2 to jars/patches in the 7.1.1 folder, and see what happens. Files in jars/patches will override files in other folders.
If you give the command 'ibmdisrv -v | grep HTTP' before and after you do this,
you should be able to verify that the version has changed.
This is not supported, but maybe it works.
Remember to remove the files again when you apply a fixpack.
Hi,
I copied the HTTPClientConnector.jar and HTTPParser.jar from 7.2 to jars/patches in the 7.1.1 folder and checked the version, but there was no success.
During these days I have been editing the keystores testadmin.jks and testserver.jks, and furthermore the /jar folder, and TDI 7.1.1 is not working correctly.
I have started another way, based on calling a cURL command, passing the certificate to obtain the access token and using it in TDI 7.1.1.
I will share the process if it succeeds.
Thanks again.
Hi,

Finally I got it working using cURL; my steps were:

1. Install curl and OpenSSL and configure the environment variables.
OpenSSL is required to convert the certificate to .pem format, as explained here: http://www.rajatswarup.com/blog/2007/03/10/using-certificates-with-curl/

2. After converting the certificate, I tried the curl command explained in the above blog in the Windows CMD, but since it didn't work well, I based my request on the request that worked in Postman, so my final request has this format:
"curl -X POST \ https://url.to.obtain.token -v -key -key.pem"
(-cacert and -cert are not resolved, so I skipped them)

3. In TDI, using a Script component, write:

//Curl request to obtain the token from RA-SCIM using the client certificate.
//curl needs the long options here: a single-dash "-key" is parsed by curl as "-k -e y",
//that is, --insecure plus a referer, so the key file is never used and server certificate
//verification is silently disabled. Same for "-cert" and "-cacert". File names are placeholders;
//add --cacert ca.pem if the server's CA is not in curl's default trust store.
var command = "curl -X POST https://url.to.obtain.token -v --cert client-cert.pem --key client-key.pem";

task.getLog().info("Comando lanzado:" + command);

//Execute the command and keep the result in the cmd variable
var cmd = system.shellCommand(command);

//task.logmsg("OutputB:" + cmd.getOutputBuffer())

//Convert the JSON body returned by curl into a hierarchical Entry
work = work.fromJSON(cmd.getOutputBuffer());

//Show in the console only the access_token (token_field stands for the JSON field name)
task.logmsg(work.getAttribute("token_field"));


Hope this could help someone.

Jason Williams
2020-06-08 17:11:36 UTC
Post by Rafa
Hi everyone,
I have created an HTTP Client Connector on my local machine (SDI 7.2.0.5) which connects to a SCIM API to obtain an access_token using a certificate, and everything runs well: I get back the whole HTTP response, access_token included.
10:03:20,472 INFO - http.Content-Type (replace): 'text/html; charset=iso-8859-1'
10:03:20,472 INFO - http.body (replace): 'Forbidden access'
10:03:20,473 INFO - http.Date (replace): 'Mon, 08 Jun 2020 08:03:20 GMT'
10:03:20,474 INFO - http.Content-Length (replace): '16'
10:03:20,474 INFO - http.bodyAsBytes (replace): (\41\63\63\65\73\6f\20\70\72\6f\68\69\62\69\64\6f)
10:03:20,476 INFO - http.body.response (replace): 'Forbidden access'
10:03:20,477 INFO - http.responseMsg (replace): 'Forbidden'
10:03:20,478 INFO - http.bodyAsString (replace): 'Forbidden access'
10:03:20,478 INFO - http.Server (replace): 'Apache'
10:03:20,480 INFO - http.responseCode (replace): '403'
I have checked that the HTTPClientConnector component is different in SDI 7.2.0.5 and TDI 7.1.1.0.
I have tested the HTTPClientConnector component from 7.1.1.0 on my local machine (SDI 7.2.0.5) and got the same result, even though when I click Get Certificate in the Connection tab it says the connection is trusted.
Any idea about the http.responseCode 403?
Or how could I make requests using certificates in TDI 7.1.1.0?
Thanks in advance,
Regards.
Rafa.
I would suggest that you upgrade to the latest fixpack for TDI 7.1.1 before troubleshooting this further.

IBM Security Directory Integrator - Recommended Fixes:
https://www.ibm.com/support/pages/node/712883