Passing certificate in HTTPS call to an Azure API

Hi Folks,

The use case is as below:

  • We have been doing the HTTPS call to a Microsoft API even before, but they never asked for the certificate till now.

  • Now we have to call them on a new URL and pass our certificate; they have configured the thumbprint of the same certificate at their end.

  • We were doing a custom http call before, but now we are doing the http call as below

    1. pub.security.keystore:setKeyAndChain
    2. pub.client:http
    3. pub.security:clearKeyAndChain

    But still getting the error as:

    com.wm.net.NetException: [ISC.0064.9314] Authorization Required: Client certificate or AAD Bearer token not found in request.

  • We have our certificate configured and mapped with our HTTPS port in Security > Keystore and we have CA Cert in truststore.

  • We have even configured the certificate of the API to which we are making the HTTPS call in Security > Certificates > Configure Client Certificates and mapped it to a user which is part of group Administrator.

  • In Security > Certificates, I have the same Keystore and TrustStore as we have in Security > Keystore.

Still not sure what else is required to send them the certificate so that they can verify the HTTPS call with the certificate against the thumbprint of the same certificate.

Though here no certificate is produced from pub.security.keystore:setKeyAndChain, and I am not sure, if it is produced from services like pub.security.keystore:getKeyAndChain or pub.security.keystore:getTrustedCertificates, where to pass it in pub.client:http.

Any help here would be much appreciated!

Regards,

Sanket

Hi Sanket,
Can you please do the following and share the server.log and IS profile logs?

  1. Enable the SSL logging by setting the watt property watt.config.systemProperties=mail.imap.partialfetch=true,javax.net.debug=ssl
  2. Set the logging of HTTP Header, HTTP Request, HTTP Response component to DEBUG
  3. Restart the IS.

There are a couple of reasons why IS (acting as client) will not send its certificate.

  1. If the server is not sending any CA certificates.
  2. If none of the CA certificates that are sent by the server signed the IS certificate.

Thanks.

Hi Jaideep,

Thanks a lot for your inputs!

I was away for a while, so sorry for the delay in response.

After doing the following at the service level:

  1. pub.security.keystore:setKeyAndChain
  2. pub.client:http
  3. pub.security:clearKeyAndChain

Further, the following Extended Setting made it work:

watt.security.ssl.client.ignoreEmptyAuthoritiesList=true

Thanks a lot for your reply!

Regards,
Sanket
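
Added example (not from the thread and not Integration Server code): a Python model of the TLS 1.2 CertificateRequest check behind the two reasons Jaideep lists and the ignoreEmptyAuthoritiesList setting that resolved the issue. The DN bytes, the client-key alias and the ignore_empty_authorities flag are constructed for illustration; how Integration Server implements the setting internally is an assumption.

```python
def _vec(buf, pos, len_bytes):
    """Read one length-prefixed vector; return (payload, next_pos)."""
    n = int.from_bytes(buf[pos:pos + len_bytes], "big")
    start = pos + len_bytes
    if start + n > len(buf):
        raise ValueError("truncated vector")
    return buf[start:start + n], start + n

def parse_certificate_authorities(msg):
    """Return the CA names in a CertificateRequest (TLS 1.2, RFC 5246 section 7.4.4)."""
    if len(msg) < 4 or msg[0] != 13:  # HandshakeType 13 = certificate_request
        raise ValueError("not a CertificateRequest")
    body, end = _vec(msg, 1, 3)
    _cert_types, pos = _vec(body, 0, 1)
    _sig_algs, pos = _vec(body, pos, 2)
    ca_list, pos = _vec(body, pos, 2)
    if end != len(msg) or pos != len(body):
        raise ValueError("trailing bytes")
    authorities, pos = [], 0
    while pos < len(ca_list):  # each entry: 2-byte length + DER-encoded DN
        dn, pos = _vec(ca_list, pos, 2)
        authorities.append(dn)
    return authorities

def choose_client_cert(authorities, keystore, ignore_empty_authorities=False):
    """keystore maps alias -> issuer DNs of its chain. Returns an alias or None."""
    if not authorities:
        # Reason 1 in the thread: no CA names sent. Hypothetical flag models the lenient client.
        return next(iter(keystore), None) if ignore_empty_authorities else None
    for alias, issuers in keystore.items():
        if any(dn in authorities for dn in issuers):
            return alias
    return None  # Reason 2: none of the advertised CAs issued our certificate.

def build_certificate_request(authorities):
    """Construct a sample message: rsa_sign, SHA-256 with RSA, given CA names."""
    ca = b"".join(len(dn).to_bytes(2, "big") + dn for dn in authorities)
    body = bytes([1, 1, 0, 2, 4, 1]) + len(ca).to_bytes(2, "big") + ca
    return bytes([13]) + len(body).to_bytes(3, "big") + body

# Added example (not Integration Server code); constructed placeholders for DER issuer names.
OUR_ISSUER = b"<DER CN=Constructed Issuing CA>"
OTHER_CA = b"<DER CN=Constructed Unrelated CA>"
KEYSTORE = {"client-key": [OUR_ISSUER]}

if __name__ == "__main__":
    for cas in ([], [OTHER_CA], [OUR_ISSUER]):  # prints: CA count, strict, lenient
        seen = parse_certificate_authorities(build_certificate_request(cas))
        print(len(seen), choose_client_cert(seen, KEYSTORE), choose_client_cert(seen, KEYSTORE, True))
```

With an empty list the strict client selects nothing and the lenient one selects client-key; an unrelated CA yields no certificate either way.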
