
Providing Client Auth =false in SSL info results in error


I'm setting up 2-way SSL from the Apigee proxy (on Apigee hosted Edge) to my back-end service, and have uploaded the keystore and truststore. I'm now configuring the proxy to use client authentication, but my back-end service isn't locked down yet, so I'm configuring the proxy so I can enable it once the back-end server is updated.

I added in:

<SSLInfo>
    <Enabled>true</Enabled>
    <ClientAuthEnabled>true</ClientAuthEnabled>
    <KeyStore>devKeystore</KeyStore>
    <KeyAlias>devKey</KeyAlias>
    <TrustStore>devTrustStore</TrustStore>
</SSLInfo>

(yes the keystore, alias, and truststore shouldn't be named 'dev...' but bear with me)

When I submit this, I get a wonderfully generic error:

{
  "fault": {
    "faultstring": "The Service is temporarily unavailable",
    "detail": {
      "errorcode": "messaging.adaptors.http.flow.ServiceUnavailable"
    }
  }
}

Even changing ClientAuthEnabled to 'false' gives the same error. If I comment out everything besides 'Enabled', it results in successful processing.

My questions:

* Shouldn't the error give me something at least a little better to diagnose what's going on?

* What's the point of having a client auth enabled flag if there's no difference between the behavior of true and false?

* Even if set to true, if the underlying service doesn't ask for it, what's the harm in presenting it?

ACCEPTED SOLUTION

Your error suggests an SSL handshake failure, and the description you provide suggests there could be a problem with your truststore.

Can you try removing the truststore [this is similar to 'curl -k']? If this works, you rule out truststore issues [might have to do with CA cert chains].

<SSLInfo>
    <Enabled>true</Enabled>
    <ClientAuthEnabled>true</ClientAuthEnabled>
    <KeyStore>devKeystore</KeyStore>
    <KeyAlias>devKey</KeyAlias>
</SSLInfo>

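The truststore check that the accepted answer points to can be reproduced offline with openssl. This is an added example, not part of the original thread or of Apigee's tooling: the two CAs, the backend certificate and every file name are constructed, and it assumes the truststore contents are available as a PEM bundle.

```shell
#!/bin/sh
# Added example. All certificates are constructed locally for the demo.

# Exit 0 if the certificate in $2 chains to a CA in the PEM bundle $1.
# Optional $3: PEM file holding intermediates the backend sends.
# -no-CApath keeps the system CA directory out of the decision, so only
# the truststore bundle is consulted.
truststore_validates() {
    if [ -n "${3:-}" ]; then
        openssl verify -no-CApath -CAfile "$1" -untrusted "$3" "$2" >/dev/null 2>&1
    else
        openssl verify -no-CApath -CAfile "$1" "$2" >/dev/null 2>&1
    fi
}

# Build two unrelated CAs and one backend certificate signed by the first.
# $1 = existing, empty working directory.
make_demo_pki() {
    d=$1
    for ca in backend other; do
        openssl req -x509 -newkey rsa:2048 -nodes -days 2 \
            -subj "/CN=constructed $ca CA" \
            -keyout "$d/$ca-ca.key" -out "$d/$ca-ca.pem" 2>/dev/null || return 1
    done
    openssl req -newkey rsa:2048 -nodes -subj "/CN=backend.example.test" \
        -keyout "$d/server.key" -out "$d/server.csr" 2>/dev/null || return 1
    openssl x509 -req -in "$d/server.csr" -days 2 \
        -CA "$d/backend-ca.pem" -CAkey "$d/backend-ca.key" -CAcreateserial \
        -out "$d/server.pem" 2>/dev/null
}

# Compare a truststore holding the issuing CA with one holding an unrelated CA.
demo() {
    tmp=$(mktemp -d) || return 1
    make_demo_pki "$tmp" || { rm -rf "$tmp"; return 1; }
    for ts in backend-ca.pem other-ca.pem; do
        if truststore_validates "$tmp/$ts" "$tmp/server.pem"; then
            echo "$ts: backend certificate chains to this truststore"
        else
            echo "$ts: no chain to this truststore, validation would fail"
        fi
    done
    rm -rf "$tmp"
}

demo
```

For a real backend, save the certificates it presents (for example from `openssl s_client -connect <host>:443 -showcerts`) and pass the leaf as the second argument and any intermediates as the third.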
