Mutual Authentication Debugging

Please follow these steps when debugging Mutual Authentication:

  1. Validate that the protocol profile name is "myhttps" and the port is "443".
  2. If this is not the case, define the following properties, replacing the variables in angle brackets with your values:
    • glide.httpclient.protocol.<profile_name>.class = "com.glide.certificates.DBKeyStoreSocketFactory"
    • glide.httpclient.protocol.<profile_name>.port = "<port>"
  3. Convert the keystore you were given to PKCS#12 (.p12) format.
    • From pfx to p12 (the source store type must be given explicitly so keytool does not assume JKS):
      • keytool -importkeystore -srckeystore "name.pfx" -srcstoretype pkcs12 -destkeystore newCustomer.p12 -deststoretype pkcs12
  4. Extract the public certificate from this P12:
    • keytool -export -alias "<alias_from_p12>" -keystore newCustomer.p12 -rfc -file publicCert.cert
  5. Extract the private key from this P12 (-nocerts writes only the key, not the certificates):
    • openssl pkcs12 -in newCustomer.p12 -nocerts -out private.pem
  6. Test a plain TLS connection with OpenSSL:
    • openssl s_client -connect <Destination_IP>:<PORT> -msg
  7. Present the client certificate and private key and validate that OpenSSL completes the handshake (s_client sends no client certificate unless -cert is given, so both options are required):
    • openssl s_client -showcerts -connect <Destination_IP>:<Port> -cert publicCert.cert -key private.pem
  8. Use the public certificate and private key via curl to validate that the third party is configured correctly:
    • curl -v "<API_Point>:<port>" -H "Content-Type: application/json" -d '<request_body>' --cert publicCert.cert --key private.pem --pass "<password>"
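A recurring cause of steps 7 and 8 failing is that private.pem and publicCert.cert do not actually belong together (wrong alias exported, or the key taken from a different bundle). The following script is an added example, not part of the original article: it runs steps 4 and 5 with openssl alone (no keytool required) and then checks that the extracted key matches the extracted certificate before any connection test is attempted. It assumes only that openssl is on PATH; the .p12 bundle, its password and its alias are constructed inside the script for demonstration and should be replaced with the customer's real bundle.

```shell
#!/bin/sh
# Added example, not part of the KB article: an offline check that the
# private key and public certificate pulled out of a PKCS#12 bundle belong
# together, run before any ServiceNow-side debugging. Assumes only that
# openssl is on PATH; the bundle, its password and alias are constructed
# here for the demonstration (replace them with the customer's real .p12).
set -eu

WORK="${TMPDIR:-/tmp}/mtls-check.$$"   # scratch directory, removed at the end
P12_PASS="demo-pass"                    # constructed password for the demo bundle

# Build a throwaway self-signed client certificate and pack it into a .p12,
# giving the rest of the script the same kind of input the article's step 3
# produces. Prints the bundle path.
make_demo_p12() {
    mkdir -p "$WORK"
    openssl req -x509 -newkey rsa:2048 -nodes -sha256 -days 1 \
        -subj "/CN=demo-client" \
        -keyout "$WORK/demo.key" -out "$WORK/demo.crt" >/dev/null 2>&1
    openssl pkcs12 -export -inkey "$WORK/demo.key" -in "$WORK/demo.crt" \
        -name "demo-client" -passout "pass:$P12_PASS" \
        -out "$WORK/newCustomer.p12"
    echo "$WORK/newCustomer.p12"
}

# Steps 4 and 5 of the procedure done with openssl alone (no keytool needed):
# the leaf certificate goes to publicCert.cert, the private key to private.pem.
extract_from_p12() {
    p12="$1"; pass="$2"; outdir="$3"
    openssl pkcs12 -in "$p12" -passin "pass:$pass" -clcerts -nokeys \
        -out "$outdir/publicCert.cert"
    openssl pkcs12 -in "$p12" -passin "pass:$pass" -nocerts -nodes \
        -out "$outdir/private.pem"
}

# Compare the public key inside the certificate with the public key derived
# from the private key; exit status 0 means they match.
key_matches_cert() {
    cert_pub=$(openssl x509 -in "$1" -pubkey -noout)
    key_pub=$(openssl pkey -in "$2" -pubout)
    [ "$cert_pub" = "$key_pub" ]
}

# Positive path: the pair extracted from one bundle must match.
run_check() {
    p12=$(make_demo_p12)
    extract_from_p12 "$p12" "$P12_PASS" "$WORK"
    if key_matches_cert "$WORK/publicCert.cert" "$WORK/private.pem"; then
        echo "OK: private.pem matches publicCert.cert"; rc=0
    else
        echo "MISMATCH: this key/cert pair will not work for mutual auth"; rc=1
    fi
    rm -rf "$WORK"
    return $rc
}

# Negative path: a key that did not come from the bundle must be rejected
# (the situation a wrong export or a mixed-up file produces).
mismatch_is_detected() {
    p12=$(make_demo_p12)
    extract_from_p12 "$p12" "$P12_PASS" "$WORK"
    openssl genpkey -algorithm RSA -pkeyopt rsa_keygen_bits:2048 \
        -out "$WORK/unrelated.key" 2>/dev/null
    if key_matches_cert "$WORK/publicCert.cert" "$WORK/unrelated.key"; then
        rm -rf "$WORK"; return 1
    fi
    rm -rf "$WORK"
    return 0
}
```

To apply this to a real bundle, skip make_demo_p12 and call extract_from_p12 with the customer's .p12, its password and an output directory, then key_matches_cert on the two files it wrote. The comparison is done on the PEM-encoded public keys, so it works for RSA and EC certificates alike. A mismatch here means the export was wrong, and steps 7 and 8 cannot succeed until it is redone.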

Before continuing, make sure steps 6 and 7 give a satisfactory result. If any of the previous steps fail, the configuration at the third party is not correct and there is no need to debug at ServiceNow yet. Once this is working, start configuring ServiceNow for Mutual Auth:

  1. Add the target's public certificate as a trusted cert in the given keystore and attach that keystore to the protocol profile in ServiceNow.
  2. If this fails with a 400 error stating that no required certificate was sent, check the protocol profile and port. Configure the following properties if the protocol profile name is not https AND the port is not 443:
    • glide.httpclient.protocol.<protocol_profile_name>.class = "com.glide.certificates.DBKeyStoreSocketFactory"
    • glide.httpclient.protocol.<protocol_profile_name>.port = "<PORT_it_connects_on>"

Article Information

Last Updated: 2019-08-02 21:06:31