Issue
Mutual Authentication Debugging
Please follow these steps when debugging Mutual Authentication:
- Validate protocol profile is setup correctly, e.g "myhttps" and port is "443"
- Convert the given format of the keystore to p12.
- From pfx to p12:
- keytool -importkeystore -destkeystore newCustomer.p12 -deststoretype pkcs12 -srckeystore "name.pfx"
- From pfx to p12:
- Extract public cert from this P12:
- keytool -export -alias "<alias_from_p12>" -keystore newCustomer.p12 -rfc -file publicCert.cert
- Extract private key from this P12:
- openssl pkcs12 -in newCustomer.p12 -nodes -nocerts -out private.pem # alterantively run this to see full output, if no "-----BEGIN PRIVATE KEY" line is seen then the private key is missing and the customer needs to regenerate a new key pair following our documentation: openssl pkcs12 -info -in newCustomer.p12 -nodes -nocerts
- openssl pkcs12 -in newCustomer.p12 -nodes -nocerts -out private.pem # alterantively run this to see full output, if no "-----BEGIN PRIVATE KEY" line is seen then the private key is missing and the customer needs to regenerate a new key pair following our documentation: openssl pkcs12 -info -in newCustomer.p12 -nodes -nocerts
- Try connecting via OPENSSL:
- openssl s_client -connect <Destination_IP>:<PORT> -msg
- Use the Private key and validate if OPENSSL is working correctly:
- openssl s_client -showcerts -connect <Destination_IP>:<Port> -key private.pem
- Leverage Public and Private keys via Curl to validate if the 3rd party is configured correctly:
- curl <API_Point>:<port> -v -H "Content-Type:application/json" -d --key private.pem:<password>
Before continuing, make sure steps 6 and 7 have a satisfactory result. If any of the previous steps fail, it means the configuration at the 3rd party is not correct and there is no need to debug at ServiceNow yet. Once this is working, start configuring ServiceNow for Mutual Auth:
- Add Target's public certificate as a trusted cert in the given keystore and attach it to the protocol profile in ServiceNow.
When running the test on a REST method and it shows https:// instead of the custom protocol name (which should be <8 characters and lower alphabetic letters only), ensure that the end point on the REST outbound message uses the custom protocol and has mutual authentication checked. At least in Quebec it seems to be taking the custom protocol from the message, rather than the method. If you get unexplained errors with connection refusal, set the mutual authentication checkbox on the message only, not the method.
