
Description

The MID Server tries to connect to the ServiceNow instance after the upgrade to Orlando. However, because the high-security OCSP check is now involved, the connection fails when the host machine cannot complete an OCSP check of the ServiceNow certificate against the following URI: http://ocsp.entrust.net

In that case, on upgrade to Orlando or on a fresh install of an Orlando MID Server, one of the following errors appears in the logs:

"OCSP revoke check IOException for *.service-now.com 
org.apache.commons.httpclient.HttpException: Connection reset"

It may appear in these threads:

File sync worker: ecc_agent_jar OCSPCheck adding BouncyCastle provider at -1
File sync worker: ecc_agent_jar OCSPCheckedCertificateCache build with max capacity 32
File sync worker: ecc_agent_jar OCSPRevokedCertificateCache build with max capacity 16
File sync worker: ecc_agent_jar WARNING *** WARNING *** Socket error
File sync worker: ecc_agent_jar WARNING *** WARNING *** OCSP revoke check IOException for *.service-now.com
File sync worker: ecc_agent_jar WARNING *** WARNING *** org.apache.commons.httpclient.HttpException: Connection reset
ECCQueueMonitor.1 WARNING *** WARNING *** OCSP revoke check IOException for *.service-now.com 
ECCQueueMonitor.1 WARNING *** WARNING *** org.apache.commons.httpclient.HttpException: OCSP communication error 403 Method failed: (/) with code: 403 - Forbidden username/password combo
StartupSequencer WARNING *** WARNING *** Socket error 
StartupSequencer WARNING *** WARNING *** OCSP revoke check IOException for *.service-now.com
StartupSequencer WARNING *** WARNING *** org.apache.commons.httpclient.HttpException: Connection reset

Steps to Reproduce

On an Orlando Instance:

  1. Use a host that does not have HTTP/HTTPS access to the OCSP responder "ocsp.entrust.net".
  2. Upgrade a MID Server from Madrid to Orlando, or install a new Orlando MID Server.
  3. Start up the MID Server and observe the following error:
    "OCSP revoke check IOException for *.service-now.com
    org.apache.commons.httpclient.HttpException: Connection reset"
  4. The MID Server does not connect to the instance and is reported as Down.

Workaround

This is expected behavior and by design in Orlando. Please review the documentation for more details.

There are a number of possible causes for this error, and identifying which one applies will allow you to open the required access:

  1. The Entrust OCSP responder is unavailable.
  2. An internal firewall rule or proxy configuration prevents the OCSP call from going out, and the connection fails.
  3. A web filter and proxy configuration prevents such external sites from being accessed.

Resolution:

  1. In Windows-based environments, if the domain controller is behind a firewall, you may have to configure the firewall to explicitly allow outgoing HTTP connections so that the domain controller can connect to the OCSP responder.
  2. Verify whether outgoing traffic from the MID Server host to the Entrust OCSP server is blocked by a firewall appliance or a proxy configuration. If it is, you will have to whitelist the FQDN of the Entrust responder as required by Entrust.
  3. Clear the validation endpoints list by setting the MID Server property mid.security.validation.endpoints to blank. This turns off the external endpoint validation. Do not remove the property.

Note: On-prem customers only need to complete step 3 to resolve the issue.

If the resolution fails, capture the network traffic with Fiddler or Wireshark while the issue is occurring and attach the capture to the case; your network team can help with this. OCSP runs over HTTP and should return a response with certStatus = good, meaning that the certificate is valid for the SSL transaction between the MID Server and the instance.
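The check that the paragraph above describes, as a script to run on the MID Server host before the upgrade (added here; it is not ServiceNow's or the MID Server's own code): it pulls the instance's certificate chain, queries the responder this article names, and reports whether the answer carries a good certificate status. It assumes openssl is installed on the host and takes the instance hostname as its only argument.

```shell
#!/bin/sh
# Added example, not ServiceNow/MID Server code. Assumes openssl is installed
# on the MID Server host and that the instance hostname is passed as $1.
OCSP_URL="http://ocsp.entrust.net"   # responder named in the KB article

# Fetch the instance's chain over TLS and split it into $2/cert1.pem (leaf),
# $2/cert2.pem (issuer), ... in the form openssl ocsp needs.
fetch_chain() {  # $1 = instance host, $2 = output directory
    openssl s_client -connect "$1:443" -servername "$1" -showcerts \
        </dev/null 2>/dev/null \
      | awk -v dir="$2" '
          /-----BEGIN CERTIFICATE-----/ { n++; inside = 1 }
          inside { print > (dir "/cert" n ".pem") }
          /-----END CERTIFICATE-----/ { inside = 0 }'
}

# Reduce an "openssl ocsp -resp_text" transcript on stdin to one token:
# good | revoked | unknown | no_response. no_response covers this article's
# cases (connection reset, 403 from a proxy): no Cert Status line arrives.
ocsp_status_from_text() {
    status=$(awk '/Cert Status:/ { print $3; exit }')
    case "$status" in
        good|revoked|unknown) echo "$status" ;;
        *) echo "no_response" ;;
    esac
}

# Query the responder; openssl ocsp verifies the response signature against
# the issuer and the host's trust store before the status is trusted.
ocsp_status() {  # $1 = leaf cert file, $2 = issuer cert file
    openssl ocsp -issuer "$2" -cert "$1" -url "$OCSP_URL" -resp_text 2>&1 \
      | ocsp_status_from_text
}
# Pre-flight check: succeeds only when the responder is reachable from this
# host and reports the instance certificate as good.
check_instance() {  # $1 = instance host, e.g. myinstance.service-now.com
    dir=$(mktemp -d)
    fetch_chain "$1" "$dir"
    if [ ! -s "$dir/cert2.pem" ]; then
        echo "could not retrieve the certificate chain from $1" >&2
        rm -rf "$dir"; return 2
    fi
    status=$(ocsp_status "$dir/cert1.pem" "$dir/cert2.pem")
    rm -rf "$dir"
    echo "$1: OCSP status via $OCSP_URL = $status"
    [ "$status" = "good" ]
}
# Run the live check only when an instance host is given on the command line.
if [ $# -gt 0 ]; then check_instance "$1"; fi
```

A non-zero exit means the host is in the state this article describes and the firewall or proxy rules in the Resolution steps still need attention.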


Related Problem: PRB1385357

Seen In

SR - IntegrationHub - F5 Integration v1
SR - IntegrationHub - Infoblox Integration v1
SR - IntegrationHub - Jenkins Integration r1 - v1.2.0
SR - IntegrationHub - Kubernetes Integration v1
SR - IRM - Audit Management - New York 2019 Q3
SR - IRM - Audit Management PA Content - Madrid 2019 Q1
SR - IRM - GRC Profiles - Madrid 2019 Q2
SR - IRM - GRC Workbench - New York 2019 Q3
SR - IRM - PA Premium Integration - New York 2019 Q3
SR - IRM - Policy and Compliance - Madrid 2019 Q2
SR - IRM - Policy and Compliance PA Content - Madrid 2019 Q1
SR - IRM - Risk Management - New York 2019 Q3
SR - IRM - Risk Management PA Content - Madrid 2019 Q1
SR - IRM - SIG Assessment Legacy - Madrid 2019 Q1
SR - IRM - SIG Questionnaire - New York 2019 Q3
SR - IRM - Vendor Risk Management - Madrid 2019 Q1
SR - ITOM - CMDB CI Class Models - 201908
SR - ITOM - CMDB CI Class Models - 201909
SR - ITOM - Discovery and Service Mapping - 201908
SR - ITOM - Discovery and Service Mapping - v1.0.35
SR - ITOM - Fundamentals Istanbul Jakarta Kingston r1 - v5.99.6
SR - Security - Integration Framework - Madrid 2019 Q2
SR - Security - Support Common - Madrid 2019 Q2
SR - Security - Support Orchestration - Madrid 2019 Q2
SR - SIR - Have I Been Pwned Integration - New York 2019 Q3
SR - SIR - Palo Alto AutoFocus Integration - New York 2019 Q3
SR - SIR - Palo Alto WildFire Integration - New York 2019 Q3
SR - SIR - PhishTank Kingston r1 - v5.0.9
SR - SIR - RecordedFuture Integration - New York 2019 Q3
SR - SIR - Security Incident Response - Madrid 2019 Q2
SR - SIR - Security Incident Response PA Content - New York 2019 Q3
SR - SIR - Security Incident Response UI Patch - London 2019 Q2 v.6.2.3
SR - SIR - Splunk Sighting Search Integration - Madrid 2019 Q1
SR - SIR - Store SecOps Setup Assistant - Madrid 2019 Q2
SR - SIR - Store Threat Core - Madrid 2019 Q2
SR - SIR - Store Trusted Security Circles Client - New York 2019 Q3
SR - SIR - Tanium Integration - New York 2019 Q3
SR - SIR - Threat intelligence - New York 2019 Q3
SR - SIR - VirusTotal Integration - New York 2019 Q3
SR - SIR - WHOIS Integration - New York 2019 Q3
SR - VR - Qualys - New York 2019 Q3
SR - VR - Rapid7 - London 2019 Q2 v.6.2.1
SR - VR - Shodan Exploit - New York 2019 Q3
SR - VR - Solution Management Madrid Q2
SR - VR - Vulnerability Response - New York 2019 Q3
SR - VR - Vulnerability Response PA Content - Madrid 2019 Q2
SR Hybrid Analysis Kingston r1 - v5.0.9


Article Information

Last Updated: 2020-06-30 14:39:15
Published: 2020-06-11