Debugging Mutual Authentication


Mutual Authentication Debugging

Please follow these steps when debugging Mutual Authentication:

  1. Validate that the profile name is "myhttps" and the port is "443".
  2. If this is not the case, define the following properties, replacing the variables in brackets with your values:
    • glide.httpclient.protocol.<profile_name>.class = "com.glide.certificates.DBKeyStoreSocketFactory"
    • glide.httpclient.protocol.<profile_name>.port = "<port>"
  3. Convert the given format of the keystore to p12.
    • From pfx to p12:
      • keytool -importkeystore -destkeystore newCustomer.p12 -deststoretype pkcs12 -srckeystore "name.pfx"
  4. Extract public cert from this P12:
    • keytool -export -alias "<alias_from_p12>" -keystore newCustomer.p12 -rfc -file publicCert.cert
  5. Extract private key from this P12:
    • openssl pkcs12 -in newCustomer.p12 -out private.pem
  6. Try connecting via OPENSSL:
    • openssl s_client -connect <Destination_IP>:<PORT> -msg
  7. Use the Private key and validate if OPENSSL is working correctly:
    • openssl s_client -showcerts -connect <Destination_IP>:<Port> -cert publicCert.cert -key private.pem
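  8. Leverage the public and private keys via curl to validate that the 3rd party is configured correctly (replace <json_body> with the request payload):
    • curl -v https://<API_Point>:<port> -H "Content-Type:application/json" -d '<json_body>' --cert publicCert.cert --key private.pem --pass <password>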
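
A check that fits between steps 5 and 6, as an added example that is not part of the original article: before testing the handshake, confirm that the certificate and private key extracted from the P12 actually belong together. The file names follow the steps above; the throwaway keystore, the subject, the password "changeit" and the use of openssl instead of keytool to export the certificate are assumptions made so the script runs offline.

```shell
# Added example; keystore contents, subject and password are constructed samples.
# Passwords are passed as pass:... only for brevity; on a shared host prefer
# openssl's file: or env: password sources so they stay out of the process list.

# Build a throwaway key, self-signed certificate and P12 in directory $1
# (stands in for the customer keystore; $2 is its password).
make_sample_p12() {
  openssl req -x509 -newkey rsa:2048 -nodes -days 1 -subj "/CN=sample-client" \
    -keyout "$1/orig.key" -out "$1/orig.crt" 2>/dev/null &&
  openssl pkcs12 -export -name sample -inkey "$1/orig.key" -in "$1/orig.crt" \
    -out "$1/newCustomer.p12" -passout "pass:$2"
}

# Steps 4 and 5 without prompts: write publicCert.cert and private.pem
# next to the P12 (openssl replaces keytool for the certificate here).
extract_from_p12() {
  openssl pkcs12 -in "$1/newCustomer.p12" -nokeys -clcerts \
    -out "$1/publicCert.cert" -passin "pass:$2" 2>/dev/null &&
  openssl pkcs12 -in "$1/newCustomer.p12" -out "$1/private.pem" \
    -passin "pass:$2" -passout "pass:$2" 2>/dev/null
}

# Return 0 if the certificate ($1) and private key ($2, passphrase $3)
# share a public key, 1 if they differ, 2 if either file cannot be read.
pair_matches() {
  from_cert=$(openssl x509 -in "$1" -noout -pubkey 2>/dev/null) || return 2
  from_key=$(openssl pkey -in "$2" -passin "pass:$3" -pubout 2>/dev/null) || return 2
  [ -n "$from_cert" ] && [ "$from_cert" = "$from_key" ]
}

# Run the whole sequence on the constructed keystore.
demo() {
  dir=$(mktemp -d) || return 2
  if make_sample_p12 "$dir" changeit && extract_from_p12 "$dir" changeit; then
    pair_matches "$dir/publicCert.cert" "$dir/private.pem" changeit
    status=$?
  else
    status=2
  fi
  rm -rf "$dir"
  return "$status"
}

demo && echo "certificate and private key match"
```

A result of 1 means the certificate and key come from different pairs, so any handshake failure in steps 6 to 8 says nothing yet about the 3rd party's configuration.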

Before continuing, make sure steps 6 and 7 have a satisfactory result. If any of the previous steps fail, it means the configuration at the 3rd party is not correct and there is no need to debug at ServiceNow yet. Once this is working, start configuring ServiceNow for Mutual Auth:

  1. Add Target's public certificate as a trusted cert in the given keystore and attach it to the protocol profile in ServiceNow.
  2. If this fails with a 400 error stating that no required certificate was sent, check the protocol profile and port. Configure the following properties if the protocol profile name is not https AND the port is not 443:
    • glide.httpclient.protocol.<protocol_profile_name>.class = "com.glide.certificates.DBKeyStoreSocketFactory"
    • glide.httpclient.protocol.<protocol_profile_name>.port = "<PORT_it_connects_on>"

When running the test on a REST method and it shows https:// instead of the custom protocol name (which should be <8 characters and lowercase alphabetic letters only), ensure that the endpoint on the REST outbound message uses the custom protocol and has mutual authentication checked. At least in Quebec, it seems to take the custom protocol from the message rather than the method. If you get unexplained connection-refused errors, set the mutual authentication checkbox on the message only, not the method.

Additional information

Mutual Authentication - Overview
Steps to set up Mutual Authentication: Keys