MID Server TLS policy for cloud, container, and external IPs


Problem

A Discovery pattern fails and throws the following error:

org.apache.commons.httpclient.HttpException: Session contains no certificates - Untrusted

This also produces the following log sample:

12/09/20 15:43:29 (496) ECCQueueMonitor.1 DEBUG: MIDSecPolicy: calculating security Policy to be applied on itomq.service-now.com
12/09/20 15:43:29 (496) ECCQueueMonitor.1 DEBUG: MIDSecPolicy: returning a security policy from the fast cache! [7e4848c9db061010d1d85ff25e961904]
12/09/20 15:43:29 (496) ECCQueueMonitor.1 DEBUG: MIDSecPolicy: Certificate revocation check for host[itomq.service-now.com] is true
12/09/20 15:43:29 (498) RefreshMonitor.65 DEBUG: MIDSecPolicy: calculating security Policy to be applied on itomq.service-now.com
12/09/20 15:43:29 (498) Worker-Standard:SystemCommand-98a04be41bc560106758b8c11a4bcbd9 WARNING *** WARNING *** org.apache.commons.httpclient.HttpException: Session contains no certificates - Untrusted

The failure is caused by the error in Ad hoc script 'null' at line 4.

The root cause may be that the Discovery pattern (for example, the Kubernetes pattern) is making an HTTPS connection to a Kubernetes API server whose certificate the MID Server cannot validate: the endpoint either presents a self-signed certificate or one signed by a Certificate Authority (CA) that is not in the MID Server truststore. The MIDSecPolicy lines show the MID Server selecting the TLS policy for that host; because no trusted certificate chain can be built, the session is rejected as untrusted.

Solution

  1. If the endpoint uses a self-signed certificate, import that certificate into the MID Server truststore and restart the MID Server so the running JVM loads the updated truststore. Importing a self-signed certificate trusts only that exact certificate, so the import must be repeated whenever the endpoint's certificate is rotated.

  2. Alternatively, create a new TLS policy for the endpoint, as shown in the following example picture. Scope the policy to that endpoint only rather than relaxing certificate validation for every host the MID Server reaches.

  3. If the IP endpoint is on your private network but is not covered by the out-of-the-box Intranet policy, edit that existing policy instead:

    1. Open the Intranet policy.

    2. Check whether the IP address falls within the network topologies that the out-of-the-box policy reserves for private networks.

    3. In the following example the new IP is being added to the topology.
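The triage the three options above describe, as an added shell example that is not part of this article and not ServiceNow's own tooling. It assumes a MID Server installed under MID_HOME whose bundled JRE truststore is agent/jre/lib/security/cacerts with the default keytool password changeit, and it assumes the out-of-the-box Intranet policy covers the RFC 1918 ranges (10.0.0.0/8, 172.16.0.0/12, 192.168.0.0/16); confirm both against your installation and the policy record in your instance. All function names (ip_to_int, in_cidr, is_private_ip, fetch_leaf_cert, cert_is_self_signed, import_cert, triage) are the example's own.

```shell
#!/usr/bin/env bash
# Added example, not ServiceNow's own tooling: triage one endpoint that fails
# MID Server TLS validation and, if it presents a self-signed certificate,
# import that certificate into the MID Server truststore.
#
# Assumptions (not stated in the original article):
#   - MID_HOME is the MID Server install directory and its bundled JRE
#     truststore is $MID_HOME/agent/jre/lib/security/cacerts, default
#     password "changeit". Override via environment variables if different.
#   - The out-of-the-box Intranet policy covers the RFC 1918 ranges; verify
#     this against the policy record in your instance.
set -eu

MID_HOME="${MID_HOME:-/opt/servicenow/mid}"
TRUSTSTORE="${TRUSTSTORE:-$MID_HOME/agent/jre/lib/security/cacerts}"
TRUSTSTORE_PASS="${TRUSTSTORE_PASS:-changeit}"

# ip_to_int <dotted-quad>: print the address as a 32-bit integer (pure shell).
ip_to_int() {
  local IFS=.
  set -- $1
  echo $(( ($1 << 24) | ($2 << 16) | ($3 << 8) | $4 ))
}

# in_cidr <ip> <network/bits>: succeed if the IP lies inside the CIDR block.
in_cidr() {
  local ip=$1 net=${2%/*} bits=${2#*/} mask
  mask=$(( bits == 0 ? 0 : (0xFFFFFFFF << (32 - bits)) & 0xFFFFFFFF ))
  [ $(( $(ip_to_int "$ip") & mask )) -eq $(( $(ip_to_int "$net") & mask )) ]
}

# is_private_ip <ip>: succeed if the IP is in an RFC 1918 range (assumed to be
# what the out-of-the-box Intranet policy's network topologies cover).
is_private_ip() {
  local cidr
  for cidr in 10.0.0.0/8 172.16.0.0/12 192.168.0.0/16; do
    in_cidr "$1" "$cidr" && return 0
  done
  return 1
}

# fetch_leaf_cert <host> <port> <out.pem>: save the certificate the endpoint
# presents. SNI is sent so a name-based virtual host returns the right cert.
fetch_leaf_cert() {
  openssl s_client -connect "$1:$2" -servername "$1" </dev/null 2>/dev/null \
    | openssl x509 -outform PEM > "$3"
}

# cert_is_self_signed <cert.pem>: succeed when subject and issuer are identical.
# A self-signed leaf can only be trusted by pinning it; a CA-issued leaf needs
# its issuing chain in the truststore instead.
cert_is_self_signed() {
  local subj iss
  subj=$(openssl x509 -in "$1" -noout -subject)
  iss=$(openssl x509 -in "$1" -noout -issuer)
  [ "${subj#subject=}" = "${iss#issuer=}" ]
}

# import_cert <cert.pem> <alias>: add the certificate to the MID truststore
# unless that alias is already present (keytool -list fails if it is not).
import_cert() {
  if keytool -list -keystore "$TRUSTSTORE" -storepass "$TRUSTSTORE_PASS" \
       -alias "$2" >/dev/null 2>&1; then
    echo "alias $2 already present in $TRUSTSTORE"
    return 0
  fi
  keytool -importcert -noprompt -trustcacerts -keystore "$TRUSTSTORE" \
    -storepass "$TRUSTSTORE_PASS" -alias "$2" -file "$1"
  echo "imported $2; restart the MID Server so the JVM reloads the truststore"
}

# triage <host-or-ip> <port>: map the failure onto the article's three options.
triage() {
  local host=$1 port=$2 pem
  case $host in
    [0-9]*.[0-9]*.[0-9]*.[0-9]*)
      if is_private_ip "$host"; then
        echo "$host is RFC 1918: the Intranet policy applies; check its network topologies"
      else
        echo "$host is not RFC 1918: add it to the Intranet policy topology or create a dedicated TLS policy"
      fi ;;
  esac
  pem=$(mktemp)
  fetch_leaf_cert "$host" "$port" "$pem"
  if cert_is_self_signed "$pem"; then
    echo "endpoint presents a self-signed certificate; importing it"
    import_cert "$pem" "$host-$port"
  else
    echo "certificate is CA-issued; import the issuing CA chain rather than the leaf"
  fi
  rm -f "$pem"
}

# Usage: ./mid_tls_triage.sh <k8s-api-host> <port>
if [ $# -ge 2 ]; then
  triage "$1" "$2"
fi
```

Run it on the MID Server host as the user that owns the installation, since keytool writes to the truststore file. The self-signed check is a subject/issuer comparison, which is what distinguishes option 1 (pin the leaf) from the case where the endpoint's issuing CA should be imported instead; the RFC 1918 check only tells you which policy record to look at and is not a substitute for reading the topology list in the instance.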