KB Article #188722

TLS termination in DMZ using PassPort PKI services

Problem

Error messages are received on the Gateway side when trying to receive a file from a partner over Pesit SSL with TLS termination in the DMZ, after the PassPort PKI service was integrated.

  • Protocol: Pesit
  • Pesit server: Gateway 6.17.3
  • TLS version: TLSv1.3

Master.log:

[…]
24-10-17 11:38:08,259 WThread-7XPPGPS : Notification from Passport provider: No matching certificate found
24-10-17 11:38:08,259 EThread-7XPPGPS : Error from Passport provider
com.axway.passport.security.legacy.XPPCertificateException: XPPSRV 0024 - No matching certificate found
    at com.axway.xpp.provider.remote.PassportX509TrustManager.checkCertificateTrusted(PassportX509TrustManager.java:275) [passport-remoteprovider.jar:?]
    at com.axway.xpp.provider.remote.PassportX509TrustManager.checkClientTrusted(PassportX509TrustManager.java:214) [passport-remoteprovider.jar:?]
    at sun.reflect.NativeMethodAccessorImpl.invoke0(Native Method) ~[?:1.8.0_275]
    at sun.reflect.NativeMethodAccessorImpl.invoke(NativeMethodAccessorImpl.java:62) ~[?:1.8.0_275]
    at sun.reflect.DelegatingMethodAccessorImpl.invoke(DelegatingMethodAccessorImpl.java:43) ~[?:1.8.0_275]
    at java.lang.reflect.Method.invoke(Method.java:498) ~[?:1.8.0_275]
    at com.axway.xsr.agent.master.gps.xpp.XPPGPS$2.run(XPPGPS.java:465) [maembedded.jar:2.16.7-1-1]
    at java.util.concurrent.ThreadPoolExecutor.runWorker(ThreadPoolExecutor.java:1149) [?:1.8.0_275]
    at java.util.concurrent.ThreadPoolExecutor$Worker.run(ThreadPoolExecutor.java:624) [?:1.8.0_275]
    at java.lang.Thread.run(Thread.java:748) [?:1.8.0_275]
24-10-17 11:38:08,263 EThread-7XPPGPS : Couldn't invoke the method : checkClientTrusted of class : class com.axway.xpp.provider.remote.PassportX509TrustManager
java.lang.reflect.InvocationTargetException: null
    at sun.reflect.NativeMethodAccessorImpl.invoke0(Native Method) ~[?:1.8.0_275]
    at sun.reflect.NativeMethodAccessorImpl.invoke(NativeMethodAccessorImpl.java:62) ~[?:1.8.0_275]
    at sun.reflect.DelegatingMethodAccessorImpl.invoke(DelegatingMethodAccessorImpl.java:43) ~[?:1.8.0_275]
    at java.lang.reflect.Method.invoke(Method.java:498) ~[?:1.8.0_275]
    at com.axway.xsr.agent.master.gps.xpp.XPPGPS$2.run(XPPGPS.java:465) [maembedded.jar:2.16.7-1-1]
    at java.util.concurrent.ThreadPoolExecutor.runWorker(ThreadPoolExecutor.java:1149) [?:1.8.0_275]
    at java.util.concurrent.ThreadPoolExecutor$Worker.run(ThreadPoolExecutor.java:624) [?:1.8.0_275]
    at java.lang.Thread.run(Thread.java:748) [?:1.8.0_275]
Caused by: com.axway.passport.security.legacy.XPPCertificateException: XPPSRV 0021 - Unable to construct the certificate path
    at com.axway.xpp.provider.remote.PassportX509TrustManager.checkCertificateTrusted(PassportX509TrustManager.java:311) ~[passport-remoteprovider.jar:?]
    at com.axway.xpp.provider.remote.PassportX509TrustManager.checkClientTrusted(PassportX509TrustManager.java:214) ~[passport-remoteprovider.jar:?]
    ... 8 more
[…]

Router.log:

[…]
24-10-17 11:37:08,965 ERROR P-5-MPX-4SocketVirtualChannel : #6#: communicator raised an exception during HANDSHAKE, closing
javax.net.ssl.SSLHandshakeException: Error invoking checkClientTrusted
Caused by: com.axway.xsr.agent.router.gp.context.SendContextException: Error message received, cause: XPPSRV 0021 - Unable to construct the certificate path
[…]

According to the output of SRstatus.sh, the Master Agent (MA) is connected to the Router Agent (RA):

[…]
==== Connected Master Agents ===============================================================
-- /X.X.X.X:58756 --------------------------------------------------------------------
- Listen points mounted: 7
  Listen point 0 ................ : From = /0:0:0:0:0:0:0:0:6331
    > To = /127.0.0.1:46491
    > No managed channels
  Listen point 1 ................ : From = /0:0:0:0:0:0:0:0:6360
    > To = /127.0.0.1:32817
    > No managed channels
  Listen point 2 ................ : From = /0:0:0:0:0:0:0:0:6370
    > To = /127.0.0.1:38935
    > No managed channels
  Listen point 3 ................ : From = /0:0:0:0:0:0:0:0:6330
    > To = /127.0.0.1:41391
    > No managed channels
  Listen point 4 ................ : From = /0:0:0:0:0:0:0:0:6382
    > To = /127.0.0.1:38527
    > No managed channels
  Listen point 5 ................ : From = /0:0:0:0:0:0:0:0:6380
    > To = /127.0.0.1:34165
    > No managed channels
  Listen point 6 ................ : From = /0:0:0:0:0:0:0:0:6321
    > To = /127.0.0.1:35327
    > No managed channels
  Listen point 7 ................ : From = /0:0:0:0:0:0:0:0:6300
    > To = /127.0.0.1:39889
    > Security termination for TLS active
    > No managed channels
- No outcall transfers in progress
- Multiplexers active: 5
  Multiplexer 0 ................. : No managed virtual channels
  Multiplexer 3 ................. : No managed virtual channels
  Multiplexer 1 ................. : No managed virtual channels
  Multiplexer 2 ................. : No managed virtual channels
  Multiplexer 4 ................. : No managed virtual channels
- Connection Limiter is disabled
==== Last status packet length : 5247, more data follows - false
[…]

Error in the Passport log:

2024-10-17 11:36:55,211 - [Worker5-2504] WARN(CacheManager.addCertificates:155) - Unable to add a null selector or certificates in the cache
2024-10-17 11:37:08,947 - [Worker13-2505] WARN(CacheManager.addCertificates:155) - Unable to add a null selector or certificates in the cache
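As an added triage aid (not part of this article or of Axway's tooling), the following Python snippet pulls the XPPSRV error codes out of Master.log and counts the Passport CacheManager warnings logged in the window before each one, so that the Gateway-side and Passport-side symptoms can be confirmed as one failure before the configuration is changed. The sample lines are constructed from the excerpts above; the correlation window length is an assumed tuning value.

```python
import re
from datetime import datetime, timedelta

# Constructed sample lines, modelled on the Master.log and Passport log excerpts in this article.
MASTER_LOG = """\
24-10-17 11:38:08,259 WThread-7XPPGPS : Notification from Passport provider: No matching certificate found
24-10-17 11:38:08,259 EThread-7XPPGPS : Error from Passport provider
com.axway.passport.security.legacy.XPPCertificateException: XPPSRV 0024 - No matching certificate found
Caused by: com.axway.passport.security.legacy.XPPCertificateException: XPPSRV 0021 - Unable to construct the certificate path
"""
PASSPORT_LOG = """\
2024-10-17 11:36:55,211 - [Worker5-2504] WARN(CacheManager.addCertificates:155) - Unable to add a null selector or certificates in the cache
2024-10-17 11:37:08,947 - [Worker13-2505] WARN(CacheManager.addCertificates:155) - Unable to add a null selector or certificates in the cache
"""

MASTER_TS = re.compile(r"^(\d{2}-\d{2}-\d{2} \d{2}:\d{2}:\d{2},\d{3}) ")
XPPSRV = re.compile(r"XPPSRV (\d{4}) - (.+)$")
PASSPORT_WARN = re.compile(r"^(\d{4}-\d{2}-\d{2} \d{2}:\d{2}:\d{2},\d{3}) .*"
                           r"WARN\(CacheManager\.addCertificates:\d+\) - (.+)$")

def parse_xppsrv_errors(master_log):
    """Return (timestamp, code, message) for each XPPSRV error in Master.log.
    Exception and 'Caused by:' lines carry no timestamp of their own, so each
    one is stamped with the most recent timestamped line above it."""
    errors, current = [], None
    for line in master_log.splitlines():
        m = MASTER_TS.match(line)
        if m:
            current = datetime.strptime(m.group(1), "%y-%m-%d %H:%M:%S,%f")
        e = XPPSRV.search(line)
        if e and current is not None:
            errors.append((current, e.group(1), e.group(2)))
    return errors

def parse_passport_warnings(passport_log):
    """Return (timestamp, message) for each CacheManager.addCertificates warning."""
    return [(datetime.strptime(m.group(1), "%Y-%m-%d %H:%M:%S,%f"), m.group(2))
            for m in map(PASSPORT_WARN.match, passport_log.splitlines()) if m]

def correlate(master_log, passport_log, window_seconds=120):
    """Pair each XPPSRV error with the Passport cache warnings logged in the preceding window (assumed length)."""
    warnings = parse_passport_warnings(passport_log)
    report = []
    for ts, code, msg in parse_xppsrv_errors(master_log):
        since = ts - timedelta(seconds=window_seconds)
        related = [w for w in warnings if since <= w[0] <= ts]
        report.append({"time": ts, "code": code, "message": msg,
                       "passport_warnings": len(related)})
    return report
```

Run `correlate(MASTER_LOG, PASSPORT_LOG)` on the real log files' contents; an XPPSRV 0021/0024 error with zero nearby Passport warnings points to a different root cause than the one this article resolves.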


Resolution

  1. On the Passport side:
     In the Axway Passport GUI (Axway Desktop client), make sure that all certificates of the chain used for this flow (the private certificate of the Gateway server and the public certificates of the partner) have been imported under Security => Entities => “Entity name”, instead of using the certificates directly from Gateway.
     All these certificates need to have the status “active” and “trusted”.
  2. On the Gateway side:
     • In the Gateway configuration => Internet Protocols => PESIT E => TCP => Port specification in server mode, make sure that “Transport security in Secure Relay” is checked and select the required security profile (type SERVER).
     • In the SSH profile => tab “Passport PS”:
         • Local entity Name => the entity name in Passport where you imported the private certificate of the Gateway server.
         • Partner entity Name => the entity name in Passport where you imported the public certificate chain of the partner, so that mutual (double) authentication takes place.
         • Object type => for profiles used with the XSR termination in DMZ, the only valid selection is “Passport PS entity”.
     • In the SSH profile, tab “General”, select protocol version TLS 1.3 to match the TLS termination in DMZ, and a cipher in common with the partner.