sumit |
Posted: Thu Jan 24, 2013 4:01 am Post subject: Proxy setup on SOAPRequest node |
|
|
Partisan
Joined: 19 Jan 2006 Posts: 398
|
Hi,
Setup on MB v8
OS- Windows
I am trying to connect to an external webservice from SOAPRequest node using proxy setup. This is what I have done-
1. Set HTTP(S) Proxy location property of SoapRequest node with the proxy ip address.
2. Set the below code segment in the compute node right before soapRequest node
Code: |
DECLARE CRLF CHAR CAST(X'0D0A' AS CHAR CCSID 1208);
SET OutputLocalEnvironment.Destination.SOAP.Request.Transport.HTTP.ProxyConnectHeaders =
'Proxy-Authorization: Basic '||BASE64ENCODE('myid:mypwd')|| CRLF ||
'Proxy-Connection: Keep-Alive' || CRLF;
Also tried
Code: |
DECLARE CRLF CHAR CAST(X'0D0A' AS CHAR CCSID 1208);
SET OutputLocalEnvironment.Destination.SOAP.Request.Transport.HTTP.ProxyConnectHeaders =
'Proxy-Authorization: Basic c3VtaXRfc2hhcm1hMjE6UEBzc3dvcmQ3'|| CRLF ||
'Proxy-Connection: Keep-Alive' || CRLF;
3. Set the compute mode property of compute node as 'LocalEnvironment and Message'.
(Checked http://www.mqseries.net/phpBB2/viewtopic.php?t=43234&highlight=proxy+soaprequest and followed the advice)
Result - Error.
Trace log says-
Code: |
HTTP/1.1 407 Proxy Authentication Required ( The ISA Server requires authorization to fulfill the request. Access to the Web Proxy filter is denied. )
I can invoke the webservice from soapUI using same proxy ip, userid and pwd.
What am I missing?  _________________ Regards
Sumit |
|
marko.pitkanen |
Posted: Thu Jan 24, 2013 4:51 am Post subject: |
|
|
 Chevalier
Joined: 23 Jul 2008 Posts: 440 Location: Jamsa, Finland
|
Hi sumit,
Have you verified that you are propagating LocalEnvironment with those values set to the SOAPRequest node?
--
Marko |
|
marko.pitkanen |
Posted: Thu Jan 24, 2013 5:00 am Post subject: |
|
|
 Chevalier
Joined: 23 Jul 2008 Posts: 440 Location: Jamsa, Finland
|
Are you using http or https connection?
Quote: |
Specifies additional headers that are used if the outbound request is an SSL connection through a proxy. These additional headers are sent with the initial CONNECT request to the proxy. For example, you can send proxy authentication information to a proxy server when you are using SSL. You can send multiple headers but each one must be separated by a carriage return and a line feed (ASCII 0x0D 0x0A), in accordance with RFC2616; for example:
DECLARE CRLF CHAR CAST(X'0D0A' AS CHAR CCSID 1208);
SET OutputLocalEnvironment.Destination.SOAP.Request.Transport.HTTP.ProxyConnectHeaders =
'Proxy-Authorization: Basic Zm5lcmJsZTpwYXNzd29yZA==' || CRLF ||
'Proxy-Connection: Keep-Alive' || CRLF;
This setting is used only if the request is an SSL request through a proxy server. To send proxy authentication information for a non-SSL request, specify the individual headers in the HTTPRequestHeader folder, as shown in the following example:
SET OutputRoot.HTTPRequestHeader."Proxy-Authorization" = 'Basic Zm5lcmJsZTpwYXNzd29yZA==';
SET OutputRoot.HTTPRequestHeader."Proxy-Connection" = 'Keep-Alive';
--
Marko |
|
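The quoted documentation says these headers travel with the initial CONNECT request to the proxy. As an added illustration (Python, not code from the thread or from IBM's documentation), the block below builds that CONNECT request and reads which authentication schemes a 407 reply offers. The host name and the sample 407 reply with its Proxy-Authenticate headers are constructed, since the trace in the thread shows only the status line.

```python
import base64

CRLF = "\r\n"

# Constructed sample reply; the thread's trace shows only the 407 status line.
SAMPLE_407 = CRLF.join([
    "HTTP/1.1 407 Proxy Authentication Required",
    "Proxy-Authenticate: Negotiate",
    "Proxy-Authenticate: NTLM",
    "Connection: close",
    "", "",
])

def proxy_connect_headers(user, password):
    """Same shape as the ProxyConnectHeaders string: every header ends in CRLF."""
    token = base64.b64encode(f"{user}:{password}".encode("utf-8")).decode("ascii")
    return (f"Proxy-Authorization: Basic {token}{CRLF}"
            f"Proxy-Connection: Keep-Alive{CRLF}")

def build_connect(host, port, extra_headers):
    """CONNECT request sent to the proxy before any TLS handshake with the origin."""
    return (f"CONNECT {host}:{port} HTTP/1.1{CRLF}"
            f"Host: {host}:{port}{CRLF}"
            f"{extra_headers}{CRLF}")

def parse_proxy_reply(raw):
    """Return (status_code, schemes named in Proxy-Authenticate headers).
    Assumes one challenge per header line."""
    lines = raw.split(CRLF + CRLF, 1)[0].split(CRLF)
    status = int(lines[0].split(" ", 2)[1])
    schemes = []
    for line in lines[1:]:
        name, _, value = line.partition(":")
        if name.strip().lower() == "proxy-authenticate" and value.strip():
            schemes.append(value.split(None, 1)[0].rstrip(","))
    return status, schemes

def diagnose(raw):
    """Separate 'Basic is not an accepted scheme' from 'Basic was rejected'."""
    status, schemes = parse_proxy_reply(raw)
    if status != 407:
        return "proxy accepted CONNECT" if 200 <= status < 300 else f"proxy returned {status}"
    if not any(s.lower() == "basic" for s in schemes):
        return "407: Basic not offered; proxy wants " + ", ".join(schemes)
    return "407: Basic offered; credentials rejected or header not sent"

if __name__ == "__main__":
    print(build_connect("ws.example.test", 443, proxy_connect_headers("user", "pass")))
    print(diagnose(SAMPLE_407))
```

Basic credentials are only base64-encoded and the CONNECT request reaches the proxy in clear text, so a trace or packet capture of this exchange contains a recoverable password.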
sumit |
Posted: Thu Jan 24, 2013 5:27 am Post subject: |
|
|
Partisan
Joined: 19 Jan 2006 Posts: 398
|
marko.pitkanen wrote: |
Have you verified that you are propagating LocalEnvironment with those values set to the SOAPRequest node?
|
I could see in debug mode that the LocalEnvironment variable was set when the message was going to the SOAPRequest node.
marko.pitkanen wrote: |
Are you using http or https connection? |
Webservice URL is https _________________ Regards
Sumit |
|
mqjeff |
Posted: Thu Jan 24, 2013 5:32 am Post subject: |
|
|
Grand Master
Joined: 25 Jun 2008 Posts: 17447
|
sumit wrote: |
marko.pitkanen wrote: |
Are you using http or https connection? |
Webservice URL is https |
Did you set the flag on the SOAPRequest node?
Did you configure the broker keystore and truststore to support this? |
|
sumit |
Posted: Thu Jan 24, 2013 5:35 am Post subject: |
|
|
Partisan
Joined: 19 Jan 2006 Posts: 398
|
This is from user trace
Quote: |
BIP4015I: Message propagated to the 'out' terminal of node 'ComputeNodeName' with the following message trees: 'OutputLocalEnvironment, OutputRoot, InputExceptionList'. |
and then I have
Quote: |
BIP3615I: SOAP message written with '0' MTOM elements.
BIP3719I: Node 'SOAPRQ_InvokeQASService' sending SOAP request via transport 'HTTP' ('ws2.ondemand.qas.com:443') for operation 'DoSearch' of type 'request-response' |
_________________ Regards
Sumit |
|
sumit |
Posted: Thu Jan 24, 2013 5:46 am Post subject: |
|
|
Partisan
Joined: 19 Jan 2006 Posts: 398
|
mqjeff wrote: |
Did you set the flag on the SOAPRequest node?
Did you configure the broker keystore and truststore to support this? |
I am not setting any keystore or truststore explicitly as it exchanges them at runtime. The same is happening in soapUI, wherein I have not set up any cert but it negotiates and downloads the certificates at run time.
Also, the same flow has been tested (without any proxy setup) from the outside network and it works fine. _________________ Regards
Sumit |
|
mqjeff |
Posted: Thu Jan 24, 2013 5:53 am Post subject: |
|
|
Grand Master
Joined: 25 Jun 2008 Posts: 17447
|
sumit wrote: |
mqjeff wrote: |
Did you set the flag on the SOAPRequest node?
Did you configure the broker keystore and truststore to support this? |
I am not setting any keystore or truststore explicitly as it exchanges them at runtime. |
What part of the documentation on configuring SSL for SOAPRequest for Broker specifically says that it will perform this function? |
|
sumit |
Posted: Thu Jan 24, 2013 10:05 am Post subject: |
|
|
Partisan
Joined: 19 Jan 2006 Posts: 398
|
mqjeff wrote: |
What part of the documentation on configuring SSL for SOAPRequest for Broker specifically says that it will perform this function? |
Help me to understand this please. I can access the URL from IE, Mozilla and from soapUI without configuring any SSL certificate. It's just the proxy ip, id and password which allow me to hit this external service and get the response.
The same message flow setup can hit the webservice if invoked from outside the network with no explicit SSL certificate configuration. However, as my configuration requires crossing the company's firewall, I understand that I only need to set the proxy in the MB flow.
Also AFAIK, if there is a problem with SSL certificate then I'll get a handshake error however, it appears to me that it's not even able to cross the firewall with the provided proxy details. Am I still lost!! _________________ Regards
Sumit |
|
mqjeff |
Posted: Thu Jan 24, 2013 10:16 am Post subject: |
|
|
Grand Master
Joined: 25 Jun 2008 Posts: 17447
|
|
sumit |
Posted: Thu Jan 24, 2013 10:34 am Post subject: |
|
|
Partisan
Joined: 19 Jan 2006 Posts: 398
|
Thanks mqjeff. I came across the first link and then ignored thinking it's not for this particular case. I will go through the links and do the required setup. _________________ Regards
Sumit |
|
mqjeff |
Posted: Thu Jan 24, 2013 11:03 am Post subject: |
|
|
Grand Master
Joined: 25 Jun 2008 Posts: 17447
|
sumit wrote: |
Thanks mqjeff. I came across the first link and then ignored thinking it's not for this particular case. I will go through the links and do the required setup. |
I agree, except again, you are using SSL and the second link explicitly says at the front
Quote: |
Before you start: Set up a public key infrastructure (PKI) at broker or execution group level: Setting up a public key infrastructure. |
So the first link stuff is necessary before you can check the box on the node to enable the node to use SSL. |
|
sumit |
Posted: Fri Jan 25, 2013 3:02 am Post subject: |
|
|
Partisan
Joined: 19 Jan 2006 Posts: 398
|
I checked again and found that we have not received any SSL certificate. We instead have a user id and password which we send in the webservice request. The provider sends the response only if the user id and password in the request are correct. _________________ Regards
Sumit
Last edited by sumit on Fri Jan 25, 2013 6:06 am; edited 1 time in total |
|
mgk |
Posted: Fri Jan 25, 2013 4:20 am Post subject: |
|
|
 Padawan
Joined: 31 Jul 2003 Posts: 1642
|
Quote: |
So the first link stuff is necessary before you can check the box on the node to enable the node to use SSL. |
That depends on who signed the certificate. Certainly it is correct for any self-signed cert, but out of the box, the Broker comes set up to use the default Java trust store, so for sending outbound requests, certs that are signed by the big players (VeriSign etc.) should work without any changes or setup needed...
Kind regards, _________________ MGK
The postings I make on this site are my own and don't necessarily represent IBM's positions, strategies or opinions. |
|
mqjeff |
Posted: Fri Jan 25, 2013 4:32 am Post subject: |
|
|
Grand Master
Joined: 25 Jun 2008 Posts: 17447
|
mgk wrote: |
Quote: |
So the first link stuff is necessary before you can check the box on the node to enable the node to use SSL. |
That depends on who signed the certificate. Certainly it is correct for any self-signed cert, but out of the box, the Broker comes set up to use the default Java trust store, so for sending outbound requests, certs that are signed by the big players (VeriSign etc.) should work without any changes or setup needed...
Kind regards, |
Then clearly the documentation should make that, um, clearer. As is, it says quite specifically that you *must* set up the PKI infrastructure first. |
|