- Mark as New
- Bookmark
- Subscribe
- Mute
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
‎10-12-2016 02:52 PM
GOAL
Prototype building a REST Message (GET) against our application hosted by the Amazon API Gateway.
ISSUE
I am getting HTTP status 500 when attempting a connection to my RESTful API; it appears to be related to "WARNING *** WARNING *** javax.net.ssl.SSLHandshakeException: Received fatal alert: handshake_failure"
HELP
Am I not configuring my Protocol Profile correctly for use with an HTTPS endpoint? Is it a bug?
Am I forgetting to set some other system parameter?
Any guidance regarding better troubleshooting or resolution of this error would be greatly appreciated. I assume I am not the first person to develop against the Amazon API Gateway, and I hope this does not require a MID server as a work around due to the use of HTTPS.
ENVIRONMENT
I am logged into a GENEVA developer instance.
I have configured the System Web Services -> Outbound -> REST Message
Authentication: None
HTTP Header: x-api-key: string
HTTP Header: Cache-Control: no-cache
Method: get
Endpoint: https://xxxx.execute-api.us-west2.amazonaws.com/test/apiname
I imported the Amazon SSL certificate (and chain) associated with Amazon API Gateway
System Definition -> Certificates -> "New"
I attempted to create an HTTPS Protocol Profile for our Endpoint
System Security -> Protocol Profiles -> "New"
Protocol: https
Default port: 443
Keystore: Endpoint_SSL_PublicKey
// However, it complains the SSL public key is not a valid cert store and returns Invalid Insert - even though "Validate Stores/Certificates" returns "Valid trust_store"
DEBUGGING STEPS
ServiceNow KB: REST API FAQs (KB0535048)
- glide.basicauth.required.api is set to FALSE
//I set this because we are not using basic auth, in addition to leaving "Autentication: None"
- glide.outbound.sslv3.disabled is set to TRUE
//I set this because I want to force TLS
http://wiki.servicenow.com/index.php?title=REST_API
- glide.rest.debug is set to TRUE
Note: glide.rest.debug is set with scope of my app, not global - which was unexpected, not sure how to set that global
https://community.servicenow.com/thread/175996
- glide.outbound.sslv3.disabled is set to TRUE
FYI: Finding the log with REST DEBUG data was confusing… but it is here:
System Logs -> Utilities -> Node Log File Browser
Then I look at logs around 1 min before and 1 min after I run the REST test; I also find data this way…
System Logs -> Utilities -> Node Log File Browser -> Message = "sys_rest_message_fn.do"
BACKGROUND
Our API is hosted via the Amazon AWS API Gateway
The API does not require authentication
The API service only supports HTTPS
The API service supports the following protocols and cipher suites per an SSL Scan:
Protocols | |
TLS 1.2 | Yes |
TLS 1.1 | Yes |
TLS 1.0 | Yes |
SSL 3 | No |
SSL 2 | No |
Cipher Suites (SSL 3+ suites in server-preferred order; deprecated and SSL 2 suites at the end) | ||
TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256 ( | 128 | |
TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA256 ( | 128 | |
TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA ( | 128 | |
TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384 ( | 256 | |
TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA384 ( | 256 | |
TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA ( | 256 | |
TLS_RSA_WITH_AES_128_GCM_SHA256 ( | 128 | |
TLS_RSA_WITH_AES_256_GCM_SHA384 ( | 256 | |
TLS_RSA_WITH_AES_128_CBC_SHA256 ( | 128 | |
TLS_RSA_WITH_AES_256_CBC_SHA ( | 256 | |
TLS_RSA_WITH_AES_128_CBC_SHA ( | 128 | |
TLS_RSA_WITH_3DES_EDE_CBC_SHA ( | 112 | |
RELEVANT LINKS
http://wiki.servicenow.com/index.php?title=Outbound_Web_Services_Mutual_Authentication
https://www.ssllabs.com/ssltest/analyze.html?d=YOUR URL <- to identify SSL/TLS Protocols and Cipher Suites
https://aws.amazon.com/api-gateway/faqs/
Solved! Go to Solution.
- Mark as New
- Bookmark
- Subscribe
- Mute
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
‎10-27-2016 09:26 AM
I ran into this issue about a month ago as well. Customer Support told me that ServiceNow needs a dedicated IP and Certificate on AWS because of a lack of SNI support. I haven't gotten around to implementing a dedicated IP, so not sure that it fixes the issue completely.
- Mark as New
- Bookmark
- Subscribe
- Mute
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
‎10-20-2016 11:05 AM
Thank you for taking a look b-rad
- Mark as New
- Bookmark
- Subscribe
- Mute
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
‎10-20-2016 11:11 AM
ctomasib-radmike.malcangio Thanks for taking a look, I will follow up with Customer Support. If I get an answer/solution, I will post it here for future reference.
- Mark as New
- Bookmark
- Subscribe
- Mute
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
‎10-27-2016 09:26 AM
I ran into this issue about a month ago as well. Customer Support told me that ServiceNow needs a dedicated IP and Certificate on AWS because of a lack of SNI support. I haven't gotten around to implementing a dedicated IP, so not sure that it fixes the issue completely.
- Mark as New
- Bookmark
- Subscribe
- Mute
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
‎10-28-2016 04:50 PM
UPDATE on troubleshooting...
Thanks for the feedback tabraham
I have now created an SSL cert to sit in front of the API Gateway. Per AWS documentation...
"API Gateway supports custom domain names for an API by using Server Name Indication (SNI). After a custom domain name is configured with the API, you can call the API with the custom domain name by using a browser or a client library that supports SNI."
I have tested with POSTMAN and it works as expected.
Unfortunately, I am still getting the exact same error from my SN instance when I try to test a RESTful Message GET. In addition, when I attempt to create a Protocol Profile (using the new SSL public key) I am getting the same error as before: "Invalid Insert"- certificate store type must be a keystore.
--- USEFUL LINKS ---
Creating a custom url for API Gateway...
Use a Custom Domain Name in API Gateway - Amazon API Gateway
Here is a link from the AWS forums in support of the SNI hypothesis...
https://forums.aws.amazon.com/thread.jspa?threadID=230798
Here is a link that provides more details on CloudFront and SNI support...
Amazon CloudFront Custom SSL — Amazon Web Services
*Note, if you have to deploy a dedicated IP - In addition to just the SSL Certificate and SNI - it is going to cost an additional $600/month currently.
- Mark as New
- Bookmark
- Subscribe
- Mute
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
‎11-03-2016 02:52 PM
tabraham You are correct - you have to use a dedicated CloudFront Custom SSL solution to function at this time.
Here is some more info on the issue...
The issue appears to be based upon the ServiceNow implementation of the SNI client per RFC 4366.
You can test Amazon's CloudFront SNI response via openssl like this...
> openssl s_client -connect api.server-name.com:443
returns an error
> openssl s_client -connect api.server-name.com:443 -servername 'api.server-name.com'
is successful
Per the RFC including a server name is a "recommended" option for Clients to implement, but not required and thus where this issue appears to occur. The SN dev team has it in their queue, so hopefully it will be addressed in a coming release relatively soon.
-- USEFUL LINKS --
http://www.ietf.org/rfc/rfc4366.txt Specifically, on Page 9 it calls out this scenario.
"It is RECOMMENDED that clients include an extension of type"server_name" in the client hello whenever they locate a server by asupported name type."
As an aside, it looks like Apache has a work around for this on the server side: https://wiki.apache.org/httpd/NameBasedSSLVHostsWithSNI with this config: http://httpd.apache.org/docs/2.4/mod/mod_ssl.html#sslstrictsnivhostcheck - doesn't help us with CloudFront, but good to know if someone runs into this issue talking to their private RESTful API implementations - this would probably fix this issue for them.
