‎10-12-2016 02:52 PM
GOAL
Prototype building a REST Message (GET) against our application hosted by the Amazon API Gateway.
ISSUE
I am getting HTTP status 500 when attempting a connection to my RESTful API; it appears to be related to "WARNING *** WARNING *** javax.net.ssl.SSLHandshakeException: Received fatal alert: handshake_failure"
HELP
Am I not configuring my Protocol Profile correctly for use with an HTTPS endpoint? Is it a bug?
Am I forgetting to set some other system parameter?
Any guidance regarding better troubleshooting or resolution of this error would be greatly appreciated. I assume I am not the first person to develop against the Amazon API Gateway, and I hope this does not require a MID server as a workaround due to the use of HTTPS.
ENVIRONMENT
I am logged into a GENEVA developer instance.
I have configured the System Web Services -> Outbound -> REST Message
Authentication: None
HTTP Header: x-api-key: string
HTTP Header: Cache-Control: no-cache
Method: get
Endpoint: https://xxxx.execute-api.us-west2.amazonaws.com/test/apiname
I imported the Amazon SSL certificate (and chain) associated with Amazon API Gateway
System Definition -> Certificates -> "New"
I attempted to create an HTTPS Protocol Profile for our Endpoint
System Security -> Protocol Profiles -> "New"
Protocol: https
Default port: 443
Keystore: Endpoint_SSL_PublicKey
// However, it complains the SSL public key is not a valid cert store and returns Invalid Insert - even though "Validate Stores/Certificates" returns "Valid trust_store"
DEBUGGING STEPS
ServiceNow KB: REST API FAQs (KB0535048)
- glide.basicauth.required.api is set to FALSE
//I set this because we are not using basic auth, in addition to leaving "Authentication: None"
- glide.outbound.sslv3.disabled is set to TRUE
//I set this because I want to force TLS
http://wiki.servicenow.com/index.php?title=REST_API
- glide.rest.debug is set to TRUE
Note: glide.rest.debug is set with scope of my app, not global - which was unexpected, not sure how to set that global
https://community.servicenow.com/thread/175996
- glide.outbound.sslv3.disabled is set to TRUE
FYI: Finding the log with REST DEBUG data was confusing… but it is here:
System Logs -> Utilities -> Node Log File Browser
Then I look at logs around 1 min before and 1 min after I run the REST test; I also find data this way…
System Logs -> Utilities -> Node Log File Browser -> Message = "sys_rest_message_fn.do"
BACKGROUND
Our API is hosted via the Amazon AWS API Gateway
The API does not require authentication
The API service only supports HTTPS
The API service supports the following protocols and cipher suites per an SSL Scan:
Protocols:

| Protocol | Supported |
|---|---|
| TLS 1.2 | Yes |
| TLS 1.1 | Yes |
| TLS 1.0 | Yes |
| SSL 3 | No |
| SSL 2 | No |

Cipher Suites (SSL 3+ suites in server-preferred order; deprecated and SSL 2 suites at the end):

| Cipher suite | Key bits |
|---|---|
| TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256 | 128 |
| TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA256 | 128 |
| TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA | 128 |
| TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384 | 256 |
| TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA384 | 256 |
| TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA | 256 |
| TLS_RSA_WITH_AES_128_GCM_SHA256 | 128 |
| TLS_RSA_WITH_AES_256_GCM_SHA384 | 256 |
| TLS_RSA_WITH_AES_128_CBC_SHA256 | 128 |
| TLS_RSA_WITH_AES_256_CBC_SHA | 256 |
| TLS_RSA_WITH_AES_128_CBC_SHA | 128 |
| TLS_RSA_WITH_3DES_EDE_CBC_SHA | 112 |
RELEVANT LINKS
http://wiki.servicenow.com/index.php?title=Outbound_Web_Services_Mutual_Authentication
https://www.ssllabs.com/ssltest/analyze.html?d=YOUR URL <- to identify SSL/TLS Protocols and Cipher Suites
https://aws.amazon.com/api-gateway/faqs/
‎10-27-2016 09:26 AM
I ran into this issue about a month ago as well. Customer Support told me that ServiceNow needs a dedicated IP and Certificate on AWS because of a lack of SNI support. I haven't gotten around to implementing a dedicated IP, so not sure that it fixes the issue completely.

‎01-05-2017 12:39 PM
Wanted to add some clarity to this thread:
Releases up to and including Istanbul do not support Server Name Indication (SNI) for making outbound HTTP requests from ServiceNow (e.g., using RESTMessageV2 API) to 3rd party APIs that require SNI support. This thread lists common error messages that will result from this lack of support.
Adding support for SNI is in our roadmap and we are tracking it with enhancement request FTASK26385.
At this point the earliest support could be added for SNI is in the release following Istanbul.
-Bryan
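A diagnostic for the condition Bryan describes, added here as an example (it is not code from this thread or from ServiceNow): it attempts the TLS handshake to an endpoint twice, once sending SNI and once without, and classifies the pair of outcomes so that a handshake_failure caused by a missing SNI can be told apart from a cipher or trust-store problem. The host name is a constructed placeholder.

```python
import socket
import ssl

# Constructed placeholder host; substitute the real API Gateway endpoint.
HOST = "xxxx.execute-api.example.invalid"

def tls_probe(host, port=443, use_sni=True, timeout=5.0):
    """Try a TLS handshake with or without Server Name Indication.

    Returns (ok, detail): ok is True when the handshake completed;
    detail holds the negotiated protocol and cipher, or the error text.
    """
    ctx = ssl.create_default_context()
    if not use_sni:
        # Without SNI the server may present a default certificate for
        # some other name; we only care whether the handshake completes.
        ctx.check_hostname = False
        ctx.verify_mode = ssl.CERT_NONE
    try:
        with socket.create_connection((host, port), timeout=timeout) as raw:
            name = host if use_sni else None
            with ctx.wrap_socket(raw, server_hostname=name) as tls:
                return True, f"{tls.version()} {tls.cipher()[0]}"
    except ssl.SSLError as exc:          # alerts such as handshake_failure
        return False, str(exc)
    except OSError as exc:               # DNS, connect or timeout problems
        return False, f"connection error: {exc}"

def diagnose(with_sni, without_sni):
    """Classify a pair of probe results into one of four verdicts."""
    ok_sni, _ = with_sni
    ok_plain, detail_plain = without_sni
    if ok_sni and ok_plain:
        return "no_sni_dependency"      # look at ciphers or trust store instead
    if ok_sni and "handshake" in detail_plain.lower():
        return "sni_required"           # an SNI-less client sees handshake_failure
    if not ok_sni and not ok_plain:
        return "independent_failure"    # protocol/cipher overlap or trust store
    return "unexpected"                 # e.g. SNI name rejected but default works

if __name__ == "__main__":
    results = (tls_probe(HOST, use_sni=True), tls_probe(HOST, use_sni=False))
    for label, (ok, detail) in zip(("with SNI", "without SNI"), results):
        print(f"{label:12s} ok={ok} {detail}")
    print("verdict:", diagnose(*results))
```

A verdict of sni_required means a client that cannot send SNI, such as the pre-Jakarta outbound REST client discussed here, will fail against that endpoint regardless of its trust-store configuration.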

‎02-28-2017 09:37 PM
Bryan,
Will FTASK26385 include a fix for previous versions? (Helsinki, Istanbul?)
This is a significant problem for us at a major customer. We've got competitors trying to displace us over this, so we're keen to hear about any progress in resolving the SNI issue.
Thanks,
Peter
‎03-01-2017 09:24 AM
To get around this limitation, I have used an orchestration MID Server to send curl and PowerShell REST commands in workflow. It isn't ideal, but has worked for my purposes.

‎03-05-2017 10:23 PM
Peter,
Can you elaborate on how you have competitors trying to displace you over the lack of SNI support?
Thanks,
Bryan

‎07-24-2017 10:21 AM
For those reading this thread post Jakarta release: Server Name Indication for outbound web services