VMware Cloud Community
ericr999
Enthusiast

Invoke REST Operation

Hello,

I've added the host, and an operation. Then I generated the workflow.

Trying to invoke the workflow that was generated and I'm getting an SSL error:

[2016-11-18 10:43:49.119] [I] Request: DynamicWrapper (Instance) : [RESTRequest]-[class com.vmware.o11n.plugin.rest.Request] -- VALUE : com.vmware.o11n.plugin.rest.Request@7bd367b4

[2016-11-18 10:43:49.124] [I] Request URL: https://url/app/web/orchestrator/update/step/123/456

[2016-11-18 10:43:49.220] [E] Workflow execution stack:

***

item: 'Invoke 'Test: POST /app/web/orchestrator/update/step/12...'/item1', state: 'failed', business state: 'null', exception: 'Cannot execute the request: ; Received fatal alert: handshake_failure (Workflow:Invoke 'Test: POST /app/web/orchestrator/update/step/12...' / Scripting (item3)#14)'

workflow: 'Invoke 'Test: POST /app/web/orchestrator/update/step/12...'' (800cbd0a-0167-46a6-aff0-abe611832d84)

|  'attribute': name=errorCode type=String value=Cannot execute the request: ; Received fatal alert: handshake_failure (Workflow:Invoke 'Test: POST /app/web/orchestrator/update/step/12...' / Scripting (item3)#14)

|  'attribute': name=restOperation type=REST:RESTOperation value=dunes://service.dunes.ch/CustomSDKObject?id='21ea9502-53a0-4ffc-9714-8815f886adaa:ed65ac13-7790-4d8d-b0d7-1b224d5b99c0'&dunesName='REST:RESTOperation'

|  'attribute': name=statusCodeAttribute type=Number value=null

|  'attribute': name=hostResource type=ResourceElement value=dunes://service.dunes.ch/ResourceElement?id='9af5f116-ff9e-4e54-9821-8a8f11547f58'&dunesName='ResourceElement'

|  'input': name=content type=String value=

|  'output': name=statusCode type=Number value=null

|  'output': name=contentLength type=Number value=null

|  'output': name=headers type=Properties value=null

|  'output': name=contentAsString type=String value=null

*** End of execution stack.

The remote host has a certificate with the chain.

openssl s_client -connect url:443

CONNECTED(00000003)

depth=2 C = CA, ST = QC, O = XXXXX, OU = ICP, CN = XXXXXX

verify error:num=19:self signed certificate in certificate chain

140528935810728:error:14094410:SSL routines:ssl3_read_bytes:sslv3 alert handshake failure:s3_pkt.c:1472:SSL alert number 40

140528935810728:error:140790E5:SSL routines:ssl23_write:ssl handshake failure:s23_lib.c:177:

---

Certificate chain

0 s:/C=CA/ST=QC/O=XXXXX/OU=Serveurs/OU=unix/CN=URL

   i:/C=CA/ST=QC/O=XXXXX/OU=ICP/CN=XXXX

1 s:/C=CA/ST=QC/O=XXXXX/OU=ICP/CN=XXXX

   i:/C=CA/ST=QC/O=XXXXXX/OU=ICP/CN=XXXX

2 s:/C=CA/ST=QC/O=XXXXXX/OU=ICP/CN=XXXX

   i:/C=CA/ST=QC/O=XXXXX/OU=ICP/CN=XXXX

---

Server certificate

-----BEGIN CERTIFICATE-----

XXXXX

-----END CERTIFICATE-----

subject=/C=CA/ST=QC/O=XXXXX/OU=Serveurs/OU=unix/CN=URL

issuer=/C=CA/ST=QC/O=XXXXX/OU=ICP/CN=XXXXXX

---

Acceptable client certificate CA names

/C=CA/ST=QC/O=XXXXX/OU=Autorite-Certification/OU=XXXX

/C=CA/ST=QC/O=XXXXX/OU=ICP/CN=XXXX

/C=CA/ST=QC/O=XXXX/OU=ICP/CN=XXXX

/C=CA/ST=QC/O=XXXX/OU=ICP/CN=XXXX

/C=CA/ST=QC/O=XXXX/OU=ICP/CN=XXXX

Client Certificate Types: RSA sign, DSA sign, ECDSA sign

Server Temp Key: ECDH, P-256, 256 bits

---

SSL handshake has read 5943 bytes and written 146 bytes

---

New, TLSv1/SSLv3, Cipher is ECDHE-RSA-AES256-SHA

Server public key is 2048 bit

Secure Renegotiation IS supported

Compression: NONE

Expansion: NONE

No ALPN negotiated

SSL-Session:

    Protocol  : TLSv1

    Cipher    : ECDHE-RSA-AES256-SHA

    Session-ID:

    Session-ID-ctx:

    Master-Key: A62BDBA5E58CA071B2056318CD579C4CAA87A55BCEB458F7154E34784946161D2B8FC259428D8F85DC8EA7C5CB4C3BE7

    Key-Arg   : None

    PSK identity: None

    PSK identity hint: None

    SRP username: None

    Start Time: 1479485992

    Timeout   : 300 (sec)

    Verify return code: 19 (self signed certificate in certificate chain)

---

If I run a curl I get this:

bdrovro100:~ # curl  -v --tlsv1 -vH "Accept: application/json" -X POST  --insecure https://url/app/web/orchestrator/update/step/123/456

*   Trying XXXX...

* Connected to URL (XXXX) port 443 (#0)

* ALPN, offering http/1.1

* Cipher selection: ALL:!EXPORT:!EXPORT40:!EXPORT56:!aNULL:!LOW:!RC4:@STRENGTH

* successfully set certificate verify locations:

*   CAfile: none

  CApath: /etc/ssl/certs/

* TLSv1.2 (OUT), TLS header, Certificate Status (22):

* TLSv1.2 (OUT), TLS handshake, Client hello (1):

* TLSv1.0 (IN), TLS handshake, Server hello (2):

* TLSv1.0 (IN), TLS handshake, Certificate (11):

* TLSv1.0 (IN), TLS handshake, Server key exchange (12):

* TLSv1.0 (IN), TLS handshake, Request CERT (13):

* TLSv1.0 (IN), TLS handshake, Server finished (14):

* TLSv1.0 (OUT), TLS handshake, Certificate (11):

* TLSv1.0 (OUT), TLS handshake, Client key exchange (16):

* TLSv1.0 (OUT), TLS change cipher, Client hello (1):

* TLSv1.0 (OUT), TLS handshake, Finished (20):

* TLSv1.0 (IN), TLS alert, Server hello (2):

* error:14094410:SSL routines:ssl3_read_bytes:sslv3 alert handshake failure

* Closing connection 0

curl: (35) error:14094410:SSL routines:ssl3_read_bytes:sslv3 alert handshake failure

Any idea how I could make this work?


Accepted Solutions
iiliev
VMware Employee

A few things to check:

  • ensure TLSv1/SSL3 is not disabled globally (e.g. at the OS level)
  • check what the key usage of your key/certificate is
  • try adding the following options to the curl command: -i --trace filename, and then check whether more info is written to filename
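
One way to read the curl handshake lines quoted in the question, as an added example that is not part of the original posts: it records the version on the Server hello, whether the server sent a Request CERT (handshake type 13), and the last handshake message before the inbound alert. The names `parse` and `diagnose` are hypothetical, and `TRACE` is the question's own output embedded as sample input.

```python
import re

# Constructed input: the TLS lines of the `curl -v` output quoted in the question.
TRACE = """\
* TLSv1.2 (OUT), TLS header, Certificate Status (22):
* TLSv1.2 (OUT), TLS handshake, Client hello (1):
* TLSv1.0 (IN), TLS handshake, Server hello (2):
* TLSv1.0 (IN), TLS handshake, Certificate (11):
* TLSv1.0 (IN), TLS handshake, Server key exchange (12):
* TLSv1.0 (IN), TLS handshake, Request CERT (13):
* TLSv1.0 (IN), TLS handshake, Server finished (14):
* TLSv1.0 (OUT), TLS handshake, Certificate (11):
* TLSv1.0 (OUT), TLS handshake, Client key exchange (16):
* TLSv1.0 (OUT), TLS change cipher, Client hello (1):
* TLSv1.0 (OUT), TLS handshake, Finished (20):
* TLSv1.0 (IN), TLS alert, Server hello (2):
"""

LINE = re.compile(r"\*\s+(TLSv[\d.]+|SSLv\d) \((IN|OUT)\), TLS ([a-z ]+), (.+) \((\d+)\):")

def parse(trace):
    """Return (version, direction, record_type, label, number) for each TLS line."""
    rows = []
    for line in trace.splitlines():
        m = LINE.match(line.strip())
        if m:
            rows.append(m.groups()[:4] + (int(m.group(5)),))
    return rows

def diagnose(trace):
    """Summarise how far the handshake got before the peer sent an alert."""
    rows = parse(trace)
    result = {"negotiated": None, "client_cert_requested": False, "alert_after": None}
    for i, (ver, direction, record, label, num) in enumerate(rows):
        # This curl output puts a handshake-style label on alert and change-cipher
        # lines too, so they are keyed on the record type and the label is ignored.
        if record == "alert" and direction == "IN":
            prior = [r for r in rows[:i] if r[2] == "handshake"]
            result["alert_after"] = "%s %s" % (prior[-1][1], prior[-1][3]) if prior else None
            break
        if record == "handshake" and direction == "IN":
            if num == 2:     # ServerHello: the version the server settled on
                result["negotiated"] = ver
            if num == 13:    # CertificateRequest: server asks for a client certificate
                result["client_cert_requested"] = True
    return result
```

On the question's trace this reports TLSv1.0 negotiated, a client certificate requested, and the alert arriving after the client's Finished, so the handshake got past version selection and the certificate check in the list above is the one to look at.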

ericr999
Enthusiast

Hi Ilian,

You may be right! I've double-checked the remote web server for its settings. And I've used a great tool that I found online, https://testssl.sh/, and it appears that my web server has multiple problems that I will have to look at.

Thanks for your input! My issue is not solved yet, but at least I'm on the right track.
