Topic
12 replies Latest Post - ‏2013-10-30T18:38:14Z by HermannSW
thotranh
thotranh
76 Posts
ACCEPTED ANSWER

Pinned topic Best Way to test a HTTP REQUEST outbound from DP

‏2013-09-18T20:01:10Z |

I am trying to test an HTTP request in the Production environment via SSL

DATAPOWER -----> external HTTP Request service (eg. RESTFul service), let's say "SEARCH service"

This is in the production, so the only thing that we can do now (before implementing any actual DP Policy) is :

1/ test the Ping to the external URL   or

2/ test the TCP connection with the desired port (eg.  TCP to the external IP with port 443 or 8443 for SSL )

These tests are done via the Troubleshooting Panel.

3/ This is the third test : we need to test the actual SEARCH service to make sure that we can get a response (eg. search result) by invoking a HTTPs call from the DP (DP as SSL client). What would be the simplest way to do this test without creating any services (such as XML Fireewall, WS, MultiGateway,etc.).  Just a simple invocation from the DP to make sure that it can present its cert  , gets authenticated , and get a response back so that we know all the firewall connection is open and DP can be authenticated OK ...

Please advise.

  • JoeMorganNTST
    JoeMorganNTST
    427 Posts
    ACCEPTED ANSWER

    Re: Best Way to test a HTTP REQUEST outbound from DP

    ‏2013-09-18T20:21:31Z  in response to thotranh

    If the TCP connection works, the firewall is open to the search service.


    Try sending a test message "Administration->Debug->Send a Test Message" and try it that way.

    I'm curious why you want to make a full integration test without setting up a service?  Just setup the service with the proper SSL proxy profile (looks like you're doing 2-way SSL), expose the service on an open IP:Port, and call it.

    Updated on 2013-09-18T20:25:16Z at 2013-09-18T20:25:16Z by JoeMorganNTST
    • thotranh
      thotranh
      76 Posts
      ACCEPTED ANSWER

      Re: Best Way to test a HTTP REQUEST outbound from DP

      ‏2013-09-18T23:18:12Z  in response to JoeMorganNTST

      We'll be calling the external web service (HTTPs) with 2-way SSL . 

      Back-end client -----------<http:port>------->   Datapower ---------HTTP/2-way SSL  <https:port>----------->  External Web Service

      This is in production, so in order for the back-end client to call the external WS via the DP , we will need to go through an approval process to open the firewall and port to connect to the HTTP front-side handler.

      So we're just getting prepared for that final approval, we need to test 1/ TCP connection to the external service  is good (done) 

      2/ need to invoke the HTTPs request to the external with the Datapower's X509 cert  ON THE DATAPOWER (if possible) instead of having to go through an HTTPS front-side hanlder.  We want to make sure that the DP's cert is authenticated fine and get a response back , from the DP itself .

      Hope that it makes sense ... 

      So , would your instruction above work for my scenario >?

      THANK YOU

      • Sudarshan Hebbar
        Sudarshan Hebbar
        57 Posts
        ACCEPTED ANSWER

        Re: Best Way to test a HTTP REQUEST outbound from DP

        ‏2013-09-19T01:13:25Z  in response to thotranh

        Why don you try cUrl which ingnores SSL handshake, if you are concerned about the data received.

        For Example : curl -k -u user:password -d @AMP_getdomainlist.xml https://DataPowerIP:Port/service/mgmt/amp/1.0

        • thotranh
          thotranh
          76 Posts
          ACCEPTED ANSWER

          Re: Best Way to test a HTTP REQUEST outbound from DP

          ‏2013-09-19T08:32:03Z  in response to Sudarshan Hebbar

          Thanks .  I do need to test the SSL handshake, with the cert from the Datapower to make sure that the Datapower can be authenticated (DataPower as a "service' principal).   

          Please let me know if there's anything *on the DP* itself that can help me achieve this test :  making a HTTPs request to an external with a cert (stored on the DP that represents the DP)  and get some response back (without needing an external client such as browser that has to go through a front-side handler)

          • HermannSW
            HermannSW
            4238 Posts
            ACCEPTED ANSWER

            Re: Best Way to test a HTTP REQUEST outbound from DP

            ‏2013-09-19T10:35:28Z  in response to thotranh

            So you want to do it "on the box".

            Joe's idea with "Send a test message" does not work directly.

            But you can create a servive on the box (with HTTP listener on 127.0.0.1) accessing your backend with 2-way SSL.
            Then you should be able to use "Send a test message" against URL "http://127.0.0.1:yourport" to test backend 2-way SSL.

             


            Hermann<myXsltBlog/> <myXsltTweets/> <myCE/>


             

            • thotranh
              thotranh
              76 Posts
              ACCEPTED ANSWER

              Re: Best Way to test a HTTP REQUEST outbound from DP

              ‏2013-09-19T13:16:26Z  in response to HermannSW

              Thanks for your help.  Yes, that's exactly what I need to do :  test a service "on the box" with 2-way SSL.

              > you can create a servive on the box (with HTTP listener on 127.0.0.1) accessing your backend with 2-way SSL.

              I am not quite sure how to do this .

              Do you mean that I can create something like a simple Multi Gateway or Web Service Proxy ?

              How do I configure the "HTTP Listener on local box ?

              Please clarify . Thanks

              • thotranh
                thotranh
                76 Posts
                ACCEPTED ANSWER

                Re: Best Way to test a HTTP REQUEST outbound from DP

                ‏2013-09-19T14:13:36Z  in response to thotranh

                I created a Multi Gateway and a local listener on the box (HTTPs front side handler 127.0.0.1). 

                However, when i tried to do "Send a Test Message" for a GET request, it required that "Request Body is required".

                The external request is just an HTTPs GET , not a POST, so I guess I wouldn't need a "Request Body", but "Send a Test Message" seems to require request body.

                Any idea ?

                Thanks

              • HermannSW
                HermannSW
                4238 Posts
                ACCEPTED ANSWER

                Re: Best Way to test a HTTP REQUEST outbound from DP

                ‏2013-09-19T14:33:01Z  in response to thotranh

                Hi,

                just create a MPGW, the simplest form is with pass-thru request and response types and "default" policy.

                You can enter your backend as static backend, and provide the SSL Client Profile.

                Finally you create a new HTTP Frontside Handler with  Local IP Address  either 0.0.0.0 or better 127.0.0.1.


                Here you can see "Send Test Message" tool against a local (127.0.0.1) service.

                Back in 2010 I did fix Probe APAR IC66310 on "extra namespaces".

                Similar issue happens below in  Response Body  (dpm namespace declaration).
                If you create a PMR that will be fixed.

                 


                Hermann<myXsltBlog/> <myXsltTweets/> <myCE/>

              • JoeMorganNTST
                JoeMorganNTST
                427 Posts
                ACCEPTED ANSWER

                Re: Best Way to test a HTTP REQUEST outbound from DP

                ‏2013-09-19T14:37:54Z  in response to thotranh

                Wasn't this your original post?

                What would be the simplest way to do this test without creating any services (such as XML Fireewall, WS, MultiGateway,etc.).  Just a simple invocation from the DP to make sure that it can present its cert  , gets authenticated , and get a response back so that we know all the firewall connection is open and DP can be authenticated OK

                 Which is why we are all confused.

                The short end of it is this, you need to setup a service within DataPower.  The sound of it is you will need this service anyway, so what's the harm in doing it now?

                Is the back end a web service?  If yes, then setup a WSP.  Is it something else?  Then I'd recommend you use an MPG.  Setup an HTTP FSH on the service that you *can* reach, and you can use a browser to make the call to DP and see what comes back.  You *can* use cURL, but it is overkill for a simple test request.

                What HermannSW is saying is that if you *cannot* use an HTTP FSH on an *externally reachable* IP:Port on the DP, then setup your service's FSH to listen on 127.0.0.1 on whatever port, and then use the Send Test Message tool to test through that FSH.

                The service will negotiate the outbound mutual SSL, and you can debug the SSL Proxy until it works.  Once you do get an IP/Port, then just change the FSH to listen on that.

                 

                 

                • thotranh
                  thotranh
                  76 Posts
                  ACCEPTED ANSWER

                  Re: Best Way to test a HTTP REQUEST outbound from DP

                  ‏2013-09-19T15:00:12Z  in response to JoeMorganNTST

                  Thanks . So after HermannSW explained it, i created a simple MGW as a proxy to a back-end HTTP service over ssl .

                  so let's say the back-end service is  http://backend.com/search?name=xyz  ( GET HTTP , no body/payload)

                  and the response is <result>...</result>

                  The DP --- 2-way SSL to this backend service.

                  When I use the "Send a Test Message" tool, i am a little confused about what to put on the Request Body , since I wouldn't have a request body . It' just a GET request.   With an empty REQUEST body, i'd expect to get back <result>...</result> in teh response.

                  Why does the "Send a Test Message" always require a "Request Body" (to be not empty) ???

                  Maybe I'm missing something about using this Test tool on the box. THANK YOU

                  Updated on 2013-09-19T16:18:52Z at 2013-09-19T16:18:52Z by thotranh
    • HermannSW
      HermannSW
      4238 Posts
      ACCEPTED ANSWER

      Re: Best Way to test a HTTP REQUEST outbound from DP

      ‏2013-09-19T10:25:04Z  in response to JoeMorganNTST

      > Try sending a test message "Administration->Debug->Send a Test Message" and try it that way.
      >

      That uses a non-configurable internal SSL proxy, so I doubt that it will work with 2-way SSL.

       


      Hermann<myXsltBlog/> <myXsltTweets/> <myCE/>