9 replies Latest Post - 2013-05-21T17:23:21Z by shiufun
Chris.Z

DataPower SSL connection to WCF/IIS/.net

2013-04-29T17:25:04Z

This is the error we are getting when trying to test our connection.  Note that this same web service works fine when it's on HTTP.  Once we put it on HTTPS we get these errors.

First of all, what does Invalid Transport Protocol mean?  I tried googling to no success.
Second, where is this store:///dp/transport-check.xsl located?  I do not see that in our file menu....
Lastly, I'm pretty sure the server on the backend is using the wrong SSL cert.  When you go to that webpage in your browser it says it is not validated.  It is a valid company cert, but their domain is "sub.sub.domain.com" and the cert is just "*domain.com".  I am told they need a cert for their sub domains.  I admit to not knowing so much about certs and why just *domain.com wouldn't work.

Any help is appreciated.

Thanks.

Updated on 2013-04-29T18:01:15Z by Chris.Z
  • kenhygh

    Re: DataPower SSL connection to WCF/IIS/.net

    2013-04-29T17:38:00Z in response to Chris.Z

    Chris,

    First, turn on 'debug' mode so you can see more details. Second, store:///dp/ is a hidden directory, you cannot get to it. Third, is this being called with 'http://' but over SSL?

     

    Ken

    • Chris.Z

      Re: DataPower SSL connection to WCF/IIS/.net

      2013-04-29T17:44:56Z in response to kenhygh

      Debug probes are on, and log level is debug.  No, this should be all HTTPS.

      • kenhygh

        Re: DataPower SSL connection to WCF/IIS/.net

        2013-04-29T18:21:58Z in response to Chris.Z

        The log you posted wasn't from debug. There should be more details in the log.

        • Chris.Z

          Re: DataPower SSL connection to WCF/IIS/.net

          2013-04-29T18:32:33Z in response to kenhygh

          When you say "wasn't from debug"....do you mean it wasn't from the DEBUG PROBE?  Or it isn't DEBUG LOG LEVEL?  The logs I posted were running at debug log level format, and those were the only errors.  No other errors or warnings showed in this transaction.  Is there something specific you are looking for?  The full log of the transaction is pretty long.

          • kenhygh

            Re: DataPower SSL connection to WCF/IIS/.net

            2013-04-29T19:40:53Z in response to Chris.Z

            LOG. All you showed were errors, no debug messages at all. You'll need to look at the other messages to get other details. Like if DP doesn't like the certificate.

            • Chris.Z

              Re: DataPower SSL connection to WCF/IIS/.net

              2013-04-29T20:03:49Z in response to kenhygh

              Alright.  Here is the full log.  I have removed some private info as I figure you can never be too paranoid, right? =)

               

               

              mpgw (FYI_MPG): Response Finished: memory used 775088
              mpgw (FYI_MPG): Latency: 0 13 0 12 13 10 0 39 39 39 39 39 0 39 12 13 [https://IP:PORT/COMPANYLimitsServiceSecure/COMPANYLimitsWCF.svc]
              mpgw (FYI_MPG): Latency: 0 13 0 12 13 10 0 39 39 39 39 39 0 39 12 13 [https://IP:PORT/COMPANYLimitsServiceSecure/COMPANYLimitsWCF.svc]
              mpgw (FYI_MPG): Multistep Probe enabled
              mpgw (FYI_MPG): Response Started: memory used 801368
              mpgw (FYI_MPG): No match from processing policy 'FYI_Routing_Policy' - default rule selected.
              stylepolicy (FYI_Routing_Policy): No response rule is matched, the default rule is selected.
              wsgw (newtest): Response Finished: memory used 1570400
              mpgw (FYI_MPG): Selecting Backside Processing Rule Based on URL: /COMPANYLimitsServiceSecure/COMPANYLimitsWCF.svc
              mpgw (FYI_MPG): HTTP response code 500 for 'http://127.0.0.1:PORT/COMPANYLimitsServiceSecure/COMPANYLimitsWCF.svc'
              wsgw (newtest): rule (newtest_error_rule): #2 results: 'generated from PIPE' completed OK.
              wsgw (newtest): Processing [Rule (newtest_error_rule), Action ('newtest_rule_0_results_1', results()), Input(PIPE), Output(NULL)] finished: memory used 2146576
              wsgw (newtest): rule (newtest_error_rule): #1 xform: 'Transforming INPUT with local:///soapFault.xsl results stored in PIPE' completed OK.
              wsgw (newtest): Processing [Rule (newtest_error_rule), Action ('newtest_rule_0_xform_1', xform(local:///soapFault.xsl)), Input(INPUT), Output(PIPE)] finished: memory used 1693032
              xmlmgr (default): xslt Compilation Request: Found in cache (local:///soapFault.xsl)
              xmlmgr (default): xslt Compilation Request: Checking cache for URL local:///soapFault.xsl
              wsgw (newtest): Stylesheet URL to compile is 'local:///soapFault.xsl'
              wsgw (newtest): Multistep Probe enabled
              wsgw (newtest): Request Finished: memory used 1113648
              wsgw (newtest): rule (newtest_error_rule): selected via match 'newtest_match_all' from processing policy 'newtest' for code '0x00d30003'
              Matching (newtest_match_all): Match: Received URL [/COMPANYLimitsServiceSecure/COMPANYLimitsWCF.svc] matches rule '*'
              wsgw (newtest): Match: Received value [http://www.datapower.com/fragment-id#dp.all()] matches WSDL component type 'fragmentid' 'GetAssets'.
              wsgw (newtest): Match: Received value [http://www.datapower.com/fragment-id#dp.all()] matches WSDL component type 'fragmentid' 'GetAssets'.
              wsgw (newtest): Match: Received value [domain.com#dp.wsdlName(COMPANYLimitsWCF.wsdl)] matches WSDL component type 'fragmentid' 'GetAssets'.
              wsgw (newtest): Rejected by filter; SOAP fault sent
              wsgw (newtest): rule (newtest_request_rule): implied action Calling rule var://service/wspolicy/endpoint/configname with input INPUT and output INPUT failed: Rejected by policy.
              wsgw (newtest): request endpoint_28_3-req #3 filter: 'INPUT store:///dp/transport-check.xsl' failed: Rejected by policy.
              wsgw (newtest): Rejected by filter 'endpoint_28_3-1-1-transport-request' of rule 'endpoint_28_3-req'.
              wsgw (newtest): Execution of 'store:///dp/transport-check.xsl' aborted: Rejected by policy.
              wsgw (newtest): Invalid transport protocol
              xmlmgr (default): xslt Compilation Request: Found in cache (store:///dp/transport-check.xsl)
              xmlmgr (default): xslt Compilation Request: Checking cache for URL store:///dp/transport-check.xsl
              wsgw (newtest): Stylesheet URL to compile is 'store:///dp/transport-check.xsl'
              wsgw (newtest): rule (endpoint_28_3-req): #2 xform: 'Transforming INPUT with store:///identity.xsl results stored in DPPOLICY_SHARED_CONTEXT' completed OK.
              xmlmgr (default): xslt Compilation Request: Found in cache (store:///identity.xsl)
              xmlmgr (default): xslt Compilation Request: Checking cache for URL store:///identity.xsl
              wsgw (newtest): Stylesheet URL to compile is 'store:///identity.xsl'
              wsgw (newtest): rule (endpoint_28_3-req): #1 setvar: 'setting var://service/strict-error-mode in context INPUT to be 1' completed OK.
              wsgw (newtest): Multistep Probe enabled
              xmlmgr (default): xslt Compilation Request: Found in cache (store:///identity.xsl)
              xmlmgr (default): xslt Compilation Request: Checking cache for URL store:///identity.xsl
              wsgw (newtest): Stylesheet URL to compile is 'store:///identity.xsl'
              wsgw (newtest): Parsing document: 'http://127.0.0.1:PORT/COMPANYLimitsServiceSecure/COMPANYLimitsWCF.svc'
              wsgw (newtest): Multistep Probe enabled
              wsgw (newtest): Request Started: memory used 149776
              wsm-stylepolicy (newtest): rule (newtest_request_rule): selected via match 'newtest_wps_match' from processing policy 'newtest'
              Matching (newtest_wps_match): Match: Received URL [/COMPANYLimitsServiceSecure/COMPANYLimitsWCF.svc] matches rule '/COMPANYLimitsServiceSecure*'
              wsgw (newtest): Match: Received value [domain.com#dp.wsdlName(COMPANYLimitsWCF.wsdl)] matches WSDL component type 'fragmentid' 'GetAssets'.
              source-http (test): WS-Proxy selected: 'newtest'. Operation 'GetAssets' matches all criteria.
              xmlmgr (default): Parsing http://127.0.0.1:PORT/COMPANYLimitsServiceSecure/COMPANYLimitsWCF.svc stopped on XPath match
              xmlmgr (default): Parsing document: 'http://127.0.0.1:PORT/COMPANYLimitsServiceSecure/COMPANYLimitsWCF.svc'
              xmlmgr (default): patterns Compilation Request: Found in cache (expr:////*[local-name()='Envelope']/*[local-name()='Body']/*)
              xmlmgr (default): patterns Compilation Request: Checking cache for URL expr:////*[local-name()='Envelope']/*[local-name()='Body']/*
              source-http (test): WS-Proxy newtest operation GetAssets matches address (127.0.0.1:PORT) url (/COMPANYLimitsServiceSecure/COMPANYLimitsWCF.svc). SOAP operation and Action will be evaluated.
              source-http (test): WS-Proxy newtest operation GetCustomer matches address (127.0.0.1:PORT) url (/COMPANYLimitsServiceSecure/COMPANYLimitsWCF.svc). SOAP operation and Action will be evaluated.
              source-http (test): WS-Proxy newtest operation GetData matches address (127.0.0.1:PORT) url (/COMPANYLimitsServiceSecure/COMPANYLimitsWCF.svc). SOAP operation and Action will be evaluated.
              source-http (test): WS-Proxy newtest operation GetDealer matches address (127.0.0.1:PORT) url (/COMPANYLimitsServiceSecure/COMPANYLimitsWCF.svc). SOAP operation and Action will be evaluated.
              source-http (test): WS-Proxy newtest operation GetEvent matches address (127.0.0.1:PORT) url (/COMPANYLimitsServiceSecure/COMPANYLimitsWCF.svc). SOAP operation and Action will be evaluated.
              source-http (test): WS-Proxy newtest operation GetExceptionCalculations matches address (127.0.0.1:PORT) url (/COMPANYLimitsServiceSecure/COMPANYLimitsWCF.svc). SOAP operation and Action will be evaluated.
              source-http (test): WS-Proxy newtest operation GetHILO matches address (127.0.0.1:PORT) url (/COMPANYLimitsServiceSecure/COMPANYLimitsWCF.svc). SOAP operation and Action will be evaluated.
              source-http (test): WS-Proxy newtest operation GetROC matches address (127.0.0.1:PORT) url (/COMPANYLimitsServiceSecure/COMPANYLimitsWCF.svc). SOAP operation and Action will be evaluated.
              source-http (test): WS-Proxy newtest operation GetSQC matches address (127.0.0.1:PORT) url (/COMPANYLimitsServiceSecure/COMPANYLimitsWCF.svc). SOAP operation and Action will be evaluated.
              source-http (test): WS-Proxy newtest operation GetSite matches address (127.0.0.1:PORT) url (/COMPANYLimitsServiceSecure/COMPANYLimitsWCF.svc). SOAP operation and Action will be evaluated.
              source-http (test): WS-Proxy newtest operation SetLimitEVENT matches address (127.0.0.1:PORT) url (/COMPANYLimitsServiceSecure/COMPANYLimitsWCF.svc). SOAP operation and Action will be evaluated.
              source-http (test): WS-Proxy newtest operation SetLimitHILO matches address (127.0.0.1:PORT) url (/COMPANYLimitsServiceSecure/COMPANYLimitsWCF.svc). SOAP operation and Action will be evaluated.
              source-http (test): WS-Proxy newtest operation SetLimitROC matches address (127.0.0.1:PORT) url (/COMPANYLimitsServiceSecure/COMPANYLimitsWCF.svc). SOAP operation and Action will be evaluated.
              source-http (test): WS-Proxy newtest operation SetLimitSQC matches address (127.0.0.1:PORT) url (/COMPANYLimitsServiceSecure/COMPANYLimitsWCF.svc). SOAP operation and Action will be evaluated.
              source-http (test): WS-Proxy newtest operation CreateAsset matches address (127.0.0.1:PORT) url (/COMPANYLimitsServiceSecure/COMPANYLimitsWCF.svc). SOAP operation and Action will be evaluated.
              source-http (test): Generating chunked response stream to front
              source-http (test): Found content length 249 HTTP input
              source-http (test): HTTP Transaction # 1 on this TCP connection
              source-http (test): Received HTTP/1.1 POST for /COMPANYLimitsServiceSecure/COMPANYLimitsWCF.svc from 127.0.0.1
              mpgw (FYI_MPG): Request Finished: memory used 795064
              mpgw (FYI_MPG): Outbound HTTP on new TCP session using HTTP/1.1 to http://127.0.0.1:PORT/COMPANYLimitsServiceSecure/COMPANYLimitsWCF.svc
              mpgw (FYI_MPG): HTTP Header-Retention:Compression Policy: Off, URL: /COMPANYLimitsServiceSecure/COMPANYLimitsWCF.svc
              mpgw (FYI_MPG): HTTP Header-Retention:Header-Retention Policy:MQMD = OFF. MQMD Header = (NULL), URL: http://127.0.0.1:PORT/COMPANYLimitsServiceSecure/COMPANYLimitsWCF.svc
              mpgw (FYI_MPG): HTTP Header-Retention:Header-Retention Policy: Range = OFF. Range Header = (NULL), URL: http://127.0.0.1:PORT/COMPANYLimitsServiceSecure/COMPANYLimitsWCF.svc
              mpgw (FYI_MPG): HTTP Header-Retention:Header-Retention Policy: Accept-Encoding = OFF. Accept-Encoding Header = gzip,deflate, URL: http://127.0.0.1:PORT/COMPANYLimitsServiceSecure/COMPANYLimitsWCF.svc
              mpgw (FYI_MPG): HTTP Header-Retention:Header-Retention Policy: TE = OFF. TE Header = (NULL), URL: http://127.0.0.1:PORT/COMPANYLimitsServiceSecure/COMPANYLimitsWCF.svc
              xmlmgr (FYI_xml_mgr): Attempting TCP connect to 127.0.0.1
              mpgw (FYI_MPG): rule (FYI_Routing_Policy_LimitsService): #3 results: 'generated from INPUT' completed OK.
              mpgw (FYI_MPG): Processing [Rule (FYI_Routing_Policy_LimitsService), Action ('FYI_Routing_Policy_LimitsService_results_0', results()), Input(INPUT), Output(NULL)] finished: memory used 1348088
              mpgw (FYI_MPG): rule (FYI_Routing_Policy_LimitsService): #2 route-set: 'setting route to http://127.0.0.1:PORT/COMPANYLimitsServiceSecure/COMPANYLimitsWCF.svc' completed OK.
              mpgw (FYI_MPG): Processing [Rule (FYI_Routing_Policy_LimitsService), Action ('FYI_Routing_Policy_LimitsService_route-set_0', route-set()), Input(NULL), Output(NULL)] finished: memory used 964720
              mpgw (FYI_MPG): rule (FYI_Routing_Policy_LimitsService): #1 filter: 'INPUT store:///SQL-Injection-Filter.xsl' completed OK.
              mpgw (FYI_MPG): Processing [Rule (FYI_Routing_Policy_LimitsService), Action ('FYI_Routing_Policy_LimitsService_filter_0', filter(store:///SQL-Injection-Filter.xsl)), Input(INPUT), Output(NULL)] finished: memory used 613504
              mpgw (FYI_MPG): Finished parsing: store:///SQL-Injection-Patterns.xml
              mpgw (FYI_MPG): Parsing document: 'store:///SQL-Injection-Patterns.xml'
              xmlmgr (FYI_xml_mgr): xslt Compilation Request: Found in cache (store:///SQL-Injection-Filter.xsl)
              xmlmgr (FYI_xml_mgr): xslt Compilation Request: Checking cache for URL store:///SQL-Injection-Filter.xsl
              mpgw (FYI_MPG): Stylesheet URL to compile is 'store:///SQL-Injection-Filter.xsl'
              mpgw (FYI_MPG): Parsing document: 'https://IP:PORT/COMPANYLimitsServiceSecure/COMPANYLimitsWCF.svc'
              xmlmgr (FYI_xml_mgr): xsd Compilation Request: Found in cache (store:///schemas/soap-envelope.xsd)
              xmlmgr (FYI_xml_mgr): xsd Compilation Request: Checking cache for URL store:///schemas/soap-envelope.xsd
              mpgw (FYI_MPG): Multistep Probe enabled
              mpgw (FYI_MPG): Request Started: memory used 155064
              stylepolicy (FYI_Routing_Policy): rule (FYI_Routing_Policy_LimitsService): selected via match 'newtest_wps_match' from processing policy 'FYI_Routing_Policy'
              Matching (newtest_wps_match): Match: Received URL [/COMPANYLimitsServiceSecure/COMPANYLimitsWCF.svc] matches rule '/COMPANYLimitsServiceSecure*'
              source-https (FYI_HTTPS_FSH_IP1): Generating chunked response stream to front
              source-https (FYI_HTTPS_FSH_IP1): Found content length 210 HTTP input
              source-https (FYI_HTTPS_FSH_IP1): HTTP Transaction # 1 on this TCP connection
              source-https (FYI_HTTPS_FSH_IP1): Received HTTP/1.1 POST for /COMPANYLimitsServiceSecure/COMPANYLimitsWCF.svc from 172.20.209.47
               
              • kenhygh

                Re: DataPower SSL connection to WCF/IIS/.net

                2013-04-29T22:24:47Z in response to Chris.Z

                Chris,

                Sorry, but this has me stumped. You might need to open a PMR with IBM to get a definitive answer.

                Ken

                • Chris.Z

                  Re: DataPower SSL connection to WCF/IIS/.net

                  2013-05-21T17:11:56Z in response to kenhygh

                  So, I have opened a PMR with IBM a while ago.  Here is what I have found out, for anyone who ever sees this thread.

                  IIS adds a transport binding to the WSDL code.  Which basically checks to make sure the connection is initiated by SSL.  So in DataPower's case it makes sure you are using a valid HTTPS Front Side Handler.  We have our incoming connection with an SSL FSH to an MPG, and that MPG sends the request via a normal HTTP FSH to a WSP, which then connects to a backend via SSL.  So it was making sure our WSP had an SSL FSH, which it did not.  Makes no sense why it would care, but it does.  So if we take this transport section out of their WSDL it works, or if we make sure the service (MPG, WSP, XMLFW) connecting to this service is using an HTTPS FSH for its incoming connections...it works.  In our case we changed our WSP FSH to SSL.  There was also an issue with the crypto profile cipher algorithm.  It wanted only the default settings.

  • shiufun

    Re: DataPower SSL connection to WCF/IIS/.net

    2013-05-21T17:23:21Z in response to Chris.Z

    Could you turn on the probe?  It seems like you are using Security Policy -> Transport Binding, I suspect the SSL communication negotiated by the client and DP does not meet the Policy requirement.
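
The transport binding that Chris.Z's findings and shiufun's reply point to can be located in a WSDL before it is loaded into a WS-Proxy. The following is an added example, not code from the thread or from IBM: it lists the WSDL bindings whose attached policy carries an `sp:TransportBinding` with an `sp:HttpsToken`, together with the declared algorithm suite. It assumes the standard WS-SecurityPolicy layout; the sample WSDL and every name in it are constructed.

```python
# Added example (not from the thread): list WSDL bindings whose attached policy
# carries an sp:TransportBinding / sp:HttpsToken assertion.
import xml.etree.ElementTree as ET

WSDL_BINDING = "{http://schemas.xmlsoap.org/wsdl/}binding"
WSU_ID = ("{http://docs.oasis-open.org/wss/2004/01/"
          "oasis-200401-wss-wssecurity-utility-1.0.xsd}Id")
WRAPPERS = {"AlgorithmSuite", "Policy", "ExactlyOne", "All"}

def local(el):
    """Element name without its namespace."""
    return el.tag.rsplit("}", 1)[-1]

def transport_assertion(policy):
    """Return (algorithm_suite, client_cert_required), or None if absent."""
    for tb in (e for e in policy.iter() if local(e) == "TransportBinding"):
        token = next((e for e in tb.iter() if local(e) == "HttpsToken"), None)
        if token is None:
            continue
        suite = next((local(c) for e in tb.iter() if local(e) == "AlgorithmSuite"
                      for c in e.iter() if local(c) not in WRAPPERS), None)
        # SecurityPolicy 1.1 uses an attribute, 1.2 a nested assertion.
        cert = (token.get("RequireClientCertificate") == "true" or
                any(local(c) == "RequireClientCertificate" for c in token.iter()))
        return suite, cert
    return None

def bindings_requiring_https(wsdl_text):
    """Map wsdl:binding name -> (algorithm_suite, client_cert_required)."""
    root = ET.fromstring(wsdl_text)
    policies = {p.get(WSU_ID): p for p in root.iter() if local(p) == "Policy"}
    found = {}
    for binding in root.iter(WSDL_BINDING):
        # Binding-level policy attachment only (direct children).
        for ref in (c for c in binding if local(c) == "PolicyReference"):
            policy = policies.get(ref.get("URI", "").lstrip("#"))
            hit = transport_assertion(policy) if policy is not None else None
            if hit:
                found[binding.get("name")] = hit
    return found

# Constructed sample WSDL fragment; all names are made up for illustration.
SAMPLE = """<wsdl:definitions xmlns:wsdl="http://schemas.xmlsoap.org/wsdl/"
 xmlns:wsp="http://schemas.xmlsoap.org/ws/2004/09/policy"
 xmlns:sp="http://schemas.xmlsoap.org/ws/2005/07/securitypolicy"
 xmlns:wsu="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-utility-1.0.xsd">
 <wsp:Policy wsu:Id="Secure_policy"><wsp:ExactlyOne><wsp:All>
  <sp:TransportBinding><wsp:Policy>
   <sp:TransportToken><wsp:Policy><sp:HttpsToken RequireClientCertificate="false"/></wsp:Policy></sp:TransportToken>
   <sp:AlgorithmSuite><wsp:Policy><sp:Basic256/></wsp:Policy></sp:AlgorithmSuite>
  </wsp:Policy></sp:TransportBinding></wsp:All></wsp:ExactlyOne></wsp:Policy>
 <wsdl:binding name="SecureBinding"><wsp:PolicyReference URI="#Secure_policy"/></wsdl:binding>
 <wsdl:binding name="PlainBinding"/>
</wsdl:definitions>"""
```

Calling `bindings_requiring_https(SAMPLE)` reports only `SecureBinding`; a binding listed here is one whose policy demands an HTTPS transport. For a WSDL fetched from an endpoint you do not control, parse it with a hardened XML parser rather than the standard-library one.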