Two-way SSL (Southbound) fails with Error: Proxy refused to create tunnel with response status 403

ankitmadho
Participant II

We are trying to connect to a backend with 2-way SSL implemented. We have uploaded the backend's Certificate as a TrustStore (AAA-Enabler) and have provided our Certificate to the backend developers (ApixPreprodClientCert). We have named both the Keystore and Alias as ApixPreprodClientCert.

In our HTTPTargetConnection, we have SSLInfo like:

<SSLInfo>
    <Enabled>true</Enabled>
    <ClientAuthEnabled>true</ClientAuthEnabled>
    <KeyStore>ApixPreprodClientCert</KeyStore>
    <KeyAlias>ApixPreprodClientCert</KeyAlias>
    <TrustStore>AAA-Enabler</TrustStore>
    <IgnoreValidationErrors>true</IgnoreValidationErrors>
</SSLInfo>

When trying to invoke this API, we get the following fault before the target can be invoked:

error Proxy refused to create tunnel with response status 403
type ErrorPoint
state TARGET_REQ_FLOW
error.class com.apigee.errors.http.server.ServiceUnavailableException
Identifier fault

We are successfully able to make a cURL request to the backend using both certificates like:

curl -ivs --cacert ./cert.pem --cert ./client.crt --key ./client.key -d @pass.xml https://backendhost:backendport/resource -X POST

We are simply not able to figure out why we can't make a call from the API. Please help.


ankitmadho
Participant II

@Dino @Anil Sagar @ Google @Dino-at-Google @Anil Sagar: Can any one of you help here please? It is very urgent for us.

ylesyuk
Participant V

Hi Ankit,

It could be all kinds of causes. The most scientific way forward would be to trace the TCP/TLS handshake and read the real error. If you use OPDK, that's easy to switch on at the MP. If it is Cloud, then it might be easier for you to take a tcpdump on your backend server side.

The error message clearly talks about a proxy tunnel. Does your backend need to be connected through proxy settings? Should the client be whitelisted? Is it OPDK and are you using the HTTP client proxy configuration?
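The fault in the question ("Proxy refused to create tunnel with response status 403") and the reply above point at the same distinction: a forward proxy answering an HTTP CONNECT with 403 is a proxy policy refusal that happens before any TLS handshake, whereas a bad keystore/truststore pairing shows up as a handshake error after the tunnel is up. The following script is an added example, not code from the thread or from Apigee; it reproduces the two steps a message processor performs (CONNECT through the proxy, then the mutual-TLS handshake using the same client cert, key and CA file as the cURL command) and reports which step fails. The proxy host and port, the backend port and the file paths are placeholders to be replaced with your own values.

```python
"""Separate an HTTP CONNECT tunnel refusal from a mutual-TLS handshake failure.

Added example (not from the original thread or from Apigee). Host names, ports
and file paths are assumptions/placeholders.
"""
from __future__ import annotations

import socket
import ssl


def build_connect_request(target_host: str, target_port: int) -> bytes:
    """Build the CONNECT request a forward proxy expects before it tunnels TCP."""
    return (
        f"CONNECT {target_host}:{target_port} HTTP/1.1\r\n"
        f"Host: {target_host}:{target_port}\r\n"
        "Proxy-Connection: keep-alive\r\n\r\n"
    ).encode("ascii")


def parse_connect_status(raw: bytes) -> tuple[int, str]:
    """Return (status_code, reason) from the proxy's reply to CONNECT.

    Raises ValueError when the bytes do not start with an HTTP status line.
    """
    head = raw.split(b"\r\n\r\n", 1)[0]
    status_line = head.split(b"\r\n", 1)[0].decode("iso-8859-1", "replace")
    parts = status_line.split(" ", 2)
    if len(parts) < 2 or not parts[0].startswith("HTTP/") or not parts[1].isdigit():
        raise ValueError(f"not an HTTP status line: {status_line!r}")
    reason = parts[2] if len(parts) == 3 else ""
    return int(parts[1]), reason


def classify(status: int) -> str:
    """Translate the proxy status into the layer that is actually failing."""
    if status == 200:
        return "tunnel established; any further failure is TLS or the backend"
    if status in (401, 407):
        return "proxy requires authentication"
    if status == 403:
        return "proxy policy refused the tunnel (destination allow-list), not a certificate problem"
    return f"unexpected proxy status {status}"


def mtls_context(cacert: str, client_cert: str, client_key: str,
                 verify: bool = True) -> ssl.SSLContext:
    """Build the client-side TLS context: CA file = TrustStore, cert+key = KeyStore/KeyAlias."""
    ctx = ssl.create_default_context(cafile=cacert)
    ctx.load_cert_chain(certfile=client_cert, keyfile=client_key)
    if not verify:  # rough equivalent of IgnoreValidationErrors=true
        ctx.check_hostname = False
        ctx.verify_mode = ssl.CERT_NONE
    return ctx


def probe(proxy: tuple[str, int] | None, target: tuple[str, int],
          cacert: str, client_cert: str, client_key: str, timeout: float = 10) -> int:
    """Connect (via the proxy if given), then run the mTLS handshake.

    Returns the proxy status when the tunnel is refused, 200 when the handshake
    succeeds, and -1 when the handshake itself fails.
    """
    sock = socket.create_connection(proxy or target, timeout=timeout)
    try:
        if proxy:
            sock.sendall(build_connect_request(*target))
            reply = b""
            while b"\r\n\r\n" not in reply:
                chunk = sock.recv(4096)
                if not chunk:
                    break
                reply += chunk
            status, reason = parse_connect_status(reply)
            print(f"proxy: {status} {reason} -> {classify(status)}")
            if status != 200:
                return status
        ctx = mtls_context(cacert, client_cert, client_key)
        with ctx.wrap_socket(sock, server_hostname=target[0]) as tls:
            print("TLS", tls.version(), "cipher", tls.cipher()[0])
            print("server cert subject:", tls.getpeercert().get("subject"))
        return 200
    except ssl.SSLError as exc:
        print("handshake failed:", exc)
        return -1
    finally:
        sock.close()


if __name__ == "__main__":
    # Placeholder values: the proxy the message processor uses, the backend,
    # and the same files that work with the cURL command in the question.
    probe(("proxy.example", 3128), ("backendhost", 8443),
          "./cert.pem", "./client.crt", "./client.key")
```

Run it once with `proxy=None` (direct, as cURL does) and once with the proxy the message processor is configured to use; if the direct run completes the handshake while the proxied run prints a 403 from the proxy, the certificates are fine and the tunnel refusal is the thing to take to whoever owns the proxy allow-list.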