Two-way SSL (southbound) fails with error: Proxy refused to create tunnel with response status 403

We are trying to connect to a backend that has 2-way SSL implemented. We have uploaded the backend's certificate as a TrustStore (AAA-Enabler) and have provided our certificate to the backend developers (ApixPreprodClientCert). We have named both the KeyStore and the alias ApixPreprodClientCert.

In our HTTPTargetConnection, the SSLInfo looks like this:

<SSLInfo>
  <Enabled>true</Enabled>
  <ClientAuthEnabled>true</ClientAuthEnabled>
  <KeyStore>ApixPreprodClientCert</KeyStore>
  <KeyAlias>ApixPreprodClientCert</KeyAlias>
  <TrustStore>AAA-Enabler</TrustStore>
  <IgnoreValidationErrors>true</IgnoreValidationErrors>
</SSLInfo>

When trying to invoke this API, we get the following fault before the target can be invoked:

error Proxy refused to create tunnel with response status 403
type ErrorPoint
state TARGET_REQ_FLOW
error.class com.apigee.errors.http.server.ServiceUnavailableException
Identifier fault

We are able to make a cURL request to the backend successfully using both certificates, like this:

curl -ivs --cacert ./cert.pem --cert ./client.crt --key ./client.key -d @pass.xml https://backendhost:backendport/resource -X POST

We are simply not able to figure out why we can't make the call from the API proxy. Please help.


@Dino @Anil Sagar @ Google @Dino-at-Google @Anil Sagar: Can any one of you help here, please? It is very urgent for us.

Hi Ankit,

It could be all kinds of causes. The most scientific way forward would be to trace the TCP/TLS handshake and read the real error. If you use OPDK, that's easy to switch on at the MP. If it is Cloud, then it might be easier for you to take a tcpdump on your backend server side.

The error message clearly talks about a proxy tunnel. Does your backend need to be reached through proxy settings? Should the client be whitelisted? Is it OPDK, and are you using an HTTP client proxy configuration?
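The reply above points at the tunnel: "Proxy refused to create tunnel" is what an HTTP CONNECT step through a forward proxy looks like when the proxy answers with a non-2xx status, and a 403 there happens before any TLS bytes are exchanged, so neither the keystore nor the truststore (nor IgnoreValidationErrors) has been consulted yet. The curl command in the question connects to the backend directly and therefore never exercises that step; `curl --proxy http://proxyhost:proxyport ...` would. The script below, an added example written for this thread and not code from Apigee or from either poster, walks the same path by hand and reports which stage failed: the CONNECT to the proxy or the mutual-TLS handshake inside the tunnel. The proxy address, the backend host/port and the certificate file names are assumptions, and the two proxy replies at the bottom are constructed samples, not captures.

```python
"""Walk the southbound path by hand: CONNECT through a forward proxy, then a
mutual-TLS handshake inside the tunnel, reporting which stage failed.

Added example for this thread, not Apigee code.  The proxy address, the
backend hostname/port and the file names are assumptions."""
from __future__ import annotations

import socket
import ssl
from dataclasses import dataclass


@dataclass
class TunnelResult:
    stage: str          # "proxy" (CONNECT refused), "tls" (handshake failed) or "ok"
    status: int | None  # HTTP status the proxy returned to CONNECT, if any
    detail: str


def build_connect_request(host: str, port: int) -> bytes:
    """The CONNECT request a forward proxy expects before it opens a tunnel."""
    return (
        f"CONNECT {host}:{port} HTTP/1.1\r\n"
        f"Host: {host}:{port}\r\n"
        "Proxy-Connection: keep-alive\r\n"
        "\r\n"
    ).encode("ascii")


def parse_connect_response(raw: bytes) -> tuple[int, str, dict[str, str]]:
    """Return (status, reason, headers) from the proxy's reply to CONNECT.

    Only a 2xx means the tunnel is open.  A 403 here is the proxy refusing
    the destination before a single TLS byte has been sent, so the client
    certificate and truststore have not been consulted at all."""
    head, _, _ = raw.partition(b"\r\n\r\n")
    lines = head.decode("iso-8859-1").split("\r\n")
    parts = lines[0].split(" ", 2)                 # "HTTP/1.1 403 Forbidden"
    status = int(parts[1])
    reason = parts[2].strip() if len(parts) > 2 else ""
    headers: dict[str, str] = {}
    for line in lines[1:]:
        if ":" in line:
            name, value = line.split(":", 1)
            headers[name.strip().lower()] = value.strip()
    return status, reason, headers


def read_connect_reply(sock: socket.socket) -> bytes:
    """Read until the end of the proxy's response headers."""
    buf = b""
    while b"\r\n\r\n" not in buf:
        chunk = sock.recv(4096)
        if not chunk:
            raise ConnectionError("proxy closed the connection without answering CONNECT")
        buf += chunk
    return buf


def mtls_via_proxy(proxy: tuple[str, int], target: tuple[str, int],
                   certfile: str, keyfile: str, cafile: str,
                   timeout: float = 10.0) -> TunnelResult:
    """Open a tunnel through `proxy` to `target`, then run a client-authenticated
    TLS handshake inside it, as an API platform behind a forward proxy would."""
    ctx = ssl.create_default_context(cafile=cafile)   # trust only the backend's CA/cert
    ctx.load_cert_chain(certfile, keyfile)            # our client certificate and key
    with socket.create_connection(proxy, timeout=timeout) as raw:
        raw.sendall(build_connect_request(*target))
        status, reason, _ = parse_connect_response(read_connect_reply(raw))
        if not 200 <= status < 300:
            return TunnelResult("proxy", status, f"CONNECT refused: {status} {reason}")
        try:
            with ctx.wrap_socket(raw, server_hostname=target[0]) as tls:
                subject = tls.getpeercert().get("subject")
                return TunnelResult("ok", status, f"{tls.version()} established; peer {subject}")
        except ssl.SSLError as exc:
            return TunnelResult("tls", status, f"TLS handshake failed: {exc}")


# Constructed samples of proxy replies to CONNECT (not captured from any real system).
SAMPLE_403 = (b"HTTP/1.1 403 Forbidden\r\n"
              b"Content-Type: text/plain\r\n"
              b"Connection: close\r\n"
              b"\r\n"
              b"destination not allowed\r\n")
SAMPLE_200 = b"HTTP/1.1 200 Connection established\r\n\r\n"

if __name__ == "__main__":
    for sample in (SAMPLE_403, SAMPLE_200):
        print(parse_connect_response(sample))
    # Live check against the assumed proxy and backend (needs network access and
    # the files from the curl command in the question):
    # print(mtls_via_proxy(("proxy.example", 3128), ("backendhost", 443),
    #                      "./client.crt", "./client.key", "./cert.pem"))
```

If a live run returns stage "proxy", the thing to fix is on the proxy side (destination allow-list, proxy authentication, or the HTTP client proxy configuration the reply mentions for OPDK), and no change to SSLInfo will help. If it returns stage "tls", compare the handshake with the working curl run: the same client certificate and key, and a truststore that contains the certificate the backend actually presents.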