It is now pretty clear this is failing because the proxy isn't letting me through. And it also now seems pretty clear I need to use a certificate to authenticate on the proxy.
So I have a .crt file that I might use. But where do I change the config of One Desktop so it will use it?
Under Window > Preferences > Network Connections you can find the proxy settings:
But the proxy settings have no certificate settings:
Under Network Connections there is an SSH2 screen, but I have no idea where to enter the location of my .crt file here. Any idea?
Hi @Marcel-Jan, thank you for taking the time to share your question in detail. I’ve checked with our team and you can work around it by passing a parameter in the VM arguments. To give a bit more background, when we run a .plan in ONE Desktop the plan is executed within a Java Virtual Machine (VM).
The parameter property ignoreCertificateErrors determines whether certification-related error messages are ignored or not. When retrieving web pages via https, ONE Desktop's running Java VM will check that the SSL certificate is valid and trusted. If not, you may see a similar SSL certificate error.
These error messages can be ignored by setting this property to true.
Follow the steps below to change the property:
1. In ONE Desktop, have your .plan open and run the plan.
2. Then in the dropdown, please select Run Configuration.
3. A dialogue box should appear, choose the Runtimes tab from here.
4. Paste -DhttpClient.ignoreCertificateErrors=true into the VM Arguments box.
5. Click Apply, and then run your plan again.
Please let me know how it goes or if you have any questions.
So I found the Run configuration here (just sharing for others playing along):
It’s good that there is extra debugging possible here as well.
But even with the -DhttpClient.ignoreCertificateErrors=true option I get Connection reset errors.
2024-01-23 10:50:17 [INFO] org.apache.http.impl.client.DefaultHttpClient I/O exception (java.net.SocketException) caught when connecting to {s}->https://mydev.service-now.com:443: Connection reset
2024-01-23 10:50:17 [INFO] org.apache.http.impl.client.DefaultHttpClient Retrying connect to {s}->https://mydev.service-now.com:443
23.01.2024 10:50:17 [DEBUG] [JsonCall] IOException when making request POST https://mydev.service-now.com/api/now/import/u_str_call HTTP/1.1
java.net.SocketException: Connection reset
at java.base/sun.nio.ch.NioSocketImpl.implRead(NioSocketImpl.java:323)
at java.base/sun.nio.ch.NioSocketImpl.read(NioSocketImpl.java:350)
at java.base/sun.nio.ch.NioSocketImpl$1.read(NioSocketImpl.java:803)
at java.base/java.net.Socket$SocketInputStream.read(Socket.java:966)
at java.base/sun.security.ssl.SSLSocketInputRecord.read(SSLSocketInputRecord.java:484)
at java.base/sun.security.ssl.SSLSocketInputRecord.readHeader(SSLSocketInputRecord.java:478)
at java.base/sun.security.ssl.SSLSocketInputRecord.decode(SSLSocketInputRecord.java:160)
at java.base/sun.security.ssl.SSLTransport.decode(SSLTransport.java:111)
at java.base/sun.security.ssl.SSLSocketImpl.decode(SSLSocketImpl.java:1510)
at java.base/sun.security.ssl.SSLSocketImpl.readHandshakeRecord(SSLSocketImpl.java:1425)
at java.base/sun.security.ssl.SSLSocketImpl.startHandshake(SSLSocketImpl.java:455)
at java.base/sun.security.ssl.SSLSocketImpl.startHandshake(SSLSocketImpl.java:426)
at org.apache.http.conn.ssl.SSLSocketFactory.createLayeredSocket(SSLSocketFactory.java:570)
at org.apache.http.conn.ssl.SSLSocketFactory.connectSocket(SSLSocketFactory.java:554)
at org.apache.http.conn.ssl.SSLSocketFactory.connectSocket(SSLSocketFactory.java:415)
at org.apache.http.impl.conn.DefaultClientConnectionOperator.openConnection(DefaultClientConnectionOperator.java:180)
at org.apache.http.impl.conn.ManagedClientConnectionImpl.open(ManagedClientConnectionImpl.java:326)
at org.apache.http.impl.client.DefaultRequestDirector.tryConnect(DefaultRequestDirector.java:605)
at org.apache.http.impl.client.DefaultRequestDirector.execute(DefaultRequestDirector.java:440)
at org.apache.http.impl.client.AbstractHttpClient.doExecute(AbstractHttpClient.java:835)
at org.apache.http.impl.client.CloseableHttpClient.execute(CloseableHttpClient.java:83)
at org.apache.http.impl.client.CloseableHttpClient.execute(CloseableHttpClient.java:108)
at com.ataccama.dqc.io.http.CommonHttpClient.makeRequest(CommonHttpClient.java:365)
at com.ataccama.dqc.io.http.CommonHttpClient.access$100(CommonHttpClient.java:70)
at com.ataccama.dqc.io.http.CommonHttpClient$RequestTask.run(CommonHttpClient.java:516)
at java.base/java.lang.Thread.run(Thread.java:833)
23.01.2024 10:50:17 [INFO] Stopping runtime...
Our firewall people say they opened the connection to ServiceNow for me, so I should be able to connect to that without proxy. And still.. Connection reset. Very confusing.
I decided to try this out on the One App server by creating a workflow that runs this component. On the server I also got the Connection reset error. But running this on the server allowed me to do a tcpdump of this. And thanks to that info I found out that the connection actually reaches the ServiceNow server.
That means that this is not a proxy issue and this question is basically kind of answered.
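Added example, not part of the thread or of Ataccama's code: a small triage helper that separates the two failure modes discussed here, a TCP reset while the TLS handshake is still being read (as in the trace above) versus a certificate chain the JVM refuses to trust. The category names and the mapping are this example's own heuristic, and the sample traces are constructed, the first one shortened from the frames posted above.

```python
import re

# Constructed sample traces; the first mirrors frames from the post above.
RESET_TRACE = """\
java.net.SocketException: Connection reset
    at java.base/sun.nio.ch.NioSocketImpl.implRead(NioSocketImpl.java:323)
    at java.base/sun.security.ssl.SSLSocketImpl.readHandshakeRecord(SSLSocketImpl.java:1425)
    at java.base/sun.security.ssl.SSLSocketImpl.startHandshake(SSLSocketImpl.java:455)
    at org.apache.http.conn.ssl.SSLSocketFactory.connectSocket(SSLSocketFactory.java:554)
"""
PKIX_TRACE = """\
javax.net.ssl.SSLHandshakeException: PKIX path building failed: sun.security.provider.certpath.SunCertPathBuilderException: unable to find valid certification path to requested target
    at java.base/sun.security.ssl.SSLSocketImpl.startHandshake(SSLSocketImpl.java:455)
"""

# "java.net.SocketException: message" or "Caused by: ...Exception: message"
EXC_RE = re.compile(r"^\s*(?:Caused by: )?([\w.$]+(?:Exception|Error))(?::\s*(.*))?$")
# "at java.base/pkg.Class.method(File.java:123)"; the module prefix is optional
FRAME_RE = re.compile(r"^\s*at\s+(?:[\w.]+/)?([\w.$]+)\.([\w$<>]+)\(")


def parse_trace(text):
    """Return (exceptions, frames) as [(class, message)] and [(class, method)]."""
    exceptions, frames = [], []
    for line in text.splitlines():
        frame = FRAME_RE.match(line)
        if frame:
            frames.append((frame.group(1), frame.group(2)))
            continue
        exc = EXC_RE.match(line)
        if exc:
            exceptions.append((exc.group(1), exc.group(2) or ""))
    return exceptions, frames


def classify(text):
    """Heuristic (assumption of this example): map a Java trace to a failure class."""
    exceptions, frames = parse_trace(text)
    in_handshake = any(method == "startHandshake" for _, method in frames)
    for cls, msg in exceptions:
        if cls.endswith("SSLHandshakeException") and ("PKIX" in msg or "certification path" in msg):
            return "trust-store"  # JVM rejected the chain: import the CA with keytool
        if cls.endswith("SocketException") and "Connection reset" in msg:
            # The far end or a device on the path closed the TCP connection;
            # client-side certificate flags do not change this outcome.
            return "network-reset-during-tls-handshake" if in_handshake else "network-reset"
    return "unclassified"
```

A `trust-store` result points at the keytool import route, while either `network-reset` result points at firewall or proxy rules on the path.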
Hi @Marcel-Jan, thank you for sharing an update here. I’m checking with the team about what might be the issue.
Hi @Marcel-Jan,
Please try the following steps to investigate the issue further:
1. In Postman, please enable SSL authentication: go to Settings > General > SSL certificate verification:
Run the API again and observe the result.
2. In ONE Desktop, try to run the plan with this parameter: -Dcom.sun.net.ssl.checkRevocation=false
If the result is an error in step 1 and we can run the plan successfully in step 2, then the issue lies in installing certificates. We need to import the Root and sub CA certificates of ServiceNow to {ONE Home}\jre\lib\security\cacerts using the keytool tool.
To import all certificates from an existing keystore, run the following command in java:
Thanks for your thorough response. I really appreciate it.
I enabled SSL certificate verification in Postman. But the request still succeeds.
And I added -Dcom.sun.net.ssl.checkRevocation=false to the Run configuration on my component. And that still fails in Connection resets.
After all kinds of tcpdumps and other network sniffing it seems pretty clear the connection does reach ServiceNow, but something resets the connection on the way back. Likely that's the proxy.
For this I have a .crt file that I can try to use. I tried to add it, but it asks me to enter a password. I don't know that one.
Kindly submit a support ticket at support.ataccama.com for additional assistance. This will enable our support team to provide you with further support.
Best regards,
Abbey
Hi Abbey,
Fortunately this is no longer necessary. We have requested a firewall rule from our Ataccama One App server to ServiceNow. And for the first time I got no Connection reset anymore. It's strange that our security team who consulted us in this have overlooked this.
So no proxy certificates or any of that are necessary anymore.
Now I can finally go further developing my solution.