Web Services SOAP failure after SSL cert renewal

I just renewed SSL certs on our OC 3.1.4 servers and 4 that currently have Web services in use were no longer able to connect through WS/SOAP. All servers are identical config, no proxy. I know there are similar posts here with this SOAP error, but it was working perfectly, the only change was a new cert. And 2 were already a SHA2 cert before.

From developer of Enketo, I added our cert to the cacerts keystore and now we can connect with Access/VBA uses MSXML2.DOMDocument to send the request: Set objXMLDoc = CreateObject("MSXML2.DOMDocument"). However, our .NET apps to extract data fail with:

System.Net.WebException: The remote server returned an error: (500) Internal Server Error.
at System.Net.HttpWebRequest.GetResponse()


SOAP-ENV:ServerCould not access envelope: Unable to create envelope from given source: ; nested exception is com.sun.xml.messaging.saaj.SOAPExceptionImpl: Unable to create envelope from given source:

Comments

  • toskrip Posts: 265
    Hi,

    so you have added the certificate to the keystore on the web service client site, right? I think you need to do some debugging of your .NET apps in order to see what is really going on. Maybe .NET does not see the certificate as trusted from the keystore. It may be that you would have to explicitly say that it is trusted on the source code level in your client WS calls.

    I would also recommend to look into OC-ws logs, you may find some more details regarding what is actually crashing.

    Just to explain the messages you have:

    on the client... error code 500 is a generic error code, that basically means that after the request was sent from the client, the server started processing it but it failed (for whatever reason).

    T
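One way to do the client-side debugging suggested above, as an added example that is not code from any poster in this thread: classify the `WebException` by its `Status` to separate certificate-trust and handshake failures from a fault the server returned after TLS had already succeeded. The class and method names are hypothetical, and the sample body in `Main` is constructed from the fault text reported in this thread.

```csharp
using System;
using System.IO;
using System.Net;
using System.Xml;

static class SoapFailureTriage   // hypothetical helper, not part of OpenClinica
{
    // Returns a one-line diagnosis for a failed SOAP request.
    public static string Classify(WebException ex)
    {
        switch (ex.Status)
        {
            case WebExceptionStatus.TrustFailure:
                return "TLS: server certificate chain not trusted by this client";
            case WebExceptionStatus.SecureChannelFailure:
                return "TLS: handshake failed before any HTTP exchange";
            case WebExceptionStatus.ProtocolError:
                break; // an HTTP response arrived, so the TLS layer worked
            default:
                return "Transport: " + ex.Status;
        }
        var resp = (HttpWebResponse)ex.Response;
        string body;
        using (var reader = new StreamReader(resp.GetResponseStream()))
            body = reader.ReadToEnd();
        return "HTTP " + (int)resp.StatusCode + ": " + FaultString(body);
    }

    // Extracts faultcode and faultstring from a SOAP 1.1 fault body.
    public static string FaultString(string body)
    {
        var doc = new XmlDocument { XmlResolver = null }; // never fetch external entities
        try { doc.LoadXml(body); }
        catch (XmlException) { return "non-XML body: " + body; }
        XmlNode code = doc.SelectSingleNode("//faultcode");
        XmlNode text = doc.SelectSingleNode("//faultstring");
        if (code == null || text == null) return "no SOAP fault in body";
        return code.InnerText + " - " + text.InnerText.Trim();
    }

    static void Main()
    {
        // Constructed sample: the fault shape reported in this thread.
        string sample = "<SOAP-ENV:Envelope xmlns:SOAP-ENV=\"http://schemas.xmlsoap.org/soap/envelope/\">"
            + "<SOAP-ENV:Body><SOAP-ENV:Fault><faultcode>SOAP-ENV:Server</faultcode>"
            + "<faultstring xml:lang=\"en\">Could not access envelope: Unable to create envelope from given source: </faultstring>"
            + "</SOAP-ENV:Fault></SOAP-ENV:Body></SOAP-ENV:Envelope>";
        Console.WriteLine(FaultString(sample));
    }
}
```

In the real client, call `SoapFailureTriage.Classify(ex)` inside the `catch (WebException ex)` block around the web service call and log the result.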
  • BinaryVision Posts: 42
    That was the initial catch, but the full error is
    <SOAP-ENV:Envelope xmlns:SOAP-ENV=\"http://schemas.xmlsoap.org/soap/envelope/\"><SOAP-ENV:Header/><SOAP-ENV:Body><SOAP-ENV:Fault><faultcode>SOAP-ENV:Server</faultcode><faultstring xml:lang=\"en\">Could not access envelope: Unable to create envelope from given source: ; nested exception is com.sun.xml.messaging.saaj.SOAPExceptionImpl: Unable to create envelope from given source: </faultstring></SOAP-ENV:Fault></SOAP-ENV:Body></SOAP-ENV:Envelope>

    The CA cert was added to cacerts and the .jks keystore Tomcat is using on the HTTPS connector. Is that what you mean by the client cert? I found this article but don't see how it differs from what was working before. Thanks!
  • mvirtosu Posts: 275
    I have the following lines in my .NET code, they may or may not help you:

    StudySubject.wsClient ss = new StudySubject.wsClient();

    // The following are needed so that WCF does not send and expect timestamps because the web service does not support those
    // (BindingElementCollection, SecurityBindingElement and CustomBinding are in System.ServiceModel.Channels)
    BindingElementCollection elements = ss.Endpoint.Binding.CreateBindingElements();
    elements.Find<SecurityBindingElement>().IncludeTimestamp = false;
    ss.Endpoint.Binding = new CustomBinding(elements);


    Mihai
  • ColinSutton Posts: 30
    via Email
    Are you sure nothing else was changed? A similar error occurs if the java version is upgraded from 1.6 to 1.7.

    Colin
    > On 20 May 2016, at 3:42 AM, BinaryVision wrote:
    > BinaryVision started a new discussion: Web Services SOAP failure after SSL cert renewal
  • BinaryVision Posts: 42
    Hi Colin. No, the Java version on all servers is untouched at JDK 1.6.0_32. I know other references on the site point to examining the XML that is sent for errors, but in this case it was working, and it obviously has to do with Java's handling of SSL and the SOAP connections specifically. So when I requested a new cert originally, I just did a keytool -certreq and did not create a new keystore and -genkey. So I started from scratch with a new -genkey, a new CSR, installed the new CA cert from Digicert, and now it works through Access to Web services without adding the public cert to the cacerts (as Trusted cert), but still the same error through the .Net application. We've also tried using the Webclient connection method through .Net; it didn't make a difference. Other references on the net pointed to issues with specific Java APIs and JBoss, beyond my scope.