Gen CALL EXTERNAL runtime error TIRXCWS "Client certificate required"



Article ID: 380200


Products

Gen Gen - Workstation Toolset

Issue/Introduction

Using Gen 8.6 CALL EXTERNAL.
The Toolset successfully imported a WSDL that is hosted at a secure (https) location, hostname:port = server1.a.b.com:8443.

The file "%Gen86%\Gen\callexternal.ini" has been changed to enable server certificate validation, i.e.:
server1.a.b.com:8443 SERVER_CERT_VALIDATION=Y CONNECTION_TIMEOUT=600 REQUEST_TIMEOUT=600 SOAPHEADER_BUFFERSIZE=4500 ERROR_HANDLING_BY_USER=N

The server certificate has been placed into a new cacert.pem file, which replaces the default "%Gen86%\Gen\cacert.pem" file.

When testing from a C client, the following error is received:
TIRM149E: Error occurred in CA Gen supplied function: TIRXCWS 
TIRM322E: Error occurred while performing external call
CSU-GENERAL-ERROR: WsErrorParser::parse(): Client certificate required (faultcode:soapenv:Server).
TIRM046E: *** Processing terminated ***
TIRM044E: *** Press OK to continue ***

This same SSL handshake has previously worked successfully from SoapUI.

Cause

Normally the term "Client Certificate" refers to mutual (two-way) SSL authentication, i.e. the client verifies the identity of the server (using the server certificate), and then the server verifies the identity of the client (using the client certificate). Standard one-way SSL does only the first part.

Tests run by Gen Support show that the message is different if the correct server certificate is not in the cacert.pem file, i.e.:
*****
TIRM149E: Error occurred in CA Gen supplied function: TIRXCWS  
TIRM322E: Error occurred while performing external call
Error message: "SSL peer certificate or SSH remote key was not OK"
*****
Because the above error is different from "Client certificate required", it appears the web service is requiring mutual SSL.
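
The distinction drawn above can be applied to captured client error output. The following is an added example, not part of the original article and not Gen code: it classifies a CALL EXTERNAL runtime error block using the two messages quoted here. The function name `triage`, the diagnosis labels, and the reading of a `faultcode` as "a SOAP fault came back from the service" are assumptions of this example.

```python
import re

# Constructed samples: the two runtime error blocks quoted in this article.
MTLS_SAMPLE = """\
TIRM149E: Error occurred in CA Gen supplied function: TIRXCWS
TIRM322E: Error occurred while performing external call
CSU-GENERAL-ERROR: WsErrorParser::parse(): Client certificate required (faultcode:soapenv:Server).
TIRM046E: *** Processing terminated ***
"""
TRUST_SAMPLE = """\
TIRM149E: Error occurred in CA Gen supplied function: TIRXCWS
TIRM322E: Error occurred while performing external call
Error message: "SSL peer certificate or SSH remote key was not OK"
"""

# Patterns are derived only from the message layouts shown above (assumption:
# other Gen releases format these lines the same way).
FUNC_RE = re.compile(r"^TIRM149E:.*function:\s*(?P<fn>\S+)", re.M)
FAULT_RE = re.compile(
    r"WsErrorParser::parse\(\):\s*(?P<text>.*?)\s*\(faultcode:(?P<code>[^)]+)\)")
LOCAL_RE = re.compile(r'Error message:\s*"(?P<text>[^"]*)"')


def triage(block):
    """Classify one error block: which side raised the error, and why."""
    fn = FUNC_RE.search(block)
    result = {"function": fn.group("fn") if fn else None, "origin": "unknown",
              "text": None, "faultcode": None, "diagnosis": "unclassified"}
    fault = FAULT_RE.search(block)
    local = LOCAL_RE.search(block)
    if fault:
        # A parsed fault code means the service answered with a SOAP fault.
        result.update(origin="server", text=fault.group("text"),
                      faultcode=fault.group("code"), diagnosis="soap-fault-other")
        if "client certificate required" in fault.group("text").lower():
            result["diagnosis"] = "service-requires-mutual-tls"
    elif local:
        # No fault code: the error was raised on the client side of the call.
        result.update(origin="client", text=local.group("text"),
                      diagnosis="client-error-other")
        if "peer certificate" in local.group("text").lower():
            result["diagnosis"] = "server-cert-not-trusted"  # check cacert.pem
    return result
```
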

Resolution

It was confirmed that the web service requires mutual SSL (mTLS) and that this was set up in SoapUI for the successful test there.
Mutual SSL authentication is not currently supported by CALL EXTERNAL.
So the advice would be to create a new Idea (enhancement request) on the Ideas Community.

Additional Information

Gen Product Management are currently considering planning for support of mutual SSL authentication in Gen as part of their recurring conversations about security best practices. However, there are no specific timelines yet for when this would be available.

Cloudflare - What is mutual TLS (mTLS)?

Add a Call External Statement > Call External Statement in Action Diagram > Consume a Secure Web Service
Add a Call External Statement > Call External File