Cannot route to a protected service via HTTPS: Ciphertext is too large
Article ID: 42878

Products

STARTER PACK-7 CA Rapid App Security CA API Gateway

Issue/Introduction

Solution

Background

The Layer 7 Gateway can route to protected services that accept messages via HTTP or HTTPS. A protected service that accepts messages via HTTP on a particular port will not accept messages via HTTPS on that port. The inverse is also true: a protected service that accepts only HTTPS on a particular port will not accept HTTP connections on it. Message processing will fail for a published service on the Gateway that attempts to consume a protected service with the wrong protocol for the port. This article documents the changes necessary to resolve this behavior.

Presentation

A published service configured in a manner that triggers this issue will print the following error message or audit log:
WARNING 4042 Problem routing to https://localhost:8080/echo. Error msg: Unable to obtain HTTP response from https://server.domain.com:80/service: Ciphertext is too large in received TLS record

Resolution

The example above assumes that the protected service adheres to the standard use of port 80; in this example, the service policy is routing via HTTPS to an HTTP-enabled service. An example routing assertion is displayed below:

<Please see attached file for image>

A screen capture displaying a Route via HTTP(S) assertion that is configured incorrectly.

The routing assertion itself indicates that it is routing via HTTPS, but the Gateway is not aware that the protected service is not HTTPS-enabled until the routing attempt occurs. The routing assertion should be configured to route via HTTP to port 80 or via HTTPS to port 443 (as appropriate for the web service). Example assertions are displayed below:

<Please see attached file for image>

A screen capture displaying two Route via HTTP(S) assertions configured appropriately for the HTTP and HTTPS protocols.

It is important to ensure that the Route via HTTP(S) assertion uses the protocol identifier (http:// or https://) that matches the protocol the protected service is listening for on the specified port. The error message described in this article indicates that a routing assertion using HTTPS is trying to contact a protected service that is not using HTTPS. Resolve this issue by setting the assertion to use HTTP instead of HTTPS, as demonstrated in the first assertion in the above screen capture.
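The following Python example is added here to illustrate why a plaintext HTTP listener produces exactly this record-size error, and to give a quick pre-deployment check of which protocol a backend port actually speaks; it is not code from this article or from the Gateway product. It assumes the backend answers a TLS ClientHello with an HTTP 400 status line (the usual behavior of HTTP servers); the sample bytes and helper names (parse_record_header, classify_reply, probe_listener) are constructed for the example.

```python
import socket
import ssl
import struct

# RFC 5246 section 6.2.3: a TLS 1.2 record length field must not exceed 2^14 + 2048.
MAX_TLS12_RECORD = 2**14 + 2048
TLS_CONTENT_TYPES = {20: "change_cipher_spec", 21: "alert", 22: "handshake", 23: "application_data"}

# Constructed sample: a plaintext HTTP listener's usual answer when the bytes it
# receives (here a TLS ClientHello) do not form a valid HTTP request line.
PLAINTEXT_HTTP_REPLY = b"HTTP/1.1 400 Bad Request\r\nConnection: close\r\n\r\n"
TLS_SERVER_HELLO_HEADER = bytes([0x16, 0x03, 0x03, 0x00, 0x56])  # constructed: TLS 1.2 handshake record, 86 bytes

def parse_record_header(data):
    """Decode the first 5 bytes the way a TLS client does: content type, version, length."""
    if len(data) < 5:
        raise ValueError("need at least 5 bytes for a TLS record header")
    ctype, version, length = struct.unpack("!BHH", data[:5])
    return {
        "content_type": ctype,
        "version": version,
        "length": length,
        # The Gateway's complaint: "HTTP/" decodes to a length larger than any legal record.
        "too_large": length > MAX_TLS12_RECORD,
    }

def classify_reply(data):
    """Tell a TLS listener from a plaintext HTTP listener by its first bytes."""
    hdr = parse_record_header(data)
    if hdr["content_type"] in TLS_CONTENT_TYPES and hdr["version"] >> 8 == 3:
        return "tls"
    if data.startswith(b"HTTP/"):
        return "plaintext-http"
    return "unknown"

def probe_listener(host, port, timeout=5.0):
    """Live check of a Route via HTTP(S) target: returns 'tls', 'plaintext-http' or 'unknown'."""
    ctx = ssl.create_default_context()
    ctx.check_hostname = False
    ctx.verify_mode = ssl.CERT_NONE  # protocol detection only; the certificate is not checked here
    try:
        with socket.create_connection((host, port), timeout=timeout) as raw:
            with ctx.wrap_socket(raw, server_hostname=host):
                return "tls"
    except ssl.SSLError:
        pass  # not TLS on this port; fall back to a plaintext HEAD and classify the reply
    with socket.create_connection((host, port), timeout=timeout) as raw:
        raw.sendall(b"HEAD / HTTP/1.0\r\nHost: " + host.encode() + b"\r\n\r\n")
        return classify_reply(raw.recv(64))
```

For the article's scenario, probe_listener("server.domain.com", 80) returning "plaintext-http" confirms the assertion must use http://, while "tls" on port 443 confirms https://.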

Environment

Release:
Component: APIGTW

Attachments

1558722775612000042878_sktwi1f5rjvs16wlj.jpeg
1558722773614000042878_sktwi1f5rjvs16wli.jpeg