This discussion has been locked.
You can no longer post new replies to this discussion. If you have a question you can start a new discussion

Breach check not working in 4.5

Hi

I'm testing the breach check function in 4.5 and it is not working for me due to that SSPR can't verify the certificate of the breach service I guess:

This is when I'm trying to change my password:

2020-04-07T17:18:11Z, WARN , util.PwmPasswordRuleValidator, Problem while connecting to external breach database sun.security.validator.ValidatorException: PKIX path building failed: sun.security.provider.certpath.SunCertPathBuilderException: unable to find valid certification path to requested target

 

Which certificates do I need to import?

To the JDK/JRE cacerts keystore or somewhere else?

 

Thanks

Tags:

  • 0  

    Hello - I got in touch with internal team and was told as follows:

    Can you please let us know what software and version you are using? The SSPR product doesn’t have anything called breach so we assume you are referencing some security software that is attempting to perform some type of security breach. SSPR is just an application that runs on top of Tomcat. Maybe the issue is not really with SSPR but with Tomcat? Please provide some additional details.

    OpenText Community Manager
    If you found this post useful, give it a “Like” or click on "Verify Answer" under the "More" button

  • 0   in reply to   

    Hi,

    No - I'm talking about the breach database check in SSPR. That is what the setting is called anyway.

    From the SSPR 4.5 release notes:

     

    Provision to Enable Breach Database Check

    Self Service Password Reset introduces Enable Breach Database Check to generate unique and secure passwords that are passed through the breach check to ensure that it is not a compromised password.

     

  • 0   in reply to   

    And this is from the SSPR log file, which itself refers to "breach":

     

    2020-04-07T17:18:11Z, WARN , util.PwmPasswordRuleValidator, Problem while connecting to external breach database sun.security.validator.ValidatorException: PKIX path building failed: sun.security.provider.certpath.SunCertPathBuilderException: unable to find valid certification path to requested target

  • 0 in reply to   

    Same error if REST used for external password validation check in this version.

     

    2020-05-12T13:51:55Z, FATAL, servlet.AbstractPwmServlet, {125,xxxxx} unexpected error: 5015 ERROR_INTERNAL (http response error while executing external rest call, error: 5057 ERROR_SERVICE_UNREACHABLE (error while making http request: PKIX path building failed: sun.security.provider.certpath.SunCertPathBuilderException: unable to find valid certification path to requested target)) [xxxxxx]
    2020-05-12T13:51:55Z, ERROR, util.PwmPasswordRuleValidator, error executing external rule REST call: 5015 ERROR_INTERNAL (http response error while executing external rest call, error: 5057 ERROR_SERVICE_UNREACHABLE (error while making http request: PKIX path building failed: sun.security.provider.certpath.SunCertPathBuilderException: unable to find valid certification path to requested target))

  • 0 in reply to 

    Did you figure out which cert to install?  We are having this issue

  • 0   in reply to 

    No.

     

  • 0 in reply to 

    The certificate for the SSL connection to the external service must imported.

  • 0 in reply to 

    Hi everybody,

     

    did anybody managed to use this new feature?

    I did import the server certificate and the two ca cerrs in the chain to a truststore.p12 and configured tomcat to use it - but the issue is still there.

    Meanwhile I found, haveibeenpwned uses differenbt fqdn, deopending on which REST API is called.

    https://haveibeenpwned.com/api

    https://api.pwnedpasswords.com   is used for the "Pwned Passwords" API 

     

    Since accessing the latter is free, I believe SSPR is using this one. In any case there are two different certificates available with the cn =sni.cloudflaressl.com providing either the first or the second FQDN as an SAN. In case of api.pwnedpasswords.com the SAN provided is *.pwnedpasswords.com - Could this be the root of the issue? I remember somehow wildcard SAN are not supported anymore, are they?

     

    Kind regards,

     

    Thorsten