
SSPR Failure to connect to Breach Database API

We implemented the SSPR breach check.  It worked for a couple of days, but now we're getting an API error.

WARN , util.PwmPasswordRuleValidator, Problem while connecting to external breach database Failed to connect to api.pwnedpasswords.com/2606:4700:0:0:0:0:6811:ac66:443

Is anyone else experiencing this issue? I've read on the site for haveibeenpwned that an API key is possibly needed. Does anyone know how this key is implemented?

  • 0  

    Probably the same issue I asked about, some undefined certificate needs to be imported.

    Then it will probably work until the service changes its certificate and it silently fails again.

  • 0 in reply to   

    I have imported the cert chain. It's as if the API is returning an IPv6 response when it should be IPv4, as if the application is asking for the wrong response through the API.

  • 0 in reply to 

    There's a recent change in the HaveIBeenPwned API. There's a new much more secure API released and we are now migrating to the new API. A fix with this API change will be provided soon.

    Gireesh Kumar

    Sr. Product Manager - IAM

  • 0

    Hi Jason,

    As Gireesh referenced, this issue occurred due to an API change for the 'HaveIBeenPwned database' but we now have a 'hotfix' which should resolve this matter.

    Please feel free to download the updated SSPR 4.5.x Linux .war file with the fix using the following link: https://download2.microfocus.com/fileinfo.asp?filename=sspr.war

    Thank you!

    -Andrew K Santos

  • 0 in reply to 

    This has been addressed in the public SSPR 4.5.0.3 release, as described in the 'Release Notes':

    Users Cannot Access the HaveIBeenPwned Database

    Users are not able to reach the HaveIBeenPwned database after enabling ExternalBreach database check in their deployments. After this patch, users can reach HaveIBeenPwned database in their deployments.

  • Verified Answer

    0 in reply to 

    I have sspr 4.5.0.3 installed with IDM user application 4.8.2.1, jre 1.8.0_265 and still get this error:

    2020-12-16T14:42:32Z, WARN , util.PwmPasswordRuleValidator, Problem while connecting to external breach database PKIX path building failed: sun.security.provider.certpath.SunCertPathBuilderException: unable to find valid certification path to requested target

    Is this working for others?  

  • 0 in reply to 

    You need to get the certificate from the site and import it into your tomcat keystore.

  • 0 in reply to 

    If we have to import the certificates, it would be nice to know what URLs are being used.  I assume api.pwnedpasswords.com.  I imported the intermediate certificate on a test box and it didn't work.  The root cert is already there, so I don't see why I would need the intermediates.  Test sites are saying that Cloudflare is including the intermediates as it should.

    Do I have the right URL?  What certs need to be imported?

    Edit: Does the user application set java to use the idm.jks truststore instead of the defaults cacerts?  I don't see it on the command line, but maybe it is set in code?

  • 0 in reply to 

    IDM is configured to use idm.jks as a truststore which appears to make it ignore the default jvm cert store.  I imported the root CA (CN=Baltimore CyberTrust Root, OU=CyberTrust, O=Baltimore, C=IE) to that truststore and it is working fine now.  
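A small diagnostic that answers the two questions raised above (which truststore the JVM is really using, and whether it trusts the chain served by api.pwnedpasswords.com), as an added example that is not code from the thread or from the SSPR/IDM product. It assumes the truststore is exposed through the standard javax.net.ssl.trustStore / trustStorePassword / trustStoreType properties; the host and the PKIX failure mode are taken from the log lines in the thread.

```java
// Added example (not from the thread or the SSPR/IDM product): open a TLS
// connection to the breach-check endpoint using the truststore the JVM is
// configured with, then print the served chain and the trust verdict.
import java.io.FileInputStream;
import java.security.KeyStore;
import java.security.cert.Certificate;
import java.security.cert.X509Certificate;
import javax.net.ssl.*;

public class BreachApiTrustCheck {
    // Host taken from the WARN line in the SSPR log.
    static final String HOST = "api.pwnedpasswords.com";
    static final int PORT = 443;

    public static void main(String[] args) throws Exception {
        // Assumption: IDM hands idm.jks to the JVM via these properties.
        // If it is set in code instead, pass -Djavax.net.ssl.trustStore=... explicitly.
        String tsPath = System.getProperty("javax.net.ssl.trustStore");
        String tsPass = System.getProperty("javax.net.ssl.trustStorePassword", "changeit");
        String tsType = System.getProperty("javax.net.ssl.trustStoreType", KeyStore.getDefaultType());
        TrustManagerFactory tmf = TrustManagerFactory.getInstance(TrustManagerFactory.getDefaultAlgorithm());
        if (tsPath != null) {
            KeyStore ts = KeyStore.getInstance(tsType);
            try (FileInputStream in = new FileInputStream(tsPath)) {
                ts.load(in, tsPass.toCharArray());
            }
            tmf.init(ts);
            System.out.println("Using truststore " + tsPath + " (" + ts.size() + " entries)");
        } else {
            tmf.init((KeyStore) null); // falls back to the JVM's cacerts
            System.out.println("Using JVM default truststore (cacerts)");
        }
        SSLContext ctx = SSLContext.getInstance("TLS");
        ctx.init(null, tmf.getTrustManagers(), null);
        try (SSLSocket sock = (SSLSocket) ctx.getSocketFactory().createSocket(HOST, PORT)) {
            SSLParameters p = sock.getSSLParameters();
            p.setEndpointIdentificationAlgorithm("HTTPS"); // verify hostname as well
            sock.setSSLParameters(p);
            sock.startHandshake();
            System.out.println("Handshake OK; chain served by " + HOST + ":");
            for (Certificate c : sock.getSession().getPeerCertificates()) {
                X509Certificate x = (X509Certificate) c;
                System.out.println("  " + x.getSubjectX500Principal() + "  <- " + x.getIssuerX500Principal());
            }
        } catch (SSLHandshakeException e) {
            // Same condition as the "PKIX path building failed" WARN in the log:
            // the chain's root (or a needed intermediate) is missing from this truststore.
            System.out.println("Handshake FAILED: " + e.getMessage());
        }
    }
}
```

Run it once against the default cacerts and once with -Djavax.net.ssl.trustStore=/path/to/idm.jks; if only the second fails, the issuer printed last in the chain is the CA that has to be imported into idm.jks.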

  • 0 in reply to 

    It looks like this issue is back (presumably due to some new change to the backend API) and the HaveIBeenPwned Database is no longer accessible from SSPR 4.5.0.4.

    We have opened a new defect (bug# 413232) and will have our Development Team review it shortly.

    If anyone else runs into this issue, please reply below to let me know and provide a Troubleshooting bundle that captures/demonstrates the problem so that we may attach this information to the bug.

    Thank you!