
We implemented the SSPR breach check. It worked for a couple of days, but now we're getting an API error.
WARN , util.PwmPasswordRuleValidator, Problem while connecting to external breach database Failed to connect to api.pwnedpasswords.com/2606:4700:0:0:0:0:6811:ac66:443
Is anyone else experiencing this issue? I've read on the site for haveibeenpwned that an API key is possibly needed, does anyone know how this key is implemented?
Accepted Solutions

I have sspr 4.5.0.3 installed with IDM user application 4.8.2.1, jre 1.8.0_265 and still get this error:
2020-12-16T14:42:32Z, WARN , util.PwmPasswordRuleValidator, Problem while connecting to external breach database PKIX path building failed: sun.security.provider.certpath.SunCertPathBuilderException: unable to find valid certification path to requested target
Is this working for others?


Probably the same issue I asked about, some undefined certificate needs to be imported.
Then it will probably work until the service changes its certificate and it silently fails again.

I have imported the cert chain; it's as if the API is returning an IPv6 response when it should be IPv4, as if the application is asking for the wrong response through the API.

There's a recent change in the HaveIBeenPwned API. There's a new much more secure API released and we are now migrating to the new API. A fix with this API change will be provided soon.

Hi Jason,
As Gireesh referenced, this issue occurred due to an API change for the 'HaveIBeenPwned database' but we now have a 'hotfix' which should resolve this matter.
Please feel free to download the updated SSPR 4.5.x Linux .war file with the fix using the following link: https://download2.microfocus.com/fileinfo.asp?filename=sspr.war
Thank you!
-Andrew K Santos

This has been addressed in the public SSPR 4.5.0.3 release, as described in the 'Release Notes':
Users Cannot Access the HaveIBeenPwned Database
Users are not able to reach the HaveIBeenPwned database after enabling ExternalBreach database check in their deployments. After this patch, users can reach HaveIBeenPwned database in their deployments.


You need to get the certificate from the site and import it into your tomcat keystore.

If we have to import the certificates it would be nice to know what URLs are being used. I assume api.pwnedpasswords.com. I imported the intermediate certificate on a test box and it didn't work. The root cert is already there so I don't see why I would need the intermediates. Test sites are saying that Cloudflare is including the intermediates as it should.
Do I have the right URL? What certs need to be imported?
Edit: Does the user application set Java to use the idm.jks truststore instead of the default cacerts? I don't see it on the command line, but maybe it is set in code?

IDM is configured to use idm.jks as a truststore which appears to make it ignore the default jvm cert store. I imported the root CA (CN=Baltimore CyberTrust Root, OU=CyberTrust, O=Baltimore, C=IE) to that truststore and it is working fine now.
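
The fix described in the last reply, as an added example that is not part of the original thread or of SSPR: a shell helper that checks whether the truststore the application actually uses already contains a given root CA and imports it only if it is missing. The store path, password, alias and certificate file are placeholders supplied by the caller; only standard `keytool` options are used.

```shell
#!/bin/sh
# Added example. Store path, password, alias and certificate file are
# placeholders supplied by the caller; nothing here is taken from SSPR itself.

# truststore_has_subject STORE PASS SUBJECT
# Succeeds if a certificate in STORE has an Owner line containing SUBJECT.
truststore_has_subject() {
    keytool -J-Duser.language=en -list -v -keystore "$1" -storepass "$2" 2>/dev/null |
        grep '^Owner:' | grep -qiF -- "$3"
}

# import_root STORE PASS ALIAS CERTFILE
# Imports CERTFILE as a trusted CA entry unless its subject is already present.
import_root() {
    store=$1 pass=$2 alias=$3 cert=$4
    # Read the subject (keytool calls it "Owner") from the certificate file.
    subject=$(keytool -J-Duser.language=en -printcert -file "$cert" 2>/dev/null |
        sed -n 's/^Owner: //p' | head -n 1)
    if [ -z "$subject" ]; then
        echo "cannot read certificate: $cert" >&2
        return 2
    fi
    # Skip the import when the store already trusts this subject.
    if [ -f "$store" ] && truststore_has_subject "$store" "$pass" "$subject"; then
        echo "already trusted: $subject"
        return 0
    fi
    keytool -importcert -noprompt -trustcacerts -alias "$alias" \
        -file "$cert" -keystore "$store" -storepass "$pass" >/dev/null 2>&1 || return 1
    echo "imported: $subject"
}

# Usage: sh import_root.sh /path/to/idm.jks STOREPASS ALIAS root-ca.pem
if [ "$#" -eq 4 ]; then
    import_root "$@"
fi
```

Running `truststore_has_subject` against idm.jks with `CN=Baltimore CyberTrust Root` before and after the import confirms that the entry landed in the store the application reads rather than in the JVM's default cacerts.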