Commodore

SSPR Failure to connect to Breach Database API

We implemented the SSPR breach check. It worked for a couple of days, but now we're getting an API error.

WARN , util.PwmPasswordRuleValidator, Problem while connecting to external breach database Failed to connect to api.pwnedpasswords.com/2606:4700:0:0:0:0:6811:ac66:443

Is anyone else experiencing this issue? I've read on the site for haveibeenpwned that an API key is possibly needed; does anyone know how this key is implemented?

Knowledge Partner

Probably the same issue I asked about, some undefined certificate needs to be imported.

Then it will probably work until the service changes its certificate and it silently fails again.

Commodore

I have imported the cert chain; it's as if the API is returning an IPv6 response when it should be IPv4, as if the application is asking for the wrong response through the API.

Micro Focus Frequent Contributor

There's a recent change in the HaveIBeenPwned API. There's a new, much more secure API released and we are now migrating to the new API. A fix with this API change will be provided soon.

Micro Focus Frequent Contributor

Hi Jason,

As Gireesh referenced, this issue occurred due to an API change for the 'HaveIBeenPwned database' but we now have a 'hotfix' which should resolve this matter.

Please feel free to download the updated SSPR 4.5.x Linux .war file with the fix using the following link: https://download2.microfocus.com/fileinfo.asp?filename=sspr.war

Thank you!

-Andrew K Santos

Micro Focus Frequent Contributor

This has been addressed in the public SSPR 4.5.0.3 release, as described in the 'Release Notes':

Users Cannot Access the HaveIBeenPwned Database

Users are not able to reach the HaveIBeenPwned database after enabling ExternalBreach database check in their deployments. After this patch, users can reach HaveIBeenPwned database in their deployments.

0 Likes
Vice Admiral

I have SSPR 4.5.0.3 installed with IDM user application 4.8.2.1, JRE 1.8.0_265 and still get this error:

2020-12-16T14:42:32Z, WARN , util.PwmPasswordRuleValidator, Problem while connecting to external breach database PKIX path building failed: sun.security.provider.certpath.SunCertPathBuilderException: unable to find valid certification path to requested target

Is this working for others?

0 Likes
Commodore

You need to get the certificate from the site and import it into your Tomcat keystore.

Vice Admiral

If we have to import the certificates it would be nice to know what URLs are being used. I assume api.pwnedpasswords.com. I imported the intermediate certificate on a test box and it didn't work. The root cert is already there so I don't see why I would need the intermediates. Test sites are saying that Cloudflare is including the intermediates as it should.

Do I have the right URL? What certs need to be imported?

Edit: Does the user application set Java to use the idm.jks truststore instead of the default cacerts? I don't see it on the command line, but maybe it is set in code?

0 Likes
Vice Admiral

IDM is configured to use idm.jks as a truststore, which appears to make it ignore the default JVM cert store. I imported the root CA (CN=Baltimore CyberTrust Root, OU=CyberTrust, O=Baltimore, C=IE) to that truststore and it is working fine now.

0 Likes
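
An offline way to run the check that resolved this thread, as an added example (not code from SSPR, IDM or any poster): it validates a saved copy of the server's certificate chain against one named truststore file, which reproduces the PKIX failure when the needed root is missing from that store. The class name, the two file arguments and the assumption that the store is in JKS format are assumptions of this example.

```java
import java.io.*;
import java.security.KeyStore;
import java.security.cert.*;
import java.util.*;

// Added example: does a saved server chain validate against THIS truststore
// file (for example the application's own JKS rather than the JVM's cacerts)?
public class TrustStoreCheck {
    public static void main(String[] args) throws Exception {
        if (args.length < 2) {
            System.err.println("usage: TrustStoreCheck <truststore.jks> <chain.pem> [storepass]");
            System.exit(2);
        }
        // Certificates in a JKS store can be read without the store password
        // (only the integrity check is skipped), so the password is optional.
        char[] pass = args.length > 2 ? args[2].toCharArray() : null;
        KeyStore ks = KeyStore.getInstance("JKS");
        try (InputStream in = new FileInputStream(args[0])) {
            ks.load(in, pass);
        }

        // chain.pem: PEM blocks only, leaf certificate first, then intermediates.
        CertificateFactory cf = CertificateFactory.getInstance("X.509");
        List<Certificate> chain = new ArrayList<>();
        try (InputStream in = new FileInputStream(args[1])) {
            chain.addAll(cf.generateCertificates(in));
        }
        CertPath path = cf.generateCertPath(chain);

        // Every trusted-certificate entry in the store becomes a trust anchor.
        // An empty store makes this constructor throw, which is itself a finding.
        PKIXParameters params = new PKIXParameters(ks);
        params.setRevocationEnabled(false); // path check only, no CRL/OCSP lookups

        try {
            PKIXCertPathValidatorResult result = (PKIXCertPathValidatorResult)
                    CertPathValidator.getInstance("PKIX").validate(path, params);
            System.out.println("OK, anchored at: "
                    + result.getTrustAnchor().getTrustedCert().getSubjectX500Principal());
        } catch (CertPathValidatorException e) {
            // Index is the position in the chain where validation stopped (-1 if unknown).
            System.out.println("FAILED at chain index " + e.getIndex() + ": " + e.getMessage());
            System.exit(1);
        }
    }
}
```

Run it once against the JVM's cacerts and once against the truststore the application is configured with; a pass on the first and a failure on the second points to the application not using the default store.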