Problem with consuming a webservice that's using a self signed certificate.

Problem with consuming a webservice that's using a self signed certificate.

  

Hey all,

So our partner has exposed a webservice which forces the use of HTTPS, however it's using a custom self signed certificate.
So when trying to consume this webservice Outsytems returns the following error:
"The underlying connection was closed: Could not establish trust relationship for the SSL/TLS secure channel."

Now I have made an extension in which I call the webservice while ignoring the self signed certificate (since it's not verified by a vald CA).
However ideally I want to simply consume this webservice using the basic functionality in Outsystems so that the other devs in the team can easily make changes if needed.

Does anybody know how to achieve this? I read something about SSL certificates while exposing webservices with Outsystems, but haven't found anything for consuming one.


Cheers,

Joey.

Hello Joey,

Maybe this (old) post have the solution for your problem.

https://www.outsystems.com/forums/discussion/5690/web-services-could-not-establish-trust-relationship-for-the-ssl-tls/

It seems to be possible to workaround this issue with self signed certificates installing the certificate from the provider in the server.

Cheers

Eduardo Jauch

Thanks Eduardo, I'll check that out, I'll come back to you in a couple of days!

I have the same problem, but i am using the public Outsystems cloud.

What i am trying to do is to call via JavaScript a webservice developed in Apache using a auto signed certificate.

When i access the page via browser the first time, it asks me to validade the page. However, when i run via native app, i have no error, nor i have the option to accept to use a self signed certificate.

What i am trying to do, is: When i am under a local network, i call the webservice directly via local url, without the need to go under Outsystems servers. When i am out of local network it calls the webservice as usual.


Thanks,

Vasco Mendes

If installing the (self signed) certificate in the front-end isn't an option (because you may not have access to the FE), evaluate using the REST Ignore Certificates component, if you're consuming a REST service.

For SOAP services, you may need to build an extension (see here). I've done something similar in the past for a quick PoC, but I lost the extension since.

Having said this, ignoring the error is itself a security concern - these are workarounds and shouldn't be used as a solution in production.

The problem is that the extension would be on the server side, right?

I want the rest call to be on the client side, to avoid latency by calling the service via Outsystems server

Vasco,

I'm not sure this can be done in JavaScript, because allowing that would be a security issue. You (the user) are supposed to accept navigating to a site with a self-signed certificate (declaration of trust). Allowing JS to bypass that validation would be problematic in terms of security.

As a workaround, you can further investigate how feasible it is to install the certificate in the device (I assume it will always depend on some manual interaction). Or you can invoke the service via http instead of https, which will avoid these issues but is probably a big NO (unless you've no authentication and are exchanging harmless data like the weather or something).

On a side note, are you really invoking the service directly from the device? If you just use the web reference action inside a client action, the communication still goes through your OutSystems front-end:

<Mobile device> - <OS FE> - <external server>

(Adding this because this model is often misunderstood, but from your message, you're probably using a JavaScript node.)