Two way SSL (Southbound) fails with Error : Proxy refused to create tunnel with response status 403

We are trying to connect to a backend with 2-way SSL implemented. We have uploaded the backend’s Certificate as a TrustStore (AAA-Enabler) and have provided our Certificate to the backend developers (ApixPreprodClientCert). We have named both the Keystore and Alias as ApixPreprodClientCert.

In our HTTPTargetConnection, we have SSLInfo like :-

<SSLInfo>
            <Enabled>true</Enabled>
            <ClientAuthEnabled>true</ClientAuthEnabled>
            <KeyStore>ApixPreprodClientCert</KeyStore>
            <KeyAlias>ApixPreprodClientCert</KeyAlias>
            <TrustStore>AAA-Enabler</TrustStore>
            <IgnoreValidationErrors>true</IgnoreValidationErrors>
</SSLInfo>

When trying to invoke this API, we get the following fault before target can be invoked:-

We are successfully able to make a cURL request to the backend using both the certificate like :-

curl -ivs -cacert ./cert.pem --cert ./client.crt --key
./client.key -d @pass.xml [https://backendhost:backendport/resource](https://backendhost:backendport/resource) -X POST

We are simply not able to figure out why can’t we make a call from the API. Please help.

@Dino @Anil Sagar @ Google @Dino-at-Google @Anil Sagar : Can any one of you help here please. It is very urgent for us.

Hi Ankit,

It could be all kind of causes. The most scientific way forward would be to trace tcp/tls handshake and read the real error. If you use OPDK, that’s easy to switch on at MP. If it is a Cloud, then it might be easier for you to take a tcpdump at your backend server side.

The error message clearly talks about proxy tunnel. Does your backend needs to be connected using proxy settings? Should a client to be whitelisted? Is it an opdk and you’re using http client proxy configuration?