KB#1322 – Error when creating API Client

Problem

When trying to create an API Client under “System” -> “Usermanagement” -> “API Clients”, you get a weird error message without any text.

Cause

When BiG EVAL creates a new API Client, it establishes a server-internal HTTPS connection to create the JWT access token that is displayed in the success dialog. The weird error message appears when this connection cannot be established. In fact, it gets dropped by the webserver.

The cause of this problem lies in the SSL-Certificate binding. Before we recognized this problem, we had an error in the documentation: we wrongly instructed you to set up the SSL binding on the server's IP address that is listening for client/server HTTPS requests. Because the internal communication is established on the loopback interface and not on the external network interface, there is simply no SSL-Certificate binding available for it. Therefore the connection gets dropped because it is not secured.

Solution

To solve this problem, fix your SSL-Certificate bindings on the BiG EVAL Server so that there is an SSL-Certificate bound to the external IP as well as one on the loopback address.

Please note that when you are running the IPv6 stack, there could be differences in the syntax below. Please refer to your network administrator. But ensure that the bindings are done on all IPv6 addresses involved in the communication.

The following solution shows how to drop your current bindings and add one single binding for all your IP addresses using the wildcard IP 0.0.0.0. Depending on your preferences, you can instead add separate bindings for all involved IP addresses.

  1. Open a PowerShell or command line with local administrator permissions on the BiG EVAL server.
  2. Use the following command to list your current SSL bindings.
        netsh http show sslcert
  3. Drop the current bindings with the following command.
    Please note that the IP address shown is only an example. Use your own external IP address where the actual SSL-Certificate binding was done. You can see the actual binding in the output of the previous command.
        netsh http delete sslcert ipport=10.0.0.7:443
  4. Add a new binding with the following command.
    Please note that you must replace the certificate thumbprint with the one of your own certificate. The appid parameter can be any GUID/uniqueidentifier you want. It doesn't matter. If you run this command in PowerShell, enclose the appid value, braces included, in quotes, because PowerShell otherwise parses the braces as a script block.
        netsh http add sslcert ipport=0.0.0.0:443 certstorename=MY certhash=c20965abecfff0ee2dfb0121ec173db33e371cd1 appid={4084CF5D-09E5-44D4-9A30-D027C8130E7A}
  5. Restart the BiG EVAL Service.
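
To confirm the result of the steps above, the following added example (not part of the BiG EVAL documentation or product) parses the output of `netsh http show sslcert` and reports whether the external and loopback addresses are covered by a binding on port 443. The function name `Test-SslBindingCoverage`, the loopback address 127.0.0.1, English-language netsh output and the sample lines are assumptions made for this example.

```powershell
# Added example, not vendor code. Assumes English netsh output and IPv4 bindings.
function Test-SslBindingCoverage {
    param(
        [string[]]$NetshOutput,   # lines returned by: netsh http show sslcert
        [string[]]$RequiredIPs,   # IPv4 addresses that must accept HTTPS
        [int]$Port = 443
    )
    # Collect every "IP:port : a.b.c.d:port" entry; hostname (SNI) entries are ignored.
    $bound = foreach ($line in $NetshOutput) {
        if ($line -match '^\s*IP:port\s*:\s*(\d{1,3}(?:\.\d{1,3}){3}):(\d+)\s*$') {
            [pscustomobject]@{ IP = $Matches[1]; Port = [int]$Matches[2] }
        }
    }
    $onPort   = @($bound | Where-Object { $_.Port -eq $Port } | ForEach-Object { $_.IP })
    $wildcard = $onPort -contains '0.0.0.0'   # a wildcard binding covers every IPv4 address

    foreach ($ip in $RequiredIPs) {
        $explicit = $onPort -contains $ip
        [pscustomobject]@{
            Address = "${ip}:$Port"
            Covered = ($wildcard -or $explicit)
            Via     = if ($explicit) { 'explicit binding' }
                      elseif ($wildcard) { 'wildcard 0.0.0.0' }
                      else { 'none' }
        }
    }
}

# Constructed sample of the faulty state from "Cause": only the external IP is bound.
$sample = @(
    'SSL Certificate bindings:',
    '-------------------------',
    '    IP:port                      : 10.0.0.7:443',
    '    Certificate Hash             : <thumbprint-placeholder>',
    '    Application ID               : {<guid-placeholder>}',
    '    Certificate Store Name       : MY'
)
Test-SslBindingCoverage -NetshOutput $sample -RequiredIPs '10.0.0.7', '127.0.0.1' |
    Format-Table -AutoSize

# On the BiG EVAL server, check the live bindings instead of the sample:
# Test-SslBindingCoverage -NetshOutput (netsh http show sslcert) -RequiredIPs '<external-ip>', '127.0.0.1'
```

Any address reported with `Covered` set to `False` has no certificate bound on that port, which is the condition described under "Cause" for the loopback address.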
