...
```apex
// Load the TRIM settings record that holds the endpoint and the client certificate name.
fuseit_t4s__Trim__c trim = [Select Id, fuseit_t4s__Trim_Light_IP_Address__c, fuseit_t4s__ClientCertificateName__c from fuseit_t4s__Trim__c limit 1];
try {
    Http h = new Http();
    HttpRequest req = new HttpRequest();
    req.setHeader('Content-Type', 'application/json');
    req.setEndpoint(trim.fuseit_t4s__Trim_Light_IP_Address__c);
    req.setMethod('GET');
    // Present the Salesforce certificate for mutual TLS.
    req.setClientCertificateName(trim.fuseit_t4s__ClientCertificateName__c);
    req.setTimeout(60000);
    HttpResponse res = h.send(req);
    Integer code = res.getStatusCode();
    System.Debug('Status code = ' + code);
    if (code != 200) {
        throw new fuseit_t4s.TrimException('HTTP Error code ' + code + ' connecting to ' + trim.fuseit_t4s__Trim_Light_IP_Address__c);
    }
} catch (Exception e) {
    System.Debug('Error Line ' + e.getLineNumber() + ' Msg ' + e.getMessage());
}
```
If you receive a 403 response, check your IIS logs to see what the sub-status value is, e.g. 403 7 or 403 16.
On the T4SExecuteService.asmx SSL Settings, you can change the Client Certificate setting to “Ignore” and test to see if you then receive a 200 OK response.
...
If you receive a 200 OK response with Client certificate set to “Ignore” and a 403 error when set to “Require”, make sure your Salesforce self-signed certificate is located in the “Trusted Root Certification Authority”.
Check your CA-signed certificate is listed in IIS Server Certificates.
...
To help diagnose whether the issue is a TLS or client certificate issue, you could add the following custom variables to the IIS Logging.
...
This will output the TLS negotiation and the client certificate being passed in with the request.
If you receive a 403 response, check your IIS logs to see the sub-status value. e.g.
sc-status sc-substatus
403 7
Or
sc-status sc-substatus
403 16
NOTE: if IIS logs “- - -” for any of the client certificate variables, then no certificate is being passed to IIS with the request.
Please check your load balancer/proxy server etc.
Next, check that your Salesforce self-signed certificate is located in the “Trusted Root Certification Authority”.
Check your CA-signed certificate is listed in IIS Server Certificates.
...
to make sure the client certificate is being passed through to the server.
Check the sc-win32-status. If the value is 2148204809, this indicates that the certificate chain was processed but terminated in a root certificate which is not trusted by the trust provider.
Check that you have no intermediate CA certificates in the Trusted Root CA store by running this command in PowerShell:
...
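The log checks described above (sub-status 7 or 16, "-" in the client certificate columns, and sc-win32-status 2148204809) can be applied to a W3C-format IIS log in one pass. This is an added example, not part of the original page or the product's code; the custom column names `cert-subject` and `cert-issuer` and the sample log lines are assumptions constructed for illustration, so substitute the field names you configured in IIS Logging.

```python
# Added example: triage 403 entries in an IIS W3C log for client-certificate problems.
SUBSTATUS = {"7": "client certificate required",
             "16": "client certificate is untrusted or invalid"}
UNTRUSTED_ROOT = "2148204809"  # value from the page: chain ended in an untrusted root
CERT_FIELDS = ("cert-subject", "cert-issuer")  # hypothetical custom field names

# Constructed sample log, not taken from a real server.
SAMPLE_LOG = """\
#Fields: date time cs-method cs-uri-stem sc-status sc-substatus sc-win32-status cert-subject cert-issuer
2024-01-01 10:00:00 GET /T4SExecuteService.asmx 200 0 0 CN=SalesforceSelfSigned CN=SalesforceSelfSigned
2024-01-01 10:05:00 GET /T4SExecuteService.asmx 403 7 5 - -
2024-01-01 10:09:00 GET /T4SExecuteService.asmx 403 16 2148204809 CN=SalesforceSelfSigned CN=SalesforceSelfSigned
"""

def triage(log_text, cert_fields=CERT_FIELDS):
    """Return one finding per 403 entry, with the next thing to check."""
    fields, findings = [], []
    for line in log_text.splitlines():
        if line.startswith("#Fields:"):
            fields = line.split()[1:]  # header can reappear after a restart
            continue
        if not line.strip() or line.startswith("#") or not fields:
            continue
        row = dict(zip(fields, line.split()))
        if row.get("sc-status") != "403":
            continue
        sub = row.get("sc-substatus", "")
        present = [f for f in cert_fields if f in row]
        # "-" in every certificate column means no certificate reached IIS.
        no_cert = bool(present) and all(row[f] == "-" for f in present)
        if no_cert:
            hint = "no certificate reached IIS: check load balancer/proxy"
        elif row.get("sc-win32-status") == UNTRUSTED_ROOT:
            hint = "chain ends in untrusted root: check Trusted Root store"
        else:
            hint = "check certificate stores and SSL Settings"
        findings.append({"substatus": "403." + sub,
                         "meaning": SUBSTATUS.get(sub, "other 403 sub-status"),
                         "no_cert": no_cert, "hint": hint})
    return findings

if __name__ == "__main__":
    for finding in triage(SAMPLE_LOG):
        print(finding)
```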