ApacheHttpClient server certificate validation doesn't run

Which IIQ version are you inquiring about?

8.4

Share all details about your problem, including any error messages you may have received.

I’ve developed an IIQ plugin that triggers some Java code. The Java code contains an HTTP client helper (an ApacheHttpClient wrapper):

package com.my.code.http.client.helper;

import com.my.code.Consts;
import sailpoint.integration.ApacheHttpClient;

import java.util.HashMap;
import java.util.Map;

public class HttpClientHelper {
    private final ApacheHttpClient client;
    private final Map<String, String> baseHeaders = new HashMap<>();

    public HttpClientHelper(String methodId, String correlationId) throws Exception {
        baseHeaders.put(Consts.METHOD_ID_HEADER_NAME, methodId);
        baseHeaders.put(Consts.CORRELATION_ID_HEADER_NAME, correlationId);
        this.client = new ApacheHttpClient();
        client.setup(true, 443, null, null, "30", new HashMap<String, String>());
    }

    public Map<String, String> createHeaders(Map<String, String> headers) {
        Map<String, String> joinedHeaders = new HashMap<>();
        joinedHeaders.putAll(this.baseHeaders);
        joinedHeaders.putAll(headers);
        return joinedHeaders;
    }

    public int post(String url, String body, Map<String, String> headers) throws Exception {
        return client.post(url, body, this.createHeaders(headers));
    }

    public int get(String url, Map<String, String> headers) throws Exception {
        return client.get(url, this.createHeaders(headers));
    }

    public String getBody() {
        return client.getBody();
    }

    public void validateResponse(int responseCode) throws RuntimeException {
        if (responseCode < 200 || responseCode >= 300) {
            String error = "HTTP Status: " + responseCode + ", Response: " + getBody();
            throw new RuntimeException(error);
        }
    }
}

For some reason, the ApacheHttpClient doesn’t perform server certificate validation. If I try to access a server using the code above with a self-signed certificate that IIQ’s OS doesn’t trust, it still works instead of throwing an SSL error.

I expect the ApacheHttpClient to perform SSL validation since I’m not passing any flags that might affect its default behavior (for example, trustAllCerts).

Is there some IIQ global definition regarding performing SSL validation?

Hi @liza_s, this caught my interest too… and yes, you’re absolutely right to expect proper SSL validation by default… but based on my understanding so far “after I did some research”, the sailpoint.integration.ApacheHttpClient in IIQ doesn’t actually enforce server certificate validation unless it’s explicitly configured. Even if trustAllCerts isn’t used, it still allows connections to untrusted/self-signed certs unless the cert is already in the JVM truststore “which is interesting”.

If you need strict validation, here are two clean options:

Import the server’s certificate into the JVM truststore (usually at $JAVA_HOME/lib/security/cacerts) using keytool; this allows the default trust manager to validate it properly “a Tomcat (or app server) restart is needed after that”.

Build your own Apache HTTP client wrapper and configure it with a proper SSLContext and trust strategy… this gives you full control over how TLS is handled in the plugin.

As far as I know, there’s no IIQ-level config or toggle that changes this behaviour — it’s either the truststore or your own implementation.

Let me know if you find anything else around this, always happy to dive deeper :slightly_smiling_face:

Regards,
Mustafa
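One way to implement the second option above, as an added example that is not part of this thread and not SailPoint's own sailpoint.integration.ApacheHttpClient. It assumes Apache HttpClient 4.4+ on the plugin classpath and a JKS/PKCS12 truststore file that you manage (path and password are placeholders); the package name mirrors the one in the question.

```java
package com.my.code.http.client.helper; // hypothetical, mirrors the question

import java.io.File;
import java.io.IOException;
import java.util.Map;
import javax.net.ssl.SSLContext;
import org.apache.http.client.methods.CloseableHttpResponse;
import org.apache.http.client.methods.HttpGet;
import org.apache.http.conn.ssl.DefaultHostnameVerifier;
import org.apache.http.conn.ssl.SSLConnectionSocketFactory;
import org.apache.http.impl.client.CloseableHttpClient;
import org.apache.http.impl.client.HttpClients;
import org.apache.http.ssl.SSLContexts;
import org.apache.http.util.EntityUtils;

public final class StrictTlsHttpClient implements AutoCloseable {
    private final CloseableHttpClient client;
    private String lastBody = "";

    // trustStore: a file containing only the CA(s) you expect, e.g. new File("/opt/iiq/plugin-truststore.p12")
    public StrictTlsHttpClient(File trustStore, char[] trustStorePassword) throws Exception {
        // Explicit trust material and NO TrustAllStrategy/TrustSelfSignedStrategy:
        // any chain that does not end in a CA from this store fails the handshake.
        SSLContext ctx = SSLContexts.custom()
                .loadTrustMaterial(trustStore, trustStorePassword)
                .build();
        // DefaultHostnameVerifier checks the certificate against the requested host;
        // NoopHostnameVerifier would silently disable that check.
        SSLConnectionSocketFactory sslFactory =
                new SSLConnectionSocketFactory(ctx, new DefaultHostnameVerifier());
        this.client = HttpClients.custom().setSSLSocketFactory(sslFactory).build();
    }

    // Returns the HTTP status; an untrusted or mismatched server certificate surfaces as
    // javax.net.ssl.SSLHandshakeException (an IOException) instead of a 2xx, which is the
    // behaviour the question expected from the stock wrapper.
    public int get(String url, Map<String, String> headers) throws IOException {
        HttpGet req = new HttpGet(url);
        for (Map.Entry<String, String> h : headers.entrySet()) {
            req.addHeader(h.getKey(), h.getValue());
        }
        try (CloseableHttpResponse resp = client.execute(req)) {
            lastBody = resp.getEntity() == null ? "" : EntityUtils.toString(resp.getEntity());
            return resp.getStatusLine().getStatusCode();
        }
    }

    public String getBody() { return lastBody; }

    @Override
    public void close() throws IOException { client.close(); }
}
```

Keep the plugin truststore separate from cacerts so that adding one partner CA does not widen trust for every other connection the JVM makes.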