Cannot change TIE Reputation when Certificate is used for DXL authentication

  • Hello,

    has anyone seen the same behavior? We developed a DXL Client to change the Reputation Level in TIE. This works pretty fine, but with one problem. Or maybe a bug in DXL?


    DXL Topic authorization: TIE Server set enterprise Reputation.

    Default Value: Send Restrictions -> ePO.

    When we add the certificate from our application we can query DXL Topics but we cannot change it.

    When changing the value to "All Systems" everything works fine.


    So, we do not want to change this value to "All Systems".

    Any idea how this can be fixed?


    Cheers

  • Hi-


    It sounds like you are doing everything correctly.


    Before attempting to reproduce this, can you please confirm what your broker fabric looks like? How many brokers are deployed? What is the version of the brokers deployed? Also, what is the version of the DXL extensions?


    Thanks,

    Chris

  • Hello Chris,

    enclosed the requested versions.


    EPO Extensions:

    • McAfee DXL Broker Management: 3.1.0.595
    • DXL Client for ePO: 3.1.0.580
    • McAfee DXL Client Management: 3.1.0.580


    DXL Broker versions.

    • TIE Master and Slave with TIE 2.1.0.323 where DXL Broker service 2.0.1.140 is active.
    • DXL Broker 3.1.0.595


    Enclosed the information from the DXL Fabric. The DXL Client is connected to broker01. The TIE Server(s) have the DXL Broker Service active, because we do not have so many endpoints.


    Cheers

  • Thanks a lot for collecting that information.


    Support for certificate-based authorization was added in 3.0.1. For it to work correctly, all brokers in the fabric must be at least on that version. In the fabric displayed, only one broker is at that version (3.1.0.595). The other brokers embedded in the TIE servers are still on a 2.x version.


    Our testing of 3.1.0.595 did include a suite of tests related to certificate based authorization. However, I will configure a broker today matching that version to confirm it is working as expected.


    Thanks,

    Chris

  • Hi Thorsten-


    I configured an environment with DXL Broker 3.1.0.595 and confirmed that I was able to set a TIE reputation.


    A couple of things you can look for if you are still having issues.

    1.) Check the broker log file to see if authorization errors are occurring.

    The broker log file is named dxlbroker.log and can be found under the /var directory on the broker. If you see an error similar to the following when attempting to set a reputation in TIE, the authorization is not properly configured:


    [139640851416928] 08/04/17 16:52:44 [I]  Not authorized for send: 9067752a-6f80-476d-848b-615a26375431 (/mcafee/service/tie/file/reputation/set) (message/handler/src/AuthorizationHandler.cpp:44)

    2.) Confirm that the certificate is found in the broker's authorization policy

    If the authorization policy on the broker does not contain two entries (ePO and your certificate) that indicates that the policy has not been updated correctly on the broker. Check the contents of the topicauth.policy also found under the /var directory on the broker.


    If the "file reputation" topic within the PUBLISHERS section only has one entry (as shown below) that indicates the policy has not been received correctly by the broker:


    /mcafee/service/tie/file/reputation/set={da34e96a-1d00-47c1-ba54-6927852af1af}


    A correct policy which contains ePO and the certificate should appear similar to the following:


    /mcafee/service/tie/file/reputation/set=d86e4f73a454623b2fe03a5298728e8c1a9e4f7f;{da34e96a-1d00-47c1-ba54-6927852af1af}


    Hope this helps,

    Chris
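The two checks described in the last reply, as an added example that is not part of the thread and is not McAfee tooling: it scans dxlbroker.log text for denied sends on the reputation-set topic and reports whether the topic's topicauth.policy line lists a certificate entry next to ePO. Assumptions: the policy text passed in is the PUBLISHERS section (its header syntax is not shown in the thread, so it is not parsed), a certificate entry is 40 hex characters as in the quoted example, and the function names are hypothetical.

```python
import re

SET_TOPIC = "/mcafee/service/tie/file/reputation/set"

# Pattern follows the single dxlbroker.log line quoted in the thread.
DENIED_RE = re.compile(r"Not authorized for send: (\S+) \((/[^)\s]+)\)")
# Assumption: a certificate entry is 40 hex characters, as in the thread's example.
CERT_RE = re.compile(r"[0-9a-fA-F]{40}")

def denied_sends(log_text, topic=SET_TOPIC):
    """Client ids the broker refused to let send on `topic`, in first-seen order."""
    ids = []
    for line in log_text.splitlines():
        m = DENIED_RE.search(line)
        if m and m.group(2) == topic and m.group(1) not in ids:
            ids.append(m.group(1))
    return ids

def publishers(policy_text, topic=SET_TOPIC):
    """Entries allowed to send on `topic`, or None if the topic has no line."""
    for line in policy_text.splitlines():
        key, sep, value = line.strip().partition("=")
        if sep and key == topic:
            return [e.strip() for e in value.split(";") if e.strip()]
    return None

def diagnose(log_text, policy_text, topic=SET_TOPIC):
    """Combine both checks into one report for the given topic."""
    entries = publishers(policy_text, topic)
    certs = [e for e in entries or [] if CERT_RE.fullmatch(e)]
    return {"denied_clients": denied_sends(log_text, topic),
            "publishers": entries,
            "certificate_entries": certs,
            "policy_has_certificate": bool(certs)}

# Sample input assembled from the lines quoted in the thread.
SAMPLE_LOG = ("[139640851416928] 08/04/17 16:52:44 [I]  Not authorized for send: "
              "9067752a-6f80-476d-848b-615a26375431 "
              "(/mcafee/service/tie/file/reputation/set) "
              "(message/handler/src/AuthorizationHandler.cpp:44)\n")
STALE_POLICY = SET_TOPIC + "={da34e96a-1d00-47c1-ba54-6927852af1af}\n"
GOOD_POLICY = (SET_TOPIC + "=d86e4f73a454623b2fe03a5298728e8c1a9e4f7f;"
               "{da34e96a-1d00-47c1-ba54-6927852af1af}\n")

if __name__ == "__main__":
    for name, policy in (("stale", STALE_POLICY), ("updated", GOOD_POLICY)):
        print(name, diagnose(SAMPLE_LOG, policy))
```

A denied client id together with `policy_has_certificate` being false matches the case described in the reply where the broker has not received the updated policy.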