Problems behind corporative proxy

[victorsanpe]

Hello.
I am having some troubles in order to connect and get resources behind a corporative proxy.

First, when I config the yaml file and write proxy variables with the prefix ALPINE, it seems not to work:
2022-07-26 09:41:13,165 INFO [NistMirrorTask] Initiating download of https://nvd.nist.gov/feeds/json/cve/1.1/nvdcve-1.1-modified.json.gz
2022-07-26 09:41:43,383 ERROR [NistMirrorTask] Download failed : Connect to server.ttec.es:8080 [server.ttec.es/172.17.21.165] failed: connect timed out

However if I erase the prefix and declare as it is showed bellow, it seems to work but I am getting a certificate error.
As the backend is a jar, I can not change it in order it could connect via 'http' to get the resources.

    - HTTP_PROXY_ADDRESS=server.ttec.es
    - HTTP_PROXY_PORT=8080
    - HTTP_PROXY_USERNAME=bbbbbbb
    - HTTP_PROXY_PASSWORD=aaaaaaaa
    - NO_PROXY=localhost, bla bla bla, .ttec.es

2022-07-26 09:52:18,361 INFO [EpssMirrorTask] Initiating download of https://epss.cyentia.com/epss_scores-current.csv.gz
2022-07-26 09:52:18,450 ERROR [EpssMirrorTask] Download failed : PKIX path building failed: sun.security.provider.certpath.SunCertPathBuilderException: unable to find valid certification path to requested target

[nscuro]

You're most likely running into a situation where your corporate proxy serves a TLS certificate that was signed by an internal CA.

Dependency-Track (or rather the Java Runtime it uses) has a set of public CAs that are trusted (referred to as "trust store" in Java world).

In order to resolve this issue, you must add the certificate of your proxy to the truststore. This can be done as follows:

# Get original trust store from API server container
container_id=$(docker run -d --rm dependencytrack/apiserver:4.5.0)
docker exec -i $container_id sh -c '/bin/base64 /opt/java/openjdk/lib/security/cacerts' | base64 -d > cacerts
docker stop $container_id

# Add internal CA certificate (acme.crt) to trust store
# This assumes that you have the Java JDK installed on your system
keytool -keystore ./cacerts -storepass changeit \
    -noprompt -trustcacerts -importcert -alias acme.crt \
    -file ./acme.crt

The modified truststore can then be mounted into the API server container, e.g. like this for Docker Compose:

volumes:
- "./cacerts:/opt/java/openjdk/lib/security/cacerts:ro"

[victorsanpe]

Thanks for your reply.
This aproach could be ok, but I could not test it, because I do not know how could I get the certificate the proxy is using when signing the request that sends to the external dependency-track server. I have not access to the corporate proxy, althought perhaps I could ask for that certificate to the responsable. I do not know if he could provide me it.

Once I would have it, I could add to the cacerts and test.

At the same time, would be any chance of avoiding the encrypted request and make a plain one from the api?

Thank you.

[nscuro]

I do not know how could I get the certificate the proxy is using when signing the request that sends to the external dependency-track server

You only need the certificate that the proxy serves to its caller (can be the DT API server, but might just as well be yourself). You should be able to get that certificate like you would do for any other website that uses TLS, see here for instructions with Firefox: https://support.mozilla.org/en-US/kb/secure-website-certificate

The certificate itself is not confidential, you don't need the private key.

would be any chance of avoiding the encrypted request and make a plain one from the api?

No, and I'm very confident that this is something we'll never support.

[victorsanpe]

Hello. As I am on holidays I could not test it at work, but I managed to get the same error at home with an intermediate proxy.
I included the certificate from my test proxy to cacerts with the help of KeyStoreExplorer and it works ok.
Thanks for your time and your accurate reply. Greetings.

[lsauer]

I got the connection to work.
Thanks.

Unfortunately, the OIDC redirects me to the the main page, rather than to the page under htpps://main.url/dtrack/
I've setup everything in Keycloak according to the documentation with ../dtrack/oidc-callback.html.
It should still do the login through SSO though and when I visit the login site after i was redirected to the root page, the SSO starts and it fails. 401 Unauthorized.
The API Server says:

dtrack-apiserver_1  | 2022-07-27T10:00:24.313489268Z 2022-07-27 10:00:24,311 INFO [UserResource] Unauthorized OpenID Connect login attempt / IP Address: .148 / User Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/
dtrack-apiserver_1  | 2022-07-27T10:01:14.677446132Z 2022-07-27 10:01:14,677 INFO [MetricsUpdateTask] Completed metrics update on vulnerability database
dtrack-apiserver_1  | 2022-07-27T10:17:12.481148500Z 2022-07-27 10:17:12,480 ERROR [OidcIdTokenAuthenticator] Parsing ID token failed
dtrack-apiserver_1  | 2022-07-27T10:17:12.481177303Z java.text.ParseException: Invalid serialized unsecured/JWS/JWE object: Missing part delimiters

And indeed in the Browser WebDev Console I can see that to dtrack/login the following Form data was posted: accessToken:..................... idToken:` <-NOTHING

idToken is empty

[nscuro]

Ensure that the frontend request to the /auth endpoint of the Keycloak contains the scope "openid". For example:

https://example.com/auth/realms/example/protocol/openid-connect/auth?client_id=dependency-track&redirect_uri=https://dtrack.example.com/static/oidc-callback.html&response_type=code&scope=openid profile email&state=d6085b04362e4ca28b3e1a57caa754bb&code_challenge=kPPc492YyS_WeJ-bHDY5zvC-4zGyfyS3SsQTCviPjQU&code_challenge_method=S256&response_mode=query

Otherwise this may be a Keycloak configuration issue.

[lsauer]

It works now.
I did several steps:

• fix: reverse proxy settings weren't encompassing all /static/ locations and some libraries thus couldn't be loaded by oidc-callback.html
• I turn on user provisioning

I cannot get the redirect to be /dtrack/static/oidc-callback.html instead of /static/oidc-callback.html.

Where can I set that context path? I tried to retrace the browser-flow but without success.
Acording to the OAuth flow the App determines its own redirection url. So it has to be set somewhere in DT.

[nscuro]

Context paths other than / are not supported right now using prebuilt container images. We have an open issue for that here: DependencyTrack/frontend#153

This has to do with how the base path is configured - it's a build-time variable right now (DependencyTrack/frontend#153 (comment)).

You could build your own image with publicPath being set to /dtrack/ instead if you really need to deploy to a subdirectory.

[lsauer]

Do you have a string or Keyword for me. Since it is minified etc. I cannot search for a publicPath. I would simply rewrite the string. That would solve it.

Actually I cannot find anything named publicPath in the repository either: https://github.com/DependencyTrack/dependency-track/search?q=publicPath

[nscuro]

As I said, it's a built-time setting, so you won't find it in the compiled code that's presented to your browser.

The code is here:

https://github.com/DependencyTrack/frontend/blob/f0d0f7b44b7a69340f5b50c6ba7b7ba80b69b156/vue.config.js#L8

publicPath is a Vue.js configuration option, see https://cli.vuejs.org/config/#publicpath