To understand xConnect more in depth or just simply for future troubleshooting purposes, it's good to setup an API testing environment for xConnect. I have been using Postman mainly for this purpose, so in this post, I am going through the steps for setting up Postman to talk to xConnect services.
The main reason for creating a post for this is due to the client certification authentication requirement for xConnect. Also this is for xConnect on a local machine so I assume you have to deal with certifications yourself.
- Install and setup Postman if not done
- Export client certificate from your local machine
- Bring up Microsoft Management Console and load Certificates for Computer Account. Under Personal/Certificates, you should be able to find the certificate used by your local xConnect. For me, it's called: sc902a.xconnect_client
- Right click -> All Tasks -> Export
- Follow the wizard and choose Yes for exporting Private Key and on Security screen, setup password and keep note of the password somewhere. Choose where the pfx file is saved and note the location.
- Optional - if you want to call xConnect in browsers as well
- Bring up Microsoft Management Console and load Certificates for My User Account, Under Personal/Certificates, import the pfx file exported from previous step, it should ask you for the password.
- When this is done, when xConnect domain is accessed in Browser, it should pop up a Window for you to select the certificate to allow the website being accessed. Note the domain being used to access need to match the certificate hostname.
- Make sure you have openssl
- Run following commands to extract cert and key files:.\openssl.exe pkcs12 -in "sc902a.pfx" -clcerts -nokeys -out "sc902a.cer".\openssl.exe pkcs12 -in "sc902a.pfx" -nocerts -nodes -out -nocerts -nodes -out "sc902a.key"
- In Postman, Files -> Settings
- In General tab, turn off "SSL Certificate Verification"
- In Certificates tab
- Click Add Certificate
- Fill in the hostname. Note this needs to be the same as the hostname setup in the certificate
- Select cer and key file and fill in the password, then click add
- Now you should be able to make request to your xConnect services, you can test using root path, /odata or /odata/$metadata. Note, the domain used to access must match the hostname in the certificate.
Note: if you still getting 403.16 error after all above steps while connecting to xConnect, or it worked initially but stopped working after some time. And you have tried the fix you found from Stackoverflow to remove self-signed root certificates. Try adding a registry key like this:
- Location: HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL
- Value name: ClientAuthTrustMode
- Value type: REG_DWORD
- Value data: 2
Credit goes to this link: https://stackoverflow.com/questions/27232340/mutual-certificates-authentication-fails-with-error-403-16/27282889#27282889