I figured as much. I was just hoping someone might have an idea of what I might need to change.

Regards,
TJ

@tthurman

I was getting the same error last week. I performed the following:

1. Created my GSX account. This was difficult for us but we got it all straightened out.
2. Verified our account had the following permissions: -- "Can Access Web Services" -- "Can Check Coverage/Warranty"
3. Create your Apple Certificate -- https://jamfnation.jamfsoftware.com/article.html?id=26 -- https://gsxwsut.apple.com/apidocs/prod/html/WSFaq.html, --- Note: Create your Cert via Casper. It will be a lot easier. I created mine using Apple's instructions and how to go through an extra step. If you need the command, I have it thanks to @yellow 4.) Email gsxws@apple.com with the following information: -- Subject: GSX New Generation WSDL On-boarding Request -- Message Content: -- GSX Sold To account number -- Primary IT contact’s name -- Primary IT contact’s email -- Primary IT contact’s phone number -- Static outgoing server IP address sending requests to GSX production -- Static outgoing server IP address sending requests to GSX UT Apple Channel Manager 5.) They will send you a cert. -- Note: I received word back that it will take two to four weeks for my IP Address to be whitelisted 6.) Import the cert into Casper 7.) Wait on Apple to whitelist your IP

Resources:

• https://jamfnation.jamfsoftware.com/article.html?id=26

• https://gsxwsut.apple.com/apidocs/prod/html/WSFaq.html?mkt_tok=3RkMMJWWfF9wsRovv6XBZKXonjHpfsX56O4tWK%2B%2BlMI%2F0ER3fOvrPUfGjI4ES8ZhI%2BSLDwEYGJlv6SgFTbDBMbZ5yrgIWRY%3D

• Email from JAMF: Email was sent out April 14, 2015

@lee.smith

So, basically, my current GSX Setup is invalid? Cool.

I'll do your steps and see how it goes.

Thanks!

Regards,
TJ

Currently have the same issue. My questions is, why can't I use Password-based Authentication instead of the certificate. It was working recently with Password-based Authentication but has started failing with the wrong URL error message, but the URL is set automatically.

I would echo @davidacland said above:

"GSX has gone through a load of security enhancements, restricting to particular IP addresses etc, so you may need to make changes to get that working again."

I know JAMF sent out an email back in April about GSX Web Services API update and SSL requirements. Here is the email:

Hello All!

Apple recently sent out communication regarding two upcoming changes to GSX service access. JAMF Software is working to ensure there are no disruptions in the Casper Suite’s link to client’s GSX connection, but there are a few requirements that must be handled by the GSX service account holder to completely avoid disruption.

What are the changes?
Beginning on April 22nd, the GSX web portal will require two-factor authentication. This will not affect the JSS’ API call to the service, but it will affect how customers login to https://gsx.apple.com/WebApp/login.htm.
Beginning in August, the GSX Web Services (API) will require certificate-based authentication, which requires all customers to generate a Certificate Signing Request (CSR) and send it to Apple.

What do customers need to do?
Before April 22nd, login into the GSX web portal and enable two-factor authentication.
Customers must send a CSR to Apple in order to get a certificate for the certificate-based authentication change. Apple has asked that all CSRs are submitted to gsxws@apple.com by April 17th. The email must include the following information:
-- Subject: GSX New Generation WSDL On-boarding Request
-- Message Content: --- GSX Sold To account number
--- Primary IT contact’s name
--- Primary IT contact’s email
--- Primary IT contact’s phone number
--- Static outgoing server IP address sending requests to GSX production
--- Static outgoing server IP address sending requests to GSX UT
--- Apple Channel Manager
The preferred switch-to date (Do not switch to certificate-based authentication until JAMF Software notifies the community that this functionality is supported. We will have an official release to support this before August)

The instructions to generate the CSR may be found at https://gsxwsut.apple.com/apidocs/prod/html/WSFaq.html, beneath the Certificates heading.

I followed the above instructions and received a response. I was notified my IP Address would be whitelisted 2 to 4 weeks.

Well..... My IP has been whitelisted. So, I ran a test and ran into the following error:

AUTH.UPL.002: Invalid certificate for the SoldTo.

I have emailed GSX and currently waiting on a response.

Hi,

JAMF have some instructions here: https://jamfnation.jamfsoftware.com/article.html?id=26

Does this help?

Hey Everyone,

So, my issue came down to creating the cert. It is HIGHLY Important/IMPERATIVE you type the FQDN exactly right. As noted in "What are the instructions to follow when generating the CSR?"

https://gsxwsut.apple.com/apidocs/ut/html/WSFaq.html

--- The FQDN is a very important field and it’s CASE SENSITIVE.

This is embarrassing, so I hope someone learns from my PEBCAK problem. I was typing the following:

-- Applecare-App157-0000012345.Prod.apple.com

--- not ---

-- Applecare-APP157-0000012345.Prod.apple.com

You see the difference? Capital Ps in APP. Yep.

Hope this helps!

Dead link. I just got the email today from GSX. This isn't the first time I've gotten dead links from GSX. That site is such a confusing pile of garbage.

@lee.smith When I give GSX my IP, do I give them my external IP? Were a school district so I assume they'd want to whitelist the IP address of the school's WAN.

Hey @mklos !

Yes, you will want to give the the external IP Address where the server sits. For example, we have arrange of IP's provided by our Internet Service Provider (ISP) and we use the IP Addresses for various Assignments. One of the IP Addresses is for our internet connectivity/traffic. Our Casper Server uses that Public IP Address. I provided that IP Address to GSX.

For our environment, our server is not hosted but located on premise. If your server is sitting in a datacenter somewhere it will be the IP Address it uses to connect to the Internet.

A tool you can use to look up your public IP Address is ipchicken.com This will give you the IP Address your internet traffic is going out.

Does all that make sense?

@lee.smith Makes perfect sense. This is what I was thinking. I'll grab the external IP and get the ball rolling on this.

Thank you for your help!

@lee.smith Quick question...GSX gave me back 3 .pem files. One has cert.pem, another has chain.pem, and the last one has issuer.pem on the end of the filename. I assume I use the cert after I covert it?

Hey @mklos Yes, you will need to convert/combine the .pem files with your private key to .p12.

I ran into some issues with my Certs and requested assistance from JAMF. They sent me some scripts. You can call JAMF and request assistance. They have a script to convert them easily. Here is what they sent me

#!/bin/bash

#Written by LeeBob

mkdir ~/Desktop/GSX - Do Not Delete/

openssl genrsa -aes256 -out ~/Desktop/GSX - Do Not Delete/privatekey.pem 2048

openssl req -new -sha256 -key ~/Desktop/GSX - Do Not Delete/privatekey.pem -out ~/Desktop/GSX - Do Not Delete/my_gsx.csr

echo 

echo Good Work! 

echo 

echo You just created a certificate signing request, it is in a folder on your desktop called “GSX - Do Not Delete” 

echo 

echo The file is called “my_gsx.csr” send this file to Apple. 

echo 

echo Please mail the “my_gsx.csr” file to Apple to receive a client certificate in return.

echo

echo Please keep the other file labeled “privatekey.pem” as we will need this once apple sends back the client certificate.

echo

You can also visit:

https://jamfnation.jamfsoftware.com/article.html?id=26

Check out @yellow Posted: 10/19/15 at 10:31 AM by yellow

I hope I didn't give you information overload.

Does this make sense?

Thank you for the information....I read a different article here that explained something totally different when creating the file to send to GSX so I followed the directions in the link you posted and send a different type of file which was called gsx.certSigningRequest to GSX.

They have already whitelisted my IP which surprisingly only took about 2 business days!

Thanks again for your help. I wish there was a better way to do this ourselves from our GSX account, but oh well.

Hi @lee.smith We have same problem. Every things is done but we cant access to web services.
Out IP address is in whiteList. we have certifcate from apple both for prod and test. When we request to service , returns "Invalid certificate for the SoldTo.".

Did you solve this. Can you help me. I can sharing my application code. There is a thing that we are missing but we cannot see.

Hey @Yiğit

Can you provide the exact error message? Is it something like "AUTH.UPL.003: Invalid URL for this SoldTo"

Also, what version of Casper are you running?

I hope to hear from you soon.

Lee

The SoldTo error you are seeing is because of a change GSX made to the API for the system. From what I've read elsewhere, JAMF is going to have to upgrade the JSS to get it to work correctly with GSX again. I can't find the other thread where JAMF confirmed with but hopefully someone with better search fu can link to it.

I am receiving the following error:

RPR.COM.008: Choose a Ship-To location

In thread:

https://jamfnation.jamfsoftware.com/discussion.html?id=19943

I will need to upgrade Casper.

Hi @Lee I got this result (AUTH.UPL.002):

<?xml version="1.0"?> -<S:Envelope xmlns:S="http://schemas.xmlsoap.org/soap/envelope/"> -<S:Body> -<S:Fault xmlns:ns4="http://www.w3.org/2003/05/soap-envelope"> <faultcode>AUTH.UPL.002</faultcode> <faultstring>Invalid certificate for the SoldTo.</faultstring> -<detail> <operationId>v3FAa0GHxPQGLID7HCZI56</operationId> </detail> </S:Fault> </S:Body> </S:Envelope>

I dont use Casper on my Windows machine. is it required?