Have any of you had this issue with your JSS?
I recently got an email about an error. I decided to test my JSS GSX connection. Failing.
AUTH.UPL.003: Invalid URL for this SoldTo.
I was getting the same error last week. I performed the following:
Email from JAMF: Email was sent out April 14, 2015
Currently have the same issue. My question is, why can't I use Password-based Authentication instead of the certificate? It was working recently with Password-based Authentication but has started failing with the wrong URL error message, but the URL is set automatically.
I would echo what @davidacland said above:
"GSX has gone through a load of security enhancements, restricting to particular IP addresses etc, so you may need to make changes to get that working again."
I know JAMF sent out an email back in April about GSX Web Services API update and SSL requirements. Here is the email:
Apple recently sent out communication regarding two upcoming changes to GSX service access. JAMF Software is working to ensure there are no disruptions in the Casper Suite’s link to client’s GSX connection, but there are a few requirements that must be handled by the GSX service account holder to completely avoid disruption.
What are the changes?
Beginning on April 22nd, the GSX web portal will require two-factor authentication. This will not affect the JSS’ API call to the service, but it will affect how customers log in to https://gsx.apple.com/WebApp/login.htm.
Beginning in August, the GSX Web Services (API) will require certificate-based authentication, which requires all customers to generate a Certificate Signing Request (CSR) and send it to Apple.
What do customers need to do?
Before April 22nd, log in to the GSX web portal and enable two-factor authentication.
Customers must send a CSR to Apple in order to get a certificate for the certificate-based authentication change. Apple has asked that all CSRs are submitted to email@example.com by April 17th. The email must include the following information:
-- Subject: GSX New Generation WSDL On-boarding Request
-- Message Content:
--- GSX Sold To account number
--- Primary IT contact’s name
--- Primary IT contact’s email
--- Primary IT contact’s phone number
--- Static outgoing server IP address sending requests to GSX production
--- Static outgoing server IP address sending requests to GSX UT
--- Apple Channel Manager
--- The preferred switch-to date (Do not switch to certificate-based authentication until JAMF Software notifies the community that this functionality is supported. We will have an official release to support this before August)
The instructions to generate the CSR may be found at https://gsxwsut.apple.com/apidocs/prod/html/WSFaq.html, beneath the Certificates heading.
I followed the above instructions and received a response. I was notified my IP Address would be whitelisted in 2 to 4 weeks.
Well..... My IP has been whitelisted. So, I ran a test and ran into the following error:
AUTH.UPL.002: Invalid certificate for the SoldTo.
I have emailed GSX and am currently waiting on a response.
So, my issue came down to creating the cert. It is HIGHLY Important/IMPERATIVE you type the FQDN exactly right. As noted in "What are the instructions to follow when generating the CSR?"
--- The FQDN is a very important field and it’s CASE SENSITIVE.
This is embarrassing, so I hope someone learns from my PEBCAK problem. I was typing the following:
--- not ---
You see the difference? Capital Ps in APP. Yep.
Hope this helps!
Hey @mklos !
Yes, you will want to give the external IP Address where the server sits. For example, we have a range of IPs provided by our Internet Service Provider (ISP) and we use the IP Addresses for various Assignments. One of the IP Addresses is for our internet connectivity/traffic. Our Casper Server uses that Public IP Address. I provided that IP Address to GSX.
For our environment, our server is not hosted but located on premise. If your server is sitting in a datacenter somewhere it will be the IP Address it uses to connect to the Internet.
A tool you can use to look up your public IP Address is ipchicken.com. This will give you the IP Address your internet traffic is going out.
Does all that make sense?
Hey @mklos Yes, you will need to convert/combine the .pem files with your private key to .p12.
I ran into some issues with my Certs and requested assistance from JAMF. They sent me some scripts. You can call JAMF and request assistance. They have a script to convert them easily. Here is what they sent me:

```bash
#!/bin/bash
# Written by LeeBob
# Creates a passphrase-protected RSA key and a CSR in a folder on the Desktop.

# The folder name contains spaces, so every use of the path is quoted.
DIR="$HOME/Desktop/GSX - Do Not Delete"
mkdir -p "$DIR"

# 2048-bit private key, encrypted with AES-256 (prompts for a passphrase).
openssl genrsa -aes256 -out "$DIR/privatekey.pem" 2048

# CSR signed with SHA-256 (prompts for the subject fields, including the FQDN).
openssl req -new -sha256 -key "$DIR/privatekey.pem" -out "$DIR/my_gsx.csr"

echo
echo "Good Work!"
echo
echo 'You just created a certificate signing request, it is in a folder on your desktop called "GSX - Do Not Delete"'
echo
echo 'The file is called "my_gsx.csr" send this file to Apple.'
echo
echo 'Please mail the "my_gsx.csr" file to Apple to receive a client certificate in return.'
echo
echo 'Please keep the other file labeled "privatekey.pem" as we will need this once apple sends back the client certificate.'
echo
```
You can also visit:
Check out @yellow Posted: 10/19/15 at 10:31 AM by yellow
I hope I didn't give you information overload.
Does this make sense?
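
Two things from the posts above can be checked locally: that the CSR's FQDN is spelled with exactly the intended case, and that the returned certificate belongs to the private key before the two are combined into a .p12. The script below is an added example, not part of the thread and not JAMF's conversion script; the FQDN, file names and passphrases are constructed placeholders, and a self-signed certificate stands in for the one Apple returns.

```shell
#!/bin/sh
# Added example: checks to run on the CSR and on the returned certificate.
# FQDN, file names and passphrases are constructed placeholders.

# Print the CSR's commonName exactly as it was typed (case preserved).
csr_cn() {
    openssl req -in "$1" -noout -subject -nameopt multiline |
        sed -n 's/^ *commonName *= *//p'
}

# True only if the CSR's CN equals the expected FQDN byte for byte.
check_csr_fqdn() { [ "$(csr_cn "$1")" = "$2" ]; }

# True only if certificate $1 and private key $2 hold the same public key.
cert_matches_key() {
    cert_pub=$(openssl x509 -in "$1" -noout -pubkey) || return 1
    key_pub=$(openssl pkey -in "$2" -passin env:KEY_PASS -pubout) || return 1
    [ "$cert_pub" = "$key_pub" ]
}

# Combine certificate $1 and key $2 into PKCS#12 file $3; refuse on mismatch.
make_p12() {
    cert_matches_key "$1" "$2" || { echo "certificate/key mismatch" >&2; return 1; }
    openssl pkcs12 -export -in "$1" -inkey "$2" -passin env:KEY_PASS \
        -out "$3" -passout env:P12_PASS
}

# Constructed demo: a self-signed certificate stands in for the issued one.
demo() {
    d=$(mktemp -d) || return 1
    export KEY_PASS='constructed-key-pass' P12_PASS='constructed-p12-pass'
    fqdn='Constructed-APP-0001.example.com'   # placeholder, not a real GSX FQDN
    openssl genrsa -aes256 -passout env:KEY_PASS -out "$d/privatekey.pem" 2048 2>/dev/null
    openssl req -new -sha256 -key "$d/privatekey.pem" -passin env:KEY_PASS \
        -subj "/CN=$fqdn" -out "$d/my_gsx.csr"
    openssl req -new -x509 -key "$d/privatekey.pem" -passin env:KEY_PASS \
        -subj "/CN=$fqdn" -days 1 -out "$d/cert.pem"
    check_csr_fqdn "$d/my_gsx.csr" "$fqdn" && echo "CSR CN matches"
    check_csr_fqdn "$d/my_gsx.csr" "$(echo "$fqdn" | tr 'A-Z' 'a-z')" ||
        echo "lower-cased FQDN rejected"
    make_p12 "$d/cert.pem" "$d/privatekey.pem" "$d/gsx.p12" && echo "wrote gsx.p12"
    rm -rf "$d"
}
demo
```

The passphrases are read from environment variables (`env:`) so they do not appear in the process list; the `.p12` and `privatekey.pem` should stay readable only by the account that runs the JSS.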
Thank you for the information....I read a different article here that explained something totally different when creating the file to send to GSX so I followed the directions in the link you posted and sent a different type of file which was called gsx.certSigningRequest to GSX.
They have already whitelisted my IP which surprisingly only took about 2 business days!
Thanks again for your help. I wish there was a better way to do this ourselves from our GSX account, but oh well.
We have the same problem. Everything is done but we can't access the web services.
Our IP address is in the whitelist. We have certificates from Apple for both prod and test. When we send a request to the service, it returns "Invalid certificate for the SoldTo.".
Did you solve this? Can you help me? I can share my application code. There is something that we are missing but we cannot see it.
The SoldTo error you are seeing is because of a change GSX made to the API for the system. From what I've read elsewhere, JAMF is going to have to upgrade the JSS to get it to work correctly with GSX again. I can't find the other thread where JAMF confirmed this, but hopefully someone with better search fu can link to it.
Hi @Lee I got this result (AUTH.UPL.002):
```xml
<?xml version="1.0"?>
<S:Envelope xmlns:S="http://schemas.xmlsoap.org/soap/envelope/">
  <S:Body>
    <S:Fault xmlns:ns4="http://www.w3.org/2003/05/soap-envelope">
      <faultcode>AUTH.UPL.002</faultcode>
      <faultstring>Invalid certificate for the SoldTo.</faultstring>
      <detail>
        <operationId>v3FAa0GHxPQGLID7HCZI56</operationId>
      </detail>
    </S:Fault>
  </S:Body>
</S:Envelope>
```
I don't use Casper on my Windows machine. Is it required?