Merge pull request #585 from vossen-adobe/ssl_vrfy

Ability to disable SSL verify for umapi

Author: adorton-adobe

docs/en/user-manual/deployment_best_practices.md

@@ -244,6 +244,29 @@ logging:
   log_file_name_format: "user-sync.log"
 ```
 
+### Disabling SSL Verification
+
+In environments where SSL inspection is enforced at the firewall, the UMAPI client can encounter the following error:
+
+`CRITICAL main - UMAPI connection to org id 'someUUIDvalue@AdobeOrg' failed: [SSL: CERTIFICATE_VERIFY_FAILED] `
+
+This is because the requests module is not aware of the middle-man certificate required for SSL inspection.  The recommended solution to this problem is to specify a path to the certificate bundle using the  REQUESTS_CA_BUNDLE environment variable (see https://helpx.adobe.com/enterprise/kb/UMAPI-UST.html for details).  However, in some cases following these steps does not solve the problem.  The next logical step is to disable SSL inspection on the firewall for the UMAPI traffic.  If, however, this is not permitted, you may work around the issue by disabling SSL verification for user-sync.  
+
+Disabling the verification is unsafe, and leaves the umapi client vulnerable to middle man attacks, so it is recommended to  avoid disabling it if at all possible.  The umapi client only ever targets two URLs - the usermanagement endpoint and the ims endpoint - both of which are secure Adobe URL's.  In addition, since this option is only recommended for use in a secure network environment, any potential risk is further mitigated.
+
+To bypass the ssl verification, update the umapi config as follows:
+
+```yaml
+server:
+  ssl_verify: False
+```
+
+During the calls, you will also see  a warning from requests:
+
+"InsecureRequestWarning: Unverified HTTPS request is being made to host 'usermanagement-stage.adobe.io'. Adding certificate verification is strongly advised. See: https://urllib3.readthedocs.io/en/latest/advanced-usage.html#ssl-warnings
+  InsecureRequestWarning"
+
+
 ---
 
 [Previous Section](advanced_configuration.md)  \| [Next Section](additional_tools.md)

examples/config files - basic/connector-umapi.yml

@@ -19,13 +19,24 @@
 # alternate values by Adobe as part of a support engagement.  It is
 # highly recommended that you leave these values commented out
 # so that the default values are guaranteed to be used.
+
+# (optional) ssl_verify
+# Allows you to disable the SSL verification used by the requests module.  This can
+# come in handy for troubleshooting or working around network / proxy related issues when
+# the following error is encountered:
+
+#  'UMAPI connection to org id failed: [SSL: CERTIFICATE_VERIFY_FAILED]'
+
+# It is recommended to leave this set to default (True), since it leaves UST potentially
+# vulnerable to middle man attacks and set to False only if absolutely needed.
 server:
   #host: usermanagement.adobe.io
   #endpoint: /v2/usermanagement
   #ims_host: ims-na1.adobelogin.com
   #ims_endpoint_jwt: /ims/exchange/jwt
   #timeout: 120
   #retries: 3
+  #ssl_verify: True
 
 # (required) enterprise organization settings
 # You must specify all five of these settings.  Consult the

user_sync/connector/umapi.py

@@ -65,6 +65,7 @@ def __init__(self, name, caller_options):
         server_builder.set_string_value('ims_endpoint_jwt', '/ims/exchange/jwt')
         server_builder.set_int_value('timeout', 120)
         server_builder.set_int_value('retries', 3)
+        server_builder.set_bool_value('ssl_verify', True)
         options['server'] = server_options = server_builder.get_options()
 
         enterprise_config = caller_config.get_dict_config('enterprise')
@@ -98,6 +99,7 @@ def __init__(self, name, caller_options):
                 logger=self.logger,
                 timeout_seconds=float(server_options['timeout']),
                 retry_max_attempts=server_options['retries'] + 1,
+                ssl_verify=server_options['ssl_verify']
             )
         except Exception as e:
             raise AssertionException("Connection to org %s at endpoint %s failed: %s" % (org_id, um_endpoint, e))