Issue
You're experiencing one or more of the following symptoms:
- The ContrastAgent Explorer and/or .NET agent logs report errors when connecting to the Contrast UI:
  Exception communicating with Contrast. Error: Error communicating with Contrast for request URL:'/Contrast/api/ng/servers/'
- Data from a server with the installed agent doesn't appear in the Contrast interface.
Cause
There can be several causes for this error but the end result is that the agent is unable to successfully communicate with the Contrast UI and is therefore unable to continue.
If the error states one of the following:
System.Security.Authentication.AuthenticationException: The remote certificate is invalid according to the validation procedure.
System.Security.Authentication.AuthenticationException: The remote certificate is invalid because of errors in the certificate chain: PartialChain
System.Security.Authentication.AuthenticationException: The remote certificate is invalid because of errors in the certificate chain: UntrustedRoot
then there is some issue with the certificate that the agent is receiving from the Contrast UI. See Certificate Issues below.
Configuration Issue
If the error states one of the following:
System.Net.WebException: The remote name could not be resolved
System.Net.Sockets.SocketException (11001): No such host is known.
Response: AuthenticationError (Unauthorized)
then there is likely a credential error in the agent's configuration file. See Configuration Issues below.
Firewall Issue
An error such as one of the following would suggest a possible firewall or proxy issue, resulting in the agent being unable to reach the network:
System.Net.Sockets.SocketException: No connection could be made because the target machine actively refused it
System.Net.Sockets.SocketException (10013): An attempt was made to access a socket in a way forbidden by its access permissions
System.Net.Http.HttpRequestException: Connection refused
or simply:
Response: Failure (Unused)
Low Level Network Issue
The following error transitioning app domains may be experienced if your application targets a .NET Framework version prior to 4.7:
System.Exception: HttpRequestException cannot transition between app domains. Exception data was truncated at the boundary.
In the .NET Agent Sensor logs, search for TargetFramework: to confirm the version of the .NET Framework being targeted.
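The error signatures listed above can be turned into a small triage function. This is an added example, not part of the original article or the Contrast agent; the function name and the timestamped layout of the sample log lines are constructed.

```powershell
# Added example: classify agent log lines by the error text quoted in the
# Cause section. Rules are checked in order and the first match wins.
$ContrastErrorRules = @(
    @{ Cause   = 'Certificate Issue'
       Pattern = 'AuthenticationException: The remote certificate is invalid' }
    @{ Cause   = 'Configuration Issue'
       Pattern = 'remote name could not be resolved|No such host is known|AuthenticationError \(Unauthorized\)' }
    @{ Cause   = 'Firewall Issue'
       Pattern = 'actively refused it|forbidden by its access permissions|Connection refused|Failure \(Unused\)' }
    @{ Cause   = 'Low Level Network Issue'
       Pattern = 'cannot transition between app domains' }
)

function Get-ContrastConnectionCause {
    param([Parameter(ValueFromPipeline)][string]$Line)
    process {
        foreach ($rule in $ContrastErrorRules) {
            if ($Line -notmatch $rule.Pattern) { continue }
            # Keep the chain status flag or socket error code when the message has one.
            $detail = if ($Line -match '(?:certificate chain: |SocketException \()(\w+)') { $Matches[1] }
            [pscustomobject]@{ Cause = $rule.Cause; Detail = $detail; Line = $Line }
            break
        }
    }
}

# Constructed sample lines (the timestamp/level prefix is an assumption).
$sampleLog = @(
    '2024-01-01 10:00:00 ERROR System.Security.Authentication.AuthenticationException: The remote certificate is invalid because of errors in the certificate chain: UntrustedRoot'
    '2024-01-01 10:00:05 ERROR System.Net.Sockets.SocketException (11001): No such host is known.'
    '2024-01-01 10:00:09 ERROR System.Net.Sockets.SocketException (10013): An attempt was made to access a socket in a way forbidden by its access permissions'
    '2024-01-01 10:00:12 ERROR Response: Failure (Unused)'
    '2024-01-01 10:00:15 ERROR System.Exception: HttpRequestException cannot transition between app domains. Exception data was truncated at the boundary.'
    '2024-01-01 10:00:20 INFO Agent started'
)

$sampleLog | Get-ContrastConnectionCause | Format-Table Cause, Detail -AutoSize
```

To run it over a real log, pipe the file in with Get-Content; lines that match no rule produce no output.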
Resolution
Certificate Issues
contrast.cer:
# Force TLS 1.2 for the request
[Net.ServicePointManager]::SecurityProtocol = [Net.SecurityProtocolType]::Tls12
$webRequest = [Net.WebRequest]::Create("https://app.contrastsecurity.com")
# Errors are ignored here; only the certificate the server presented is needed
try { $webRequest.GetResponse() } catch {}
$cert = $webRequest.ServicePoint.Certificate
# Export the certificate as DER bytes
$bytes = $cert.Export([Security.Cryptography.X509Certificates.X509ContentType]::Cert)
# -Encoding Byte is Windows PowerShell syntax for writing raw bytes
Set-Content -Value $bytes -Encoding Byte -Path "$pwd\contrast.cer"
deep-connect option in the .NET agent diagnostics utility to view the certificate.
Option One - Obtain an exception
Contact the administrators of the proxy or VPN to see if a bypass can be added for this application server.
Option Two - Trust the certificate
If you have verified that the certificate is valid in your organization, you can trust the certificate permanently.
On Windows, double-click the certificate to open it and select "Install Certificate...". Follow the wizard prompts to install the certificate to the Trusted Root Certification Authorities certificate store for the Local Machine.
On Linux, the certificate must be in PEM format with the extension .crt - you can acquire that using openssl as follows:
openssl s_client -showcerts -connect {Contrast UI hostname}:{port} </dev/null 2>/dev/null | openssl x509 -outform PEM > contrast.crt
And then import it into the system's trust store. If the ca-certificates package is installed on the system, run the following commands as root:
cp contrast.crt /usr/local/share/ca-certificates/
update-ca-certificates
Or (depending on the distribution):
cp contrast.crt /usr/share/pki/ca-trust-source/anchors/
update-ca-trust
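Before trusting an exported certificate as in Option Two, its issuer, thumbprint and chain status can be compared with what your organization expects. This added example (not from the original article or Contrast's tooling) reports them using .NET's X509Chain. The function name and the self-signed sample certificate are constructed, and CertificateRequest assumes .NET Framework 4.7.2 or later, or .NET Core.

```powershell
# Added example: report who issued a certificate and how its chain validates
# on this machine, without installing it anywhere.
function Get-CertificateChainReport {
    param(
        [Parameter(Mandatory)]
        [Security.Cryptography.X509Certificates.X509Certificate2]$Certificate
    )
    $chain = [Security.Cryptography.X509Certificates.X509Chain]::new()
    # Revocation lookups need network access; skip them so the check runs offline.
    $chain.ChainPolicy.RevocationMode = 'NoCheck'
    $trusted = $chain.Build($Certificate)
    [pscustomobject]@{
        Subject       = $Certificate.Subject
        Issuer        = $Certificate.Issuer
        Thumbprint    = $Certificate.Thumbprint   # SHA-1 of the DER encoding
        NotAfter      = $Certificate.NotAfter
        Trusted       = $trusted
        # X509ChainStatusFlags names, as they appear in the agent's error text
        ChainStatus   = @($chain.ChainStatus | ForEach-Object { $_.Status.ToString() })
        ChainSubjects = @($chain.ChainElements | ForEach-Object { $_.Certificate.Subject })
    }
}

# Constructed sample: a self-signed certificate standing in for contrast.cer.
$rsa = [Security.Cryptography.RSA]::Create(2048)
$request = [Security.Cryptography.X509Certificates.CertificateRequest]::new(
    'CN=constructed-sample.example', $rsa,
    [Security.Cryptography.HashAlgorithmName]::SHA256,
    [Security.Cryptography.RSASignaturePadding]::Pkcs1)
$now = [DateTimeOffset]::UtcNow
$sample = $request.CreateSelfSigned($now.AddDays(-1), $now.AddDays(30))

Get-CertificateChainReport -Certificate $sample | Format-List

# To check the exported file instead:
# $file = [Security.Cryptography.X509Certificates.X509Certificate2]::new("$pwd\contrast.cer")
# Get-CertificateChainReport -Certificate $file
```

A chain that ends in a root outside the machine's trust store is reported as UntrustedRoot, and one with a missing intermediate as PartialChain, which are the two chain errors quoted in the Cause section.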
Option Three - Ignore certificate exceptions
Certificate errors can be ignored by adding the following to the contrast_security.yaml file on the server:
api:
  certificate:
    ignore_cert_errors: true
Configuration Issues
For other issues, open the .NET agent's configuration file, contrast_security.yaml, which is located in the agent's working directory (i.e., %ProgramData%\Contrast\dotnet\). Then:
- Verify that the url value is correct. It should look similar to the following, although it will vary if you have an on-premise Contrast UI install:
  api:
    url: https://app.contrastsecurity.com/Contrast
  Check the URL can be reached from a normal web browser on the server. If it can't be reached, you should review the network path and related settings between the server and the Contrast application.
- Verify proxy settings. If a web browser can connect to Contrast but the agent can't, the agent might be missing the proxy settings required by your network environment. You can configure a proxy using the following settings:
  api:
    proxy:
      enable: true
      url: <proxy url with port and scheme>
      user: <proxy user if required>
      pass: <proxy password if required>
      auth_type: <proxy auth type if required>
- Verify that the values of service_key and api_key are correct. If the above settings are correct, the API key used by your organization might have changed. Follow these directions to view your current API Key.
Error Transitioning app domains
api:
  tls_versions: tls12
agent:
  dotnet:
    enable_http_client_app_domain_isolation: false
More detail on the .NET agent's configuration properties can be found here. All properties can also be set as environment variables - this is especially useful if it's not possible to store the proxy password in a configuration file.