Skip to Content

API endpoint communication issues when using Zscaler

Introduction

Some organizations use a restrictive firewall, such as that configured with Zscaler, to secure their backend endpoints.

This can create challenges when those endpoints attempt to access API Manager APIs secured with TLS. Since the backend systems may lack access to public Certificate Authorities (CAs), some organizations might import Jitterbit's certificate into their backend certificate store manually. This approach can lead to problems when Jitterbit renews its certificate.

Caution

Importing Jitterbit's certificate manually is not a practice recommended by Jitterbit. Consult your network team that manages Zscaler for their recommended best practices.

Accessing a CA through a Zscaler-managed network—especially when HTTPS access is restricted—requires close knowledge of your organization's security policies. You should take those policies into account when considering the options for accessing CAs in a restricted environment.

Understanding the Zscaler interception

Zscaler performs SSL/TLS interception for HTTPS traffic to inspect and secure traffic. This typically means:

  • Zscaler presents its own root certificate to clients instead of the original website's certificate.
  • The organization must install Zscaler's root certificate in the trusted certificate store of any device accessing HTTPS resources.

Options to access external CAs in a restricted environment

Install Zscaler's root certificate

Important

Installing Zscaler's root certificate is usually required for SSL inspection to function without breaking access.

  1. Obtain the Zscaler root certificate from your IT department or the Zscaler Admin Portal.

  2. Install it into the OS/browser or endpoint trust store:

    • Windows: Use certmgr.msc.
    • Linux: Add to /usr/local/share/ca-certificates/ and run update-ca-certificates.
    • macOS: Use Keychain Access.

Use a proxy-aware tool

If you need to fetch certificates or communicate with a CA server, use tools that support HTTP proxies (for example, curl, wget, openssl) and set them to route through Zscaler. Example using curl:

curl --proxy http://proxy.company.com:8080 https://ca.example.com

For OpenSSL, consider configuring proxy at the system level or tunnel through a tool like cntlm.

Request a policy exception (if needed)

If access to a particular CA or endpoint is blocked, you can request an exception:

  • Submit a request to your network security team or Zscaler administrator for a temporary or permanent exception.
  • Provide the hostname, purpose, and port (typically 443).

Access via PAC file rules

If your environment uses a Proxy Auto-Config (PAC) file, your requests might be routed differently based on domain:

  • Check PAC file rules (for example, http://proxy.company.com/proxy.pac) to see if the CA endpoint is explicitly blocked or routed incorrectly.
  • Work with IT to modify the PAC file if needed.

Use an internal CA or mirror

Some organizations mirror external CA repositories internally. Check if your organization mirrors root/intermediate CAs inside the intranet. For example, internal NGINX or Apache hosts might serve root certificates via HTTP.

Troubleshooting tips

  • Use tools like openssl s_client -connect ca.example.com:443 to verify connectivity and certificate presentation.
  • Check browser or system logs for SSL errors.
  • Use packet capture (Wireshark or tcpdump) to confirm whether traffic is reaching the CA server or being blocked mid-path.