
Unable to send SMTP email with GW v10 and GW 9.4 cr3+ using STARTTLS


Article ID: 195075




CA API Gateway, API SECURITY, CA API Gateway Precision API Monitoring Module for API Gateway (Layer 7), CA API Gateway Enterprise Service Manager (Layer 7), STARTER PACK-7, CA Microgateway


One policy we have is sending an email via an internal SMTP service via startTLS.

In version Gateway 9.2 this is working by setting:
- adding the smtp server cert to the certificates trust store (outgoing ssl, cert is trust anchor)
- having the file updated to have com.l7tech.server.policy.emailalert.useDefaultSsl=True
- having cluster property email.useDefaultSsl=true

However, on building a new gateway v10 server, adding the exact same 3 steps above to it, I cannot get the email assertion to work.

The error on GW v10 suggests it is not trusting the certificate:

2020-10-26T08:45:30.407+0100 WARNING 36564 4: Unable to send email: Could not connect to SMTP host: lvntest005812, port: 587.  Exception caught! 

2020-04-29T14:34:38.345+0100 FINE    357 STDOUT: tomcat-exec-executor-134, handling exception: PKIX path building failed: unable to find valid certification path to requested target

On GW 9.4 there is an error "Could not convert socket to TLS":

2020-10-26T16:43:02.417+0100 WARNING 12275 4: Unable to send email: Could not connect to SMTP host: lvntest005812, port: 587. Exception caught!


Release : 10.0

Release : 9.4 CR3 and above

Component : API GATEWAY


In Gateway version 10 or 9.4, when you set the cluster-wide property email.useDefaultSsl=true and use the protocol "SMTP with STARTTLS" in the "Send Email" assertion:

STARTTLS checks the server certificate against the JRE's default cacerts keystore when starting the TLS connection.

If you use "SMTP over SSL", the Gateway's default certificate store is used instead (Policy Manager, Tasks, Manage Certificates).

When the SMTP server uses a private certificate, that certificate needs to be loaded into the JRE's default cacerts keystore when you use STARTTLS as the protocol.

On an appliance Gateway this keystore file is /opt/SecureSpan/JDK/jre/lib/security/cacerts and the default password is "changeit".

List all certs in the cacerts keystore:

/opt/SecureSpan/JDK/jre/bin/keytool -list -keystore /opt/SecureSpan/JDK/jre/lib/security/cacerts

Add a new cert to the cacerts keystore:

/opt/SecureSpan/JDK/jre/bin/keytool -importcert -file mymailservercertfile.pem -keystore /opt/SecureSpan/JDK/jre/lib/security/cacerts -alias "mymailserverfqdn" -storepass changeit

After updating the cacerts file, the ssg service needs to be restarted.

service ssg stop

service ssg start
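
A check for the steps above, as an added example that is not part of the original article: it compares the certificate the SMTP server presents over STARTTLS with the fingerprint stored under the imported alias in cacerts. It assumes openssl is available on the Gateway host and that the server's own (leaf) certificate was imported, not its issuing CA; the function names and the sample listing are constructed for illustration.

```shell
#!/bin/sh
# Added example (not from the article): does the alias imported into cacerts
# hold the same certificate the SMTP server presents over STARTTLS?
KEYTOOL=/opt/SecureSpan/JDK/jre/bin/keytool
CACERTS=/opt/SecureSpan/JDK/jre/lib/security/cacerts

# Reduce a fingerprint line (openssl or keytool format) to bare uppercase hex.
norm_fp() {
    printf '%s\n' "$1" |
        sed -e 's/^.*Fingerprint=//' -e 's/^.*): *//' -e 's/://g' | tr 'abcdef' 'ABCDEF'
}

# Read "keytool -list" output on stdin; print the fingerprint line of one alias.
fp_for_alias() {
    awk -v a="$1" 'BEGIN { a = tolower(a) ", " }
        index(tolower($0), a) == 1 { hit = 1; next }
        hit && /Certificate fingerprint/ { print; exit }
        { hit = 0 }'
}

# openssl digest option matching what keytool printed (SHA1 or SHA-256).
digest_opt() {
    case "$1" in *SHA-256*) printf '%s\n' -sha256 ;; *) printf '%s\n' -sha1 ;; esac
}

# Succeeds only if both fingerprint lines describe the same certificate.
same_cert() {
    [ -n "$1" ] && [ -n "$2" ] && [ "$(norm_fp "$1")" = "$(norm_fp "$2")" ]
}

# Live check: check_trust <smtp-host> <port> <alias>
check_trust() {
    ks=$("$KEYTOOL" -list -keystore "$CACERTS" -storepass changeit | fp_for_alias "$3")
    [ -n "$ks" ] || { echo "alias $3 not found in $CACERTS"; return 2; }
    srv=$(openssl s_client -starttls smtp -connect "$1:$2" </dev/null 2>/dev/null |
        openssl x509 -noout -fingerprint "$(digest_opt "$ks")")
    if same_cert "$srv" "$ks"; then echo "match: alias $3 is the certificate $1 presents"
    else echo "MISMATCH: $1 presents a different certificate than alias $3"; return 1; fi
}

# Constructed sample of "keytool -list" output (aliases and fingerprints are made up).
SAMPLE_LIST='Your keystore contains 2 entries

someotherca, Aug 25, 2016, trustedCertEntry,
Certificate fingerprint (SHA1): 11:22:33:44:55:66:77:88:99:AA:BB:CC:DD:EE:FF:00:11:22:33:44
mymailserverfqdn, Oct 26, 2020, trustedCertEntry,
Certificate fingerprint (SHA1): 0F:1E:2D:3C:4B:5A:69:78:87:96:A5:B4:C3:D2:E1:F0:01:23:45:67'
if [ "$#" -eq 3 ]; then check_trust "$@"; fi
```

With three arguments (host, port, alias) the script performs the live check. Before importing a certificate fetched over the network, compare its fingerprint with one obtained from the mail server's administrator.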