One policy we have is sending an email via an internal SMTP service via startTLS.
In version Gateway 9.2 this is working by setting:
- adding the smtp server cert to the certificates trust store (outgoing ssl, cert is trust anchor)
- having the system.properties file updated to have com.l7tech.server.policy.emailalert.useDefaultSsl=True
- having cluster property email.useDefaultSsl=true
However, on building a new gateway v10 server, adding the exact same 3 steps above to it, I cannot get the email assertion to work.
The error on GW v10 suggest it is not trusting the certificate:
2020-04-29T14:34:38.345+0100 FINE 357 STDOUT: tomcat-exec-executor-134, handling exception: javax.net.ssl.SSLHandshakeException: sun.security.validator.ValidatorException: PKIX path building failed: sun.security.provider.certpath.SunCertPathBuilderException: unable to find valid certification path to requested target
Release : 10.0
Release : 9.4 CR3 and above
Component : API GATEWAY
In gateway version 10 or 9.4 , when you set cwp email.useDefaultSsl=true and you are using the protocol " SMTP with STARTTLS in the "send email assertion:
The STARTTLS is using the cacerts default keystore as place to check the certificates for starting the TLS connection .
If you use "SMTP over SSL " it is using the gateway's default certificate store in Policy manager ,tasks ,manage certificates
When the smtp server is using a private certificate it needed be loaded in the JRE cacerts default keystore when you use STARTTLS as protocol .
On appliance gateway this keystore file is in /opt/SecureSpan/JDK/jre/lib/security/cacerts the default pw is "changeit"
List all certs in cacerts keystore :
/opt/SecureSpan/JDK/jre/bin/keytool -list -keystore /opt/SecureSpan/JDK/jre/lib/security/cacerts
Adding a new cert to the cacerts keystore :
/opt/SecureSpan/JDK/jre/bin/keytool -importcert -file mymailservercertfile.pem -keystore /opt/SecureSpan/JDK/jre/lib/security/cacerts -alias "mymailserverfqdn" -storepass changeit
After updating the cacerts file the ssg service needs to be restarted .
service ssg stop
service ssg start