Unable to send SMTP email with GW v10 and GW 9.4 cr3+ using STARTTLS

Article ID: 195075

Products

- CA API Gateway
- API SECURITY
- CA API Gateway Precision API Monitoring Module for API Gateway (Layer 7)
- CA API Gateway Enterprise Service Manager (Layer 7)
- STARTER PACK-7
- CA Microgateway

Issue/Introduction

One policy we have sends an email through an internal SMTP service using STARTTLS.

In Gateway version 9.2 this works with the following settings:
- adding the SMTP server certificate to the certificate trust store (outgoing SSL, certificate is a trust anchor)
- updating the system.properties file to contain com.l7tech.server.policy.emailalert.useDefaultSsl=True
- setting the cluster property email.useDefaultSsl=true

However, after building a new Gateway v10 server and applying exactly the same three steps, I cannot get the email assertion to work.

The error on GW v10 suggests it is not trusting the certificate:

2020-10-26T08:45:30.407+0100 WARNING 36564 com.l7tech.external.assertions.email.server.ServerEmailAssertion: 4: Unable to send email: Could not connect to SMTP host: lvntest005812, port: 587.  Exception caught! 

2020-04-29T14:34:38.345+0100 FINE    357 STDOUT: tomcat-exec-executor-134, handling exception: javax.net.ssl.SSLHandshakeException: sun.security.validator.ValidatorException: PKIX path building failed: sun.security.provider.certpath.SunCertPathBuilderException: unable to find valid certification path to requested target

On GW 9.4 there is an error "Could not convert socket to TLS":

2020-10-26T16:43:02.417+0100 WARNING 12275 com.l7tech.external.assertions.email.server.ServerEmailAssertion: 4: Unable to send email: Could not connect to SMTP host: lvntest005812, port: 587. Exception caught!

Environment

Release : 10.0

Release : 9.4 CR3 and above

Component : API GATEWAY

Resolution

In Gateway version 10 or 9.4, when the cluster-wide property email.useDefaultSsl=true is set and the Send Email assertion uses the "SMTP with STARTTLS" protocol:

STARTTLS validates the SMTP server's certificate against the JRE's default cacerts keystore when it upgrades the connection to TLS.

If you use "SMTP over SSL" instead, the gateway's own certificate trust store is used (Policy Manager, Tasks, Manage Certificates).

So when the SMTP server presents a private (internally issued) certificate and STARTTLS is the protocol, that certificate must be imported into the JRE cacerts keystore; adding it to the gateway trust store alone is not enough.

On the appliance gateway this keystore file is /opt/SecureSpan/JDK/jre/lib/security/cacerts and the default password is "changeit".

List all certificates in the cacerts keystore:

/opt/SecureSpan/JDK/jre/bin/keytool -list -keystore /opt/SecureSpan/JDK/jre/lib/security/cacerts

Add a new certificate to the cacerts keystore:

/opt/SecureSpan/JDK/jre/bin/keytool -importcert -file mymailservercertfile.pem -keystore /opt/SecureSpan/JDK/jre/lib/security/cacerts -alias "mymailserverfqdn" -storepass changeit

After updating the cacerts file, the ssg service needs to be restarted:

service ssg stop

service ssg start
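The procedure above, scripted as an added example (not part of the original article or the product): it fetches the certificate the SMTP server presents after STARTTLS, imports it into the JRE cacerts keystore only if the alias is not already there, verifies the stored fingerprint matches what the server sent, and restarts ssg. It assumes the appliance paths and the default "changeit" store password from the article; SMTP_HOST is a placeholder, and importing the issuing CA certificate instead of the leaf (assumed practice, not stated by the article) avoids re-importing on every server certificate renewal.

```shell
#!/bin/sh
# Added example; assumes appliance JDK paths and default store password.
JDK=/opt/SecureSpan/JDK/jre
CACERTS="$JDK/lib/security/cacerts"
STOREPASS="${STOREPASS:-changeit}"
SMTP_HOST="${SMTP_HOST:-mail.example.internal}"   # placeholder FQDN
SMTP_PORT="${SMTP_PORT:-587}"

# Keystore alias for the server: its FQDN, lowercased.
cacerts_alias() {
  printf '%s' "$1" | tr 'A-Z' 'a-z'
}

# Fetch the leaf certificate presented after STARTTLS and save it as PEM.
fetch_starttls_cert() {
  openssl s_client -starttls smtp -connect "$1:$2" -servername "$1" \
    </dev/null 2>/dev/null | openssl x509 -outform PEM > "$3"
  [ -s "$3" ]
}

# 0 if the alias already exists in cacerts, non-zero otherwise.
cert_in_cacerts() {
  "$JDK/bin/keytool" -list -keystore "$CACERTS" -storepass "$STOREPASS" \
    -alias "$1" >/dev/null 2>&1
}

# Import without the interactive "Trust this certificate?" prompt.
import_cert() {
  "$JDK/bin/keytool" -importcert -noprompt -file "$2" -keystore "$CACERTS" \
    -storepass "$STOREPASS" -alias "$1"
}

# Compare the SHA-256 fingerprint of the PEM with the entry stored in cacerts.
fingerprint_matches() {
  pem_fp=$(openssl x509 -in "$2" -noout -fingerprint -sha256 | cut -d= -f2)
  ks_fp=$("$JDK/bin/keytool" -list -v -keystore "$CACERTS" -storepass "$STOREPASS" \
    -alias "$1" | sed -n 's/.*SHA256: //p')
  [ -n "$pem_fp" ] && [ "$pem_fp" = "$ks_fp" ]
}

main() {
  ks_alias=$(cacerts_alias "$SMTP_HOST"); tmp=$(mktemp)
  fetch_starttls_cert "$SMTP_HOST" "$SMTP_PORT" "$tmp" || { echo "fetch failed" >&2; exit 1; }
  cert_in_cacerts "$ks_alias" || import_cert "$ks_alias" "$tmp"
  fingerprint_matches "$ks_alias" "$tmp" || { echo "fingerprint mismatch" >&2; exit 1; }
  rm -f "$tmp"
  service ssg stop && service ssg start   # restart required after editing cacerts
}

# Only act on the live system when explicitly requested.
if [ "${SSG_APPLY:-0}" = "1" ]; then main; fi
```

Run with SSG_APPLY=1 SMTP_HOST=<your smtp fqdn> on the gateway as root; a fingerprint mismatch means an older certificate is stored under that alias and should be deleted with keytool -delete before re-importing.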