One policy we have sends an email through an internal SMTP service using STARTTLS.
In Gateway version 9.2 this works with the following settings:
- adding the SMTP server cert to the certificates trust store (outgoing SSL, cert is trust anchor)
- having the system.properties file updated to have com.l7tech.server.policy.emailalert.useDefaultSsl=True
- having cluster property email.useDefaultSsl=true
However, on building a new Gateway v10 server and applying the exact same 3 steps above to it, I cannot get the email assertion to work.
The error on v10 suggests it is not trusting the certificate:
2020-04-29T14:34:38.345+0100 FINE 357 STDOUT: tomcat-exec-executor-134, handling exception: javax.net.ssl.SSLHandshakeException: sun.security.validator.ValidatorException: PKIX path building failed: sun.security.provider.certpath.SunCertPathBuilderException: unable to find valid certification path to requested target
Release : 10.0
Component : API GATEWAY
In Gateway 10, if you set the cwp email.useDefaultSsl=true, the "Send Email" assertion uses the default SSL implementation and checks certificates against the JRE default cacerts keystore.
If the SMTP server is using a private certificate, that certificate needs to be loaded into the JRE default cacerts keystore.
On an appliance gateway this file is at /opt/SecureSpan/JDK/jre/lib/security/cacerts
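
One way to load the certificate, as an added example that is not taken from the original article or from vendor documentation. It checks whether the certificate is already in the keystore, backs the keystore up, and imports it with keytool. The alias, the PEM file path and the stock keystore password "changeit" are assumptions.

```shell
#!/bin/sh
# Added example (not vendor code): trust a private SMTP certificate in the JRE cacerts.
# CACERTS defaults to the appliance path given in the article.
CACERTS="${CACERTS:-/opt/SecureSpan/JDK/jre/lib/security/cacerts}"
# Assumption: the keystore still has the stock JDK password.
STOREPASS="${STOREPASS:-changeit}"

# SHA-256 fingerprint of a PEM certificate, for comparison with the value
# obtained out of band from whoever runs the SMTP server.
cert_fingerprint() {
    openssl x509 -in "$1" -noout -fingerprint -sha256 2>/dev/null | cut -d= -f2
}

# Returns 0 if the exact certificate in $1 is already an entry in the keystore.
cert_is_trusted() {
    _fp=$(cert_fingerprint "$1")
    [ -n "$_fp" ] || return 2          # unparseable file: never report "trusted"
    keytool -list -v -keystore "$CACERTS" -storepass "$STOREPASS" 2>/dev/null |
        grep -qiF "$_fp"
}

# Import certificate $1 under alias $2 (hypothetical alias chosen by the operator).
import_smtp_cert() {
    # keytool would silently create a new keystore at a mistyped path, so refuse.
    [ -f "$CACERTS" ] || { echo "no keystore at $CACERTS" >&2; return 1; }
    openssl x509 -in "$1" -noout 2>/dev/null ||
        { echo "$1 is not a PEM certificate" >&2; return 1; }
    if cert_is_trusted "$1"; then
        echo "already trusted: $(cert_fingerprint "$1")"
        return 0
    fi
    # Keep a timestamped copy so the change can be rolled back.
    cp -p "$CACERTS" "$CACERTS.bak.$(date +%Y%m%d%H%M%S)" || return 1
    keytool -importcert -noprompt -trustcacerts -alias "$2" -file "$1" \
        -keystore "$CACERTS" -storepass "$STOREPASS"
}

# Usage: import_smtp_cert /path/to/smtp-cert.pem smtp-internal
```

Compare the output of cert_fingerprint with the fingerprint supplied by the SMTP server's owner before importing, since every default-SSL connection from that JRE will trust the new entry.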