JWP: Secure LDAP with IBM Java throws exception.


Article ID: 196772

Products

CA Automic Workload Automation - Automation Engine

Issue/Introduction

The secure LDAP connection does not work when the JWP is started with IBM Java. The following exception is thrown:

U00045015 The previous error was caused by 'javax.net.ssl.SSLHandshakeException: "com.ibm.jsse2.util.h: PKIX path building failed: java.security.cert.CertPathBuilderException: PKIXCertPathBuilderImpl could not build a valid CertPath.; internal cause is: 

java.security.cert.CertPathValidatorException: The certificate issued by CN=Company DC=domain, DC=domain, DC=domain is not trusted; internal cause is: 
java.security.cert.CertPathValidatorException: Certificate chaining error"' at 'com.ibm.jsse2.k.a():15'.

Cause

Configuration.

Environment

Release : 12.3

Component : AUTOMATION ENGINE

Resolution

Certificate chaining errors in an HTTPRequest node

Troubleshooting

Problem

You are unable to connect to a backend webservice using an HTTPRequest node in IBM Integration Bus (IIB) or WebSphere Message Broker (WMB).

Symptom

These errors occur together:

javax.net.ssl.SSLHandshakeException: com.ibm.jsse2.util.h: PKIX path building failed:

java.security.cert.CertPathBuilderException: PKIXCertPathBuilderImpl could not build a valid CertPath.;

internal cause is: java.security.cert.CertPathValidatorException:
The certificate issued by OU=Class 3 Public Primary Certification Authority, O="VeriSign, Inc.", C=US is not trusted;

internal cause is: java.security.cert.CertPathValidatorException:
Certificate chaining error

Cause

A 'certificate chaining error' occurs when the chain of certificates presented by the peer cannot be validated.

The reason for the chaining error is given in the preceding message; here, one of the certificates is "not trusted".

A received certificate is "not trusted" when the Integration Server's truststore lacks a 'signer certificate' for the issuer of the received certificate.

Diagnosing The Problem

'SSLHandshakeException' is a generic error indicating a problem with an SSL handshake.
Look at the 'internal cause' messages to confirm that you are receiving a CertPathValidatorException.
Then confirm that the cause text matches the one shown above.

Resolving The Problem

Verify that your truststore contains the proper 'signer certificate' for the certificate chain provided by the backend webservice.

If the proper signer certificate(s) exist in the truststore, then the handshake should complete. If not, you should confirm that all required certificates are present in the keystore of the webservice that WMB/IIB is communicating with. You may need to recreate the keystore with 'keytool' using the "genkey" option and re-import your application certificates if you are missing any components of the certificate chain.


Additional information regarding chains of trust and the WMB/IIB truststore:
In order to verify the digital signature on a particular certificate "A", the public key of certificate A's issuing Certification Authority (CA) must be present.

This public key will be issued on a signed certificate "B", which must be verified with the public key of certificate B's CA.

This public key will be issued on a signed certificate "C", and so on.

This "chain" of certificates continues until one of the CAs has a certificate whose digital signature is signed by itself. This is considered a "root" CA.

The default truststore in WMB/IIB is a file called 'cacerts'. It contains several root CA signer certificates.
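The check described under Resolving The Problem, together with the chain-of-trust walk just explained, can be automated. The following Java program is an added example, not code from the article, from Broadcom or from IBM: it records the certificate chain an LDAPS server presents, runs the same PKIX trust check JSSE performs during the handshake against a given truststore (so the outcome mirrors the U00045015 message), and then reports, link by link, whether the issuer's signer certificate is in the truststore, is another certificate in the presented chain, or is missing. The host, port, truststore path and password are command-line arguments and placeholders; the class name and helper names are the example's own.

```java
import java.io.FileInputStream;
import java.security.KeyStore;
import java.security.cert.Certificate;
import java.security.cert.CertificateException;
import java.security.cert.X509Certificate;
import java.util.Collections;
import javax.net.ssl.SSLContext;
import javax.net.ssl.SSLSocket;
import javax.net.ssl.TrustManager;
import javax.net.ssl.TrustManagerFactory;
import javax.net.ssl.X509TrustManager;
import javax.security.auth.x500.X500Principal;

/**
 * Diagnostic example (not part of the JWP or the Automation Engine).
 * Usage: java ChainCheck <ldap-host> <port> <path-to-cacerts> [truststore-password]
 * Run it with the same JVM that starts the JWP so the provider and default
 * keystore type match; the path and password are placeholders.
 */
public class ChainCheck {

    /** Records the chain the server presents. Used only to capture it for this diagnostic connection. */
    static final class RecordingTrustManager implements X509TrustManager {
        X509Certificate[] presented = new X509Certificate[0];
        @Override public void checkClientTrusted(X509Certificate[] chain, String authType) { }
        @Override public void checkServerTrusted(X509Certificate[] chain, String authType) { presented = chain; }
        @Override public X509Certificate[] getAcceptedIssuers() { return new X509Certificate[0]; }
    }

    /** Performs a TLS handshake (LDAPS is TLS from the first byte) and returns the server's chain. */
    static X509Certificate[] fetchServerChain(String host, int port) throws Exception {
        RecordingTrustManager recorder = new RecordingTrustManager();
        SSLContext ctx = SSLContext.getInstance("TLS");
        ctx.init(null, new TrustManager[] { recorder }, null);
        try (SSLSocket socket = (SSLSocket) ctx.getSocketFactory().createSocket(host, port)) {
            socket.startHandshake();
        }
        return recorder.presented;
    }

    /** Alias of the truststore entry whose subject is the issuer and whose key verifies the signature, or null. */
    static String findSigner(X509Certificate cert, KeyStore truststore) throws Exception {
        X500Principal issuer = cert.getIssuerX500Principal();
        for (String alias : Collections.list(truststore.aliases())) {
            Certificate candidate = truststore.getCertificate(alias);
            if (!(candidate instanceof X509Certificate)) continue;
            X509Certificate signer = (X509Certificate) candidate;
            if (!signer.getSubjectX500Principal().equals(issuer)) continue;
            try {
                cert.verify(signer.getPublicKey());   // subject matched; confirm this key really signed it
                return alias;
            } catch (Exception notThisKey) {
                // same DN but a different key (e.g. a renewed CA certificate); keep looking
            }
        }
        return null;
    }

    /** True when another certificate in the presented chain (an intermediate CA) signed this one. */
    static boolean issuedWithinChain(X509Certificate cert, X509Certificate[] chain) {
        for (X509Certificate other : chain) {
            if (other == cert || !other.getSubjectX500Principal().equals(cert.getIssuerX500Principal())) continue;
            try { cert.verify(other.getPublicKey()); return true; } catch (Exception e) { /* not the signer */ }
        }
        return false;
    }

    public static void main(String[] args) throws Exception {
        String host = args[0];
        int port = Integer.parseInt(args[1]);                  // 636 for LDAPS
        String trustStorePath = args[2];                       // placeholder: the JVM's cacerts file
        char[] password = (args.length > 3 ? args[3] : "changeit").toCharArray();

        X509Certificate[] chain = fetchServerChain(host, port);
        System.out.println("Server presented " + chain.length + " certificate(s)");

        // Default type so a JKS or PKCS12 cacerts loads the same way the JVM itself loads it.
        KeyStore truststore = KeyStore.getInstance(KeyStore.getDefaultType());
        try (FileInputStream in = new FileInputStream(trustStorePath)) {
            truststore.load(in, password);
        }

        // The same PKIX check JSSE runs inside the handshake; a failure here is the "PKIX path building failed" case.
        TrustManagerFactory tmf = TrustManagerFactory.getInstance(TrustManagerFactory.getDefaultAlgorithm());
        tmf.init(truststore);
        X509TrustManager pkix = (X509TrustManager) tmf.getTrustManagers()[0];
        try {
            pkix.checkServerTrusted(chain, "RSA");
            System.out.println("PKIX validation against " + trustStorePath + ": OK");
        } catch (CertificateException e) {
            System.out.println("PKIX validation against " + trustStorePath + ": FAILED: " + e.getMessage());
        }

        // Walk the chain and say, per link, where the signer certificate was found.
        for (X509Certificate cert : chain) {
            String alias = findSigner(cert, truststore);
            String where = alias != null ? "signer in truststore (alias '" + alias + "')"
                    : issuedWithinChain(cert, chain) ? "signer is another certificate in the presented chain"
                    : "NO signer found: this issuer's certificate must be imported into the truststore";
            System.out.println("  " + cert.getSubjectX500Principal().getName());
            System.out.println("    issued by " + cert.getIssuerX500Principal().getName() + " -> " + where);
        }
    }
}
```

The link reported with "NO signer found" is the one the article's "not trusted" message refers to: its issuer's signer certificate is what has to be imported into the truststore the JWP's JVM uses. The RecordingTrustManager exists only so the diagnostic can see the chain before judging it; it performs no validation and must not be used for the JWP's own LDAP connection.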