After the WSS Agent is deployed to computers, their users in Development team or in other team with custom applications or Linux applications ported to Windows, may encounter errors like this:

PS C:\...\cobol-lsp-vscode-extension> npm ci

> node ./node_modules/vscode/bin/install

Detected VS Code engine version: ^1.30.0
Error installing vscode.d.ts: Error: unable to get local issuer certificate

Those error are caused by the TLS interception that is taking place in WSS to ensure the traffic is protected and validated per corporate policies.

The WSS Agent installed the "Cloud Services Root CA" in the Windows certificate store however some applications do not use this store directly, and as such they will not trust the TLS intercepted responses back.

WSS Agent with SSL Interception policies turned on and 3rd party applications not using schannel and the Windows certificate store.

The resolution will depend on the application itself, but generally speaking it will revolve around adding a version of the "Cloud Services Root CA" certificate (in der, cer or crt format) into a local CA Store (in the case of Eclipse you need to add the CA root to a Java CA store [1][2]) or switching the TLS communication mode from using OpenSSL libraries to using schannel (as is the case for git applications) [3].

[1] https://www.ibm.com/support/knowledgecenter/SSEQVQ_8.1.0/tshoot/t_add_selfsigned_cert_to_keystore.html

[2] https://stackoverflow.com/questions/21076179/pkix-path-building-failed-and-unable-to-find-valid-certification-path-to-requ

[3] https://git-scm.com/docs/git-config