ALERT: Some images may not load properly within the Knowledge Base Article. If you see a broken image, please right-click and select 'Open image in a new tab'. We apologize for this inconvenience.

After WSS Agent is deployed to developer computers some certificate related error may appear in applications like github or eclipse

book

Article ID: 199464

calendar_today

Updated On:

Products

Web Security Service - WSS

Issue/Introduction

After the WSS Agent is deployed to computers, their users in Development team or in other team with custom applications or Linux applications ported to Windows, may encounter errors like this:

PS C:\...\cobol-lsp-vscode-extension> npm ci

> node ./node_modules/vscode/bin/install

Detected VS Code engine version: ^1.30.0
Error installing vscode.d.ts: Error: unable to get local issuer certificate

 

Cause

Those error are caused by the TLS interception that is taking place in WSS to ensure the traffic is protected and validated per corporate policies.

The WSS Agent installed the "Cloud Services Root CA" in the Windows certificate store however some applications do not use this store directly, and as such they will not trust the TLS intercepted responses back.

Environment

WSS Agent with SSL Interception policies turned on and 3rd party applications not using schannel and the Windows certificate store.

Resolution

The resolution will depend on the application itself, but generally speaking it will revolve around adding a version of the "Cloud Services Root CA" certificate (in der, cer or crt format) into a local CA Store (in the case of Eclipse you need to add the CA root to a Java CA store [1][2]) or switching the TLS communication mode from using OpenSSL libraries to using schannel (as is the case for git applications) [3].

[1] https://www.ibm.com/support/knowledgecenter/SSEQVQ_8.1.0/tshoot/t_add_selfsigned_cert_to_keystore.html

[2] https://stackoverflow.com/questions/21076179/pkix-path-building-failed-and-unable-to-find-valid-certification-path-to-requ

[3] https://git-scm.com/docs/git-config