
After the WSS Agent is deployed to developer computers, certificate-related errors may appear in applications like GitHub or Eclipse


Article ID: 199464


Products

Web Security Service - WSS

Issue/Introduction

After the WSS Agent is deployed to computers, users in Development teams, or teams with custom applications or Linux applications ported to Windows, may encounter certificate errors as highlighted below:

PS C:\...\cobol-lsp-vscode-extension> npm ci

> node ./node_modules/vscode/bin/install

Detected VS Code engine version: ^1.30.0
Error installing vscode.d.ts: Error: unable to get local issuer certificate

 

Environment

WSS Agent with SSL interception policies turned on, and third-party applications that do not use Schannel and the Windows certificate store.

Cause

These certificate-related errors are caused by the TLS interception that WSS performs to ensure the traffic is protected and validated per corporate policies.

The WSS Agent installs the "Cloud Services Root CA" in the Windows certificate store; however, some applications do not use this store directly, so they do not trust the TLS-intercepted responses they receive.

Resolution

The resolution depends on the application itself, but it generally takes one of two forms: adding a copy of the "Cloud Services Root CA" certificate (in DER, CER or CRT format) to a local CA store (for Eclipse, the CA root must be added to a Java CA store [1][2]), or switching the TLS communication mode from the OpenSSL libraries to Schannel (as is the case for Git applications) [3].

[1] https://www.ibm.com/support/knowledgecenter/SSEQVQ_8.1.0/tshoot/t_add_selfsigned_cert_to_keystore.html

[2] https://stackoverflow.com/questions/21076179/pkix-path-building-failed-and-unable-to-find-valid-certification-path-to-requ

[3] https://git-scm.com/docs/git-config
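
One way to apply the two approaches from the Resolution to Git, npm and Java on a Windows developer machine, as an added example that is not part of the original article or any vendor tooling. It assumes the certificate subject contains "Cloud Services Root CA", that JAVA_HOME points to Java 9 or later (for keytool's -cacerts option), and uses an output path, a keystore alias (wss-root-ca) and the Node.js NODE_EXTRA_CA_CERTS variable chosen here.

```powershell
# Added example, not vendor code. Assumed: CA subject text, output path,
# keystore alias, and a Java 9+ JDK/JRE reachable through JAVA_HOME.
$caName  = 'Cloud Services Root CA'
$outDir  = Join-Path $env:USERPROFILE '.certs'      # assumed location
$pemPath = Join-Path $outDir 'wss-root-ca.pem'      # assumed file name
$alias   = 'wss-root-ca'                            # assumed keystore alias

# 1. Locate the root CA that the WSS Agent placed in the Windows store.
$ca = Get-ChildItem Cert:\LocalMachine\Root |
      Where-Object { $_.Subject -like "*$caName*" } |
      Sort-Object NotAfter -Descending |
      Select-Object -First 1
if (-not $ca) { throw "'$caName' not found in Cert:\LocalMachine\Root" }

# Compare this thumbprint with the value your security team publishes
# before copying the certificate into any further trust store.
'{0}  {1}  expires {2:u}' -f $ca.Thumbprint, $ca.Subject, $ca.NotAfter

# 2. Export the certificate as PEM (base64-encoded DER with BEGIN/END lines).
New-Item -ItemType Directory -Force -Path $outDir | Out-Null
$b64 = [Convert]::ToBase64String($ca.RawData, 'InsertLineBreaks')
$pem = "-----BEGIN CERTIFICATE-----`n$b64`n-----END CERTIFICATE-----`n"
[IO.File]::WriteAllText($pemPath, $pem)

# 3. Git for Windows: use Schannel, which validates against the Windows
#    certificate store, instead of the bundled OpenSSL CA file.
git config --global http.sslBackend schannel

# 4. Node.js / npm: trust the exported CA in addition to the built-in roots.
#    Certificate verification stays enabled; only the trust anchors change.
[Environment]::SetEnvironmentVariable('NODE_EXTRA_CA_CERTS', $pemPath, 'User')

# 5. Java (for example the JRE used by Eclipse): import the CA into the
#    cacerts trust store of the runtime under JAVA_HOME, once.
#    'changeit' is the default cacerts password; writing to cacerts
#    usually requires an elevated prompt.
$keytool = Join-Path $env:JAVA_HOME 'bin\keytool.exe'
& $keytool -list -cacerts -alias $alias -storepass changeit 2>$null | Out-Null
if ($LASTEXITCODE -ne 0) {
    & $keytool -importcert -noprompt -cacerts -alias $alias `
        -file $pemPath -storepass changeit
}
```

Open a new terminal afterwards so that npm picks up the user-level environment variable, and repeat step 5 for each Java runtime an application bundles.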