CA Gen Call external fails to connect to Gen EJB Custom Web Service running under secure SSL/https WebSphere website ("Could not establish underlying trust relationship for the SSL/TLS secure channel.")


Article ID: 209007


Updated On:


CA Gen CA Gen - Workstation Toolset


Gen 8.6 Call External statement fails to connect to a Gen EJB Custom Web Service running under a secure SSL/https WebSphere website with error:

Error: WSDL Access
The underlying connection was closed: Could not establish underlying trust relationship for the SSL/TLS secure channel. 


Release : 8.62
Component : CA Gen Workstation Toolset


A (CA Root) certificate had not been installed for the WebSphere https website (port 9443).
After installing the certificate it was also added to the Trusted Root Certification Authorities store for the Toolset client-side access via Internet Explorer (IE11) browser using these steps:
The error was then resolved and the Custom Web Service Operation displayed successfully in the Call External WSDL Method dialog box.

Additional Information

1. The Call External feature uses a .NET library to parse the WSDL. It uses default behaviour when it tries to connect to an SSL /TLS based server to retrieve the WSDL where proper SSL handshaking needs to occur.
Currently, the parser defaults to .NET Framework 4.0 and is able to understand a variety of issues with a certificate. If the certificate is not a valid one, it will not allow proceeding further and most of the time certificate issues could be fixed by working with the certificate provider.
For the specific case when presented with a self-signed certificate, the parser is able to recognize this and a message "Certificate is Self-signed/Invalid. Do you want to continue?" is displayed to allow the user to continue:

Related Gen 8.6 documentation (see "Add a Call External Statement"):
CA Gen 8.6 > Developing > Designing > Using the Toolset > Working with Toolset > Use Action Diagram Assignment Action Statements > Add a Call External Statement > Call External Statement in Action Diagram > Consume a Secure Web Service

2. The most common issue with certificates are expired certificates and if the server presented an expired certificate, the Call External statement will not proceed and a generic error message will be received and sometimes a specific message based on what certificates are used on the server-side. In that case check for:
a. An expired certificate. There is no way to work around it.
b. If a client certificate is required. Certificates are trust operations and if encounter a certificate which doesn't match any installed trusted sources in the certificate store the certificate can be installed and set to be trusted.
c. A self-signed certificate. Per above, the Gen parser has been provided with a way to continue.
3. As a workaround, the WSDL Document could be copied to a file on disk and then instead of typing in the URL use the folder/file option  to access the saved WSDL document.