search cancel

"Use SSL to client" is enabled in the VSM but the client application is not able to reach the VSM via HTTPS

book

Article ID: 7155

calendar_today

Updated On:

Products

CA Application Test

Issue/Introduction

'Use SSL to client' is enabled in the VSM/HTTP Listener step, but the client application is not able to get a valid response when sending HTTPS requests.

The same VSM works when a request is sent from a test case.

When we try to access the virtual service from a web browser, we get messages such as:

There is a problem with this website’s security certificate. 

The security certificate presented by this website was issued for a different website's address.

The security certificate presented by this website was not issued by a trusted certificate authority.

However, a valid response is received when the option "Continue to this website" is selected.

 

Environment

All supported DevTest releases.

Cause

When enabling 'Use SSL to Client' in the Listener step, the properties below are used:

ssl.server.cert.path

ssl.server.cert.pass

By default, these properties point to the webreckeys.ks file under $DEVTEST_HOME folder - Refer to the documentation section on the Local Properties File in the SSL Properties section for reference.

Webreckeys.ks is a self-signed keystore that (1) was not issued by a CA (Certificate Authority) and (2) was not issued to the VSE Server. The VSE server hostname or IP address is the address used to send a request to a VSM. 

(1) causes the type of message - The security certificate presented by this website was not issued by a trusted certificate authority.

(2) causes the type of message -  The security certificate presented by this website was issued for a different website's address.  

Resolution

Generate a keystore with a key pair and a certificate issued by a CA (Certificate Authority) and issued to the VSE Server.

This new keystore and its password should be specified in the HTTP/S Listener step inside the virtual service model.

The service model needs to be redeployed.

Additional Information

The java keystore should have both PUBLIC key certificates and matching private key. 

This can be verified using portecle tool (or you could use keytool) and when the certificate is exported, it should show the complete trust chain.

Note that if other Virtual Services depend on existing property values in ssl.server.cert.path and ssl.server.cert.pass, and if these are not suitable for this client, then set different values. Either by setting the values directly in the Listen step or by creating some new properties.

Attachments