"Use SSL to client" is enabled in the VSM but the client application is not able to reach the VSM via HTTPS.


Article ID: 7155


Products

CA Application Test Service Virtualization

Issue/Introduction

'Use SSL to client' is enabled in the VSM/HTTP Listener step, but the client application is not able to get a valid response when sending HTTPS requests.

The same VSM works when a request is sent from a test case.

When we try to access the virtual service from a web browser, we get messages such as:

There is a problem with this website’s security certificate. 

The security certificate presented by this website was issued for a different website's address.

The security certificate presented by this website was not issued by a trusted certificate authority.

However, a valid response is received when the option "Continue to this website" is selected.

 

Cause

When enabling 'Use SSL to Client' in the Listener step, the properties below are used:

ssl.server.cert.path

ssl.server.cert.pass

By default, these properties point to the webreckeys.ks file under the $DEVTEST_HOME folder (see Local Properties File - ssl.server.cert.path).

The webreckeys.ks keystore is self-signed: its certificate (1) was not issued by a CA (Certificate Authority) and (2) was not issued to the VSE Server. The VSE Server hostname or IP address is the address used to send a request to a VSM.

(1) causes the message: The security certificate presented by this website was not issued by a trusted certificate authority.

(2) causes the message: The security certificate presented by this website was issued for a different website's address.

Environment

All supported DevTest releases.

Resolution

Generate a keystore with a key pair and a certificate issued by a CA (Certificate Authority) and issued to the VSE Server.

This new keystore and its password should be specified in the HTTP/S Listener step inside the virtual service model.

The service model needs to be redeployed.

Additional Information

The Java keystore should contain both the public key certificates and the matching private key.
This can be verified using the Portecle tool (or keytool); when the certificate is exported, it should show the complete trust chain.
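
One way to run the keytool check described above against causes (1) and (2), as an added example that is not part of the original article. The function name check_keystore_listing, the host vse.example.test and both sample listings are constructed for illustration.

```bash
#!/usr/bin/env bash
# Added example: reads `keytool -list -v` output on stdin and checks every
# PrivateKeyEntry against causes (1) and (2). $1 = host or IP that clients use.
# Assumption: exact name match only; wildcard certificates are not handled.
check_keystore_listing() {
  awk -v host="$1" '
    function finish(   cn, msg, known) {
      if (alias == "" || type != "PrivateKeyEntry") return
      keys++
      if (match(owner, /CN=[^,]+/)) cn = substr(owner, RSTART + 3, RLENGTH - 3)
      if (owner == issuer) msg = msg " self-signed"          # cause (1)
      known = tolower(names " " cn " ")
      if (index(known, " " tolower(host) " ") == 0) msg = msg " host-mismatch"  # cause (2)
      if (msg != "") bad++
      print alias ":" (msg == "" ? " ok" : msg) " chain=" len
    }
    /^Alias name: / { finish(); alias = substr($0, 13)
                      type = owner = issuer = names = ""; len = cert = 0 }
    /^Entry type: /               { type = $3 }
    /^Certificate chain length: / { len = $4 }
    /^Certificate\[[0-9]+\]:/     { cert++ }               # only the leaf is inspected
    cert <= 1 && /^Owner: /       { owner = substr($0, 8) }
    cert <= 1 && /^Issuer: /      { issuer = substr($0, 9) }
    cert <= 1 && /^ *(DNSName|IPAddress): / { names = names " " $2 }
    END { finish(); if (keys == 0) print "no PrivateKeyEntry found"
          exit (bad > 0 || keys == 0) }
  '
}

# Constructed sample listings, trimmed to the fields the check reads.
SELF_SIGNED='Alias name: demo
Entry type: PrivateKeyEntry
Certificate chain length: 1
Certificate[1]:
Owner: CN=localhost, O=Example
Issuer: CN=localhost, O=Example'
CA_ISSUED='Alias name: vse
Entry type: PrivateKeyEntry
Certificate chain length: 2
Certificate[1]:
Owner: CN=vse.example.test, O=Example
Issuer: CN=Example Issuing CA, O=Example
  DNSName: vse.example.test
Certificate[2]:
Owner: CN=Example Issuing CA, O=Example
Issuer: CN=Example Issuing CA, O=Example'

printf '%s\n' "$SELF_SIGNED" | check_keystore_listing vse.example.test || true
printf '%s\n' "$CA_ISSUED" | check_keystore_listing vse.example.test
```

Against a real keystore, pipe the output of `keytool -list -v -keystore <keystore>` into the function, passing the hostname or IP address that clients use to reach the VSM.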

Note that if other Virtual Services depend on the existing values of ssl.server.cert.path and ssl.server.cert.pass, and those values are not suitable for this client, set different values, either by setting them directly in the Listen step or by creating new properties.
