CWPKI0022E Error with Email Notification and Websphere Liberty Profile
I have installed CLM 6.0.1 RC1 on a RedHat Linux server using WebSphere Liberty profile. I have successfully completed a web install. I am now configuring email notifications and I receive the error code CWPKI0022E when I send a test email. The error message returned is:

Can't send command to SMTP host; nested exception is: javax.net.ssl.SSLHandshakeException: java.security.cert.CertificateException: PKIX path building failed: java.security.cert.CertPathBuilderException: PKIXCertPathBuilderImpl could not build a valid CertPath.; internal cause is: java.security.cert.CertPathValidatorException: The certificate issued by CN=AddTrust External CA Root, OU=AddTrust External TTP Network, O=AddTrust AB, C=SE is not trusted; internal cause is: java.security.cert.CertPathValidatorException: Certificate chaining error

I have found the following tech note. But this is for WebSphere and does not cover the WebSphere Liberty profile. Is there a way to add certificates and retrieve certificates from host and port using the Liberty Profile?
One answer
The first step is to retrieve the signer certificate from the (SMTP) server. Since you are using Redhat and openssl should be installed by default, you can use it.
http://stackoverflow.com/questions/7885785/using-openssl-to-get-the-certificate-from-a-server
The command suggested in the above post will not work, as we are working with STARTTLS here, so add the -starttls parameter, and the command becomes

openssl s_client -starttls smtp -showcerts -connect host:port

Copy the certificate from the output and make it a PEM file.
Next step is to import the signer certificate into Liberty.
1. First check the server/liberty/servers/clm/server.xml file to confirm the location of the keystore. By default it should look like this. The default keystore is of JKS format and the password is "ibm-team".
<keyStore id="defaultKeyStore" location="ibm-team-ssl.keystore" type="JCEKS" password="{xor}Nj0ycis6PjI="/>
2. Launch iKeyMan by running the command server/jre/bin/ikeyman.
3. Open the keystore and add the signer certificate to the keystore. See the "Storing a CA's certificate" section towards the bottom of the below document for detailed steps.
http://www-01.ibm.com/software/webservers/httpservers/doc/v1312/ibm/9atikeyu.htm
I have verified the steps with a single CA (root CA). If there are intermediate CAs, the steps should be the same or similar.
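The answer's three steps (capture the STARTTLS handshake with openssl, cut the PEM block out of the output, import the signer into the Liberty keystore) can be scripted so that the chain is split mechanically and the import is done with keytool from the same JRE that ships ikeyman, instead of through the iKeyMan GUI. This is an added example, not the answerer's script and not part of CLM or Liberty. It takes the store type JCEKS and the password "ibm-team" from the server.xml shown above; the keystore path, host, port, output directory and the location of keytool under server/jre/bin are assumptions you replace with your own values. The sample s_client transcript embedded at the bottom is constructed for an offline run and contains placeholder text, not real certificates. Because the question's error names the root CA as the untrusted issuer, the certificate to import is normally the last one in the chain, which describe_chain lets you identify before importing.

```shell
#!/bin/sh
# Added example (not from the original answer): capture an SMTP server's
# STARTTLS certificate chain, split it into one PEM file per certificate,
# and import the signer certificate into the Liberty keystore with keytool.
# Assumed locations: keytool in server/jre/bin (next to ikeyman), keystore
# path and host:port supplied by the caller.

# Step 1: capture the handshake transcript. </dev/null closes the session so
# s_client exits instead of waiting for SMTP commands on stdin.
fetch_smtp_chain() {
    host="$1"; port="$2"
    openssl s_client -starttls smtp -showcerts -connect "$host:$port" </dev/null 2>/dev/null
}

# Step 2: read an s_client transcript on stdin and write each certificate to
# $outdir/cert-N.pem (N starting at 0, leaf first). Prints the count written.
split_pem_chain() {
    outdir="$1"
    mkdir -p "$outdir"
    awk -v dir="$outdir" '
        /^-----BEGIN CERTIFICATE-----/ { n++; f = dir "/cert-" (n - 1) ".pem"; inblock = 1 }
        inblock                         { print > f }
        /^-----END CERTIFICATE-----/    { inblock = 0; close(f) }
        END                             { print n + 0 }'
}

# Step 2b: print subject and issuer of every extracted certificate so the
# signer (issuing CA, or the root named in the CWPKI0022E error) can be chosen.
describe_chain() {
    outdir="$1"
    for f in "$outdir"/cert-*.pem; do
        printf '%s: ' "$f"
        openssl x509 -in "$f" -noout -subject -issuer | tr '\n' ' '
        echo
    done
}

# Step 3: import one PEM file as a trusted signer. Store type and password
# match the defaultKeyStore element in server.xml quoted in the answer.
import_signer() {
    keystore="$1"; alias="$2"; pemfile="$3"
    keytool -importcert -noprompt \
        -keystore "$keystore" -storetype JCEKS -storepass ibm-team \
        -alias "$alias" -file "$pemfile"
}

# End-to-end run, e.g.:  sh thisscript.sh smtp.example.com 587 /path/to/ibm-team-ssl.keystore
# Only executed when all three arguments are given, so the functions above can
# be sourced or tested without touching the network.
if [ "$#" -eq 3 ]; then
    workdir=$(mktemp -d)
    count=$(fetch_smtp_chain "$1" "$2" | split_pem_chain "$workdir")
    echo "captured $count certificate(s) in $workdir"
    describe_chain "$workdir"
    last=$((count - 1))
    import_signer "$3" "smtp-signer" "$workdir/cert-$last.pem"
fi

# Constructed sample transcript (placeholder bodies, NOT real certificates),
# used only to exercise split_pem_chain offline.
SAMPLE_TRANSCRIPT='CONNECTED(00000003)
---
Certificate chain
 0 s:/CN=smtp.example.com
   i:/CN=Example Issuing CA
-----BEGIN CERTIFICATE-----
CONSTRUCTED-LEAF-PLACEHOLDER
-----END CERTIFICATE-----
 1 s:/CN=Example Issuing CA
   i:/CN=Example Root CA
-----BEGIN CERTIFICATE-----
CONSTRUCTED-ISSUER-PLACEHOLDER
-----END CERTIFICATE-----
---
250 STARTTLS'
```

Run it with the three arguments to do the full capture and import, or source it and call split_pem_chain on a saved transcript to cut the PEM files out by hand. The -noprompt flag skips keytool's interactive "Trust this certificate?" question, so check describe_chain's output first and pick the alias deliberately; importing the leaf instead of the CA will not fix the chaining error reported in the question.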