Jazz Forum Welcome to the Jazz Community Forum Connect and collaborate with IBM Engineering experts and users

CWPKI0022E Error with Email Notification and Websphere Liberty Profile

I have installed CLM 6.0.1 RC1 on a Red Hat Linux server using Websphere Liberty profile.  I have successfully completed a web install.  I am now configuring email notifications and I receive the error code, CWPKI0022E, when I send a test email.  The error message returned is:

Can't send command to SMTP host; nested exception is: javax.net.ssl.SSLHandshakeException: java.security.cert.CertificateException: PKIX path building failed: java.security.cert.CertPathBuilderException: PKIXCertPathBuilderImpl could not build a valid CertPath.; internal cause is: java.security.cert.CertPathValidatorException: The certificate issued by CN=AddTrust External CA Root, OU=AddTrust External TTP Network, O=AddTrust AB, C=SE is not trusted; internal cause is: java.security.cert.CertPathValidatorException: Certificate chaining error

I have found the following tech note. But this is for websphere and does not cover the Websphere Liberty profile.  Is there a way to add certificates and retrieve certificates from host and port using the Liberty Profile?

0 votes



One answer

The first step is to retrieve the signer certificate from the (SMTP) server. Since you are using Redhat and openssl should be installed by default, you can use it.
http://stackoverflow.com/questions/7885785/using-openssl-to-get-the-certificate-from-a-server
The command suggested in the above post will not work as we are working with STARTTLS here, so add the -starttls parameter, and the command becomes:
openssl s_client -starttls smtp -showcerts -connect host:port
Copy the certificate from the output and make it a PEM file.

Next step is to import the signer certificate into Liberty.
1. First check the server/liberty/servers/clm/server.xml file to confirm the location of the keystore. By default it should look like this. The default keystore is of JKS format and the password is "ibm-team".
 <keyStore id="defaultKeyStore" location="ibm-team-ssl.keystore" type="JCEKS" password="{xor}Nj0ycis6PjI="/>
2. Launch the iKeyMan by running the command server/jre/bin/ikeyman.
3. Open the keystore and add the signer certificate to the keystore. See the "Storing a CA's certificate" section towards the bottom of the below document for detailed steps.
http://www-01.ibm.com/software/webservers/httpservers/doc/v1312/ibm/9atikeyu.htm

I have verified the steps with a single CA (root CA). If there are intermediate CAs, the steps should be the same or similar.

0 votes
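
The "copy the certificate from the output and make it a PEM file" step from the answer above, as an added shell example that is not part of the original post: it splits `-showcerts` output into one PEM file per certificate so nothing has to be copied by hand. The function name `split_showcerts`, the `chain-N.pem` file names and the sample input are assumptions made for this example.

```shell
#!/bin/sh
# split_showcerts DIR: read `openssl s_client -showcerts` output on stdin and
# write each certificate block to DIR/chain-N.pem (chain-0.pem is the server's
# own certificate, higher numbers are the CA certificates sent with it).
# Prints the number of files written; fails when no certificate is found or
# the last block has no END line (truncated output).
split_showcerts() {
    mkdir -p "$1" || return 1
    awk -v dir="$1" '
        /^-----BEGIN CERTIFICATE-----/ { file = sprintf("%s/chain-%d.pem", dir, n); inside = 1 }
        inside { print > file }
        /^-----END CERTIFICATE-----/ && inside { close(file); inside = 0; n++ }
        END { if (inside || n == 0) exit 1; print n }
    '
}

# Constructed sample in the layout s_client prints; the bodies are
# placeholders, not real certificates.
sample_s_client_output() {
    cat <<'EOF'
CONNECTED(00000003)
---
Certificate chain
 0 s:/CN=smtp.example.test
   i:/CN=Example Issuing CA
-----BEGIN CERTIFICATE-----
UExBQ0VIT0xERVItU0VSVkVSLUNFUlQ=
-----END CERTIFICATE-----
 1 s:/CN=Example Issuing CA
   i:/CN=Example Root CA
-----BEGIN CERTIFICATE-----
UExBQ0VIT0xERVItQ0EtQ0VSVA==
-----END CERTIFICATE-----
---
EOF
}

out=$(mktemp -d)
count=$(sample_s_client_output | split_showcerts "$out")
echo "wrote $count certificate file(s) to $out"

# Against the real server (host:port as in the answer's command):
#   openssl s_client -starttls smtp -showcerts -connect host:port </dev/null |
#       split_showcerts ./chain
# Check each file before importing it, and compare the fingerprint with one
# obtained out of band: the s_client session does not authenticate the server.
#   openssl x509 -in ./chain/chain-1.pem -noout -subject -issuer -fingerprint -sha256
```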

Question asked: Nov 16 '15, 11:22 a.m.

Question was seen: 4,596 times

Last updated: Nov 17 '15, 1:41 a.m.
