CWPKI0022E Error with Email Notification and Websphere Liberty Profile


Robert Carter (42928589) | asked Nov 16 '15, 11:22 a.m.
edited Nov 16 '15, 1:49 p.m.
I have installed CLM 6.0.1 RC1 on a RedHat Linux server using Websphere Liberty profile.  I have successfully completed a web install.  I am now configuring email notifications and I receive the error code, CWPKI0022E, when I send a test email.  The error message returned is:

Can't send command to SMTP host; nested exception is: javax.net.ssl.SSLHandshakeException: java.security.cert.CertificateException: PKIX path building failed: java.security.cert.CertPathBuilderException: PKIXCertPathBuilderImpl could not build a valid CertPath.; internal cause is: java.security.cert.CertPathValidatorException: The certificate issued by CN=AddTrust External CA Root, OU=AddTrust External TTP Network, O=AddTrust AB, C=SE is not trusted; internal cause is: java.security.cert.CertPathValidatorException: Certificate chaining error

I have found the following tech note. But this is for websphere and does not cover the Websphere Liberty profile.  Is there a way to add certificates and retrieve certificates from host and port using the Liberty Profile?

One answer



Donald Nong (14.5k414) | answered Nov 17 '15, 1:41 a.m.
The first step is to retrieve the signer certificate from the (SMTP) server. Since you are using Redhat and openssl should be installed by default, you can use it.
http://stackoverflow.com/questions/7885785/using-openssl-to-get-the-certificate-from-a-server
The command suggested in the above post will not work as we are working with STARTTLS here, so add the -starttls parameter, and the command becomes
openssl s_client -starttls smtp -showcerts -connect host:port
Copy the certificate from the output and make it a PEM file.

Next step is to import the signer certificate into Liberty.
1. First check the server/liberty/servers/clm/server.xml file to confirm the location of the keystore. By default it should look like this. The default keystore is of JKS format and the password is "ibm-team".
<keyStore id="defaultKeyStore" location="ibm-team-ssl.keystore" type="JCEKS" password="{xor}Nj0ycis6PjI="/>
2. Launch the iKeyMan by running the command server/jre/bin/ikeyman.
3. Open the keystore and add the signer certificate to the keystore. See the "Storing a CA's certificate" section towards the bottom of the below document for detailed steps.
http://www-01.ibm.com/software/webservers/httpservers/doc/v1312/ibm/9atikeyu.htm

I have verified the steps with a single CA (root CA). If there are intermediate CAs, the steps should be the same or similar.
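
The "copy the certificate from the output and make it a PEM file" step from the answer above, as an added example that is not part of the original post: a shell function that splits `openssl s_client -showcerts` output into one PEM file per certificate and lists each subject and issuer. The function names, the `certs` directory, the `smtp-signer` alias and the sample chain are assumptions made for illustration; the sample names and certificate bodies are constructed placeholders.

```shell
#!/bin/sh
# Added example. Splits `openssl s_client -showcerts` output into one PEM file
# per certificate and lists subject/issuer, so the signer can be picked out.

# split_chain OUTDIR: reads s_client output on stdin, writes OUTDIR/cert-N.pem
# and prints "N<TAB>subject<TAB>issuer" for each certificate found.
split_chain() {
    mkdir -p "$1" || return 1
    awk -v dir="$1" '
        BEGIN { n = 0 }
        /^ *[0-9]+ s:/ { sub(/^ *[0-9]+ s:/, ""); subj = $0; next }
        /^ +i:/        { sub(/^ +i:/, "");        iss  = $0; next }
        /^-----BEGIN CERTIFICATE-----/ { file = dir "/cert-" n ".pem"; incert = 1 }
        incert { print > file }
        /^-----END CERTIFICATE-----/ {
            close(file); incert = 0
            printf "%d\t%s\t%s\n", n++, subj, iss
        }'
}

# Constructed sample in the s_client layout; names and bodies are placeholders,
# not real certificates.
sample_output() {
    cat <<'EOF'
CONNECTED(00000003)
---
Certificate chain
 0 s:CN = smtp.example.test
   i:CN = Example Intermediate CA
-----BEGIN CERTIFICATE-----
PLACEHOLDERLEAF
-----END CERTIFICATE-----
 1 s:CN = Example Intermediate CA
   i:CN = Example Root CA
-----BEGIN CERTIFICATE-----
PLACEHOLDERINTERMEDIATE
-----END CERTIFICATE-----
---
Server certificate
subject=CN = smtp.example.test
issuer=CN = Example Intermediate CA
EOF
}

# Demo on the sample. Against a live server, pipe the answer's command instead:
#   openssl s_client -starttls smtp -showcerts -connect host:port </dev/null | split_chain certs
demo_dir=$(mktemp -d)
sample_output | split_chain "$demo_dir"
rm -rf "$demo_dir"
# A chosen file can then be added with iKeyMan as in the answer, or with the
# JDK's keytool (an alternative, not from the answer; prompts for the password):
#   keytool -importcert -alias smtp-signer -file certs/cert-1.pem \
#           -keystore ibm-team-ssl.keystore -storetype JCEKS
```

Before importing, compare the chosen certificate's fingerprint (`openssl x509 -in certs/cert-1.pem -noout -fingerprint -sha256`) with a value obtained from the CA or the mail administrator, because `s_client` only shows what the network path presented.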
