
Certificate error when contacting 3rd party server from within RTC server side plugin

Hello,
we are currently running RTC 6.0.6.1 with WAS (no Liberty) and we are developing quite a number of plugins.
The current plugin that we are working on is a REST service running on the RTC server which itself is contacting another server over https using the Apache HttpClient library. The problem is that the connection cannot be established due to certificate issues.

The error we get is:
Error 400: com.ibm.jsse2.util.h: PKIX path building failed: java.security.cert.CertPathBuilderException: PKIXCertPathBuilderImpl could not build a valid CertPath.; internal cause is:
    java.security.cert.CertPathValidatorException: The certificate issued by CN=DigiCert Global Root CA, OU=www.digicert.com, O=DigiCert Inc, C=US is not trusted; internal cause is:
    java.security.cert.CertPathValidatorException: Certificate chaining error

I have the feeling (but cannot verify it) that the plugin was working when we had 6.0.6 installed and after the update to 6.0.6.1 it is no longer working.
I also checked the certificate store of the IBM JDK/JRE and the certificate seems to be in there.

Now I am out of ideas and therefore I am contacting the forum.
Do you have some more ideas what could be the reason?

0 votes

Comments

Is the server being called one of the ELM applications, or some other kind of server?

If it is an ELM application, and the service being invoked is an ELM public service, then it would also be good to file a defect with the snippet of code that is failing, so IBM support can reproduce and comment.  

Unfortunately it is not an ELM application (it is Atlassian Bitbucket) and I guessed that this is not supported by IBM. My hope was that somebody else came across the same issue and would share the solution with me via this thread.

Thank you anyway.



3 answers


Most likely you need to import the entire DigiCert chain into your WAS trust keystore. With WAS you have three separate keystores: a root keystore (where root certs are stored), a trust keystore (where trusted certs of external locations are kept), and a default keystore (where the WAS cert is stored and used to present to the external connection). Make sure you import the entire chain.

0 votes



One would think...   Another more invasive alternative is to update the cacerts file of the JRE with the needed certificates.   We have to do that for an RTC server plugin to Salesforce.

0 votes


This is because the WebSphere server doesn't trust the external service.

You need to add the CA certificate chain for the remote server into the WebSphere server NodeDefaultTrustStore in the SSL settings for WAS.

Check the info in this Jazz article: https://jazz.net/library/article/606

0 votes

Comments
Thanks for the link.

As it seems, the certificates of our Bitbucket instance are completely different from the ones installed on our CCM. I really did not expect this to be the case but Murphy's law was active again as it seems.

Kind regards, Marko
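The answers above all come down to the same check: the PKIX trust manager inside the server JVM walks the chain the remote server presents and fails if no certificate in the configured trust store (WAS NodeDefaultTrustStore, or the JRE cacerts if you go the invasive route) signs the top of that chain. The final comment shows why guessing does not work: the chain Bitbucket actually sends may have nothing to do with the certificates installed on the CCM. The following diagnostic is an added example, not code from the thread or from IBM; it first records the chain the remote server really presents (with a capture-only trust manager that must never be used outside a diagnostic), then validates that chain against a trust store you name, using the platform's default trust manager, which on the IBM JDK is the same IbmPKIX implementation behind the error above. The host name, port, keystore path and password in the usage comment are placeholders, not values from the thread.

```java
import java.io.FileInputStream;
import java.io.InputStream;
import java.security.KeyStore;
import java.security.cert.CertificateException;
import java.security.cert.X509Certificate;
import javax.net.ssl.SSLContext;
import javax.net.ssl.SSLSocket;
import javax.net.ssl.TrustManager;
import javax.net.ssl.TrustManagerFactory;
import javax.net.ssl.X509TrustManager;

/**
 * Diagnostic for "PKIX path building failed" when a server-side plugin calls an
 * external HTTPS endpoint. Not part of the original thread.
 *
 * Usage (all arguments are placeholders, not values from the thread):
 *   java ChainCheck bitbucket.example.com 443 \
 *        /opt/IBM/WebSphere/AppServer/profiles/AppSrv01/config/cells/cell01/nodes/node01/trust.p12 WebAS
 * A JRE cacerts path (JKS, default password "changeit") works the same way.
 */
public class ChainCheck {

    /** Records the presented chain and performs NO validation. Diagnostic use only. */
    static final class CapturingTrustManager implements X509TrustManager {
        X509Certificate[] presented = new X509Certificate[0];
        public void checkClientTrusted(X509Certificate[] chain, String authType) { }
        public void checkServerTrusted(X509Certificate[] chain, String authType) { presented = chain; }
        public X509Certificate[] getAcceptedIssuers() { return new X509Certificate[0]; }
    }

    /** Runs a TLS handshake and returns the chain the server sent, leaf first. */
    static X509Certificate[] fetchChain(String host, int port) throws Exception {
        CapturingTrustManager capture = new CapturingTrustManager();
        SSLContext ctx = SSLContext.getInstance("TLS");
        ctx.init(null, new TrustManager[] { capture }, null);
        try (SSLSocket s = (SSLSocket) ctx.getSocketFactory().createSocket(host, port)) {
            s.startHandshake();
        }
        return capture.presented;
    }

    /** Loads a trust store and builds the platform default (PKIX) trust manager over it. */
    static X509TrustManager pkixTrustManager(String path, char[] password, String type) throws Exception {
        KeyStore ks = KeyStore.getInstance(type);
        try (InputStream in = new FileInputStream(path)) {
            ks.load(in, password);
        }
        TrustManagerFactory tmf = TrustManagerFactory.getInstance(TrustManagerFactory.getDefaultAlgorithm());
        tmf.init(ks);
        for (TrustManager tm : tmf.getTrustManagers()) {
            if (tm instanceof X509TrustManager) {
                return (X509TrustManager) tm;
            }
        }
        throw new IllegalStateException("no X509TrustManager available for " + path);
    }

    public static void main(String[] args) throws Exception {
        String host = args[0];
        int port = Integer.parseInt(args[1]);
        String storePath = args[2];
        char[] storePass = args[3].toCharArray();
        // WAS trust stores (trust.p12) are PKCS12; the JRE cacerts file is JKS.
        String storeType = storePath.endsWith(".p12") ? "PKCS12" : "JKS";

        // Step 1: what does the remote server actually send? Compare this with what
        // you assumed was installed; the thread shows they can differ completely.
        X509Certificate[] chain = fetchChain(host, port);
        System.out.println("Server presented " + chain.length + " certificate(s):");
        for (X509Certificate c : chain) {
            System.out.println("  subject = " + c.getSubjectX500Principal());
            System.out.println("  issuer  = " + c.getIssuerX500Principal());
        }

        // Step 2: the same check JSSE runs inside the plugin, against the chosen store.
        X509TrustManager tm = pkixTrustManager(storePath, storePass, storeType);
        try {
            tm.checkServerTrusted(chain, "RSA");
            System.out.println("Chain IS trusted by " + storePath);
        } catch (CertificateException e) {
            System.out.println("Chain is NOT trusted by " + storePath + ": " + e.getMessage());
            // The store must contain a signer for the topmost certificate the server sent
            // (or that certificate itself, if the server already sends the root).
            X509Certificate top = chain[chain.length - 1];
            System.out.println("Missing signer for: " + top.getIssuerX500Principal());
        }
    }
}
```

Run it once with the trust store the plugin really uses (for WAS on the application server node that is the NodeDefaultTrustStore file, not the JRE cacerts) so the result matches what the plugin sees; a chain that passes against cacerts but fails against trust.p12 explains a "but the certificate is in the JDK store" situation. Once the missing signer is identified, import it into NodeDefaultTrustStore (in the admin console: Security > SSL certificate and key management > Key stores and certificates > NodeDefaultTrustStore > Signer certificates > Retrieve from port, which fetches the signer from the remote host directly), then restart the server so the running JSSE layer picks it up. Import the intermediate and root, not just the leaf, as the first answer says, so the check still passes after the leaf certificate is renewed.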

Question asked: Jul 31 '19, 12:06 p.m.

Question was seen: 3,025 times

Last updated: Aug 07 '19, 3:46 a.m.
