Certificate error when contacting 3rd party server from within RTC server side plugin

Marko Tomljenovic (31649109) | asked Jul 31 '19, 12:06 p.m.
We are currently running RTC with WAS (no Liberty) and we are developing quite a number of plugins.
The current plugin that we are working on is a REST service running on the RTC server which itself is contacting another server over https using the Apache HttpClient library. The problem is that the connection cannot be established due to certificate issues.

The error we get is:
Error 400: PKIX path building failed: PKIXCertPathBuilderImpl could not build a valid CertPath.; internal cause is:

   The certificate issued by CN=DigiCert Global Root CA,, O=DigiCert Inc, C=US is not trusted; internal cause is:

   Certificate chaining error

I have the feeling (but cannot verify it) that the plugin was working when we had 6.0.6 installed and after the update to it is no more working.
I also checked the certificate store of the IBM JDK/JRE and the certificate seems to be in there.

Now I am out of ideas and therefore I am contacting the forum.
Do you have some more ideas what could be the reason?

Geoffrey Clemm commented Aug 01 '19, 9:47 a.m.

Is the server being called one of the ELM applications, or some other kind of server?

If it is an ELM application, and the service being invoked is an ELM public service, then it would also be good to file a defect with the snippet of code that is failing, so IBM support can reproduce and comment.  

Marko Tomljenovic commented Aug 01 '19, 11:09 a.m.
Unfortunately it is not an ELM application (it is Atlassian Bitbucket) and I guessed that this is not supported by IBM. My hope was that somebody else came across the same issue and would share the solution with me via this thread.

Thank you anyway.

3 answers

Kenny Smith (302614) | answered Aug 01 '19, 11:58 a.m.

Most likely you need to import the entire DigiCert chain into your WAS trust keystore. With WAS you have three separate keystores: a root keystore (where root certs are stored), a trust keystore (where trusted certs of external locations are kept), and a default keystore (where the WAS cert is stored and used to present to the external connection). Make sure you import the entire chain.

Kevin Ramer (4.5k9185201) | answered Aug 06 '19, 4:45 p.m.

One would think... Another more invasive alternative is to update the cacerts file of the JRE with the needed certificates. We have to do that for RTC server plugin to Salesforce.

Davyd Norris (2.4k217) | answered Aug 06 '19, 9:31 p.m.
This is because the WebSphere server doesn't trust the external service.

You need to add the CA certificate chain for the remote server into the WebSphere server NodeDefaultTrustStore in the SSL settings for WAS.

Check the info in this Jazz article:

Marko Tomljenovic commented Aug 07 '19, 3:46 a.m.
Thanks for the link.

As it seems the certificates of our Bitbucket instance are completely different ones than the ones installed on our CCM. I really did not expect this to be the case but Murphy's law was active again as it seems.

Kind regards, Marko
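
The thread turns on which trust store the server-side code really uses: the question checked the JRE certificate store, while the answers point at the WAS trust store. The following diagnostic is an added example, not code from the thread or from IBM; it lists the trust anchors the running JVM hands out by default and looks for the root named in the error message. The class name `EffectiveTrustAnchors` and helper `countMatchingAnchors` are hypothetical, and it assumes the plugin's HttpClient relies on the JVM default trust managers rather than a custom `SSLContext`.

```java
import java.security.KeyStore;
import java.security.cert.X509Certificate;
import javax.net.ssl.TrustManager;
import javax.net.ssl.TrustManagerFactory;
import javax.net.ssl.X509TrustManager;

/** Added diagnostic (hypothetical name): shows the JVM's effective default trust anchors. */
public class EffectiveTrustAnchors {

    /** Counts default trust anchors whose subject DN contains the given text (case-insensitive). */
    static int countMatchingAnchors(String subjectFragment) throws Exception {
        TrustManagerFactory tmf =
                TrustManagerFactory.getInstance(TrustManagerFactory.getDefaultAlgorithm());
        tmf.init((KeyStore) null); // null = the trust store this JVM is configured to use
        String needle = subjectFragment.toLowerCase();
        int matches = 0;
        for (TrustManager tm : tmf.getTrustManagers()) {
            if (!(tm instanceof X509TrustManager)) {
                continue;
            }
            for (X509Certificate ca : ((X509TrustManager) tm).getAcceptedIssuers()) {
                String subject = ca.getSubjectX500Principal().getName();
                if (subject.toLowerCase().contains(needle)) {
                    matches++;
                    System.out.printf("anchor: %s (serial %s, expires %s)%n",
                            subject, ca.getSerialNumber().toString(16), ca.getNotAfter());
                }
            }
        }
        return matches;
    }

    public static void main(String[] args) throws Exception {
        // Default is the root named in the error message on this page; override with args[0].
        String wanted = args.length > 0 ? args[0] : "DigiCert Global Root CA";
        System.out.println("javax.net.ssl.trustStore = "
                + System.getProperty("javax.net.ssl.trustStore", "(unset, JVM default)"));
        int n = countMatchingAnchors(wanted);
        System.out.println(n == 0
                ? "No default trust anchor matches \"" + wanted + "\""
                : n + " matching trust anchor(s) found");
    }
}
```

Calling `countMatchingAnchors` from inside the plugin and from a stand-alone `java` run of the same JRE shows whether the two environments see the same trust anchors.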
