Certificate error when contacting 3rd party server from within RTC server side plugin
Hello,
we are currently running RTC 6.0.6.1 with WAS (no Liberty) and we are developing quite a number of plugins.
The current plugin that we are working on is a REST service running on the RTC server which itself is contacting another server over https using the apache HttpClient library. The problem is that the connection cannot be established due to certificate issues.
The error we get is:
Error 400: com.ibm.jsse2.util.h: PKIX path building failed: java.security.cert.CertPathBuilderException: PKIXCertPathBuilderImpl could not build a valid CertPath.; internal cause is:
java.security.cert.CertPathValidatorException: The certificate issued by CN=DigiCert Global Root CA, OU=www.digicert.com, O=DigiCert Inc, C=US is not trusted; internal cause is:
java.security.cert.CertPathValidatorException: Certificate chaining error
I have the feeling (but cannot verify it) that the plugin was working when we had 6.0.6 installed and that after the update to 6.0.6.1 it is no longer working.
I also checked the certificate store of the IBM JDK/JRE and the certificate seems to be in there.
Now I am out of ideas and therefore I am contacting the forum.
Do you have any more ideas about what the reason could be?
3 answers
Most likely you need to import the entire DigiCert chain into your WAS trust keystore. With WAS you have three separate keystores: a root keystore (where root certs are stored), a trust keystore (where trusted certs of external locations are kept), and a default keystore (where the WAS cert is stored and used to present to the external connection). Make sure you import the entire chain.
This is because the WebSphere server doesn't trust the external service.
You need to add the CA certificate chain for the remote server into the WebSphere server NodeDefaultTrustStore in the SSL settings for WAS.
Check the info in this Jazz article: https://jazz.net/library/article/606
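Before importing anything, it helps to reproduce the failure outside the server so you can see which certificate is actually missing. The following Java program is an added example, not code from the original post or from RTC/WAS; it assumes an exported copy of the NodeDefaultTrustStore (PKCS12, password "WebAS" is the WAS default, adjust to yours) and a PEM file holding the chain the remote server presents, leaf certificate first, and runs the same PKIX validation the IBM JSSE does.

```java
import java.io.FileInputStream;
import java.io.InputStream;
import java.security.KeyStore;
import java.security.cert.*;
import java.util.*;

// Added diagnostic, not RTC/WAS code. Runs the same PKIX path validation that
// produced the "PKIX path building failed" error, against a copy of the trust
// store, and reports which certificate the store is missing.
public class TrustChainCheck {
    public static void main(String[] args) throws Exception {
        // Assumed inputs: an exported NodeDefaultTrustStore (PKCS12) and its
        // password, plus a PEM file with the chain the remote server presents,
        // leaf certificate first. File names and password are placeholders.
        String storePath = args.length > 0 ? args[0] : "NodeDefaultTrustStore.p12";
        char[] storePass = (args.length > 1 ? args[1] : "WebAS").toCharArray();
        String chainPem = args.length > 2 ? args[2] : "remote-chain.pem";
        KeyStore ts = KeyStore.getInstance("PKCS12");
        try (InputStream in = new FileInputStream(storePath)) {
            ts.load(in, storePass);
        }
        CertificateFactory cf = CertificateFactory.getInstance("X.509");
        List<X509Certificate> chain = new ArrayList<>();
        try (InputStream in = new FileInputStream(chainPem)) {
            for (Certificate c : cf.generateCertificates(in)) chain.add((X509Certificate) c);
        }
        PKIXParameters params = new PKIXParameters(ts); // anchors = trusted entries in store
        params.setRevocationEnabled(false);             // trust question only, no CRL/OCSP
        try {
            CertPathValidator.getInstance("PKIX").validate(cf.generateCertPath(chain), params);
            System.out.println("OK: chain anchors in " + storePath);
        } catch (CertPathValidatorException e) {
            X509Certificate top = chain.get(chain.size() - 1);
            System.out.println("NOT TRUSTED: " + e.getMessage());
            System.out.println("Top of the received chain was issued by: "
                + top.getIssuerX500Principal().getName());
            // If that issuer is already a trusted entry, the root is likely not the
            // problem: the server sends a short chain and an intermediate is missing.
            for (String alias : Collections.list(ts.aliases())) {
                Certificate tc = ts.getCertificate(alias);
                if (tc instanceof X509Certificate && ((X509Certificate) tc)
                        .getSubjectX500Principal().equals(top.getIssuerX500Principal())) {
                    System.out.println("  ...already present as alias '" + alias
                        + "'; import the intermediate(s) too");
                }
            }
        }
    }
}
```

Run it with the trust store path, password and chain file as arguments; the OK/NOT TRUSTED verdict tells you whether the import fixed the chain before you restart the server.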
Comments
Geoffrey Clemm
FORUM ADMINISTRATOR / FORUM MODERATOR / JAZZ DEVELOPER Aug 01 '19, 9:47 a.m.
Is the server being called one of the ELM applications, or some other kind of server?
Marko Tomljenovic
Aug 01 '19, 11:09 a.m.