11 replies Latest Post - 2014-02-14T14:53:38Z by Deepanyuvraj
SystemAdmin
2262 Posts
ACCEPTED ANSWER

WESB - Certificate chaining error - Outbound webservice call

2010-09-07T14:36:57Z
Hello,

I'm trying to call a webservice over https using the Service Invoke component from a mediation in Websphere ESB 6.2.

I get this error when the call is initiated:

CWPKI0022E: SSL HANDSHAKE FAILURE: A signer with SubjectDN "CN=*.totalrewards-exchange.com, OU=Secure Link SSL Wildcard, OU=Information Technology, O="Harrah's License Company, LLC", STREET=One Harrah's Court, L=Las Vegas, ST=NV, POSTALCODE=89119, C=US" was sent from target host:port "wsdev.totalrewards-exchange.com:4434". The signer may need to be added to local trust store "F:/IBM/WID62/pf/esb/config/cells/esbCell/nodes/esbNode/trust.p12" located in SSL configuration alias "NodeDefaultSSLSettings" loaded from SSL configuration file "security.xml". The extended error message from the SSL handshake exception is: "Certificate chaining error".

I followed the WESB documentation to automatically import the destination certificate into the trust store ("Obtaining signer certificate from a remote port"): http://www.ibm.com/developerworks/websphere/techjournal/0612_birk/0612_birk.html

Do you know how I can debug this error, since I'm using the "Obtaining signer certificate from a remote port" feature from the WESB console?

Thanks a lot!
Updated on 2010-09-15T14:35:27Z by SystemAdmin
  • SystemAdmin
    2262 Posts

    Re: WESB - Certificate chaining error - Outbound webservice call

    2010-09-07T15:05:06Z in response to SystemAdmin
    I'm no Websphere expert, but I'll try. From the certificate details, it looks like the issuer of the certificate is 'Harrah's license company'. I'm unaware if this is an actual CA (certificate authority), but this is not a CA that is shipped with IBM JDK (whose root CA keystore WAS uses for verifying certificates).
    Certificates are verified against the common root CAs stored in the system keystore (<JDK root>/jre/lib/security/cacerts), and usually we ship the popular ones (Verisign/Thawte/Entrust etc). If the certificate you use was signed by a different root CA, i.e. one that is not present in the keystore, then the JDK has no way of verifying it.

    This is why you'll have to manually add the signer certificate with the subject DN mentioned to the local trust store, so that WAS can correctly validate your server's certificate.
    • SystemAdmin
      2262 Posts

      Re: WESB - Certificate chaining error - Outbound webservice call

      2010-09-07T15:40:11Z in response to SystemAdmin
      Thanks a lot for this quick response.

      Ok, I understand now. So here are my next questions:

      • I'm going to ask the Web Service provider for "the signer certificate with the subject DN". But what kind of file is it? (.cert file?)

      • How do I insert this certificate into the system keystore (<JDK root>/jre/lib/security/cacerts)? I heard about Ikeyman. Are there any tutorials on Ikeyman and WAS?

      Thanks again.
      • SystemAdmin
        2262 Posts

        Re: WESB - Certificate chaining error - Outbound webservice call

        2010-09-07T15:57:01Z in response to SystemAdmin
        The certificate might be given in plain text, or as a binary coded certificate (.der/.cer/.arm), or as a PKCS12 file (.pfx/.p12). If it's a text file, you can save the file with a .der extension too.

        Ikeyman documentation is here, as a PDF.

        If you are given a PKCS12 file
        (If not, skip ahead to the next section, since you already have the certificate in a format that can be directly added.)
        A PKCS12 is a type of keystore, not the actual certificate itself.
        So if you are given a PKCS12 file, you will have to directly open the file first with Ikeyman. Use the password originally used for the keystore when prompted.
        Once you have opened the keystore, select 'Signer certificates' from the dropdown under 'Key database content', choose the signer certificate and export it as a .cer/.der file.

        If you're given a .cer/.der/plain text file
        Open the system keystore. The default password when prompted is changeit.
        From the dropdown under 'Key database content', again select 'Signer certificates'. Then use the 'Add' button on the right to import the new certificate, and give it an appropriate alias.

        Close the keystore (changes get saved automatically) and then it should work.
  • saurabhsule82
    12 Posts

    Re: WESB - Certificate chaining error - Outbound webservice call

    2010-09-08T03:12:16Z in response to SystemAdmin
    Alternatively, you can even use the 'keytool' command provided by the JRE.

    Here is the link: http://www.ibm.com/developerworks/java/jdk/security/142/secguides/keytoolDocs/KeyToolUserGuide-142.html

    This is the link for IBM's keytool. Sun also provides a similar tool. Since you are on WESB, I assume you would be using the IBM JRE and can use keytool as explained in the link.

    The basic command to import a certificate is:

    keytool -import -keystore <your trusted store> -alias <anything goes here> -file <signer's certificate>.cer
    • SystemAdmin
      2262 Posts

      Re: WESB - Certificate chaining error - Outbound webservice call

      2010-09-08T14:36:53Z in response to saurabhsule82
      Hello,
      I tried with 'keytool'; I've imported all the signer's certificates (from Network Solutions). It looks like:

      AddTrustExternalCARoot.crt (*this one was already in the cacerts keystore*)
      Network_Solutions_Intermediate.crt
      netsolevroot.crt
      NetworkSolutionsEVSSLCA.crt
      NetworkSolutionsUTNServerCA.crt
      UTNAddTrustServer_CA.crt
      totalrewards-exchange.pem (the targeted webservice certificate exported from firefox)

      I did it for both trusted stores:
      F:\IBM\WID62\runtimes\bi_v62\java\jre\lib\security\cacerts
      F:\IBM\WID62\jdk\jre\lib\security\cacerts

      But I still get the same exception at runtime:

      WSX509TrustMa E CWPKI0022E: SSL HANDSHAKE FAILURE: A signer with SubjectDN "CN=*.totalrewards-exchange.com, OU=Secure Link SSL Wildcard, OU=Information Technology, O="Harrah's License Company, LLC", STREET=One Harrah's Court, L=Las Vegas, ST=NV, POSTALCODE=89119, C=US" was sent from target host:port "wsdev.totalrewards-exchange.com:4434". The signer may need to be added to local trust store "F:/IBM/WID62/pf/esb/config/cells/esbCell/nodes/esbNode/trust.p12" located in SSL configuration alias "NodeDefaultSSLSettings" loaded from SSL configuration file "security.xml". The extended error message from the SSL handshake exception is: "Certificate chaining error".
  • saurabhsule82
    12 Posts

    Re: WESB - Certificate chaining error - Outbound webservice call

    2010-09-09T03:29:04Z in response to SystemAdmin
    Can you try adding the totalrewards-exchange.pem certificate in F:/IBM/WID62/pf/esb/config/cells/esbCell/nodes/esbNode/trust.p12 ?
    • SystemAdmin
      2262 Posts

      Re: WESB - Certificate chaining error - Outbound webservice call

      2010-09-09T20:18:22Z in response to saurabhsule82
      When I list the content of trust.p12, I already see the totalrewards-exchange.pem certificate. So I guess the "Retrieve from port" import from the web admin console worked (SSL certificate and key management > Key stores and certificates > NodeDefaultTrustStore > Signer certificates > Retrieve from port)

      This is how I've displayed the content of trust.p12
      keytool -list -keystore F:\IBM\WID62\pf\esb\config\cells\esbCell\nodes\esbNode\trust.p12 -storepass WebAS -storetype PKCS12 -v

      Here are the properties of my service invoke in the mediation: (it's web service binding)

      Transport: SOAP1.1/HTTP Using JAX-RPC
      Address: *https://wsdev.totalrewards-exchange.com:4434*/TREXWebService/services
      Port: HARRAHS_SOAPPort
      Service: HARRAHS_SOAPService
      Namespace: http://soap.harrahs.com

      Do you think the error could come from the certificates themselves (what could be wrong in the certificate chain)?
      Thanks,
      • saurabhsule82
        12 Posts

        Re: WESB - Certificate chaining error - Outbound webservice call

        2010-09-10T03:20:29Z in response to SystemAdmin
        Check if this helps:

        http://www-01.ibm.com/support/docview.wss?uid=swg21237861
        • saurabhsule82
          12 Posts

          Re: WESB - Certificate chaining error - Outbound webservice call

          2010-09-10T03:35:15Z in response to saurabhsule82
          One more thing, check your totalrewards-exchange.pem certificate.

          Does it have a certificate chain in it?

          For example, it might look like (just an example)

          • Verisign Class 3 CA
          - Verisign Inc.
          - Totalrewards-exchange.com

          If it is so then you will have to import all the individual certificates using the same method.

          i.e. you will have to import totalrewards-exchange.pem, verisign.pem, verisign3.pem, and so on and so forth.
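The steps spread over the keytool replies above (import each member of the chain, then list the store to confirm), as an added example that is not code from the thread or from IBM. It is written for the trust store that the CWPKI0022E message actually names, the profile's trust.p12, rather than the JDK cacerts files; a "Certificate chaining error" means the signer the server sent could not be linked to a trusted root, so every certificate in the exported bundle has to end up in that store. Assumptions: a POSIX sh with awk; keytool from the IBM JRE on PATH; the store type PKCS12 and the password WebAS are the values quoted in this thread and must be replaced with your own; the bundle written in the demonstration section is a constructed placeholder with no real certificate data, used only to show the splitting step.

```shell
#!/bin/sh
# Added example, not from the thread: import every member of a certificate
# chain into a WebSphere PKCS12 trust store and confirm the result.
#
# Assumptions (not from the thread): keytool from the IBM JRE is on PATH;
# store path and password are supplied by the caller. The demonstration
# bundle at the bottom is a constructed placeholder, not a real certificate.

# split_pem_bundle BUNDLE OUTDIR
# Copies each "-----BEGIN CERTIFICATE-----" ... "-----END CERTIFICATE-----"
# block from BUNDLE into OUTDIR/cert-N.pem, ignoring any text between blocks
# (for example "Bag Attributes" lines some exporters add). Prints the count.
split_pem_bundle() {
    bundle="$1"
    outdir="$2"
    mkdir -p "$outdir"
    awk -v dir="$outdir" '
        /-----BEGIN CERTIFICATE-----/ { n++; out = dir "/cert-" n ".pem"; inside = 1 }
        inside                        { print > out }
        /-----END CERTIFICATE-----/   { inside = 0; close(out) }
        END                           { print n + 0 }
    ' "$bundle"
}

# import_chain BUNDLE STORE STOREPASS
# Splits BUNDLE and imports each piece as a trusted signer into the PKCS12
# STORE, skipping aliases already present. Returns non-zero if an import fails.
import_chain() {
    bundle="$1"
    store="$2"
    pass="$3"
    workdir=$(mktemp -d)
    count=$(split_pem_bundle "$bundle" "$workdir")
    echo "importing $count certificate(s) from $bundle into $store"
    for cert in "$workdir"/cert-*.pem; do
        alias="$(basename "$bundle" .pem)-$(basename "$cert" .pem)"
        # keytool -list -alias exits non-zero when the alias is absent
        if keytool -list -keystore "$store" -storetype PKCS12 \
                -storepass "$pass" -alias "$alias" >/dev/null 2>&1; then
            echo "alias $alias already present, skipping"
            continue
        fi
        keytool -import -noprompt -trustcacerts \
            -keystore "$store" -storetype PKCS12 -storepass "$pass" \
            -alias "$alias" -file "$cert" || return 1
    done
}

# list_signers STORE STOREPASS
# Shows the trusted entries so each chain member can be checked by eye.
list_signers() {
    keytool -list -keystore "$1" -storetype PKCS12 -storepass "$2" \
        | grep -i 'trustedCertEntry'
}

# --- Usage against a real store (paths and password below are the ones
#     quoted in the thread; substitute your own):
#   import_chain totalrewards-exchange.pem \
#       "F:/IBM/WID62/pf/esb/config/cells/esbCell/nodes/esbNode/trust.p12" WebAS
#   list_signers "F:/IBM/WID62/pf/esb/config/cells/esbCell/nodes/esbNode/trust.p12" WebAS

# --- Offline demonstration of the splitting step on a constructed bundle
#     (placeholder bodies, not real certificates; keytool is not invoked here).
demo_dir=$(mktemp -d)
cat > "$demo_dir/bundle.pem" <<'EOF'
Bag Attributes: placeholder line of the kind an exporter might add
-----BEGIN CERTIFICATE-----
PLACEHOLDER-LEAF-CERTIFICATE-BODY
-----END CERTIFICATE-----
-----BEGIN CERTIFICATE-----
PLACEHOLDER-INTERMEDIATE-CA-CERTIFICATE-BODY
-----END CERTIFICATE-----
EOF
demo_count=$(split_pem_bundle "$demo_dir/bundle.pem" "$demo_dir/split")
echo "demo bundle holds $demo_count certificate(s); each one must be trusted"
```

If the count printed for your real bundle is 1, the exporter gave you only the leaf certificate; the intermediate and root certificates then have to be obtained separately (as the Network Solutions .crt files in this thread were) and imported the same way, and listing the store afterwards is the check that nothing was missed.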
          • SystemAdmin
            2262 Posts

            Re: WESB - Certificate chaining error - Outbound webservice call

            2010-09-15T14:35:27Z in response to saurabhsule82
            Hi, I finally figured out a solution. I tried with WESB 7.0 instead of 6.2, and it works! Simply by using the "import certificate from signer" feature from the admin console to the trustStore. So I guess it was related to the 6.2 version...

            Thanks a lot for your help.
            • Deepanyuvraj
              1 Post

              Re: WESB - Certificate chaining error - Outbound webservice call

              2014-02-14T14:53:38Z in response to SystemAdmin

              Can you explain to me what you did exactly to solve the problem? I get exactly the same error in WebSphere 7.0.