SystemAdmin

Connection Error: certificate not trusted

2012-11-27T16:16:33Z
Hi all,

I am trying to use DataPower to connect to an external web service. I am using:

SOAPUI (http) ---> DP (https)--> web services

I have configured the proxy to use the pubcert (web service does not accept self-signed), but I am getting a certificate not trusted error. I can connect directly to the web service with SOAPUI, but when using DP, I get these errors.
  • swlinn

    Re: Connection Error: certificate not trusted

    2012-11-27T17:00:05Z in response to SystemAdmin
    If you enable debug logging, you should see a log record with the subjectDn that is not trusted. You should get that certificate from the backend server and ensure that the issuer certificate of the backend cert is in the CA list of your valcred.

    Regards,
    Steve
    • SystemAdmin

      Re: Connection Error: certificate not trusted

      2012-11-27T18:53:07Z in response to swlinn
      Hi Steve,

      Thanks for the suggestion. I have enabled debug mode, and it shows the certificate credentials as below:

      13:42:16 crypto warn 351669 192.168.0.204 0x8060010a valcred (pubcert): certificate validation failed for '/C=US/ST=New York/L=East Greenbush/O=Autotask Corporation/CN=*.autotask.net' against 'pubcert': certificate not trusted

      My confusion is that when I use SoapUI, I get Certs from CN=thawte Primary Root, with the correct response.

      When I check the pubcert, I do find this cert listed, so what am I missing?
      • SystemAdmin

        Re: Connection Error: certificate not trusted

        2012-11-27T19:07:39Z in response to SystemAdmin
        > Uugh wrote:
        > Hi Steve,
        >
        > Thanks for the suggestion. I have enabled debug mode, and it shows the certificate credentials as below:
        >
        > 13:42:16 crypto warn 351669 192.168.0.204 0x8060010a valcred (pubcert): certificate validation failed for '/C=US/ST=New York/L=East Greenbush/O=Autotask Corporation/CN=*.autotask.net' against 'pubcert': certificate not trusted
        >
        > My confusion is that when I use SoapUI, I get Certs from CN=thawte Primary Root, with the correct response.
        >
        > When I check the pubcert, I do find this cert listed, so what am I missing?

        Did you check whether the same pub cert is listed in the valcred or not?

        Is there any F5 in between?

        HTTP --> F5 --> DP (HTTPS) --> BACKEND
        • SystemAdmin

          Re: Connection Error: certificate not trusted

          2012-11-27T20:03:56Z in response to SystemAdmin
          Hi Kumar,

          Interestingly, SoapUI has 2 certs (cn=Thawte SSL, cn="thawte Primary Root CA") but neither of them appears in the pubcert list. Is there an update which would have these? I would assume that these are standard.

          Is there a way I can "grab" these certs out of SoapUI, and import them into DP?

          In regards to the other question about F5, I am not sure what this is, can you provide an explanation as to what you are asking about?
          • SystemAdmin

            Re: Connection Error: certificate not trusted

            2012-11-27T20:19:00Z in response to SystemAdmin
            > Uugh wrote:
            > Hi Kumar,
            >
            > Interestingly, SoapUI has 2 certs (cn=Thawte SSL, cn="thawte Primary Root CA") but neither of them appear in the pubcert list. Is there an update which would have these? I would assume that these are standard.

            The firmware upgrade can sometimes add extra certs but will not remove or overwrite any of the existing certs. The certs not being available in pubcert:/// and thereby not available in the valcred object is the reason for your error, certificate not trusted.

            > Is there a way I can "grab" these certs out of SoapUI, and import them into DP?
            I am not sure whether you can import the cert from SoapUI. Did you try to test the same service with the curl command?
            Can you hit the web services URL from a browser? If yes, then you can download it from IE.

            > In regards to the other question about F5, I am not sure what this is, can you provide an explanation as to what you are asking about?

            The reason I asked about F5 is that the HTTPS FSH of the WSP will be the pool member in F5, which will allow the /url from to different appliances. If the F5 is not SSL compliant you may see the error. But the certificate trust error has nothing to do with F5 for sure.
            • SystemAdmin

              Re: Connection Error: certificate not trusted

              2012-11-27T21:35:43Z in response to SystemAdmin
              Thanks Kumar,

              I was able to use Firefox to export the cert into *.pem format, and the SSL connection works.
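
The trust check discussed in this thread, reproduced offline as an added example (not part of the original posts): a constructed root CA, issuing CA and wildcard server certificate are verified with `openssl verify` against a trust list that lacks the issuer's CA and against one that contains it. All certificate names and file names are made up; the trust file stands in for the CA list of the valcred.

```shell
#!/usr/bin/env bash
# Constructed PKI (all names are made up): root CA -> issuing CA -> wildcard
# server cert, the same shape as the chain discussed in the thread.
set -u
WORK=$(mktemp -d)
CA_EXT="$WORK/ca.ext"
printf 'basicConstraints=critical,CA:TRUE\nkeyUsage=critical,keyCertSign\n' > "$CA_EXT"

# new_csr <name> <CN>: create <name>.key and <name>.csr in $WORK
new_csr() {
  openssl req -new -newkey rsa:2048 -nodes -subj "/CN=$2" \
    -keyout "$WORK/$1.key" -out "$WORK/$1.csr" 2>/dev/null
}

build_chain() {
  new_csr root  "Constructed Root CA"
  new_csr other "Unrelated Root CA"
  new_csr int   "Constructed Issuing CA"
  new_csr leaf  "*.backend.example"
  for ca in root other; do   # two self-signed roots
    openssl x509 -req -in "$WORK/$ca.csr" -signkey "$WORK/$ca.key" \
      -extfile "$CA_EXT" -days 2 -out "$WORK/$ca.pem" 2>/dev/null
  done
  openssl x509 -req -in "$WORK/int.csr" -CA "$WORK/root.pem" -CAkey "$WORK/root.key" \
    -CAcreateserial -extfile "$CA_EXT" -days 2 -out "$WORK/int.pem" 2>/dev/null
  openssl x509 -req -in "$WORK/leaf.csr" -CA "$WORK/int.pem" -CAkey "$WORK/int.key" \
    -CAcreateserial -days 2 -out "$WORK/leaf.pem" 2>/dev/null
}

# leaf_issuer: the DN whose certificate must be present in the trust list
leaf_issuer() { openssl x509 -in "$WORK/leaf.pem" -noout -issuer; }

# verify_with <trusted.pem>: trust comes only from the given file; the issuing
# CA is passed as -untrusted, i.e. as chain material the server would send.
verify_with() {
  openssl verify -no-CApath -CAfile "$1" -untrusted "$WORK/int.pem" \
    "$WORK/leaf.pem" >/dev/null 2>&1
}

build_chain
leaf_issuer
verify_with "$WORK/other.pem" && echo "unrelated root: trusted" || echo "unrelated root: NOT trusted"
verify_with "$WORK/root.pem"  && echo "issuer's root:  trusted" || echo "issuer's root:  NOT trusted"
```

Against a live backend, `openssl s_client -connect <host>:443 -showcerts` prints the certificates the server sends, and the same `-subject`/`-issuer` inspection shows which CA certificates the trust list needs.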