Certificate chaining error in Websphere
2

7

I am trying to consume a RESTful service from url https://someurl.com. I have added the following properties in my code:

 // ssl.*.provider are java.security properties, so Security.setProperty() is the right call here
 Security.setProperty("ssl.SocketFactory.provider", "com.ibm.jsse2.SSLSocketFactoryImpl");
 Security.setProperty("ssl.ServerSocketFactory.provider", "com.ibm.jsse2.SSLServerSocketFactoryImpl");
 // javax.net.ssl.* are read by JSSE as *system* properties; setting them via
 // Security.setProperty() has no effect, so they must go through System.setProperty()
 System.setProperty("javax.net.ssl.trustStore", "cacerts.jks");
 System.setProperty("javax.net.ssl.keyStore", "keystore.jks");
 System.setProperty("javax.net.ssl.keyStoreType", "pkcs12");
 System.setProperty("javax.net.ssl.trustStoreType", "JKS");

The configuration changes that I have done so far are:

  1. set com.ibm.websphere.ssl.retrieveLeafCert to true
  2. retrieved the certificate using the URL someurl and port 443, and added it to the truststore.
  3. restarted the server

But I am getting the following exception:

java.security.cert.CertPathValidatorException: Certificate chaining error
javax.net.ssl.SSLHandshakeException: com.ibm.jsse2.util.h: PKIX path building failed: java.security.cert.CertPathBuilderException: PKIXCertPathBuilderImpl could not build a valid CertPath.; internal cause is:
  java.security.cert.CertPathValidatorException: The certificate issued by CN=Walmart Root CA, O=Wal-Mart Stores Inc is not trusted; internal cause is:
  java.security.cert.CertPathValidatorException: Certificate chaining error
  at com.ibm.jsse2.o.a(o.java:22)
  at com.ibm.jsse2.SSLSocketImpl.a(SSLSocketImpl.java:423)
  at com.ibm.jsse2.kb.a(kb.java:192)
  at com.ibm.jsse2.kb.a(kb.java:176)
  at com.ibm.jsse2.lb.a(lb.java:53)
  at com.ibm.jsse2.lb.a(lb.java:464)
  at com.ibm.jsse2.kb.s(kb.java:545)
  at com.ibm.jsse2.kb.a(kb.java:530)
  at com.ibm.jsse2.SSLSocketImpl.a(SSLSocketImpl.java:79)
  at com.ibm.jsse2.SSLSocketImpl.h(SSLSocketImpl.java:437)
  at com.ibm.jsse2.SSLSocketImpl.a(SSLSocketImpl.java:142)
  at com.ibm.jsse2.SSLSocketImpl.startHandshake(SSLSocketImpl.java:686)
  at com.ibm.net.ssl.www2.protocol.https.c.afterConnect(c.java:98)
  at com.ibm.net.ssl.www2.protocol.https.d.connect(d.java:13)
  at com.ibm.net.ssl.www2.protocol.https.b.connect(b.java:6)
  at com.dwl.tcrm.tester.RESTClient_2.main(RESTClient_2.java:76)
Conquest answered 30/12, 2014 at 7:18 Comment(0)
22

I'm assuming you have a web application, which is trying to access that restful service.

First, you should not set your stores via javax.net.ssl.* properties, but use the SSL configurations provided in WebSphere. So comment out all these setProperty() calls. Second, you have to add your service server's certificate to the trust store.

Login to web admin console:

  • Go to Security > SSL certificate and key management > Key stores and certificates > NodeDefaultTrustStore > Signer certificates
  • Click the Retrieve from port button, and specify the hostname, port 443, and an Alias.
  • Click the Retrieve signer information button.
  • Verify that the correct certificate (the parent) is imported.
  • Save, and restart.

In some versions, the child certificate was imported (not the root); in that case, you will have to manually download the root and intermediate certificates (e.g. via a browser) and import them into the NodeDefaultTrustStore, but this time using the Add button, not Retrieve.

Ahlgren answered 30/12, 2014 at 12:32 Comment(5)
As I mentioned in my post, I have already added the certificate to the trust store. But it made no difference. Also, I tried to hit the service through a standalone REST client and it is giving the same error. Conquest
@AyanBiswas But you are adding it to the (javax.net.ssl.trustStore, "cacerts.jks"), probably not to the NodeDefaultTrustStore. Did you remove these setProperty calls? As they are pointing to different stores than those used by WebSphere. And you shouldn't set the com.ibm.websphere.ssl.retrieveLeafCert property to true, as the whole idea of chained certs is to use the root cert instead of the leaf. Ahlgren
I think this answer should be accepted; it did solve the issue for me. Vergne
Hi all, we faced a similar issue, installed the certificate and it got resolved. But we don't understand how the problem came up in the first place. We have been running our application for the past 3-4 years and are seeing this issue for the very first time now. Any information is appreciated. Huldahuldah
I can only speculate that after 4 years someone changed the cert on the target service you are trying to call (e.g. it expired) and you needed to import the new one. Ahlgren
3

This means your certificate is not added in cacerts. Try to execute this command, which lists the certificates in cacerts:

    keytool -list -v -keystore your_path_to_cacerts

Check by matching the serial number of your certificate. If it is not there, then please follow the steps given below.

To export the intermediate certificate: Internet Explorer -> Tools -> Internet Options -> Content -> Certificates. To view the certificate path: Select Certificate -> View -> Certification Path. To export the certificate: Select Certificate -> Export -> DER encoded Binary Format -> Save. (From Firefox: Tools -> Options -> Advanced -> Encryption -> View Certificates.) (Given here - http://www-01.ibm.com/support/docview.wss?uid=swg21592616.) After this, add the exported certificate with the command below:

    keytool -import -trustcacerts -keystore <path to cacerts> -alias <alias> -file <certificate exported in the previous step>

My issue was the same and I was able to resolve it by following these steps.

Altaf answered 17/2, 2017 at 9:29 Comment(0)
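Both answers above come down to the same check: does the chain presented by the server lead, issuer by issuer, to a signer certificate that is actually in the trust store, rather than the leaf being the only thing imported? As an added example (my own code, not from the question or either answer, and not part of WebSphere), the following JDK-only program performs that walk outside the application server: it loads the certificates exported from the browser (DER or PEM, as described in the second answer), opens the JKS or PKCS12 trust store, and reports the issuer DN for which no trusted signer exists, which is exactly the name that appears in the "The certificate issued by ... is not trusted" line of the stack trace. The class name ChainCheck, the command-line argument layout and the file paths are assumptions.

```java
import java.io.FileInputStream;
import java.io.InputStream;
import java.security.KeyStore;
import java.security.cert.Certificate;
import java.security.cert.CertificateFactory;
import java.security.cert.X509Certificate;
import java.util.ArrayList;
import java.util.Enumeration;
import java.util.List;

// Usage (assumed layout): java ChainCheck <exported-chain.pem|.der> <truststore> <JKS|PKCS12> <password>
public class ChainCheck {

    // Reads every X.509 certificate from a DER or PEM file: a single browser export,
    // or a PEM file holding the whole chain the server presents.
    static List<X509Certificate> loadCerts(String path) throws Exception {
        CertificateFactory cf = CertificateFactory.getInstance("X.509");
        List<X509Certificate> certs = new ArrayList<X509Certificate>();
        try (InputStream in = new FileInputStream(path)) {
            for (Certificate c : cf.generateCertificates(in)) {
                certs.add((X509Certificate) c);
            }
        }
        return certs;
    }

    // Collects the trusted-certificate (signer) entries of a JKS or PKCS12 store.
    static List<X509Certificate> loadTrusted(String path, String type, char[] pw) throws Exception {
        KeyStore ks = KeyStore.getInstance(type);
        try (InputStream in = new FileInputStream(path)) {
            ks.load(in, pw);
        }
        List<X509Certificate> trusted = new ArrayList<X509Certificate>();
        for (Enumeration<String> e = ks.aliases(); e.hasMoreElements();) {
            String alias = e.nextElement();
            if (ks.isCertificateEntry(alias)) {
                trusted.add((X509Certificate) ks.getCertificate(alias));
            }
        }
        return trusted;
    }

    // Returns the candidate that really signed 'cert': the issuer DN must match the
    // candidate's subject AND the signature must verify under the candidate's key.
    static X509Certificate findIssuer(X509Certificate cert, List<X509Certificate> candidates) {
        for (X509Certificate cand : candidates) {
            if (!cand.getSubjectX500Principal().equals(cert.getIssuerX500Principal())) {
                continue;
            }
            try {
                cert.verify(cand.getPublicKey());
                return cand;
            } catch (Exception wrongKey) {
                // Same DN but a different key (e.g. a re-keyed CA): not the real issuer.
            }
        }
        return null;
    }

    // The leaf is the one certificate in the export that issued none of the others.
    static X509Certificate findLeaf(List<X509Certificate> chain) {
        for (X509Certificate c : chain) {
            boolean issuedAnother = false;
            for (X509Certificate other : chain) {
                if (other != c && other.getIssuerX500Principal().equals(c.getSubjectX500Principal())) {
                    issuedAnother = true;
                }
            }
            if (!issuedAnother) {
                return c;
            }
        }
        return chain.get(0);
    }

    // Walks from the leaf towards the root. Returns null once a link is signed by a
    // trusted entry (or the link is a self-signed root that is itself trusted);
    // otherwise returns the DN of the issuer that is neither in the export nor in the
    // store, i.e. the CA certificate that still has to be imported as a signer.
    static String missingIssuer(List<X509Certificate> chain, List<X509Certificate> trusted) {
        X509Certificate current = findLeaf(chain);
        for (int depth = 0; depth <= chain.size(); depth++) {
            if (findIssuer(current, trusted) != null) {
                return null;
            }
            X509Certificate next = findIssuer(current, chain);
            if (next == null || next == current) {
                return current.getIssuerX500Principal().getName();
            }
            current = next;
        }
        return current.getIssuerX500Principal().getName();
    }

    public static void main(String[] args) throws Exception {
        List<X509Certificate> chain = loadCerts(args[0]);
        List<X509Certificate> trusted = loadTrusted(args[1], args[2], args[3].toCharArray());
        String missing = missingIssuer(chain, trusted);
        if (missing == null) {
            System.out.println("Chain reaches a trusted signer; no chaining error expected.");
        } else {
            System.out.println("Chaining error: no trusted signer for issuer " + missing);
            if (trusted.contains(findLeaf(chain))) {
                System.out.println("Note: the leaf itself is a trusted entry, but that gives no path to a root.");
            }
        }
    }
}
```

Matching the issuer by signature rather than by DN alone matters for the "it worked for years and then stopped" case in the comments: a CA that re-keys under the same name produces certificates whose issuer DN still matches the old signer entry, yet the signature no longer verifies, and the walk reports the new CA as missing.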
