Websphere certificate binding error
I am trying to use a RESTful service at the URL https://someurl.com . I added the following properties in my code:
Security.setProperty("ssl.SocketFactory.provider", "com.ibm.jsse2.SSLSocketFactoryImpl");
Security.setProperty("ssl.ServerSocketFactory.provider", "com.ibm.jsse2.SSLServerSocketFactoryImpl");
Security.setProperty("javax.net.ssl.trustStore", "cacerts.jks");
Security.setProperty("javax.net.ssl.keyStore", "keystore.jks");
Security.setProperty("javax.net.ssl.keyStoreType", "pkcs12");
Security.setProperty("javax.net.ssl.trustStoreType", "JKS");
The configuration changes I've made so far:
- set com.ibm.websphere.ssl.retrieveLeafCert to true
- extracted the certificate using the URL someurl and port 443 and added it to the trust store
- restarted the server
But I am getting the following exception:
java.security.cert.CertPathValidatorException: Certificate chaining error
javax.net.ssl.SSLHandshakeException: com.ibm.jsse2.util.h: PKIX path building failed: java.security.cert.CertPathBuilderException: PKIXCertPathBuilderImpl could not build a valid CertPath.; internal cause is:
java.security.cert.CertPathValidatorException: The certificate issued by CN=Walmart Root CA, O=Wal-Mart Stores Inc is not trusted; internal cause is:
java.security.cert.CertPathValidatorException: Certificate chaining error
at com.ibm.jsse2.o.a(o.java:22)
at com.ibm.jsse2.SSLSocketImpl.a(SSLSocketImpl.java:423)
at com.ibm.jsse2.kb.a(kb.java:192)
at com.ibm.jsse2.kb.a(kb.java:176)
at com.ibm.jsse2.lb.a(lb.java:53)
at com.ibm.jsse2.lb.a(lb.java:464)
at com.ibm.jsse2.kb.s(kb.java:545)
at com.ibm.jsse2.kb.a(kb.java:530)
at com.ibm.jsse2.SSLSocketImpl.a(SSLSocketImpl.java:79)
at com.ibm.jsse2.SSLSocketImpl.h(SSLSocketImpl.java:437)
at com.ibm.jsse2.SSLSocketImpl.a(SSLSocketImpl.java:142)
at com.ibm.jsse2.SSLSocketImpl.startHandshake(SSLSocketImpl.java:686)
at com.ibm.net.ssl.www2.protocol.https.c.afterConnect(c.java:98)
at com.ibm.net.ssl.www2.protocol.https.d.connect(d.java:13)
at com.ibm.net.ssl.www2.protocol.https.b.connect(b.java:6)
at com.dwl.tcrm.tester.RESTClient_2.main(RESTClient_2.java:76)
I am assuming that you have a web application that is trying to access this RESTful service.
First, you do not have to set up your stores using the javax.net.ssl.* properties; use the SSL settings provided by WebSphere instead. So please comment out all of these setProperty() calls. Second, you must add the service's server certificate to the trust store.
Log in to the web admin console:
- Switch to Security > SSL certificate and key management > Key stores and certificates > NodeDefaultTrustStore > Signer certificates
- Click the button Retrieve from port and specify the hostname, port 443 and an alias.
- Click the button Retrieve signer information.
- Check that the correct (parent) certificate is imported.
- Save and restart.
In some versions the child certificate was imported (and not the root); in that case you will have to download the root and intermediate certificates manually (for example via a browser) and import them into NodeDefaultTrustStore, but using the Add button, not Retrieve...
My problem was the same and I was able to solve it by following the steps below.
This means that your certificate is not added to cacerts. Try running a command like
keytool -list -v -keystore your_path_to_cacerts
(lists the certificates in cacerts) and check by matching the serial number of your certificate. If it is not there, follow the instructions below.
To export the intermediate certificate: Internet Explorer → Tools → Internet Options → Content → Certificates. To view the certificate path: select the certificate → View → Certification Path. To export the certificate: select the certificate → Export → DER encoded binary format → Save (from Firefox: Tools → Options → Advanced → Encryption → View Certificates). (See http://www-01.ibm.com/support/docview.wss?uid=swg21592616 .) After that, add the exported certificate using the following command:
keytool -import -trustcacerts -keystore <path_to_cacerts> -alias <alias> -file <exported_certificate>
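Both answers above come down to the same check: is the signer (intermediate or root) of the service's certificate, not just the leaf, present in the trust store, and if not, add it. The following is an added example, not code from the question or either answer, that does that check programmatically: it fetches the chain the server actually sends, reports each certificate with its issuer and serial number (the same fields you would match by eye in keytool -list -v output), tells you whether an identical certificate is already in a JKS trust store, and imports the missing signer certificates. It assumes a plain JKS file (for WebSphere, export or copy the NodeDefaultTrustStore to a file first), and takes host, port, store path and password as command-line arguments; the alias scheme signer-<serial> is my own convention. The trust manager used to capture the chain accepts anything on purpose, so this tool must only be pointed at a host whose certificate fingerprint you have verified out of band; it is a retrieval aid, not a validation step.

```java
import java.io.FileInputStream;
import java.io.FileOutputStream;
import java.io.InputStream;
import java.io.OutputStream;
import java.security.KeyStore;
import java.security.cert.Certificate;
import java.security.cert.X509Certificate;
import java.util.ArrayList;
import java.util.List;
import javax.net.ssl.SSLContext;
import javax.net.ssl.SSLSocket;
import javax.net.ssl.TrustManager;
import javax.net.ssl.X509TrustManager;

/**
 * Added example (not from the original post). Fetch the chain a TLS server presents,
 * compare it against a JKS trust store and import the signer certificates it lacks.
 * Usage: java TrustStoreSigners <host> <port> <truststore.jks> <password>
 */
public class TrustStoreSigners {

    // Accept-everything trust manager used ONLY to capture the chain for inspection.
    // Never use this for real connections; verify the fingerprint out of band first.
    private static final TrustManager[] CAPTURE_ONLY = new TrustManager[] {
        new X509TrustManager() {
            @Override public void checkClientTrusted(X509Certificate[] chain, String authType) { }
            @Override public void checkServerTrusted(X509Certificate[] chain, String authType) { }
            @Override public X509Certificate[] getAcceptedIssuers() { return new X509Certificate[0]; }
        }
    };

    /** Connect, complete the handshake and return the chain exactly as the server sent it (leaf first). */
    static List<X509Certificate> fetchChain(String host, int port) throws Exception {
        SSLContext ctx = SSLContext.getInstance("TLS");
        ctx.init(null, CAPTURE_ONLY, null);
        try (SSLSocket sock = (SSLSocket) ctx.getSocketFactory().createSocket(host, port)) {
            sock.startHandshake();
            List<X509Certificate> chain = new ArrayList<>();
            for (Certificate c : sock.getSession().getPeerCertificates()) {
                chain.add((X509Certificate) c);
            }
            return chain;
        }
    }

    static boolean isSelfSigned(X509Certificate c) {
        return c.getSubjectX500Principal().equals(c.getIssuerX500Principal());
    }

    /** Same fields a reader would compare by hand in "keytool -list -v" output. */
    static String describe(X509Certificate c) {
        return "subject=" + c.getSubjectX500Principal().getName()
             + " issuer=" + c.getIssuerX500Principal().getName()
             + " serial=" + c.getSerialNumber().toString(16);
    }

    /**
     * Import every signer certificate (everything except the leaf) that the store does not
     * already contain; returns the aliases added. The leaf is skipped because trusting it alone
     * (what "Retrieve from port" gives you with retrieveLeafCert=true) breaks as soon as the
     * server certificate is renewed. A lone self-signed certificate is its own signer and is kept.
     */
    static List<String> importSigners(KeyStore ks, List<X509Certificate> chain) throws Exception {
        List<String> added = new ArrayList<>();
        for (int i = 0; i < chain.size(); i++) {
            X509Certificate c = chain.get(i);
            if (i == 0 && !isSelfSigned(c)) continue;          // leaf: do not pin it
            if (ks.getCertificateAlias(c) != null) continue;    // identical cert already present
            String alias = "signer-" + c.getSerialNumber().toString(16); // alias convention is an assumption
            ks.setCertificateEntry(alias, c);
            added.add(alias);
        }
        return added;
    }

    public static void main(String[] args) throws Exception {
        String host = args[0];
        int port = Integer.parseInt(args[1]);
        String storePath = args[2];
        char[] pw = args[3].toCharArray();

        KeyStore ks = KeyStore.getInstance("JKS");
        try (InputStream in = new FileInputStream(storePath)) { ks.load(in, pw); }

        List<X509Certificate> chain = fetchChain(host, port);
        for (int i = 0; i < chain.size(); i++) {
            X509Certificate c = chain.get(i);
            boolean present = ks.getCertificateAlias(c) != null;
            System.out.println((i == 0 ? "leaf   " : "signer ") + describe(c)
                + (present ? "  [already in store]" : "  [missing]"));
        }

        // Servers frequently omit the root; then the last element is an intermediate and the
        // root must be obtained separately (browser export) and added by hand, as the answers say.
        X509Certificate last = chain.get(chain.size() - 1);
        if (!isSelfSigned(last)) {
            System.out.println("Root CA not sent by server; obtain and add it manually: "
                + last.getIssuerX500Principal().getName());
        }

        List<String> added = importSigners(ks, chain);
        if (!added.isEmpty()) {
            try (OutputStream out = new FileOutputStream(storePath)) { ks.store(out, pw); }
        }
        System.out.println("Added aliases: " + added);
    }
}
```

Run it once against the service host with a copy of the trust store, confirm the printed issuer and serial match the certificate you verified out of band, and only then import the updated store into WebSphere (or repeat the import with keytool -import -trustcacerts on the real cacerts). If the output ends with "Root CA not sent by server", the chaining error will persist until that root is added as well.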