Broker SSL Setup issue

We’ve been following the 8-0-SP1_Administering_Broker.pdf guide to set up SSL.

We’ve managed to configure SSL for the Broker server without any issues so far.

Our next step according to the guide is to configure SSL for the Broker User Interface Component. This is where we are getting errors.

So for this we need to convert our PEM truststore to a JKS. We assumed this since the UI only allows us to provide a JKS truststore. The documentation says absolutely nothing about this; somewhere way up in the beginning it did mention that the Broker Admin component requires a JKS truststore (but we’re configuring the Broker User Interface Component, is it the same?).

So we did so using openssl and the keystore tool. Here’s the output of the -list command that shows that the JKS truststore is valid:

Keystore type: JKS
Keystore provider: SUN

Your keystore contains 1 entry

mykey, Jan 5, 2010, trustedCertEntry,
Certificate fingerprint (MD5): <deleted>

However, in the “Change Identity Setting” screen in My Webmethods, after we’ve filled in all the fields and clicked on the “Connect” button we get the following stack trace:

2010-01-05 09:52:27 EST (jsf:INFO)  [RID:1384] - Error: Cannot save the identity setting. Error: Failed to set the clien
t identity. Internal error.: Error: Failed to set the cl
ient identity. Internal error.
        at com.webmethods.caf.msg.msgsettingchangeidentity.MsgSettingChangeIdentityDefaultviewView.connectAction(MsgSett
        at sun.reflect.NativeMethodAccessorImpl.invoke0(Native Method)
        at sun.reflect.NativeMethodAccessorImpl.invoke(
        at sun.reflect.DelegatingMethodAccessorImpl.invoke(
        at java.lang.reflect.Method.invoke(
        at com.sun.el.parser.AstValue.invoke(
        at com.sun.el.MethodExpressionImpl.invoke(
        at com.sun.faces.application.MethodBindingMethodExpressionAdapter.invoke(MethodBindingMethodExpressionAdapter.ja
        at com.webmethods.caf.faces.application.CAFMethodBinding.invoke(
        at com.sun.faces.application.ActionListenerImpl.processAction(
        at javax.faces.component.UICommand.broadcast(
        at com.webmethods.caf.faces.component.ViewRoot.broadcastEvents(
        at com.webmethods.caf.faces.component.ViewRoot.processApplication(
        at com.webmethods.caf.faces.portlet.PortletLifecycle$InvokeApplicationPhase.execute(
        at com.webmethods.caf.faces.portlet.PortletLifecycle.phase(
        at com.webmethods.caf.faces.portlet.PortletLifecycle.execute(
        at com.webmethods.caf.faces.portlet.FacesPortlet.processAction(
        at com.webmethods.portal.framework.portletcontainer.impl.PortletApplicationHandler.process(PortletApplicationHan
        at com.webmethods.portal.framework.portletcontainer.servlet.PortletServlet.service(
        at javax.servlet.http.HttpServlet.service(
        at org.mortbay.jetty.servlet.ServletHolder.handle(
        at org.mortbay.jetty.servlet.ServletHandler.handle(
        at org.mortbay.jetty.servlet.SessionHandler.handle(
        at org.mortbay.jetty.handler.ContextHandler.handle(
        at org.mortbay.jetty.webapp.WebAppContext.handle(
        at org.mortbay.jetty.servlet.Dispatcher.forward(
        at org.mortbay.jetty.servlet.Dispatcher.forward(
        at com.webmethods.portal.framework.portletcontainer.PortletContainer.dispatch(
        at com.webmethods.portal.framework.portletcontainer.PortletContainer.process(
        at com.webmethods.portal.framework.portletcontainer.PortletContainer.processPortletAction(
        at com.webmethods.portal.framework.dispatch.DispatchManager.handle(
        at com.webmethods.portal.framework.dispatch.DispatchManager.handleDispatch(
        at com.webmethods.portal.framework.impl.PortalServlet.service(
        at javax.servlet.http.HttpServlet.service(
        at org.mortbay.jetty.servlet.ServletHolder.handle(
        at org.mortbay.jetty.servlet.ServletHandler$CachedChain.doFilter(
        at com.webmethods.portal.framework.impl.NTLMFilter.doFilter(
        at org.mortbay.jetty.servlet.ServletHandler$CachedChain.doFilter(
        at com.webmethods.caf.faces.servlet.GZIPFilter.doFilter(
        at org.mortbay.jetty.servlet.ServletHandler$CachedChain.doFilter(
        at org.mortbay.jetty.servlet.ServletHandler.handle(
        at org.mortbay.jetty.servlet.SessionHandler.handle(
        at org.mortbay.jetty.handler.ContextHandler.handle(
        at org.mortbay.jetty.webapp.WebAppContext.handle(
        at org.mortbay.jetty.handler.ContextHandlerCollection.handle(
        at org.mortbay.jetty.handler.HandlerCollection.handle(
        at org.mortbay.jetty.handler.HandlerWrapper.handle(
        at org.mortbay.jetty.Server.handle(
        at org.mortbay.jetty.HttpConnection.handleRequest(
        at org.mortbay.jetty.HttpConnection$RequestHandler.content(
        at org.mortbay.jetty.HttpParser.parseNext(
        at org.mortbay.jetty.HttpParser.parseAvailable(
        at org.mortbay.jetty.HttpConnection.handle(
        at org.mortbay.thread.BoundedThreadPool$
Security Error (114-9999): Internal error.

        at COM.activesw.api.client.BrokerConnection.createSSLContext(
        at COM.activesw.api.client.BrokerConnection.testSSLContext(

Any help? (I truncated the stack trace to fit the message length limit.)

Well, we figured it out. First off, the broker library has some poor exception handling. The stack trace is showing a generic error and swallowing up the real issue (bad, bad enterprise programming practice!).

The problem stems from the fact that we used a self-signed cert, i.e. our cert request was signed using the same key. Apparently this is not supported! This should really be documented.

So, since we do not wish to pay an actual CA to sign this cert (we are using this on an internal network), what we did was use openssl to set up our own private CA and sign the broker cert using this private CA’s key and cert.

Here’s a good tutorial on how to create your own CA and sign certs:

After that, just convert the keystore to PKCS12 and the truststore to DER and JKS. Remember to add both the CA cert and the broker cert into the truststore.

Hope this helps others out there. Well on to using this setup on the client side…
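The private-CA setup the post settles on, as an added example that is not from the original post or from the webMethods product: a private CA, a broker cert signed by it, an issuer/subject check that flags the self-signed case the Broker library rejected, and the PKCS12/DER/JKS conversions. It assumes openssl is on PATH, treats keytool (from a JDK) as optional for the JKS step, and every file name, CN value and the password "changeit" is made up.

```shell
#!/bin/sh
# Added example, not from the original post: the CA-signed setup it describes.
# Assumes openssl on PATH; keytool (from a JDK) is optional for the JKS step.
# ca.key, broker.crt, the CN values and the password "changeit" are all made up.
set -e
WORK="${WORK:-$(mktemp -d)}"
PASS="pass:changeit"   # placeholder password for the stores

# A self-signed cert has issuer == subject; that is the case the Broker rejected.
is_self_signed() {
  issuer=$(openssl x509 -in "$1" -noout -issuer  | sed 's/^issuer=//')
  subject=$(openssl x509 -in "$1" -noout -subject | sed 's/^subject=//')
  [ "$issuer" = "$subject" ]
}

# Private CA: self-signed root whose key is used only to sign other certs.
make_ca() {
  openssl req -x509 -newkey rsa:2048 -nodes -sha256 -days 3650 \
    -subj "/CN=Example Private CA" -keyout "$WORK/ca.key" -out "$WORK/ca.crt" 2>/dev/null
}

# Broker cert: its own key + CSR, signed by the CA key (not by itself).
make_broker_cert() {
  openssl req -newkey rsa:2048 -nodes -sha256 -subj "/CN=broker.example.internal" \
    -keyout "$WORK/broker.key" -out "$WORK/broker.csr" 2>/dev/null
  openssl x509 -req -in "$WORK/broker.csr" -CA "$WORK/ca.crt" -CAkey "$WORK/ca.key" \
    -CAcreateserial -days 825 -sha256 -out "$WORK/broker.crt" 2>/dev/null
}

# The check to run before importing anything: does the cert chain to the CA?
verify_broker_cert() {
  openssl verify -CAfile "$WORK/ca.crt" "$WORK/broker.crt" >/dev/null 2>&1
}

# Keystore -> PKCS12 (key + cert + CA), truststore -> DER, and JKS if keytool exists.
package_stores() {
  openssl pkcs12 -export -inkey "$WORK/broker.key" -in "$WORK/broker.crt" \
    -certfile "$WORK/ca.crt" -name broker -passout "$PASS" -out "$WORK/broker.p12"
  openssl x509 -in "$WORK/ca.crt" -outform DER -out "$WORK/ca.der"
  command -v keytool >/dev/null 2>&1 || return 0
  rm -f "$WORK/truststore.jks"
  for alias in ca broker; do   # both certs go into the UI truststore, as the post says
    keytool -importcert -noprompt -alias "$alias" -file "$WORK/$alias.crt" \
      -keystore "$WORK/truststore.jks" -storetype JKS -storepass changeit >/dev/null 2>&1
  done
}
```

Run `make_ca; make_broker_cert; verify_broker_cert && package_stores` and the files land in `$WORK`; `is_self_signed some.crt` is the quick test to run on any cert before spending time on the UI error.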
