I’ve a certificate problem: using the code below in my portlet, I get a certificate error:
URL url = new URL(hostName + "intranet/TU/sessionvalidator/" + sessionID);
URLConnection con = url.openConnection();
com.ibm.jsse2.util.g: PKIX path building failed: java.security.cert.CertPathBuilderException: PKIXCertPathBuilderImpl could not build a valid CertPath.; internal cause is: java.security.cert.CertPathValidatorException: The certificate issued by CN=SBG Certificate Authority, DC=dpardirectory, DC=com is not trusted; internal cause is: java.security.cert.CertPathValidatorException: Certificate chaining error
I got the two certificates and successfully imported them into cacerts:
keytool -importcert -keystore /var/opt/webMethods/v8/jvm/aix160_64/jre/lib/security/cacerts -trustcacerts -file /sistemas/BPM/keystore/wexcertificate.der -a
keytool -importcert -keystore /var/opt/webMethods/v8/jvm/aix160_64/jre/lib/security/cacerts -trustcacerts -file /sistemas/BPM/keystore/wexcertificateCA.der -a
I restarted IS and MWS, but the problem remains.
The message you got, “chaining error”, means that the client could not build a proper certificate chain from what the server sent you to one of the trust roots in your JVM. It is possible the server is not configured properly even though it may work with some clients. A couple of suggestions to resolve:
try with browser. If it works with no warnings use the certs it found for proper path
try with OpenSSL s_client, this shows the certs the server is sending
$ openssl s_client -connect host:port -showcerts
build a standalone java client and enable debug
My webMethods application tries to connect to the site using https (URLConnection/HttpsURLConnection). The certificates were correctly imported. One of them is self-signed. Two certificates were imported as mentioned above to the truststore located in webMethods/v8/jvm/aix160_64/jre/lib/security/cacerts.
The application reports a chaining error.
Are the certificates imported to the correct truststore?
I got more info for this problem.
I executed the URL using the IS API pub.client:http and it works.
I made a conclusion:
“Certificates imported to the truststore <SAG_DIR>/jvm/aix160_64/jre/lib/security/cacerts are not being used by MW applications”
If that is true, where is the truststore for MWS located? (Since it seems it is not using the JVM cacerts.)
What version of the server are you running? In the current release the cacerts is in the \server\default\config\glue directory.
It should be in the gluetruststore.jks file. Please open a support ticket if you continue to have issues/questions.
Thanks. I was using the incorrect keystore/truststore, the truststore I mentioned above works for IS, not MWS.
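As an added example (not code from any poster in this thread or from the product), here is a standalone client of the kind suggested above. It validates the server's chain against one named truststore file, so the JVM cacerts and the MWS gluetruststore.jks can each be tested in turn. The class name TrustCheck and its three arguments are assumptions; run it with -Djavax.net.debug=ssl,handshake to get the handshake trace as well.

```java
import java.io.FileInputStream;
import java.net.URL;
import java.security.KeyStore;
import java.security.cert.Certificate;
import java.security.cert.X509Certificate;
import java.util.Collections;
import javax.net.ssl.HttpsURLConnection;
import javax.net.ssl.SSLContext;
import javax.net.ssl.SSLHandshakeException;
import javax.net.ssl.TrustManagerFactory;

// Hypothetical diagnostic class (added example). Uses try/finally rather than
// try-with-resources so it also compiles on older JVMs.
public class TrustCheck {
    public static void main(String[] args) throws Exception {
        if (args.length != 3) {
            System.err.println("usage: TrustCheck <https-url> <truststore-file> <password>");
            System.exit(2);
        }
        // null here means the default context falls back to jssecacerts/cacerts under java.home.
        System.out.println("javax.net.ssl.trustStore = " + System.getProperty("javax.net.ssl.trustStore"));

        // Load exactly the truststore file under test and list what it contains.
        KeyStore ts = KeyStore.getInstance(KeyStore.getDefaultType());
        FileInputStream in = new FileInputStream(args[1]);
        try { ts.load(in, args[2].toCharArray()); } finally { in.close(); }
        for (String alias : Collections.list(ts.aliases())) {
            Certificate c = ts.getCertificate(alias);
            if (c instanceof X509Certificate) {
                System.out.println("entry " + alias + ": "
                        + ((X509Certificate) c).getSubjectX500Principal().getName());
            }
        }
        // Build an SSLContext whose only trust anchors come from that file.
        TrustManagerFactory tmf = TrustManagerFactory.getInstance(TrustManagerFactory.getDefaultAlgorithm());
        tmf.init(ts);
        SSLContext ctx = SSLContext.getInstance("TLS");
        ctx.init(null, tmf.getTrustManagers(), null);

        HttpsURLConnection con = (HttpsURLConnection) new URL(args[0]).openConnection();
        con.setSSLSocketFactory(ctx.getSocketFactory());
        con.setConnectTimeout(10000);
        try {
            con.connect(); // the TLS handshake and chain validation happen here
            System.out.println("RESULT: chain validates against " + args[1]);
        } catch (SSLHandshakeException e) {
            System.out.println("RESULT: chain does NOT validate against " + args[1] + ": " + e.getMessage());
        } finally {
            con.disconnect();
        }
    }
}
```

If the same URL validates against one file and fails against the other, the certificates were imported into a truststore that the failing component does not read.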