I have an issue integrating some web service from WM7 to WM9. The web service consumer requires the certificate file while sending the request.
WM7 Configuration
IS - define path of Trusted Certificates in IS → Security → Edit Certificates Settings → CA Certificate Directory=config\security\cert\cas\
On Developer - in consumer we added a flow service before calling soap client
pub.security.setKeyAndChain, in which we could locate privateKey (privatekey.der) and certFiles (cer1.der,cer2.der). Note that the certificates are given with full paths.
pub.client.soapClient, which just sends the request out, and it’s working fine
However, in WM9 the service pub.security.setKeyAndChain is deprecated and we are recommended to use pub.security.keystore.setKeyAndChain. So we made a few configuration changes on IS
IS - define KeyStore by going to IS → Security → Create Keystore Alias and Create Truststore Alias named “myKeyStore” for both Keystore alias and Truststore alias.
On Developer - in the same service of WSC we use
pub.security.setKeyAndChain, which sets KeystoreAlias=myKeyStore and keyalias=mykeystore (got it while creating the keystore)
pub.client.soapClient, which just sends the request out, but we received the error…
org.apache.axis2.AxisFault: Error in obtaining a token
I’d like to know what configurations I missed setting. If you have any ideas, please help me out.
I am facing the same issue. I was advised to do the same. Could you tell me how you imported the private certificate to the key-store?
Could you explain in detail about the configuration you did to accommodate the changes?
I have the same thing: privatekey.der, certificate.cer, and ca_certificate.der. I’ve converted the .der files to .pem files and added them to the keystore. However, I still have the same error.
So, I was trying to check whether my keystore does contain all of the key and cert conversions or not.
I used pub.security.keystore:getKeyAndChain. The output of this service is the privateKey and certificates that are used in pub.security:setKeyAndChain in WM7, but they are in byte arrays. After that I tried to use pub.security:setKeyAndChainFromBytes. It failed because the privateKey is a Java interface of java.io.Serializable
So, I am pretty confident that my keystore contains everything that is needed.
Import the Certificate into a Java Keystore:
keytool -import -file ./certificates/wm9/server.pem -keystore ./certificates/wm9/server.jks -alias wmkey -trustcacerts
Package the PEM certificate and Private Key as PKCS#12 (PFX):
openssl pkcs12 -export -out ./certificates/wm9/certificate.pfx -inkey ./certificates/wm9/private_server.key -in ./certificates/wm9/server.pem
Import the Private Key and Public Certificate into the Java keystore:
set CLASSPATH=C:\SoftwareAG\MWS\lib\ext\jetty-util.jar;C:\SoftwareAG\MWS\lib\ext\jetty.jar
java org.mortbay.jetty.security.PKCS12Import ./certificates/wm9/certificate.pfx ./certificates/wm9/certificate.jks
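Added example, not part of the thread or of any poster's code: a small Java check for a keystore produced by steps like the ones above. It lists each alias, reports whether the alias holds a private key with a certificate chain or only a certificate, and confirms the private key matches the leaf certificate. The class name KeystoreCheck is hypothetical, and the code assumes the key password equals the keystore password.

```java
import java.io.*;
import java.security.*;
import java.security.cert.Certificate;
import java.security.cert.X509Certificate;
import java.util.Collections;

// Added example (hypothetical class name). Run: java KeystoreCheck <file> <JKS|PKCS12>
public class KeystoreCheck {
    public static void main(String[] args) throws Exception {
        Console con = System.console();
        if (args.length != 2 || con == null) {
            System.err.println("usage (from a terminal): KeystoreCheck <file> <JKS|PKCS12>");
            System.exit(2);
        }
        // Prompt for the password so it does not appear in argv or process listings.
        char[] pass = con.readPassword("Keystore password: ");
        KeyStore ks = KeyStore.getInstance(args[1]);
        try (InputStream in = new FileInputStream(args[0])) {
            ks.load(in, pass);
        }
        for (String alias : Collections.list(ks.aliases())) {
            // Assumption: the key password equals the keystore password.
            Key key = ks.isKeyEntry(alias) ? ks.getKey(alias, pass) : null;
            Certificate[] chain = ks.getCertificateChain(alias);
            if (!(key instanceof PrivateKey) || chain == null || chain.length == 0) {
                // Such an entry can serve as a trust anchor but cannot identify the client.
                System.out.println(alias + ": no private key with certificate chain");
                continue;
            }
            X509Certificate leaf = (X509Certificate) chain[0];
            System.out.println(alias + ": private key, chain length " + chain.length
                    + ", subject " + leaf.getSubjectX500Principal() + ", expires " + leaf.getNotAfter());
            System.out.println("  key matches leaf certificate: " + matches((PrivateKey) key, leaf));
        }
    }

    // Signs a constant with the private key and verifies it with the certificate's public key.
    static boolean matches(PrivateKey key, X509Certificate cert) throws Exception {
        String alg = "EC".equals(key.getAlgorithm()) ? "SHA256withECDSA" : "SHA256with" + key.getAlgorithm();
        byte[] msg = "keystore-check".getBytes("UTF-8");
        Signature s = Signature.getInstance(alg);
        s.initSign(key);
        s.update(msg);
        byte[] sig = s.sign();
        s.initVerify(cert.getPublicKey());
        s.update(msg);
        return s.verify(sig);
    }
}
```

An alias created only with keytool -import of a certificate is reported as having no private key; an alias that is meant to carry the client's private key should show the "private key" line with a matching leaf certificate.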
Thank you very much for sharing your knowledge with me and everyone.
I finally found the solution for this issue.
First, we need to have a Keystore file. I built a Java program to test my keystore to see if we could actually send out the request via SSL.
Second, once we have a keystore that is working, here is the configuration that I’ve made.
Put the keystore on the WM IS and configure it on the WM IS console → Security → Create Keystore Alias
Create a WS Alias on the WM IS console: go to Settings → Web Services → Create Web Service Endpoint Alias
Fill in WS Alias details in
- Web Service Endpoint Alias Properties:
Transportation Type: HTTPS
- HTTPS Transport Properties (optional)
Proxy (https): You need to configure it on Security → Proxy first
Keystore: select your keystore
KeystoreAlias: type the alias name
Third, go to WM Designer and to your WSDC. Select the tab “Binder” and set “Port Alias” from the 2nd step. If you do not see it, refresh the package first.
Fourth, if you still have the same error “Error in obtaining token”, on the WSDC, set the property “Pre-8.2 compatibility mode” to “True”. That made my consumer work.
Hope this could be helpful to everyone.
Remark: I think you can also use the keystore on auth->transportation->keystore/keystore alias if you don’t want to set up all of steps 2 and 3, but you at least need to set up the keystore alias on the WM IS console. (I haven’t tried it, but I think it would work.)
Or even changing the SOAP version from 1.2 to 1.1 or vice versa would help.
I see you have used the jetty-util.jar and jetty.jar files at the end. When I checked our webMethods server I didn't find them. Can you please help me with where I would find these files? Do they get shipped with the default webMethods installation?