Consumer Web Service Connector authentication issue using private key certificate keyAlias from keyStoreAlias - part 2

This is the resolution of an issue we tried to fix starting Dec. 2020 (see article Consumer Web Service Connector authentication issue using private key certificate keyAlias from keyStoreAlias)

We had been trying to have our Web Methods Integration server act as a client (consumer) to a SOAP Web Service running on our customer’s server, and they do not use Integration Server. See the original article mentioned above.

We recently tried also to connect as a client to a REST web service using a client certificate for authentication. We used pub.security.keystore:setKeyAndChain to set the client certificate, and then we called pub.client:http to call the remote REST web service. The result was the same as for the SOAP web service: network traces showed we are not sending the client certificate.

So we started to play around a bit more, realizing that depending on which remote server we connect to, for some servers Integration Server would send the client certificate, and for some servers it would not.

Taking network traces of the TLS session establishment conversation, we found that Web Methods Integration Server will only send a client certificate if the remote server provides a list of certificate authorities it trusts, in the form of a list of distinguished names, as part of the Certificate Request in the network trace. If that remote server does not provide a list of distinguished names, Web Methods does not send the client certificate. We can even see that in the network traces I provided 18 months ago in the original article. During “Certificate Request” it shows:

Distinguished Names Length: 0

After contacting Software AG support, they pointed us to an extended setting which is false by default, and which we should set to true if we want Integration Server to send a client certificate even if the list of distinguished names sent by the remote server is empty:

watt.security.ssl.client.ignoreEmptyAuthoritiesList=true

We tested again and this time it works.

There are various ways which can be used to tell Integration Server to send a client certificate, as mentioned in the original article. I only tested pub.security.keystore:setKeyAndChain when calling a REST web service using pub.client:http and setting auth → transport → serverCerts keyStoreAlias and keyAlias when calling a SOAP web service as a consumer.

I did not test adding an HTTPS alias under “Settings → Web Services → Web Service Consumer Endpoints List” but I assume it would work too.

Hopefully this can be useful to others in the future.

Tested on WM Integration Server 9.10 and 10.7.

Many thanks to Holger von Thomsen and Gerardo Lisboa who had tried to help me in Dec 2020 and early 2021.

To Gerardo Lisboa: I did not even need to add the certificate authorities which signed the server certificate of the remote host in my “Keystore → Truststore List” for the https connection to work.

Hi Stéphane,

This would mean, that all the needed authorities are already present as part of the cacerts file of the jvm being used.

Hi Holger, I can assure you, they are not there. The customer has his own CA, which we do not have in our trust store, and I tried also to connect to one of our internal servers which uses its own internal CA. In fact, in the case of our internal server, we used a client certificate which is self-signed.