ERROR Remote Servers Server certificate rejected by ChainVerifier

rangoon · November 10, 2004, 4:04pm

Hi All,

I’ve been through the various posts linked to this kind of problem but I couldn’t solve mine.

Problem description :
— webMethods info
. . Webmthods IS 6.1 FP1
. . Unix Solaris 8 v.05/03
. . Kernel 108.528-23
Here is an extract of the Exented we have set :
. . watt.security.ssl.ignoreExpiredChains=true
. . watt.security.ssl.client.ignoreEmptyAuthoritiesList=true

1- Certificates extraction

The certificates have been extracted via Internet Explorer as “DER X.509 .cer” files. Each certificate in the chain leads to a unique “.cer” file.
Then we convert the “.cer” file to “.der” with “<webmethods61>\IntegrationServer\CertificateToolkit\bin\ssltoolkit.bat”
Then we upload certificates from ou Windows machine to the Unix IS server in “/appl/webmthods/IntergrationServer/Certificates/trusted/”

2- Remote Server Creation

We create a Remote Server : “IS console / Settings / Remote Servers / Create Remote Server Alias”
Remote server settings :
. . Alias : MyCustomer
. . Host Name or IP Address: www.mycustomer.com
. . Port Number:443
. . User Name:myLogin
. . Password:myPassword
. . execute ACL:internal
. . Idle Timeout:
. . Use SSL : Yes
. . Private Key:
. . Certificates:/appl/webmthods/IntergrationServer/Certificates/trusted/1.der,/appl/webmthods/IntergrationServer/Certificates/trusted/2.der,/appl/webmthods/IntergrationServer/Certificates/trusted/3.der
. . Retry server:

We are using a HTTP/HTTPS/FTP Proxy server wich is set in "IS console / Settings / Proxy Servers / "

Then when we test the new remote server we get :
<<
Unable to connect to remote server MyCustomer: java.io.IOException: iaik.security.ssl.SSLException: Server certificate rejected by ChainVerifier
>>

We also get this error when trying to connect via TN.

As usual, any help welcome

Thanks

rangoon · November 10, 2004, 4:27pm

update

We got rid of the SSL setting in the Remote Server as it appears to be used to authenticate ourselves to the remote server, wich is not what we want to do.

But then, we get the following error :
<<
Unable to connect to remote server MyCustomer : com.wm.app.b2b.client.ServiceException
>>

A glance at the log do not show up anything, even with log level set at 10

rangoon · November 10, 2004, 7:00pm

update

we tried adding the chain root CA into JRE’s cacert (<webmethodshome>/jvm/sol142/jre/lib/security/cacerts )

but we keep having
<<
Unable to connect to remote server UMICORE_test_env: java.io.IOException: iaik.security.ssl.SSLException: Server certificate rejected by ChainVerifier
>>

nemziz · November 23, 2004, 6:48pm

Dear Gurus,

In our case, if we use Browser, the service is invoked and results are got. say [url]https://anilprasad:443/invoke/anil/testService[/url]

But, when we use a tool like curl, openSSL, we get an ACL exception.

any suggestion is welcome.

Thanks in advance,
Anil

krishnan.10977 · November 24, 2004, 3:00pm

Hi Rangoon,

I understand that you want to test connection to a Remote Server through HTTPS protocol using userID and password.

For this you have to configure the Client server as follows:
A.Remote Server Alias: In your above config,

Leave the following blank; Private Key, Certificates & Retry Server.
Check ‘Yes’ for Use SSL.

B. Go to Security > Certificates

Click Edit Certificate Settings.
Leave the CA Certificate Directory empty.
Save Changes

Now you should be able to connect successfully. If fails, try after restarting your server.

If you still get “Server certificate rejected by ChainVerifier”, check the certificates on the Remote Server (server you are connecting to).

The above works in IS6.0.1.

I guess both the servers you use for testing are webMethods server.

HTH

fitantop · December 16, 2004, 11:20pm

we’ve got the same message via a HTTP post to a web service? our jdk is 1.4.2_05 and IS6.01 any one had this behaviour before?

sukumar · April 19, 2005, 6:21pm

Hi,

I am using IDOC’S whenever i am access the idoc it is giving this problem [ISS.0085.9159] Invalid input. ‘document’ is a required parameter of type

If anybody have idea about this please let me know

gupta_r.17495 · April 19, 2005, 9:37pm

sukumar,

Which service is causing that error?Based on the error make sure you map the document(IDATA)structure to the input.

Pete_DiStefano · April 21, 2005, 1:17am

I am seeing the same error message as sukumar. It happens when I try to publish a document. I am mapping the document to the document input of the service. Thanks

gupta_r.17495 · April 21, 2005, 3:32am

Peter,

The subscribing service input should be fully qualified name of the publishable document like folder.subfolder:docTypeName(DocumentReference).This way the published document will be in the pipeline and further down the parsing services will not fail.

Please make sure this.

HTH,
RMG