Error when creating a WSD for accessing a consumer in SSL

Hi,

I’ve created a WSD to access an SSL consumer without any problem on my PC
(I’ve beforehand configured the config.ini by adding the 2 lines for the truststore)

And all works fine : the connectors are well created.

Now, I’m trying to make exactly the same thing on another Computer.
(same OS, same WM Designer, same java version and same configurations)

but I meet this error :

java.net.SocketException: java.security.NoSuchAlgorithmException: Error constructing implementation (algorithm: Default, provider: SunJSSE, class: sun.security.ssl.SSLContextImpl$DefaultSSLContext)

Do you know how to solve the problem please ?

Regards

1 Like

Hi Cedric,

are you sure that the SSL/TLS settings are identical on both systems?

Might be that there is a difference in these?

Additionally, check the settings for the JVMs to see whether some SSL/TLS algorithms have been disabled in one of them.
/jre/lib/security

Regards,
Holger

Hi Holger,

Thank you for your reply.

Yes, we’ve used the same .jks file on both systems, and added the same two lines to the config.ini.
OK, I’m going to verify this information.

Regards

Hi Cedric,

Which OS are you using? Which wM version?
Have you created a separate TrustStore or are you using the default one?
Do you have multiple TrustStores defined?

Regards,
Syed Faraz Ahmed

Hi Syed,

On each PC, I’ve created a folder on C:, and then I’ve just copied the .jks file in that folder (the same file).
I’ve used the default .jks file that our partner has sent me.

The 2 PC are under : Windows 7 Pro SP1
The 2 Designer are connecting on the same IS :
Version 9.8.0.0
Updates IS_9.8_Core_Fix7
IS_9.8_SPM_Fix1
Build Number 247
SSL Strong (128-bit)

Regards

Hi Cedric,

May I know the reason for putting the .jks file on both PCs?

As far as I know, just inserting two properties in the configuration file for Eclipse will resolve the issue.

I had set
-Djavax.net.ssl.trustStore=NONE
-Djavax.net.ssl.trustStoreType=Windows-Root

And restarted the designer.

Regards,
Syed Faraz Ahmed

That’s funny, I’ve added the 2 lines in my eclipse INI:
javax.net.ssl.trustStore=NONE
javax.net.ssl.trustStoreType=Windows-Root

and then I get the same error.

If I replace the lines with these ones (the ones that initially made everything work):

javax.net.ssl.trustStore=C:\temp\orange_sms\mutuelle_ivry_la_fraternelle.jks
javax.net.ssl.trustStoreType=JKS

All works back fine.
(this is my PC)

the PC occurs on the PC of one of my colleagues.

To reply to your question… I was putting the .jks file on both PCs because we need to create the WSD on each PC.
We initially tried to put it on the IS file system but did not succeed (but it is still in testing phase :wink: ).

Regards

PS: Holger, I can’t reply to you, because I do not have access to the PC of my colleague (probably until next Monday)

Regards

Hi Holger,

We could make the comparison :

  • our cacerts file was different (but crypted)

  • our java.security was a little different :
    this line was missing :

    Algorithm restrictions for signed JAR files

    jdk.jar.disabledAlgorithms=MD2, RSA keySize < 1024

After taking the same files as mine, I still have the error.
Any idea?

Regards

Hi Cedric,

the content of the cacerts file can be checked with the following command:
keytool -list -keystore cacerts -storepass changeit

Keytool is part of the java installation.

Was the designer restarted after changing the configuration?

Regards,
Holger

1 Like
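An added diagnostic, not part of any post in this thread: a small Java program that loads the truststore named by the `javax.net.ssl.*` properties, lists its aliases, and then prints the full cause chain behind a failing default SSLContext, which the one-line "Error constructing implementation" message hides. The class name `TrustStoreCheck` is an assumption; run it on the same JVM and with the same `-D` options as the Designer.

```java
import java.io.FileInputStream;
import java.io.InputStream;
import java.security.KeyStore;
import java.util.Collections;
import javax.net.ssl.SSLContext;
// Added example (hypothetical class name), not code from the thread.
public class TrustStoreCheck {
    public static void main(String[] args) {
        String path = System.getProperty("javax.net.ssl.trustStore");
        String type = System.getProperty("javax.net.ssl.trustStoreType", KeyStore.getDefaultType());
        String pass = System.getProperty("javax.net.ssl.trustStorePassword");
        System.out.println("java.home      = " + System.getProperty("java.home"));
        System.out.println("trustStore     = " + path);
        System.out.println("trustStoreType = " + type);
        // Step 1: load the configured store directly so the real failure is visible.
        if (path == null) {
            System.out.println("No trustStore property set; JVM default (jssecacerts/cacerts) applies.");
        } else {
            try {
                KeyStore ks = KeyStore.getInstance(type);
                char[] pw = (pass == null) ? null : pass.toCharArray();
                if ("NONE".equals(path)) {
                    ks.load(null, pw);               // non-file stores such as Windows-Root
                } else {
                    try (InputStream in = new FileInputStream(path)) {
                        ks.load(in, pw);             // file-based stores such as JKS
                    }
                }
                for (String alias : Collections.list(ks.aliases())) {
                    String kind = ks.isKeyEntry(alias) ? "private key" : "trusted cert";
                    System.out.println("  " + alias + " -> " + kind);
                }
            } catch (Exception e) {
                System.out.println("Cannot load trust store: " + e);
            }
        }
        // Step 2: build the default context and unwrap the nested cause chain.
        try {
            SSLContext.getDefault();
            System.out.println("Default SSLContext OK");
        } catch (Exception e) {
            for (Throwable t = e; t != null; t = t.getCause()) {
                System.out.println("  caused by: " + t);
            }
        }
    }
}
```

Comparing the output from both PCs shows whether they differ in `java.home`, in the store the JVM actually opens, or in the entries that store contains.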

Thank you Holger,
Yes, the Designer has been restarted but the 2nd PC still gets this error.

Anyway, I will study the error later, for the moment the creating WSD (consumer partner) works on my PC.

I have created a new keystore on the IS from the .jks file (from the Security\Keystore menu), so I’m going to try to consume the web service now.

Regards

Hi Cedric,

the certificate toolkit is no longer necessary.

Can you provide the output of the keytool command for your customer’s jks file?
You can omit the fingerprints. The alias names are sufficient.

Is this meant to be a server certificate (for transport) or client certificate (for authorization)?

If it is used for a server certificate you will only need the CA part of it, which needs to be part of your Truststore file if it is not already part of the JVM’s cacerts file.

Under the certificates config screen assign the truststore alias to the truststore config.

Can you share a screenshot of your keystore config as well as the certificates page?

Regards,
Holger

Thank you Holger.
Before your reply, I have edited my previous post because I’ve found my error :oops:

Sorry, I’m not sure I understand what you are asking me.

It’s a certificate (.jks) our partner sent us to consume their webservice. It is just for authorization (IS is the client of this service).

I’ve made the same test in SoapUI and all works fine : I’ve just set the Keystore .jks path, and the password, and I can run perfectly the service partner.
So, I just need to make the same thing within the Designer : make work the call of this service.

When I call the service in the Designer, I obtain an unauthorization error : the same one returned in SoapUI before editing the soapUi SSL preferences.

To call the SSL service in the Designer, do I need to add a certificate (Security/certificate admin menu)?
To test the Connector (of the external service), do I have to set some auth\transport\keyStore alias or auth\message\keyStore alias or anything else?

Regards

Hi Cedric,

please have a look at the WebService Developers Guide.

For authentication I would suggest to create a WebService Consumer Alias in IS Admin and assign the certificate there.
After that configure the Connector in Designer to make use of this WS Consumer alias.

Regards,
Holger

1 Like

Thanks a lot Holger, I did what you recommend, and this works well. :slight_smile:

I have just noticed that I no longer need the truststore alias, nor the Certificate truststore item (I have deleted them, and just left the Keystore entry).

Does that look normal to you?

Regards

Hi Cedric,

we are currently not using client certificates.

So I cannot tell much about this.

If it is working, this is fine.

This means that the jks contains all required certificates or they exist in the base cacerts file of your JVM.

Regards,
Holger

Hi Holger,

OK, I understand, thank you Holger.

Regards