I am trying to expose a webSocket API to our frontend application team via the SAG API Gateway. We are able to call the IS webSocket API from Postman, but when it is called from API Gateway, we get the error below. We verified the logs and we see that we are able to call the API Gateway webSocket API, but when API Gateway calls the IS URL, it fails. The error seems to be with the cert, but we installed all the truststores and still get the same error. I also tried calling a normal HTTPS API from API Gateway to IS and it works perfectly. So we concluded the issue is only with the webSocket API.
Error messages / full error message screenshot / log file:
GMT [YAI.0700.8887E] (tid=2246) [default][apigateway-744f5bc67b-6f9f7] Debug: {1} javax.net.ssl.SSLHandshakeException: PKIX path building failed: sun.security.provider.certpath.SunCertPathBuilderException: unable to find valid certification path to requested target"
Question related to a free trial, or to a production (customer) instance?
Please share some screenshots from your API Gateway hosting IS from the pages Security → Certificates and Security → Keystores, as well as from the HTTPS port you are connecting to.
When using uncommon CAs, the webSocket API might not be able to verify the certificate presented by the API Gateway (or vice versa).
Can you describe in detail in which direction the call works and in which not?
I have added some screenshots for your reference. We are calling the websocket URL of API Gateway and it throws an error while connecting to the websocket URL of IS, where the websocket server configuration is available. The error log I have shared is from the API Gateway hosting IS.
The IS websocket URL works fine from Postman separately, but API Gateway throws an error when integrated with API Gateway.
Screenshot from API gateway hosting IS
Certificate →
Can you provide a sample URL showing how you invoke the websocket port, please?
Does it help when you provide a centralized truststore containing all necessary root and intermediate certificates which are not present in the cacerts file from the JVM as the IS Truststore alias, and restart IS afterwards?
I have never worked with websockets ports (only regular HTTPS ports), so I am not quite sure where to look at.
To answer the other question → We added the truststore and tested without a restart, but it failed with the same error. Does it require a server restart after uploading the truststore?
When adding or updating certificates for the IS, it is required to restart the IS, as reloading the stores is not sufficient in this case.
Otherwise the certificates won't be activated for IS.
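
Added example, not part of the thread and not Software AG code: the "PKIX path building failed" error in the log means the client could not build a chain from the presented certificate to a trusted anchor, and this script reproduces one way that happens with a constructed root → intermediate → leaf chain checked by `openssl verify`. All file names, subject names and the host `is.example.test` are made up for the demo, and the server is assumed to present only its leaf certificate.

```bash
#!/usr/bin/env bash
# Constructed demo PKI: root CA -> intermediate CA -> server leaf.
# All names and files are made up for this example; needs openssl on PATH.

make_chain() {  # $1 = empty work directory
  local d="$1"
  printf '[req]\ndistinguished_name=dn\nx509_extensions=v3_ca\n[dn]\n[v3_ca]\nbasicConstraints=critical,CA:TRUE\n' > "$d/req.cnf"
  printf 'basicConstraints=critical,CA:TRUE\n' > "$d/ca.ext"
  # Self-signed root CA
  openssl req -x509 -newkey rsa:2048 -nodes -days 2 -config "$d/req.cnf" \
    -subj "/CN=Demo Root CA" -keyout "$d/root.key" -out "$d/root.pem" 2>/dev/null
  # Intermediate CA, signed by the root
  openssl req -new -newkey rsa:2048 -nodes -config "$d/req.cnf" \
    -subj "/CN=Demo Intermediate CA" -keyout "$d/inter.key" -out "$d/inter.csr" 2>/dev/null
  openssl x509 -req -in "$d/inter.csr" -CA "$d/root.pem" -CAkey "$d/root.key" \
    -CAcreateserial -extfile "$d/ca.ext" -days 2 -out "$d/inter.pem" 2>/dev/null
  # Server leaf, signed by the intermediate
  openssl req -new -newkey rsa:2048 -nodes -config "$d/req.cnf" \
    -subj "/CN=is.example.test" -keyout "$d/leaf.key" -out "$d/leaf.csr" 2>/dev/null
  openssl x509 -req -in "$d/leaf.csr" -CA "$d/inter.pem" -CAkey "$d/inter.key" \
    -CAcreateserial -days 2 -out "$d/leaf.pem" 2>/dev/null
}

# Succeeds only if a path from the presented certificate to a trusted anchor
# can be built from the certificates in the bundle (the client's truststore).
check_trust() {  # $1 = PEM trust bundle, $2 = certificate the server presents
  openssl verify -CAfile "$1" "$2" 2>&1 | grep -q ': OK$'
}

demo() {
  local d
  d="$(mktemp -d)"
  make_chain "$d"
  cat "$d/root.pem" "$d/inter.pem" > "$d/trust_full.pem"
  for bundle in root.pem trust_full.pem; do
    if check_trust "$d/$bundle" "$d/leaf.pem"; then
      echo "$bundle: path built, handshake would be trusted"
    else
      echo "$bundle: no path to a trusted anchor"
    fi
  done
  rm -rf "$d"
}
demo
```

For a Java keystore, `keytool -list -v -keystore <truststore>` (placeholder path) lists the entries so the issuing CAs can be compared against the chain the server presents.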