How to access HTTPS using pub.client.http

Hi community,

I know how to invoke an HTTP API using pub.client.http built-in service. However when I try to hit an HTTPS based url/API using same built-in service then I get SSL handshake error.

below is the screenshot of error message in service designer when I try to execute my flow service:

Can you please guide me how I can invoke an HTTPS url based API using pub.client.http or should I use some other built-in client/service?

Thanks

1 Like

Hi Muhammad,

please investigate the certificate chain with the hoster of the URL you are trying to invoke.
Make sure that the intermediate and root CA certificates are present either in the cacerts file of your JVM or in the global truststore configured in the IS.

Regards,
Holger

3 Likes

Hello Holger
Thanks for your response. I am not expert on certificates but I know about private & public key concept.

I can download .cer file corresponding to the particular https url from web browser.

Now if I add that .cer file (I believe it would be the Public key certificate of that https url) in IS truststore then is it sufficient to connect to https url via pub.client.http?

I might sound naive here as I am new to webMethods and hence need some more guidance here.

Also is there any other better way to connect https url inside the flow service or is pub.client.http built-in service is fine to use for https connectivity as well?

Thanks

Hi Muhammad,

the service pub.client:http is the right one, just pass an https-url instead of the http-url.

You can introspect the certificate by opening the https-url in a browser and then check the ssl-config (usually a lock sign in the URL field).
You wont need the public key of the server directly but mainly those certificates from the company (CA) who signed it.
When opening the cer-file on Windows you can switch to the CA certificates und extract them from there.

When adding certificates to your truststore, remember to use “-trustcacerts” parameter in the command so you will automatically trust the certificates in the cacerts file provided by the JVM so you only need to add those certificates to your own truststore which are not present in the cacerts file.

After addiing the CA certificates to the truststore remember to clear the ssl cache in the IS Admin UI, reload them stores and if this does not help you will have to shutdown and restart the IS once.

Regards,
Holger

1 Like

Thanks Holger for your comments/feedback.That was really helpful. I was able to create new truststore (.jks file using keytool) and load it in IS and then successfully established connection with https url by specifying newly created truststore in pub.client.http service parameters.

What I understood so far is that truststore in webMethods is basically some .jks file and we can add trusted certificate to new or existing .jks file using keytool. Can you please let me know if my understanding is correct?

Secondly, I would like to ask that do we need to use “-trustcacerts” parameter in keytool command every time we import any trusted certificate or doing it once or occasionally is enough?

Hi Muhammad,

correct, truststore is a jks file which can be managed with keytool.
Even the cacerts truststore file from the JVMs is nothing else than a jks file and can be introsprected with keytool.

I would suggest to use -trustcacerts evey time a new intermediate CA is added to your own truststore to make that it is already trusted during import when it is based on a known CA present in cacerts.
When the base CA is not available in cacerts, you will have to import it additionally to your trustsore file.

On the other side: Using the -trustcacerts every time provides the benefit, that it is not missing for the case it should have been used.

Regards,
Holger

1 Like

Thanks Holger. Big help. I appreciate.