https hand shake error

My earlier thread is here.
I have configured pub.client.http making a REST API call that returns JSON as response.

I have executed the same REST url via Google Chrome REST client and was able to see the response.

When i execute the flow service I get the following error.

com.wm.app.b2b.server.ServiceException: iaik.security.ssl.SSLException: Peer sent alert: Alert Fatal: handshake failure

The REST URL has a username and password.

I have seen on the forums something about configuring https port. I am not sure which port number to use.
I am kind of in a roadblock situation now.

Thanks

Please share your IS details along with fix levels.

Also,did you properly configure truststore ?

Did you select anything as part of Integration Server HTTPS port definition ?

Thanks,

Software AG IS 9.8 trial version

I am not sure about " Did you properly configure trust store"?

Did you select anything as part of Integration Server HTTPS port definition ?

I was in that screen but was not sure which port # to use as it is an outbound request.

This is how I configured the https port based on the search in forum and your reply.

I still get the same error. bad handshake.

Can you try the below extended setting on IS (Read Server Configuration Parameters from 9-8_Integration_Server_Administrators_Guide.pdf)

watt.net.jsse.client.enabledProtocols=
watt.net.jsse.server.enabledProtocols=

watt.net.jsse.client.enabledCipherSuiteList=
watt.net.jsse.server.enabledCipherSuiteList=

If it is an outbound request, HTTPS Port in IS-config does not apply here.

More likely you will have to take a look at WS Endpoint Aliases (under Settings).

These are available for recent wM versions.
See IS Admin Guide as well as WebService Developers Guide for further informations.

Regards,
Holger

Yes, it is an outbound request as I am doing a GET request to another service.

At this point all I have is a pub.client:http with the url, id, password and expecting to see a JSON structure with list of ids.

Thanks Mahesh, I tried your settings as follows.

watt.net.ssl.client.strongcipheronly=true
watt.net.jsse.client.enabledProtocols=SSLv3,TLSv1,TLSv1.1,TLSv1.2
watt.net.ssl.client.cipherSuiteList=default

I see a different error now.

com.wm.app.b2b.server.ServiceException: javax.net.ssl.SSLHandshakeException: sun.security.validator.ValidatorException: PKIX path building failed: sun.security.provider.certpath.SunCertPathBuilderException: unable to find valid certification path to requested target

The last error you listed: unable to find valid certification path to requested target, indicates that your IS system doesn’t trust the server cert of the system you are connecting to.
You can get the cert chain using browser (as you had been testing with chrome tool, you can get it there), install the root and intermediate cert to your local IS trust store.
If you don’t have a trust store, you need to create one.

Hi Tong, Thanks for your quick follow up. This is completely new territory related to trust stores.

I have the following in my IS server Plesae see Keystores-IS.jpg

Please provide an example of "install the root and intermediate cert to your local IS trust store. "

i see cacerts in jre/lib. Do I create a new keystore alias first pointing to this file under jre?

What is the difference between keystore and truststore?

you should read some documentation on this topic, start with: webMethods Integration Server Administrator’s Guide, 16 Securing Communications with the Server.

Key store is the place you store your own server’s keys.
Trust store is where you have a list of certs that your server will trust for different security purposes.

When you initiate a SSL/TLS connection to another system, your server need to first trust the cert chain of the destination system, even you use username/pass authentication.

Tong, Thanks for your help. I read upon keystore/truststore and I did the following.

I downloaded the certificate from the REST client provider.
Generated the keystore
Generated the trust store

Created new keystore alias and trust store alias pointing to these files with respective passwords in IS server

I am still getting the same error.
com.wm.app.b2b.server.ServiceException: javax.net.ssl.SSLHandshakeException: sun.security.validator.ValidatorException: PKIX path building failed: sun.security.provider.certpath.SunCertPathBuilderException: unable to find valid certification path to requested target

How does the pub.client.http know to use these stores when making the REST call?

did you config on this page:
Security > Certificates >Edit Certificates Settings
assign the TrustStore as minimum

Viswanath – As per your earlier stated error, did you import My WebMethods Server CA certs to WebM_installDir/jvm/jvm160/jre/lib/security ?

Thanks,

HI MSR.
I did not get “My WebMethods Server CA certs” Are these provided by WebMethods or CA - Computer Associates
or CA refers to Certificate Authority.

I have downloaded the certificate from the website to which I am making the REST call and created a keystore and trust store based on that certificate.

As shown in my earlier post, I have created a keystore alias in the IS console.

Please detail what certs do I need to import to WebM_installDir/jvm/jvm160/jre/lib/security ?

Thanks

Hi Tong,

When I try to change the DEFAULT_IS_KEYSTORE to the keystore, I have created, it is asking for an alias but I do not have anything in the alias drop down box. For DEFAULT_IS_KEYSTORE, I see an alias of “ssos”

when I edit the keystore, I do not see this “sso” as a configurable value.

Hi Viswanath,

you should be able to see the alias when checking the keystore with Portecle or "keytool -list".

When creating the keystore/truststore with keytool, please specify -trustcacerts parameter to the command line.
This automatically trsuts the certificates stored in cacerts file without the need to modify it.

In the truststore for the IS import all intermediate certificates which are shown in the certification path for the certificate.

Configure this truststore as an Truststore Alias and assign this Truststore Alias under Security → Certificates.

Another option is to assign the certificate directly to the pub.client:http invoke step.

See Built-In-Services Guide for pub.client:http:

Regards,
Holger

if you are authenticating with username/password, you don’t need to have the key store configured, you only need to have the Trust Store configured.

on Security > Certificates > Edit page, the last section: Truststore
Do you see your truststore alias there?
if not, that means you haven’t configured the truststore yet.
Go to: Security > Keystore > Create Truststore Alias
to create it.

Finally, I was able to overcome the security handshake error and make a HTTPS request and see the response as an initial step. Thanks to everyone who helped me. Thanks once again. More to come :slight_smile:
Regards