The last error you listed: unable to find valid certification path to requested target, indicates that your IS system doesn’t trust the server cert of the system you are connecting to.
You can get the cert chain using browser (as you had been testing with chrome tool, you can get it there), install the root and intermediate cert to your local IS trust store.
If you don’t have a trust store, you need to create one.
you should read some documentation on this topic, start with: webMethods Integration Server Administrator’s Guide, 16 Securing Communications with the Server.
Key store is the place you store your own server’s keys.
Trust store is where you have a list of certs that your server will trust for different security purposes.
When you initiate a SSL/TLS connection to another system, your server need to first trust the cert chain of the destination system, even you use username/pass authentication.
Tong, Thanks for your help. I read upon keystore/truststore and I did the following.
I downloaded the certificate from the REST client provider.
Generated the keystore
Generated the trust store
Created new keystore alias and trust store alias pointing to these files with respective passwords in IS server
I am still getting the same error.
com.wm.app.b2b.server.ServiceException: javax.net.ssl.SSLHandshakeException: sun.security.validator.ValidatorException: PKIX path building failed: sun.security.provider.certpath.SunCertPathBuilderException: unable to find valid certification path to requested target
How does the pub.client.http know to use these stores when making the REST call?
HI MSR.
I did not get “My webMethods Server CA certs” Are these provided by webMethods or CA - Computer Associates
or CA refers to Certificate Authority.
I have downloaded the certificate from the website to which I am making the REST call and created a keystore and trust store based on that certificate.
As shown in my earlier post, I have created a keystore alias in the IS console.
Please detail what certs do I need to import to WebM_installDir/jvm/jvm160/jre/lib/security ?
When I try to change the DEFAULT_IS_KEYSTORE to the keystore, I have created, it is asking for an alias but I do not have anything in the alias drop down box. For DEFAULT_IS_KEYSTORE, I see an alias of “ssos”
when I edit the keystore, I do not see this “sso” as a configurable value.
you should be able to see the alias when checking the keystore with Portecle or "keytool -list".
When creating the keystore/truststore with keytool, please specify -trustcacerts parameter to the command line.
This automatically trsuts the certificates stored in cacerts file without the need to modify it.
In the truststore for the IS import all intermediate certificates which are shown in the certification path for the certificate.
Configure this truststore as an Truststore Alias and assign this Truststore Alias under Security → Certificates.
Another option is to assign the certificate directly to the pub.client:http invoke step.
if you are authenticating with username/password, you don’t need to have the key store configured, you only need to have the Trust Store configured.
on Security > Certificates > Edit page, the last section: Truststore
Do you see your truststore alias there?
if not, that means you haven’t configured the truststore yet.
Go to: Security > Keystore > Create Truststore Alias
to create it.
Finally, I was able to overcome the security handshake error and make a HTTPS request and see the response as an initial step. Thanks to everyone who helped me. Thanks once again. More to come
Regards
