javax.net.ssl.SSLHandshakeException: Received fatal alert: bad_certificate

We have a partner that is using WM IS with the SAP adapter, and they are using SSL x509 client authentication. They have given us their root CA certificate, an intermediate CA certificate, and the server certificate. We are putting those certificates into a truststore and passing it in the https connection. We are using Java to connect to their WM IS server, but are getting a “javax.net.ssl.SSLHandshakeException: Received fatal alert: bad_certificate”. We have tried a number of different ways to connect, but have been unsuccessful. We have verified that the certificate issuer matches the subject of the certificate above it in the chain.

The partner has indicated that other partners of theirs are using the same certificates to connect to their WM IS server, although we are the first to be using their SAP adapter.

Any ideas about what might be preventing us from connecting to their server, tips, or things to try would be greatly appreciated.

Hi Kory,

Can you provide some more details about the WM Version (esp. the SAP-Adapter)?
If possible with FixLevel and the version of JCo-Libs being used.

Are you using WebServices over https? If so, restarting the ICM might help.

I am not quite sure how this relates to the SAP-Adapter, as the SAP-Adapter is designed for RFC-Connections.
These can be encrypted by using SNC feature.

Regards,
Holger

Hi Holger,

Our partner is using WM version 7.1. I don’t believe the SAP adapter or JCo-Libs are the issue, because we can’t even connect to WM.

We are trying to connect to WebServices over https through WM. I can ask our partner to restart the ICM and see if that fixes the problem.

Regards,
Kory

The partner restarted the ICM, but I am still getting the same error.

I am getting a similar error when I use openssl s_client. It looks something like this:

openssl s_client -CAfile cafile.pem -connect host:port
CONNECTED(00000003)
depth=2 /C=/O=/OU=/CN=***
verify return:1
depth=1 /C=/O=/CN=**
verify return:1
depth=0 /C=/postalCode=/ST=/L=/street=/O=/OU=/OU=/CN=**
verify return:1
17104:error:14094412:SSL routines:SSL3_READ_BYTES:sslv3 alert bad certificate:/SourceCache/OpenSSL098/OpenSSL098-52.10.1/src/ssl/s3_pkt.c:1143:SSL alert number 42
17104:error:140790E5:SSL routines:SSL23_WRITE:ssl handshake failure:/SourceCache/OpenSSL098/OpenSSL098-52.10.1/src/ssl/s23_lib.c:185:

Any ideas?

Can you connect to Webservice via Browser?

If yes, you can check the certificate from there.

You can use the same URL and append a ‘?WSDL’ to retrieve the WSDL directly from IS.

Regards,
Holger

No, I am unable to connect to their WebServices via a browser. I get an SSL error, “Unable to make a secure connection to the server. This may be a problem with the server, or it may be requiring a client authentication certificate that you don’t have.”

Seems you need two certificates, one for the HTTPS-Transport (Server Certificate) and one for the Certificate-based authentication.

Even if you are unable to authenticate (as you have described) you should be able to retrieve the server certificate via Browser.

Can you share some more details about the configuration (how you connect to the IS)?

Regards,
Holger