We are trying to make an HTTPS call from one Integration Server (A) to another (B).
As part of this we were advised to use the setKeyAndChain service and then invoke soapHTTP.
The soapHTTP call returns the soapStatus as ‘0’ but the soapResponseData is coming back empty.
The setKeyAndChain takes PrivateKey and CertFiles as input.
Since no one shares their PrivateKey, we generated a PrivateKey and used the UserCertificate and CA certificate to make the HTTPS call, but the request doesn't seem to have reached IS(B).
We are getting the following error from IS(B):
The required client certificate was not provided by /10.248.11.206
As far as I know, for an HTTPS server to accept the client certificate, it must trust the CA / chain that generated it. Besides, according to the IS manual, the client certificate presented must exist in the server:
Thus I guess you should copy the client CA to the Trusted Authority Directory of the HTTPS port of the invoked IS. There also seems to be a property called watt.security.cert.wmChainVerifier.trustByDefault to make IS trust all certificates.
First, ensure the invocation works with HTTPS but without requiring client certificates, in order to verify that accepting client certificates is the only problem.
Ensure you copied to C:\Program Files\webMethods061\IntegrationServer\config\cert the certificate of the authority that generated your client certificate. If it is a self-generated certificate, then the authority is the certificate itself.
- Also, if your client CA is generated by another CA, remember that, in the “certFiles” parameter of the setKeyAndChain you must provide the certificates of all the certificate chain: your own client cert, the one of the CA creating it, and the ones of all other CAs creating the CA.
When client certificates are required, they are used to map to IS users for authentication; i.e. your client certificate must be associated to an IS user in the server. For this, you must:
- Import the client certificate in the server IS, in Security > Certificates > Configure Client Certificates.
- Once the certificate is imported, you have to associate it to an existing IS user.
- You may also try to use not a SOAP call, but a plain HTTP one (pub.client:http), passing the service parameters as GET arguments in the URL.
- You may also try to use a client other than IS. E.g. you may import your client certificate into Internet Explorer and try to invoke a service in server B from the URL line. I suppose Internet Explorer will ask you to select a client certificate to use. If this works, then the problem lies not in the server IS, but in the client one.
In the client IS, instead of giving the private key in setKeyAndChain, you may also try to configure IS with a default client certificate (Security > Certificates > Edit).
Yet another alternative mechanism between ISs is to use remote service invocation, pub.remote:invoke, and setting a remote server alias using SSL, but this would be another path.
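
An added example, not part of the original thread: before loading files into setKeyAndChain, the key and chain can be checked offline with the openssl command line (assumed to be installed). TLS client authentication only works when the private key is the one certified by the client certificate, and the certificate must chain to a CA the server trusts. The function names and every key and certificate below are constructed for the illustration.

```sh
#!/bin/sh
# Added example: all keys and certificates below are constructed test material.
set -eu
WORK=$(mktemp -d)
trap 'rm -rf "$WORK"' EXIT

# True when the private key ($1) holds the key pair certified by the cert ($2).
key_matches_cert() {
  pub=$(openssl pkey -in "$1" -pubout 2>/dev/null) || return 1
  [ -n "$pub" ] && [ "$pub" = "$(openssl x509 -in "$2" -noout -pubkey 2>/dev/null)" ]
}

# True when the leaf ($2) chains to the trusted root ($1); $3 is an optional
# PEM file holding the intermediate CA certificates.
chain_verifies() {
  openssl verify -CAfile "$1" ${3:+-untrusted "$3"} "$2" 2>/dev/null | grep -q ': OK$'
}

# Report on the key/certFiles pair a client would hand to setKeyAndChain.
check_client_material() {   # $1=private key  $2=client cert  $3=CA cert
  key_matches_cert "$1" "$2" || { echo "FAIL: key does not belong to certificate"; return 1; }
  chain_verifies "$3" "$2"   || { echo "FAIL: certificate does not chain to CA"; return 1; }
  echo "OK: key matches certificate and chain verifies"
}

# Constructed CA, a client certificate it signs, and an unrelated key.
openssl req -x509 -newkey rsa:2048 -nodes -days 1 -subj "/CN=Constructed Test CA" \
  -keyout "$WORK/ca.key" -out "$WORK/ca.pem" 2>/dev/null
openssl req -newkey rsa:2048 -nodes -subj "/CN=Constructed IS client" \
  -keyout "$WORK/client.key" -out "$WORK/client.csr" 2>/dev/null
openssl x509 -req -in "$WORK/client.csr" -CA "$WORK/ca.pem" -CAkey "$WORK/ca.key" \
  -CAcreateserial -days 1 -out "$WORK/client.pem" 2>/dev/null
openssl genrsa -out "$WORK/stray.key" 2048 2>/dev/null

check_client_material "$WORK/client.key" "$WORK/client.pem" "$WORK/ca.pem"
# A freshly generated key paired with an existing certificate is rejected.
check_client_material "$WORK/stray.key" "$WORK/client.pem" "$WORK/ca.pem" || true
```

For a longer chain, pass the intermediate CA certificates as a third argument to `chain_verifies`, concatenated in one PEM file.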