Server certificate rejected by ChainVerifier using useridpwd authentication

Trying to connect to a webMethods marketsite the following error is thrown:
SSL v3 Toolkit enabled Encryption Ciphers:
SSL_RSA_EXPORT1024_WITH_DES_CBC_SHA
SSL_DHE_DSS_EXPORT1024_WITH_DES_CBC_SHA
SSL_RSA_EXPORT1024_WITH_RC4_56_SHA
SSL_DHE_DSS_EXPORT1024_WITH_RC4_56_SHA
SSL_RSA_EXPORT_WITH_DES40_CBC_SHA
SSL_DHE_RSA_EXPORT_WITH_DES40_CBC_SHA
SSL_DHE_DSS_EXPORT_WITH_DES40_CBC_SHA
SSL_DH_RSA_EXPORT_WITH_DES40_CBC_SHA
SSL_DH_DSS_EXPORT_WITH_DES40_CBC_SHA
SSL_RSA_EXPORT_WITH_RC4_40_MD5
SSL_RSA_EXPORT_WITH_RC2_CBC_40_MD5
SSL_DH_anon_EXPORT_WITH_DES40_CBC_SHA
SSL_DH_anon_EXPORT_WITH_RC4_40_MD5
SSL_RSA_WITH_NULL_SHA
SSL_RSA_WITH_NULL_MD5
Verifying peer certificate chain.
com.commerceone.xdk.excp.metadox.send.TransferException: Error while silently connecting: org.w3c.www.protocol.http.HttpException: iaik.security.ssl.SSLException: Server certificate rejected by ChainVerifier
at com.commerceone.ccs.comm.sender.http.HttpTransmitter.sendEnvelopeReceiveEnvelope(HttpTransmitter.java:193)
at com.commerceone.ccs.comm.sender.http.HttpTransmitter.handleDocument(HttpTransmitter.java:262)
at com.commerceone.ccs.comm.sender.https.HttpsTransmitter.handleDocument(HttpsTransmitter.java:383)

Any information would be greatly appreciated.

thanks.

I assume you are trying to establish an https session with the remote server. I believe this error is occurring during the SSL session handshaking setup. I think you will find that the “Server certificate rejected by ChainVerifier” message is caused by your IS not being able to verify the signature of the server certificate (Public key) of the remote server. That is, you do not have the Certificate Authority Root certificates (CA Root certificates) that signed the server’s public key cert installed in your IS. You can either ask the remote server’s operators for copies of the appropriate CA Root certs or if you can obtain their public key cert you can extract the CA Root certs from that or at least determine who the signing CA is. Once you get the CA Root certs place them in the directory defined on “Trusted Certificates” (or something like that - It is on the administrator|Certificates page). It is my experience that you must then restart IS to “activate” the new CA Root certs.

I had the same problem. After reading John’s message I checked the certificates. Somehow some very strange root certificates were installed, completely not matching (RSA 1024 bits vs. 512 bits) with the client certificate. After installing the good root certificate the problem was solved.

I’m currently getting this error. I don’t have the server’s CA Root Certificate in the “CA Certificate Directory”, but the Admin guide states that if you don’t specify a “CA Certificate Directory” it will trust all server certificates. I’ve always seen it work like this as well.

It works from the IE browser just fine. Doesn’t wm come with a file that contains the trusted root authorities? I remember editing this a few years back…

Any ideas?

Your IE browser may contain certificates that webMethods does not. webMethods won’t trust “all server certificates”, just whatever standard root certificates it comes with. I don’t have an exact list of which ones webMethods has - anyone know where that’s stored?

I ran into this exact same problem recently and it turned out that the IE installation I was using had several non-standard certificates. We ended up exporting the certificates from IE and putting them on the webMethods server, then setting the CA Certificate Directory. Of course, that meant we also had to export all the standard certificates that we needed and put those in that same directory.

We had this problem and solved it by specifying the intermediate cert as the server’s root cert instead of the CA’s Root cert.der.

Thanks

Is it not possible to ‘switch’ off the certificate checking?

Hi, I am receiving the below error:
Service : wm.server.flow:stepFlow
Doc Id : N/A
errorMessage=iaik.security.ssl.SSLException: Server certificate rejected by ChainVerifier

Can anyone help me out in resolving this issue?

What version of what product from what vendor are you using? Assuming you mean webMethods IS 7.1.x, be sure that you have applied the latest fixes. If you are using TN you may not have the proper certificate from your trading partner.

Having done that, the issue could be that your server’s security certificate is not properly formed or that it or its CA authority are not trusted by the server with which you are communicating.

Google that error to see other details.

M

Hi All,

One of our clients uses webMethods to call our web services hosted in IIS 6. Recently we changed our certificate vendor. Since then they have been getting the following error:

Error:
java.io.IOException: iaik.security.ssl.SSLException: Server certificate rejected by ChainVerifier.

Can anybody help me with this?

Hi Krishna,
After changing your certificate vendor did you provide your new certificate public key (Complete chain) to your client? If not then provide your new certificate to the client and ask him to configure it on his trusted CA certs (mainly Root and intermediate) and restart his IS server and then try connecting to your application.
Regards,
Vikas
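
Added example (not from any poster in this thread, and not webMethods or IAIK code): a constructed root, intermediate and server certificate checked against a directory of DER CA certificates, showing the rejection when the intermediate is missing and the acceptance once the complete chain is trusted. The openssl CLI stands in for the verifier; every subject name, file name and directory here is made up for the lab.

```shell
#!/bin/sh
# Constructed lab: throwaway root CA -> intermediate CA -> server certificate.
# openssl stands in for the verifier here; it is not the IS ChainVerifier.

# issue <name> <CN> <x509 signing options...>: new key + CSR, then sign it
issue() {
  name=$1; cn=$2; shift 2
  openssl req -new -newkey rsa:2048 -nodes -subj "/CN=$cn" \
    -keyout "$name.key" -out "$name.csr" 2>/dev/null &&
  openssl x509 -req -in "$name.csr" -days 2 -out "$name.pem" "$@" 2>/dev/null
}

# build_lab <dir>: writes root.der, inter.der (CA certs) and server.pem
build_lab() {
  (
    cd "$1" || exit 1
    printf 'basicConstraints=critical,CA:TRUE\n' > ca.ext
    issue root "Constructed Root CA" -signkey root.key -extfile ca.ext &&
    issue inter "Constructed Intermediate CA" -CA root.pem -CAkey root.key \
      -CAcreateserial -extfile ca.ext &&
    issue server "server.example.test" -CA inter.pem -CAkey inter.key \
      -CAcreateserial &&
    openssl x509 -in root.pem -outform DER -out root.der &&
    openssl x509 -in inter.pem -outform DER -out inter.der
  )
}

# check_chain <trust dir with *.der> <server cert>: prints TRUSTED or REJECTED
check_chain() {
  bundle=$(mktemp)
  for f in "$1"/*.der; do
    if [ -f "$f" ]; then openssl x509 -inform DER -in "$f" >> "$bundle"; fi
  done
  if openssl verify -no-CApath -CAfile "$bundle" "$2" >/dev/null 2>&1; then
    result=TRUSTED
  else
    result=REJECTED
  fi
  rm -f "$bundle"
  echo "$result"
}

# issuer_of <cert>: the CA whose certificate the trust directory must contain
issuer_of() { openssl x509 -in "$1" -noout -issuer; }

lab=$(mktemp -d) && build_lab "$lab" && mkdir "$lab/trust" || exit 1
issuer_of "$lab/server.pem"              # names the constructed intermediate CA
cp "$lab/root.der" "$lab/trust/";  check_chain "$lab/trust" "$lab/server.pem"  # REJECTED
cp "$lab/inter.der" "$lab/trust/"; check_chain "$lab/trust" "$lab/server.pem"  # TRUSTED
```
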

SSL world… always the issue is a bad certificate setup.

Sometimes to overcome them you can set to true the following:

watt.security.cert.wmChainVerifier.trustByDefault
watt.security.ssl.client.ignoreEmptyAuthoritiesList
watt.security.ssl.ignoreExpiredChains

Good luck
