Server certificate rejected by ChainVerifier with HTTPS / works on SoapUI

Hi,

I’m trying to access an external HTTPS web service… but when I try to run it in webMethods (after having created the consumer), I obtain this error:
“Server certificate rejected by ChainVerifier with HTTPS”

If I try to call the same WS with SoapUI, all works fine. The web service just needs basic authentication with login/password.

  • Why does the problem occur in webMethods and not in SoapUI,
  • and how do I deal with it and configure the consumer in webMethods, please?

Regards

That seems to be exactly the same problem as mine:
http://tech.forums.softwareag.com/techjforum/posts/list/20985.page

Hi Cedric,

This means that your IS truststore does not contain or is not trusting the issuing CA of your partner's host.

Can you access the URL from a browser and see what it is presenting when checking the SSL status of the page?

Keep exploring the certificate.

Regards,
Holger

Hi Holger,

In security (Chrome) I see that the certificate is expired (please see the picture attached). Could this be the reason?

But in this case, could you explain to me how SoapUI succeeds in calling the web service without any error?

Regards

Hi Cedric,

Yes, the expired certificate can be a reason.

Can you check the certificate with Internet Explorer via the URL?
This will give you an overview with all the issues this certificate is encountering.

Might be that SoapUI does not validate the validity of the certificate.

Regards,
Holger

Hi Holger,

We could get the new certificate. Viewing it in IE, it is valid now.

We added it in the IS certificates (Admin console), Security > Certificates > Configure Client Certificates,
and tried again, but it still does not work.

What is missing, please?
Do we have to deal with keyStore and JKS?

Another point is: we cannot create the consumer directly from the HTTPS URL; we met this error:
javax.net.ssl.SSLHandshakeException: sun.security.validator.ValidatorException: PKIX path building failed: sun.security.provider.certpath.SunCertPathBuilderException: unable to find valid certification path to requested target

So saving the WSDL as a file first works for creating the consumer, but is this normal?

Regards

Hi Cedric,

Client certificates are not related to HTTPS.

You need to trust the issuing CA of the certificate in your Truststore (or the JVMs cacerts file) to get this working.
If the certificate is a self-signed certificate (a singleton) you will have to add this one to your truststore.

After this is done you should be able to create the consumer via the HTTPS URL.

Regards,
Holger

Thanks Holger
What do you mean by "to trust the issuing CA of the certificate in my Truststore"?
How do we have to proceed?

Regards

Hi Cedric,

When you check the certificate in IE or Windows Explorer, there should be an entry named Requestor and an entry named Issuer.

If these 2 entries are identical, this certificate is a self-signed certificate.

We usually have a JKS file in our environment where all intermediate CAs are stored (and the self-signed certificates, but we currently do not have any self-signed certificates).

This JKS Truststore needs to be configured under Security → Keystores as a Truststore Alias and under Security → Certificates as Truststore. Use the Truststore Alias created under Keystores for the Truststore.

See the IS Administrator's Guide for details.

Regards,
Holger
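
The truststore check described above can be reproduced outside Integration Server with plain JSSE; the following is an added example, not code from this thread or from webMethods. The class name `TrustCheck` and its four command-line arguments (host, port, JKS path, store password) are hypothetical.

```java
// Added example (hypothetical class). Usage: java TrustCheck <host> <port> <truststore.jks> <storepass>
import java.io.FileInputStream;
import java.security.KeyStore;
import java.security.cert.CertificateException;
import java.security.cert.X509Certificate;
import java.util.Date;
import javax.net.ssl.*;

public class TrustCheck {
    public static void main(String[] args) throws Exception {
        // Load the JKS file that is (or will be) configured as the truststore.
        KeyStore ts = KeyStore.getInstance("JKS");
        try (FileInputStream in = new FileInputStream(args[2])) {
            ts.load(in, args[3].toCharArray());
        }
        TrustManagerFactory tmf = TrustManagerFactory.getInstance(TrustManagerFactory.getDefaultAlgorithm());
        tmf.init(ts);
        final X509TrustManager pkix = (X509TrustManager) tmf.getTrustManagers()[0];
        final X509Certificate[][] seen = new X509Certificate[1][];
        // Record the chain the server presents, then delegate to the real PKIX
        // check, so an untrusted or expired chain is still rejected.
        X509TrustManager recorder = new X509TrustManager() {
            public void checkClientTrusted(X509Certificate[] c, String t) throws CertificateException {
                pkix.checkClientTrusted(c, t);
            }
            public void checkServerTrusted(X509Certificate[] c, String t) throws CertificateException {
                seen[0] = c;
                pkix.checkServerTrusted(c, t);
            }
            public X509Certificate[] getAcceptedIssuers() { return pkix.getAcceptedIssuers(); }
        };
        SSLContext ctx = SSLContext.getInstance("TLS");
        ctx.init(null, new TrustManager[] { recorder }, null);
        // Chain trust only: a raw SSLSocket does not check the hostname.
        try (SSLSocket s = (SSLSocket) ctx.getSocketFactory().createSocket(args[0], Integer.parseInt(args[1]))) {
            s.startHandshake();
            System.out.println("TRUSTED by " + args[2]);
        } catch (SSLException e) {
            System.out.println("REJECTED: " + e.getMessage());
        }
        if (seen[0] == null) return;
        Date now = new Date();
        for (X509Certificate c : seen[0]) {
            boolean selfSigned = c.getSubjectX500Principal().equals(c.getIssuerX500Principal());
            System.out.println("subject=" + c.getSubjectX500Principal().getName());
            System.out.println("  issuer=" + c.getIssuerX500Principal().getName());
            System.out.println("  selfSigned=" + selfSigned + " expired=" + now.after(c.getNotAfter()));
        }
    }
}
```

When the result is REJECTED, the printed issuer of the last certificate in the chain names the CA whose certificate is missing from the truststore, or shows that the server certificate itself is self-signed or expired.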

Thanks a lot for your help Holger.
Regards