Server certificate rejected by ChainVerifier

Hi,
In the B2B application, we are acting as the server and have 5 partners.
Recently we got a new server SSL certificate to be implemented on our production. After implementation, 4 of the 5 partners are able to connect to the production environment, but one of them is getting the following exception:

com.wm.app.b2b.server.ServiceException: java.io.IOException: iaik.security.ssl.SSLException: Server certificate rejected by ChainVerifier

Environment @server side:
wM 6.5
Unix AIX

Environment @ partner side
wm6.5

Please, I need an urgent solution!!!

Your quick response is highly appreciated.

It's urgent.

Thanks in advance!

Regards,
wMuser01

Check whether the certificates are in the correct order and signed by trusted authorities. Also check whether the partner is sending the certificates in the same order as what you have installed.

Hi,
I hope by this time your issue has been resolved. If the issue still persists, then try the following.

If your client is not able to connect to your IS server, then check with the client whether he has copied your server's new CA cert and intermediate cert into the CA cert location of his IS and restarted the server.
Let me know if this does not resolve the issue.

First of all, thanks for your replies.
I tried it and suggested it to my client, but the client is facing the same issue.
Till now we are getting the same error.

Regards,
wmuser01

Hi wmuser001,
Can you tell us in detail what you have tried so far and what the current status is? If there is a new error, or still the old one, please attach the complete SSL logs. That would be more helpful in understanding the issue than providing only the information “we tried and still same issue.”

Regards,
Vikas

We verified with the client, but they said that they are getting the same error.
com.wm.app.b2b.server.ServiceException: java.io.IOException: iaik.security.ssl.SSLException: Server certificate rejected by ChainVerifier

Here are the log details …

ssl_debug(1): Starting handshake (iSaSiLk 3.03)…
ssl_debug(1): Sending v2 client_hello message, requesting version 3.1…
ssl_debug(1): Received v3 server_hello handshake message.
ssl_debug(1): Server selected SSL version 3.1.
ssl_debug(1): Server created new session D5:B2:EF:94:FD:00:42:A0…
ssl_debug(1): CipherSuite selected by server: SSL_RSA_WITH_RC4_128_MD5
ssl_debug(1): CompressionMethod selected by server: NULL
ssl_debug(1): Received certificate handshake message with server certificate.
ssl_debug(1): Server sent a 1024 bit RSA certificate, chain has 2 elements.
com.wm.util.LocalizedCertificateException: [ISC.0009.9001] Certificate chain broken: not linked properly
at com.wm.security.cert.wmChainVerifier.verifyChain(wmChainVerifier.java:175)
at iaik.x509.ChainVerifier.verifyChain(Unknown Source)
at com.wm.security.wmTrustDecider.isTrustedPeer(wmTrustDecider.java:157)
at iaik.security.ssl.f.a(Unknown Source)
at iaik.security.ssl.f.f(Unknown Source)
at iaik.security.ssl.f.d(Unknown Source)
at iaik.security.ssl.e.c(Unknown Source)
at iaik.security.ssl.SSLTransport.startHandshake(Unknown Source)
at iaik.security.ssl.SSLTransport.getInputStream(Unknown Source)
at iaik.security.ssl.SSLSocket.getInputStream(Unknown Source)
at com.wm.net.NetURLConnection.trySSLConnect(NetURLConnection.java:654)
at com.wm.net.NetURLConnection.httpsConnect(NetURLConnection.java:526)
at com.wm.net.NetURLConnection.connect(NetURLConnection.java:163)
at com.wm.net.HttpURLConnection.getOutputStream(HttpURLConnection.java:410)
at com.wm.net.HttpContext.getOutputStream(HttpContext.java:579)
at com.wm.net.HttpContext.getOutputStream(HttpContext.java:555)
at com.wm.net.HttpContext.post(HttpContext.java:339)
at pub.clientimpl.http(clientimpl.java:865)
at sun.reflect.NativeMethodAccessorImpl.invoke0(Native Method)
at sun.reflect.NativeMethodAccessorImpl.invoke(NativeMethodAccessorImpl.java:39)
at sun.reflect.DelegatingMethodAccessorImpl.invoke(DelegatingMethodAccessorImpl.java:25)
at java.lang.reflect.Method.invoke(Method.java:324)
at com.wm.app.b2b.server.JavaService.baseInvoke(JavaService.java:322)
at com.wm.app.b2b.server.invoke.InvokeManager.process(InvokeManager.java:612)
at com.wm.app.b2b.server.invoke.StatisticsProcessor.process(StatisticsProcessor.java:44)
at com.wm.app.b2b.server.invoke.ServiceCompletionImpl.process(ServiceCompletionImpl.java:226)
at com.wm.app.b2b.server.invoke.ValidateProcessor.process(ValidateProcessor.java:49)
at com.wm.app.b2b.server.ACLManager.process(ACLManager.java:198)
at com.wm.app.b2b.server.invoke.DispatchProcessor.process(DispatchProcessor.java:39)
at com.wm.app.b2b.server.AuditLogManager.process(AuditLogManager.java:411)
at com.wm.app.b2b.server.invoke.InvokeManager.invoke(InvokeManager.java:521)
at com.wm.app.b2b.server.invoke.InvokeManager.invoke(InvokeManager.java:369)
at com.wm.app.b2b.server.ServiceManager.invoke(ServiceManager.java:246)
at com.wm.app.b2b.server.BaseService.invoke(BaseService.java:168)
at com.wm.lang.flow.FlowInvoke.invoke(FlowInvoke.java:324)
at com.wm.lang.flow.FlowState.invokeNode(FlowState.java:581)
at com.wm.lang.flow.FlowState.step(FlowState.java:438)
at com.wm.lang.flow.FlowState.invoke(FlowState.java:403)
at com.wm.app.b2b.server.FlowSvcImpl.baseInvoke(FlowSvcImpl.java:982)
at com.wm.app.b2b.server.invoke.InvokeManager.process(InvokeManager.java:612)
at com.wm.app.b2b.server.invoke.StatisticsProcessor.process(StatisticsProcessor.java:44)
at com.wm.app.b2b.server.invoke.ServiceCompletionImpl.process(ServiceCompletionImpl.java:226)
at com.wm.app.b2b.server.invoke.ValidateProcessor.process(ValidateProcessor.java:49)
at com.wm.app.b2b.server.ACLManager.process(ACLManager.java:198)
at com.wm.app.b2b.server.invoke.DispatchProcessor.process(DispatchProcessor.java:39)
at com.wm.app.b2b.server.AuditLogManager.process(AuditLogManager.java:411)
at com.wm.app.b2b.server.invoke.InvokeManager.invoke(InvokeManager.java:521)
at com.wm.app.b2b.server.invoke.InvokeManager.invoke(InvokeManager.java:369)
at com.wm.app.b2b.server.ServiceManager.invoke(ServiceManager.java:246)
at com.wm.app.b2b.server.comm.DefaultServerRequestHandler.handleMessage(DefaultServerRequestHandler.java:129)
at com.wm.app.b2b.server.HTTPMessageHandler.process(HTTPMessageHandler.java:168)
at com.wm.app.b2b.server.Dispatch.run(Dispatch.java:312)
at com.wm.util.pool.PooledThread.run(PooledThread.java:105)
at java.lang.Thread.run(Thread.java:534)
ssl_debug(1): Sending alert: Alert Fatal: bad certificate
ssl_debug(1): Shutting down SSL layer…

Regards,
wmuser01

Can you tell me how you have configured the certificate on your server side? From the logs it seems the certificates are not configured properly on your server. In the logs it seems the client is connecting with a certificate that has a chain of two certificates (leaf and root). Make sure that at your end you have saved the customer's CA cert to your server's Trusted CA cert location, that the customer's leaf cert is copied to the cert location, and that you restarted your server (server restart is mandatory). Then map the leaf cert to the partner ID from the IS console.
Also make sure the certificates are not expired. I believe you have followed these steps already, but still double-check it.

Regards,
Vikas

Hi,
Has your issue been resolved?

Hi wmuser01,

We also faced this issue earlier. After troubleshooting, we found that there were 2 elements present in the client certificate that was sent to us during the handshake (the actual chain has 3 elements), so we were not receiving the complete chain or it was out of order. That's why the error was coming. When the complete certs were sent and in order (matching what we had on our side), it was resolved.

Please follow all the steps suggested by Vikas after checking this.

Thanks
-Hemendra

Hi,
Thanks for the replies.
I am still facing the same issue.
I configured everything properly. If not, all 5 of my partners would face the same issue, but only one of the 5 partners is facing this kind of issue!!!
After doing some debugging and changes, we are now getting the following error…
ssl_debug(174): Received alert message: Alert Fatal: bad certificate
ssl_debug(174): SSLException while handshaking: Peer sent alert: Alert Fatal: bad certificate
ssl_debug(174): Shutting down SSL layer…
ssl_debug(174): Closing transport…
This is frustrating …

Please help me.

Thanks in advance …

Hi WMUSER,
Please go through the check points mentioned below.

-> Check the number of elements in the client’s certificate.
-> Check whether the root chain is copied correctly into the ‘cacerts’ location of IS & RI and both servers were restarted.
-> Check whether the user certificate is expired.

Hi,

It's clearly stating that there is a problem with the certificate only.
Please double-check all the certs (CA, intermediate, public) of the partner for which it's failing. It is good to check with the partner itself and match the serial number, expiry date, signing authority, order of certs, mapping, ACL of the partner name mapped, its group and the services.

Please check the config for a successful partner and match it with the failing one.

Thanks,
-Hemendra
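
An added example, not part of any post in this thread and not webMethods or IAIK code: a names-only model of the checks the replies above describe (number of chain elements, order, expiry, trusted root). The certificate names, dates and the `diagnose_chain` helper are constructed for illustration; a real chain verifier also validates each signature, which this sketch does not.

```python
from datetime import date

# Constructed sample certificates (illustrative names and dates, leaf -> root).
ROOT = {"subject": "CN=Example Root CA", "issuer": "CN=Example Root CA",
        "not_after": date(2030, 1, 1)}
INTER = {"subject": "CN=Example Issuing CA", "issuer": "CN=Example Root CA",
         "not_after": date(2026, 1, 1)}
LEAF = {"subject": "CN=b2b.example.com", "issuer": "CN=Example Issuing CA",
        "not_after": date(2025, 6, 1)}


def diagnose_chain(presented, trusted, today):
    """Check a chain as sent in the handshake (leaf first) by issuer/subject names.

    presented: list of cert dicts in the order the peer sent them
    trusted:   set of subject names present in the local trusted CA store
    Returns a list of findings; an empty list means the names link correctly.
    """
    findings = []
    sent = {c["subject"] for c in presented}
    for i, cert in enumerate(presented):
        name, issuer = cert["subject"], cert["issuer"]
        nxt = presented[i + 1]["subject"] if i + 1 < len(presented) else None
        if cert["not_after"] < today:
            findings.append(f"expired: {name}")
        if issuer == name:                      # self-signed root
            if name not in trusted:
                findings.append(f"untrusted root: {name}")
            if nxt is not None:
                findings.append(f"out of order: root {name} is not last")
        elif issuer == nxt:                     # correctly linked to next element
            continue
        elif issuer in sent:                    # issuer was sent, but elsewhere
            findings.append(f"out of order: issuer of {name} is not the next element")
        elif issuer not in trusted:             # issuer absent from chain and store
            findings.append(f"missing issuer: {issuer} neither sent nor trusted")
    return findings


if __name__ == "__main__":
    store, day = {"CN=Example Root CA"}, date(2025, 1, 1)
    print(diagnose_chain([LEAF, INTER, ROOT], store, day))   # complete chain
    print(diagnose_chain([LEAF, ROOT], store, day))          # 2 of 3 elements sent
    print(diagnose_chain([LEAF, ROOT, INTER], store, day))   # wrong order
    print(diagnose_chain([LEAF, INTER, ROOT], set(), day))   # CA not imported
```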

Hi wmuser1,

From the thread I understand the problem is with inbound as well as outbound, as you said the client is facing the same issue.
There is a similar thread for this; check if it helps.
http://www.wmusers.com/forum/showthread.php?p=283#poststop

I have faced this same issue a couple of times… we always find that it is because the certificates are expired. Check the certificate expiry date once… it might help you.

Did you try with watt.security.ssl.client.ignoreEmptyAuthoritiesList=true in the extended settings?
Regards.