You’ve got some fun learning ahead of you on this one.
Other than the normal how-to-use learning to set up a certificate chain, here is one HUGE item you need to know.
To improve performance, the default behavior of the IS is to cache a certificate and certChain (I believe). So, if you need to swap different certificates, or CHANGE THE ORDER of the certificate chain, you’ll want to have this watt dot value in your extended settings. The default is true.
I think you may need to call WmPublic pub.security:setKeyAndChain before the HTTPS call in order to set the cert chain to use, assuming that the one you need to use is not already set (like as the default).
From what it looks like, you are trying to connect to a server using HTTPS, and the certificate presented by the server is rejected.
The trusted certificates of Integration Server are stored in
“Security->Certificates” “Edit Certificates Settings” “CA Certificate Directory”.
Get the Certificate Authority’s certificate from the server (in .der format) and put it in the configured folder (if one is already configured). Otherwise, put it in a folder, and use that folder name in the above settings.
I was getting the same error and noticed that one of the intermediate certificates was expired and therefore the Server was rejecting it. To test this I set the following property in server.cnf:
watt.security.ssl.ignoreExpiredChains=true
and I could make an HTTPS connection. However, in this case you should have all the certificates checked to see if they are current.
The contents below come from the Integration Administration Guide:
Most of the time you will want to specify a trusted certificates directory;
however, there may be times when you want to leave it blank. For example, you might
want to trust all certificate authorities on outbound requests and trust specific CAs on
different ports for incoming requests. For outbound requests (a certificate the server
receives from a server that it submits a request to), if you leave this field blank or
specify a directory that does not contain certificates for CAs, by default, the server
trusts all certificate authorities. The property that controls this behavior
(watt.security.cert.wmChainVerifier.trustByDefault) is set to True by default.
If this property is set to False and no directory or an empty directory is specified, the
server will trust no certificates for outbound requests.
For inbound requests, you can specify a trusted certificates directory at the server
level (on the Security Certificates screen) or at the port level (on the Edit HTTPS Port
Configuration screen). If you omit a trusted authorities directory (or specify a
directory that does not contain CA certificates) from both the server level and the port
level, the server will trust no certificate authorities. If you specify a trusted authorities
directory at the server level and at the port level, the server uses the directory
specified at the port level for determining trust on connections being made to that
port. If you specify a trusted authorities directory at just the port level, the server uses
the port-level setting for requests being made to the port.
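An added example, not part of the thread or of the product: a small audit that flags the two settings discussed above when they weaken outbound certificate checking. The function names, the finding labels, the `#` comment handling, the `.der` file filter and the assumed default of `false` for `watt.security.ssl.ignoreExpiredChains` are assumptions; the property names and the `trustByDefault` default come from the posts above.

```python
from pathlib import Path

# trustByDefault default is from the quoted guide; the other default is assumed.
DEFAULTS = {
    "watt.security.cert.wmChainVerifier.trustByDefault": "true",
    "watt.security.ssl.ignoreExpiredChains": "false",  # assumption
}

def parse_cnf(text):
    """Parse key=value lines of server.cnf text; blanks and '#' lines are skipped."""
    props = dict(DEFAULTS)
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#") or "=" not in line:
            continue
        key, value = line.split("=", 1)
        props[key.strip()] = value.strip()
    return props

def ca_dir_has_certs(ca_dir, exts=(".der",)):
    """True if ca_dir is an existing directory holding at least one cert file."""
    if not ca_dir:
        return False  # field left blank in Edit Certificates Settings
    d = Path(ca_dir)
    return d.is_dir() and any(
        p.is_file() and p.suffix.lower() in exts for p in d.iterdir())

def audit(cnf_text, ca_dir):
    """Return finding labels for the outbound trust behaviour described above."""
    props = parse_cnf(cnf_text)
    is_true = lambda key: props[key].lower() == "true"
    findings = []
    if is_true("watt.security.ssl.ignoreExpiredChains"):
        findings.append("EXPIRED_CHAINS_IGNORED")  # test setting left enabled
    if not ca_dir_has_certs(ca_dir):
        if is_true("watt.security.cert.wmChainVerifier.trustByDefault"):
            findings.append("OUTBOUND_TRUSTS_ALL_CAS")
        else:
            findings.append("OUTBOUND_TRUSTS_NO_CAS")  # every outbound call fails
    return findings

if __name__ == "__main__":
    # Constructed sample: expired chains ignored, CA directory field left blank.
    sample = "# constructed sample\nwatt.security.ssl.ignoreExpiredChains=true\n"
    print(audit(sample, None))
```

Pass the contents of server.cnf and the value of the "CA Certificate Directory" field; an empty result means neither weakening applies to outbound requests.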
Quoting: [For outbound requests (a certificate the server receives from a server that it submits a request to), if you leave this field blank or
specify a directory that does not contain certificates for CAs, by default, the server trusts all certificate authorities. ]
I altered the Trusted Certificates directory so it would be “unspecified” and retried my outbound https post and am still getting the error. I had also refreshed the cache.
My backup wm server is posting to this exact same URL with no errors. I cannot find any other differences between the two.