SOAP Call Over HTTPS Not Working For Datapower Appliance

[FONT=Arial][SIZE=2][COLOR=#0000ff][COLOR=#0000ff]I am trying to make a SOAP request using pub.client.soapHTTP to a datapower appliance. The call fails because the IS is deciding not to send the client authentication certs over to datapower. Here is the SSL communication for that request:

serverURL: WMIS-TT.PRIVATE.SOMEWHERE.COM
ssl_debug(2): Starting handshake (iSaSiLk 3.03)…
ssl_debug(2): Sending v2 client_hello message, requesting version 3.1…
ssl_debug(2): Received v3 server_hello handshake message.
ssl_debug(2): Server selected SSL version 3.1.
ssl_debug(2): Server created new session 7C:E6:7F:C6:C2:C6:C2:9C…
ssl_debug(2): CipherSuite selected by server: SSL_RSA_WITH_RC4_128_MD5
ssl_debug(2): CompressionMethod selected by server: NULL
ssl_debug(2): Received certificate handshake message with server certificate.
ssl_debug(2): Server sent a 1024 bit RSA certificate, chain has 1 elements.
ssl_debug(2): Received certificate_request handshake message.
ssl_debug(2): Accepted certificate types: RSA, DSS
ssl_debug(2): Accepted certificate authorities:
ssl_debug(2): (empty list)
ssl_debug(2): Received server_hello_done handshake message.
ssl_debug(2): No client certificate available, sending empty certificate message…
ssl_debug(2): Sending client_key_exchange handshake message (1024 bit)…
ssl_debug(2): Sending change_cipher_spec message…
ssl_debug(2): Sending finished message…
ssl_debug(2): Exception sending message: java.net.SocketException: There is no process to read data written to a pipe.
ssl_debug(2): Shutting down SSL layer…
ssl_debug(2): IOException while handshaking: There is no process to read data written to a pipe.

So I rechecked the IS setup and verified that the certs are installed and all set. They are not in DER format but I even tried that too. In an effort to prove that the certs are working correctly I pointed the pub.client:soapHTTP call to the default soap handler of another IS However, when I point the same pub.client:soapHTTP call over to another IS and you can see that the client certs are transferred correctly:

[/COLOR][/COLOR][/SIZE][/FONT]

serverURL: WMIS-TT.PRIVATE.SOMEWHERE.COM
ssl_debug(1): Starting handshake (iSaSiLk 3.03)…
ssl_debug(1): Sending v2 client_hello message, requesting version 3.1…
ssl_debug(1): Received v3 server_hello handshake message.
ssl_debug(1): Server selected SSL version 3.1.
ssl_debug(1): Server created new session 42:39:AE:18:B0:91:EC:49…
ssl_debug(1): CipherSuite selected by server: SSL_RSA_WITH_RC4_128_MD5
ssl_debug(1): CompressionMethod selected by server: NULL
ssl_debug(1): Received certificate handshake message with server certificate.
ssl_debug(1): Server sent a 1024 bit RSA certificate, chain has 2 elements.
ssl_debug(1): Received certificate_request handshake message.
ssl_debug(1): Accepted certificate types: RSA, DSS
ssl_debug(1): Accepted certificate authorities:

ssl_debug(1): Received server_hello_done handshake message.
ssl_debug(1): Sending certificate handshake message with RSA client certificate…
ssl_debug(1): Sending client_key_exchange handshake message (1024 bit)…
ssl_debug(1): Sending certificate_verify handshake message…
ssl_debug(1): Sending change_cipher_spec message…
ssl_debug(1): Sending finished message…
ssl_debug(1): Received change_cipher_spec message.
ssl_debug(1): Received finished message.
ssl_debug(1): Session added to session cache.
ssl_debug(1): Handshake completed, statistics:
ssl_debug(1): Read 2393 bytes in 3 records, wrote 2112 bytes in 4 records.

Any idea what would cause the IS to not send the client certs? One thought was that maybe the datapower was not requesting client certs but it must be because its closing the connection down right after it gets an empty certificate.

I have a ticket opened with webMethods but nothing has come of it yet.

Pre-thanks for any help or light you are able to shed on this.

Hi,

the below link may be helpful

http://www.wmusers.com/forum/showthread.php?t=16076

Thank you for the response, I did look at this article and tried the various suggestions within it: making the certs DER, having the self signed cert as both the server and CA cert, and also putting the pub.security:setKeyAndChain flow before my pub.client:soapHTTP but nothing seems to have helped.

WebMethods suggested that perhaps my datapower device was not sending the server cert correctly and thus WebMethods was not sending the client back. So today we did a packet capture and verified that the datapower device was sending its cert.

The solution was to set the extended setting:
watt.security.ssl.client.ignoreEmptyAuthoritiesList=true

This was because the Datapower cert was not presenting any CA’s as signing their cert (they were self signed).
Thanks shahid for helping with this.