URGENT help is much appreciated…
OurCompany created a private key for raising a CSR and sent it to PartnerCompany. PartnerCompany came back to us with a p12 certificate, pfx file. Now, we used openssl to extract the private key and the certificate from the p12 keystore and placed these two files in some folder to be used by webMethods.
At the same time, we did install these certificates in our IE browser and tried to connect to PartnerCompany via an HTTPS request. We did receive an OK status back. In addition, we looked at the certificate provided by them during the SSL handshake and saved a copy of the certificate with us.
We checked the certificate chain from their certificate and since it was signed by Verisign, we exported the corresponding root CA certificates from our IE and placed them safely in the $IS-ROOT/config/certs/cas folder.
The certificate chain in their certificate and ours is different, but that's obvious and makes sense anyway.
On the webMethods Admin console, under Security > Certificates link, the “CA Certificate Directory” for the “Trusted Certificates” was set to $IS-ROOT/config/certs/cas.
Created a test service just trying to connect to PartnerCompany via public.client:http service. Before the invocation of this service, we used public.security:setKeyAndChain for us to be able to provide our certificates during SSL handshake. Running this service brought out - “Server certificate reject by chain verifier” exception.
FAILED
Although we had PartnerCompany’s chain certificates in our trusted keystore and set, we still thought it was worth a try placing our certificate’s chain (PartnerCompany being CA for our certificates) in the same folder. Same error.
FAILED
On the admin console, we set:
Server’s Signed Certificate (under Outbound SSL Certificates) = path to our signed certificate
Signing CA’s Certificate = PartnerCompany’s Root CA Certificate
Server’s Private Key = our private key in DER format.
We got SSLException while handshaking: Peer sent alert: Alert Fatal: bad certificate
We tried setting PartnerCompany’s intermediate CA certificate in Signing CA’s Certificate, but no luck.
We used the Certificate Toolkit to convert the chain certificates to DER format and placed them correctly.
We’ve tried various combinations of setting our extended field settings but currently we have:
watt.net.ssl.client.handshake.minVersion=sslv3
watt.net.ssl.client.handshake.maxVersion=sslv3
watt.security.ssl.ignoreExpiredChains=true
watt.security.ssl.cacheClientSessions=false
watt.security.cert.wmChainVerifier.trustByDefault=true
watt.ssl.iaik.debug=true
watt.net.ssl.debug=true
watt.security.ssl.client.ignoreEmptyAuthoritiesList=true
Although we don’t see the SSL logging in any of our log files.
This morning, we reverted everything back to how it was and, from the p12 certificate, exported the certificate and key using the openssl command in PEM format. Converted PEM to DER format using the same openssl tool:
to convert a private key from PEM to DER format:
openssl rsa -in userkey.pem -out userkey.der -outform DER
to convert a certificate from PEM to DER format:
openssl x509 -in cert.pem -out cert.der -outform DER
All the chain certificates (ours and PartnerCompany’s) were converted to DER format using the Certificate Toolkit and placed in the $IS-ROOT/config/certs/cas folder. Tried running the service with/without the setKeyAndChain step. Either the service goes into an infinite wait resulting in “read timed out”, or “Peer Sent Alert: bad certificate”.
Configuration on our system:
Product: webMethods Integration Server
Version: 6.1
Updates: TNS_6-1_Fix15, TNS_6-1_Fix10, TNS_6-1_Fix5, TNS_6-1_Fix12, TNS_6-1_Fix18, TNS_6-1_Fix2, IS_6-1_SP2_Audit_Fix1, IS_6-1_SP2_Flow_Fix1, IS_6-1_SP2_Core_Fix6, IS_6-1_SP2_XA_Fix2, IS_6-1_SP2, IS_6-1_SP1_Fix116, IS_6-1_SP1_Fix85, IS_6-1_SP1_Fix106
Build Number: 132
SSL: Strong (128-bit)
Java Version: 1.4.2.05 (48.0)
OS: HP-UX
OS Platform: PA_RISC2.0
OS Version: B.11.11
Let me know if I haven’t provided any info that I should have…
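The check behind the “rejected by chain verifier” symptom above, reproduced offline as an added example (not from the original post or from webMethods): a constructed root/intermediate/leaf PKI is bundled into a p12, the leaf is extracted with openssl as in the post, and openssl verify is run against two candidate trust directories standing in for $IS-ROOT/config/certs/cas. All CA names, the password and the paths are placeholders.

```shell
#!/bin/sh
# Added example: does the trust directory hold every issuer the chain verifier needs?
set -e
WORK=$(mktemp -d)

build_pki() {
    # Constructed root and intermediate CA (placeholder names, not PartnerCompany's CAs).
    printf 'basicConstraints=critical,CA:TRUE\nkeyUsage=critical,keyCertSign\n' > "$WORK/ca.ext"
    openssl req -newkey rsa:2048 -nodes -subj "/CN=Constructed Root CA" \
        -keyout "$WORK/root.key" -out "$WORK/root.csr" 2>/dev/null
    openssl x509 -req -days 30 -in "$WORK/root.csr" -signkey "$WORK/root.key" \
        -extfile "$WORK/ca.ext" -out "$WORK/root.pem" 2>/dev/null
    openssl req -newkey rsa:2048 -nodes -subj "/CN=Constructed Intermediate CA" \
        -keyout "$WORK/inter.key" -out "$WORK/inter.csr" 2>/dev/null
    openssl x509 -req -days 30 -in "$WORK/inter.csr" -CA "$WORK/root.pem" \
        -CAkey "$WORK/root.key" -CAcreateserial -extfile "$WORK/ca.ext" -out "$WORK/inter.pem" 2>/dev/null
    # Leaf (the peer's server certificate), issued by the intermediate only.
    openssl req -newkey rsa:2048 -nodes -subj "/CN=partner.example" \
        -keyout "$WORK/leaf.key" -out "$WORK/leaf.csr" 2>/dev/null
    openssl x509 -req -days 30 -in "$WORK/leaf.csr" -CA "$WORK/inter.pem" \
        -CAkey "$WORK/inter.key" -CAcreateserial -out "$WORK/leaf.pem" 2>/dev/null
    # Bundle leaf + key + chain into a p12, then extract the leaf again as the post does.
    cat "$WORK/inter.pem" "$WORK/root.pem" > "$WORK/chain.pem"
    openssl pkcs12 -export -passout pass:test -inkey "$WORK/leaf.key" -in "$WORK/leaf.pem" \
        -certfile "$WORK/chain.pem" -out "$WORK/bundle.p12"
    openssl pkcs12 -in "$WORK/bundle.p12" -passin pass:test -clcerts -nokeys \
        -out "$WORK/x_leaf.pem" 2>/dev/null
    # Two candidate trust directories: root only, and root plus intermediate.
    mkdir -p "$WORK/cas_root_only" "$WORK/cas_full"
    cp "$WORK/root.pem" "$WORK/cas_root_only/"
    cp "$WORK/root.pem" "$WORK/inter.pem" "$WORK/cas_full/"
}

# verify_chain LEAF CADIR: succeeds only if every issuer up to a self-signed root is in
# CADIR, which is what a chain verifier needs when the peer does not send its intermediates.
verify_chain() {
    cat "$2"/*.pem > "$WORK/trusted.pem"
    openssl verify -CAfile "$WORK/trusted.pem" "$1" >/dev/null 2>&1
}

build_pki
for d in cas_root_only cas_full; do
    if verify_chain "$WORK/x_leaf.pem" "$WORK/$d"; then echo "$d: chain verified"
    else echo "$d: chain verification FAILED (intermediate missing from trust dir?)"; fi
done
```

The root-only directory fails with "unable to get local issuer certificate" while the directory holding the intermediate as well verifies, so the same check against the real trust directory and the saved peer certificate shows whether the rejection comes from an incomplete chain rather than from the outbound client certificate.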