SSL error when connecting on-premise Integration Server with Integration Cloud

Hi there,

In order to test hybrid integration on Integration Cloud, I am trying to connect my on-premise Integration Server with my Integration Cloud following the instructions in Configuring On-Premise Integration Servers for webMethods Cloud, page 12. In the IS Administrator, I enter my username and password and https://integration.webmethodscloud.com as webMethods Cloud URL. (I also tried https://thesse.webmethodscloud.com - with the same result.) I am always getting the following error message:

The following error occurred while saving settings: com.wm.app.b2b.server.ServiceException: java.io.IOException: javax.net.ssl.SSLHandshakeException: sun.security.validator.ValidatorException: PKIX path building failed: sun.security.provider.certpath.SunCertPathBuilderException: unable to find valid certification path to requested target. See the error log for the full stack trace.

Maybe something else has to be configured on the on-premise Integration Server?

Thanks a lot!

Best regards,
Thomas

Just found out that the Integration Server seems to have problems with SSL connections in general: I have created a flow service calling pub.client:http service. This is working fine for http URLs, but for every https URL, I am getting the following stack trace:

com.wm.app.b2b.server.ServiceException: java.io.IOException: javax.net.ssl.SSLHandshakeException: sun.security.validator.ValidatorException: PKIX path building failed: sun.security.provider.certpath.SunCertPathBuilderException: unable to find valid certification path to requested target
at pub.clientimpl.http(clientimpl.java:1035)
at sun.reflect.NativeMethodAccessorImpl.invoke0(Native Method)
at sun.reflect.NativeMethodAccessorImpl.invoke(NativeMethodAccessorImpl.java:62)
at sun.reflect.DelegatingMethodAccessorImpl.invoke(DelegatingMethodAccessorImpl.java:43)
at java.lang.reflect.Method.invoke(Method.java:498)
at com.wm.app.b2b.server.JavaService.baseInvoke(JavaService.java:404)
at com.wm.app.b2b.server.invoke.InvokeManager.process(InvokeManager.java:646)
at com.wm.app.b2b.server.util.tspace.ReservationProcessor.process(ReservationProcessor.java:39)
at com.wm.app.b2b.server.invoke.StatisticsProcessor.process(StatisticsProcessor.java:49)
at com.wm.app.b2b.server.invoke.ServiceCompletionImpl.process(ServiceCompletionImpl.java:243)
at com.wm.app.b2b.server.invoke.ValidateProcessor.process(ValidateProcessor.java:49)
at com.wm.app.b2b.server.invoke.PipelineProcessor.process(PipelineProcessor.java:171)
at com.wm.app.b2b.server.ACLManager.process(ACLManager.java:299)
at com.wm.app.b2b.server.invoke.DispatchProcessor.process(DispatchProcessor.java:34)
at com.wm.app.b2b.server.AuditLogManager.process(AuditLogManager.java:377)
at com.wm.app.b2b.server.invoke.InvokeManager.invoke(InvokeManager.java:545)
at com.wm.app.b2b.server.invoke.InvokeManager.invoke(InvokeManager.java:382)
at com.wm.app.b2b.server.ServiceManager.invoke(ServiceManager.java:234)
at com.wm.app.b2b.server.BaseService.invoke(BaseService.java:215)
at com.wm.lang.flow.FlowInvoke.invoke(FlowInvoke.java:257)
at com.wm.lang.flow.FlowState.invokeNode(FlowState.java:520)
at com.wm.lang.flow.FlowState.step(FlowState.java:389)
at com.wm.lang.flow.FlowState.invoke(FlowState.java:360)
at com.wm.app.b2b.server.FlowSvcImpl.baseInvoke(FlowSvcImpl.java:1123)
at com.wm.app.b2b.server.invoke.InvokeManager.process(InvokeManager.java:646)
at com.wm.app.b2b.server.util.tspace.ReservationProcessor.process(ReservationProcessor.java:39)
at com.wm.app.b2b.server.invoke.StatisticsProcessor.process(StatisticsProcessor.java:49)
at com.wm.app.b2b.server.invoke.ServiceCompletionImpl.process(ServiceCompletionImpl.java:243)
at com.wm.app.b2b.server.invoke.ValidateProcessor.process(ValidateProcessor.java:49)
at com.wm.app.b2b.server.invoke.PipelineProcessor.process(PipelineProcessor.java:171)
at com.wm.app.b2b.server.ACLManager.process(ACLManager.java:299)
at com.wm.app.b2b.server.invoke.DispatchProcessor.process(DispatchProcessor.java:34)
at com.wm.app.b2b.server.AuditLogManager.process(AuditLogManager.java:377)
at com.wm.app.b2b.server.invoke.InvokeManager.invoke(InvokeManager.java:545)
at com.wm.app.b2b.server.invoke.InvokeManager.invoke(InvokeManager.java:382)
at com.wm.app.b2b.server.ServiceManager.invoke(ServiceManager.java:234)
at com.wm.app.b2b.server.comm.DefaultServerRequestHandler.handleMessage(DefaultServerRequestHandler.java:119)
at com.wm.app.b2b.server.HTTPMessageHandler.process(HTTPMessageHandler.java:156)
at com.wm.app.b2b.server.HTTPDispatch.handleRequest(HTTPDispatch.java:173)
at com.wm.app.b2b.server.Dispatch.run(Dispatch.java:397)
at com.wm.util.pool.PooledThread.run(PooledThread.java:127)
at java.lang.Thread.run(Thread.java:745)
Caused by: java.io.IOException: javax.net.ssl.SSLHandshakeException: sun.security.validator.ValidatorException: PKIX path building failed: sun.security.provider.certpath.SunCertPathBuilderException: unable to find valid certification path to requested target
at com.wm.ext.jsse.JSSESecureSocketFactory.newSocket(JSSESecureSocketFactory.java:572)
at com.wm.ext.jsse.JSSESecureSocketFactory.createSocket(JSSESecureSocketFactory.java:466)
at com.wm.net.socket.pool.SocketPool.getSocketWrapper(SocketPool.java:197)
at com.wm.net.socket.pool.SocketPoolManager._getSocketWrapper(SocketPoolManager.java:128)
at com.wm.net.socket.pool.SocketPoolManager.getSocketWrapper(SocketPoolManager.java:110)
at com.wm.net.NetURLConnection.getSocket(NetURLConnection.java:1047)
at com.wm.net.NetURLConnection.openDirectConnection(NetURLConnection.java:1022)
at com.wm.net.NetURLConnection.connect(NetURLConnection.java:197)
at com.wm.net.NetURLConnection._getInputStream(NetURLConnection.java:414)
at com.wm.net.NetURLConnection.getInputStream(NetURLConnection.java:320)
at com.wm.net.HttpContext.getFinalInputStream(HttpContext.java:864)
at com.wm.net.HttpContext.getInputStream(HttpContext.java:353)
at com.wm.net.HttpContext.getInputStream(HttpContext.java:325)
at com.wm.net.HttpContext.get(HttpContext.java:367)
at com.wm.net.HttpContext.get(HttpContext.java:383)
at pub.clientimpl.http(clientimpl.java:870)
… 41 more
Caused by: javax.net.ssl.SSLHandshakeException: sun.security.validator.ValidatorException: PKIX path building failed: sun.security.provider.certpath.SunCertPathBuilderException: unable to find valid certification path to requested target
at sun.security.ssl.Alerts.getSSLException(Alerts.java:192)
at sun.security.ssl.SSLSocketImpl.fatal(SSLSocketImpl.java:1949)
at sun.security.ssl.Handshaker.fatalSE(Handshaker.java:302)
at sun.security.ssl.Handshaker.fatalSE(Handshaker.java:296)
at sun.security.ssl.ClientHandshaker.serverCertificate(ClientHandshaker.java:1509)
at sun.security.ssl.ClientHandshaker.processMessage(ClientHandshaker.java:216)
at sun.security.ssl.Handshaker.processLoop(Handshaker.java:979)
at sun.security.ssl.Handshaker.process_record(Handshaker.java:914)
at sun.security.ssl.SSLSocketImpl.readRecord(SSLSocketImpl.java:1062)
at sun.security.ssl.SSLSocketImpl.performInitialHandshake(SSLSocketImpl.java:1375)
at sun.security.ssl.SSLSocketImpl.startHandshake(SSLSocketImpl.java:1403)
at sun.security.ssl.SSLSocketImpl.startHandshake(SSLSocketImpl.java:1387)
at com.wm.ext.jsse.JSSESecureSocketFactory.newSocket(JSSESecureSocketFactory.java:567)
… 56 more
Caused by: sun.security.validator.ValidatorException: PKIX path building failed: sun.security.provider.certpath.SunCertPathBuilderException: unable to find valid certification path to requested target
at sun.security.validator.PKIXValidator.doBuild(PKIXValidator.java:387)
at sun.security.validator.PKIXValidator.engineValidate(PKIXValidator.java:292)
at sun.security.validator.Validator.validate(Validator.java:260)
at sun.security.ssl.X509TrustManagerImpl.validate(X509TrustManagerImpl.java:324)
at sun.security.ssl.X509TrustManagerImpl.checkTrusted(X509TrustManagerImpl.java:229)
at sun.security.ssl.X509TrustManagerImpl.checkServerTrusted(X509TrustManagerImpl.java:105)
at com.wm.ext.jsse.JSSETrustManager.checkServerTrusted(JSSETrustManager.java:72)
at sun.security.ssl.AbstractTrustManagerWrapper.checkServerTrusted(SSLContextImpl.java:922)
at sun.security.ssl.ClientHandshaker.serverCertificate(ClientHandshaker.java:1491)
… 64 more
Caused by: sun.security.provider.certpath.SunCertPathBuilderException: unable to find valid certification path to requested target
at sun.security.provider.certpath.SunCertPathBuilder.build(SunCertPathBuilder.java:141)
at sun.security.provider.certpath.SunCertPathBuilder.engineBuild(SunCertPathBuilder.java:126)
at java.security.cert.CertPathBuilder.build(CertPathBuilder.java:280)
at sun.security.validator.PKIXValidator.doBuild(PKIXValidator.java:382)
… 72 more

Any idea? This was working fine yesterday! Anything that might have changed in my IS installation overnight? I have not changed anything (as far as I know…)

Thanks!

Best regards,
Thomas

Hi Thomas,

can you check the keystores and certificates configured in the IntegrationServer and IntegrationCloud?

Looks like you are missing an intermediate CA certificate.

You might want to check the cacerts file of the jvm (the one which is used for running the IntegrationServer) as well to find out if it contains the necessary CA certificates.

Regards,
Holger

Hi Holger,

Thanks a lot for your quick reply. I have checked the cacerts file at C:\SoftwareAG\jvm\jvm\jre\lib\security (hope this is the right one?) with keytool: It includes the CA certs from GetTrust used by https://integration.webmethodscloud.com. It also includes the CA certs used by https://www.welt.de which is also not working. So it does not seem to be caused by missing entries in the cacerts file.

After that, I uninstalled all Software AG programs and re-installed only the Integration Server and the Designer. Now the behavior is a bit different, but still very strange:

  • When I call pub.client:http from a flow service, it is working fine for both http and https target URLs
  • When I invoke any of the Integration Cloud functions in the IS Administration (update settings, upload account or upload application), it will always succeed first, but then every later request will fail with SunCertPathBuilderException
  • When I run my flow with pub.client:http again, it will succeed, and after that, the Integration Cloud functions in the IS Administration will succeed again one time and fail after that
  • The account testing does not work - it fails after timeout (no SunCertPathBuilderException)
  • In the Integration Cloud itself, I can see the account and the application, but the account testing also fails (after timeout, no SunCertPathBuilderException), and when I start creating an integration and click on Load Data (in step 2), the request fails - again after timeout (no SunCertPathBuilderException)
  • Building integrations with the pre-configured SaaS applications is working fine

Any idea?

Best regards,
Thomas

Hi Thomas,

you are looking at the right file, if this is the jvm the IS is running on.

But this still sounds strange as it is sometimes working and sometimes not.

Regards,
Holger

Has there been a final solution for this topic? I ran into the same issue.
I’ve installed the certs in EVERY cacerts file I found on the integration server, still I get the

"com.wm.app.b2b.server.ServiceException: java.io.IOException: javax.net.ssl.SSLHandshakeException: sun.security.validator.ValidatorException: PKIX path building failed: sun.security.provider.certpath.SunCertPathBuilderException: unable to find valid certification path to requested target"

Error. Any other place where I can look into? Is it my server's problem?

Hi Simon,

we have configured a custom truststore jks file, which contains our intermediate CAs imported with “-trustcacerts” parameter by using java keytool. This will also trust the CAs stored in cacerts file by default.

This custom jks file is imported as a Truststore under Security → Keystores in IS Admin and then assigned to the Truststore function under Security → Certificates. IntegrationServer needs to be stopped and started once after doing so.

After that the IntegrationServer should trust any certificates issued by any CA in the custom truststore jks file or in the base cacerts file of the jvm (jvm/jre/lib/security/cacerts).

Regards,
Holger

Are you trying out the trial version of the cloud?
If yes…I think the SAG people mentioned that the hybrid integration feature was not available on the Cloud trial version

Varghese

Thank you guys!

I misread the subject of this thread…we experience the issue when calling ANY https endpoint from the integration server.

@Holger: We did it your way when installing the server - I just added ssl to the wrapper log and now I can see “HTTP Handler 127.0.0.1, SEND TLSv1.2 ALERT: fatal, description = certificate_unknown”, so the reason might be our very own proxy certificate. I will investigate further and let you guys know if I find a solution.

@Varghese: no, we use IS/IC in production. But for a more complex interface I wanted to use the integration server instead of the cloud to call an https endpoint.

Thanks Simon
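
Added example, not part of any post in this thread and not Software AG code: a small Java probe that runs the JVM's PKIX check against one truststore file and prints the certificate chain that was actually presented, which shows whether the issuer is the public CA or an intercepting proxy's own CA. The class name `ChainProbe`, the `TRUSTSTORE_PASS` environment variable and the argument order are assumptions of this example; run it with the same JVM the Integration Server uses, once per truststore (cacerts, custom JKS).

```java
import java.io.FileInputStream;
import java.net.*;
import java.security.KeyStore;
import java.security.cert.CertificateException;
import java.security.cert.X509Certificate;
import javax.net.ssl.*;

// Usage: java ChainProbe <truststore.jks> <https-url> [proxyHost proxyPort]
// Truststore password is read from TRUSTSTORE_PASS (unset: load without integrity check).
public class ChainProbe {
    // Records the chain the peer presented, then delegates to the real PKIX validation.
    static class Recorder implements X509TrustManager {
        final X509TrustManager delegate;
        X509Certificate[] seen = new X509Certificate[0];
        Recorder(X509TrustManager d) { delegate = d; }
        public void checkServerTrusted(X509Certificate[] chain, String authType) throws CertificateException {
            seen = chain;                                  // keep it even if validation fails
            delegate.checkServerTrusted(chain, authType);  // throws on "PKIX path building failed"
        }
        public void checkClientTrusted(X509Certificate[] c, String a) throws CertificateException {
            delegate.checkClientTrusted(c, a);
        }
        public X509Certificate[] getAcceptedIssuers() { return delegate.getAcceptedIssuers(); }
    }

    public static void main(String[] args) throws Exception {
        KeyStore ts = KeyStore.getInstance(KeyStore.getDefaultType());
        String pw = System.getenv("TRUSTSTORE_PASS");
        try (FileInputStream in = new FileInputStream(args[0])) {
            ts.load(in, pw == null ? null : pw.toCharArray());
        }
        TrustManagerFactory tmf = TrustManagerFactory.getInstance(TrustManagerFactory.getDefaultAlgorithm());
        tmf.init(ts);                                      // trust ONLY what this file contains
        Recorder rec = new Recorder((X509TrustManager) tmf.getTrustManagers()[0]);
        SSLContext ctx = SSLContext.getInstance("TLS");
        ctx.init(null, new TrustManager[] { rec }, null);
        Proxy proxy = args.length > 3
            ? new Proxy(Proxy.Type.HTTP, new InetSocketAddress(args[2], Integer.parseInt(args[3])))
            : Proxy.NO_PROXY;
        HttpsURLConnection con = (HttpsURLConnection) new URL(args[1]).openConnection(proxy);
        con.setSSLSocketFactory(ctx.getSocketFactory());
        con.setConnectTimeout(10000);
        String verdict = "TRUSTED";
        try { con.connect(); }
        catch (SSLException e) { verdict = "HANDSHAKE FAILED: " + e.getMessage(); }
        finally { con.disconnect(); }
        System.out.println(args[1] + " -> " + verdict);
        for (X509Certificate c : rec.seen)
            System.out.println("  subject=" + c.getSubjectX500Principal() + "\n   issuer=" + c.getIssuerX500Principal());
    }
}
```

If the top-most issuer printed is an internal CA rather than the public one the site normally uses, that CA certificate is the one missing from the truststore being tested.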

Hi,

Check which certificate you are sending in the Web Service Endpoint Alias entry you use in your WSD.

Which version are you using? Not all WM versions support TLS 1.2 (and you might have to force its use in extra settings).

Does the target server have your certificates installed or at least the public certificate of the CA used to sign them?

You can also increase the SSL logging to trace the issue (on extra settings and also on custom_wrapper.conf).

Best regards,

Bom dia Gerardo,

Do I actually need to set an endpoint in my IS webview? I’m quite new to the webMethods products. Currently I just use pub.client:http and add the url in the URL field with our proxy activated (via alias).

I’m on version 10.1, calling https://google.com (just for testing of the SSL functionality), in the actual case I will do an OAuth2 flow against a service.

The increased logging tells me ‘certificate_unknown’

Any help is much appreciated, as without SSL the project will fail :confused:

Obrigado!

Hi,

If you are not using SOAP that is ok but are you setting the correct keys in the session before the call?

Have you double checked the “Service Development Help” steps on making an SSL call?

Best regards,