Urgent Help Needed in configuring the certificate to call the HTTPS service exposed by client

Dears,

We have an issue in calling the HTTPS service that is exposed by our client.

Our client didn’t provide any certificates,

So we tried to import the exposed WSDL file into SOAP UI and tested it, which is working perfectly fine. We also identified that SOAP UI automatically downloaded the SSL certificates.

So we downloaded the certificates from the browser and are trying to use them.

We downloaded the CA chain certificates and the actual certificate and imported them from Admin -> Security -> Certificates -> Import Client Certificates. We then tried to call the service, but we are still getting the error

iaik.security.ssl.SSLException: Server certificate rejected by ChainVerifier.

Please advise

Hi,

Let me see if I understood correctly:

  • your customer has a server which accepts SSL connections;
  • your customer did not provide his server’s certificate public key or any other information regarding that certificate;
  • your IS is going to connect to your customer’s server as a client;
  • your IS does not have to provide a certificate;
  • your server IS is able to connect to your customer’s server but it fails with the message “iaik.security.ssl.SSLException: Server certificate rejected by ChainVerifier.” in your IS.

To debug this situation:

  • can you yourself connect to the customer’s server using a browser?
  • can you recover the security information from that server, that is, its security certificate information?
  • is the certificate signed by a known CA?
  • do you have that CA installed on your IS truststore?
  • are you using that truststore to validate outgoing communications?

You can use CLI commands (openssl and keytool) to verify some of this information.
You can also use a GUI like the KeyStore Explorer (search on the internet).

Best Regards,

Hi Gerardo Lisboa,

Thanks for the quick reply,

We are using IS version 8.2.
We successfully created the connectors for the web service provided, but while calling that service we are facing the issue.

Below are my answers to your questions:

  • can you yourself connect to the customer’s server using a browser?

Yes, I am able to connect to the customer’s server with the WSDL using the browser from my system.

  • can you recover the security information from that server, that is, its security certificate information?

I am able to recover all the certificates for that server from the browser.

The certificates I retrieved are:
a) XXXXX RSA Certification Authority
b) XXXXX RSA Domain Validation Secure Server CA
c) Client certificates

  • is the certificate signed by a known CA?

Yes, the certificate is signed by a CA.

  • do you have that CA installed on your IS trust store?

No, I haven’t installed that certificate in the trust store. I just imported the certificate from Security -> Certificates -> Import Client Certificates and restarted the IS. Is it necessary to install the certificate in the trust store? Please let me know.

  • are you using that trust store to validate outgoing communications?
    We are not using the trust store. As it is my first time configuring the certificate, can you please let me know if it is necessary to import it into the trust store?

Thanks,
Annavaram Reddy

Hi,

It seems your IS is not able to verify that the customer’s server certificate is valid because it does not know who signed it.

You can create a new truststore (it is easy with the KeyStore Explorer) from a copy of the base default truststore from sag and add the public keys of the CA chain.

I advise you to get those keys directly from the CA (the url should be in the information you received).

After you have a new truststore jks file with all the CAs, add it to the truststore list and make it the default truststore (I don’t know if there is a way to use it exclusively for the connection you are making).

Should you need more debugging of the SSL connection, there are some settings you can use to increase the logging in the server.log and wrapper.log.

Best Regards,

Hi Gerardo Lisboa,

The issue is resolved now. As the client certificate was expired, it was getting rejected by the CA certificate chain. Now the client has renewed his certificate, after which it is working fine.

Thanks a lot for the reply