Certificate chaining error - WebSphere Application Server

Sergio Rubio | Posts: 18

Certificate chaining error - WebSphere Application Server

Thursday, April 7, 2016 at 05:56am

Has anyone run into a Certificate chaining error when trying to make a call to createPackage? We are using IBM WebSphere BPM v8.5 and the eSignLive SDK 10.10.1, the certificate is installed in the Cell's defaultTrustStore, however,the eSignLive SDK call seems to ignore it. When added to the JRE's cacerts truststore, it works. java.security.cert.CertPathValidatorException: Certificate chaining error [4/6/16 15:36:16:658 EDT] 000001c1 SystemErr R at com.ibm.security.cert.PKIXCertPathBuilderImpl.engineBuild(PKIXCertPathBuilderImpl.java:411) [4/6/16 15:36:16:658 EDT] 000001c1 SystemErr R at java.security.cert.CertPathBuilder.build(CertPathBuilder.java:258) [4/6/16 15:36:16:658 EDT] 000001c1 SystemErr R at com.ibm.jsse2.util.h.b(h.java:119) [4/6/16 15:36:16:658 EDT] 000001c1 SystemErr R ... 124 more java.security.cert.CertPathValidatorException: Certificate chaining error [4/6/16 15:36:16:659 EDT] 000001c1 SystemErr R at com.ibm.security.cert.BasicChecker.(BasicChecker.java:111) [4/6/16 15:36:16:659 EDT] 000001c1 SystemErr R at com.ibm.security.cert.PKIXCertPathValidatorImpl.engineValidate(PKIXCertPathValidatorImpl.java:178) [4/6/16 15:36:16:659 EDT] 000001c1 SystemErr R at com.ibm.security.cert.PKIXCertPathBuilderImpl.myValidator(PKIXCertPathBuilderImpl.java:737) [4/6/16 15:36:16:659 EDT] 000001c1 SystemErr R at com.ibm.security.cert.PKIXCertPathBuilderImpl.buildCertPath(PKIXCertPathBuilderImpl.java:649) [4/6/16 15:36:16:659 EDT] 000001c1 SystemErr R at com.ibm.security.cert.PKIXCertPathBuilderImpl.engineBuild(PKIXCertPathBuilderImpl.java:357) [4/6/16 15:36:16:659 EDT] 000001c1 SystemErr R ... 126 more [4/6/16 15:36:16:659 EDT] 000001c1 SystemErr R Caused by: java.security.cert.CertPathValidatorException: Certificate chaining error [4/6/16 15:36:16:660 EDT] 000001c1 SystemErr R at com.ibm.security.cert.CertPathUtil.findIssuer(CertPathUtil.java:298) [4/6/16 15:36:16:660 EDT] 000001c1 SystemErr R at com.ibm.security.cert.BasicChecker.(BasicChecker.java:108) [4/6/16 15:36:16:660 EDT] 000001c1 SystemErr R ... 130 more

April 7 Created

January 21 Last Updated

9 years ago Last Reply

2 Replies

1633 Views

2 Users

0 Likes

0 Links

imane chbani | Posts: 3

Reply to: Certificate chaining error - WebSphere Application Server

Thursday, April 7, 2016 at 09:11am

Hi , I think you will need to check if you have the root and intermediate cert also imported in the default cell trust store, also make sure that you unset the JRE ca trust cert and restart the web-server. This might help you fix the problem. Obviously during the handshake the WebSphere server where the SDK is used is not able to retrieve the trust cert from the defaults cell trust store and this can be caused by many reasons: 1. The user running the SDK does not have permission to retrieve the cert. 2. miss configuration of root , intermediate and signer cert each on the right place or anything else. Again this is not an SDK problem rather than infra problem. Kind regards, Imane

Sergio Rubio | Posts: 18

Reply to: Certificate chaining error - WebSphere Application Server

Wednesday, May 25, 2016 at 10:16am

In case this saves anyone some time, here are the two things that I found that caused me a huge headache: 1) The version of StringEntity available to me in WebSphere was older and did not have the method StringEntity(String, Charset) 2) The buildHttpClient() call in RestClient.java was unfriendly to WebSphere, it defaulted to using the Java cacerts store instead of WebSphere's default trust store, which caused issues when we had our various security appliances put into play. I ended up creating my own versions of EslClient.java and RestClient.java. EslClient.java changes were only necessary to use my custom version of RestClient. To get around method not found / classpath issues with #1 above, I used the older/available version of StringEntity:

StringEntity body = new StringEntity(jsonPayload, CHARSET_UTF_8);
            vs
StringEntity body = new StringEntity(jsonPayload, Charset.forName("UTF-8"));

And to use the WebSphere default Trust Store, I ended up adding the simple line .useSystemProperties() to the HttpClients.custom() call in RestClient.java's buildHttpClient(). I won't tell you how long that took me to find! Still looking at alternatives, as RestClient.java is an internal file for the Silanis SDK and I'd rather avoid making changes to the underlying SDK.

private CloseableHttpClient buildHttpClient() throws HttpException {
        final HttpClientBuilder httpClientBuilder = HttpClients.custom().useSystemProperties();