We deployed a message flow in ACE on CP4I that calls/consumes a REST endpoint externally over HTTPS. However, we get the following error; the server.conf.yaml is also attached.
It would be great if you could kindly point us in the right direction to look.
Note: The keystore is verified to work OK, tested it by having ACE expose an API for consumption via an OpenShift route. The trust store is also set up. The setup was done by running the provided generateSecrets.sh against the crt/key files.
-- integration server log --
2020-04-20 07:43:56.770660: An HTTP error occurred. The HTTP Request-Line was: 'GET /u2api-rest/execute/M10MI/GetHead?CONO=100&DLIX HTTP/1.1
2020-04-20 07:43:56.770696: Socket error detected whilst invoking Web service located at host u2api.redacted.com, port 20008, path /u2api-rest/execute/M10MI/GetHead.
2020-04-20 07:43:56.770720: An error occurred whilst performing an SSL socket operation. Operation: connect. Error Text: javax.net.ssl.SSLHandshakeException: com.ibm.jsse2.util.h: PKIX path building failed: com.ibm.security.cert.IBMCertPathBuilderException: unable to find valid certification path to requested target.
2020-04-20 07:43:57.796 36 unable to negotiate SSL connection. Client key alias supplied was [].
Exception in thread "Thread-20" 2020-04-20 07:43:57.797 36 javax.net.ssl.SSLHandshakeException: com.ibm.jsse2.util.h: PKIX path building failed: com.ibm.security.cert.IBMCertPathBuilderException: unable to find valid certification path to requested target
2020-04-20 07:43:57.797 36 at com.ibm.jsse2.k.a(k.java:41)
2020-04-20 07:43:57.798 36 at com.ibm.jsse2.av.a(av.java:147)
2020-04-20 07:43:57.798 36 at com.ibm.jsse2.D.a(D.java:103)
2020-04-20 07:43:57.800 36 at com.ibm.jsse2.av.a(av.java:288)
2020-04-20 07:43:57.800 36 at com.ibm.jsse2.av.i(av.java:136)
2020-04-20 07:43:57.800 36 at com.ibm.jsse2.av.a(av.java:1001)
2020-04-20 07:43:57.800 36 at com.ibm.jsse2.av.startHandshake(av.java:991)
2020-04-20 07:43:57.801 36 at com.ibm.broker.imbsslsocket.MbSslSocket.connectTimeoutInternalNoProxy(MbSslSocket.java:39
2020-04-20 07:43:57.801 36 at com.ibm.broker.imbsslsocket.MbSslSocket.connectTimeout(MbSslSocket.java:225)
2020-04-20 07:43:57.801 36 Caused by: com.ibm.jsse2.util.h: PKIX path building failed: com.ibm.security.cert.IBMCertPathBuilderException: unable to find valid certification path to requested target
2020-04-20 07:43:57.802 36 at com.ibm.jsse2.util.f.a(f.java:71)
2020-04-20 07:43:57.802 36 at com.ibm.jsse2.util.f.b(f.java:10)
2020-04-20 07:43:57.802 36 at com.ibm.jsse2.util.e.a(e.java:19)
2020-04-20 07:43:57.802 36 at com.ibm.jsse2.aD.a(aD.java:7)
2020-04-20 07:43:57.803 36 at com.ibm.jsse2.aD.a(aD.java:151)
2020-04-20 07:43:57.803 36 at com.ibm.jsse2.aD.checkServerTrusted(aD.java:39)
2020-04-20 07:43:57.803 36 at com.ibm.jsse2.E.a(E.java:848)
2020-04-20 07:43:57.804 36 ... 9 more
2020-04-20 07:43:57.804 36 Caused by: com.ibm.security.cert.IBMCertPathBuilderException: unable to find valid certification path to requested target
2020-04-20 07:43:57.804 36 at com.ibm.security.cert.SunCertPathBuilder.build(SunCertPathBuilder.java:139)
2020-04-20 07:43:57.805 36 at com.ibm.security.cert.SunCertPathBuilder.engineBuild(SunCertPathBuilder.java:124)
2020-04-20 07:43:57.805 36 at java.security.cert.CertPathBuilder.build(CertPathBuilder.java:292)
2020-04-20 07:43:57.805 36 at com.ibm.jsse2.util.f.a(f.java:118)
2020-04-20 07:43:57.806 36 ... 15 more
-- integration server log --
server.conf.yaml :
-- server.conf.yaml snippet --
BrokerRegistry:
  brokerKeystoreType: 'JKS' # Key store type
  brokerKeystoreFile: '/home/aceuser/ace-server/keystore.jks' # Location of the broker key store
  brokerKeystorePass: 'setdbparms::keystore' # Resource alias containing the key store password "brokerKeystore::password"
  brokerTruststoreType: 'JKS' # Trust store type
  brokerTruststoreFile: '/home/aceuser/ace-server/truststore.jks' # Location of the broker trust store
  brokerTruststorePass: 'setdbparms::truststore'
ResourceManagers:
  JVM:
    keystoreType: 'JKS' # JVM key store type
    keystoreFile: '/home/aceuser/ace-server/keystore.jks' # JVM location of the key store
    keystorePass: 'setdbparms::keystore' # JVM resource alias containing the key store password
    truststoreType: 'JKS' # JVM trust store type
    truststoreFile: '/home/aceuser/ace-server/truststore.jks' # JVM location of the trust store
    truststorePass: 'setdbparms::truststore'
  HTTPSConnector:
    KeyAlias: 'testace'
    KeyPassword: 'setdbparms::keystore' # Set the password or alias to the password of the key 'P4s5w0rd'
    KeystoreFile: '/home/aceuser/ace-server/keystore.jks'
    KeystorePassword: 'setdbparms::keystore' # Set the password or alias to the password of the keystore 'P4s5w0rd'
    KeystoreType: 'JKS' # Set the keystore type, can be 'JKS' or 'P12'. Default is JKS.
    TruststoreFile: '/home/aceuser/ace-server/truststore.jks'
    TruststorePassword: 'setdbparms::truststore' # Set the password or alias to the password of the keystore 'P4s5w0rd'
    TruststoreType: 'JKS'
-- server.conf.yaml snippet --