IBM Support

Avoiding certificate chaining errors when loading Public Encryption/Digital Signature certificates.

Troubleshooting


Problem

This document will discuss what happens when the Intermediate or Root Certificates are missing and WPG was not able to build the complete path for the Certificate chain.

Cause

WPG will attempt to build and validate the certificate path if the bcg.build_complete_certpath= true property is set in the bcg.properties file. This property is set to true by default. If the path can not be verified you will receive the following errors in the bcg_router.log file:

StackTrace:java.security.cert.CertPathBuilderException: PKIXCertPathBuilderImpl could not build a valid CertPath.; internal cause is:
java.security.cert.CertPathValidatorException: The certificate issued by OU=Class 3 Public Primary Certification Authority, O="VeriSign, Inc.", C=US is not trusted; internal cause is:
java.security.cert.CertPathValidatorException: Certificate chaining error
at com.ibm.security.cert.PKIXCertPathBuilderImpl.engineBuild(Unknown Source)
at java.security.cert.CertPathBuilder.build(Unknown Source)
at com.ibm.bcg.util.CertPathUtil.buildCertPath(CertPathUtil.java:454)
at com.ibm.bcg.util.CertPathUtil.validateCertPathWithReset(CertPathUtil.java:189)
at com.ibm.bcg.util.PKCS7Util.checkCertificateValidity(PKCS7Util.java:1490)
at com.ibm.bcg.util.PKCS7Util.encryptBytesS(PKCS7Util.java:292)...

Further down in the trace, you will see another error in the bcg_router..log file where WPG can not find a valid certificate:

StackTrace:com.ibm.bcg.util.BcgException: Could not get Valid encryption Certificate
at com.ibm.bcg.util.PKCS7Util.encryptBytesS(PKCS7Util.java:301)
at com.ibm.bcg.ediint.doc.ASDocBase.encrypt(ASDocBase.java:855)...

Resolving The Problem

The Leaf certificate for Encryption/Digital Signature must be loaded under the participant as seen in the screen shots below.

If we look at the "General" tab of the Leaf certificate for Encryption/Digital Signature, we see the "Issued to: IBM_WPG_Support.ibm.com" and the "Issued by: VeriSign Class 3 Security Server CA".

Note: The "Issued by: VeriSign Class 3 Security Server CA", is the Intermediate Certificate in the chain which will need to be extracted, if you have not already done so.

Then if we click on the same certificates "Certification Path" tab, we will see the complete path for the CA chain. As you can see in the below screen shot, the highlighted section in the chain "VeriSign Class 3 Security Server CA". This is the Intermediate certificate that must be loaded under Hub Operator" as Root/Intermediate. To insure you have the correct intermediate certificate to up load, you can extract this certificate from the Leaf certificate.


1). From this screen you can extract the Intermediate certificate, by clicking on the "View Certificate" button. This will display the Intermediate certificate "Issued by: Class Public Primary Certificate Authority" ( which is the Root Certificate).



2). To extract the Intermediate certificate, click on the "Details" tab and then click on the "Copy to File" button as seen in the screen shot above.



3). On the "Welcome to the Certificate Export Wizard" screen click on the "Next" button.



4). Select the radio button for the correct format: "DER encoded binary X.509 (.CER)" and then click "Next" button.



5). You may browse or type in path and file name for the certificate to be saved then click on the "Next" button.



6). The "Completing Certificate Export Wizard" screen is displayed. Click on the "Finish" button and you are now ready to upload the Intermediate certificate to the Hub Operator profile as Root/Intermediate as shown in the screen shot bellow.



Now you can open the Intermediate certificate you just created. You will see it was "Issued by: Class Public Primary Certificate Authority" on the general tab ( This is the Root Certificate).

To extract the Root certificate, click on the "Details" tab and follow steps 1 through 6 again to extract the Root Certificate. Once extracted you will need to upload to WPG, under profile Hub Operator as Root/Intermediate.




Here is the extracted Root Certificate. In this example, you see that the Root Certificate was "Issued by: Class 3 Public Primary Certificate Authority".

[{"Product":{"code":"SSDKJ8","label":"WebSphere Partner Gateway Enterprise Edition"},"Business Unit":{"code":"BU059","label":"IBM Software w\/o TPS"},"Component":"--","Platform":[{"code":"PF002","label":"AIX"},{"code":"PF016","label":"Linux"},{"code":"PF027","label":"Solaris"},{"code":"PF033","label":"Windows"}],"Version":"6.2.1.1;6.2.1.0;6.2.0.5;6.2.0.4;6.2.0.3;6.2.0.2;6.2.0.1;6.2;6.1.1.2;6.1.1.1;6.1.1;6.1.0.3;6.1.0.2;6.1.0.1;6.1;6.0.0.7;6.0.0.6;6.0.0.5;6.0.0.4;6.0.0.3;6.0.0.2;6.0.0.1;6.0;6.2.1.2","Edition":"Advanced;Enterprise","Line of Business":{"code":"LOB59","label":"Sustainability Software"}}]

Document Information

Modified date:
16 June 2018

UID

swg21266207