Certificate chaining errors in an HTTPRequest node

Technote (troubleshooting)


Problem (Abstract)

You are unable to connect to a backend webservice using an HTTPRequest node in IBM Integration Bus (IIB) or WebSphere Message Broker (WMB).

Symptom

This set of errors will occur together:

javax.net.ssl.SSLHandshakeException: com.ibm.jsse2.util.h: PKIX path building failed:

java.security.cert.CertPathBuilderException: PKIXCertPathBuilderImpl could not build a valid CertPath.;

internal cause is: java.security.cert.CertPathValidatorException:
The certificate issued by OU=Class 3 Public Primary Certification Authority, O="VeriSign, Inc.", C=US is not trusted;

internal cause is: java.security.cert.CertPathValidatorException:
Certificate chaining error


Cause

A 'certificate chaining error' occurs when the provided chain of certificates cannot be validated.

The reason for the chaining error is given in the 'internal cause' message that precedes it.
Here, one of the certificates is "not trusted".

A received certificate is "not trusted" when the Integration Server's truststore lacks a 'signer certificate' for the issuer of the received certificate.


Diagnosing the problem

'SSLHandshakeException' is a generic error to indicate a problem with an SSL handshake.
View the 'internal cause' messages to confirm whether you are receiving a CertPathValidatorException.
Then, confirm that the cause text is the same.

Resolving the problem

Verify that your truststore contains the proper 'signer certificate' for the certificate chain provided by the backend webservice.


If the proper signer certificate(s) exist in the truststore, then the handshake should complete. If not, you should confirm that all required certificates are present in the keystore of the webservice that WMB/IIB is communicating with. You may need to recreate the keystore with 'keytool' using the "genkey" option and re-import your application certificates if you are missing any components of the certificate chain.


Additional information regarding chains of trust and the WMB/IIB truststore:
In order to verify the digital signature on a particular certificate "A", the public key of certificate A's issuing Certification Authority (CA) must be present.

This public key will be issued on a signed certificate "B", which must be verified with the public key of certificate B's CA.

This public key will be issued on a signed certificate "C", and so on...

This "chain" of certificates continues until one of the CAs has a certificate whose digital signature is signed by itself. That CA is considered a "root" CA.

The default truststore in WMB/IIB is a file called 'cacerts'. It contains several root CA signer certificates.
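
The truststore check from "Resolving the problem" and the chain walk described above can be scripted. The following is an added example, not IBM code: it walks the backend's chain from the leaf and reports the first issuer with no signer certificate in the truststore. It assumes the inputs are "Owner:" / "Issuer:" lines as keytool's verbose listing prints them, uses constructed sample data (only the VeriSign issuer name comes from the error above), and matches on names only, whereas JSSE also verifies signatures and validity dates.

```python
import re

# Constructed sample: Owner/Issuer lines in the layout of `keytool -list -v` on the truststore.
TRUSTSTORE_LISTING = """\
Alias name: exampleroot
Owner: CN=Example Root CA, O=Example Corp, C=US
Issuer: CN=Example Root CA, O=Example Corp, C=US
"""

# Constructed sample: the chain the backend presents, leaf certificate first.
SERVER_CHAIN = """\
Certificate #0
Owner: CN=backend.example.test, O=Example Backend, C=US
Issuer: CN=Example Issuing CA, O=Example Corp, C=US
Certificate #1
Owner: CN=Example Issuing CA, O=Example Corp, C=US
Issuer: OU=Class 3 Public Primary Certification Authority, O="VeriSign, Inc.", C=US
"""

def norm(dn):
    """Split a DN on commas outside quotes; ignore case and spacing when comparing."""
    parts = re.findall(r'(?:[^,"]|"[^"]*")+', dn)
    return tuple(p.strip().casefold() for p in parts)

def parse_certs(text):
    """Return (owner, issuer) pairs in the order the certificates appear."""
    certs, owner = [], None
    for line in text.splitlines():
        key, _, value = line.strip().partition(": ")
        if key == "Owner":
            owner = value
        elif key == "Issuer" and owner is not None:
            certs.append((owner, value))
            owner = None
    return certs

def find_untrusted_issuer(chain_text, truststore_text):
    """Return the issuer DN lacking a signer certificate, or None if the chain reaches one."""
    trusted = {norm(o) for o, _ in parse_certs(truststore_text)}
    chain = parse_certs(chain_text)
    if not chain:
        raise ValueError("no certificates found in chain listing")
    by_owner = {norm(o): (o, i) for o, i in chain}
    (owner, issuer), seen = chain[0], set()
    while norm(issuer) not in trusted:
        # Dead end: self-signed but untrusted, issuer not supplied, or a loop.
        if norm(owner) == norm(issuer) or norm(issuer) not in by_owner or norm(issuer) in seen:
            return issuer
        seen.add(norm(issuer))
        owner, issuer = by_owner[norm(issuer)]
    return None

if __name__ == "__main__":
    print(find_untrusted_issuer(SERVER_CHAIN, TRUSTSTORE_LISTING))
```
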

Related information

JSSE tracing for SSL issues on the HTTPRequest node
Configuring HTTPRequest nodes to use SSL (HTTPS)
Configuring HTTP nodes to use SSL (HTTPS)


Cross reference information
Segment: Business Integration
Product: IBM Integration Bus
Component: Security
Platform: AIX, HP-UX, Linux, Solaris, Windows
Version: 9.0

Product Alias/Synonym

WMB MB WebSphere Message Broker IBM Integration Bus IIB IBMIB MQ Integrator WBIMB WBI-MB MQSI WMQI

Document information


More support for:

WebSphere Message Broker
Security

Software version:

7.0, 8.0

Operating system(s):

AIX, HP-UX, Linux, Solaris, Windows

Reference #:

1369939

Modified date:

2014-04-10
