SSL handshake failure when connecting with an external HTTP server
If you receive an SSL handshake failure when connecting with an external HTTP server, you may need to add the signer to the local trust store.
Problem
SystemOut.log returns an SSL handshake failure error message when connecting from the Process Center to the Process Server. For example:
CWPKI0022E: SSL HANDSHAKE FAILURE: A signer with SubjectDN "xx=xxxxx" was sent from target host:port "de1:xxx".
The signer may need to be added to local trust store "/home/bpmsvt/ibm/BPM/v8.5/profiles/Node1Profile/config/cells/PCCell1/trust.p12"
located in SSL configuration alias "NodeDefaultSSLSettings" loaded from SSL configuration file "security.xml". The extended error message
from the SSL handshake exception is: "PKIX path building failed: java.security.cert.CertPathBuilderException: unable to find valid
certification path to requested target".
Solution
If you determine that the request is trusted, add the external HTTP server certificate to the Process Center.
- Log in to the administrative console.
- Click .
- Under Configuration settings, click Manage endpoint security configurations.
- Select the outbound configuration. For example, PCCell1(CellDefaultSSLSettings).
- Under Related Items, click Key stores and certificates and click CellDefaultTrustStore.
- Under Additional properties, click Signer certificates.
- Click Retrieve from port. The Configuration panel is displayed.
- Complete the following general properties fields:
  - In the Host field, enter the IHS virtual host. For example, de1.
  - In the Port field, enter the virtual host port. For example, 443.
  - In the Alias field, enter the certificate alias. For example, de1_cert.
- Click OK and save your changes to the master configuration.
- Click Retrieve signer information.
- Verify that the certificate information is for a trusted certificate.
- Click Apply and Save.
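Deciding that the request is trusted means confirming that the certificate the host presents is the one its owner issued, before the signer goes into the trust store. The following added example (not part of the original page or of the product) fingerprints the presented certificate and compares it with a SHA-256 fingerprint obtained out of band; the function names are hypothetical, and de1 and 443 are the page's example values.

```python
import hashlib
import hmac
import socket
import ssl


def fetch_presented_cert(host: str, port: int, timeout: float = 5.0) -> bytes:
    """Return the DER bytes of the certificate the server presents.

    Chain validation is disabled on purpose: the signer is not trusted yet,
    and the bytes are used only for fingerprinting, never to send data.
    """
    ctx = ssl.create_default_context()
    ctx.check_hostname = False
    ctx.verify_mode = ssl.CERT_NONE
    with socket.create_connection((host, port), timeout=timeout) as sock:
        with ctx.wrap_socket(sock, server_hostname=host) as tls:
            return tls.getpeercert(binary_form=True)


def sha256_fingerprint(der: bytes) -> str:
    """Format the SHA-256 digest of DER bytes as colon-separated hex."""
    digest = hashlib.sha256(der).hexdigest().upper()
    return ":".join(digest[i:i + 2] for i in range(0, len(digest), 2))


def normalize(fp: str) -> str:
    """Drop colons, spaces and case so differently formatted values compare."""
    return "".join(ch for ch in fp.upper() if ch in "0123456789ABCDEF")


def matches_expected(der: bytes, expected_fp: str) -> bool:
    """True only if expected_fp is a full SHA-256 value equal to the cert's."""
    expected = normalize(expected_fp)
    if len(expected) != 64:  # rejects truncated values and SHA-1 fingerprints
        return False
    return hmac.compare_digest(normalize(sha256_fingerprint(der)), expected)


if __name__ == "__main__":
    # Constructed sample bytes, not a real certificate, so this runs offline.
    sample = b"constructed sample bytes, not a real certificate"
    fp = sha256_fingerprint(sample)
    print(fp, matches_expected(sample, fp.lower().replace(":", " ")))
    # Live use with the page's example host and port:
    # der = fetch_presented_cert("de1", 443); print(sha256_fingerprint(der))
```

If the comparison fails, stop before clicking Apply and Save and resolve the mismatch with the server's owner.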