mibrahim.iti

Reputation: 2060

IBM Liberty SSL HANDSHAKE FAILURE

I am using Liberty 16.0.0.4

I am trying to call xxxx SOAP services, but I got the following error

[ERROR ] CWPKI0022E: SSL HANDSHAKE FAILURE: A signer with SubjectDN CN=xxxx, was sent from the target host. The signer might need to be added to local trust store serverHome/resources/security/key.jks, located in SSL configuration alias defaultSSLConfig. The extended error message from the SSL handshake exception is: PKIX path building failed: sun.security.provider.certpath.SunCertPathBuilderException: unable to find valid certification path to requested target

I used the following command to generate the certificate

openssl s_client -connect xxxxURL:443 | sed -ne '/-BEGIN CERTIFICATE-/,/-END CERTIFICATE-/p' > xxx.cert

Then I injected it into the Liberty default JKS file with the following command

keytool -import -trustcacerts -alias xxxSigner -file xxx.cert -keystore pathToHomeServer/resources/security/key.jks -storepass Liberty -storetype jks

Also, these are my server.xml tags related to that

<featureManager>
    <feature>webProfile-7.0</feature>
    <feature>jaxb-2.2</feature>
    <feature>concurrent-1.0</feature>
    <feature>javaMail-1.5</feature>
    <feature>localConnector-1.0</feature>
    <feature>jaxws-2.2</feature>
    <feature>apiDiscovery-1.0</feature>
    <feature>ssl-1.0</feature>
</featureManager>

<keyStore id="defaultKeyStore" location="${server.config.dir}/resources/security/key.jks" password="{xor}EzY9Oi0rJg==" type="jks" />
<keyStore id="defaultTrustStore" location="${server.config.dir}/resources/security/key.jks" password="{xor}EzY9Oi0rJg==" type="jks" />

<sslDefault sslRef="defaultSSLConfig" />

<ssl id="defaultSSLConfig" keyStoreRef="defaultKeyStore" trustStoreRef="defaultTrustStore" sslProtocol="TLSv1.2"/>

<httpEndpoint id="defaultHttpEndpoint" httpPort="9080" httpsPort="9443">
    <sslOptions sslRef="defaultSSLConfig"></sslOptions>
</httpEndpoint>

So what is the problem my side which

Upvotes: 2

Views: 3434

Answers (2)

Bruce T.

Reputation: 1002

Not sure why your approach is not working, but another way to go about it is to use a browser to retrieve the certificate and then keytool to add it, as described here (see the 8/5/2015 comment at the bottom of the article): developer.ibm.com/wasdev/docs/single-sign-google-liberty

Upvotes: 3

covener

Reputation: 17872

Does it work if you explicitly add the signer itself, shown at the bottom of the stack of certs when you append -showcerts to your openssl command?

Upvotes: 0
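The sed one-liner in the question keeps only the first certificate that s_client prints (the server's own leaf), while the signer covener refers to is the last one in the -showcerts output. The following added example (not from the question or the answers) splits a -showcerts bundle into one PEM file per certificate and picks the last one for import; the host name, alias, keystore path and the sample bundle are constructed placeholders.

```shell
#!/bin/sh
# Fetch the full chain from a live server (not run here; needs network access).
# -servername sends SNI so the server returns the certificate Java also sees.
fetch_chain() {
    host="$1"; port="${2:-443}"
    openssl s_client -connect "$host:$port" -servername "$host" -showcerts </dev/null 2>/dev/null
}

# Split a PEM bundle ($1) into $2/cert-N.pem, one file per certificate, dropping
# the s_client chatter between them. Prints the number of certificates written.
split_chain() {
    bundle="$1"; outdir="$2"
    mkdir -p "$outdir"
    awk -v dir="$outdir" '
        /-BEGIN CERTIFICATE-/ { n++; f = sprintf("%s/cert-%d.pem", dir, n) }
        f                     { print > f }
        /-END CERTIFICATE-/   { close(f); f = "" }
        END                   { print n + 0 }
    ' "$bundle"
}

# Path of the last certificate in the split chain: the signer at the bottom.
last_cert() {
    printf '%s/cert-%d.pem\n' "$1" "$2"
}

# Import one PEM certificate ($1) under alias $2 into the Liberty trust store
# from the question (not run here). SERVER_HOME is an assumed placeholder.
import_signer() {
    keytool -import -trustcacerts -alias "$2" -file "$1" \
        -keystore "${SERVER_HOME:-/path/to/server}/resources/security/key.jks" \
        -storepass "${STOREPASS:-Liberty}" -storetype jks -noprompt
}

# Constructed sample of -showcerts output: leaf first, then its issuer.
# The base64 bodies are placeholders, not real certificates.
SAMPLE_BUNDLE="$(mktemp)"
cat > "$SAMPLE_BUNDLE" <<'EOF'
Certificate chain
 0 s:CN = xxxx
   i:CN = Example Issuer
-----BEGIN CERTIFICATE-----
LEAFCERTPLACEHOLDER
-----END CERTIFICATE-----
 1 s:CN = Example Issuer
   i:CN = Example Issuer
-----BEGIN CERTIFICATE-----
ISSUERCERTPLACEHOLDER
-----END CERTIFICATE-----
---
EOF
OUTDIR="$(mktemp -d)"
COUNT="$(split_chain "$SAMPLE_BUNDLE" "$OUTDIR")"   # 2
SIGNER="$(last_cert "$OUTDIR" "$COUNT")"            # .../cert-2.pem
```

Against a real server, run `fetch_chain host > chain.txt`, split it, and import the last file with import_signer; check the subject of that file with `openssl x509 -noout -subject -in` before trusting it.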
