Handling HTTPS
SSLHandshake Exception
The Enterprise Gateway product with version 17.2.8 or higher uses JDK 1.8.0_141. JDK 1.8.0_141 restricts the algorithms that may be used in the chain of trust of the server certificate presented by a web server, and requires the chain of trust to use a well-known trusted certificate authority (CA). If these criteria are not met, you will receive the following exception when you attempt to establish an HTTPS connection.
SSLHandshakeException
javax.net.ssl.SSLHandshakeException: sun.security.validator.ValidatorException: PKIX path building failed: sun.security.provider.certpath.SunCertPathBuilderException: unable to find valid certification path to requested target
The workaround is not applicable to the following Enterprise Gateway products:
VxWorks products
- MESInterface-IT
- deviceWISE Enterprise Gateway for ERPC
Do one of the following to handle this exception:
- Contact your web server administrator to update the server certificate to one that uses a certificate chain signed by a well-known trusted Certificate Authority (CA).
- Specify a customized Java keystore in the transport definition. To achieve it:
  - Use the Java keytool utility to create a Java keystore that includes all the certificates in the certificate chain to verify the authenticity of the server certificate. For more information about the keytool, see https://docs.oracle.com/cd/E19830-01/819-4712/ablqw/index.html
  - Specify this keystore in the transport panel Keystore and TrustStore fields as described in the following links for HTTP or WS_SOAP transports.
- Import the certificate chain into the Enterprise Gateway's default trust store. To achieve it:
  - Contact your IT administrator to get all the certificates in the chain of trust required to verify the authenticity of your web server certificate.
  - Import these certificates into the default trust store file called cacerts. The location of this file depends on the Enterprise Gateway product you are working with:
    - For Windows and Linux, the file is located in the [ Runtime Installation root ]/jre/lib/security directory.
    - For AIX, the file is located within your JRE directory, for instance the /usr/java8/jre/lib/security directory.
  This is a less preferred option for the following reasons:
  - Impacts all other Java applications running on that AIX system.
  - The cacerts file will be overwritten when the Enterprise Gateway product is reinstalled for Windows or Linux or when the JRE is re-installed for AIX.
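For the customized keystore option above, a sketch of building a dedicated trust store from a PEM bundle with keytool. This is an added example, not code from the product documentation; the file names chain.pem and gateway-truststore.jks, the TRUSTSTORE_PASS variable and the chain-N aliases are assumptions.

```shell
#!/bin/sh
# Added example (not vendor code). Hypothetical names: chain.pem,
# gateway-truststore.jks, TRUSTSTORE_PASS and the chain-N aliases.

# Split a PEM bundle into DIR/cert-1.pem, cert-2.pem, ... and print the count.
# Text outside the BEGIN/END markers (for example "subject=" lines) is dropped.
split_chain() {
  mkdir -p "$2" || return 1
  awk -v dir="$2" '
    /-----BEGIN CERTIFICATE-----/ { n++; out = sprintf("%s/cert-%d.pem", dir, n) }
    out != ""                     { print > out }
    /-----END CERTIFICATE-----/   { close(out); out = "" }
    END                           { print n + 0 }
  ' "$1"
}

# Import each certificate into a dedicated trust store, leaving cacerts untouched.
# keytool keeps one trusted certificate per alias, hence the split.
# The password is read from $TRUSTSTORE_PASS so it is not a command-line argument.
import_chain() {
  bundle=$1 store=$2
  tmp=$(mktemp -d) || return 1
  count=$(split_chain "$bundle" "$tmp")
  if [ "$count" -eq 0 ]; then
    echo "no certificates found in $bundle" >&2
    rm -rf "$tmp"; return 1
  fi
  i=1
  while [ "$i" -le "$count" ]; do
    # Print owner, issuer and fingerprints so they can be compared with the
    # values supplied by the CA or the IT administrator.
    keytool -printcert -file "$tmp/cert-$i.pem"
    keytool -importcert -noprompt -alias "chain-$i" -file "$tmp/cert-$i.pem" \
      -keystore "$store" -storepass:env TRUSTSTORE_PASS || { rm -rf "$tmp"; return 1; }
    i=$((i + 1))
  done
  rm -rf "$tmp"
  keytool -list -keystore "$store" -storepass:env TRUSTSTORE_PASS
}

# Usage: TRUSTSTORE_PASS=... sh build-truststore.sh chain.pem gateway-truststore.jks
if [ "$#" -ge 2 ]; then
  import_chain "$1" "$2"
fi
```

Because -noprompt skips keytool's confirmation, compare the printed fingerprints against a trusted source before pointing the transport's Keystore and TrustStore fields at the resulting file.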