Handling https SSLHandshake Exception

The Enterprise Gateway product with version 17.2.8 or higher uses JDK 1.8.0_141. JDK 1.8.0_141 restricts algorithms that are used in the chain of trust of the server certificate presented by a web server and requires the chain of trust to use a well known trusted certificate authorities (CA). If these criteria are not met you will receive the following exception when you attempt to establish an https connection.

SSLHandshakeException

javax.net.ssl.SSLHandshakeException: sun.security.validator.ValidatorException: PKIX path building failed: sun.security.provider.certpath.SunCertPathBuilderException: unable to find valid certification path to requested target

The workaround is not applicable to the following Enterprise Gateway products

VxWorks products

MESInteface-IT
deviceWISE Enterprise Gateway for ERPC

Do one of the following to handle this exception:

Contact your web server administrator to update the server certificate to one that uses a certificate chain signed by a well known trusted Certificate Authority (CA).

Specify a customized java keystore in the transport definition. To achieve it:
- Use the java keytool utility to create a java key store that includes all the certificates in the certificate chain to verify the authenticity of the server certificate. For more information about the keytool, see https://docs.oracle.com/cd/E19830-01/819-4712/ablqw/index.html
- Specify this keystore in the transport panel Keystore and TrustStore fields as described in the following links for HTTP or WS_SOAP transports

- - Defining an HTTP transport
  - Defining a web service (SOAP) transport

Import the certificate chain into the Enterprise Gateway's default trust store. To achieve it:
- Contact your IT administrator to get all the certificates in the chain of trust required to verify the authenticity of your web server certificate
- Import these certificates into the default trust store file called cacerts. The location of this file depends on the Enterprise Gateway product you are working with
  - For Windows and Linux the file is located in the [ Runtime Installation root ]/jre/lib/security directory.
  - For AIX the file is located within your JRE directory. For instance, /usr/java8/jre/lib/security directory.
    This is a less preferred option for the following reasons
    Impacts all other Java applications running on that AIX system.
    The cacerts file will be overwritten when the Enterprise Gateway product is reinstalled for Windows or Linux or when the JRE is re-installed for AIX.