LANSA integrator, SOAP agent and SSL

This Q&A forum allows users to post and respond to "How Do I Do ....." questions. Please do not use to report (suspected) errors - you must use your regional help desk for this. The information contained in this forum has not been validated by LANSA and, as such, LANSA cannot guarantee the accuracy of the information.
kno_dk
Posts: 136
Joined: Tue Feb 23, 2016 12:00 am

LANSA integrator, SOAP agent and SSL

Post by kno_dk » Tue Oct 22, 2019 1:03 am

Hi.

We have used the SOAP agent service to connect to a SAP system from an IBM I. We are now testing their new HTTPS web service, but I am now getting an error trying to use this HTTPS web service.
I get this error:
SOAP fault code : {http://schemas.xmlsoap.org/soap/envelop ... rException
SOAP fault actor : <null>
SOAP fault string : javax.net.ssl.SSLHandshakeException: com.ibm.jsse2.util.h: PKIX path building failed: java.security.cert.CertPathBuilderException: PKIXCertPathBuilderImpl could not build a valid CertPath.; internal cause is:
java.security.cert.CertPathValidatorException: The certificate issued by CN=GeoTrust RSA CA 2018, OU=www.digicert.com, O=DigiCert Inc, C=US is not trusted; internal cause is:
java.security.cert.CertPathValidatorException: Certificate chaining error
Create trace file : SOAP_FAULT.XML
SOAPFault file: /LANSA_dcxpgmlib/jsm/instance/trace/441908/2019-10-17/CLIENT00008474_SAPWS23_T/SOAP_FAULT.XML
Command : SOAPFAULT "{http://schemas.xmlsoap.org/soap/envelop ... rException javax.net.ssl.SSLHandshakeException: com.ibm.jsse2.util.h: PKIX path building failed: java.security.cert.CertPathBuilderException: PKIXCertPathBuilderImpl could not build a valid CertPath.; internal cause is:
java.security.cert.CertPathValidatorException: The certificate issued by CN=GeoTrust RSA CA 2018, OU=www.digicert.com, O=DigiCert Inc, C=US is not trusted; internal cause is:
java.security.cert.CertPathValidatorException: Certificate chaining error"


I have imported the GeoTrust RSA CA 2018 (and their parent CA) into the IBM I Certificate manager.

Is there anybody who has made any SOAP Agent function with SSL/HTTPS?
Is there something I am missing?

/Klaus

soa
Posts: 339
Joined: Mon Dec 07, 2015 3:15 pm

Re: LANSA integrator, SOAP agent and SSL

Post by soa » Tue Oct 22, 2019 8:35 am

LANSA Integrator does not use the IBM Certificate Manager. You need to import the certificate into the cacerts.jks file. There is a project type for this.

kno_dk
Posts: 136
Joined: Tue Feb 23, 2016 12:00 am

Re: LANSA integrator, SOAP agent and SSL

Post by kno_dk » Tue Oct 22, 2019 6:27 pm

Hi
Okay.

I am not an expert in certificates. Which type of project should I choose to import the certificate for the server I am trying to connect to?

Thanks.

/Klaus

soa
Posts: 339
Joined: Mon Dec 07, 2015 3:15 pm

Re: LANSA integrator, SOAP agent and SSL

Post by soa » Wed Oct 23, 2019 8:31 am

You need to create a PKI editor project. See documentation 7.16. Basically you need to create a project. Grab a copy of cacerts.jks from \jsm\instance\system and open it with a PKI editor, insert your certificate and then put it back in \instance\system and then restart the instance.

kno_dk
Posts: 136
Joined: Tue Feb 23, 2016 12:00 am

Re: LANSA integrator, SOAP agent and SSL

Post by kno_dk » Thu Oct 24, 2019 5:39 am

Hi

I have now created the keystore file and imported the CA and the intermediate and root CAs into the cacerts.jks file.
I have restarted the JSM but I still get the same error.

Do I need to make some settings in the manager.properties file in the jsm?

/klaus

caseywhite
Posts: 121
Joined: Thu May 26, 2016 1:17 am

Re: LANSA integrator, SOAP agent and SSL

Post by caseywhite » Thu Oct 24, 2019 7:16 am

You need to update the manager.properties to point to the .jks file.
Set the javax.net.ssl.keyStore* and javax.net.ssl.trustStore* values.

See these 2 help links for more info.
https://docs.lansa.com/14/en/lansa093/c ... 6_0075.htm
https://docs.lansa.com/14/en/lansa093/c ... mp_020.htm

From the first link see the section Java Trust/Key Store to make sure you copied the default cacerts.jks and added entries to it instead of just adding the ones you need. It might still work but it would be a good idea to start with the defaults and then add the additional ones.

kno_dk
Posts: 136
Joined: Tue Feb 23, 2016 12:00 am

Re: LANSA integrator, SOAP agent and SSL

Post by kno_dk » Thu Oct 24, 2019 8:52 pm

hi.

I have downloaded the cacerts from QOpenSys\QIBM\ProdData\JavaVM\jdk626\32bit\jre\lib\security on my IBM I.
Opened it in the LANSA integrator studio in the PKI editor.
Imported the certificate of the server I am trying to connect with, and the intermediate and root CAs into the cacerts.jks.

Should the cacerts.jks be moved to jsm\instance\system on my IBM I?
I have changed the manager.properties in JSM to:
# SSL configuration
#
java.protocol.handler.pkgs
javax.net.ssl.keyStore=cacerts.jks
javax.net.ssl.keyStoreType=jks
javax.net.ssl.keyStorePassword=1234pass
javax.net.ssl.trustStore=cacerts.jks
javax.net.ssl.trustStoreType=jks
javax.net.ssl.trustStorePassword=1234pass
javax.net.debug=all
javax.net.debug=ssl,handshake,data,trustmanager
#

Is that okay or am I missing anything?
I am not able to restart the JSM right now (production) so I have to have everything ready to test tonight.

Thanks

/klaus

kno_dk
Posts: 136
Joined: Tue Feb 23, 2016 12:00 am

Re: LANSA integrator, SOAP agent and SSL

Post by kno_dk » Fri Oct 25, 2019 4:36 am

Hi

I have now tested this.

And I get a different error now:
Service : SALESORDERSAPVERSION3
Operation : SALESORDER_SIMULATE
Past pivot : false
Optimization : false
SOAP Action : http://sap.com/xi/WebService/soap1.1
Message form : FORM_SOAPENVELOPE
Create trace file : SOAP_REQUEST000001.XML
No service handlers
SOAP fault code : {http://schemas.xmlsoap.org/soap/envelop ... rException
SOAP fault actor : <null>
SOAP fault string : javax.net.ssl.SSLException: SSL initialization was not previously performed for this job.
Create trace file : SOAP_FAULT.XML
SOAPFault file: /LANSA_dcxpgmlib/jsm/instance/trace/823845/2019-10-24/CLIENT00000001_SAPWS23_T/SOAP_FAULT.XML
Command : SOAPFAULT "{http://schemas.xmlsoap.org/soap/envelop ... rException javax.net.ssl.SSLException: SSL initialization was not previously performed for this job."

Any suggestions to this error?

/klaus

caseywhite
Posts: 121
Joined: Thu May 26, 2016 1:17 am

Re: LANSA integrator, SOAP agent and SSL

Post by caseywhite » Sat Oct 26, 2019 6:05 am

I haven't seen that error before. I like to put my cacerts.jks in the pki subdirectory within the instance directory. So my reference to the cacerts.jks would be =pki/cacerts.jks instead of =cacerts.jks.

Not sure if that will resolve your issue but could be worth a try.

kno_dk
Posts: 136
Joined: Tue Feb 23, 2016 12:00 am

Re: LANSA integrator, SOAP agent and SSL

Post by kno_dk » Mon Oct 28, 2019 12:50 am

Hi

I tried to move the cacerts.jks file to the PKI folder and then change the manager.properties file to point to the pki folder.

I think it works better, because now it says "HTTP (401)Unauthorized"

So now I can test a bit more.

Thanks.
/klaus
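
A pre-restart check for the store paths discussed in this thread, as an added example that is not part of any post or of LANSA's own code: it lints the SSL block of manager.properties for store paths that do not resolve, keys set more than once, and SSL debug tracing left on. It assumes relative paths resolve against the JSM instance directory (as the `pki/cacerts.jks` reference suggests); the function names and sample text are constructed.

```python
import tempfile
from pathlib import Path

STORE_KEYS = ("javax.net.ssl.keyStore", "javax.net.ssl.trustStore")

def parse_properties(text):
    """Simplified '='-only parser. Returns (values, duplicates); the last assignment wins."""
    values, duplicates = {}, []
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith(("#", "!")):
            continue
        key, _, value = (part.strip() for part in line.partition("="))
        if key in values:
            duplicates.append(key)
        values[key] = value
    return values, duplicates

def lint_ssl_config(text, instance_dir):
    """Findings for the SSL block of manager.properties, checked before a JSM restart."""
    values, duplicates = parse_properties(text)
    findings = [f"{k}: set more than once, only the last value applies" for k in duplicates]
    for key in STORE_KEYS:
        path = values.get(key)
        if not path:
            findings.append(f"{key}: not set")
        elif not (Path(instance_dir) / path).is_file():
            # Assumption: relative paths resolve against the instance directory.
            findings.append(f"{key}: {path} not found under instance directory")
    debug = values.get("javax.net.debug", "")
    if debug:
        findings.append(f"javax.net.debug={debug}: SSL tracing is on, remove after testing")
    return findings

# Constructed samples modelled on the settings quoted in the thread (passwords omitted).
BEFORE = ("javax.net.ssl.keyStore=cacerts.jks\njavax.net.ssl.trustStore=cacerts.jks\n"
          "javax.net.debug=all\njavax.net.debug=ssl,handshake,data,trustmanager\n")
AFTER = "javax.net.ssl.keyStore=pki/cacerts.jks\njavax.net.ssl.trustStore=pki/cacerts.jks\n"

def demo():
    """Lint both samples against a temporary instance directory holding pki/cacerts.jks."""
    with tempfile.TemporaryDirectory() as instance:
        store = Path(instance, "pki", "cacerts.jks")
        store.parent.mkdir()
        store.write_bytes(b"")  # empty placeholder; only the path is checked
        return lint_ssl_config(BEFORE, instance), lint_ssl_config(AFTER, instance)

if __name__ == "__main__":
    for findings in demo():
        print(findings)
```

The check covers only path resolution and leftover debug settings; whether the store actually contains the server's issuing CA still has to be confirmed in the PKI editor.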

kno_dk
Posts: 136
Joined: Tue Feb 23, 2016 12:00 am

Re: LANSA integrator, SOAP agent and SSL

Post by kno_dk » Tue Oct 29, 2019 1:11 am

Hi

It works.

Thanks for the input!

/Klaus
