Visual LANSA Forum

Hi.

we have use the soap agent service to connect to at SAP system from an IBM I. We are now testing their new HTTPS web-service. But I now getting an error trying to use this HTTPS webservice.
I get this error:
SOAP fault code : {http://schemas.xmlsoap.org/soap/envelop ... rException
SOAP fault actor : <null>
SOAP fault string : javax.net.ssl.SSLHandshakeException: com.ibm.jsse2.util.h: PKIX path building failed: java.security.cert.CertPathBuilderException: PKIXCertPathBuilderImpl could not build a valid CertPath.; internal cause is:
java.security.cert.CertPathValidatorException: The certificate issued by CN=GeoTrust RSA CA 2018, OU=www.digicert.com, O=DigiCert Inc, C=US is not trusted; internal cause is:
java.security.cert.CertPathValidatorException: Certificate chaining error
Create trace file : SOAP_FAULT.XML
SOAPFault file: /LANSA_dcxpgmlib/jsm/instance/trace/441908/2019-10-17/CLIENT00008474_SAPWS23_T/SOAP_FAULT.XML
Command : SOAPFAULT "{http://schemas.xmlsoap.org/soap/envelop ... rException javax.net.ssl.SSLHandshakeException: com.ibm.jsse2.util.h: PKIX path building failed: java.security.cert.CertPathBuilderException: PKIXCertPathBuilderImpl could not build a valid CertPath.; internal cause is:
java.security.cert.CertPathValidatorException: The certificate issued by CN=GeoTrust RSA CA 2018, OU=www.digicert.com, O=DigiCert Inc, C=US is not trusted; internal cause is:
java.security.cert.CertPathValidatorException: Certificate chaining error"


I have imported the GeoTrust RSA CA 2018 (and their parent CA) into the IBM I Certificate manager.

Is there anybody who have made any SOAP Agent function with SSL/https?
Is there something I am missing?

/Klaus

Lansa Integrator does not use the IBM Certificate Manager. You need to import the certificate in the cacerts.jks file. There is a project type for this,

Hi
Okay.

I am not an expert into certificates. Which type of projects should i choose to import the certificate for the server I am trying to connect to?

Thanks.

/Klaus

You need to create PKI editor project. See documentation 7.16. Basically you need to create a project. Grab a copy of cacerts,jks from \jsm\instance\system and open it with a pk editor, insert your certificate and then put it back in \instance\system and then restart the instance.

Hi

I have now created the Keystore file, imported the Ca and the intermediate and root CAs into the cacerts.jks file.
I have restarted the JSM but I still get the same error.

Do I need to make some settings in the manager.properties file in the jsm?

/klaus

You need to update the manager.properties to point to the .jks file.
Set the javax.net.ssl.keyStore* and javax.net.ssl.trustStore* values.

See these 2 help links for more info.
https://docs.lansa.com/14/en/lansa093/c ... 6_0075.htm
https://docs.lansa.com/14/en/lansa093/c ... mp_020.htm

From the first link see the section Java Trust/Key Store to make sure you copied the default cacerts.jks and added entries to it instead of just adding the ones you need. It might still work but it would be a good idea to start with the defaults and then add the additional ones.

hi.

I have dowloaded the cacerts from QOpenSys\QIBM\ProdData\JavaVM\jdk626\32bit\jre\lib\security on my IBM I.
Opened it in the LANSA integrator studio in the PKI editor.
Imported the certificate of the server I am trying to connect with, and the intermediate and root CAs into the cacerts.jks .

Should the cacerts.jks be moved to jsm\instance\system om my IBM I?
I have changed the manager.properties in JSM to:
# SSL configuration
#
java.protocol.handler.pkgs
javax.net.ssl.keyStore=cacerts.jks
javax.net.ssl.keyStoreType=jks
javax.net.ssl.keyStorePassword=1234pass
javax.net.ssl.trustStore=cacerts.jks
javax.net.ssl.trustStoreType=jks
javax.net.ssl.trustStorePassword=1234pass
javax.net.debug=all
javax.net.debug=ssl,handshake,data,trustmanager
#

is that okay or am I missing anything?
I am not able to restart the jsm right now (production) so i have to have everythig ready to test tonight.

Thanks

/klaus

Hi

I have now tested this.

And I get an different error now:
Service : SALESORDERSAPVERSION3
Operation : SALESORDER_SIMULATE
Past pivot : false
Optimization : false
SOAP Action : http://sap.com/xi/WebService/soap1.1
Message form : FORM_SOAPENVELOPE
Create trace file : SOAP_REQUEST000001.XML
No service handlers
SOAP fault code : {http://schemas.xmlsoap.org/soap/envelop ... rException
SOAP fault actor : <null>
SOAP fault string : javax.net.ssl.SSLException: SSL initialization was not previously performed for this job.
Create trace file : SOAP_FAULT.XML
SOAPFault file: /LANSA_dcxpgmlib/jsm/instance/trace/823845/2019-10-24/CLIENT00000001_SAPWS23_T/SOAP_FAULT.XML
Command : SOAPFAULT "{http://schemas.xmlsoap.org/soap/envelop ... rException javax.net.ssl.SSLException: SSL initialization was not previously performed for this job."

Any suggestions to this error?

/klaus

I haven't seen that error before. I like to put my cacerts.jks in the pki subdiretory within the instance directory. So my reference to the cacerts.jks would be =pki/cacerts.jks instead of =cacerts.jks

Not sure if that will resolve your issue but could be worth a try.

Hi

I tried to move the cacerts.jks file to PKI folder and the change the manager.properties file to point to pki folder.

I think it works better, because now it says HTTP (401)Unauthorized"

So now I can test a bit more.

Thanks.
/klaus

Hi

It works.

Thanks for the input!

/Klaus