Call out to a web service from Uniface 9 SSL certificate issue.

Author: (stuza1)

Problem: Unknown CA on SSL setup calling a web service from Uniface 9. I am aware this is not a pure Uniface issue and relates to Tomcat, but also to Uniface configuration.

1. We have a call out to a web service working from Uniface 9/Tomcat on a Windows system using http.

2. We are, however, encountering problems in setting up bi-directional SSL with client auth.

3. I suspect that I do not have something set up correctly in Uniface and/or Tomcat; I suspect that it's the keyfile containing the trusted certificate authority of the server I am calling out to (see the last line in point 6 below). I don't know which keystore is the problem.

4. The Uniface help file explains how to set up ca-bundle.crt and personal.crt for client auth ("Verification for Web Services over HTTPS").
   I have ca-bundle.crt in the \usys directory: c:\Program Files (x86)\Compuware\Uniface 9.6.02\common\usys
   I have the personal.crt entry in the idf.asn:
   [FILES]
   personal.crt c:\d\perscrt\personal.crt
   I also have a .keystore file in the home directory of the user that I am running IDF under. I have the same keystore file, called keystore without the ".", in the common\tomcat\conf\SSL folder.

5. To enable SSL on the Tomcat server, the following entry is active in ...common\tomcat\server.xml

6. I have added the server's keychain/certificates and my keychain/certificates to the Windows keystore (via a browser).

7. I am rechecking:
   a) I have the server's keychain / three certificates installed correctly (keystore format, certificates) in ca-bundle.crt. I also have my keychain and private key in ca-bundle.crt. Checking the password is correct (list keystore).
   b) I have my private key and keychain installed in personal.crt.

8. In the default server.xml as installed by Uniface, the keystoreFile points to conf/SSL/server_key. There are also client_key, server_trust and client_trust keystores in the conf/SSL folder. I can't see in the Uniface/Tomcat configs where these are used or relevant.

9. Debugging/solving problems with establishing the SSL link seems to be difficult; the best idea I could come up with is to run a pcap and capture the traffic. I ran a pcap on the connection and I see the following:
   Connection establish request (SYN): server port https
   Connection establish (SYN+ACK): server port https
   I see "Client Hello" sent by my IP to server IP
   I then see "Server Hello" from the server IP to my IP
   I then see Certificate sent from Client IP to My IP
   I see Alert (Level: Fatal, Description: Unknown CA) sent by my IP to the server IP
   Connection reset (RST) by client end
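The capture sequence in point 9 is the standard place to start, and the one fact worth extracting from it is which side raised the fatal alert: a TLS alert is always sent by the party that performed the verification, so a client-originated unknown_ca means the client could not find the issuer of the certificate chain the server presented, which points at the client's CA bundle rather than at its personal certificate. The following Python is an added example (not part of this post, and not Uniface or Tomcat code) that decodes TLS record headers and alert bodies from raw bytes and turns a chain-rejection alert into that statement; the byte strings are constructed, minimal records that mirror the message order above, with the handshake bodies cut to their type byte (real hellos carry randoms, cipher suites and extensions).

```python
"""Decode the record types and the fatal alert seen in a TLS handshake capture.

Added example; the byte strings below are constructed, minimal records and are
not taken from the original capture.
"""
import struct

CONTENT_TYPES = {20: "ChangeCipherSpec", 21: "Alert", 22: "Handshake", 23: "ApplicationData"}
HANDSHAKE_TYPES = {
    1: "ClientHello", 2: "ServerHello", 11: "Certificate", 12: "ServerKeyExchange",
    13: "CertificateRequest", 14: "ServerHelloDone", 15: "CertificateVerify",
    16: "ClientKeyExchange", 20: "Finished",
}
ALERT_LEVELS = {1: "warning", 2: "fatal"}
ALERT_DESCRIPTIONS = {
    0: "close_notify", 40: "handshake_failure", 42: "bad_certificate",
    43: "unsupported_certificate", 44: "certificate_revoked", 45: "certificate_expired",
    46: "certificate_unknown", 48: "unknown_ca", 49: "access_denied",
    51: "decrypt_error", 70: "protocol_version", 116: "certificate_required",
}
# Alert codes that mean "the sender could not validate the peer's certificate chain".
CHAIN_REJECTION_ALERTS = {42, 43, 44, 45, 46, 48}


def parse_record(data: bytes):
    """Split one TLS record into (content type name, version string, body bytes)."""
    if len(data) < 5:
        raise ValueError("record header needs 5 bytes")
    ctype, major, minor, length = struct.unpack("!BBBH", data[:5])
    body = data[5:5 + length]
    if len(body) != length:
        raise ValueError("truncated TLS record")
    return CONTENT_TYPES.get(ctype, f"unknown({ctype})"), f"{major}.{minor}", body


def describe_record(data: bytes, sender: str, receiver: str) -> dict:
    """Name the message in a record and, for an alert, say whose trust store to inspect."""
    ctype, version, body = parse_record(data)
    info = {"type": ctype, "version": version, "sender": sender, "receiver": receiver}
    if ctype == "Handshake" and body:
        info["message"] = HANDSHAKE_TYPES.get(body[0], f"handshake({body[0]})")
    elif ctype == "Alert" and len(body) == 2:
        level, desc = body
        info["level"] = ALERT_LEVELS.get(level, f"level({level})")
        info["description"] = ALERT_DESCRIPTIONS.get(desc, f"alert({desc})")
        if desc in CHAIN_REJECTION_ALERTS:
            # The alert is raised by the side that did the verification, so the
            # certificate that failed belongs to the receiver and the CA store
            # that lacks the issuer is the sender's.
            info["diagnosis"] = (
                f"{sender} rejected the certificate chain presented by {receiver}; "
                f"the issuing CA is missing from {sender}'s trust store"
            )
    return info


def diagnose_capture(capture):
    """Walk (sender, receiver, record) triples; return the first chain-rejection diagnosis or None."""
    for sender, receiver, record in capture:
        info = describe_record(record, sender, receiver)
        if "diagnosis" in info:
            return info["diagnosis"]
    return None


# Constructed capture mirroring the message order in the post.
SAMPLE_CAPTURE = [
    ("client", "server", b"\x16\x03\x01\x00\x04\x01\x00\x00\x00"),  # Handshake: ClientHello
    ("server", "client", b"\x16\x03\x03\x00\x04\x02\x00\x00\x00"),  # Handshake: ServerHello
    ("server", "client", b"\x16\x03\x03\x00\x04\x0b\x00\x00\x00"),  # Handshake: Certificate
    ("client", "server", b"\x15\x03\x03\x00\x02\x02\x30"),          # Alert: fatal (2), unknown_ca (48)
]

if __name__ == "__main__":
    for sender, receiver, record in SAMPLE_CAPTURE:
        print(describe_record(record, sender, receiver))
    print(diagnose_capture(SAMPLE_CAPTURE))
```

Run against the sample, the diagnosis reads "client rejected the certificate chain presented by server; the issuing CA is missing from client's trust store", which is the file to check first when the alert in a real capture leaves the client; had the alert travelled the other way, the server's trust store for client certificates would be the one to look at.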

