Question

I have two web apps that I am installing in WAS 8, and they need to communicate with one another using HTTPS (This may not be the best way to handle communication in WAS, but these apps are provided as is and I typically run them in Tomcat which causes no problems).

In Tomcat, I simply set up a certificate for the server, then I save the client certificate from the web browser and add it to the JVM that executes Tomcat. I have to have the certificate information in both the key store and trust store, since the Tomcat server acts as both client and server (since it is inter-app communication).

I need to set up something similar in WAS. So far, I have gone into the management console and imported the default certificate from the default key store into the default trust store.

After restarting the server and attempting to communicate between the apps, I get the following exception:

R javax.net.ssl.SSLPeerUnverifiedException: peer not authenticated
[5/22/13 8:05:05:353 EDT] 000000ee SystemErr     R  at com.ibm.jsse2.SSLSessionImpl.getPeerCertificates(SSLSessionImpl.java:167)
[5/22/13 8:05:05:353 EDT] 000000ee SystemErr     R  at org.apache.http.conn.ssl.AbstractVerifier.verify(AbstractVerifier.java:128)
[5/22/13 8:05:05:353 EDT] 000000ee SystemErr     R  at org.apache.http.conn.ssl.SSLSocketFactory.connectSocket(SSLSocketFactory.java:390)
[5/22/13 8:05:05:353 EDT] 000000ee SystemErr     R  at org.apache.http.impl.conn.DefaultClientConnectionOperator.openConnection(DefaultClientConnectionOperator.java:148)
[5/22/13 8:05:05:353 EDT] 000000ee SystemErr     R  at org.apache.http.impl.conn.AbstractPoolEntry.open(AbstractPoolEntry.java:149)
[5/22/13 8:05:05:353 EDT] 000000ee SystemErr     R  at org.apache.http.impl.conn.AbstractPooledConnAdapter.open(AbstractPooledConnAdapter.java:121)
[5/22/13 8:05:05:354 EDT] 000000ee SystemErr     R  at org.apache.http.impl.client.DefaultRequestDirector.tryConnect(DefaultRequestDirector.java:562)
[5/22/13 8:05:05:354 EDT] 000000ee SystemErr     R  at org.apache.http.impl.client.DefaultRequestDirector.execute(DefaultRequestDirector.java:415)
[5/22/13 8:05:05:354 EDT] 000000ee SystemErr     R  at org.apache.http.impl.client.AbstractHttpClient.execute(AbstractHttpClient.java:820)
[5/22/13 8:05:05:354 EDT] 000000ee SystemErr     R  at org.apache.http.impl.client.AbstractHttpClient.execute(AbstractHttpClient.java:754)
[5/22/13 8:05:05:354 EDT] 000000ee SystemErr     R  at org.apache.http.impl.client.AbstractHttpClient.execute(AbstractHttpClient.java:732)

Update/More Data:

I added some ssl debugging arguments for the VM and got the following:

[5/22/13 8:40:46:002 EDT] 00000094 SystemOut     O %% Invalidated:  [Session-10, SSL_RSA_WITH_RC4_128_MD5]
[5/22/13 8:40:46:002 EDT] 00000094 SystemOut     O pool-3-thread-1, SEND TLSv1 ALERT:  fatal, description = certificate_unknown
[5/22/13 8:40:46:002 EDT] 00000094 SystemOut     O pool-3-thread-1, WRITE: TLSv1 Alert, length = 2
[5/22/13 8:40:46:003 EDT] 0000005c SystemOut     O WebContainer : 5, READ: TLSv1 Alert, length = 2
[5/22/13 8:40:46:003 EDT] 0000005c SystemOut     O WebContainer : 5, RECV TLSv1 ALERT:  fatal, certificate_unknown
[5/22/13 8:40:46:003 EDT] 00000094 SystemOut     O pool-3-thread-1, called closeSocket()
[5/22/13 8:40:46:003 EDT] 0000005c SystemOut     O WebContainer : 5, fatal: engine already closed.  Rethrowing javax.net.ssl.SSLException: Received fatal alert: certificate_unknown
[5/22/13 8:40:46:003 EDT] 0000005c SystemOut     O WebContainer : 5, fatal: engine already closed.  Rethrowing javax.net.ssl.SSLException: Received fatal alert: certificate_unknown
[5/22/13 8:40:46:003 EDT] 0000005c SystemOut     O WebContainer : 5, called closeOutbound()
[5/22/13 8:40:46:003 EDT] 0000005c SystemOut     O WebContainer : 5, closeOutboundInternal()
[5/22/13 8:40:46:003 EDT] 0000005c SystemOut     O WebContainer : 5, SEND TLSv1 ALERT:  warning, description = close_notify
[5/22/13 8:40:46:003 EDT] 00000094 SystemOut     O pool-3-thread-1, handling exception: javax.net.ssl.SSLHandshakeException: com.ibm.jsse2.util.j: PKIX path building failed: java.security.cert.CertPathBuilderException: PKIXCertPathBuilderImpl could not build a valid CertPath.; internal cause is: 
    java.security.cert.CertPathValidatorException: The certificate issued by CN=rothbard, OU=Root Certificate, OU=rothbardNode01Cell, OU=rothbardNode01, O=IBM, C=US is not trusted; internal cause is: 
    java.security.cert.CertPathValidatorException: Certificate chaining error
[5/22/13 8:40:46:003 EDT] 0000005c SystemOut     O WebContainer : 5, WRITE: TLSv1 Alert, length = 2
[5/22/13 8:40:46:003 EDT] 00000094 SystemOut     O pool-3-thread-1, IOException in getSession():  javax.net.ssl.SSLHandshakeException: com.ibm.jsse2.util.j: PKIX path building failed: java.security.cert.CertPathBuilderException: PKIXCertPathBuilderImpl could not build a valid CertPath.; internal cause is: 
    java.security.cert.CertPathValidatorException: The certificate issued by CN=rothbard, OU=Root Certificate, OU=rothbardNode01Cell, OU=rothbardNode01, O=IBM, C=US is not trusted; internal cause is: 
    java.security.cert.CertPathValidatorException: Certificate chaining error
[5/22/13 8:40:46:003 EDT] 0000005c SystemOut     O WebContainer : 5, called closeInbound()
[5/22/13 8:40:46:003 EDT] 0000005c SystemOut     O WebContainer : 5, closeInboundInternal()
[5/22/13 8:40:46:003 EDT] 0000005c SystemOut     O WebContainer : 5, closeOutboundInternal()
[5/22/13 8:40:46:004 EDT] 00000094 SystemOut     O pool-3-thread-1, called close()
[5/22/13 8:40:46:004 EDT] 00000094 SystemOut     O pool-3-thread-1, called closeInternal(true)

MORE: I have reproduced the problem, or at least a similar problem, outside of WAS using http-client, which might be where the actual problem lies. So, the question may be how to properly get http-client to use chained certificates from WAS.


Solution

My particular issue was ultimately caused by the fact that I needed to import the entire certificate chain into the JVM's trusted certificates and not just the certificate for the web application alone.
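The path-building failure from the log and the fix from the answer, modelled as an added example (Go's standard-library X.509 verifier standing in for the JVM's PKIX validator; this is not code from the question, the answer, WAS or http-client). The root -> node CA -> server hierarchy and all names are constructed; the only thing taken from the page is the shape of the problem: a server certificate issued by a private root, and a trust store that must hold every issuer the client cannot otherwise obtain.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/x509"
	"crypto/x509/pkix"
	"math/big"
	"time"
)

// issue signs a minimal certificate for cn with parentKey; a nil parent makes it
// self-signed, the shape of a private cell root CA. Constructed test PKI only.
func issue(cn string, ca bool, parent *x509.Certificate, parentKey *ecdsa.PrivateKey) (*x509.Certificate, *ecdsa.PrivateKey) {
	key, _ := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	tmpl := &x509.Certificate{SerialNumber: big.NewInt(time.Now().UnixNano()),
		Subject: pkix.Name{CommonName: cn}, IsCA: ca, BasicConstraintsValid: true,
		NotBefore: time.Now().Add(-time.Hour), NotAfter: time.Now().Add(24 * time.Hour)}
	if parent == nil { // self-signed: the template is its own issuer
		parent, parentKey = tmpl, key
	}
	der, err := x509.CreateCertificate(rand.Reader, tmpl, parent, &key.PublicKey, parentKey)
	if err != nil {
		panic(err)
	}
	cert, _ := x509.ParseCertificate(der)
	return cert, key
}

// PathBuilds plays the client's trust manager: the server presented leaf plus the
// certificates in sent, and the client's trust store holds store. A non-nil error
// is the Go counterpart of "PKIX path building failed ... Certificate chaining error".
func PathBuilds(leaf *x509.Certificate, sent, store []*x509.Certificate) error {
	roots, inter := x509.NewCertPool(), x509.NewCertPool()
	for _, c := range store { roots.AddCert(c) } // what was imported into the trust store
	for _, c := range sent { inter.AddCert(c) }  // what the server put on the wire
	_, err := leaf.Verify(x509.VerifyOptions{Roots: roots, Intermediates: inter})
	return err
}

// Scenarios builds a constructed PKI (root -> node CA -> server cert) and tries the
// trust-store layouts that decide between a chaining error and a clean handshake.
func Scenarios() map[string]error {
	root, rootKey := issue("cell root", true, nil, nil)
	node, nodeKey := issue("node ca", true, root, rootKey)
	leaf, _ := issue("app.example.test", false, node, nodeKey)
	c := func(cs ...*x509.Certificate) []*x509.Certificate { return cs }
	return map[string]error{
		"root in store, server sends full chain": PathBuilds(leaf, c(node), c(root)),
		"root in store, server sends leaf only":  PathBuilds(leaf, c(), c(root)),
		"entire chain in store, leaf only sent":  PathBuilds(leaf, c(), c(root, node)),
	}
}
```

The second case is the one in the question: the trust store has a valid anchor, but the intermediate issuer is neither sent by the server nor present in the store, so no path can be built. Importing the entire chain (third case) closes that gap regardless of what the server sends.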

Licensed under: CC-BY-SA with attribution
Not affiliated with StackOverflow