Tips for calling an SSL/HTTPS-based URL
Added by IBM on June 28, 2011 | Version 1 (Original)
For issues relating to conflicts and untrusted certificate errors, note that your keys/certificates need to be installed with the correct JVM.
The Java VM typically ships with known/trusted Certificate Authority (CA) certificates under jre/lib/security in a file called cacerts. In some cases, the CA certificates shipped with the JVM do not include the CA certificate used to sign the SSL server certificate in use on the server you are trying to make a service call to.
Troubleshooting tools and tips
- Java ships with a keytool for managing/creating keys and certificates.
- WebSphere AppServer ships with an ikeyman tool specifically for managing the keys/certificates associated with the application server and its JVM.
- You can use a browser to load the https URL from the destination server, then right-click in the page, click the Certificates button, and export the server certificate chain (in DER format), for example as: C:\temp\cert.crt.
Run ../AppServer/bin/ikeyman.bat and open the ../AppServer/java/jre/lib/security/cacerts file.
Note: The default password for these Java CA certificate files is typically changeit (all one word, all lower case). Verify whether the CA cert that signed this particular SSL server's cert is present; if it is not there, import it from the C:\temp\cert.crt file, using the Add button.
- For other Java VMs not embedded with WebSphere, you should use the key tool (ikeyman or keytool) that ships with that JVM.
- For Tomcat, see http://tomcat.apache.org/tomcat-5.5-doc/ssl-howto.html.
- For Eclipse, you will also need to know which Java VM you're using if you have multiple, so that you install the cert(s) into the correct Java key store(s). For example, Eclipse -> Window -> Preferences -> Java -> Installed JREs.
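The check described in the steps above can also be run from code, which shows which JVM and cacerts file a process actually uses and whether the exported certificate is already trusted. This is an added example, not IBM's code; the class name TrustStoreCheck is hypothetical, and it assumes the trust store is the JVM's cacerts file protected by the given password (changeit by default).

```java
import java.io.File;
import java.io.FileInputStream;
import java.security.KeyStore;
import java.security.MessageDigest;
import java.security.cert.Certificate;
import java.security.cert.CertificateFactory;
import java.security.cert.X509Certificate;
import java.util.Collections;

// Added example; TrustStoreCheck is a hypothetical name. Run it with the JVM that makes the call:
//   java TrustStoreCheck C:\temp\cert.crt [truststore-password]
public class TrustStoreCheck {
    public static void main(String[] args) throws Exception {
        if (args.length < 1) throw new IllegalArgumentException("usage: TrustStoreCheck <cert-file> [password]");
        // java.home shows which JVM, and so which cacerts file, this process really uses.
        String home = System.getProperty("java.home");
        File cacerts = new File(home, "lib/security/cacerts");
        if (!cacerts.isFile()) cacerts = new File(home, "jre/lib/security/cacerts");
        System.out.println("JVM home:    " + home);
        System.out.println("Trust store: " + cacerts);
        // If this property is set, the JVM's SSL code uses that file instead of cacerts.
        System.out.println("javax.net.ssl.trustStore: " + System.getProperty("javax.net.ssl.trustStore"));
        KeyStore ks = KeyStore.getInstance(KeyStore.getDefaultType());
        try (FileInputStream in = new FileInputStream(cacerts)) {
            ks.load(in, (args.length > 1 ? args[1] : "changeit").toCharArray());
        }
        try (FileInputStream in = new FileInputStream(args[0])) {
            // Handles a single DER/PEM certificate or an exported chain.
            for (Certificate c : CertificateFactory.getInstance("X.509").generateCertificates(in)) {
                X509Certificate cert = (X509Certificate) c;
                StringBuilder fp = new StringBuilder();
                for (byte b : MessageDigest.getInstance("SHA-256").digest(cert.getEncoded())) {
                    fp.append(String.format("%02X", b));
                }
                System.out.println("Subject: " + cert.getSubjectX500Principal().getName());
                System.out.println("  SHA-256:           " + fp);
                System.out.println("  In trust store as: " + ks.getCertificateAlias(cert));
                // Look for a trusted entry whose key actually verifies this certificate's signature.
                String signer = null;
                for (String alias : Collections.list(ks.aliases())) {
                    try { cert.verify(ks.getCertificate(alias).getPublicKey()); signer = alias; break; }
                    catch (Exception notTheSigner) { /* try the next trusted certificate */ }
                }
                System.out.println("  Signed by trusted: " + signer);
            }
        }
    }
}
```

A value of null on both of the last two lines means this JVM does not trust the certificate or its signer. Compare the printed SHA-256 fingerprint with one obtained from the server's owner through a separate channel before importing the certificate with the Add button.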
For more detailed information, see the Java and WebSphere documentation relating to the configuration of CA certificates.