Question
Last activity: 6 Oct 2015 4:49 EDT
Connect REST:-"** Caught unhandled exception: javax.net.ssl.SSLPeerUnverifiedException: peer not authenticated" ---7.1.9
Hi,
By using Connect-Rest ,Unable to make connectivity to the authenticated service ,as getting the below exception.
** Caught unhandled exception: javax.net.ssl.SSLPeerUnverifiedException: peer not authenticated.
After refer the couple of articles ,it's a bug with pega operating system .
Couple of articles in PDN provides the resolution for this issue ,but i was confused by having different approaches .
Approach 1:- I saw a post saying that this issue was addressed in SR-A3349. Has it been addressed in 7.1.9 version ?
Approach 2:-there is a post saying that the following JVM arguments needs to be added to the environment. How to do that ?
-Djavax.net.ssl.keyStore=C:/tomcat/client_keystore.keystore
-Djavax.net.ssl.keyStorePassword=client_keystore_pw_mypassword
Hi,
By using Connect-Rest ,Unable to make connectivity to the authenticated service ,as getting the below exception.
** Caught unhandled exception: javax.net.ssl.SSLPeerUnverifiedException: peer not authenticated.
After refer the couple of articles ,it's a bug with pega operating system .
Couple of articles in PDN provides the resolution for this issue ,but i was confused by having different approaches .
Approach 1:- I saw a post saying that this issue was addressed in SR-A3349. Has it been addressed in 7.1.9 version ?
Approach 2:-there is a post saying that the following JVM arguments needs to be added to the environment. How to do that ?
-Djavax.net.ssl.keyStore=C:/tomcat/client_keystore.keystore
-Djavax.net.ssl.keyStorePassword=client_keystore_pw_mypassword
-Djavax.net.ssl.trustStore= C:/tomcat/client_truststore.keystore
-Djavax.net.ssl.trustStorePassword= client_truststore_pw_mypassword
Approach 3:- I could see one more article in PDN for the same issue.
Please suggest me the best approach for 7.1.9 version.
Accepted Solution
Pegasystems Inc.
GB
Hi Brahmeswara,
The video posted by Aditya is definately the way to go: it shows how to associate a 'Security Profile' with the Connect SOAP Rule.
What you need to do before that (not shown in the video) is to create 'JKS' file outside of PRPC and import the certficiate into it: you can then upload the JKS file itself to PRPC*
To create a JKS file and upload a trusted certficaite you can use the standard JVM tool 'keytool' for this - or you can use GUI-based programs to make it a bit easier - personally I quite like the 'Keystore Explorer' - but up to you.
Thanks
John
[ *What I have done in the past by mistake is to think that you have upload the certificate file itself into PRPC; this is not correct; the Certficate has to exist within a JKS file and that is uploaded to PRPC. ]
Solution suggested in Approach 1 has been now been fixed in the code in Pega 719.
Its good practice to let Pega manage the keystore for SSL handshake rather than passing them as a JVM arguments. Did you try passing the truststore in the Connect-REST's Service tab?
Thanks Aditya for your response,
truststore is not configured under service settings , and if it's required to be configured then please help me out with the configuration.
I could see that it's an instances of DATA-ADMIN-SECURITY-KEYSTORE" class.but not sure how to configure the filename/type/password.
Following Discussion should give you more information:
For your question on what should be in the truststore watch the following video (You need to mention the value for truststore, if this is 1-WAY SSL):
https://mesh.pega.com/meshvideos/5590
Truststore should contain the trust certificates inside the JKS file provided to you by your REST service endpoint team.
Accepted Solution
Pegasystems Inc.
GB
Hi Brahmeswara,
The video posted by Aditya is definately the way to go: it shows how to associate a 'Security Profile' with the Connect SOAP Rule.
What you need to do before that (not shown in the video) is to create 'JKS' file outside of PRPC and import the certficiate into it: you can then upload the JKS file itself to PRPC*
To create a JKS file and upload a trusted certficaite you can use the standard JVM tool 'keytool' for this - or you can use GUI-based programs to make it a bit easier - personally I quite like the 'Keystore Explorer' - but up to you.
Thanks
John
[ *What I have done in the past by mistake is to think that you have upload the certificate file itself into PRPC; this is not correct; the Certficate has to exist within a JKS file and that is uploaded to PRPC. ]