Question


Virtusa
GB
Last activity: 23 Mar 2017 15:17 EDT
Connect-REST, one-way SSL, Caught unhandled exception: javax.net.ssl.SSLPeerUnverifiedException: peer not authenticated
I am invoking Connect-REST to call a REST service enabled with HTTPS one-way SSL. I got the .cer file from the service provider, and I created the keystore.jks file using keytool -importcert -file service.cer -keystore keystore.jks -alias "Alias".
After that I created the keystore rule in Pega, uploaded the keystore.jks file and referred to the keystore rule in the Connect-REST rule. But I am getting Caught unhandled exception: javax.net.ssl.SSLPeerUnverifiedException: peer not authenticated.
Please provide me the remediation steps to fix this issue. Am I missing any steps that need to be performed?
***Updated by moderator: Lochan to update Categories***


JPMorgan Chase & Company
US
Hi,
Could you please confirm whether it is one-way or two-way authentication.
To verify whether two-way SSL is configured in IBM WebSphere, go to the SOAP endpoint (server) WebSphere server console, under SSL certificate and key management > SSL configuration > NodeDefaultSSLSettings > Quality of protection (QoP) settings; Client authentication should be set to "required". If it is set to None, then it is one-way SSL.
Once the SSL connection type has been determined to be one-way SSL, enable DEBUG on the classes below:
1. Add the "-Djava.net.debug=all" JVM argument to print all the transactions during the SSL handshake.
2. Enable DEBUG on the Pega package "com.pega.pegarules.integration.engine.internal.ssl.SSLUtils.java".


Virtusa
GB
This is one-way SSL.


Virtusa
GB
2017-03-02 13:46:18,801 [http-apr-8081-exec-3] [ STANDARD] [ ] ( internal.ssl.SSLUtils) DEBUG Single X509KeyManager found, returning.
2017-03-02 13:46:18,802 [http-apr-8081-exec-3] [ STANDARD] [ ] ( internal.ssl.SSLUtils) DEBUG Single X509TrustManager found, returning.
2017-03-02 13:46:18,802 [http-apr-8081-exec-3] [ STANDARD] [ ] ( internal.ssl.SSLUtils) DEBUG Initializing SSLContext
2017-03-02 13:46:18,803 [http-apr-8081-exec-3] [ STANDARD] [ ] ( internal.ssl.SSLUtils) DEBUG - Adding protocols suggsted by Pega's Data Page
2017-03-02 13:46:18,805 [http-apr-8081-exec-3] [ STANDARD] [ ] ( internal.ssl.SSLUtils) DEBUG - Adding protocols suggsted by Pega's Data Page
2017-03-02 13:46:18,806 [http-apr-8081-exec-3] [ STANDARD] [ ] ( internal.ssl.SSLUtils) DEBUG - No lowest protocol chosen
2017-03-02 13:46:18,814 [http-apr-8081-exec-3] [ STANDARD] [ ] (ector.Rule_Connect_REST.Action) ERROR - javax.net.ssl.SSLPeerUnverifiedException: peer not authenticated
2017-03-02 13:46:18,814 [http-apr-8081-exec-3] [ STANDARD] [ ] (ector.Rule_Connect_REST.Action) ERROR - javax.net.ssl.SSLPeerUnverifiedException: peer not authenticated


Pegasystems Inc.
IN
Also consider checking the dynamic system setting https/allowAllHostnames.
If it is enabled, try disabling it and let us know the outcome.


Virtusa
GB
https/allowAllHostnames is not enabled.


Infosys Technologies
NL
Hi Hari Krishna,
One of the possibilities for the error is that one of the certificates in the certificate chain is missing, which can be verified from the SSL debug logs.
The certificate chain includes the root, intermediate and CA (Certificate Authority) certificates.
SSL debug has to be set at the JVM level; the parameters and process depend on the application server in use.
Once the debug logs are collected, check them to find the missing certificate and add it to the trust store, either at the application level, the application server level or at the JVM level (cacerts file).
Try the above approach; if you are not able to resolve the issue, kindly raise an SR with Pega Support, providing the above details.
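As an added illustration of the missing-chain-link diagnosis described in this answer (not code from the thread or from Pega), the small Java program below validates a server's certificate chain against a JKS trust store with the JDK's own PKIX validator and names the issuer that has no trusted entry. It assumes the chain was saved leaf-first as PEM (for example from openssl s_client -showcerts) and that the trust store is the keystore.jks built with keytool; file names, the ChainCheck class name and the password argument are the example's own.

```java
import java.io.FileInputStream;
import java.io.InputStream;
import java.security.KeyStore;
import java.security.cert.*;
import java.util.ArrayList;
import java.util.List;

/** Checks a server chain (PEM, leaf first) against a JKS trust store and names the missing issuer. */
public class ChainCheck {
    public static void main(String[] args) throws Exception {
        if (args.length != 3) {
            System.err.println("usage: java ChainCheck <chain.pem> <truststore.jks> <storepass>");
            System.exit(2);
        }
        CertificateFactory cf = CertificateFactory.getInstance("X.509");
        List<X509Certificate> chain = new ArrayList<>();
        try (InputStream in = new FileInputStream(args[0])) {
            for (Certificate c : cf.generateCertificates(in)) chain.add((X509Certificate) c);
        }
        if (chain.isEmpty()) { System.err.println("no certificates found in " + args[0]); System.exit(2); }
        KeyStore ts = KeyStore.getInstance("JKS");
        try (InputStream in = new FileInputStream(args[1])) {
            ts.load(in, args[2].toCharArray());
        }
        for (int i = 0; i < chain.size(); i++) {   // print each link so a gap is visible at a glance
            X509Certificate c = chain.get(i);
            System.out.printf("[%d] subject=%s%n    issuer=%s%n", i, c.getSubjectX500Principal(), c.getIssuerX500Principal());
        }
        // A self-signed certificate the server sends (a root, or a bare self-signed service cert) is
        // trusted only if that exact certificate is a trustedCertEntry; it is not validated as a link.
        X509Certificate last = chain.get(chain.size() - 1);
        if (last.getSubjectX500Principal().equals(last.getIssuerX500Principal())) {
            if (ts.getCertificateAlias(last) == null) {
                System.out.println("FAILED: self-signed " + last.getSubjectX500Principal() + " is not in the trust store");
                System.exit(1);
            }
            chain.remove(chain.size() - 1);
            if (chain.isEmpty()) { System.out.println("OK: self-signed certificate is trusted directly"); return; }
        }
        PKIXParameters params = new PKIXParameters(ts);  // trust anchors = every trustedCertEntry in the JKS
        params.setRevocationEnabled(false);              // offline: path building only, no CRL/OCSP lookups
        try {
            CertPathValidator.getInstance("PKIX").validate(cf.generateCertPath(chain), params);
            System.out.println("OK: chain validates against the trust store");
        } catch (CertPathValidatorException e) {
            int i = e.getIndex() >= 0 ? e.getIndex() : chain.size() - 1;
            System.out.println("FAILED: " + e.getMessage());
            System.out.println("No trusted issuer for: " + chain.get(i).getIssuerX500Principal());
            System.exit(1);
        }
    }
}
```

A FAILED line naming an issuer that is absent from the keystore is the "missing certificate" case from this answer; importing that intermediate or root with keytool -importcert and re-running should turn it into OK.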


Pegasystems Inc.
GB
For reference, can you provide the version of PRPC and the version of Java you are using?


Pegasystems Inc.
IN
Hi Hari,
Is Telnet working fine?


Tech Mahindra
CA
We ran into the same issue; we are using 7.1.8 on Apache Tomcat.
Telnet to the service provider on that port is working fine.
In our environment I don't see the DSS https/allowAllHostnames at all.
Is the link below of any importance? It talks about 7.1.9.
https://community.pega.com/support/support-articles/not-able-connect-rest-and-soap-service
Any update on this?