We are using Pega Platform 7.2.2 on Tomcat 8.5.15. We are making calls using SOAP Connectors over HTTPS as a client, but the server is presenting a certificate that has a CRLDP extension with an invalid URI. Is there a way to turn off CRL checking of a certificate within Pega? Tomcat has a crlFile attribute which, if not defined, means it should not check against a CRL; however, this doesn't affect the Pega behaviour.
The error happens from the InvokeAxis2 activity, but the exception is thrown from “sun.security.ssl.X509TrustManagerImpl.validate(X509TrustManagerImpl.java:326) at sun.security.ssl.X509TrustManagerImpl.checkTrusted”. Are there any extension points within the Private API to modify behaviour of these classes?
The simple answer here is to request that the service provider fix their certificate problem. The root of your issue is that the security mechanisms built into Pega and Java are reacting correctly to issues with the certificate presented by the service.
Posted: 28 Mar 2018 6:51 EDT
Ricky Grice (gricr1)
Technical Solutions Director
Thanks for the comment, HOULJ; if only it were that simple. That was the first choice, but the impact to other applications and certificates means that is not an option. I appreciate that checking the CRL is standard security practice, but some app/web servers have the ability to turn this feature off, specifically Tomcat in this instance. However, this seems to have been overwritten within Pega.
I'm looking for ideas on how we can turn off this feature in Pega, either through using existing attributes/flags such as the ones used by Tomcat, or through changing the behaviour of the way the Private API calls the TrustManager.
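Editor's note on the two requests above (the original question and this follow-up): in the JDK's own PKIX trust manager, revocation checking on outbound TLS connections is governed by the JVM system properties `com.sun.net.ssl.checkRevocation` (master switch) and `com.sun.security.enableCRLDP` (fetch CRLs from the certificate's Distribution Points), while Tomcat's `crlFile` connector attribute only applies to client certificates the connector itself authenticates, not to HTTPS calls the application makes. Where code controls the SSLContext, the middle ground between "check CRLs and fail on a bad URI" and "switch checking off" is the standard `PKIXRevocationChecker` in SOFT_FAIL mode: a CRL that cannot be fetched or parsed leaves the status undetermined and is tolerated, but a CRL or OCSP response that positively reports the certificate as revoked still aborts the handshake. The example below is added here and is not Pega's code or the poster's; it uses only public JDK 8+ APIs and assumes a PKCS12/JKS truststore path, its password and a target URL as command-line arguments (all assumptions). Whether Pega's SOAP connector can be pointed at such a custom SSLContext is not something this thread establishes.

```java
import java.io.FileInputStream;
import java.io.InputStream;
import java.net.URL;
import java.security.KeyStore;
import java.security.cert.CertPathBuilder;
import java.security.cert.PKIXBuilderParameters;
import java.security.cert.PKIXRevocationChecker;
import java.security.cert.X509CertSelector;
import java.util.EnumSet;
import javax.net.ssl.CertPathTrustManagerParameters;
import javax.net.ssl.HttpsURLConnection;
import javax.net.ssl.SSLContext;
import javax.net.ssl.TrustManagerFactory;

/**
 * Added example (not part of the original thread): an HTTPS client whose PKIX
 * trust manager checks revocation in SOFT_FAIL mode instead of either failing
 * on an unusable CRL Distribution Point or disabling revocation checks.
 */
public final class SoftFailRevocationClient {

    /** Builds an SSLContext that tolerates unavailable revocation data but still honours a positive "revoked". */
    public static SSLContext buildContext(KeyStore trustStore) throws Exception {
        CertPathBuilder cpb = CertPathBuilder.getInstance("PKIX");
        PKIXRevocationChecker rc = (PKIXRevocationChecker) cpb.getRevocationChecker();
        rc.setOptions(EnumSet.of(
                PKIXRevocationChecker.Option.SOFT_FAIL,     // undetermined status (unreachable/unparseable CRL) is not fatal
                PKIXRevocationChecker.Option.PREFER_CRLS,   // consult CRLs before OCSP
                PKIXRevocationChecker.Option.NO_FALLBACK)); // do not fall back to the other mechanism

        PKIXBuilderParameters pkix = new PKIXBuilderParameters(trustStore, new X509CertSelector());
        // Adding a PKIXRevocationChecker replaces the provider's default revocation logic for this context.
        // Fetching CRLs from the certificate's CRLDP extension still requires
        // -Dcom.sun.security.enableCRLDP=true on the JVM; without it only CRLs supplied via CertStores are used.
        pkix.addCertPathChecker(rc);

        TrustManagerFactory tmf = TrustManagerFactory.getInstance("PKIX");
        tmf.init(new CertPathTrustManagerParameters(pkix));

        SSLContext ctx = SSLContext.getInstance("TLS");
        ctx.init(null, tmf.getTrustManagers(), null);
        return ctx;
    }

    /** Loads the truststore the example trusts (assumed path and password; JKS or PKCS12). */
    public static KeyStore loadTrustStore(String path, char[] password) throws Exception {
        KeyStore ks = KeyStore.getInstance(KeyStore.getDefaultType());
        try (InputStream in = new FileInputStream(path)) {
            ks.load(in, password);
        }
        return ks;
    }

    public static void main(String[] args) throws Exception {
        if (args.length != 3) {
            System.err.println("usage: SoftFailRevocationClient <truststore> <password> <https-url>");
            System.exit(2);
        }
        SSLContext ctx = buildContext(loadTrustStore(args[0], args[1].toCharArray()));
        // Only this connection uses the soft-fail context; the JVM default SSLContext is untouched.
        HttpsURLConnection conn = (HttpsURLConnection) new URL(args[2]).openConnection();
        conn.setSSLSocketFactory(ctx.getSocketFactory());
        System.out.println("HTTP " + conn.getResponseCode() + " from " + args[2]);
    }
}
```

The design choice worth noting is scope: the soft-fail policy is attached to one SSLContext and applied per connection, so it can be confined to the single endpoint whose certificate carries the bad CRLDP URI rather than weakening revocation checking for every other service the platform talks to, which is the impact the thread is trying to avoid.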
Posted: 28 Mar 2018 11:48 EDT
Jeff Houle (HOULJ)
Senior Software Engineer
As you seem intent on discussing the Pega Platform's internals, I am going to avoid further comments in this public space.
You are welcome to contact me via an internal channel about this, if you have further questions or ideas.