Question
Pega 8.6.1 LinuxLite - SSL / TLS 1.2 for Service REST - SSLHandshareException
With the Pega 8.6.1. LinuxLite VM from the CLSA Course, I noticed that Port 8443 is enabled for SSL. I was able to log into the User Portal using that port, despite getting a Cert warning from Chrome.
However, I run into a problem when I tried to test out OAuth2 for Service REST. I was able to call the Service REST from outside from VM using POSTMAN using the https URL on port 8443, I was not able to call the same Service REST from another application in the same VM.
I got the following error message:
Caught unhandled exception: java.lang.RuntimeException: javax.net.ssl.SSLHandshakeException: PKIX path building failed: sun.security.provider.certpath.SunCertPathBuilderException: unable to find valid certification path to requested target
I saw these two articles:
https://community.pega.com/support/support-articles/exception-while-connecting-external-service
I followed the steps to add
JAVA_OPTS="$JAVA_OPTS -Dcom.sun.security.enableAIAcaIssuers=true"
But it didn't fix the issue.
Has anybody encountered this problem with LinuxLite VM? Is Port 8443 supposed to be usable?
Thx in advance.
Terence
Accepted Solution
Here are some files for you. This will allow you to have a secured connection on https://localhost:8443 only.
Steps:
Copy these files into the VM for instance in /opt/tomcat/webapps/ROOT/
- /opt/tomcat/webapps/ROOT/keystore.p12
- /opt/tomcat/webapps/ROOT/RootCA.crt
Open /opt/tomcat/conf/server.xml and replace the connectors with something like this (Change the property "keystoreFile" to point to your file):
<Connector port="8443" protocol="org.apache.coyote.http11.Http11NioProtocol"
maxThreads="25" SSLEnabled="true" acceptCount="100" clientAuth="false"
disableUploadTimeout="true" enableLookups="false"
scheme="https" secure="true" sslProtocol="TLS"
keystoreFile="/opt/tomcat/webapps/ROOT/keystore.p12" keystorePass="password" keystoreType="PKCS12" />
sudo password = password
Ensure tomcat can acccess the file p12:
sudo chown -R tomcat:tomcat /opt/tomcat/webapps/ROOT/Restart Tomcat
sudo service tomcat restartOpen firefox settings/certificate remove the existing if any and add the RootCA.crt (FF will say the connection is now secured)
Open up a console:
Here are some files for you. This will allow you to have a secured connection on https://localhost:8443 only.
Steps:
Copy these files into the VM for instance in /opt/tomcat/webapps/ROOT/
- /opt/tomcat/webapps/ROOT/keystore.p12
- /opt/tomcat/webapps/ROOT/RootCA.crt
Open /opt/tomcat/conf/server.xml and replace the connectors with something like this (Change the property "keystoreFile" to point to your file):
<Connector port="8443" protocol="org.apache.coyote.http11.Http11NioProtocol"
maxThreads="25" SSLEnabled="true" acceptCount="100" clientAuth="false"
disableUploadTimeout="true" enableLookups="false"
scheme="https" secure="true" sslProtocol="TLS"
keystoreFile="/opt/tomcat/webapps/ROOT/keystore.p12" keystorePass="password" keystoreType="PKCS12" />
sudo password = password
Ensure tomcat can acccess the file p12:
sudo chown -R tomcat:tomcat /opt/tomcat/webapps/ROOT/Restart Tomcat
sudo service tomcat restartOpen firefox settings/certificate remove the existing if any and add the RootCA.crt (FF will say the connection is now secured)
Open up a console:
sudo keytool -import -alias example -cacerts -file /opt/tomcat/webapps/ROOT/RootCA.crt
sudo pwd = password
The default password is: changeit
Now you can do REST over SSL
Hello,
Is it feasible for you to download the latest version of the LSA VM? We have fixed the problem. If not then let's try these steps:
The problem is the certificate is not in the Java truststore so you need to add it
Is there a certificate in /opt/tomcat/webapps/ROOT/sslcerts/? RootCA.crt?
open up a console: sudo keytool -import -alias example -cacerts -file RootCA.crt
sudo pwd = password
The default password is: changeit
Now you shouldn't have a SSL handshake issue.
Note: You should be able to add the certificate into your VM browsers (FireFox and Chrome to be full https)
Please PM me if needed so we can progress on that and provide a solution to everyone
I have downloaded the LinuxLite image again.
https://academy.pega.com/topic/pclsa-mission-challenges/v2/in/29551/29561
I ran a comparison with the one that I used, which I downloaded last year in October, the two files are exactly the same.
Also, I wasn't able to see any certificate in /opt/tomcat/webapps/ROOT/sslcerts/, and not able to find RootCA.crt.
Attached is the screenshot of the server.xml. Not sure if that helps.
@Damien hi, please can you share the link to the latest VM version which has this issue resolved. I'm too facing this issue from the VM downloaded from the link Creating the booking and FSG applications | Pega Academy and unable to resolve.
Accepted Solution
Here are some files for you. This will allow you to have a secured connection on https://localhost:8443 only.
Steps:
Copy these files into the VM for instance in /opt/tomcat/webapps/ROOT/
- /opt/tomcat/webapps/ROOT/keystore.p12
- /opt/tomcat/webapps/ROOT/RootCA.crt
Open /opt/tomcat/conf/server.xml and replace the connectors with something like this (Change the property "keystoreFile" to point to your file):
<Connector port="8443" protocol="org.apache.coyote.http11.Http11NioProtocol"
maxThreads="25" SSLEnabled="true" acceptCount="100" clientAuth="false"
disableUploadTimeout="true" enableLookups="false"
scheme="https" secure="true" sslProtocol="TLS"
keystoreFile="/opt/tomcat/webapps/ROOT/keystore.p12" keystorePass="password" keystoreType="PKCS12" />
sudo password = password
Ensure tomcat can acccess the file p12:
sudo chown -R tomcat:tomcat /opt/tomcat/webapps/ROOT/Restart Tomcat
sudo service tomcat restartOpen firefox settings/certificate remove the existing if any and add the RootCA.crt (FF will say the connection is now secured)
Open up a console:
Here are some files for you. This will allow you to have a secured connection on https://localhost:8443 only.
Steps:
Copy these files into the VM for instance in /opt/tomcat/webapps/ROOT/
- /opt/tomcat/webapps/ROOT/keystore.p12
- /opt/tomcat/webapps/ROOT/RootCA.crt
Open /opt/tomcat/conf/server.xml and replace the connectors with something like this (Change the property "keystoreFile" to point to your file):
<Connector port="8443" protocol="org.apache.coyote.http11.Http11NioProtocol"
maxThreads="25" SSLEnabled="true" acceptCount="100" clientAuth="false"
disableUploadTimeout="true" enableLookups="false"
scheme="https" secure="true" sslProtocol="TLS"
keystoreFile="/opt/tomcat/webapps/ROOT/keystore.p12" keystorePass="password" keystoreType="PKCS12" />
sudo password = password
Ensure tomcat can acccess the file p12:
sudo chown -R tomcat:tomcat /opt/tomcat/webapps/ROOT/Restart Tomcat
sudo service tomcat restartOpen firefox settings/certificate remove the existing if any and add the RootCA.crt (FF will say the connection is now secured)
Open up a console:
sudo keytool -import -alias example -cacerts -file /opt/tomcat/webapps/ROOT/RootCA.crt
sudo pwd = password
The default password is: changeit
Now you can do REST over SSL
Hi Damien,
I followed the instructions given above but still running onto the same issue.
1. After adding RootCA.crt in Firefox, it didn't show connection is secure.
2. Console shows below error after keystore password is entered: Enter keystore password: keytool error: java.io.FileNotFoundException: RootCA.crt (No such file or directory)
Please let me know if I am missing something.
Thank you.
Regards,
Jayashree