Question
Nordea
SE
Last activity: 16 Oct 2018 12:03 EDT
WS-Security Certificate validation failed
Hi,
We are facing an issue in our project when trying to set up WS-Security. A certificate chain is used here and the certificates are kept in the following way –
- The root and the intermediate certs are kept in the Pega truststore
- The client is signing the request using a leaf cert
The request is failing and we see the following error in the logs and in the response –
```
<soap:Fault>
<faultcode>wsse:FailedAuthentication</faultcode>
<faultstring>Certificate validation failed</faultstring>
</soap:Fault>
```
The application is running on WebSphere [proprietary information hidden]
We have been able to replicate the issue using SOAP UI by following these steps –
1) Create a 3-level key pair using KeyStore Explorer.
A -- B (A) -- C(B)
2) Use this jks as keystore in SOAP UI.
3) Export certificates A.cer (root), B.cer (immediate), C.cer (leaf) from KeyStore Explorer.
4) Create a jks file and import B.cer into this. Use this jks file as truststore in the ws-security profile instance.
5) Use this ws-security profile to enable web security for a SOAP service.
6) The web security configuration uses in-flow as below
   - Signature Algorithm - RSA-SHA1
   - Digest - SHA256
   - Signature Key Identifier - Binary Security Token
7) Invoke the SOAP service from SOAP UI using that keystore in the outgoing WS-Security configuration. Use B as alias so that the signature has to check certificate B
We raised an SR for this and got the following reply –
ROOT CAUSE
Issue with IBM WebSphere
RESOLUTION
Please follow the resolution IBM suggested in the following link.
http://www-01.ibm.com/support/docview.wss?uid=swg21651084
We have also tried this, but the issue did not resolve.
Has anyone faced this issue? If yes, then how did you resolve it?
Thanks
Deepankar
**Moderation Team has archived post**
This post has been archived for educational purposes. Contents and links will no longer be updated. If you have the same/similar question, please write a new post.
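
The following is an added example, not part of the original post or of Pega's or IBM's tooling. It rebuilds the A -> B -> C chain from the reproduction steps with the openssl CLI and checks the leaf against three trust sets, which helps tell a broken chain apart from a validator-side problem. File names, subjects and key sizes are constructed for illustration.

```shell
#!/bin/sh
# Added example: constructed A -> B -> C chain; all names are illustrative.
WORK=$(mktemp -d)
trap 'rm -rf "$WORK"' EXIT

# Generate a key and a CSR for the subject named in $1.
mk_csr() {
  openssl req -new -newkey rsa:2048 -nodes -keyout "$WORK/$1.key" \
    -out "$WORK/$1.csr" -subj "/CN=$1" 2>/dev/null
}

build_chain() {
  printf 'basicConstraints=critical,CA:TRUE\n' > "$WORK/ca.ext"
  mk_csr A && mk_csr B && mk_csr C || return 1
  # A: self-signed root CA
  openssl x509 -req -in "$WORK/A.csr" -signkey "$WORK/A.key" -days 1 \
    -extfile "$WORK/ca.ext" -out "$WORK/A.pem" 2>/dev/null || return 1
  # B: intermediate CA issued by A
  openssl x509 -req -in "$WORK/B.csr" -CA "$WORK/A.pem" -CAkey "$WORK/A.key" \
    -CAcreateserial -days 1 -extfile "$WORK/ca.ext" -out "$WORK/B.pem" 2>/dev/null || return 1
  # C: leaf issued by B (the certificate the client signs with)
  openssl x509 -req -in "$WORK/C.csr" -CA "$WORK/B.pem" -CAkey "$WORK/B.key" \
    -CAcreateserial -days 1 -out "$WORK/C.pem" 2>/dev/null
}

# Root A is the trust anchor; B is supplied only as an untrusted helper cert.
verify_full() {
  openssl verify -CAfile "$WORK/A.pem" -untrusted "$WORK/B.pem" "$WORK/C.pem" >/dev/null 2>&1
}
# Trust set holds only B (step 4 of the repro). By default OpenSSL keeps
# building the path until it reaches a self-signed certificate, so this fails.
verify_b_only() {
  openssl verify -CAfile "$WORK/B.pem" "$WORK/C.pem" >/dev/null 2>&1
}
# Same trust set, but a non-self-signed trusted cert is accepted as the anchor.
verify_b_partial() {
  openssl verify -partial_chain -CAfile "$WORK/B.pem" "$WORK/C.pem" >/dev/null 2>&1
}

build_chain || { echo "openssl chain build failed" >&2; exit 1; }
for check in verify_full verify_b_only verify_b_partial; do
  if $check; then echo "$check: OK"; else echo "$check: FAILED"; fi
done
```

The three outcomes show only how OpenSSL treats each trust set; the validator inside the application server may apply different rules. Running the same checks on the exported A.cer, B.cer and C.cer confirms whether the certificates themselves chain correctly before looking at the server configuration.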