Why do I see error as "An IOException was thrown while trying to execute the Http method caused by: iaik.security.ssl.SSLException: Server certificate rejectedby ChainVerifier”
Article ID: KB0089658
Updated On:
| Products | Versions |
|---|---|
| TIBCO ActiveMatrix BusinessWorks | - |
| Not Applicable | - |
Description
Resolution:
NOTE: This FAQ refers to BW 5.2.1 Hotfix 8
the current SSL configurations for BusinessWorks ONLY support bilateral or two-way SSL where BW as a client MUST present a certificate. In EMS, for example, you can have unilateral SSL and the Client need not present a certificate in order to enter into a handshake. Also, EMS allows the Client to explicitly trust the server without specifying any equivalent of the Trusted Certificates folder. About Trusted Certificates folder, In our document, it says:"Location of the trusted certificates on this machine. The trusted certificates are a collection of certificates from servers to whom you will establish connections. If the server you wish to establish a connection to presents a certificate that does not match one of your trusted certificates, the connection is refused. This prevents connections to unauthorized servers. "
you need to have the whole “Chain”, not just the Certificate for the Server; by whole chain, this includes the hierarchy of the Server Certificate itself, the Signing Certificate Authority certificates, and any other intermediate CA certificates up to and including the Root CA certificate. Yes, it is a collection, but I could have a collection of just Server Certificates and no CA certs, which would fail. Connection is refused if you don’t have the certificate *and* you don’t have the full chain.
The above error is caused by not having full chain of certificates.
NOTE: This FAQ refers to BW 5.2.1 Hotfix 8
the current SSL configurations for BusinessWorks ONLY support bilateral or two-way SSL where BW as a client MUST present a certificate. In EMS, for example, you can have unilateral SSL and the Client need not present a certificate in order to enter into a handshake. Also, EMS allows the Client to explicitly trust the server without specifying any equivalent of the Trusted Certificates folder. About Trusted Certificates folder, In our document, it says:"Location of the trusted certificates on this machine. The trusted certificates are a collection of certificates from servers to whom you will establish connections. If the server you wish to establish a connection to presents a certificate that does not match one of your trusted certificates, the connection is refused. This prevents connections to unauthorized servers. "
you need to have the whole “Chain”, not just the Certificate for the Server; by whole chain, this includes the hierarchy of the Server Certificate itself, the Signing Certificate Authority certificates, and any other intermediate CA certificates up to and including the Root CA certificate. Yes, it is a collection, but I could have a collection of just Server Certificates and no CA certs, which would fail. Connection is refused if you don’t have the certificate *and* you don’t have the full chain.
The above error is caused by not having full chain of certificates.
Issue/Introduction
Why do I see error as "An IOException was thrown while trying to execute the Http method caused by: iaik.security.ssl.SSLException: Server certificate rejectedby ChainVerifier”
Feedback
Yes
No
Powered by
