Server certificate rejected by ChainVerifier. How to get all correct certificates?

Article ID: KB0090811

Products Versions
TIBCO ActiveMatrix BusinessWorks -
Not Applicable -

Description

Resolution:
Abstract:
==========
Server certificate rejected by ChainVerifier (How to get all correct certificates?)


Description:
==========
When accessing an HTTPS website via HTTP or SOAP, you may get the following error:

BW-HTTP-100300;An IOException was thrown while trying to execute the Http method

BW-HTTP-100300;Job-2 Error in
...
BW-COMMON-100038 process initialization failed for
...
caused by: Initialization error in
...
caused by: An exception is received [ An exception is received [ while trying to load the certficiate: Server certificate is invalid ] ]


Environment:
==========
TIBCO ActiveMatrix BusinessWorks™ / All


Symptoms:
==========
If you enable tracing for HTTP/SSL with the following properties, the trace output shows the error messages listed below:

bw.plugin.http.server.debug=true
java.property.javax.net.debug=ssl

Error messages:

cert chain is incomplete.  Trying to complete from datastore

could not find trusted CA certificate with DN ...

server verification failed:

com.tibco.security.AXSecurityException: could not find trusted CA certificate with DN ...

ssl_debug(1): Sending alert: Alert Fatal: bad certificate

ssl_debug(1): SSLException while handshaking: Server certificate rejected by ChainVerifier

iaik.security.ssl.SSLException: Server certificate rejected by ChainVerifier


Cause:
==========
The "Server certificate rejected by ChainVerifier" error can be caused by a missing certificate (usually the root CA), a bad certificate, a certificate in the project that does not match the certificate on the server side, etc.


Resolution:
==========
Use Internet Explorer or another browser to download certificates and put them in your BW project. You can also use Portecle to display and save the certificates in the chain.

Instructions for Internet Explorer 8:
- Go to the <web service address> in the browser
- Menu bar -> View -> Security Report -> View Certificates -> Certification Path

Instructions for Portecle:
- Menu bar -> Examine -> Examine SSL/TLS connections -> <Web service address>

---------------------------------------------------

If Portecle cannot show all the certificates, download the certificates with IE or another browser. Before doing so, clear the cached certificates in IE. The steps are as follows (for IE 8):

- Go to Internet Options -> Content -> Certificates -> All tabs -> Select all certificates -> Remove

- Go to the <web service address> in the browser
- Menu bar -> View -> Security Report -> View Certificates -> Details -> Copy to File... -> Certification Path -> click every certification path -> View Certificates -> Details -> Copy to File...

Select the .CER format. Do not use the .p7b format.

Put all certificates into or link them to your BW project.
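
After exporting, you can check that the certificates really form a complete chain before loading them into the project. The following is an added example, not TIBCO code and not how ChainVerifier is implemented: it follows issuer DNs from the server certificate to a self-signed root and returns the first DN that has no certificate, which is the condition behind "could not find trusted CA certificate with DN ...". The function names are hypothetical, the sample certificates are constructed skeletons, names are compared byte for byte, and signatures and validity dates are not checked.

```python
import ssl

def _tlv(buf, pos):
    """Read one DER element at pos; return (tag, value_start, value_end)."""
    tag, length, pos = buf[pos], buf[pos + 1], pos + 2
    if length & 0x80:  # long-form length: low 7 bits give the byte count
        n = length & 0x7F
        length, pos = int.from_bytes(buf[pos:pos + n], "big"), pos + n
    return tag, pos, pos + length

def issuer_and_subject(cert):
    """Return the raw DER issuer and subject Names of one certificate."""
    if cert.lstrip().startswith(b"-----BEGIN"):  # Base64-encoded .CER
        cert = ssl.PEM_cert_to_DER_cert(cert.decode("ascii"))
    _, pos, _ = _tlv(cert, 0)        # Certificate
    _, pos, _ = _tlv(cert, pos)      # tbsCertificate
    tag, _, end = _tlv(cert, pos)    # optional [0] version comes first
    bounds = [end if tag == 0xA0 else pos]
    for _ in range(5):               # serial, sigAlg, issuer, validity, subject
        bounds.append(_tlv(cert, bounds[-1])[2])
    return cert[bounds[2]:bounds[3]], cert[bounds[4]:bounds[5]]

def missing_issuer(leaf, project_certs):
    """Return None if the chain is complete, else the DN with no certificate."""
    by_subject = {issuer_and_subject(c)[1]: c for c in project_certs}
    issuer, subject = issuer_and_subject(leaf)
    for _ in range(len(project_certs) + 1):
        if issuer == subject:        # reached a self-signed root
            return None if subject in by_subject else subject
        if issuer not in by_subject:
            return issuer
        issuer, subject = issuer_and_subject(by_subject[issuer])
    raise ValueError("issuer loop in the supplied certificates")

def _der(tag, body):                 # short-form lengths only (sample data)
    return bytes([tag, len(body)]) + body
def sample_cert(issuer_cn, subject_cn):
    """CONSTRUCTED skeleton certificate: real field layout, no key or signature."""
    def name(cn):
        return _der(0x30, _der(0x31, _der(0x30,
                    _der(0x06, b"\x55\x04\x03") + _der(0x0C, cn.encode()))))
    tbs = (_der(0xA0, _der(0x02, b"\x02")) + _der(0x02, b"\x01") + _der(0x30, b"")
           + name(issuer_cn) + _der(0x30, b"") + name(subject_cn))
    return _der(0x30, _der(0x30, tbs))

ROOT = sample_cert("Constructed Root CA", "Constructed Root CA")
INTERMEDIATE = sample_cert("Constructed Root CA", "Constructed Issuing CA")
LEAF = sample_cert("Constructed Issuing CA", "service.example.test")
print("DN without a certificate:", missing_issuer(LEAF, [INTERMEDIATE]))
```

For real use, pass the bytes of each exported .CER file (DER or Base64) in place of the constructed samples.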

Additional Information

Also see:
KB:22963 (Common errors in TIBCO ActiveMatrix BusinessWorks when using SSL communication.)
KB:29434 (How to turn on detailed ssl/ security trace for debug?)
KB:41334 (Is there any Security(SSL) hardening/best practices/Advanced configuration documentation for TIBCO BusinessWorks/Administrator/Designer?)