We have an issue with a JavaCallout step: we have a .jar class that calls an https:// (TLS/SSL) service, and this step throws this exception:
javax.net.ssl.SSLHandshakeException: sun.security.validator.ValidatorException: PKIX path building failed: sun.security.provider.certpath.SunCertPathBuilderException: unable to find valid certification path to requested target
We installed the certificate in Apigee private cloud with the curl command. To build the curl command correctly we use this:
We create a keystore with this:
http://apigee.com/docs/management/apis/post/organi...
When we see the apigee admin web page the certificate is correctly installed.
What we didn't do is to upload .jar in the keystore.
http://apigee.com/docs/management/apis/post/organi...
---------------------------------------------
We have created a keystore with a certificate using keytool command in a local machine.
We have debugged the .jar class that calls the https:// (TLS/SSL) service inside the Eclipse environment, and it returns the expected response.
We don't know what to do. What do you recommend we do?
This configuration is an Apigee on-premises installation, v15.04.15, (7) nodes.
Regards,
We got the solution to this problem:
We downloaded the certificate, which for this example we named certificateCompanyAPIExample. You can download it from the browser by opening the https:// SSL service (accept and download the certificate). The other way is to use the openssl command to print the certificate on your screen; then you have to copy and paste that text into a file and save it with any of these extensions: ".cer", ".pem", ".der", ".crt".
Command openssl example:
C:\Users\peter>openssl s_client -connect services.organization.com:443
Server certificate
-----BEGIN CERTIFICATE-----
MIIF3jCCBMagAwIBAgIBAjANBgkqhkiG9w0BAQsFADCB6TELMAkGA1UEBhMCQ0wx ETAPBgNVBAgTCFNhbnRpYWdvMREwDwYDVQQHEwhTYW50aWFnbzElMCMGA1UEChQc O2+NF5vQ765pEwXawpVob6QHBiBJIeSk4ZbfjTavHS6oo6B4T1izKUX0A1AY4PN+
-----END CERTIFICATE-----
Then you have to copy this certificate to every node in your cluster.
Then you have to import the certificate with the keytool provided by java.
cd /usr/java/jdk1.7.0_55/jre/bin
./keytool -importcert -file /usr/java/jdk1.7.0_55/jre/lib/security/certificateCompanyAPIExample -keystore /usr/java/jdk1.7.0_55/jre/lib/security/cacerts
If everything is OK, the only thing you must do is restart every MP in your cluster, one by one.
Now try executing your API again, with the JavaCallout step calling the https service.
Best regards,
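The steps from the post above, collected into shell functions as an added example (not part of the original post and not Apigee tooling); it also prints the certificate's SHA-256 fingerprint so it can be confirmed with the service owner before being trusted, and imports under an explicit alias. The host, alias and paths in the comments are the post's example values used as placeholders, and the sample `s_client` output is constructed.

```shell
#!/usr/bin/env bash
# Added example: fetch, check and import a server certificate into a JVM trust store.

# Print only the first PEM certificate block (the server's own certificate)
# from `openssl s_client` output read on stdin.
extract_leaf_pem() {
  awk '/-----BEGIN CERTIFICATE-----/ {on=1}
       on {print}
       /-----END CERTIFICATE-----/ {if (on) exit}'
}

# Fetch the certificate the server presents; </dev/null ends the session at once.
fetch_leaf_pem() {   # usage: fetch_leaf_pem HOST PORT
  openssl s_client -connect "$1:$2" -servername "$1" </dev/null 2>/dev/null |
    extract_leaf_pem
}

# Show the SHA-256 fingerprint. Compare it with a value obtained from the
# service owner through another channel before importing the certificate.
pem_fingerprint() {  # usage: pem_fingerprint FILE.pem
  openssl x509 -in "$1" -noout -fingerprint -sha256
}

# Import under an explicit alias, then list that entry to confirm it is present.
# keytool prompts for the keystore password and for confirmation.
import_into_truststore() {  # usage: import_into_truststore FILE.pem ALIAS KEYSTORE
  keytool -importcert -file "$1" -alias "$2" -keystore "$3" &&
    keytool -list -alias "$2" -keystore "$3"
}

# Constructed sample of s_client output (placeholder bodies, not real certificates).
demo_extract() {
  printf '%s\n' 'CONNECTED(00000003)' '---' 'Certificate chain' \
    ' 0 s:/CN=services.organization.com' \
    '-----BEGIN CERTIFICATE-----' 'CONSTRUCTEDLEAFBODY' '-----END CERTIFICATE-----' \
    ' 1 s:/CN=Constructed Issuing CA' \
    '-----BEGIN CERTIFICATE-----' 'CONSTRUCTEDISSUERBODY' '-----END CERTIFICATE-----' \
    '---' | extract_leaf_pem
}

# Typical sequence on each node (values from the post, used as placeholders):
#   fetch_leaf_pem services.organization.com 443 > /tmp/leaf.pem
#   pem_fingerprint /tmp/leaf.pem
#   import_into_truststore /tmp/leaf.pem certificateCompanyAPIExample \
#     /usr/java/jdk1.7.0_55/jre/lib/security/cacerts
```
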
Did you create a virtual host that uses your keystore? For more info on configuring SSL for the private cloud, see the docs here:
http://apigee.com/docs/api-services/content/config...
Stephen
When I call an https:// service from an Apigee ServiceCallout step, it works OK, but when I call the same https:// service from a .jar class inside a JavaCallout it throws this error:
javax.net.ssl.SSLHandshakeException: sun.security.validator.ValidatorException: PKIX path building failed: sun.security.provider.certpath.SunCertPathBuilderException: unable to find valid certification path to requested target
This question looks to be a duplicate of https://community.apigee.com/questions/5457/is-it-possible-to-access-ssl-key-store-and-trust-s.html. Regards!
Diego
The issue in this case isn't the same.
Francisco has an API called provisioning, which calls several different services to provision digital services. The Java logic is necessary to manage the particular provisioning process for every service. We are calling our internal services at https://servicios.telefonicachile.cl/ but in the call from Java we have the issue mentioned. If we call via ServiceCallout, we don't need to create the keystore; the services work fine. That's a summary of the issue.
Regards!
HTTP/1.1 500 Internal Server Error
; nested exception is:
javax.net.ssl.SSLHandshakeException: sun.security.validator.ValidatorException: PKIX path building failed: sun.security.provider.certpath.SunCertPathBuilderException: unable to find valid certification path to requested target
There are a few ways to work around this issue by leveraging the options suggested in the thread above: Node.js, Service Callouts, and even the JavaScript httpclient. When I try to hit your URL, it returns the following error:
Would it be possible to use any of these options?