5 Replies Latest reply on Jul 20, 2018 6:48 AM by bhim mantha

    How to call a REST service in ICRT that requires SSL certificates?

    Leeroy Jenkins Active Member

      Hey there!

       

      Consider this case:

       

      I want to call a REST service from an ICRT process running on my secure agent. That REST service requires basic authentication and an SSL certificate that was provided by the service provider (I've got a .pfx-file along with a password for this).

       

      I can call that service with SoapUI and configure my request using the 'KeyStore' option there, selecting the .pfx-certificate and providing the password.

       

      I can't see an equivalent option in ICS Application Integration when I create a service connector for that REST service. In the 'Binding' tab there are only fields for Basic Authentication shown. Where can I tell ICRT that it should use the certificate file/password when calling the service?

       

       

      Thanks for your help!

        • 1. Re: How to call a REST service in ICRT that requires SSL certificates?
          bhim mantha Guru

          Hello,

           

          Please look at the document here and let us know if that helps you.

           

          Configuration of Client Certificate Authentication

          • 2. Re: How to call a REST service in ICRT that requires SSL certificates?
            Leeroy Jenkins Active Member

            The document you linked was rather old; I didn't see the options in my secure agent administrator page. However, there are different entries there that might be the way to solve this:

            I tried to import my certificates and keys into the trust-store/key-store in process-engine/conf/ directory using java keytool, but ICRT still can't reach the service, closing with the usual error:

             

            javax.net.ssl.SSLHandshakeException: sun.security.validator.ValidatorException: PKIX path building failed: sun.security.provider.certpath.SunCertPathBuilderException: unable to find valid certification path to requested target at sun.security.ssl.Alerts.getSSLException

             

             

             

             

            However, I managed to split my pfx-certificate into separate files for key/public cert/certificate chain and with those, call the service using CURL:

             

            curl -E ./file.crt.pem --key ./file.key.pem https://myServiceURL -v --cacert ./cacerts.crt

             

            Where do I have to import those files for the secure agent to work?

            • 3. Re: How to call a REST service in ICRT that requires SSL certificates?
              bhim mantha Guru

              In order to import the .pfx file, this is what I do. I use Keystore Explorer.

               

              Open Keystore Explorer, open ae.keystore (password is password)

               

              Click on Tools->Import KeyPair

               

              Here the password is the keystore password, which is password

               

              Save changes to Keystore and restart the agent.

              • 4. Re: How to call a REST service in ICRT that requires SSL certificates?
                Leeroy Jenkins Active Member

                Thanks, I tried Keystore Explorer to import the certificate into ae.keystore. The tool is really helpful in doing that, however it doesn't do anything different than what I tried with java keytool command line, I still get the error message 'javax.net.ssl.SSLHandshakeException: sun.security.validator.ValidatorException: PKIX path building failed'.

                I have implemented a workaround now in my process that executes the working curl-command. Still, it would be nice to solve this using a Service Connector, so I opened a support case.

                 

                 

                I wanted to mention that the service I'm trying to reach uses 2-way SSL, so I need to provide a client certificate (file.crt.pem in curl-command), and I have stored that, along with the private key (file.key.pem) in ae.keystore under a new alias. I also tried to change the parameter 'key-alias' in the admin-page from 'localhost' to this new alias, but that also didn't work.

                 

                 

                Any further ideas?

                • 5. Re: How to call a REST service in ICRT that requires SSL certificates?
                  bhim mantha Guru

                  Hi,

                   

                  The instructions I gave are for 2 way SSL. That is how I have done it in the past where the service requires me to present a client certificate. I would just import the key pair into ae.keystore by pointing to the .pfx file.

                   

                  You shouldn't have to change any properties on the admin page for the secure agent in this case.

                   

                  Since you have already opened a case, I'll let Support respond.

                   

                  Do check your catalina log for any exceptions when SA is starting. An example of this would be not providing the password as "password" for ae.keystore when you import the keys.

                   

                  -Bhim
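
Added example (not part of the thread and not vendor tooling): the PFX split from reply 2 and the keystore import from replies 3 and 5 as openssl/keytool shell functions, plus a check that maps the quoted handshake error to the store involved. `PKIX path building failed` is raised when the client JVM cannot chain the server's certificate to a CA in its trust store, which is a separate store from the key pair in ae.keystore. Assumptions: the function names, the `PFX_PASS` and `KS_PASS` environment variables, and the trust store path and aliases passed as arguments; only ae.keystore and the three PEM file names come from the thread.

```bash
#!/usr/bin/env bash
# Added example. Passwords are read from $PFX_PASS and $KS_PASS (assumed names).

# Split the PKCS#12 bundle into the three PEM files the curl call uses.
# The private key is written unencrypted, so files are created owner-only.
split_pfx() (            # usage: split_pfx bundle.pfx
  umask 077
  openssl pkcs12 -in "$1" -passin env:PFX_PASS -nocerts -nodes -out file.key.pem &&
  openssl pkcs12 -in "$1" -passin env:PFX_PASS -clcerts -nokeys -out file.crt.pem &&
  openssl pkcs12 -in "$1" -passin env:PFX_PASS -cacerts -nokeys -out cacerts.crt
)

# Client identity: copy the key pair from the PFX into the Java keystore.
import_keypair() {       # usage: import_keypair bundle.pfx ae.keystore
  keytool -importkeystore -srckeystore "$1" -srcstoretype PKCS12 \
    -srcstorepass:env PFX_PASS -destkeystore "$2" -deststorepass:env KS_PASS
}

# Confirm the alias holds a private key and not only a certificate.
has_private_key() {      # usage: has_private_key ae.keystore alias
  keytool -list -v -keystore "$1" -alias "$2" -storepass:env KS_PASS |
    grep -q 'Entry type: PrivateKeyEntry'
}

# Server trust: add one CA certificate (PEM) to the trust store under its own alias.
import_ca() {            # usage: import_ca ca.pem truststore alias
  keytool -importcert -noprompt -trustcacerts -alias "$3" -file "$1" \
    -keystore "$2" -storepass:env KS_PASS
}

# Map a handshake error line to the store that needs attention.
diagnose() {
  case "$1" in
    *"PKIX path building failed"*|*"unable to find valid certification path"*)
      echo truststore ;;  # server chain not anchored in the client's trust store
    *"Received fatal alert: bad_certificate"*|*"Received fatal alert: certificate_unknown"*)
      echo keystore ;;    # alert from the server about the client certificate
    *) echo unknown ;;
  esac
}

# The error line quoted in the thread:
diagnose 'javax.net.ssl.SSLHandshakeException: sun.security.validator.ValidatorException: PKIX path building failed'
```

The trust store file that the secure agent's JVM actually reads is not named in the thread, so the second argument to `import_ca` has to be confirmed for the installation before use.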