Wednesday, January 18, 2017

IBM Worklight : SSLPeerUnverifiedException: peer not authenticated issue

It's been a long time since I last posted here; today's post finally breaks that silence and continues the
chapter of sharing knowledge between developers.

Problem Background:

A few weeks back I encountered the issue named in the subject of this post, "SSLPeerUnverifiedException: peer not authenticated", reported in the Worklight Server log when a Worklight HTTP adapter tried to call a REST-based HTTPS service. A Google search turned up a lot of forum threads discussing the same issue, with several possible reasons given for the exception.

Possible reasons are:
  • Your server doesn't have a valid SSL certificate
  • The certificate has expired (the command below lists the validity dates of every certificate in a keystore; for a standalone .cer file use keytool -printcert -file [certificate file])
    • keytool -list -v -keystore [keystore file]
  • Your server might be configured with a trust store other than the default (the cacerts file is the default used by the JVM)
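The three reasons above can be checked from the command line before touching any trust store. The script below is an added example, not code from the original post: it assumes openssl and keytool are on PATH, and the host name, port, keystore password and file names are placeholders supplied by whoever runs it. It also covers a detail the export step glosses over: a .cer file exported from the browser may be DER (binary) or Base-64 (PEM), and openssl has to be told which.

```shell
#!/bin/sh
# Added example, not code from the original post. Command-line checks for
# the three causes listed above. Assumes openssl and keytool are on PATH;
# host names, ports, passwords and file names are placeholders from the caller.

# Show subject, issuer and validity window of the certificate the service
# really presents to a client (SNI name included), i.e. what the adapter's
# JVM has to validate.
show_server_cert() {
    host=$1
    port=${2:-443}
    openssl s_client -connect "$host:$port" -servername "$host" </dev/null 2>/dev/null \
        | openssl x509 -noout -subject -issuer -dates
}

# Tell a DER (binary) .cer export apart from a Base-64 (PEM) one. The browser
# export wizard offers both; keytool accepts either, but openssl x509 must be
# given -inform DER for the binary form.
cert_inform() {
    if grep -q 'BEGIN CERTIFICATE' "$1"; then
        echo PEM
    else
        echo DER
    fi
}

# Succeed (exit 0) only if the certificate in the file has not yet reached
# its notAfter date: openssl's -checkend 0 fails for an expired certificate.
cert_is_unexpired() {
    openssl x509 -in "$1" -inform "$(cert_inform "$1")" -noout -checkend 0 >/dev/null
}

# Alias and validity dates of every entry in a keystore, i.e. the post's
# "keytool -list -v" command reduced to the lines that matter for reason 2.
keystore_validity() {
    keytool -list -v -keystore "$1" -storepass "$2" \
        | grep -E '^(Alias name|Valid from)'
}

# Allow "sh cert_checks.sh show_server_cert api.example.com 443" style use.
if [ "$#" -gt 0 ]; then
    "$@"
fi
```

Run show_server_cert against the service URL first: if the subject, issuer or dates differ from what you expected, reason 1 or 2 applies and no amount of trust store editing will help. cert_is_unexpired is the check to run on the exported .cer before importing it, since importing an already-expired certificate only moves the failure.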

Solution:

Some may find this solution straightforward (especially frequent visitors of the IBM Knowledge Center); I have tried to make it as simple as possible.

The very first step is to identify the correct certificate and have it ready for deployment into the server's trust store.

Open the base https:// URL of the exposed services in the Chrome browser; you'll see the green lock icon at the left of the URL bar. Just double-click it to proceed with exporting this certificate (Figure - 1).

Figure - 1

Now move to the Details tab and use the "Copy to File" button to export this certificate file (Figure - 2).

Figure - 2

Follow Figure - 3 to proceed to the final step and export the certificate somewhere on your machine; use the .cer file extension when saving this file.

Figure - 3

Add Certificate in IBM Trust Store

To add this certificate to the trust store you must first check which trust store is configured in IBM Worklight Server (keep the third possible reason in mind). Go to the folder "C:\IBM\WebSphere\Liberty\usr\servers\WorklightServer\", open "jvm.options" with Notepad or any other editor, and search for the entry "-Djavax.net.ssl.trustStore". If you find one, your server is configured with a custom trust store at the location defined there, for example:

-Djavax.net.ssl.trustStore=C:\IBM\WebSphere\Liberty\usr\servers\WorklightServer\resources\security\key.jks

Since key.jks is used as the trust store, we have to add the certificate exported above to that file. To do this we use the IBM Key Management tool (Figure - 4). Opening key.jks will prompt for a password; the default password is "worklight".
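The same two steps, finding the trust store the JVM really uses and adding the exported certificate as a signer, can be done with keytool instead of the IBM Key Management GUI. The script below is an added example, not code from the original post: it assumes keytool is on PATH, and the jvm.options path, store password, alias and .cer file are placeholders passed in by the caller. It deliberately tolerates the spaced "-Djavax.net.ssl.trustStore = ..." form shown above, skips commented-out lines, and falls back to the JVM's cacerts when no entry exists.

```shell
#!/bin/sh
# Added example, not code from the original post. Finds the trust store the
# Worklight Server JVM actually uses and adds an exported .cer file to it as
# a signer certificate with keytool, the command-line equivalent of the
# iKeyman "Signer Certificates > Add" step. Assumes keytool is on PATH;
# paths, password and alias are placeholders passed in by the caller.

# Print the trust store configured in jvm.options, or the JVM default
# (cacerts) when no -Djavax.net.ssl.trustStore entry is present. Ignores
# "#" comment lines, tolerates spaces around "=" (as in the post's example)
# and takes the last entry if the file contains several, as the JVM does.
configured_truststore() {
    jvm_options=$1
    java_home=${2:-${JAVA_HOME:-/opt/java}}
    path=$(sed -n '/^[[:space:]]*-Djavax\.net\.ssl\.trustStore[[:space:]]*=/{s/^[^=]*=[[:space:]]*//;s/[[:space:]]*$//;p;}' \
        "$jvm_options" | tail -n 1)
    if [ -n "$path" ]; then
        printf '%s\n' "$path"
    else
        # JDK 9+ layout; JDK 8 and older keep it at jre/lib/security/cacerts
        printf '%s\n' "$java_home/lib/security/cacerts"
    fi
}

# Exit 0 if the trust store already holds an entry under this alias.
has_signer() {
    keytool -list -keystore "$1" -storepass "$2" -alias "$3" >/dev/null 2>&1
}

# Import the exported .cer as a trusted signer. A backup of the .jks is kept
# first, because the post's copy-and-replace step overwrites the live file.
# -noprompt answers the "Trust this certificate?" question for you.
import_signer() {
    truststore=$1; storepass=$2; alias=$3; cerfile=$4
    cp "$truststore" "$truststore.bak"
    keytool -importcert -trustcacerts -noprompt \
        -alias "$alias" -file "$cerfile" \
        -keystore "$truststore" -storepass "$storepass"
}

# Usage: sh add_signer.sh <jvm.options> <storepass> <alias> <file.cer>
# Restart Worklight Server afterwards so the JVM re-reads the trust store.
if [ "$#" -eq 4 ]; then
    ts=$(configured_truststore "$1")
    if has_signer "$ts" "$2" "$3"; then
        echo "alias $3 already present in $ts"
    else
        import_signer "$ts" "$2" "$3" "$4"
    fi
fi
```

The has_signer check matters when the script is re-run: keytool refuses to import under an alias that already exists, and a stale entry under the old alias is the usual reason a "fixed" trust store still produces the exception after the service rotated its certificate.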

Figure - 4

Note: On Windows use the "Run as administrator" option to open this utility.

Figure - 5 illustrates adding this certificate under "Signer Certificates": use the Add button to browse to your certificate file, and your .cer file is then added to the keystore.

Figure - 5

Now copy this modified .jks file back to the same Worklight Server location you copied it from, replacing the original.

And finally, restart Worklight Server.

Additional info:

If you want to keep the system certs coming from the JDK separate from your own trusted signer certs, you can use Liberty's truststore properties, which you can specify in server.xml (you can refer to the "Full SSL Configuration Example" given here). As the Liberty documentation says: "If there is no default SSL configuration in Liberty, then the JSSE's default SSLContext is used. The JSSE's default SSLContext uses the cacerts file for the keystore and truststore