
I am trying to access a third-party SOAP service (securedSOAPService) from an IBM Worklight 6.1 application server through an HTTP Adapter.

Following is the configuration in adapter.xml of the HTTP Adapter:

<?xml version="1.0" encoding="UTF-8"?>
<wl:adapter xmlns:wl="http://www.worklight.com/integration" xmlns:http="http://www.worklight.com/integration/http" xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" name="demoAdapter">
   <displayName>demoAdapter</displayName>
   <description />
   <connectivity>
      <connectionPolicy xsi:type="http:HTTPConnectionPolicyType">
         <protocol>https</protocol>
         <domain>mydomain.com</domain>
         <port>8080</port>
      </connectionPolicy>
      <loadConstraints maxConcurrentConnectionsPerNode="2" />
   </connectivity>
   <procedure name="securedSOAPService" />
</wl:adapter>

Below are the observations:

  • The service returns "javax.net.ssl.SSLPeerUnverifiedException: peer not authenticated" when the service "securedSOAPService" is configured with TLS 1.2.

  • When we change the service to use TLS1.0, it works fine.

I want to enable the HTTP adapter to work when the service is configured with TLS 1.2.

Note: SSL is not configured on Worklight server.

  • It appears your application server (on which MFP is) is initiating the call with TLS 1.0? Is it that your server does not have TLS 1.2 enabled? Check your application server's SSL QoS settings. – Vivin K Jan 12 '18 at 17:46
  • We haven't enabled SSL configuration on this server. I want to enable TLS 1.2 without enabling SSL, is it possible to do so? – sohel shaikh Jan 13 '18 at 10:17
  • I take it that your client-to-server connection is not over SSL, but MFP server to backend is. TLS is a cryptographic protocol for secure communication. – Vivin K Jan 15 '18 at 08:13
  • I got your point Vivin. I will check the QoS policies of server. – sohel shaikh Jan 16 '18 at 05:41
  • I have updated the QoS policies and added TLS 1.2 in the registry using this [link](https://support.quovadisglobal.com/kb/a433/how-to-enable-tls-1_2-on-windows-server-2008-r2.aspx), but still I am not able to make a valid TLS 1.2 request to the service. – sohel shaikh Jan 16 '18 at 11:56
  • Have the backend's certificates been added to the application server's trust store? – Vivin K Jan 17 '18 at 13:57
  • Yes, I have added the certificate to the application server and I am able to access the WSDL of the service from Internet Explorer without any certificate issue. – sohel shaikh Jan 18 '18 at 07:04
  • @sohelshaikh is your issue resolved? – Mohammad Ashfaq Jan 22 '18 at 08:33
  • No :(, we are still looking for a resolution. – sohel shaikh Feb 02 '18 at 06:13

1 Answer

Finally we figured out a solution that works for a limited set of ciphers on the newer protocols (i.e. TLSv1.1, TLSv1.2):

  1. Updated Java to 1.7.0_80 (or higher).
  2. Enabled TLS 1.1 and TLS 1.2 support in the Java configuration.
  3. Changed the TLSv1.2 configuration in server.xml (link).
  4. Added TLSv1.2 configuration in jvm.options so the connection is made with the higher protocol.
  5. Added the third-party library 'BouncyCastle' to enable DH key pair generation.
  6. Altered the configuration in java.security to add an entry for BouncyCastle.
  7. Restarted the server.

Note: This will work for limited ciphers only. Best practice would be to use a newer version of Java.

Thanks a lot Mohammad Ashfaq for your help!
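The following is an added diagnostic, not code from the question, the answer or the Worklight product. It reproduces what the adapter's JVM does when it opens an HTTPS connection to the backend: first with the JVM's default client protocols (on Java 7 these do not include TLSv1.1 or TLSv1.2, which is why a backend restricted to TLS 1.2 fails the handshake), then with TLSv1.2 explicitly enabled on the socket. Running it with the same JVM and trust store as the Worklight server separates three different failures that otherwise all look like "peer not authenticated": no common protocol, an untrusted backend certificate, and Java 7's inability to handle Diffie-Hellman parameters larger than 1024 bits (the "Could not generate DH keypair" error, which is what step 5 of the answer works around). The host and port below are the placeholders from the question's adapter.xml; `mydomain.com:8080` is an assumption, pass your own on the command line.

```java
import java.io.IOException;
import java.security.cert.Certificate;
import java.security.cert.X509Certificate;
import java.util.Arrays;
import javax.net.ssl.SSLContext;
import javax.net.ssl.SSLException;
import javax.net.ssl.SSLSession;
import javax.net.ssl.SSLSocket;
import javax.net.ssl.SSLSocketFactory;

/**
 * Added diagnostic (not part of the original post).
 * Usage: java TlsProbe <host> <port>   e.g. java TlsProbe mydomain.com 8080
 * Run it with the same JVM (and -Djavax.net.ssl.trustStore=... if the server uses one)
 * as the Worklight server, so the result reflects what the HTTP adapter actually sees.
 */
public class TlsProbe {

    /** Client protocols this JVM enables by default; Java 7 reports only TLSv1 (and SSLv3 on older updates). */
    static String[] defaultProtocols() throws Exception {
        SSLContext ctx = SSLContext.getDefault();
        return ctx.getDefaultSSLParameters().getProtocols();
    }

    /**
     * Opens a TLS connection and attempts the handshake.
     * protocols == null keeps the JVM defaults; otherwise only the given versions are offered.
     */
    static void probe(String host, int port, String[] protocols) {
        SSLSocketFactory factory = (SSLSocketFactory) SSLSocketFactory.getDefault();
        try (SSLSocket socket = (SSLSocket) factory.createSocket(host, port)) {
            if (protocols != null) {
                socket.setEnabledProtocols(protocols);
            }
            System.out.println("offering: " + Arrays.toString(socket.getEnabledProtocols()));
            // The handshake is where the adapter's error surfaces.
            socket.startHandshake();
            SSLSession session = socket.getSession();
            System.out.println("negotiated " + session.getProtocol() + " / " + session.getCipherSuite());
            for (Certificate c : session.getPeerCertificates()) {
                // If the chain prints here, the trust store is fine and the problem was the protocol.
                System.out.println("  peer cert: " + ((X509Certificate) c).getSubjectX500Principal());
            }
        } catch (SSLException e) {
            // "peer not authenticated", "no cipher suites in common", "Received fatal alert: handshake_failure"
            // and "Could not generate DH keypair" (Java 7 DH prime size limit) all arrive here.
            System.out.println("handshake failed: " + e);
        } catch (IOException e) {
            System.out.println("connect failed: " + e);
        }
    }

    public static void main(String[] args) throws Exception {
        String host = args.length > 0 ? args[0] : "mydomain.com";   // placeholder from the question
        int port = args.length > 1 ? Integer.parseInt(args[1]) : 8080; // placeholder from the question
        System.out.println("JVM " + System.getProperty("java.version")
                + ", default client protocols: " + Arrays.toString(defaultProtocols()));
        System.out.println("--- with JVM defaults ---");
        probe(host, port, null);
        System.out.println("--- with TLSv1.2 forced ---");
        probe(host, port, new String[] {"TLSv1.2"});
    }
}
```

If the second probe succeeds where the first fails, the fix is purely a protocol-enablement one and no library change is needed: `-Djdk.tls.client.protocols=TLSv1.2` in jvm.options (available from Java 7u95; on 7u80 use `-Dhttps.protocols=TLSv1.2`, which only affects HttpsURLConnection, so an adapter built on another HTTP client may still need the protocol set on its own socket factory). If the forced TLSv1.2 probe fails with "Could not generate DH keypair", the backend is offering a DH group larger than Java 7 accepts, which is the case the answer's BouncyCastle step addresses; upgrading to Java 8 removes that limit and enables TLSv1.2 by default, in line with the answer's closing note.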