I created a message flow with a REST Request node to connect to an API. With API security enabled, I received the following error:

BIP3165S: An error occurred whilst performing an SSL socket operation. Operation: connect. Error Text: javax.net.ssl.SSLHandshakeException: com.ibm.jsse2.util.j: PKIX path building failed: com.ibm.security.cert.IBMCertPathBuilderException: unable to find valid certification path to requested target.

How do I solve this issue in my message flow? I disabled SSL but still received the same error.

  • Did you add the CA certificate of the API to a trust store? – Igor Murzich Nov 07 '22 at 09:37
  • Yep, I did. So I basically want to know how I consume an API that has basic authentication enabled, within a message bus using IBM App Connect – Miguel Jackson Nov 09 '22 at 10:16
  • We'd need a little more context for the error please. BIP3165 is a little generic in that it could be raised for both outbound and inbound socket connections. The core of it is that we're trying to connect to an endpoint that's providing a certificate that we can't authenticate with the certs in the trust store. It's possible that the endpoint is certified by an intermediate CA but hasn't presented said intermediate cert to us and hence we can't build the path. If it's a request, then try running `openssl s_client -connect host:port` and see if OpenSSL is willing to connect. – andreasmartens Feb 06 '23 at 11:25

1 Answer

What are the SSL client and server endpoints? Assuming this connection is:

WAS (server) <------SSL------> API (Client)

In one-way SSL, the solution is to add the root or intermediate certificate (from the WAS server's chain) to the client's trust store.

"PKIX path building failed" usually indicates that the SSL client was unable to authenticate the SSL server (remote host). To authenticate the server, the client needs to have the server's root or intermediate certificate in its trust store.

If this is happening with traditional WebSphere as the client, we can try to add the signer certificate with "Retrieve from port".

If mutual authentication is enabled, the issue can be with the server being unable to authenticate the client.

Either way, an SSL exception should not occur with SSL disabled. Maybe the server wasn't re-started after disabling SSL? Maybe SSL wasn't disabled correctly (on both endpoints)? Maybe the API was still trying to use HTTPS with SSL disabled?
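The missing-intermediate case raised in the comments and the trust-store fix from this answer can be reproduced offline with OpenSSL. This is an added example, not part of the original posts; the CA names, the host name `api.example.test` and all file names are constructed for the demonstration.

```shell
#!/usr/bin/env bash
# Added example, constructed data: throwaway root -> intermediate -> leaf chain.
issue() {  # args: dir, name, CN, issuer name, extension section
  openssl req -new -newkey rsa:2048 -nodes -config "$1/demo.cnf" \
    -subj "/CN=$3" -keyout "$1/$2.key" -out "$1/$2.csr" 2>/dev/null
  openssl x509 -req -in "$1/$2.csr" -CA "$1/$4.pem" -CAkey "$1/$4.key" \
    -CAcreateserial -days 2 -extfile "$1/demo.cnf" -extensions "$5" \
    -out "$1/$2.pem" 2>/dev/null
}

make_demo_pki() {  # arg: empty working directory
  cat > "$1/demo.cnf" <<'EOF'
[req]
distinguished_name = dn
prompt = no
[dn]
CN = placeholder
[ca_ext]
basicConstraints = critical,CA:TRUE
keyUsage = critical,keyCertSign,cRLSign
[leaf_ext]
basicConstraints = CA:FALSE
EOF
  openssl req -x509 -newkey rsa:2048 -nodes -days 2 -config "$1/demo.cnf" \
    -extensions ca_ext -subj "/CN=Demo Root CA" \
    -keyout "$1/root.key" -out "$1/root.pem" 2>/dev/null
  issue "$1" int  "Demo Intermediate CA" root ca_ext    # signed by the root
  issue "$1" leaf "api.example.test"     int  leaf_ext  # signed by the intermediate
}

# chain_ok TRUST_PEM LEAF_PEM [CERTS_SENT_BY_SERVER_PEM]
# Returns 0 only if a path from the leaf to a trusted certificate can be built.
chain_ok() {
  if [ -n "${3:-}" ]; then
    openssl verify -CAfile "$1" -untrusted "$3" "$2" >/dev/null 2>&1
  else
    openssl verify -CAfile "$1" "$2" >/dev/null 2>&1
  fi
}

demo=$(mktemp -d)
make_demo_pki "$demo"
cat "$demo/root.pem" "$demo/int.pem" > "$demo/root_and_int.pem"
chain_ok "$demo/root.pem" "$demo/leaf.pem" ||
  echo "root trusted, server sends leaf only: no path (the PKIX failure)"
chain_ok "$demo/root.pem" "$demo/leaf.pem" "$demo/int.pem" &&
  echo "server also sends the intermediate: path builds"
chain_ok "$demo/root_and_int.pem" "$demo/leaf.pem" &&
  echo "intermediate imported into the trust store: path builds"
```

The second case corresponds to fixing the chain the server presents, the third to importing the missing intermediate on the client side.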