Forum Discussion

Tim_Arp_112576
Jul 29, 2004

IBM WebSphere 5.1 SOAP and Certs

I'm fairly new to Java, but that is the language of choice at my company. I have programmed in about every language except Java. So I'm picking it up as I go, not too bad so far. Anyway, I'm writing a Servlet based on the simple example of listing the Virtual Servers on a bigip. I'm using SOAP to connect. I'm getting an error on connecting that the cert is unknown. I have tried using the InstallCert class that Joe wrote. That doesn't seem to work, that is, I run it and get no other output (no news is good news, right?). Is there another way to either get the self-signed cert on the system or configure the code to ignore it like I would in the browser?

Error opening socket: javax.net.ssl.SSLHandshakeException: unknown certificate

2 Replies

  • It's working now. I didn't end up changing the keystore because that reference was correct. I deleted the keystore I was trying. Next, I used a tool from IBM called ikeyman. This created the keystore with some default VeriSign certs in it. Then I ran installCert. So far so good. Keyman -list showed the certs including the one I just added. (The weird thing was when I ran keyman -list initially I did not get prompted for a password.) Ran my code and all is well.

    Thanks Joe! ....You probably haven't heard the last from me though. :wink:
  • installCert.java will just suck the certificate out of an SSL site and place it in the user.home/.keystore file. This will place the file in the home directory of the account you are logged into.

    A way to verify that the keystore is created is to run the keytool -list command to list out the contents of the keystore. You should see the certificate from the target system in there.

    You can also test that the certificate is installed properly by running any of the SOAP Java sample applications in the SDK.

    Most likely your problem is that the WebSphere runtime is not running under the same user context that you installed the certificate into.

    The easiest solution I can see would be to move the .keystore file to a common location that is accessible to the WebSphere runtime and then configure your code in there to point to the new location.

    So, let's say you create a directory /trustedstuff and put the file in there. Then in your code you need to specify the location of this keystore:

    // Tell the SSL runtime where the relocated keystore lives
    System.setProperty("javax.net.ssl.trustStore", "/trustedstuff/.keystore");

    ...
    call.invoke(...);
    ...

    Then the SSL runtime will know the correct location to look.

    Another debugging trick is to add the -Djavax.net.debug=ssl runtime argument to enable SSL-level tracing. Not sure how this works from a non-console-based app but it's worth a try if things still aren't working out.

    Let me know if this works for you or not.

    -Joe
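
An added example, not part of the original thread and not Joe's InstallCert code: a small diagnostic that does from Java what keytool -list does, and also prints the account and home directory it runs under, so the user-context mismatch described in the reply becomes visible. The class name TrustStoreCheck and the argument order (path, then optional password) are assumptions made for this example.

```java
import java.io.File;
import java.io.FileInputStream;
import java.io.InputStream;
import java.security.KeyStore;
import java.security.MessageDigest;
import java.security.cert.Certificate;
import java.util.Collections;

// Added example (hypothetical class name): shows which trust store file this
// account would use and lists its trusted certificates with fingerprints.
public class TrustStoreCheck {
    public static void main(String[] args) throws Exception {
        // Path: first argument, else the javax.net.ssl.trustStore property,
        // else user.home/.keystore (where the thread says installCert writes).
        String path = args.length > 0 ? args[0]
                : System.getProperty("javax.net.ssl.trustStore",
                        System.getProperty("user.home") + File.separator + ".keystore");
        File file = new File(path);
        System.out.println("running as : " + System.getProperty("user.name"));
        System.out.println("user.home  : " + System.getProperty("user.home"));
        System.out.println("trust store: " + file.getAbsolutePath());
        if (!file.canRead()) {
            System.out.println("Not readable by this account: wrong path or wrong user context.");
            System.exit(1);
        }
        // Optional second argument: keystore password. With null, a JKS store
        // is still listed, but its integrity check is skipped.
        char[] password = args.length > 1 ? args[1].toCharArray() : null;
        KeyStore store = KeyStore.getInstance(KeyStore.getDefaultType());
        try (InputStream in = new FileInputStream(file)) {
            store.load(in, password);
        }
        MessageDigest sha256 = MessageDigest.getInstance("SHA-256");
        for (String alias : Collections.list(store.aliases())) {
            if (!store.isCertificateEntry(alias)) continue; // skip private-key entries
            Certificate cert = store.getCertificate(alias);
            StringBuilder hex = new StringBuilder();
            for (byte b : sha256.digest(cert.getEncoded())) {
                hex.append(String.format("%02X", b));
            }
            System.out.println(alias + "  SHA-256=" + hex);
        }
    }
}
```

Run it as the same OS account as the WebSphere runtime, and compare the printed fingerprint with one obtained from the device out of band before relying on the entry.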