Pega 8.6.1 LinuxLite - SSL / TLS 1.2 for Service REST - SSLHandshakeException

With the Pega 8.6.1 LinuxLite VM from the CLSA Course, I noticed that port 8443 is enabled for SSL. I was able to log into the User Portal using that port, despite getting a cert warning from Chrome.

However, I ran into a problem when I tried to test out OAuth2 for Service REST. While I was able to call the Service REST from outside the VM using Postman with the https URL on port 8443, I was not able to call the same Service REST from another application in the same VM.

I got the following error message:

Caught unhandled exception: java.lang.RuntimeException: javax.net.ssl.SSLHandshakeException: PKIX path building failed: sun.security.provider.certpath.SunCertPathBuilderException: unable to find valid certification path to requested target

I saw these two articles:

I followed the steps to add

    JAVA_OPTS="$JAVA_OPTS -Dcom.sun.security.enableAIAcaIssuers=true"

But it didn’t fix the issue.

Has anybody encountered this problem with LinuxLite VM? Is Port 8443 supposed to be usable?

Thx in advance.

Terence

@TerenceY0215

Hello,

Is it feasible for you to download the latest version of the LSA VM? We have fixed the problem.
If not then let’s try these steps:

The problem is the certificate is not in the Java truststore so you need to add it

https://stackoverflow.com/questions/9619030/resolving-javax-net-ssl-sslhandshakeexception-sun-security-validator-validatore

Is there a certificate in /opt/tomcat/webapps/ROOT/sslcerts/? RootCA.crt?

Open up a console:

    sudo keytool -import -alias example -cacerts -file RootCA.crt

sudo password = password

The default password is: changeit

Now you shouldn’t have a SSL handshake issue.

Note: You should be able to add the certificate into your VM browsers (Firefox and Chrome) to get full https.

Please PM me if needed so we can progress on that and provide a solution to everyone

@Damien

I have downloaded the LinuxLite image again.

https://academy.pega.com/topic/pclsa-mission-challenges/v2/in/29551/29561

I ran a comparison with the one that I used, which I downloaded last year in October, the two files are exactly the same.

Also, I wasn’t able to see any certificate in /opt/tomcat/webapps/ROOT/sslcerts/, and was not able to find RootCA.crt.

Attached is the screenshot of the server.xml. Not sure if that helps.

@Damien hi, please can you share the link to the latest VM version which has this issue resolved. I too am facing this issue with the VM downloaded from the link “Creating the booking and FSG applications | Pega Academy” and am unable to resolve it.

@JAYASHREENS @TerenceY0215

Here are some files for you. This will allow you to have a secured connection on https://localhost:8443 only.

Steps:

Copy these files into the VM for instance in /opt/tomcat/webapps/ROOT/

  • /opt/tomcat/webapps/ROOT/keystore.p12
  • /opt/tomcat/webapps/ROOT/RootCA.crt

Open /opt/tomcat/conf/server.xml and replace the connectors with something like this (Change the property “keystoreFile” to point to your file):

    <Connector port="8443" protocol="org.apache.coyote.http11.Http11NioProtocol"
               maxThreads="25" SSLEnabled="true" acceptCount="100" clientAuth="false"
               disableUploadTimeout="true" enableLookups="false"
               scheme="https" secure="true" sslProtocol="TLS"
               keystoreFile="/opt/tomcat/webapps/ROOT/keystore.p12" keystorePass="password" keystoreType="PKCS12" />

sudo password = password

Ensure Tomcat can access the .p12 file:

    sudo chown -R tomcat:tomcat /opt/tomcat/webapps/ROOT/

Restart Tomcat:

    sudo service tomcat restart

Open Firefox settings/certificates, remove the existing certificate if any and add the RootCA.crt (FF will say the connection is now secured).

Open up a console:

    sudo keytool -import -alias example -cacerts -file /opt/tomcat/webapps/ROOT/RootCA.crt

sudo password = password

The default password is: changeit

Now you can do REST over SSL.

SSL - Localhost only.zip (3.73 KB)
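As an added illustration (not code from this thread or from Pega), the following Java check reproduces the PKIX failure from the question against the JVM's default cacerts and then retries the same connection trusting RootCA.crt through an application-level truststore, which is the alternative to importing into cacerts. It assumes the paths and the https://localhost:8443 URL from the steps above; the class name and argument handling are my own.

```java
// Added example, not from the thread: assumes RootCA.crt and the 8443 connector set up above.
import java.io.FileInputStream;
import java.io.InputStream;
import java.net.URL;
import java.security.KeyStore;
import java.security.cert.CertificateFactory;
import java.security.cert.X509Certificate;
import javax.net.ssl.HttpsURLConnection;
import javax.net.ssl.SSLContext;
import javax.net.ssl.SSLException;
import javax.net.ssl.TrustManagerFactory;

public class TlsTrustCheck {
    // Builds an SSLContext whose only trust anchor is the CA in caPath: the
    // per-application alternative to importing the CA into the JVM cacerts.
    static SSLContext contextTrusting(String caPath) throws Exception {
        X509Certificate ca;
        try (InputStream in = new FileInputStream(caPath)) {
            ca = (X509Certificate) CertificateFactory.getInstance("X.509").generateCertificate(in);
        }
        KeyStore ts = KeyStore.getInstance(KeyStore.getDefaultType());
        ts.load(null, null); // empty in-memory truststore
        ts.setCertificateEntry("example", ca);
        TrustManagerFactory tmf = TrustManagerFactory.getInstance(TrustManagerFactory.getDefaultAlgorithm());
        tmf.init(ts);
        SSLContext ctx = SSLContext.getInstance("TLSv1.2");
        ctx.init(null, tmf.getTrustManagers(), null);
        return ctx;
    }

    // Performs the TLS handshake for url; ctx == null means the JVM default cacerts.
    static boolean handshakeOk(String url, SSLContext ctx) throws Exception {
        HttpsURLConnection conn = (HttpsURLConnection) new URL(url).openConnection();
        if (ctx != null) conn.setSSLSocketFactory(ctx.getSocketFactory());
        try {
            conn.connect(); // handshake happens here; a PKIX failure surfaces as SSLException
            System.out.println("OK   " + url + " (" + conn.getCipherSuite() + ")");
            return true;
        } catch (SSLException e) {
            System.out.println("FAIL " + url + ": " + e.getMessage());
            return false;
        } finally {
            conn.disconnect();
        }
    }

    public static void main(String[] args) throws Exception {
        String url = args.length > 0 ? args[0] : "https://localhost:8443/";
        String ca = args.length > 1 ? args[1] : "/opt/tomcat/webapps/ROOT/RootCA.crt";
        handshakeOk(url, null);                // fails until RootCA.crt is in cacerts
        handshakeOk(url, contextTrusting(ca)); // succeeds with explicit trust, cacerts untouched
    }
}
```

Run it once before and once after the keytool import: the first line switches from FAIL to OK only when cacerts trusts the CA, while the second line is OK as long as the file path is right, which also distinguishes a missing RootCA.crt from a trust problem.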

@Damien

Hi Damien,

I followed the instructions given above but am still running into the same issue.

  1. After adding RootCA.crt in Firefox, it didn’t show connection is secure.

  2. Console shows below error after keystore password is entered:
    Enter keystore password:
    keytool error: java.io.FileNotFoundException: RootCA.crt (No such file or directory)

Please let me know if I am missing something.

Thank you.

Regards,

Jayashree

SSL Issue.docx (289 KB)

@Damien

Thanks Damien!

Issue is resolved now.

Thanks,

Jayashree

@JAYASHREENS

My bad, I updated my initial reply with the full path:

    sudo keytool -import -alias example -cacerts -file /opt/tomcat/webapps/ROOT/RootCA.crt

@JAYASHREENS

Regarding your first issue, you have to restart Tomcat:

    sudo service tomcat restart