Skip to main content

Hi,

 

I have event actions with type - Rest Call. That generate a outboud message from IFS. This message fails  by the below error

ExecutionException from Sender thread 
Caused by: ifs.fnd.connect.senders.ConnectSender$TemporaryFailureException: Exception while sending data 
Caused by: javax.net.ssl.SSLHandshakeException: PKIX path building failed: sun.security.provider.certpath.SunCertPathBuilderException: unable to find valid certification path to requested target 
Caused by: sun.security.validator.ValidatorException: PKIX path building failed: sun.security.provider.certpath.SunCertPathBuilderException: unable to find valid certification path to requested target 
Caused by: sun.security.provider.certpath.SunCertPathBuilderException: unable to find valid certification path to requested target

 

As per IFS, we should be able to import certificated by our own in IFS cloud.

This event action doesn’t use Routing addresses. But I tried to import the certificates using a dummy routing address. After importing there is no clue in the routing address whether we imported a certificate or not.

However that doesn’t solve the error.

Then I tried the below location

 

I was able to import the intermediate certificate but not the root certificate. For the root certificate it gives validation errors.

 

 

These certificated are correct and use in APP10.

Does any one know the correct place to import the certificates in IFS cloud which are needed for integrations ? 

 

 

 

 

 

 

 

I’m not an expert in this field, but i know the ifs connect certificates are imported here https://docs.ifs.com/techdocs/24r1/030_administration/030_integration/300_ifs_connect/030_routing_rules_addresses/#uploading_ssl_certificate
and should not be related to the “register root and intermediate certificates”

Hi @hhanse ,

 

As I mentioned in my question I tried the routing address option you as in your documentation reference.

My event action type is Rest call. Then the URL is specified in the Event action. I do not need a routing address. However I created a dummy routing address just for importing certificates by thinking the certificates installed to same place.

This doesn’t help. Still the error comes. I tried again today since there is no indication in routing address about certificated import status. Still I get the error.

Hi @Dumeesha Wanigarathna 

 

As @hhanse mentioned, by uploading the server certificate with chain to the routing address would resolve the path building exception.

Root/Intermediate certificate import IS used for the document signing and not for the use of IFS Connect.

 

Here are the steps you can follow to retrieve the server certificate chain and add to the routing address.

Tools need:

  • Server which is whitelisted by the 3rd party REST API. If it’s a public web service, it’s possible to perform this in your local PC

Step 1:

retrieve certificates from the server

openssl s_client -showcerts -connect SERVER:PORT

Eg: certificate retrieve from Twilio API endpoint

 

  1. Copy all the certificates to a single file

Each certificate is bounded by 

-----BEGIN CERTIFICATE----- and -----END CERTIFICATE-----

Make sure to copy only the certificates, not the certificate details

Check the attachment for a sample

  1. Import the saved fie to routing address

 

Hope it helps!

Damith

Hi @Dumeesha Wanigarathna 

I think I misread your question. My above reply is regarding how to add server certificate when the API is called via IFS Connect.

When using REST type event actions, it does not use IFS Connect and there’s no way of adding the server certificate from IFS as I’m aware.

You may need to contact IFS Cloud services team to add the certificate to the mws keystore in this situation.

This is a very interesting scenario and please share how you have solved it :)

 

Cheers!

Damith

FYI: 

IFS Documentation briefly mentioned how it can be done in remote deployment

Secured Communication - Technical Documentation For IFS Cloud

 

Hi @dsj ,

There is a ticket to IFS to get proper guidance for this. I will update this when I get a proper answer from them

Using trusted certificates makes life much easier! 🤓

At the moment Server certificate is unable to import at runtime via IFS Cloud Web for REST Event Call. Certificate import via installer is the only option to be used with REST Event Calls if your certificate is a self-signed certificate or a certificate that is not signed by a CA authority.

Hi All,

 

We were able to solve this issue via a work around and a fix provided by IFS. This is the update of how we solved this.

 

Summery of the problem we had -

We have Events with type - ‘Rest Call’ that generate out bound messages which send to the integration platform. When we send the messages we got the below error

javax.net.ssl.SSLHandshakeException: PKIX path building failed:

Rest Call type events do not go via routing rule/address set up and therefore we cannot utilize the functionality provided there to import certificate.

 

The solution -

IFS guided us to use the Keystore functionality as a work around. 

1.0 Go to Solution Manager/Users and Permissions/ Keystores

2.0 Import the PFX certificate with a keystore key. The certificate should be with all the chain of certificate root and intermediate in one file and the format should be .pfx. Furthermore there should be a keystore key for the file. Otherwise it will not taken in to IFS as a type - ‘Keystore’.

3.0 Add a HTTP header parameter as below

ssl:KeyStoreId:KeyStoreIDHere

SSL parameter and value need to be separated by ‘:’.in Rest Call type Event actions.

IFS has done a bug fix in this case ‘:’ is there in the parameter as well. 

 

There were good article address similar scenarios and thank you all for sharing them to solve this issue. 

https://docs.ifs.com/techdocs/24r1/030_administration/030_integration/300_ifs_connect/030_routing_rules_addresses/#address_data

Check the section for ‘Mutual Authentication’

 

 

Reply


Terms & ConditionsCookie settings