Question

IFS Apps 10 on prem - Certificate verification failed

  • November 12, 2022
  • 5 replies
  • 1407 views

  • Sidekick (Customer)
  • 8 replies

Hello IFS Community,

After an IFS delivery our HTTP server node can't be started due to:

D:\ifs\INSTANCENAME\wls_domain\INSTANCENAME\servers\HttpServer1\logs\HttpServer1.log

[2022-11-12T20:44:29.6552+01:00] [OHS] [ERROR:32] [OH99999] [ossl] [host_id: mws-server-name] [host_addr: ip-address] [pid: 12140] [tid: 1096] [user: IFS-Service] [VirtualHost: mws-server-name:48081] OHS:2057 Init: (mws-server-name:48081) Unable to initialize SSL environment, nzos call nzosSetCredential returned 28791
[2022-11-12T20:44:29.6552+01:00] [OHS] [ERROR:32] [OH99999] [ossl] [host_id: mws-server-name] [host_addr: 10.110.0.72] [pid: 12140] [tid: 1096] [user: IFS-Service] [VirtualHost: mws-server-name:48081] OHS:2171 NZ Library Error: Unknown error

We tried to perform a MWS reconfigure in order to re-import the valid SSL certificate, but we’re getting:

 

There are a few similar issues in the knowledge db, but none applies 100 % to our situation:

 

Question: What is the trust anchor in this context?

Is it the Java cacerts storage?

If yes, which one:

D:\ifs\INSTANCENAME\java\jre\lib\security
D:\ifs\INSTANCENAME\instance\INSTANCENAME\security
D:\ifs\INSTANCENAME\instance\INSTANCENAME\security\ohs

etc.

….

We’ve imported the certificate chain, e.g. into D:\ifs\extINSTANCENAME\java\jre\lib\security\cacerts, but it didn’t change the situation.

5 replies

  • Superhero (Employee)
  • 427 replies
  • November 13, 2022

Hi @cgo ,

if the installer is still complaining about the trust anchor even when you use the PKCS12 certificate with the full path chain, it’s quite likely that the VM you are running on is not able to validate the Root CA or the intermediate CA in the path chain for some reason (maybe one of those has expired?). You will be able to rule out obvious issues related to the CA certs by going into the Certificates MMC snap-in and having a look at the certificate status for those.

Cheers


  • Author
  • Sidekick (Customer)
  • 8 replies
  • November 14, 2022

Hi Sajith,

In MMC → local machine:

  • Root is in “Trusted Root Certification Authorities”.
  • ICA in “Intermediate Certification Authorities” (info: the most current ICA was missing there for some reason). Last week the HTTP node was running though.
  • Server/Wildcard in “Personal”

Certificates have been re-imported to local machine as local admin & mws rebooted, but so far we’re having the same result.

But from the IFS perspective the Trust Anchor = Windows certificate storage?

That’s already an important piece of info, thank you.


Charith Epitawatta
Ultimate Hero (Employee)

Hi @cgo,

Please refer to the following KBA and create a certificate containing the full chain of trust and see if the issue persists:

https://community.ifs.com/ifs-framework-experience-employees-partners-only-109/how-to-create-a-certificate-with-full-trust-chain-to-configure-tls-for-ifs-applications-18642

Hope this helps!


  • Author
  • Sidekick (Customer)
  • 8 replies
  • November 22, 2022

Hi Charith,

I can’t check the KBA, but the issue has been resolved. The trust anchor is not the Windows certmgr, but the cacerts, which gets updated when the certificate is imported through an MWS reconfigure.

The resolution was to have the certificate chain manually created in this form:

 

-----BEGIN CERTIFICATE-----
SERVER Certificate
-----END CERTIFICATE-----
-----BEGIN CERTIFICATE-----
INTERMEDIATE Certificate
-----END CERTIFICATE-----
-----BEGIN CERTIFICATE-----
ROOT Certificate
-----END CERTIFICATE-----

 

After that the private key was added and then converted from CER to PFX.

 


Charith Epitawatta
Ultimate Hero (Employee)

Hi @cgo,

Glad to know the issue is resolved! The KBA provides the same steps to create a single PFX file by combining all the certificates and the private key using OpenSSL. I will ask the moderators to make the KBA publicly accessible.

