Troubleshooting: SSLHandshakeException error when launching Commerce Enabled Portal portlets

Problem

When you launch a Commerce Enabled Portal portlet within a portal, you receive one of the following exceptions:

javax.net.ssl.SSLHandshakeException: unknown certificate
at com.ibm.jsse.be.a(Unknown Source)
at com.ibm.jsse.be.startHandshake(Unknown Source)
at com.ibm.net.ssl.www.protocol.https.b.n(Unknown Source)
at com.ibm.net.ssl.www.protocol.https.p.connect(Unknown Source)
at com.ibm.net.ssl.www.protocol.http.bw.getInputStream(Unknown Source)
at com.ibm.net.ssl.internal.www.protocol.https.HttpsURLConnection.getInputStream(Unknown Source)
at com.ibm.commerce.portal.httpclient.HttpClient.getThisURLContentsReal(Unknown Source)
at com.ibm.commerce.portal.httpclient.HttpClient.getThisURLContents(Unknown Source)
javax.net.ssl.SSLHandshakeException: Certificate not Trusted
at com.ibm.jsse.be.a(Unknown Source)
at com.ibm.jsse.be.startHandshake(Unknown Source)
at com.ibm.net.ssl.www.protocol.https.b.n(Unknown Source)
at com.ibm.net.ssl.www.protocol.https.p.connect(Unknown Source)
at com.ibm.net.ssl.www.protocol.http.bw.getInputStream(Unknown Source)
at com.ibm.net.ssl.internal.www.protocol.https.HttpsURLConnection.getInputStream(Unknown Source)
at com.ibm.commerce.portal.httpclient.HttpClient.getThisURLContentsReal(Unknown Source)
at com.ibm.commerce.portal.httpclient.HttpClient.getThisURLContents(Unknown Source)

Both messages describe the same failure: the Portal JVM's HTTPS client (com.ibm.commerce.portal.httpclient.HttpClient) connects to the WebSphere Commerce server and cannot establish trust in the certificate the server presents, because that certificate is either missing from the truststores used by the WebSphere Portal application server and its JDK, or the copy that is there is invalid (for example, it no longer matches the certificate the Commerce IBM HTTP Server actually presents). Normally the certificate is imported during the Commerce Enabled Portal installation procedure. If you reinstall Commerce Enabled Portal, however, this import is not repeated unless you also removed the certificate when you uninstalled Commerce Enabled Portal, so a missing or outdated entry is left as it is.

Solution

To resolve this problem, import the SSL certificate manually. The certificate is extracted from the IBM HTTP Server key database on the WebSphere Commerce node and then added as a signer (trusted) certificate to two truststores on the WebSphere Portal node: the JDK's cacerts file and the DummyServerTrustFile.jks file.

  1. First, extract the SSL certificate from the IBM HTTP server on the WebSphere Commerce node:
    1. On the WebSphere Commerce node, select Start > Programs > IBM HTTP Server > Start Key Management Utility. The IBM Key Management window displays.
    2. From the Key Database File menu, select Open. Browse to the keyfile.kdb file. By default this file is located in the IBM HTTP Server_installdir/ssl.
    3. Select the keyfile.kdb file. Click Open. The Password Prompt dialog displays. Type the password and click Open.
    4. In the Key database content section, select Personal Certificates from the list.
    5. Select the SSL certificate. Click Extract Certificate. The Extract Certificate to a file dialog displays. (Extract Certificate writes only the public certificate; the private key stays in keyfile.kdb and must not be copied to the Portal node.)
    6. From the Data type list, select Base 64-encoded ASCII data.
    7. Save the certificate to a temporary location. For example, c:\temp\cert.arm.
    8. Click OK.
  2. Copy the extracted certificate file (for example, cert.arm) from the temporary location on the WebSphere Commerce node to a temporary location on the WebSphere Portal node. Because this file determines what the Portal server will trust, transfer it over a channel you trust, and do not take it from an untrusted intermediate location.
  3. Import the SSL certificate into the WebSphere Portal JDK:
    1. On the WebSphere Portal node, do the following:
      • At a command prompt, change to the WAS_HOME/bin directory and run ikeyman. The IBM Key Management window displays.
      • From the Key Database File menu, select Open. Browse to the cacerts file: WAS_HOME/java/jre/lib/security/cacerts.
      • Select cacerts and leave the Key database type set to JKS. The Password Prompt dialog displays. Type the KeyStorePassword and click OK.
        (Note: The KeyStorePassword is found in the WC_installDir/Portals/config/wpsconfig.properties file.)
      • In the Key database content section, select Signer Certificates from the list.
      • If wcepcertificate displays in the list, delete it.
      • Click Add. The Add CA's Certificate from File dialog displays. Click Browse and browse to the location of the cert.arm file you extracted above. For example, c:\temp\cert.arm. Click Open. Then click OK. The Enter a Label dialog displays.
      • Type wcepcertificate in the label field. Click OK.
  4. Import the SSL certificate into the DummyServerTrustFile.jks file by doing the following:
    1. From the Key Database File menu, select Open. Browse to the DummyServerTrustFile.jks file. By default this file is located in WAS_HOME/etc.
    2. Select the DummyServerTrustFile.jks file and click Open. The Password Prompt dialog displays. Type the TrustStorePassword and click OK.
      (Note: The TrustStorePassword is found in the WC_installDir/Portals/config/wpsconfig.properties file.)
    3. In the Key database content section, select Signer Certificates from the list.
    4. If wcepcertificate displays in the list, delete it.
    5. Click Add. The Add CA's Certificate from File dialog displays. Click Browse and browse to the location of the cert.arm file you extracted above. For example, c:\temp\cert.arm. Click Open. Then click OK. The Enter a Label dialog displays.
    6. Type wcepcertificate in the label field. Click OK.
  5. Save your changes. (Note: cacerts is part of the JDK and is replaced when the JDK is upgraded or reinstalled, so repeat the import into cacerts after any JDK upgrade.)
  6. Close the IBM Key Management program.
  7. Restart the WebSphere Portal server.
  8. Restart the IBM HTTP Server and the WebSphere Commerce server on the WebSphere Commerce node.
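
The following script is an added example and is not part of this technote or of the Commerce Enabled Portal product. It performs the same three actions as steps 3 and 4 above (delete any existing wcepcertificate label, add cert.arm as a signer certificate, list the result) with the JDK's keytool instead of the ikeyman GUI, and it adds the check the GUI does not make: the extracted cert.arm is compared by fingerprint against the certificate the Commerce IBM HTTP Server actually presents, and nothing is imported if they differ. It assumes that keytool from the Portal JDK is available (the path is passed in), that the keystore paths and passwords are the ones named in the steps above (the values in the __main__ block are placeholders), and that the Commerce server is reachable over HTTPS from where the script runs. Only the Python standard library is used.

```python
"""Verify cert.arm against the live Commerce server, then import it as a signer.

Added example, not IBM code. Assumptions: keytool from the Portal JDK is on PATH
or passed explicitly; keystore paths and passwords come from wpsconfig.properties;
the Commerce IBM HTTP Server is reachable over HTTPS. Standard library only.
"""
import hashlib
import ssl
import subprocess
from typing import List, Sequence, Tuple

ALIAS = "wcepcertificate"   # label the procedure above uses for the signer certificate


def pem_to_der(pem_text: str) -> bytes:
    """Base 64-encoded ASCII (.arm) certificate text -> DER bytes."""
    return ssl.PEM_cert_to_DER_cert(pem_text)


def der_to_pem(der: bytes) -> str:
    """DER bytes -> PEM text (the .arm format ikeyman writes)."""
    return ssl.DER_cert_to_PEM_cert(der)


def fingerprint(der: bytes, algorithm: str = "sha256") -> str:
    """Colon-separated uppercase hex digest, formatted the way keytool -printcert prints it."""
    hexdigest = hashlib.new(algorithm, der).hexdigest().upper()
    return ":".join(hexdigest[i:i + 2] for i in range(0, len(hexdigest), 2))


def same_certificate(pem_a: str, pem_b: str) -> bool:
    """Compare two certificates by DER fingerprint, not by PEM text (line wrapping may differ)."""
    return fingerprint(pem_to_der(pem_a)) == fingerprint(pem_to_der(pem_b))


def served_certificate(host: str, port: int = 443) -> str:
    """PEM of the leaf certificate the server presents. No validation happens here;
    the comparison against cert.arm in verify_and_import is the check."""
    return ssl.get_server_certificate((host, port))


def keytool_commands(cert_file: str, keystore: str, storepass: str,
                     keytool: str = "keytool", alias: str = ALIAS) -> List[List[str]]:
    """argv for the three GUI actions: delete the old wcepcertificate, add the signer, list it.
    -import (the legacy spelling of -importcert) is used so the same commands work with the
    older JDK keytool shipped with WebSphere; -noprompt skips the 'Trust this certificate?' prompt."""
    base = [keytool, "-keystore", keystore, "-storepass", storepass, "-alias", alias]
    return [
        base + ["-delete"],
        base + ["-import", "-noprompt", "-file", cert_file],
        base + ["-list", "-v"],
    ]


def import_signer(cert_file: str, keystore: str, storepass: str,
                  keytool: str = "keytool", alias: str = ALIAS) -> str:
    """Replace the wcepcertificate signer entry in one keystore and return keytool's listing."""
    delete, add, show = keytool_commands(cert_file, keystore, storepass, keytool, alias)
    subprocess.run(delete, capture_output=True, text=True)   # non-zero exit if the alias is absent; that is fine
    subprocess.run(add, check=True, capture_output=True, text=True)
    return subprocess.run(show, check=True, capture_output=True, text=True).stdout


def verify_and_import(cert_file: str, commerce_host: str, commerce_port: int,
                      keystores: Sequence[Tuple[str, str]], keytool: str = "keytool") -> None:
    """Refuse to trust cert.arm unless it is the certificate the Commerce server presents."""
    with open(cert_file, encoding="ascii") as fh:
        local_pem = fh.read()
    if not same_certificate(local_pem, served_certificate(commerce_host, commerce_port)):
        raise SystemExit(f"{cert_file} is not the certificate {commerce_host}:{commerce_port} "
                         "presents; extract it again from keyfile.kdb before importing")
    print("server presents SHA-256", fingerprint(pem_to_der(local_pem)))
    for keystore, storepass in keystores:
        print(import_signer(cert_file, keystore, storepass, keytool))


if __name__ == "__main__":
    # Placeholder paths, host and passwords; use the real values from wpsconfig.properties.
    WAS_HOME = "/opt/WebSphere/AppServer"
    verify_and_import(
        "/tmp/cert.arm", "commerce.example.com", 443,
        [(f"{WAS_HOME}/java/jre/lib/security/cacerts", "<KeyStorePassword value>"),
         (f"{WAS_HOME}/etc/DummyServerTrustFile.jks", "<TrustStorePassword value>")],
        keytool=f"{WAS_HOME}/java/bin/keytool",
    )
```

Run it on the WebSphere Portal node after copying cert.arm there. If the fingerprint check fails, the file in hand is not the certificate the server is serving (for example, the key database was regenerated after the extract), and importing it would not fix the handshake. The server fetch uses the Python interpreter's own TLS stack, so a very old IBM HTTP Server that offers only SSLv3 or TLS 1.0 may refuse to negotiate; in that case compare the fingerprint printed by `keytool -printcert -file cert.arm` with the one shown in the IBM Key Management utility instead.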
