Support Article

Connect-REST fails to connect

SA-36840

Summary



Connect-REST fails to connect to a service that expects Server Name Indication (SNI) during the handshake.

Error Messages


Exception caught during REST Connector connectivity test : Connection to service failed
com.pega.pegarules.pub.PRRuntimeException: Connection to service failed
.......
Caused by: javax.net.ssl.SSLPeerUnverifiedException: peer not authenticated
at sun.security.ssl.SSLSessionImpl.getPeerCertificates(SSLSessionImpl.java:431)
at com.pega.apache.http.conn.ssl.AbstractVerifier.verify(AbstractVerifier.java:128)


Steps to Reproduce



1) Create Connect-REST or use existing one.
2) Click on "TestConnectivity".
3) Try running the actual activity which invokes the REST connector.
4) Check the SSL debug log. The server_name extension will be missing from the ClientHello:
ClientHello, TLSv1.2
Extension server_name, server_name: [type=host_name (0), value=<endpointserver.com>] (this line is missing)


Root Cause



The Server Name Indication (SNI) feature is not supported until Pega 7.2.2.

This is a known issue when a service provider supports multiple host names on a given IP address and port number. In Pega 7.2.2 the Apache libraries have been upgraded, and it is not feasible to port that upgrade to older releases.

Resolution



Perform the following local change:

The solution is to work with the service provider to:

Change the default certificate for non-SNI clients

(or)

Provide an alternate port to access the alternate host & certificate

(or)

Upgrade to Pega 7.2.2

Published April 20, 2017 - Updated May 9, 2017

