Support Article
Connect-REST fails to connect
Summary
Connect-REST fails to connect to a service that expects Server Name Indication (SNI) during the TLS handshake.
Error Messages
Exception caught during REST Connector connectivity test : Connection to service failed
com.pega.pegarules.pub.PRRuntimeException: Connection to service failed
.......
Caused by: javax.net.ssl.SSLPeerUnverifiedException: peer not authenticated
at sun.security.ssl.SSLSessionImpl.getPeerCertificates(SSLSessionImpl.java:431)
at com.pega.apache.http.conn.ssl.AbstractVerifier.verify(AbstractVerifier.java:128)
Steps to Reproduce
1) Create a Connect-REST or use an existing one.
2) Click on "TestConnectivity".
3) Try running the actual activity which invokes the REST connector.
4) Verify the SSL debug log. The server_name extension will be missing from the ClientHello:
ClientHello, TLSv1.2
Extension server_name, server_name: [type=host_name (0), value=<endpointserver.com>] (This line is missing)
Root Cause
The Server Name Indication (SNI) feature is not supported until Pega 7.2.2.
This is a known issue when a service provider supports multiple host names on a given IP address and port number. In Pega 7.2.2 the Apache libraries have been upgraded, and it is not feasible to port this to older releases.
Resolution
Perform the following local-change:
The solution is to work with the service provider to:
Change the default certificate for non-SNI clients
(or)
Provide an alternate port to access the alternate host & certificate
(or)
Upgrade to Pega 7.2.2
Published May 9, 2017 - Updated October 8, 2020