Support Article
Error "peer not authenticated" on connect-REST request
SA-8003
Summary
The user is testing an upgrade to Pega 7.1.7 and receives the error "peer not authenticated" on a Connect-REST request. The same configuration worked in PRPC 6.3. The user had the same issue in PRPC 6.3 during initial development, and it was resolved by SR-114965. That resolution included installing HFIX-9286 and making configuration changes in the cloud environment as described in the PDN article "https://pdn.pega.com/security/how-to-set-up-two-way-ssl-for-soap-over-http-using-rule-connect-soap". The issue now occurs again on PRPC 7.1.7. The configuration steps were followed as before, but we are not sure whether the HFIX exists in Pega 7.1.7.
Error Messages
Caused by: javax.net.ssl.SSLPeerUnverifiedException: peer not authenticated
at sun.security.ssl.SSLSessionImpl.getPeerCertificates(SSLSessionImpl.java:397)
at com.pega.apache.http.conn.ssl.AbstractVerifier.verify(AbstractVerifier.java:128)
at com.pega.apache.http.conn.ssl.SSLSocketFactory.connectSocket(SSLSocketFactory.java:398)
at com.pega.apache.http.conn.ssl.SSLSocketFactory.connectSocket(SSLSocketFactory.java:496)
at com.pega.apache.http.conn.scheme.SchemeSocketFactoryAdaptor.connectSocket(SchemeSocketFactoryAdaptor.java:62)
at com.pega.apache.http.impl.conn.DefaultClientConnectionOperator.openConnection(DefaultClientConnectionOperator.java:148)
at com.pega.apache.http.impl.conn.AbstractPoolEntry.open(AbstractPoolEntry.java:149)
at com.pega.apache.http.impl.conn.AbstractPooledConnAdapter.open(AbstractPooledConnAdapter.java:121)
at com.pega.apache.http.impl.client.DefaultRequestDirector.tryConnect(DefaultRequestDirector.java:573)
at com.pega.apache.http.impl.client.DefaultRequestDirector.execute(DefaultRequestDirector.java:425)
at com.pega.apache.http.impl.client.AbstractHttpClient.execute(AbstractHttpClient.java:825)
at com.pega.apache.http.impl.client.AbstractHttpClient.execute(AbstractHttpClient.java:759)
at com.pegarules.generated.activity.ra_action_pyinvokerestconnector_ea5a601f5c30c4d8bb2e5da269e20397.step5_circum0(ra_action_pyinvokerestconnector_ea5a601f5c30c4d8bb2e5da269e20397.java:1276)
Steps to Reproduce
1) Submit a Connect-REST request to the HTTPS URL of the service.
Root Cause
The root cause of this problem is a defect or misconfiguration in the PRPC operating environment.
In Pega 7, security improvements were made to Connect-REST rules so that they run under a SecurityManager and SSLSocketFactory from within the Pega application rather than falling back on the underlying JDK's SecurityManager and SSLSocketFactory.
Resolution
This issue is resolved through the following local change:
1) FTP or download the following KeyStore file from the server under following file system path to your Windows environment
2) FTP or download the following TrustStore file from the server under following file system path to your Windows environment
3) Log in to PRPC DesignerStudio and create new “KeyStore” and “TrustStore” rules using the following details, and upload the corresponding files from Step 1 and 2 above. Save and check in the rules.
   - KeyStore –
     - Keystore type – JKS
     - Keystore password – keystorepassword
     - Upload File – keystore.file
   - Truststore –
     - Keystore type – JKS
     - Keystore password – truststorepassword
     - Upload File – truststore.file
4) Open the Connect-REST rule form and specify the Truststore and Keystore created above in the “Security settings” section under the “Service” tab. Save and check in the rule.
5) Restart the PRPC JVMs.
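A check that can be run on the two downloaded files before uploading them, as an added example that is not Pega code: it loads each JKS store with the password that will be entered on the rule form and lists problems that would leave the TLS handshake without a usable client key or trust anchor. The class name `StoreCheck`, its `check` method, and the assumption that one password must unlock both the store and its key entry are assumptions of this example, not details from the article.

```java
import java.io.*;
import java.security.*;
import java.security.cert.*;
import java.util.*;
// Added example, not Pega code; class and method names are hypothetical.
public class StoreCheck {
    // Returns the problems found; an empty list means the store fits its role.
    static List<String> check(InputStream in, char[] pw, boolean isKeyStore) throws Exception {
        List<String> problems = new ArrayList<>();
        KeyStore ks = KeyStore.getInstance("JKS");
        ks.load(in, pw); // IOException here: wrong store password or damaged file
        int keys = 0, certs = 0;
        for (String alias : Collections.list(ks.aliases())) {
            if (ks.isKeyEntry(alias)) {
                keys++;
                // Assumption: the single password on the rule form must also unlock the key.
                try { ks.getKey(alias, pw); } catch (UnrecoverableKeyException e) {
                    problems.add(alias + ": key password differs from store password");
                }
            }
            if (ks.getCertificate(alias) instanceof X509Certificate) {
                certs++;
                X509Certificate c = (X509Certificate) ks.getCertificate(alias);
                try { c.checkValidity(); } catch (CertificateException e) {
                    problems.add(alias + ": certificate not valid now, notAfter=" + c.getNotAfter());
                }
            }
        }
        if (isKeyStore && keys == 0) problems.add("no private key entry to present as client certificate");
        if (!isKeyStore && certs == 0) problems.add("no certificate to verify the server against");
        return problems;
    }
    public static void main(String[] a) throws Exception {
        if (a.length == 4) { // keystore file, its password, truststore file, its password
            try (InputStream k = new FileInputStream(a[0]); InputStream t = new FileInputStream(a[2])) {
                System.out.println("KeyStore problems:   " + check(k, a[1].toCharArray(), true));
                System.out.println("TrustStore problems: " + check(t, a[3].toCharArray(), false));
            }
            return;
        }
        // No arguments: check a constructed, empty in-memory JKS to show a failing result.
        char[] pw = "constructed-password".toCharArray();
        KeyStore empty = KeyStore.getInstance("JKS");
        empty.load(null, null);
        ByteArrayOutputStream buf = new ByteArrayOutputStream();
        empty.store(buf, pw);
        System.out.println(check(new ByteArrayInputStream(buf.toByteArray()), pw, true));
    }
}
```

Passwords passed as command-line arguments are visible in the process list and shell history, so run the check on a workstation you control.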
Published January 31, 2016 - Updated October 8, 2020