Support Article
PKIXCertPathBuilderImpl could not build a valid CertPath
SA-26232
Summary
Certificate errors occur sporadically when testing connectivity on a Connect-SOAP rule. A server restart clears the issue, but it returns after two test connections. The configuration is stated to be identical in a lower environment, where the issue is not reproduced.
Error Messages
Fail
Service URL 'https://server.com/servicename value is invalid: javax.net.ssl.SSLHandshakeException: com.ibm.jsse2.util.j: PKIX path building failed:
java.security.cert.CertPathBuilderException: PKIXCertPathBuilderImpl could not build a valid CertPath.; internal cause is:
java.security.cert.CertPathValidatorException: The certificate issued by CN=Citi Internal Root CA Untrusted, DC=Citi, DC=net is not trusted; internal cause is:
java.security.cert.CertPathValidatorException: Certificate chaining error
Steps to Reproduce
Open the Connect-SOAP rule and test the connectivity.
Root Cause
A defect in Pegasystems’ code or rules. Pega does not always pick up the certificate and key pair when they are defined in the application-server-level keystore and truststore for connectors.
Resolution
Perform the following local change:
Enable WS-Security, and add the truststore and keystore at the connector level.
Published August 9, 2016 - Updated October 8, 2020