Support Article
RESTFul Services fail with SSLPeerUnverifiedException
SA-11532
Summary
RESTFul services fail with SSL exception.
Error Messages
2015-06-17 17:25:24,897 [ WebContainer : 78] [ STANDARD] [ ] ( internal.mgmt.Executable) ERROR - Exception
com.pega.pegarules.pub.services.ConnectorException: Caught unhandled exception: javax.net.ssl.SSLPeerUnverifiedException: peer not authenticated
at com.pegarules.generated.activity.ra_action_pyinvokerestconnector_ea5a601f5c30c4d8bb2e5da269e20397.step5_circum0(ra_action_pyinvokerestconnector_ea5a601f5c30c4d8bb2e5da269e20397.java:1678)
at com.pegarules.generated.activity.ra_action_pyinvokerestconnector_ea5a601f5c30c4d8bb2e5da269e20397.perform(ra_action_pyinvokerestconnector_ea5a601f5c30c4d8bb2e5da269e20397.java:137)
at com.pega.pegarules.session.internal.mgmt.Executable.doActivity(Executable.java:3375)
at com.pegarules.generated.activity.ra_action_invoke_6a91441c4f6e5048b63360383ae1b952.step7_circum0(ra_action_invoke_6a91441c4f6e5048b63360383ae1b952.java:1002)
at com.pegarules.generated.activity.ra_action_invoke_6a91441c4f6e5048b63360383ae1b952.perform(ra_action_invoke_6a91441c4f6e5048b63360383ae1b952.java:172)
at com.pega.pegarules.session.internal.mgmt.Executable.doActivity(Executable.java:3375)
...
at com.ibm.io.async.ResultHandler.complete(ResultHandler.java:204)
at com.ibm.io.async.ResultHandler.runEventProcessingLoop(ResultHandler.java:775)
at com.ibm.io.async.ResultHandler$2.run(ResultHandler.java:905)
at com.ibm.ws.util.ThreadPool$Worker.run(ThreadPool.java:1662)
Caused by:
javax.net.ssl.SSLPeerUnverifiedException: peer not authenticated
at com.ibm.jsse2.SSLSessionImpl.getPeerCertificates(SSLSessionImpl.java:17)
at com.pega.apache.http.conn.ssl.AbstractVerifier.verify(AbstractVerifier.java:128)
at com.pega.apache.http.conn.ssl.SSLSocketFactory.connectSocket(SSLSocketFactory.java:398)
at com.pega.apache.http.conn.ssl.SSLSocketFactory.connectSocket(SSLSocketFactory.java:496)
at com.pega.apache.http.conn.scheme.SchemeSocketFactoryAdaptor.connectSocket(SchemeSocketFactoryAdaptor.java:62)
at com.pega.apache.http.impl.conn.DefaultClientConnectionOperator.openConnection(DefaultClientConnectionOperator.java:148)
at com.pega.apache.http.impl.conn.AbstractPoolEntry.open(AbstractPoolEntry.java:149)
at com.pega.apache.http.impl.conn.AbstractPooledConnAdapter.open(AbstractPooledConnAdapter.java:121)
at com.pega.apache.http.impl.client.DefaultRequestDirector.tryConnect(DefaultRequestDirector.java:573)
at com.pega.apache.http.impl.client.DefaultRequestDirector.execute(DefaultRequestDirector.java:425)
at com.pega.apache.http.impl.client.AbstractHttpClient.execute(AbstractHttpClient.java:825)
at com.pega.apache.http.impl.client.AbstractHttpClient.execute(AbstractHttpClient.java:759)
at com.pegarules.generated.activity.ra_action_pyinvokerestconnector_ea5a601f5c30c4d8bb2e5da269e20397.step5_circum0(ra_action_pyinvokerestconnector_ea5a601f5c30c4d8bb2e5da269e20397.java:1274)
... 115 more
Steps to Reproduce
Invoke Connect-REST, to call RESTFul webservice with TLS Enabled to observe the issue.
Root Cause
The root cause of this problem is defect/misconfiguration in the operating environment. "pyInvokeRestConnector" activity was setting the SSL protocol to SSL when the service expected a TLS protocol during the SSL handshake.
Connect-REST rule has been enhanced in Pega 7.1.8 where you, as an application developer, can pass in the SSL protocol at PRPC level.
Resolution
This issue is resolved through the following local-change:
Override the pyInvokeRestConnector activity to the local ruleset. Modify Java code in Step 4,
Change the following line:
String protocol = "SSL";
TO
String protocol = "TLS";
This issue is fixed in Pega 7.1.8.
Published July 13, 2015 - Updated October 8, 2020
Have a question? Get answers now.
Visit the Collaboration Center to ask questions, engage in discussions, share ideas, and help others.