Support Article

RESTFul Services fail with SSLPeerUnverifiedException

SA-11532

Summary



RESTFul services fail with SSL exception.

Error Messages



2015-06-17 17:25:24,897 [   WebContainer : 78] [  STANDARD] [ ] (      internal.mgmt.Executable) ERROR - Exception
com.pega.pegarules.pub.services.ConnectorException: Caught unhandled exception: javax.net.ssl.SSLPeerUnverifiedException: peer not authenticated
 at com.pegarules.generated.activity.ra_action_pyinvokerestconnector_ea5a601f5c30c4d8bb2e5da269e20397.step5_circum0(ra_action_pyinvokerestconnector_ea5a601f5c30c4d8bb2e5da269e20397.java:1678)
 at com.pegarules.generated.activity.ra_action_pyinvokerestconnector_ea5a601f5c30c4d8bb2e5da269e20397.perform(ra_action_pyinvokerestconnector_ea5a601f5c30c4d8bb2e5da269e20397.java:137)
 at com.pega.pegarules.session.internal.mgmt.Executable.doActivity(Executable.java:3375)
 at com.pegarules.generated.activity.ra_action_invoke_6a91441c4f6e5048b63360383ae1b952.step7_circum0(ra_action_invoke_6a91441c4f6e5048b63360383ae1b952.java:1002)
 at com.pegarules.generated.activity.ra_action_invoke_6a91441c4f6e5048b63360383ae1b952.perform(ra_action_invoke_6a91441c4f6e5048b63360383ae1b952.java:172)
 at com.pega.pegarules.session.internal.mgmt.Executable.doActivity(Executable.java:3375)
 ...
 at com.ibm.io.async.ResultHandler.complete(ResultHandler.java:204)
 at com.ibm.io.async.ResultHandler.runEventProcessingLoop(ResultHandler.java:775)
 at com.ibm.io.async.ResultHandler$2.run(ResultHandler.java:905)
 at com.ibm.ws.util.ThreadPool$Worker.run(ThreadPool.java:1662)
Caused by:
javax.net.ssl.SSLPeerUnverifiedException: peer not authenticated
 at com.ibm.jsse2.SSLSessionImpl.getPeerCertificates(SSLSessionImpl.java:17)
 at com.pega.apache.http.conn.ssl.AbstractVerifier.verify(AbstractVerifier.java:128)
 at com.pega.apache.http.conn.ssl.SSLSocketFactory.connectSocket(SSLSocketFactory.java:398)
 at com.pega.apache.http.conn.ssl.SSLSocketFactory.connectSocket(SSLSocketFactory.java:496)
 at com.pega.apache.http.conn.scheme.SchemeSocketFactoryAdaptor.connectSocket(SchemeSocketFactoryAdaptor.java:62)
 at com.pega.apache.http.impl.conn.DefaultClientConnectionOperator.openConnection(DefaultClientConnectionOperator.java:148)
 at com.pega.apache.http.impl.conn.AbstractPoolEntry.open(AbstractPoolEntry.java:149)
 at com.pega.apache.http.impl.conn.AbstractPooledConnAdapter.open(AbstractPooledConnAdapter.java:121)
 at com.pega.apache.http.impl.client.DefaultRequestDirector.tryConnect(DefaultRequestDirector.java:573)
 at com.pega.apache.http.impl.client.DefaultRequestDirector.execute(DefaultRequestDirector.java:425)
 at com.pega.apache.http.impl.client.AbstractHttpClient.execute(AbstractHttpClient.java:825)
 at com.pega.apache.http.impl.client.AbstractHttpClient.execute(AbstractHttpClient.java:759)
 at com.pegarules.generated.activity.ra_action_pyinvokerestconnector_ea5a601f5c30c4d8bb2e5da269e20397.step5_circum0(ra_action_pyinvokerestconnector_ea5a601f5c30c4d8bb2e5da269e20397.java:1274)
 ... 115 more


Steps to Reproduce



Invoke Connect-REST, to call RESTFul webservice with TLS Enabled to observe the issue.

Root Cause



The root cause of this problem is defect/misconfiguration in the operating environment. "pyInvokeRestConnector" activity was setting the SSL protocol to SSL when the service expected a TLS protocol during the SSL handshake.
Connect-REST rule has been enhanced in Pega 7.1.8 where you, as an application developer, can pass in the SSL protocol at PRPC level.



Resolution



This issue is resolved through the following local-change:

Override the pyInvokeRestConnector activity to the local ruleset. Modify Java code in Step 4,
Change the following line:

String protocol = "SSL"; 
TO
String protocol = "TLS";

This issue is fixed in Pega 7.1.8.

Published July 13, 2015 - Updated October 8, 2020


0% found this useful

Have a question? Get answers now.

Visit the Collaboration Center to ask questions, engage in discussions, share ideas, and help others.