This content has been archived and is no longer being updated. Links may not function; however, this content may be relevant to outdated versions of the product.

Support Article

System not recognizing SOAP server certificates installed

SA-24720

Summary



The user's Pega application calls two SOAP services using Connect-SOAP rules:
  • The first Connect-SOAP call uses JVM-level certificates for the SSL handshake.
  • The second Connect-SOAP call requires a username token and therefore uses the WS-Security option.


The requirement is to supply all trust certificates in the JVM-level trust store, but the WS-Security option requires a keystore to be provided in Pega.


Error Messages



2016-06-02 13:33:37,489 [ WebContainer : 1] [ OpenPortal] [ your_app:02.01.01] ( internal.mgmt.Executable) ERROR your_host|127.0.0.1 your_user - Exception
com.pega.pegarules.pub.services.ConnectorException: Couldn't create SSL connection : Invalid SSL configuration: Keystore and Truststore both cannot be empty.
at com.pegarules.generated.activity.ra_action_invokeaxis2_ab4bacc4d22ff691fd98ed821335eb56.step8_circum0(ra_action_invokeaxis2_ab4bacc4d22ff691fd98ed821335eb56.java:2807)
at com.pegarules.generated.activity.ra_action_invokeaxis2_ab4bacc4d22ff691fd98ed821335eb56.perform(ra_action_invokeaxis2_ab4bacc4d22ff691fd98ed821335eb56.java:189)
at com.pega.pegarules.session.internal.mgmt.Executable.doActivity(Executable.java:3375)
at com.pegarules.generated.activity.ra_action_invoke_5e9e0cecbbfdfa9a2b1306e703ec4af8.step8_circum0(ra_action_invoke_5e9e0cecbbfdfa9a2b1306e703ec4af8.java:1032)


Steps to Reproduce

  1. Select the WS-Security option for an HTTPS SOAP endpoint.
  2. Run the Connect-SOAP rule.
     

Root Cause



A defect in Pegasystems’ code or rules. The issue is specific to Pega 7.1.7; Pega 7.1.8 and later versions do not have this problem. In Pega 7.1.7, step 8 of the invokeAxis2 activity throws the exception shown above:

    throw new ConnectorException("Invalid SSL configuration: Keystore and Truststore both cannot be empty.");

In Pega 7.1.8, no exception is thrown. Instead, the step logs this message:

    if((keyStoreName == null || keyStoreName.length() == 0) && (trustStoreName == null || trustStoreName.length() == 0))
    {
        //Don't throw exception for backward compatibility with old connectors which have SSL configuration without WS-Security Profile
        oLog.info("No PRPC TrustStore/KeyStore configured. The java environment's SSL/TLS context will be used.");
    }

The Pega 7.1.8 behavior is what is required.


Resolution



Perform the following local-change steps:
  1. Create a keystore Data instance, leaving the file name for the keystore blank.
  2. Use this keystore for the second Connect-SOAP rule, the one that uses WS-Security.

This local change achieves the same result as the Pega 7.1.8 update: the JVM-level truststore is used for the SSL handshake for both services.
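
Because both connectors now depend on the JVM-level trust store, it helps to confirm that the SOAP server's issuing CA is actually present there. The following is an added example, not Pega code: the class name JvmTrustCheck and its argument handling are hypothetical, and it assumes it is run with the same JVM and -D options as the application server.

```java
import java.security.KeyStore;
import java.security.cert.X509Certificate;
import java.util.ArrayList;
import java.util.Arrays;
import java.util.List;
import javax.net.ssl.TrustManager;
import javax.net.ssl.TrustManagerFactory;
import javax.net.ssl.X509TrustManager;

// Added illustration; class and method names are hypothetical, not Pega APIs.
public class JvmTrustCheck {

    // Trust anchors used when no explicit trust store is supplied: the JRE's
    // jssecacerts/cacerts file, or the store named by -Djavax.net.ssl.trustStore.
    static List<X509Certificate> jvmTrustAnchors() throws Exception {
        TrustManagerFactory tmf =
            TrustManagerFactory.getInstance(TrustManagerFactory.getDefaultAlgorithm());
        tmf.init((KeyStore) null); // null selects the JVM-level trust store
        List<X509Certificate> anchors = new ArrayList<>();
        for (TrustManager tm : tmf.getTrustManagers()) {
            if (tm instanceof X509TrustManager) {
                anchors.addAll(Arrays.asList(((X509TrustManager) tm).getAcceptedIssuers()));
            }
        }
        return anchors;
    }

    public static void main(String[] args) throws Exception {
        // Assumption: args[0] is part of the CA's subject DN; no argument lists every anchor.
        String needle = args.length > 0 ? args[0].toLowerCase() : "";
        String override = System.getProperty("javax.net.ssl.trustStore");
        System.out.println("Trust store: "
            + (override != null ? override : "JRE default (jssecacerts or cacerts)"));

        int matches = 0;
        for (X509Certificate c : jvmTrustAnchors()) {
            String subject = c.getSubjectX500Principal().getName();
            if (!needle.isEmpty() && !subject.toLowerCase().contains(needle)) continue;
            matches++;
            String status = "OK     ";
            try {
                c.checkValidity(); // flags expired or not-yet-valid anchors
            } catch (java.security.cert.CertificateException e) {
                status = "INVALID";
            }
            System.out.println(status + " " + subject + " (not after " + c.getNotAfter() + ")");
        }
        System.out.println(matches + " matching trust anchor(s)");
        if (matches == 0) System.exit(1); // CA missing: the handshake would fail
    }
}
```

A zero-match result means the certificate was imported into a different store than the one this JVM reads, which is the usual cause when installed certificates are not recognized.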

Published June 27, 2016 - Updated October 8, 2020
