
Connect WebSphere to Salesforce.com via SSL

So, you’ve got your spiffy WAS app that connects to salesforce.com, and deployed it on the app server, but when it actually tries to connect you’re getting errors like this:

[11/5/08 14:04:15:256 PST] 00000033 SystemOut     O CWPKI0022E: SSL HANDSHAKE FAILURE:  A signer with SubjectDN "CN=cs2-api.salesforce.com, OU=Applications, O="Salesforce.com, Inc.", STREET=The Landmark at 1 Martket, L=San Francisco, ST=California, POSTALCODE=94105, C=US, SERIALNUMBER=2991326, OID.2.5.4.15="V1.0, Clause 5.(b)", OID.1.3.6.1.4.1.311.60.2.1.2=Delaware, OID.1.3.6.1.4.1.311.60.2.1.3=US" was sent from target host:port "unknown:0".  The signer may need to be added to local trust store "/apps/WebSphere/AppServer/profiles/AppSrv01/config/cells/ucasd16Cell01/trust.p12" located in SSL configuration alias "NodeDefaultSSLSettings" loaded from SSL configuration file "security.xml".  The extended error message from the SSL handshake exception is: "No trusted certificate found".

What to do? What your server is saying is, “I don’t have a trusted signer that matches the certificate I’m being presented with”. You probably see this all the time when you hit an untrusted (usually internal) web site and your browser asks if you want to proceed (e.g., “The security certificate presented by this website was not issued by a trusted certificate authority.”). Typically you click yes, because you know the web site you’re hitting is one you trust. Your server can’t make that call, so you need to import that certificate into its trust store for it.

There are a couple of ways to do this, and you can try each, depending on the site at salesforce.com that you’re hitting.

In the error logs we received two such errors as above, one for test.salesforce.com, the other for cs2-api.salesforce.com. I found I could use the backdoor method of getting the first certificate into the server’s trust store. First, I made a backup of the node’s trust.p12 file. Then I opened up the WAS console and went to SSL certificate and key management > Key stores and certificates > CellDefaultTrustStore. This last is what is pointed to by the “NodeDefaultSSLSettings” configuration named in the error above. Click on ‘Signer certificates’, then the ‘Retrieve from port’ button, and put in the following info:

Host: test.salesforce.com
Port: 443
Alias: sfdc_test (call this anything you want)

Press the ‘Retrieve signer information’ button. You’ll then see a screen showing the retrieved certificate’s identifying numbers and key details.

Click on OK, and the certificate is added to the trust store for that cell.

I didn’t have that kind of luck with cs2-api.salesforce.com. WAS kept telling me that it couldn’t connect for some reason. So, I opened IE, went to https://cs2-api.salesforce.com/ and clicked the padlock. Click on View certificates, then the Details tab, and the Copy to File… button. Press Next, Next, and give the file a name and location. Next and Finish. Find the file and upload it to a temporary location on your WAS server.

Go back to the WAS console and click on Add in the Signer Certificates screen. Give the certificate an alias (like sfdc_cs2) and enter the path to the file as seen from the server. Set the Data type to ‘Binary DER data’ and click OK.

When that is successful, make sure your nodes are synchronized and restart the server. You should now be able to connect to salesforce.com from the server with the app running there. If not, check the logs for errors similar to the one above and import the appropriate certificate using one of the above techniques. Also, make a note of the expiration date of these certs and put a reminder in your calendar to re-import them before that date.
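When more than one signer is missing, it helps to pull the CNs and trust store paths out of SystemOut.log mechanically rather than reading each message by hand. The following Python script is an added example, not part of the original post: it parses CWPKI0022E lines of the form quoted above and lists the distinct signers still to be imported, and the sample log lines in it are constructed.

```python
import re
from typing import Dict, List, Optional

# Pattern for the CWPKI0022E message WebSphere writes to SystemOut.log. The SubjectDN is matched
# non-greedily because it can contain quotes and commas (O="Salesforce.com, Inc."), so the match
# is anchored on the fixed text that follows it.
CWPKI0022E = re.compile(
    r'CWPKI0022E: SSL HANDSHAKE FAILURE:\s+A signer with SubjectDN "(?P<dn>.*?)" '
    r'was sent from target host:port "(?P<hostport>[^"]*)"\.\s+'
    r'The signer may need to be added to local trust store "(?P<store>[^"]*)" '
    r'located in SSL configuration alias "(?P<alias>[^"]*)"'
)
# Simple CN extraction, enough for DNs like the one above (a quoted CN with commas needs RFC 4514 parsing).
CN_RE = re.compile(r'(?:^|,\s*)CN=([^,]+)')

def parse_handshake_failure(line: str) -> Optional[Dict[str, str]]:
    """Return signer CN, a host hint, trust store path and SSL config alias from one log line, or None."""
    m = CWPKI0022E.search(line)
    if not m:
        return None
    cn_match = CN_RE.search(m.group("dn"))
    cn = cn_match.group(1).strip() if cn_match else ""
    # WAS often reports the peer as "unknown:0", so the CN is the only clue to which host to retrieve the
    # signer from; a wildcard CN (*.example.com) is not a host name, so no hint is given for it.
    host_hint = cn if cn and not cn.startswith("*") else ""
    return {"cn": cn, "host_hint": host_hint, "trust_store": m.group("store"), "ssl_alias": m.group("alias")}

def missing_signers(lines: List[str]) -> List[Dict[str, str]]:
    """Distinct missing signers (keyed by CN and trust store) from a SystemOut log, in first-seen order."""
    seen, found = set(), []
    for line in lines:
        rec = parse_handshake_failure(line)
        if rec and (rec["cn"], rec["trust_store"]) not in seen:
            seen.add((rec["cn"], rec["trust_store"]))
            found.append(rec)
    return found

# Constructed sample log, modelled on the message quoted in the post; these are not real log lines.
STORE = "/apps/WebSphere/AppServer/profiles/AppSrv01/config/cells/ucasd16Cell01/trust.p12"
TAIL = (' was sent from target host:port "unknown:0".  The signer may need to be added to local trust store "' + STORE + '" located in SSL configuration alias "NodeDefaultSSLSettings" '
        'loaded from SSL configuration file "security.xml".  The extended error message from the SSL handshake '
        'exception is: "No trusted certificate found".')
HEAD = '[11/5/08 14:04:15:256 PST] 00000033 SystemOut     O CWPKI0022E: SSL HANDSHAKE FAILURE:  A signer with SubjectDN "'
SAMPLE_LOG = [
    HEAD + 'CN=cs2-api.salesforce.com, OU=Applications, O="Salesforce.com, Inc.", L=San Francisco, ST=California, C=US"' + TAIL,
    '[11/5/08 14:04:16:001 PST] 00000033 SystemOut     O WSVR0001I: Server server1 open for e-business',
    HEAD + 'CN=test.salesforce.com, OU=Applications, O="Salesforce.com, Inc.", L=San Francisco, ST=California, C=US"' + TAIL,
    HEAD + 'CN=cs2-api.salesforce.com, OU=Applications, O="Salesforce.com, Inc.", L=San Francisco, ST=California, C=US"' + TAIL,
    HEAD + 'CN=*.salesforce.com, O="Salesforce.com, Inc.", C=US"' + TAIL,
]
```

Running `missing_signers(SAMPLE_LOG)` yields one record per distinct CN, each naming the trust store and SSL configuration alias to add it to, so the duplicate cs2-api error is reported once and the wildcard entry carries no host hint.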
