Making authenticated web service callouts from Salesforce to IBM Cast Iron using SSL/certificates–Part V

Introduction

This article is the fifth and final part of the five-part series on making authenticated web service callouts from Salesforce to IBM WebSphere Cast Iron. It covers the issues most commonly encountered when implementing SSL/certificate-based security and how to fix them. The list is not exhaustive, but these are the problems one is most likely to meet while implementing this type of security.

Certificate issues

PKIX path building failed

Exception message:

sun.security.validator.ValidatorException: PKIX path building failed: sun.security.provider.certpath.SunCertPathBuilderException: unable to find valid certification path to requested target

Solution:

This exception means the client could not build a chain from the certificate it was presented with to a root it trusts. It can happen for various reasons; the following actions might resolve it.

  • Make sure the certificate is valid and has not expired.
  • If you have enabled two-way certificate authentication, make sure the client includes its certificate when it makes the web service callout.

IO Exception: DER input, Integer tag error

Exception message:

IO Exception: DER input, Integer tag error

Solution:

This exception can happen for various reasons.

  • As explained previously, Salesforce accepts PKCS#12 certificates; if your certificate is in DER/PEM format you will receive this error. Once you use the PKCS#12 certificate the error should go away.
  • When you embed a third-party certificate in the code and the certificate content has been tampered with, or you pasted the certificate content incorrectly, you will receive this error.

SSLPeerUnverifiedException: peer not authenticated

Exception message:

javax.net.ssl.SSLPeerUnverifiedException: peer not authenticated

Solution:

There are many situations in which this error can happen. They can be summarized as follows:

  • If your certificate has a chain of trust (that is, there are intermediate certificates between it and the root), the certificates in the chain must be in the correct order. The order is:
    • The server certificate
    • The intermediate certificate that signed your server certificate (only if the server certificate is not signed directly by the root certificate)
    • The intermediate certificate that signed the previous intermediate certificate
    • And so on: include every intermediate certificate up to, but excluding, the root CA (this is usually already available in your server’s trust store)
  • One or more certificates in the chain have expired or are otherwise invalid.
  • One or more intermediate certificates in the chain are missing.
  • One or more certificates in the chain are self-signed or otherwise not trusted by Salesforce. The list of CAs that Salesforce supports can be found here.

IO Exception: Unable to tunnel through proxy.

Exception message:

IO Exception: Unable to tunnel through proxy. Proxy returns "HTTP/1.0 503 Service unavailable"

Solution:

This error happens when your firewall does not allow access to the server hosting the web service. Changing the firewall rules should fix the issue.

In general, when you see an issue, follow this checklist to troubleshoot it:

  • Make sure the firewall settings in your enterprise are configured to allow the inbound web service call.
  • Check whether the certificate has expired.
  • Check that every certificate in your chain of trust is valid.
  • Make sure you embed the PKCS#12 certificate on the Salesforce side when you make the web service callout.
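The chain-order, expiry and trust checks above (the SSLPeerUnverifiedException list and this checklist) can be automated. The following is an added example, not code from the article or from Salesforce or Cast Iron: it builds a constructed three-level test PKI with Go's standard library and then validates a chain in the order a server should present it. The names issue and CheckChain, and the test PKI itself, are assumptions of this example.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/x509"
	"fmt"
	"math/big"
	"time"
)

// issue builds one certificate of a constructed test PKI, signed by parent (self-signed when parent is nil).
func issue(isCA bool, parent *x509.Certificate, parentKey *ecdsa.PrivateKey) (*x509.Certificate, *ecdsa.PrivateKey) {
	key, _ := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	sn, _ := rand.Int(rand.Reader, new(big.Int).Lsh(big.NewInt(1), 64))
	usage := x509.KeyUsageDigitalSignature
	if isCA {
		usage |= x509.KeyUsageCertSign // only CA certificates may sign other certificates
	}
	tmpl := &x509.Certificate{
		SerialNumber: sn, IsCA: isCA, BasicConstraintsValid: true, KeyUsage: usage,
		NotBefore: time.Now().Add(-time.Hour), NotAfter: time.Now().Add(24 * time.Hour),
	}
	if parent == nil {
		parent, parentKey = tmpl, key
	}
	der, _ := x509.CreateCertificate(rand.Reader, tmpl, parent, &key.PublicKey, parentKey)
	cert, _ := x509.ParseCertificate(der)
	return cert, key
}

// CheckChain applies the article's checklist to a chain as the server presents it: chain[0] is the
// server certificate, each later certificate must have signed the one before it, the root stays out
// of the chain (it lives in the trust store), nothing may be expired, and the chain must end at roots.
func CheckChain(chain []*x509.Certificate, roots *x509.CertPool, now time.Time) error {
	inter := x509.NewCertPool()
	for i, c := range chain[1:] { // chain[i] must be signed by the certificate right after it
		if chain[i].CheckSignatureFrom(c) != nil {
			return fmt.Errorf("cert %d did not sign cert %d: wrong order or missing intermediate", i+1, i)
		}
		inter.AddCert(c)
	}
	// Verify also rejects expired certificates and reports "certificate signed by unknown authority"
	// when the issuing CA is missing from the chain or the root is not trusted.
	_, err := chain[0].Verify(x509.VerifyOptions{Roots: roots, Intermediates: inter, CurrentTime: now})
	return err
}
```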

Most vendors provide tools to check your server and certificate. DigiCert’s tool can connect to your server, retrieve the certificate and give you a report; similarly, Verisign has its own tool to validate certificates.

Conclusion:

This article series provided an in-depth analysis of how to make authenticated web service callouts from Salesforce to IBM WebSphere Cast Iron, with both one-way and two-way SSL/certificates. Though the series uses Salesforce and IBM WebSphere Cast Iron as examples, the concepts apply elsewhere, whether you are making authenticated web service callouts from a Java client to .NET WCF web services or from Windows .NET Azure web services to SAP, albeit with different implementation details.


18 thoughts on “Making authenticated web service callouts from Salesforce to IBM Cast Iron using SSL/certificates–Part V”

  1. […] Part-5 Conclusion and Tips This article series will use Salesforce and IBM WebSphere Cast Iron to demonstrate the two way SSL/certificates concept. The implementation steps are specific to Salesforce and IBM WebSphere Cast Iron, but the concept is very generic and can be applied to any products/services. Each part of this article will also cover the basics before going into the details to help you understand how this works. […]

  2. thiru March 12, 2012 at 9:32 am

    Awesome, was of great help!

  3. Ben March 31, 2012 at 4:35 pm

    Do you know if Cast Iron can be put behind a reverse proxy as well as a firewall in the DMZ, i.e. WebSeal, and work as before?

    • Hari Krishnan March 31, 2012 at 10:35 pm

      I think a reverse proxy itself should work, but in a DMZ, I don’t know. I checked the Cast Iron documentation and there is no mention of this.

      • jinesh June 4, 2012 at 6:48 pm

        Hi Hari,
        From where can we download the Cast Iron documentation to know more about this product?

        Thanks,
        Jinesh

  4. guguri October 12, 2012 at 6:05 am

    Do you know if, for two-way SSL certificates, we can use a self-signed certificate on the IBM Cast Iron product?

    • Hari Krishnan October 12, 2012 at 4:28 pm

      You can use a self-signed certificate with Cast Iron, but the client application may or may not work. If your client is an in-house application, e.g. Java/.NET, then you can make it work. If it is Salesforce, then Salesforce will not accept self-signed certificates if they don’t originate from Salesforce.

      • guguri October 13, 2012 at 5:35 am

        If the system has 3 components, “Salesforce -> web proxy -> Cast Iron”, can we use a self-signed certificate signed by the web proxy?

  5. Murugappan December 12, 2012 at 8:15 pm

    I am getting this error when I am trying to use the generated class in SF (CI Management API):

    System.CalloutException: IO Exception: Unable to tunnel through proxy. Proxy returns “HTTP/1.0 404 Not Found”

    Could you tell me why this is happening? I have no clue.

    • Hari Krishnan January 7, 2013 at 7:18 pm

      404 says that the resource doesn’t exist at the URL that you have configured at your origination. Please check your Cast Iron web service configuration to get the right URL.

  6. Cyril January 18, 2013 at 10:47 am

    Excellent article!!!

  7. sandy October 8, 2013 at 2:04 pm

    Hi Hari Krishnan,

    Error: Received fatal alert: unknown_ca

    Environment details:

    a) Cast Iron Studio 6.4.0.1
    b) The FTP endpoint: FTPS Explicit SSL
    c) Cast Iron acts as client

    But on executing the configuration via the WMC, we hit the error: “Received fatal alert: unknown_ca”

    What course of action can we take now to avoid this error?

    • Hari Krishnan October 8, 2013 at 4:34 pm

      Hi Sandy,
      I no longer work on IBM Cast Iron and don’t have access to Cast Iron to even try it. That said, what I sense from the above error is that there could be an issue with your certificates. Check the correctness and validity of the certificates from your certificate provider or using tools like openssl. Try with other clients such as FileZilla or WinSCP to see if you can upload/download from the FTP site.

  8. cprabakar February 6, 2014 at 7:01 pm

    Hi Hari, thank you for this detailed article on implementing 2-way SSL in Salesforce. We are planning to use 2-way SSL in an Apex callout to a web service we have exposed. I have created a CSR from Salesforce that I am going to get signed by a CA. I know I have to upload the signed certificate, but do I also need to upload the same certificate on our IIS application?

    • Hari Krishnan February 6, 2014 at 9:24 pm

      When you enable HTTPS in your IIS, you need to upload a certificate signed by a public CA. This is for one-way SSL. For two-way SSL, if you are using IIS as the web service provider, then you need to add Apex code to send the certificate. If this certificate is self-signed, then you need to upload it to Salesforce. If it’s signed by a public CA, then you don’t need to upload it.

  9. Babu Mannem April 3, 2014 at 8:07 pm

    Hi Hari,

    Excellent articles. We are implementing mutual SSL with data encryption between Salesforce and our company’s enterprise web services. We are facing a couple of issues; can I get your contact info for a quick discussion?

    Thanks
    Babu

  10. GK May 9, 2015 at 4:06 pm

    Hi Hari, I am making a callout to an external system; the certificate is uploaded in Salesforce (preferred method). I uploaded the same certificate in the external system (they expose some UI), but they are saying that they expect a key in the certificate. Does this certificate + key go implicitly in the request? It throws an authentication error. I do not find the key in SF, it remains hidden, but does it go in the request automatically? What could be the reasons I am getting an authentication error with both self-signed and signed certificates?
