KB Article #179453
TSIM Eclipse Client Applications to use a custom client-side trust store
Problem
When using your own Root CA certificate, every application that works with certificates should use the custom certificates. With these installed in TSIM, the GUI is accessible; however, when starting the Object Browser, the connection is refused with the following error:
ERROR 2016-05-13 12:39:42,009 EdiEcServer [Thread-106] - ERROR: IO error when reading socket from host/10.1.10.30 - javax.net.ssl.SSLHandshakeException: Received fatal alert: certificate_unknown
Resolution
With Service Pack 13, functionality was added for the TSIM Eclipse Client Applications (Object Browser, ENGDAT Client, OFTP Monitoring) to use a custom client-side trust store, into which customers can import the custom CA Certificates that sign their custom SSL Server certificates. Once the SP is applied, starting any of these applications creates a new file on the client side, if it does not already exist: <client_installation_dir>/custom_truststore.properties. In this file, users provide property values for locating their own trust store file in the local file system, and the password to access the trust store data. The password has to be given in encrypted form; the encrypted value is generated with the server-side script $ACTISEDI/tools/encryptclientpwd.sh, which reads the clear-text password from the console.
Typically, a System Administrator user will create and maintain the trust store, and will supply all other users the property values to be used in their local environments.
Customers who wish to replace the default SSL Server Certificate delivered by Axway need to take the following steps:
- Obtain the CA Certificate and the Certificate intended for SSL, signed by the CA Certificate
- Export the public part of the CA Certificate in a separate file
- Run the below command in an environment where JRE is installed, to create a custom trust store and import the CA Certificate:
keytool -importcert -file <path_to_exported_ca_file> -trustcacerts -alias <alias_for_the_imported_ca> -keystore <path_to_truststore_file_name> -storepass <trust_store_password>
- On TSIM server, run the below script in order to generate an encrypted value of the password entered in the previous step:
$ACTISEDI/tools/encryptclientpwd.sh
- Distribute the property values (trust store file path and encrypted password) to all the client application users, so that they will be able to add them to the below file:
<local_tsim_applications_installation_directory>/custom_truststore.properties
At this point, all client applications should be fully functional, even though the SSL Server Certificate has not actually been changed yet.
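The following shell script is an added example, not Axway tooling, that wraps the trust store creation steps above: it checks that the exported CA file really is the public part only (a file that also carries a private key is refused, since only the public CA certificate should ever reach client workstations), imports it with the keytool command from this article, and confirms the alias is present afterwards. It assumes keytool from a JRE is on the PATH; file names, the alias and the password are placeholders passed as arguments. The property key names inside custom_truststore.properties are not given in this article, so the script only reports the values to be entered there.

```shell
#!/bin/sh
# Added example (not Axway's own script): prepare a client-side trust store for
# the TSIM Eclipse Client Applications. Assumes keytool (from any JRE) is on PATH.

# check_ca_pem FILE
# Succeeds only if FILE is readable, contains a PEM certificate block and
# carries no private key (the export must be the public part of the CA only).
check_ca_pem() {
    f="$1"
    [ -r "$f" ] || { echo "not readable: $f" >&2; return 1; }
    grep -q 'BEGIN CERTIFICATE' "$f" \
        || { echo "no PEM certificate block in $f" >&2; return 1; }
    if grep -q 'PRIVATE KEY' "$f"; then
        echo "refusing $f: it contains a private key, export the public part only" >&2
        return 1
    fi
    return 0
}

# import_ca CA_FILE ALIAS TRUSTSTORE STOREPASS
# Same keytool invocation as in the article, with -noprompt so it can run unattended.
import_ca() {
    check_ca_pem "$1" || return 1
    keytool -importcert -noprompt -file "$1" -trustcacerts \
        -alias "$2" -keystore "$3" -storepass "$4"
}

# truststore_has_alias TRUSTSTORE STOREPASS ALIAS
# Verifies that the CA entry actually landed in the trust store.
truststore_has_alias() {
    keytool -list -keystore "$1" -storepass "$2" -alias "$3" >/dev/null 2>&1
}

# Usage (placeholder values; kept commented so sourcing this file has no side effects):
# import_ca ./exported_ca.pem my_root_ca ./tsim_client_truststore.jks 'trust_store_password' \
#   && truststore_has_alias ./tsim_client_truststore.jks 'trust_store_password' my_root_ca \
#   && echo "enter the trust store path and the encrypted password (from encryptclientpwd.sh)" \
#           "into <local_tsim_applications_installation_directory>/custom_truststore.properties"
```

After the import, run encryptclientpwd.sh on the TSIM server for the clear-text store password as described above; the clear-text password itself should not be distributed to client users, only the trust store path and the encrypted value.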
- Deployment:
- Backup the existing Certificate Manager repository
- Import the CA Certificate and the SSL Server Certificate into Certificate Manager
- Remove the old SSL Server Certificate
- Restart AJAS.