Hello

I have been trying to send an email from a CSHS using google smtp server in ICP4BA environment on IBM Tech Zone. In the logs, I can see the below errors :

{"type":"liberty_message","host":"icp4adeploy-bastudio-deployment-0.icp4adeploy-bastudio-service-headless.cp4ba-starter.svc.cluster.local","ibm_userDir":"\/opt\/ibm\/wlp\/usr\/","ibm_serverName":"defaultServer","message":"CWPKI0823E: SSL HANDSHAKE FAILURE: A signer with SubjectDN [CN=smtp.gmail.com] was sent from the host [smtp.gmail.com:587]. The signer might need to be added to local trust store [\/opt\/ibm\/wlp\/usr\/servers\/defaultServer\/resources\/security\/trusts.jks], located in SSL configuration alias [defaultSSLConfig]. The extended error message from the SSL handshake exception is: [unable to find valid certification path to requested target].","ibm_threadId":"00005c5d","ibm_datetime":"2023-05-05T05:21:15.165+0000","ibm_messageId":"CWPKI0823E","module":"com.ibm.ws.ssl.core.WSX509TrustManager","loglevel":"ERROR","ibm_sequence":"1683264075165_0000000005360","ext_appName":"IBM_BPM_Teamworks","ext_thread":"Default Executor-thread-447"}


I created a secret for gmail smtp server and added the secret name to the trusted_certificate_list in YAML of IBM Cloud Pak for Business Automation (CP4BA) multi-pattern Operator but still getting the same error

https://www.ibm.com/docs/en/cloud-paks/cp-biz-automation/22.0.2?topic=services-importing-certificate-external-service

Could someone suggest if something additional is needed to get this working ?

Thanks

Hello,

A possible explanation is an operator reconcialiation issue. So, certificate is not embedded in the deployment.
Check the ICP4ACluster instance status.
And check the certificate presence in the truststore.jks file with the command inside the container :
keystore -list -keystore /config/security/truststore.jks -storepass changeit -v

Hi,
 I am facing a similar issue but it is during discovery of new web service. I have the web server certificate added to the trust list in the custom resource of ICP4BA but I am getting the same error as yours. The web server certificate is in the trust.jks file (I checked using the keytool command). Did you manage to make any progress?

Thanks!

If I understand correctly, you are having issue adding a signer certificate for your target resource (in your scenario it is gmail smtp server). For this create the secret for your certificate in cp4ba namespace and specify the secret name under trusted_certificate_list: and restart the ibm operator pod. 

Hi,
 I did that from the very beginning. And using the command "keytool -list -rfc -keystore trust.jks", I can see that the web server certificate and the root certificate (we use internal CA) are both in the trust.jks file. Which means that the operator reconciles well.
 But still getting the "unable to find valid certification path to requested target" error in the log, when I try to add the WSDL from the web server. I am not sure how to increase the debugging for the SSL negotiation to find out exactly what is causing this problem.