Cloud Pak for Business Automation


 Outbound HTTPS Calls Failing in IBM BAW Trial Cloud – SSLHandshakeException / PKIX path building failed

Disha Shet posted Tue February 03, 2026 12:34 PM

Hi Team,

I am using the trial version of Cloud Pak for Business Automation.
I am trying to invoke REST endpoints from a Service Flow using a Server Script with tw.system.invokeREST(BPMRESTRequest).

And I have created an external service using a YAML file.

However, every HTTPS endpoint fails with the same SSL error:

An exception occurred in activity "Service" of "Service Flow" with name "TokenService". Task instance id "Task.5371". Details: "Runtime error in script ("Process: 'TokenService' ProcessItem: 'Service' Type: 'ITEM'" 49:0). Internal Script error: com.lombardisoftware.core.TeamWorksException: javax.net.ssl.SSLHandshakeException: SSLHandshakeException: PKIX path building failed sun.security.provider.certpath.SunCertPathBuilderException: unable to find valid certification path to requested target.

Could someone help me with how to make the REST API call?
Nitin Upasani  Best Answer

Have you imported the endpoint SSL certificate into the BAW key store? Do that and it will work.

nitin

Disha Shet

I am using the trial Cloud Pak for Business Automation. Is it possible to import any certificates? What are the other possibilities?
I am trying to fetch the OAuth access token from Microsoft and getting 301/302 status code.

I have imported a YAML file and created an external service. Then I am using the script within the service flow to retrieve the access code.


Olivier Baltus

Hi,

Yes, even with the CP4BA trial, you generally have options to import / trust certificates (either at the OpenShift/cluster level, or by providing a component-specific truststore).

Regarding the 301/302: for Microsoft OAuth, it’s usually a sign that the request is not hitting the token endpoint in the expected way (wrong URL such as /authorize instead of /token, wrong HTTP method, or missing Content-Type: application/x-www-form-urlencoded). In some environments, a proxy/gateway can also trigger redirects.

I would therefore encourage you to first check the Location response header to see where it redirects, and to confirm you are doing a POST to:
https://login.microsoftonline.com/<tenant>/oauth2/v2.0/token with a form-encoded body.
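
The checks suggested in the reply above, as an added example that is not part of the thread and is not IBM or Microsoft code: plain JavaScript that validates a planned token request against the listed redirect causes and resolves a redirect's Location header. The function names, tenant id, client id and the sample request and response objects are constructed assumptions; nothing here calls BAW or the network.

```javascript
// Added example (not from the thread). The tenant id, request objects and
// response below are constructed placeholders, not real values.
const TOKEN_PATH = "/oauth2/v2.0/token";

// Case-insensitive header lookup on a plain object.
function header(headers, name) {
  const key = Object.keys(headers || {}).find(k => k.toLowerCase() === name.toLowerCase());
  return key ? String(headers[key]) : "";
}

// Check a planned token request against the redirect causes named in the reply.
function checkTokenRequest(req) {
  const problems = [];
  const url = new URL(req.url);
  if (url.protocol !== "https:") problems.push("URL is not https");
  if (!url.pathname.endsWith(TOKEN_PATH)) problems.push(`path ${url.pathname} is not the token endpoint`);
  if (String(req.method).toUpperCase() !== "POST") problems.push(`method ${req.method} should be POST`);
  if (!header(req.headers, "content-type").toLowerCase().startsWith("application/x-www-form-urlencoded"))
    problems.push("Content-Type is not application/x-www-form-urlencoded");
  if (typeof req.body !== "string" || req.body.trim().startsWith("{"))
    problems.push("body is not a form-encoded string");
  return problems;
}

// For a 3xx response, resolve the Location header and say where it points.
function explainRedirect(res, requestUrl) {
  if (res.status < 300 || res.status > 399) return null;
  const raw = header(res.headers, "location");
  if (!raw) return { target: null, note: "redirect without a Location header" };
  const from = new URL(requestUrl);
  const target = new URL(raw, from); // Location may be relative
  const note = target.host !== from.host
    ? "redirect leaves the requested host: check for a proxy or gateway in the path"
    : "same host, different resource: re-check URL, method and Content-Type";
  return { target: target.href, note };
}

// Constructed samples: a GET to /authorize with a JSON body, and a corrected POST.
const BASE = "https://login.microsoftonline.com/00000000-0000-0000-0000-000000000000/oauth2/v2.0";
const bad = { method: "GET", url: BASE + "/authorize",
  headers: { "Content-Type": "application/json" }, body: '{"grant_type":"client_credentials"}' };
const good = { method: "POST", url: BASE + "/token",
  headers: { "content-type": "application/x-www-form-urlencoded" },
  body: new URLSearchParams({ grant_type: "client_credentials", client_id: "EXAMPLE_ID" }).toString() };
const sample302 = { status: 302, headers: { Location: "/common/reprocess?ctx=constructed" } };

console.log(checkTokenRequest(bad), checkTokenRequest(good), explainRedirect(sample302, bad.url));
```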