IBM webMethods Hybrid Integration


Outbound SSL from IntegrationServer to 3rd party proxy to customer

  • 1.  Outbound SSL from IntegrationServer to 3rd party proxy to customer

    Posted Wed May 16, 2012 03:53 PM

    I’m attempting to configure wM 7.1.2 to connect to customers outside our infrastructure, and they require us to present a certificate for authentication. Within the IS I’ve configured a proxy server that points to a 3rd party software. Also within IS I’ve configured security/certificates/outbound ssl certificates. When attempting a connection the customer partner is sending a “Peer sent alert: Alert Fatal: handshake failure” error back to us. Any thoughts as to why we are seeing this error?


    #webMethods
    #Integration-Server-and-ESB
    #webMethods-Archive


  • 2.  RE: Outbound SSL from IntegrationServer to 3rd party proxy to customer

    Posted Wed May 16, 2012 03:56 PM

    You need to configure the certs on the proxy (Reverse gateway server) in the HTTPS ports which talk to Internal IS ports and share the certs with your TP or let them download from the https URL you gave them… Is that what you did, or are you trying to test?

    HTH,
    RMG




  • 3.  RE: Outbound SSL from IntegrationServer to 3rd party proxy to customer

    Posted Wed May 16, 2012 04:00 PM

    RMG, thanks for the quick response. However, this is for outbound connectivity, not inbound, so the reverse gateway server isn’t in play. The IS instance connects to Apache, then out to the customer.




  • 4.  RE: Outbound SSL from IntegrationServer to 3rd party proxy to customer

    Posted Wed May 16, 2012 05:03 PM

    Please check this Empower KB article: KB #: 1614327009 and debug:

    Description:

    Original Article Number : 0 : Cx (SSL client) facing SSL handshake error in HTTPS call with partner (SSL server). IS threw exceptions:

    ERROR: com.wm.app.b2b.server.ServiceException: iaik.security.ssl.SSLException: Peer sent alert: Alert Fatal: handshake failure

    Resolution:

    Suggested Cx turn on the following IS server settings to debug the SSL handshake:

    watt.ssl.iaik.debug=true
    watt.net.ssl.debug=true

    The nohup file printed out:

    ssl_debug(31): Accepted certificate authorities:

    From the list, it showed no CA certificates which belong to Cx. Hence Cx IS (acting as a client) failed to locate a corresponding client certificate signed by these CAs and presented an empty client certificate to the partner:

    ssl_debug(1): No client certificate available, sending empty certificate message…

    Told Cx that their partner must include Cx CA certificates (Root and Intermediate) in their CA list. After that, the Accepted certificate authorities list showed Cx’s CA certificates, but still with the same handshake failure. Investigating further found:

    ssl_debug(1): Server sent a 1024 bit RSA certificate, chain has 4 elements.

    The chain should contain only 2 elements. Suggested Cx check with their partner whether they have installed the CA certificates correctly. After the correction was made, the SSL handshake now completes successfully.

    HTH,
    RMG




  • 5.  RE: Outbound SSL from IntegrationServer to 3rd party proxy to customer

    Posted Wed May 16, 2012 05:04 PM

    KB #: 1614322026

    Description:

    Original Article Number : 0 : We have configured IS 7.1.1 (running on Solaris) with outbound proxies (Settings > Proxy Servers) for both HTTP and HTTPS. The HTTP proxy works fine, but HTTPS fails during handshake. The test we did was using pub.client:http to a known valid https:// address. We know that the proxy itself and target website are working OK, because we have done exactly the same test from a similarly configured 6.0.1 IS and it is successful. The target website does not require client certificate authentication. We configured outbound SSL debug logging and see the following:

    ssl_debug(12): Starting handshake (iSaSiLk 3.03)…
    ssl_debug(12): Sending v2 client_hello message, requesting version 3.1…
    ssl_debug(12): Received alert message: Alert Fatal: handshake failure
    ssl_debug(12): SSLException while handshaking: Peer sent alert: Alert Fatal: handshake failure
    ssl_debug(12): Shutting down SSL layer…

    Resolution:

    This problem will be solved in the new version 8, and it can be fixed by installing fix IS_7-1-1_SrvPrtcl_Fix3.




  • 6.  RE: Outbound SSL from IntegrationServer to 3rd party proxy to customer

    Posted Wed May 16, 2012 05:48 PM

    Set up the logging and get the following when trying to post to the customer…
    ssl_debug(1): Starting handshake (iSaSiLk 3.03)…
    ssl_debug(1): Sending v2 client_hello message, requesting version 3.1…
    ssl_debug(1): Received v3 server_hello handshake message.
    ssl_debug(1): Server selected SSL version 3.1.
    ssl_debug(1): Server created new session C0:77:3C:46:87:B2:54:1A…
    ssl_debug(1): CipherSuite selected by server: SSL_RSA_WITH_RC4_128_MD5
    ssl_debug(1): CompressionMethod selected by server: NULL
    ssl_debug(1): Received certificate handshake message with server certificate.
    ssl_debug(1): Server sent a 1024 bit RSA certificate, chain has 1 elements.
    ssl_debug(1): Received certificate_request handshake message.
    ssl_debug(1): Accepted certificate types: RSA, DSS, Unknown (64)
    ssl_debug(1): Accepted certificate authorities:
    ssl_debug(1): (empty list)
    ssl_debug(1): Received server_hello_done handshake message.
    ssl_debug(1): No client certificate available, sending empty certificate message…
    ssl_debug(1): Sending client_key_exchange handshake message (1024 bit)…
    ssl_debug(1): Sending change_cipher_spec message…
    ssl_debug(1): Sending finished message…
    ssl_debug(1): Received alert message: Alert Fatal: handshake failure
    ssl_debug(1): SSLException while handshaking: Peer sent alert: Alert Fatal: handshake failure
    ssl_debug(1): Shutting down SSL layer…




  • 7.  RE: Outbound SSL from IntegrationServer to 3rd party proxy to customer

    Posted Wed May 16, 2012 10:14 PM

    Notice this line:
    ssl_debug(1): No client certificate available, sending empty certificate message…

    Seems your IS is not sending a cert for SSL.
    Check on the internal server that
    Security > Certificates > SSL Key has a value configured.




  • 8.  RE: Outbound SSL from IntegrationServer to 3rd party proxy to customer

    Posted Wed May 16, 2012 10:36 PM

    Yes, this part shows the error pointer; please check your IS SSL certs setup:

    ssl_debug(1): No client certificate available, sending empty certificate message…




  • 9.  RE: Outbound SSL from IntegrationServer to 3rd party proxy to customer

    Posted Thu May 17, 2012 06:15 PM

    Customer is actually not broadcasting their CA authorities. IS then doesn’t send a cert and we then see the handshake error. Resolution was to set watt.security.ssl.client.ignoreEmptyAuthoritiesList to true. Thanks RMG for all your help.


    #webMethods-Archive
    #Integration-Server-and-ESB
    #webMethods
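
Added example (not part of the thread and not vendor code): a small Python triage of iSaSiLk ssl_debug output that separates the two client-certificate failure modes discussed above, an empty accepted-CA list (post 9) and a non-empty list with no matching client certificate (the KB article in post 4). The sample log is constructed; the one-CA-name-per-line layout of a non-empty list and reading the number in ssl_debug(N) as a connection id are assumptions.

```python
import re

# Constructed sample modelled on the thread's log; connection 2 and its CA are invented.
SAMPLE_LOG = """\
ssl_debug(1): Received certificate_request handshake message.
ssl_debug(1): Accepted certificate authorities:
ssl_debug(1): (empty list)
ssl_debug(1): No client certificate available, sending empty certificate message...
ssl_debug(1): Received alert message: Alert Fatal: handshake failure
ssl_debug(2): Received certificate_request handshake message.
ssl_debug(2): Accepted certificate authorities:
ssl_debug(2): CN=Example Partner Root CA,O=Example
ssl_debug(2): No client certificate available, sending empty certificate message...
ssl_debug(2): Received alert message: Alert Fatal: handshake failure
"""

LINE = re.compile(r"^\s*ssl_debug\((\d+)\):\s*(.*\S)\s*$")
CA_HEADER = "Accepted certificate authorities:"

def parse(log_text):
    """Return {connection id: facts about the client-authentication exchange}."""
    conns = {}
    for raw in log_text.splitlines():
        m = LINE.match(raw)
        if not m:
            continue
        cid, msg = int(m.group(1)), m.group(2)
        c = conns.setdefault(cid, {"requested": False, "cas": [], "in_cas": False,
                                   "no_cert": False, "alert": None})
        # Inside the CA list until the next handshake message (assumed layout).
        if c["in_cas"] and not msg.startswith(("Received ", "Sending ", "No client")):
            if msg != "(empty list)":
                c["cas"].append(msg)  # assumption: one CA name per line
            continue
        c["in_cas"] = msg == CA_HEADER
        if msg.startswith("Received certificate_request"):
            c["requested"] = True
        elif msg.startswith("No client certificate available"):
            c["no_cert"] = True
        elif msg.startswith("Received alert message:"):
            c["alert"] = msg.split(":", 1)[1].strip()
    return conns

def diagnose(c):
    """Classify one connection: which client-certificate failure mode, if any."""
    if not (c["alert"] and c["requested"] and c["no_cert"]):
        return "not-a-client-cert-failure"
    if not c["cas"]:
        return "server-sent-empty-ca-list"
    return "no-local-cert-issued-by-advertised-cas"
```

For the first result, the fix reported in the thread was setting watt.security.ssl.client.ignoreEmptyAuthoritiesList to true; for the second, the KB article's fix was having the partner add the client's root and intermediate CA certificates to its CA list.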


  • 10.  RE: Outbound SSL from IntegrationServer to 3rd party proxy to customer

    Posted Thu May 17, 2012 10:01 PM