If you’re using FusionReactor with a Cloud license, the client connects to our services via encrypted SSL connections.
The certificate used to secure these connections is issued by DigiCert. Some older operating systems and some Java EE servers which supply their own keystores don’t have DigiCert’s current certificate in.
In these cases, you’ll see an SSL error in the console, when FusionReactor tries to connect to the Cloud. Java may also complain about being “unable to build a certificate chain“.
Previously we included our own keystore, but this was problematic as in some cases, it supplanted the JEE container’s own store. The certificates we supplied would also expire eventually, necessitating a forced-update of FusionReactor.
In order to fix this, simply import DigiCert’s certificate into your own keystore. As an example, here’s how to do it for IBM WebSphere, which supplies its own keystore. Adapt the path to your own keystore.
IBM WebSphere Liberty Profile 9.
Download the certificate:
wget https://www.digicert.com/CACerts/DigiCertGlobalRootCA.crt -o /tmp/digicert.crt
Import the certificate into the JKS keystore for your server. On our system, for the default WebSphere server, this is done as follows:
keytool -import -alias digicert-global-root-ca -file /tmp/digicert.crt -keystore /opt/IBM/WebSphere/Liberty/usr/servers/defaultServer/resources/security/key.jks
Issue Details
| Type | Technote |
|---|---|
| Issue Number | FRS-422 |
| Components | Cloud |
| Resolution | Fixed |
| Last Updated | 2019-11-25T11:08:31.293+0000 |
| Fix Version(s) | 7.0.0 |
