TIBCO - Why do I get a CertChainVerifier exception when performing a login call?
Knowledge Article Number: 000175169
Description: When performing a login API call, we are hitting the exception below:
"validating certificate chain looking in datastore for certificate with
For authorized use only,
ou=VeriSign Trust Network,o=VeriSign, Inc.,c=US CA certificate with correct DN, but fingerprint 'CB17 E431 673E E209 FE45 5793 F30A FA1C' found.
No match found CA certificate with issuer ou=Class 3 Public Primary Certification Authority,o=VeriSign, Inc.,c=US and serial number 1B09 3B78 6096 DA37 BBA4 5194 46C8 9678 is not a trusted certificate server verification failed:
com.xyz.security.AXSecurityException: CA certificate with issuer ou=Class 3 Public Primary Certification Authority,o=VeriSign, Inc.,c=US and serial number 1B09 3B78 6096 DA37 BBA4 5194 46C8 9678 is not a trusted certificate
Resolution: In this case one-way SSL is used, which means that Salesforce presents its server certificate to TIBCO, and TIBCO verifies whether the chain of certificates presented is trusted (that is, included in its keystore). If the exact chain of trust is not included in the keystore, a CertChainVerifier exception is thrown.
Notice that in this particular scenario there is already a certificate for VeriSign, Inc. in TIBCO's keystore, but the one stored locally has a different fingerprint than the one presented by Salesforce: the keystore holds a CA certificate with the correct DN, but it is not the same certificate. TIBCO's local keystore must therefore be updated to trust Salesforce's chain of trust (root + intermediate certificates). In other words, for the SSL handshake to succeed you will probably need to install the complete chain of certificates (root + intermediate certificates).
To download Salesforce's chain of trust you can use your browser as follows:
1. Go to the domain TIBCO is trying to connect to (e.g. https://na1.salesforce.com or https://login.salesforce.com).
2. Click the small lock symbol on the right side of the address bar.
3. Click "View Certificates"; this opens the certificate viewer.
4. Go to the Certification Path tab.
5. For each of the root and intermediate certificates, click View Certificate, then on the Details tab click Copy To File.
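The same check can be scripted instead of done by eye in the browser. The script below is an added example, not part of this article or of TIBCO: it dumps the chain a server presents with openssl and classifies each certificate against the CAs exported from TIBCO's keystore, reporting the "correct DN, different fingerprint" case the exception describes. It assumes openssl is on the PATH and that the keystore's trusted CAs have been concatenated into one PEM file (for example exported per alias with keytool -exportcert -rfc); host and file names are placeholders.

```shell
#!/bin/sh
# Added example (not the article's or TIBCO's code). Assumes openssl on PATH and the
# keystore's trusted CAs concatenated into one PEM file (e.g. via keytool -exportcert -rfc).

# Save the certificates a server sends during the TLS handshake as a PEM bundle.
fetch_chain() {  # $1 = host name, $2 = output file
  openssl s_client -showcerts -servername "$1" -connect "$1:443" </dev/null 2>/dev/null |
    awk '/-----BEGIN CERTIFICATE-----/,/-----END CERTIFICATE-----/' > "$2"
}

# Split a PEM bundle into $2/cert-NN.pem, one certificate per file.
split_chain() {
  mkdir -p "$2"
  awk -v dir="$2" '/-----BEGIN CERTIFICATE-----/ { n++; f = sprintf("%s/cert-%02d.pem", dir, n) }
                   f { print > f }
                   /-----END CERTIFICATE-----/ { close(f); f = "" }' "$1"
}

# The exception quotes fingerprints as eight groups of four hex digits (32 digits = MD5
# length); print the same shape so values can be compared with the log by eye.
tibco_fingerprint() {
  openssl x509 -noout -fingerprint -md5 -in "$1" | sed 's/^[^=]*=//; s/://g; s/\(....\)/\1 /g; s/ $//'
}
cert_subject() {
  openssl x509 -noout -subject -nameopt RFC2253 -in "$1" | sed 's/^subject= *//'
}

# Classify each chain certificate: trusted, same DN but different fingerprint (this
# article's case), or absent. Returns non-zero if CertChainVerifier would reject the chain.
check_chain() {  # $1 = chain PEM from the server, $2 = trusted CA PEM from the keystore
  tmp=$(mktemp -d); status=0
  split_chain "$1" "$tmp/chain"; split_chain "$2" "$tmp/trust"
  for c in "$tmp"/chain/cert-*.pem; do
    fp=$(tibco_fingerprint "$c"); dn=$(cert_subject "$c")
    verdict="NOT TRUSTED: no certificate with this DN in the keystore"
    for t in "$tmp"/trust/cert-*.pem; do
      if [ "$(tibco_fingerprint "$t")" = "$fp" ]; then
        verdict="trusted: fingerprint present in the keystore"; break
      elif [ "$(cert_subject "$t")" = "$dn" ]; then
        verdict="NOT TRUSTED: DN matches a keystore entry but the fingerprint differs; import the new certificate"
      fi
    done
    printf '%s\n  fingerprint %s\n  -> %s\n' "$dn" "$fp" "$verdict"
    case $verdict in NOT*) status=1 ;; esac
  done
  rm -rf "$tmp"; return $status
}
# Usage: sh check_chain.sh login.salesforce.com keystore-cas.pem
if [ "$#" -eq 2 ]; then fetch_chain "$1" chain.pem && check_chain chain.pem "$2"; fi
```

A chain reported as "DN matches a keystore entry but the fingerprint differs" is exactly the situation in the exception above: the fix is to import the new root and intermediate certificates, not to replace the DN.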
The following article walks through the steps to merge a certificate chain: https://help.salesforce.com/apex/HTViewSolution?id=000204513&language=en_US
For more information on how to prepare for certificate changes, check https://resources.docs.salesforce.com/sfdc/pdf/security_certificate_changes.pdf