TIBCO - Why do I get a CertChainVerifier exception when performing a login call?

Knowledge Article Number: 000175169

Description

When performing a login API call, we hit the exception below:

validating certificate chain
looking in datastore for certificate with DN cn=VeriSign Class 3 International Server CA - G3,ou=Terms of use at https://www.verisign.com/rpa (c)10,ou=VeriSign Trust Network,o=VeriSign, Inc.,c=US
match found
looking in datastore for certificate with DN cn=VeriSign Class 3 Public Primary Certification Authority - G5,ou=(c) 2006 VeriSign, Inc. - For authorized use only,ou=VeriSign Trust Network,o=VeriSign, Inc.,c=US
CA certificate with correct DN, but fingerprint 'CB17 E431 673E E209 FE45 5793 F30A FA1C' found. Continuing search
No match found
CA certificate with issuer ou=Class 3 Public Primary Certification Authority,o=VeriSign, Inc.,c=US and serial number 1B09 3B78 6096 DA37 BBA4 5194 46C8 9678 is not a trusted certificate
server verification failed:
com.xyz.security.AXSecurityException: CA certificate with issuer ou=Class 3 Public Primary Certification Authority,o=VeriSign, Inc.,c=US and serial number 1B09 3B78 6096 DA37 BBA4 5194 46C8 9678 is not a trusted certificate
    at com.tibco.security.CertChainVerifier.validateAndCompleteChain(CertChainVerifier.java:215)
Resolution

In this case one-way SSL is performed: Salesforce presents its server certificate to TIBCO, and TIBCO verifies that the chain of certificates presented is trusted (that is, included in its keystore). If the exact chain of trust is not included in its keystore, a CertChainVerifier exception is thrown.

Notice that in this particular scenario there is already a certificate for VeriSign, Inc. in TIBCO's keystore, but the one stored locally has a different fingerprint than the one presented by Salesforce (same DN, different certificate). This means the local TIBCO keystore must be updated to trust Salesforce's chain of trust (root + intermediate certificates). In other words, for the SSL handshake to succeed you will most likely need to install the complete chain of certificates (root + intermediate certificates) exactly as Salesforce presents them.
 
In addition, note that you do not need to purchase a CA-signed certificate or generate a self-signed certificate. You only need to download the chain of trust used by Salesforce and install it in TIBCO's keystore.

To download Salesforce's chain of trust you may use your browser as follows:

1. Go to the domain TIBCO is trying to connect to (e.g. https://na1.salesforce.com or https://login.salesforce.com).
2. Click the small lock symbol on the right side of the address bar.
3. Click "View Certificates"; this opens the certificate viewer.
4. Go to the Certification Path tab.
5. For the root and intermediate certificates, click View Certificate, then on the Details tab click Copy To File.

This related article goes through the steps to merge a certificate chain: https://help.salesforce.com/apex/HTViewSolution?id=000204513&language=en_US

For more information on how to prepare for certificate changes, see https://resources.docs.salesforce.com/sfdc/pdf/security_certificate_changes.pdf
