
This content has been archived and is no longer being updated. Links may not function; however, this content may be relevant to outdated versions of the product.

Support Article

SSLPeerUnverifiedException when invoking REST service from Pega

SA-15471

Summary



Invoking a Connect-Rest rule for an SSL-enabled REST service fails.


Error Messages



Caused by: javax.net.ssl.SSLPeerUnverifiedException: peer not authenticated
at sun.security.ssl.SSLSessionImpl.getPeerCertificates(SSLSessionImpl.java:421)
at com.pega.apache.http.conn.ssl.AbstractVerifier.verify(AbstractVerifier.java:128)
at com.pega.apache.http.conn.ssl.SSLSocketFactory.connectSocket(SSLSocketFactory.java:398)
at com.pega.apache.http.conn.ssl.SSLSocketFactory.connectSocket(SSLSocketFactory.java:496)
at com.pega.apache.http.conn.scheme.SchemeSocketFactoryAdaptor.connectSocket(SchemeSocketFactoryAdaptor.java:62)
at com.pega.apache.http.impl.conn.DefaultClientConnectionOperator.openConnection(DefaultClientConnectionOperator.java:148)
at com.pega.apache.http.impl.conn.AbstractPoolEntry.open(AbstractPoolEntry.java:149)
at com.pega.apache.http.impl.conn.AbstractPooledConnAdapter.open(AbstractPooledConnAdapter.java:121)
at com.pega.apache.http.impl.client.DefaultRequestDirector.tryConnect(DefaultRequestDirector.java:573)
at com.pega.apache.http.impl.client.DefaultRequestDirector.execute(DefaultRequestDirector.java:425)
at com.pega.apache.http.impl.client.AbstractHttpClient.execute(AbstractHttpClient.java:825)
at com.pega.apache.http.impl.client.AbstractHttpClient.execute(AbstractHttpClient.java:759)
at com.pegarules.generated.activity.ra_action_pyinvokerestconnector_ea5a601f5c30c4d8bb2e5da269e20397.step5_circum0(ra_action_pyinvokerestconnector_ea5a601f5c30c4d8bb2e5da269e20397.java:1274)
... 64 more


Steps to Reproduce



Invoke Connect-Rest service from Pega application.
 


Root Cause



A defect or configuration issue in the operating environment. The certificates needed to access the REST service were not installed in the application server truststore.

When a user has a Connector rule for an HTTP-based protocol such as HTTP, SOAP, REST, and sometimes Email, the user may point it to an SSL-enabled ("HTTPS") endpoint. The service being connected to provides an SSL certificate to identify itself and secure the connection.

PRPC relies on the application server to "trust" the certificate that the other service provides. When PRPC is deployed in Tomcat, this usually means that the default Java trust store is in use. IBM WebSphere has its own trust store, controlled in the Admin Console.

When the certificate provided by a service is not in the trust store, or otherwise not trusted (for instance, it is out-of-date or issued to a different organization), PRPC cannot complete the connection and an exception such as "Peer not authenticated" results.

It is the responsibility of the user to ensure that the application server's trust store is set up correctly.



Resolution



Make the following change to the operating environment:

Add the required certificates to the application server truststore. 

http://pdn.pega.com/node/113491
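The helper functions below are an added example, not Pega's own procedure, showing one way to carry out this resolution with the JDK's keytool. They assume a Tomcat deployment that uses the default Java trust store (cacerts); the function names and the STOREPASS environment variable are hypothetical. WebSphere's trust store is managed in its Admin Console instead.

```shell
#!/bin/sh
# Added example, not from the article. Reads the store password from the
# STOREPASS environment variable (assumed name) so it stays off the command line.

# Print the default truststore path for a JAVA_HOME ($1).
# A JRE and JDK 9+ use lib/security; a JDK 8 install uses jre/lib/security.
find_truststore() {
    for rel in lib/security/cacerts jre/lib/security/cacerts; do
        if [ -f "$1/$rel" ]; then
            printf '%s\n' "$1/$rel"
            return 0
        fi
    done
    echo "no cacerts found under $1" >&2
    return 1
}

# Show the chain the endpoint ($1 = host:port) presents: subject, issuer,
# validity dates. An expired or wrong-name certificate has to be fixed on the
# service side; importing it does not make it valid.
show_presented_chain() {
    keytool -printcert -sslserver "$1"
}

# SHA-256 fingerprint of a certificate file ($1), for comparison with the
# value the service owner supplies over a separate channel.
cert_fingerprint() {
    keytool -printcert -file "$1" | sed -n 's/^[[:space:]]*SHA256: *//p'
}

# Succeeds if the truststore ($1) already contains the certificate ($2).
is_trusted() {
    fp=$(cert_fingerprint "$2")
    [ -n "$fp" ] && keytool -list -v -keystore "$1" -storepass:env STOREPASS |
        grep -qF "$fp"
}

# Import CA certificate $3 into truststore $1 under alias $2, keeping a backup.
import_ca() {
    if is_trusted "$1" "$3"; then
        echo "already trusted: $3"
        return 0
    fi
    cp -p "$1" "$1.bak.$(date +%Y%m%d%H%M%S)" || return 1
    keytool -importcert -trustcacerts -noprompt -alias "$2" -file "$3" \
        -keystore "$1" -storepass:env STOREPASS
}
```

After sourcing the file, a typical sequence is `find_truststore "$JAVA_HOME"`, then `show_presented_chain` against the endpoint, then `import_ca` with the issuing CA certificate. Restart the application server afterwards so the JVM reloads the trust store.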

Published January 31, 2016 - Updated October 8, 2020
