websphereibm-mobilefirstmobilefirst-adapterssslhandshakeexceptionmfp

IBM MFP Calling a JS adapter procedure from a JS adapter cause SSLHandshakeException by IHS


I have two javascript adapter:adapterA、adapterB

And I need call adapterA after that the adapterA will call adapterB(use MFP.Server.invokeProcedure, in the same mfp server) using this API

when I call in mfp localhost, it works

http://localhost:9080/mfp/api/adapters/AdapterA/test

then I call https after I import mfp cer to jre cacerts

It works fine too

https://localhost:443/mfp/api/adapters/AdapterA/test

My question is I have IHS Server to redirect mfp services

when I call api by IHS http url

http://{domain}/mfp/api/adapters/AdapterA/test

It works

when I call api by IHS https url

https://{domain}/mfp/api/adapters/AdapterA/test

mfp server will get error like this:

enter image description here

com.ibm.mfp.server.js.adapter.internal.JavascriptManagerImpl E FWLST0904E: Exception was thrown while invoking procedure: test in adapter: adapterB java.lang.RuntimeException: javax.net.ssl.SSLHandshakeException: com.ibm.jsse2.util.j: PKIX path building failed: com.ibm.security.cert.IBMCertPathBuilderException: unable to find valid certification path to requested target at com.ibm.mfp.server.js.adapter.internal.invocation.JavaScriptIntegrationLibraryImplementation.invokeProcedure(JavaScriptIntegrationLibraryImplementation.java:255)


but my IHS plugin only set http

enter image description here

how can I resolve this issue and avoid this issue

enter image description here

thanks


Solution

  • When the MobileFirst server creates the request to reach adapter B, the default behaviour is to frame the request, based on the URL of the currently executing request. That is, it uses the request originally used to reach adapter A, to frame the request to reach the target adapter B.

    It works well in case 1, where the webserver is accessed using a "http://.." URL. In case 2, where MFP1 has to make an outbound call to the webserver using the "https://.." URL, it needs to first complete a SSL Handshake with the webserver. In case the MFP1 JVM lacks the certificates of the webserver, it fails to establish SSL Handshake and can lead to the error you saw.

    In your case, there are two approaches you can take:

    1. Choose to keep the adapter A to adapter B call internal to MFP1. This prevents the outbound "https://" call and you will not see the problem. Additionally, this helps in keeping the travel time shorter and also prevent a new connection on the webserver. To enable this setting, use the JNDI property mfp.adapter.invocation.url. For instance, if you set the value of this property to "http://localhost:9080/mfp", adapter B will be invoked as "http://localhost:9080/mfp/api/adapters/adapterB". The call stays local. More details on this property here.
    2. If you wish to retain the request to adapter B go through the webserver using the secure endpoint, then you should ensure the webserver's root certificates are made available to the MFP1 JVM's trust store so that SSL handshake can be established successfully.