I have created a Docker image using Open Liberty with my custom application, to be hosted in Azure as a Web App Service. Everything is working fine, except that when I try to access another controller hosted on Azure (https://mycontrollerurl.azurewebsites.net/....) I see an error in the logs:

[ERROR ] CWPKI0022E: SSL HANDSHAKE FAILURE: A signer with SubjectDN CN=*.azurewebsites.net was sent from the target host. The signer might need to be added to local trust store /opt/ol/wlp/output/defaultServer/resources/security/key.p12, located in SSL configuration alias defaultSSLConfig. The extended error message from the SSL handshake exception is: PKIX path building failed: java.security.cert.CertPathBuilderException: PKIXCertPathBuilderImpl could not build a valid CertPath.; internal cause is: 2019-04-27T15:44:49.047295297Z java.security.cert.CertPathValidatorException: The certificate issued by CN=Baltimore CyberTrust Root, OU=CyberTrust, O=Baltimore, C=IE is not trusted; internal cause is:

Can someone help me with how to create my SERVER.xml file to include the cert, and with any other steps I need to perform? I am just a 2-day-old novice on Liberty and trying to fix the issue for my dev team. Can you please let me know how I can get this cert issue fixed?

UPDATE: ISSUE RESOLVED (Thanks to Bruce for pointing me out):

1. I had to download the azurewebsites certificate (very easy, just do it from the browser); you can get all the steps from the article here.
2. Save that azurewebsites certificate file to the same directory as my DOCKERFILE.
3. Modify my DOCKERFILE to look like:

```dockerfile
FROM open-liberty:webProfile8
COPY --chown=1001:0 server.xml /config/
COPY --chown=1001:0 ancConnector-Liberty.war /config/dropins/
# Add the Azure Certificate to enable HTTPS connection.
COPY --chown=1001:0 azurewebsites.cer /opt/ol/wlp/output/defaultServer/resources/security/
WORKDIR /opt/ol/wlp/output/defaultServer/resources/security/
# Import the certificate into the keystore as a trusted entry.
RUN keytool -noprompt -importcert -file azurewebsites.cer -alias azurewebsites -keystore key.jks -storepass Liberty -storetype jks
```

That's all, BUILD the image and we are good to go! Everything is working now! Hope it helps someone in the future.

1 Answer

1
Bruce T. On Best Solutions

You need to add the signer cert from Azure to the truststore file of Liberty so it will "trust" that site. The process is here:

https://www.ibm.com/support/knowledgecenter/SS7K4U_liberty/com.ibm.websphere.wlp.zseries.doc/ae/twlp_add_trust_cert.html
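
One way to express the trust store in server.xml, which the question asks about, as an added example (not from the original post or from IBM's documentation). The file name `trust.p12`, the id `outboundTrustStore`, the alias `azure-signer` and the two environment variables are assumptions; it also assumes the server already has its SSL feature enabled, as the `defaultSSLConfig` error implies.

```xml
<server description="Open Liberty with a dedicated trust store for outbound HTTPS">

    <!-- Server identity. With no location set, Liberty uses
         ${server.output.dir}/resources/security/key.p12, the file named in CWPKI0022E. -->
    <keyStore id="defaultKeyStore" password="${env.KEYSTORE_PASSWORD}" />

    <!-- Signers trusted for outbound calls. Assumed to be built during the image build with:
           keytool -importcert -noprompt -alias azure-signer -file azure-signer.cer
                   -keystore trust.p12 -storetype PKCS12 -storepass "$TRUSTSTORE_PASSWORD"
         Importing the issuing CA named in the error, rather than the
         *.azurewebsites.net leaf, keeps working when the leaf is renewed. -->
    <keyStore id="outboundTrustStore"
              location="${server.output.dir}/resources/security/trust.p12"
              type="PKCS12"
              password="${env.TRUSTSTORE_PASSWORD}" />

    <!-- defaultSSLConfig is the alias the error message refers to. Pointing its
         trustStoreRef at the store above keeps trusted signers separate from the
         server's own private key. -->
    <ssl id="defaultSSLConfig"
         keyStoreRef="defaultKeyStore"
         trustStoreRef="outboundTrustStore" />

</server>
```

Before the certificate file goes into the image, compare the SHA-256 fingerprint shown by `keytool -printcert -file azure-signer.cer` with the value the CA publishes.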