Discussion:
Cannot get cert HTTPClient "Get Certificate"
n***@gmail.com
2018-11-07 21:11:33 UTC
Cannot get the "Get Certificate" button to get certain certs.

Using a script, I get this:

msg = com.ibm.di.security.GetSSLCertificate.installCertificateFrom("https://login.salesforce.com/", 443)

returns
CTGDIS1955W Did not receive any certificate


The microsoft.com site will get a cert, and so does oracle.com.

curl works

Any ideas?
j***@gmail.com
2018-11-08 05:16:34 UTC
Could be an issue with the SSL/TLS version.
This depends on the JVM version in your TDI/SDI installation.

Try to add
com.ibm.di.SSLProtocols=TLSv1.2
to solution.properties.


Here is a link with more information
https://developer.ibm.com/answers/questions/285548/how-do-i-enable-tlsv12-support-in-security-directo/
n***@gmail.com
2018-11-08 17:57:07 UTC
Post by j***@gmail.com
Could be an issue with the SSL/TLS version.
This depends on the JVM version in your TDI/SDI installation.
Try to add
com.ibm.di.SSLProtocols=TLSv1.2
to solution.properties.
Here is a link with more information
https://developer.ibm.com/answers/questions/285548/how-do-i-enable-tlsv12-support-in-security-directo/
Hi

I've got these protocols in the local solution.properties file:
## ----------------------------------
## Protocols to use for SSL/TLS
## ----------------------------------
#com.ibm.di.SSLProtocols=TLSv1,TLSv1.1,TLSv1.2
com.ibm.di.SSLProtocols=TLSv1.2
com.ibm.di.SSLServerProtocols=TLSv1,TLSv1.1,TLSv1.2
com.ibm.jsse2.overrideDefaultProtocol=TLSv1.2

org.eclipse.equinox.http.jetty.ssl.protocol=TLSv1.2
##

But it still gives me the "CTGDIS1955W Did not receive any certificate" message.
I updated the IBM JRE to 8 (7.2.0-ISS-SDI-LA0018) and the latest SDI fixpack:
release=ibmdi_72
version=7.2.0.5
family=integrat
product=Security Directory Integrator
level=201805310042
j***@gmail.com
2018-11-09 07:05:58 UTC
Mysterious. It worked for me when I added
com.ibm.di.SSLProtocols=TLSv1.2
to solution.properties.

You could verify that you are looking at the correct solution.properties file: it must be in the solution directory, and the property should not be redefined with another value later in the file.

Your SDI version has the required fixpack level.

If everything else fails, create a small AssemblyLine (cert) with just the script to import the certificate, export this to p.xml, and add this property to solution.properties:
javax.net.debug=ssl

Then run the AssemblyLine from the command line:
./ibmdisrv -c p.xml -r cert -R
and look at the debug output. It might give you a clue as to why the SSL handshake does not transfer any certificate.
Remove the javax.net.debug property from solution.properties afterwards, it produces too much for normal use.
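Both diagnoses offered in this thread, a TLS version the server no longer accepts and (the other usual cause of this symptom) a front end that needs SNI before it will pick a certificate, look identical from the client side: the handshake is aborted before a Certificate message arrives, which is all CTGDIS1955W can report. The program below is an added example, not code from the thread or from SDI, and it is in Go rather than SDI's Java only because Go's standard library can mint a certificate and run a TLS server offline. The host name example.test, the self-signed certificate and the two server behaviours are constructed for the demo. It performs the "Get Certificate" step (fetch the leaf without verifying it, which is deliberately a trust-on-first-use bootstrap) three times: once without SNI against a server that requires it, once with SNI, and once with a client capped at TLS 1.2 against a TLS 1.3-only server. Which of the two conditions applied to login.salesforce.com in 2018 is not something the thread establishes; the example shows how each one produces the empty-certificate outcome, not which one the poster hit.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/tls"
	"crypto/x509"
	"encoding/pem"
	"errors"
	"fmt"
	"math/big"
	"net"
	"time"
)

// selfSigned builds a throwaway certificate for host, constructed so the demo runs offline.
func selfSigned(host string) (tls.Certificate, error) {
	key, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil {
		return tls.Certificate{}, err
	}
	tmpl := &x509.Certificate{
		SerialNumber: big.NewInt(1),
		DNSNames:     []string{host},
		NotBefore:    time.Now().Add(-time.Hour),
		NotAfter:     time.Now().Add(24 * time.Hour),
	}
	der, err := x509.CreateCertificate(rand.Reader, tmpl, tmpl, &key.PublicKey, key)
	if err != nil {
		return tls.Certificate{}, err
	}
	return tls.Certificate{Certificate: [][]byte{der}, PrivateKey: key}, nil
}

// startServer listens on loopback. With requireSNI it will not pick a certificate unless the
// ClientHello names the host (as multi-tenant front ends do); minVersion models a host that
// has retired older protocol versions.
func startServer(cert tls.Certificate, requireSNI bool, minVersion uint16) (net.Listener, error) {
	ln, err := tls.Listen("tcp", "127.0.0.1:0", &tls.Config{
		MinVersion: minVersion,
		GetCertificate: func(hi *tls.ClientHelloInfo) (*tls.Certificate, error) {
			if requireSNI && hi.ServerName == "" {
				return nil, errors.New("no SNI in ClientHello")
			}
			return &cert, nil
		},
	})
	if err != nil {
		return nil, err
	}
	go func() {
		for {
			c, err := ln.Accept()
			if err != nil {
				return // listener closed
			}
			_ = c.(*tls.Conn).Handshake() // completes, or aborts with an alert to the client
			c.Close()
		}
	}()
	return ln, nil
}

// fetchCert is the "Get Certificate" step: connect without verifying the peer (nothing is
// trusted yet) and return the leaf it sent. An empty serverName means no SNI, as addr is an IP.
func fetchCert(addr, serverName string, maxVersion uint16) (*x509.Certificate, error) {
	conn, err := tls.Dial("tcp", addr, &tls.Config{
		InsecureSkipVerify: true, // deliberate: trust-on-first-use bootstrap only
		ServerName:         serverName,
		MinVersion:         tls.VersionTLS12,
		MaxVersion:         maxVersion,
	})
	if err != nil {
		return nil, fmt.Errorf("did not receive any certificate: %w", err)
	}
	defer conn.Close()
	// A successful client handshake always carries at least one peer certificate.
	return conn.ConnectionState().PeerCertificates[0], nil
}

func must[T any](v T, err error) T {
	if err != nil {
		panic(err)
	}
	return v
}

func main() {
	cert := must(selfSigned("example.test"))
	sni := must(startServer(cert, true, tls.VersionTLS12)) // needs SNI to pick a cert
	defer sni.Close()
	_, err := fetchCert(sni.Addr().String(), "", tls.VersionTLS13) // IP literal: no SNI sent
	fmt.Println("without SNI:", err)
	leaf := must(fetchCert(sni.Addr().String(), "example.test", tls.VersionTLS13))
	fmt.Print(string(pem.EncodeToMemory(&pem.Block{Type: "CERTIFICATE", Bytes: leaf.Raw})))
	strict := must(startServer(cert, false, tls.VersionTLS13)) // TLS 1.3 only
	defer strict.Close()
	_, err = fetchCert(strict.Addr().String(), "example.test", tls.VersionTLS12)
	fmt.Println("TLS 1.2-capped client:", err)
}
```

Run it with go run: the first and third fetches print the wrapped handshake error, the second prints the PEM you would hand to keytool -importcert. Against the real host the same two checks from a shell are openssl s_client -connect login.salesforce.com:443 -servername login.salesforce.com -tls1_2 -showcerts, then the same command without -servername; if the certificate only appears with -servername, the host depends on SNI, and if it only appears with -tls1_2 the protocol list is the problem. In the javax.net.debug=ssl output suggested above, both conditions show up as a fatal alert from the server right after ClientHello and before any Certificate message, and the alert name (protocol_version, unrecognized_name, handshake_failure) says which one you are looking at.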