SSL connection fails with a "Peer not authenticated" error

Connections to an external system over HTTPS result in a certificate chaining error.

Symptoms

When attempting to connect to an external target over SSL, the connection fails with the following exception:

javax.net.ssl.SSLPeerUnverifiedException: peer not authenticated

Cause

This exception indicates that the Java application's truststore was unable to validate the certificate chain. This can occur when the external target's certificates have not been imported into the truststore or one or more of the certificates have expired.

Resolution

Import the target certificate chain into the application truststore.

Use the steps in the Enabling SSL connections with external servers procedure in the Administration Guide.
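The check that fails in the Cause section above can be reproduced offline, which is useful both before and after importing the chain. The following Java program is an added example and is not part of this technote or of the product: it loads a truststore (JKS or PKCS12) and a PEM file holding the target's certificate chain (leaf first), flags any certificate whose validity period has lapsed, and then runs the chain through the same PKIX trust manager JSSE uses, backed by that truststore. The class name ChainCheck, the command-line arguments and the file paths are assumptions for the example.

```java
import java.io.FileInputStream;
import java.io.InputStream;
import java.security.KeyStore;
import java.security.cert.CertificateException;
import java.security.cert.CertificateExpiredException;
import java.security.cert.CertificateFactory;
import java.security.cert.CertificateNotYetValidException;
import java.security.cert.X509Certificate;
import javax.net.ssl.TrustManager;
import javax.net.ssl.TrustManagerFactory;
import javax.net.ssl.X509TrustManager;

/** Offline check (example code): does this truststore accept this server chain, and if not, why? */
public class ChainCheck {

    /** Load a JKS or PKCS12 truststore; the default KeyStore type reads both on current JDKs. */
    static KeyStore loadTrustStore(String path, char[] password) throws Exception {
        KeyStore ks = KeyStore.getInstance(KeyStore.getDefaultType());
        try (InputStream in = new FileInputStream(path)) {
            ks.load(in, password);
        }
        return ks;
    }

    /** Read a PEM file holding the server chain, leaf certificate first. */
    static X509Certificate[] loadChain(String pemPath) throws Exception {
        CertificateFactory cf = CertificateFactory.getInstance("X.509");
        try (InputStream in = new FileInputStream(pemPath)) {
            return cf.generateCertificates(in).toArray(new X509Certificate[0]);
        }
    }

    /** Build the same PKIX trust manager JSSE uses, but backed by the given truststore. */
    static X509TrustManager trustManagerFor(KeyStore ks) throws Exception {
        TrustManagerFactory tmf =
            TrustManagerFactory.getInstance(TrustManagerFactory.getDefaultAlgorithm());
        tmf.init(ks);
        for (TrustManager tm : tmf.getTrustManagers()) {
            if (tm instanceof X509TrustManager) {
                return (X509TrustManager) tm;
            }
        }
        throw new IllegalStateException("no X509TrustManager available");
    }

    /**
     * Report validity-period problems per certificate, then run the chain through the
     * trust manager. Returns a readable verdict instead of throwing.
     */
    static String diagnose(KeyStore trustStore, X509Certificate[] chain) throws Exception {
        if (chain.length == 0) {
            return "RESULT: no certificates found in the PEM file\n";
        }
        StringBuilder report = new StringBuilder();
        for (int i = 0; i < chain.length; i++) {
            X509Certificate c = chain[i];
            report.append("[").append(i).append("] ").append(c.getSubjectX500Principal()).append("\n");
            try {
                c.checkValidity();   // throws if now is outside notBefore..notAfter
            } catch (CertificateExpiredException e) {
                report.append("    EXPIRED on ").append(c.getNotAfter()).append("\n");
            } catch (CertificateNotYetValidException e) {
                report.append("    NOT YET VALID until ").append(c.getNotBefore()).append("\n");
            }
        }
        // authType only selects the key-usage rule applied to the leaf; both values
        // below require the digitalSignature key usage, which current server certs carry
        String authType = "EC".equals(chain[0].getPublicKey().getAlgorithm())
            ? "ECDHE_ECDSA" : "ECDHE_RSA";
        try {
            trustManagerFor(trustStore).checkServerTrusted(chain, authType);
            report.append("RESULT: chain validates against the truststore\n");
        } catch (CertificateException e) {
            // A message containing "unable to find valid certification path to requested
            // target" means an issuer in the chain is missing from the truststore
            report.append("RESULT: NOT TRUSTED: ").append(e.getMessage()).append("\n");
        }
        return report.toString();
    }

    public static void main(String[] args) throws Exception {
        if (args.length != 3) {
            System.err.println("usage: java ChainCheck <truststore> <storepass> <chain.pem>");
            System.exit(2);
        }
        KeyStore ks = loadTrustStore(args[0], args[1].toCharArray());
        X509Certificate[] chain = loadChain(args[2]);
        System.out.print(diagnose(ks, chain));
    }
}
```

Run it once against the application truststore before importing the chain to see which link is missing or expired, and again afterwards to confirm the chain now validates. It checks chain trust and validity periods only: hostname matching and revocation checking are done separately by the HTTPS client, so a chain that passes here can still be rejected for those reasons.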

Logging

If the resolution fails, you can enable detailed logging for SSL connections.

  1. Open the file: /opt/IBM/tivoli/wlp/usr/server/<cluster servername>/jvm.options

  2. Add the following line:

     -Djavax.net.debug=all

  3. Save the changes and restart the server.

Note: Detailed logging is written to /opt/IBM/tivoli/wlp/usr/server/<cluster servername>/logs/trace.log. The output includes the truststore in use and the certificates used to validate the certificate chain.