I get an error when i import a wsdl from a https endpoint saying ‘peer not verified’. Looks like the truststore in UI needs to be configured to accept this cert. How can i do it? This is a on-prem deployment.
UPDATE: It looks like UI has a different truststore than the runtime
Thanks,
Mukundha
@Mukundha,
Have you reviewed
http://apigee.com/docs/api-services/content/configuring-ssl-edge-backend-service - this, of course, highlights the connectivity to the backend.
Does http://apigee.com/docs/api-services/content/keystores-and-truststores#createatruststore show you how can update the truststore?
Thanks Rajeev, yeah i looked at the docs, but this is for the UI, I don’t have problems at runtime, only during the import. So looks like UI maintains a different truststore
@Mukundha Madhavan - Have you resolved this problem?
I can use a custom cert on a secure virtual host in Apigee Edge.
I have the keystore set up properly and can successfully invoke APIs on that vhost, using curl from an external client, as long as I configure curl to trust that certificate.
To configure the Trace UI to trust the cert, I needed to add it to the list of certs trusted by the OS, on the server where edge-ui is running. For RHEL >=6 and Centos >=6, this means:
sudo yum install ca-certificates
sudo update-ca-trust force-enable
sudo cp mycert.pem /etc/pki/ca-trust/source/anchors/
sudo update-ca-trust extract
/opt/apigee/apigee-service/bin/apigee-service edge-ui restart
I did this on 16.09, and it worked nicely.
This helped @Dino Thanks!!
Edge UI fails with this error message, as there isn’t any option in the documentation to configure the truststore used by Edge UI when opening SSL tunnel to management server:
Caused by: sun.security.validator.ValidatorException: PKIX path building failed: sun.security.provider.certpath.SunCertPathBuilderException: unable to find valid certification path to requested target
This was expected, as we need to provide the truststore provided by our company, we cannot use the standard JDK truststores.
Trying to import our certificate chain to the Java cacerts, keytool tells us that it’s already present.
Any option to configure truststores for Edge UI?
We use Apigee 4.19.01.00.