Worklight Development SSL issue (unable to find certificate chain)

Question

I have been reviewing all the links related to the issue that I'm facing and I couldn't get/understand what I'm doing wrong:

Description:

I'm trying to configure my local WL development server to connect securely to our backend.

our PaaS team gave me our WL Enterprise keystore which contains all the certificate required to connect to the backend. The keystore is .p12.

in worklight.properties:

#SSL certificate keystore location.
ssl.keystore.path=conf/ecommerce_bk_mobile.p12
#SSL certificate keystore type (jks or PKCS12)
ssl.keystore.type=PKCS12
#SSL certificate keystore password.
ssl.keystore.password=*****

the SSL alias and password is also set:

banking.services.ssl.certificate.alias=bkdev1_wl
banking.services.ssl.certificate.password=******

Adapter.xml:

<connectionPolicy xsi:type="http:HTTPConnectionPolicyType">
            <protocol>https</protocol>
            <domain>mbcdev1mobile.com</domain>
            <port>PORT-NUM</port>   
            <sslCertificateAlias>${banking.services.ssl.certificate.alias}</sslCertificateAlias>
           <sslCertificatePassword>${banking.services.ssl.certificate.password}</sslCertificatePassword>
        </connectionPolicy>

I have validated that the p12 key has the certificate I need:

However, the error I'm getting is:

Unable to find certificate chain with alias: 'bkdev1_wl'

(The configuration mentioned above matches our actual enterprise server,but the enterprise server is able to connect, and I'm not through my local one)

1.How can I turn on the SSL logging on WL development server?

(I did added <logging traceSpecification="*=fine: com.worklight.*=debug=enabled : com.ibm.ws.ssl.*=all=enabled"/> )but it didn't work.

2.What Am I missing?

3.Is there a clear steps on how to set it up?

WL version: 6.2.0.01.20150214-1613

Thanks

EDIT

I have been reviewing the configuration and I have the following quires:

After I turned on the SSL logging, I found out that WL is going after its default store which is (key.js) located under this path:

/Users/sam/Documents/workspace/WorklightServerConfig/servers/worklight/resources/security/key.jks

meaning that WL is not even reading its own property where I set the key store location:

ssl.keystore.path=conf/ecommerce_bk_mobile.p12

I did the following too: inside my runtime-web.xml located under:

/Users/sam/Documents/workspace/WorklightServerConfig/IPAS

I forced the server to pick up my key:

<env-entry>
    <description>[OPTIONAL] SSL certificate keystore location. Default: conf/default.keystore.</description>
    <env-entry-name>ssl.keystore.path</env-entry-name>
    <env-entry-type>java.lang.String</env-entry-type>
    <env-entry-value>conf/ecommerce_bk_mobile.p12</env-entry-value>
</env-entry>

<env-entry>
    <description>[OPTIONAL] SSL certificate keystore type. Valid keystore types: jks, PKCS12. Default: jks.</description>
    <env-entry-name>ssl.keystore.type</env-entry-name>
    <env-entry-type>java.lang.String</env-entry-type>
    <env-entry-value>PKCS12</env-entry-value>
</env-entry>

<env-entry>
    <description>[OPTIONAL] SSL certificate keystore password.Default: worklight.</description>
    <env-entry-name>ssl.keystore.password</env-entry-name>
    <env-entry-type>java.lang.String</env-entry-type>
    <env-entry-value>********</env-entry-value>
</env-entry>

I'm not sure if I need to make any changes on my jvm.options file to force WL to go after the key store path I'm defining in its property:

JVM Content:

-Dfile.encoding=UTF-8
-Duser.language=en
-Duser.country=US
-Djava.awt.headless=true
-Dwas.debug.mode=true
-agentlib:jdwp=transport=dt_socket,server=y,suspend=n,address=10777
-Dcom.ibm.websphere.ras.inject.at.transform=true
-Dcom.ibm.ws.jmx.connector.client.rest.readTimeout=180000
-Dibm.worklight.admin.db.type=DERBY
-Xmx1024m

-DwlDevEnv.enableCreateTables=true
-Djmx.remote.x.client.connection.check.period=0

-DwlSyncStart=false

Answer 1

Two questions:

• Are you using mutual authentication?
  When mutual authentication is enabled, worklight checks if backend is genuine by checking its certificate and backend also checks if the client (in this case worklight adapter) is genuine by checking its certificate. If you are not using mutual authentication, you dont need to set sslCertificateAlias and sslCertificatePassword in adapter connection policy.
• If you indeed need mutual authentication, Are you sure your p12 file is proper? I am suspecting your p12 file may have some issue.

To rule out the possibility of anything going wrong with p12 file you can do this,

Create a single CA certificate by concatenating all the CA certificates in your trust chain

To do this, Get all the CA certificates which are part of the trust chain of your certificate. Copy each of those into a file, say cacerts.pem. For example, if you have three CA certs in your trust chain, you can concatenate and create one single file containing all of them, for example, cat ca1.crt ca2.crt ca3.crt >> cacerts.pem

So what you have now is one single file which has all the ca certificates which are part of the trustchain. Before you go ahead, check what you have is the right one, by executing this command, openssl verify -verbose -CAfile cacerts.pem server.crt (replace server.crt with your certificate file name). You should see server.crt: OK.

Create p12 file using the CA certificate created earlier

Now create a p12 file by importing your server certificate, its private key and the ca certificate file we created earlier.

openssl pkcs12 -export -in server.crt -inkey serverprivate.key -chain -CAfile cacerts.pem -name "bkdev1_wl" -out ecommerce_bk_mobile.p12 .

It will ask you for private key password followed by the export password, ensure whatever you give for export password, you use it as the value of ssl.keystore.password in worklight.properties.

Next ensure you have provided the alias we used in the earlier command while defining the properties you have mentioned, banking.services.ssl.certificate.alias=bkdev1_wl and the value of banking.services.ssl.certificate.password, should be the property of the private key and not the p12 file

Try connecting and check. If you still get error, please share what you see in worklight side and what you see at backend server side.