Preventing SSL handshaking exceptions

To prevent SSL handshaking exceptions, ensure that the certificate of a server can be found in the truststore of a client. If the certificate is not found in the truststore and the client is a browser, a security alert dialog is displayed. A user can use the dialog to view the certificate and select whether to proceed.

When a web service is invoked from a Rich UI application, the EGL Rich UI Proxy establishes a HTTP or HTTPS connection between the proxy and web service. This connection is independent of the connection between the browser and proxy. If the web service has an HTTPS protocol, the connection between the proxy and web service uses SSL. Because no browser is available to display a security alert and prompt for a response, the certificate that belongs to the server of the web service must be in the truststore of the server of the EGL Rich UI Proxy before the connection is initiated. Otherwise a handshaking error occurs.

To obtain a copy of the server's certificate when calling a third-party web service, enter the URL of the web service in a browser over HTTPS. The way in which you receive the certificate of the server varies depending on the browser. A common way is through a "View Certificate" button, Details tab, and "Copy to File" button. Save the certificate to a file. Use the Administrative Console to open the truststore of your EGL Rich UI Proxy and import the saved certificate as a signer certificate.

Alternatively, you can connect to the remote SSL host and port and receive the signer certificate during the handshake by using the "Retrieve from port" option. If you try to use the SSL-enabled port 9444 you created in "SSL Example" to request a web service called from an HTML file requested on the WebSphere® default SSL port 9443, you a handshaking error occurs. To fix this problem, import the certificate that is associated with port 9444 into the truststore that is associated with port 9443:
  1. Start the WebSphere® V6.1 or V7.0 server that contains your EGL Rich UI Proxy. The proxy is deployed to the same location as the generated HTML file of your Rich UI application.
  2. Right click the server. Click Administration > Run administrative console.
  3. Log in to the Administrative Console.
  4. Expand Security and click SSL certificates and key management.
  5. Under Related Items, click Key stores and certificates.
  6. Click the appropriate truststore.
  7. Click Signer certificates.
  8. Click Retrieve from port.
  9. Specify the following values:
    Host
    localhost
    Port
    9444
    SSL configuration for outbound connection
    NodeDefaultSSLSettings
    Keystore name
    SampleCert
  10. Click Retrieve signer information > OK.
Restart the server. You should now be able to request a web service on port 9444 from port 9443 without receiving a handshaking error.