Issue
WS-Security profile for Outbound SOAP Secured Web Service needs the "x509 certificate" in PEM format only
Problem
The WS-Security profile for an Outbound SOAP Secured Web Service allows an "x509 certificate" to be created in both CER and PEM format.
Symptoms
If a customer creates or updates a WS-Security profile for an Outbound SOAP Secured Web Service with an "x509 certificate" in a format other than PEM, they could receive the following errors in the system logs or in the localhost log:
- Error signing SOAP envelope: java.io.IOException: Invalid keystore format: sun.security.provider.JavaKeyStore.engineLoad
- SOAP Msg Outbound - SOAPMessageClient : Error executing SOAP request: Error signing SOAP envelope
- Unable to extract Key from KeyStore: com.glide.certificates.DBKeyStoreFactory.getPrivateKeyFromKeyStore
WS-Security assumes the certificate is encoded in PEM format, and it cannot retrieve a certificate stored in another format.
Resolution
Please perform the following actions to resolve your problem.
To accomplish action A:
- Export from the keystore the new certificate used by the secure WS, in PEM format. You will need to know the certificate alias for this operation. Or, if you have a CER X509 certificate, you could convert it as follows:
> openssl x509 -inform der -in certificate.cer -out certificate.pem
- Import into ServiceNow the newly provided keystore. We recommend PKCS12 format.
- Import into ServiceNow the new x509 certificate in PEM format.
- Modify the WS security X509 Outbound profile for this WS call to correctly point to: a) the new keystore record, b) the new certificate record, and c) the certificate alias.
Note: WS-Security only allows X509 certificates in PEM format to be used.
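
A .cer extension does not say which encoding a file uses: it may hold binary DER or already be PEM text, and the conversion command above only applies to DER input. The script below is an added example, not ServiceNow code, that checks the encoding before upload and converts only when needed; the function names cert_format and ensure_pem are hypothetical.

```shell
#!/bin/sh
# Added example: pre-flight check for a certificate file before it is
# attached to a WS-Security X509 profile. Function names are hypothetical.

# Print "pem", "der" or "unknown" for the file given as $1.
cert_format() {
    f=$1
    [ -r "$f" ] || { echo "unknown"; return 1; }
    # PEM is base64 text wrapped in BEGIN/END CERTIFICATE marker lines.
    if grep -q -e '-----BEGIN CERTIFICATE-----' "$f" 2>/dev/null; then
        echo "pem"
        return 0
    fi
    # DER is binary ASN.1; a certificate starts with a SEQUENCE tag (0x30).
    first=$(od -An -tx1 -N1 "$f" | tr -d ' \n')
    if [ "$first" = "30" ]; then
        echo "der"
        return 0
    fi
    echo "unknown"
    return 1
}

# Write a PEM copy of $1 to $2. DER input goes through the same openssl
# conversion the article shows; PEM input is copied unchanged.
ensure_pem() {
    src=$1
    dst=$2
    case $(cert_format "$src") in
        pem) cp "$src" "$dst" ;;
        der) openssl x509 -inform der -in "$src" -out "$dst" ;;
        *)   echo "not a PEM or DER certificate: $src" >&2
             return 1 ;;
    esac
}
```

Call it as `ensure_pem certificate.cer certificate.pem` and upload the resulting file; a non-zero exit status means the input was neither encoding and should not be imported.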