Open Workbench Issues (certificate ssl)

Document ID : KB000055129
Last Modified Date : 14/02/2018

Description:   

The application has been configured to be SSL enabled.
A pop-up box with the following message:
"Accept Certificate - Unknown certificate; proceed?" is displayed when we open Open Workbench (OWB). We would like this process to be seamless and not display this window. Although the option to save is displayed, this doesn't seem to be saving the certificate for future use, as the next time we open OWB the same message is displayed.
We need to have some more understanding about what the 'Save' button is doing to explain why the certificate is not being stored.


Solution:   

The SSL certificate has not been installed on the local machine, and it is not provided by a "commonly trusted root CA" (for example, it is a self-generated or internal company certificate that Sun Java didn't install by default).
When you install Java (or IE, or any application that handles SSL), it installs a number of "root authority certificates" from companies like Verisign.

Any certificates for SSL servers that have these "trusted CA certificate" providers as a root will be accepted immediately.
So if the SSL certificate on the system does not come from a 'normal' trusted root, the client machine you are running OWB from says "don't know who this is, can't trust it" and rejects it.
If you install the certificate, Java will then recognize it. When you install an SSL certificate in Microsoft Internet Explorer (IE), you get a dialog box for doing this. With Java, however, you must use the command line.

When you access the CA PPM application on the SSL port with Microsoft Internet Explorer, you will see a dialog box that asks about the certificate.
Click on View Certificate and go to the Details tab of the dialog box that pops up. Do not install the certificate using this dialog, since IE and Java do not use the same certificate stores. Instead, click on the Copy to File button.

This exports only the "public" portions of the certificate to the file, the same portions that are given to any client requesting a connection to the server. NO private portions of the certificate will be inadvertently delivered to the client this way.
Use the defaults including format. Save to a file name such as "c:\test.cer" using the wizard.

Run the following Sun Java "keytool" command. Change the path names as appropriate, but the command should look something like this:

C:\<java>\bin\keytool -import -keystore C:\<java>\lib\security\cacerts -keyalg RSA -file c:\test.cer -trustcacerts

You will be prompted for a keystore password.
The default keystore password to use is: changeit

This procedure should work for "self signed" certificates.
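
The import step above with a fingerprint check in front of it and a confirmation after it, as an added example that is not part of the original article. The alias ppm-ssl and the ExpectedSha256 parameter are assumptions; the paths follow the article's layout under JAVA_HOME, and the fingerprint must come from the server administrator, not from the exported file itself.

```powershell
# Added example. Alias, expected fingerprint and paths are assumptions; adjust for your site.
param(
    [string]$JavaHome       = $env:JAVA_HOME,
    [string]$CertFile       = 'C:\test.cer',
    [string]$Alias          = 'ppm-ssl',   # hypothetical alias
    [string]$ExpectedSha256 = '<SHA-256 fingerprint supplied by the server administrator>'
)

$keytool = Join-Path $JavaHome 'bin\keytool.exe'
$cacerts = Join-Path $JavaHome 'lib\security\cacerts'
$pass    = 'changeit'                      # default keystore password named in the article

# 1. Fingerprint the exported file (DER and Base64 .cer files both load here).
$cert   = New-Object System.Security.Cryptography.X509Certificates.X509Certificate2 $CertFile
$sha256 = [System.Security.Cryptography.SHA256]::Create()
$actual = [System.BitConverter]::ToString($sha256.ComputeHash($cert.RawData)) -replace '-', ''

# 2. Refuse to trust the file unless it matches the fingerprint obtained out of band.
#    With the placeholder left in place this check fails, so nothing is imported.
$expected = ($ExpectedSha256 -replace '[^0-9A-Fa-f]', '').ToUpper()
if ($actual -ne $expected) {
    throw "Fingerprint mismatch for $CertFile (got $actual). Certificate not imported."
}

# 3. Report clearly if the alias is already present (keytool exits non-zero when it is absent).
& $keytool -list -alias $Alias -keystore $cacerts -storepass $pass *> $null
if ($LASTEXITCODE -eq 0) { throw "Alias '$Alias' already exists in $cacerts." }

# 4. Import as a trusted certificate, then list the entry to confirm it was stored.
& $keytool -import -noprompt -trustcacerts -alias $Alias -file $CertFile `
           -keystore $cacerts -storepass $pass
if ($LASTEXITCODE -ne 0) { throw "keytool import failed with exit code $LASTEXITCODE." }

& $keytool -list -alias $Alias -keystore $cacerts -storepass $pass
```

Run it from an elevated prompt if the Java directory is write-protected; the final listing prints the stored entry's fingerprint, which should match the value checked in step 2.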

More Information:
1. Make sure the JAVA_HOME environment variable is specified on the client machine.
2. Make sure the bin folder for your java version is in the path.
3. Make sure that only one version of Java is referenced in the path statement.

Please note that you have to install this on every client machine, so you need to consider whether this is cost effective. Also note the security issues if users try to access the application from outside.