VSE Recorder not capturing transactions when communication is over SSL and client side is IBM WebSphere

Document ID : KB000102694
Last Modified Date : 17/10/2018
Issue:
I am trying to record a virtual service where communication is over SSL, but I am having issues with the VSE Recorder not being able to capture traffic.
The client application is IBM WebSphere.
Cause:
In the VSE Recorder, the Use SSL options were enabled on both the server and client side, and the recorder was using a custom keystore that had been created with the server certificate.
In the HTTP/SSL Debug viewer, we were getting exceptions because the keystore was missing the key pair for authentication; it had only the server certificate.

After we configured the recorder to use the webreckeys.ks, we were able to reach the VSE Recorder from the client application, but were getting the following exception: 
com.ibm.jsse2.util.h: PKIX path building failed: java.security.cert.CertPathBuilderException: unable to find valid certification path to requested target 

We tried to import the lisa.cer to the application cacerts, but we were still facing the same exception.
Looking at the error, we could see it pointing to IBM - com.ibm.jsse2.util.h, and we could verify that the client application making the call to the VSE Recorder is WebSphere.
Resolution:
The following steps were taken to update the WebSphere truststore:
1. Log into the IBM WebSphere Application Server Integrated Solutions Console and navigate to Security > SSL Certificate and key management > Key stores and certificates.
2. Click CellDefaultTrustStore.
3. Click Signer Certificates.
4. Add a local certificate or retrieve a certificate from another server.
   a. Add a local certificate by clicking Add.
   b. Browse to the location where the file is stored and select the file - this will be the lisa.cer file you exported yesterday.
   c. Provide an Alias for the certificate - the alias is lisa.
   d. Click OK.
   The root certificate is added to the list of signer certificates.
5. If using Tivoli® Access Manager or other proxies, also repeat steps 4-6 for your Tivoli Access Manager or other proxy servers.

These steps are documented in the link below: 
https://www.ibm.com/support/knowledgecenter/en/SSYGQH_6.0.0/admin/install/t_exchange_keys_network.html 

After these steps were completed, we were able to capture the transactions in the VSE Recorder.
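
Both conditions described above (the recorder keystore holds a key pair, and the WebSphere truststore lists the lisa signer) can be checked from `keytool -list` output. The script below is an added example, not part of the original article or of DevTest or WebSphere. It assumes the OpenJDK-style non-verbose listing format; the sample listings and the aliases "server" and "root" are constructed.

```shell
#!/bin/sh
# Input throughout: the text printed by `keytool -list` (non-verbose) for one
# store, e.g.  keytool -list -keystore <store-file>
# (<store-file> is a placeholder; keytool prompts for the store password).

# Emit "alias<TAB>entry-type" for every entry in a listing read on stdin.
list_entries() {
    awk '{ sub(/\r$/, "") }           # tolerate CRLF output
    /(PrivateKeyEntry|trustedCertEntry|SecretKeyEntry),? *$/ {
        sub(/[, ]*$/, "")             # drop the trailing ", "
        n = split($0, f, /, */)       # the date field may contain a comma
        print f[1] "\t" f[n]          # first field = alias, last = type
    }'
}

# Succeed if the store holds a key pair (needed by the side that presents a
# certificate during the handshake).
has_key_pair() {
    list_entries | awk -F'\t' '$2 == "PrivateKeyEntry" { ok = 1 } END { exit !ok }'
}

# Succeed if alias $1 is present as a trusted (signer) certificate.
trusts_alias() {
    list_entries | awk -F'\t' -v a="$1" \
        '$1 == a && $2 == "trustedCertEntry" { ok = 1 } END { exit !ok }'
}

# Constructed sample: a keystore like the one in the Cause section, holding
# only the server certificate. The alias "server" is made up.
cert_only_keystore() {
    printf '%s\n' 'Keystore type: jks' '' 'Your keystore contains 1 entry' '' \
        'server, Oct 17, 2018, trustedCertEntry, ' \
        'Certificate fingerprint (SHA1): <constructed sample, omitted>'
}

# Constructed sample: a truststore after step 4, with the alias "lisa" added.
truststore_after_import() {
    printf '%s\n' 'Your keystore contains 2 entries' '' \
        'root, Oct 17, 2018, trustedCertEntry, ' \
        'lisa, Oct 17, 2018, trustedCertEntry, '
}

cert_only_keystore | has_key_pair || echo "keystore: no key pair, certificate only"
truststore_after_import | trusts_alias lisa && echo "truststore: lisa is a signer"
```

An alias match only shows that an entry with that name exists; comparing the fingerprint line against the exported certificate confirms it is the expected one.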
Additional Information:
More information regarding the HTTP/SSL Debug Viewer is available at the links below:
HTTP and SSL Debug Viewer 
https://docops.ca.com/devtest-solutions/10-1/en/using/using-ca-application-test/using-devtest-workstation-with-ca-application-test/running-test-cases-and-suites/http-and-ssl-debug-viewer

SSL Handshake Summary
https://docops.ca.com/devtest-solutions/10-1/en/using/using-ca-application-test/using-devtest-workstation-with-ca-application-test/running-test-cases-and-suites/ssl-handshake-summary

How to collect SSL debugging information with DevTest?
https://comm.support.ca.com/kb/how-to-collect-ssl-debugging-information-with-devtest/KB000117725