Feature Pack 7 or later

Troubleshooting: SSL handshake exception in store preview

If you cannot access store preview, ensure that the WebSphere Commerce foundation feature was enabled with SSL port 443 open and listening.

Problem

You cannot access store preview due to an SSL handshake exception. The web server certificate is imported over SSL port 443 during the foundation feature enablement. If the web server certificate is not imported, store preview might result in SSL handshake errors.

For example:
  • The following error might occur during feature enablement:

    WASX7017E: Exception received while running file "/opt/WebSphere/CommerceServer70/components/foundation/subcomponents/search/deploy/scripts/retrieveSingerCert.jy";
    exception information: com.ibm.websphere.management.cmdframework.CommandException
    java.net.ConnectException: java.net.ConnectException: Connection refused

    Java Result: 105

  • The following error might occur during store preview:

    CWPKI0022E: SSL HANDSHAKE FAILURE: A signer with SubjectDN "CN=hostname" was sent from target host:port "hostname:port".
    The signer may need to be added to local trust store "..../trust.p12" located in SSL configuration alias "NodeDefaultSSLSettings" loaded from SSL configuration file "security.xml".
    The extended error message from the SSL handshake exception is: "PKIX path building failed: java.security.cert.CertPathBuilderException: unable to find valid certification path to requested target".

To check if the web server certificate was imported successfully, either:
  • Check the WC_installdir/instances/instance_name/logs/enablefoundation_timestamp.log file for an error resembling the following snippet:
    
    Exception received while running file "C:/WebSphere/CommerceServer70/components/foundation/subcomponents/search/deploy/scripts/retrieveSingerCert.jy"
    
    or,
  • In the Solr server WebSphere Application Server Administrative Console, ensure that the web certificate has been imported successfully:
    1. Expand Security > SSL certificate and key management > Key stores and certificates > trust_store_name > Signer certificates

      Where trust_store_name is the name of your trust store. For example, NodeDefaultTrustStore, or CellDefaultTrustStore.

    2. Ensure that a valid certificate exists with the alias webcert.

Solution

If the web server certificate was not imported successfully, perform the following steps to resolve this issue:
  1. Import the WebSphere Commerce search web server certificate for the WebSphere Commerce server.
    1. Ensure that the WebSphere Commerce search web server SSL port 3738 is enabled and listening.
    2. In the WebSphere Commerce WebSphere Application Server Administrative Console, expand Security > SSL Certificate and Key management > Key stores and certificates > trust_store_name > Signer certificates.
    3. Select Retrieve from port.
    4. Enter the WebSphere Commerce search web server host name, 3738 port number, and webcert alias.
    5. Select Retrieve signer information.
    6. Select OK and Save.
    7. Restart the WebSphere Commerce server.
  2. Import the WebSphere Commerce search web server certificate for the WebSphere Commerce search server.
    1. Ensure that the WebSphere Commerce web server SSL port 443 is enabled and listening.
    2. In the WebSphere Commerce search WebSphere Application Server Administrative Console, expand Security > SSL Certificate and Key management > Key stores and certificates > trust_store_name > Signer certificates.
    3. Select Retrieve from port.
    4. Enter the WebSphere Commerce web server host name, 443 port number, and webcert alias.
    5. Select Retrieve signer information.
    6. Select OK and Save.
    7. Restart the WebSphere Commerce search server.

Important: You must reimport the web server certificates if they have been updated, for example, from a self-signed certificate to a third-party SSL certificate.
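
A triage helper for the checks above, added here as an example (it is not IBM's code): it scans log text for the two failure signatures quoted on this page and fingerprints the certificate a listener presents, so that it can be compared with the webcert signer in the trust store. The function names, the sample host name and the port in the sample log are assumptions.

```python
import hashlib
import re
import socket
import ssl

# Signatures taken from the messages quoted on this page.
ENABLE_FAIL = re.compile(r'Exception received while running file "[^"]*retrieveSingerCert\.jy"')
HANDSHAKE = re.compile(r'CWPKI0022E: SSL HANDSHAKE FAILURE: A signer with SubjectDN '
                       r'"([^"]*)" was sent from target host:port "([^":]+):(\d+)"')

# Constructed sample: the host name and port in the CWPKI0022E line are placeholders.
SAMPLE_LOG = '''WASX7017E: Exception received while running file "/opt/WebSphere/CommerceServer70/components/foundation/subcomponents/search/deploy/scripts/retrieveSingerCert.jy";
exception information: com.ibm.websphere.management.cmdframework.CommandException
java.net.ConnectException: java.net.ConnectException: Connection refused
CWPKI0022E: SSL HANDSHAKE FAILURE: A signer with SubjectDN "CN=web.example.com" was sent from target host:port "web.example.com:443".
'''


def triage(log_text):
    """Return one finding per failure signature found in the log text."""
    findings = []
    m = ENABLE_FAIL.search(log_text)
    if m:
        # A refused connection means the SSL port was not listening at enablement.
        refused = "Connection refused" in log_text[m.end():m.end() + 400]
        findings.append({"stage": "feature enablement", "port_refused": refused})
    for dn, host, port in HANDSHAKE.findall(log_text):
        findings.append({"stage": "store preview", "signer": dn,
                         "host": host, "port": int(port)})
    return findings


def presented_fingerprint(host, port, algo="sha256", timeout=5.0):
    """Fingerprint of the certificate a listener presents, or None if the port
    refuses the connection or the TLS handshake cannot complete."""
    ctx = ssl.create_default_context()
    ctx.check_hostname = False       # read-only inspection: the certificate is
    ctx.verify_mode = ssl.CERT_NONE  # fingerprinted here, not trusted
    try:
        with socket.create_connection((host, port), timeout=timeout) as sock:
            with ctx.wrap_socket(sock, server_hostname=host) as tls:
                der = tls.getpeercert(binary_form=True)
    except OSError:
        return None
    digest = hashlib.new(algo, der).hexdigest().upper()
    return ":".join(digest[i:i + 2] for i in range(0, len(digest), 2))


if __name__ == "__main__":
    for finding in triage(SAMPLE_LOG):
        print(finding)
```

Run presented_fingerprint against the web server on port 443 and the search web server on port 3738, passing the digest algorithm your console displays, and compare each result with the fingerprint shown for the webcert alias. A None result corresponds to the "Connection refused" case, and a mismatch after a certificate update means the signer must be reimported.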