Troubleshooting: SSL handshake exception in store preview

If you encounter problems with accessing store preview, ensure that your web server certificate is imported and valid.

Problem

You cannot access store preview due to an SSL handshake exception. If the web server certificate is not imported or has expired, store preview might result in SSL handshake errors.

For example, the following error might occur during store preview:

CWPKI0022E: SSL HANDSHAKE FAILURE: A signer with SubjectDN "CN=hostname" was sent from target host:port "hostname:port".
The signer may need to be added to local trust store "..../trust.p12" located in SSL configuration alias "NodeDefaultSSLSettings" loaded from SSL configuration file "security.xml".
The extended error message from the SSL handshake exception is: "PKIX path building failed: java.security.cert.CertPathBuilderException: unable to find valid certification path to requested target".

To check if the web server certificate was imported successfully:
  • In the Solr server WebSphere Application Server Administrative Console, ensure that the web certificate was imported successfully:
    1. Expand Security > SSL certificate and key management > Key stores and certificates > trust_store_name > Signer certificates

      Where trust_store_name is the name of your trust store. For example, NodeDefaultTrustStore, or CellDefaultTrustStore.

    2. Ensure that a valid certificate exists with the alias webcert.
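
Before importing anything, it helps to know exactly which signer, target port and trust store each CWPKI0022E entry names. The following Python script is an added example, not part of the original page or of the product: it pulls those fields out of log text and counts failures per distinct signer. The function names, log timestamps, host names and trust store path are constructed for illustration.

```python
import re
from collections import Counter

# Fields of the CWPKI0022E message, in the order the page quotes them.
PATTERN = re.compile(
    r'A signer with SubjectDN "(?P<subject>[^"]*)"\s+was sent from target '
    r'host:port "(?P<target>[^"]*)"'
    r'.*?local trust store "(?P<trust_store>[^"]*)"'
    r'.*?SSL configuration alias "(?P<ssl_alias>[^"]*)"'
    r'(?:.*?extended error message[^"]*"(?P<reason>[^"]*)")?',
    re.DOTALL,
)

def parse_failures(log_text):
    """Return one dict per complete CWPKI0022E message in log_text."""
    found = []
    # Split per message ID so a truncated entry cannot borrow the next entry's fields.
    for chunk in re.split(r"(?=CWPKI0022E:)", log_text):
        m = PATTERN.search(chunk) if chunk.startswith("CWPKI0022E:") else None
        if m is None:
            continue
        rec = m.groupdict()
        host, _, port = rec.pop("target").rpartition(":")
        rec.update(host=host, port=int(port) if port.isdigit() else None)
        found.append(rec)
    return found

def signers_to_review(log_text):
    """Count failures per distinct (subject DN, host, port, trust store)."""
    return Counter((r["subject"], r["host"], r["port"], r["trust_store"])
                   for r in parse_failures(log_text))

# Constructed sample: timestamps, host names and the trust store path are invented.
_TAIL = ('The signer may need to be added to local trust store "/constructed/trust.p12" '
         'located in SSL configuration alias "NodeDefaultSSLSettings" loaded from SSL '
         'configuration file "security.xml". The extended error message from the SSL '
         'handshake exception is: "PKIX path building failed: '
         'java.security.cert.CertPathBuilderException: unable to find valid '
         'certification path to requested target".')
def _entry(cn, port, tail=_TAIL):
    return (f'[1/1/70 0:00:00:000 UTC] 00000001 constructed E CWPKI0022E: SSL HANDSHAKE '
            f'FAILURE: A signer with SubjectDN "CN={cn}" was sent from target host:port '
            f'"{cn}:{port}". {tail}\n')
SAMPLE_LOG = (_entry("search.example.com", 3738) + _entry("web.example.com", 443, tail="")
              + _entry("search.example.com", 3738) + _entry("web.example.com", 443))

if __name__ == "__main__":
    for key, count in signers_to_review(SAMPLE_LOG).items():
        print(count, *key)
```

The second sample entry is deliberately truncated; it is skipped rather than matched against the trust store named in the entry after it.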

Solution

If the web server certificate was not imported successfully or if the certificate has expired, perform the following steps to resolve this issue:
  1. Import the WebSphere Commerce search web server certificate for the WebSphere Commerce server.
    1. Ensure that the WebSphere Commerce search web server SSL port 3738 is enabled and listening.
    2. In the WebSphere Commerce WebSphere Application Server Administrative Console, expand Security > SSL Certificate and Key management > Key stores and certificates > trust_store_name > Signer certificates.
    3. Select Retrieve from port.
    4. Enter the WebSphere Commerce search web server host name, the port number 3738, and the alias webcert.
    5. Select Retrieve signer information.
    6. Select OK and Save.
    7. Restart the WebSphere Commerce server.
  2. Import the WebSphere Commerce search web server certificate for the WebSphere Commerce search server.
    1. Ensure that the WebSphere Commerce web server SSL port 443 is enabled and listening.
    2. In the WebSphere Commerce search WebSphere Application Server Administrative Console, expand Security > SSL Certificate and Key management > Key stores and certificates > trust_store_name > Signer certificates.
    3. Select Retrieve from port.
    4. Enter the WebSphere Commerce web server host name, the port number 443, and the alias webcert.
    5. Select Retrieve signer information.
    6. Select OK and Save.
    7. Restart the WebSphere Commerce search server.
Important: You must reimport the web server certificates if they have been updated. For example, if they are updated from a self-signed certificate to a third-party SSL certificate.