Unexpected error: ilog.rules.res.util.http.IlrConnectionException
IO error when contacting "/res/repositoryService"
This is the same problem that I saw at a client back in late 2012, and occurs because, unlike Process Designer, Rule Designer doesn't seem "smart" enough to retrieve the SSL certificates from the JVMs on which RES and RTS are running.
The solution is to grab the endpoint certificates from the RES and RTS URLs - I chose to use Internet Explorer to do this, and save the certificates, in DER encoded binary X.509 (.CER) format, to my hard drive ( C:\temp\rts.cer and C:\temp\res.cer respectively ).
I then imported each into the Rule Designer's local SSL key/trust store ( CACerts ), as follows: -
"C:\Program Files\IBM\ODM851\jdk\bin\keytool.exe" -import -file c:\temp\odm.cer -alias RES-P71005LPAR1.static1.tec.hur.cdn -keystore "c:\Program Files\IBM\ODM851\jdk\jre\lib\security\cacerts" -storepass changeit
Owner: CN=P71005LPAR1, OU=P71005LPAR1Node01Cell, OU=DecisionServerNode01, O=IBM,
C=US
Issuer: CN=P71005LPAR1.static1.tec.hur.cdn, OU=Root Certificate, OU=odm85Cell, O
U=odm85Node1, O=IBM, C=US
Serial number: 912cd201ddc8
Valid from: 4/30/14 6:00 PM until: 4/30/15 6:00 PM
Certificate fingerprints:
MD5: 9A:7B:E3:1B:B1:02:D3:38:08:A4:4B:24:6D:04:CB:1B
SHA1: 47:42:81:7F:CC:A2:25:D3:5F:BE:47:6F:92:91:A8:74:F9:6C:ED:7B
SHA256: 86:3A:1D:49:EC:5B:08:E7:CE:03:9B:FD:59:13:B1:12:90:A9:5B:EE:45:
65:BE:5F:DA:19:B3:F9:54:8A:D2:4A
Signature algorithm name: SHA1withRSA
Version: 3
Extensions:
#1: ObjectId: 2.5.29.17 Criticality=false
SubjectAlternativeName [
[RFC822Name: ProfileUUID:Dmgr01-DEPLOYMENT_MANAGER-1d2ca68d-5864-4176-a6ed-63293
baa9766]]
#2: ObjectId: 2.5.29.14 Criticality=false
SubjectKeyIdentifier [
KeyIdentifier [
0000: 4e 7e a8 9c 7b fa f8 eb N.......
]
]
Trust this certificate? [no]: yes
Certificate was added to keystore
"C:\Program Files\IBM\ODM851\jdk\bin\keytool.exe" -import -file c:\temp\rts.cer -alias RTS-P71005LPAR1.static1.tec.hur.cdn -keystore "c:\Program Files\IBM\ODM851\jdk\jre\lib\security\cacerts" -storepass changeit
Owner: CN=P71005LPAR1, OU=P71005LPAR1Node01Cell, OU=DecisionCenterNode01, O=IBM,
C=US
Issuer: CN=P71005LPAR1.static1.tec.hur.cdn, OU=Root Certificate, OU=odm85Cell, O
U=odm85Node1, O=IBM, C=US
Serial number: d8b5af263526
Valid from: 5/1/14 3:51 PM until: 5/1/15 3:51 PM
Certificate fingerprints:
MD5: E5:BB:A2:FA:81:D1:2E:7C:23:50:9D:68:E7:E8:AA:71
SHA1: 77:33:BE:8C:14:AA:1B:CF:40:15:D8:A8:C9:3B:0F:7B:BB:0B:E3:94
SHA256: 4A:83:6E:61:1E:A1:65:D3:42:1A:79:F4:74:9E:2E:41:0A:B9:EE:7C:65:
C0:5F:DB:7A:01:36:03:29:E9:35:A4
Signature algorithm name: SHA1withRSA
Version: 3
Extensions:
#1: ObjectId: 2.5.29.17 Criticality=false
SubjectAlternativeName [
[RFC822Name: ProfileUUID:Dmgr01-DEPLOYMENT_MANAGER-1d2ca68d-5864-4176-a6ed-63293
baa9766]]
#2: ObjectId: 2.5.29.14 Criticality=false
SubjectKeyIdentifier [
KeyIdentifier [
0000: 40 4d 83 cb f4 e0 56 b4 .M....V.
]
]
Trust this certificate? [no]: yes
Certificate was added to keystore
Note that the command will prompt you with "Trust this certificate?", to which you need to respond yes :-)
Once both certificates are added to CACerts, I simply restarted Rule Designer, and was then able to publish projects to Decision Center (RTS) and rulesets to Decision Server (RES).
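Answering yes at the trust prompt turns the saved .cer file into a trust anchor, so its SHA256 fingerprint should first be compared with one obtained from the server side. The following is an added example, not part of the original post: it hashes the DER file and compares it with the fingerprint in keytool text output, handling the two-line wrap seen above. The function names and sample bytes are constructed for illustration, and the trusted output is assumed to come from the server administrator.

```python
import hashlib
import hmac
import re

def der_sha256(der_bytes: bytes) -> str:
    """SHA-256 of the raw DER bytes, the value keytool reports as SHA256."""
    return hashlib.sha256(der_bytes).hexdigest()

def keytool_sha256(output: str) -> str:
    """Pull the SHA256 fingerprint out of keytool text output as lowercase hex.

    keytool wraps the 32-byte value over two console lines, so following
    lines made only of hex pairs and colons are joined on.
    """
    lines = output.splitlines()
    for i, line in enumerate(lines):
        m = re.match(r"\s*SHA-?256:\s*(.*)$", line)
        if not m:
            continue
        value = m.group(1).strip()
        for cont in lines[i + 1:]:
            if not re.fullmatch(r"[0-9A-Fa-f:]+", cont.strip()):
                break
            value += cont.strip()
        hexstr = value.replace(":", "").lower()
        if not re.fullmatch(r"[0-9a-f]{64}", hexstr):
            raise ValueError("incomplete or malformed SHA256 fingerprint")
        return hexstr
    raise ValueError("no SHA256 fingerprint found")

def fingerprint_matches(der_bytes: bytes, trusted_output: str) -> bool:
    """True only if the saved file hashes to the fingerprint in trusted_output."""
    return hmac.compare_digest(der_sha256(der_bytes), keytool_sha256(trusted_output))

def format_like_keytool(hexstr: str) -> str:
    """Build constructed sample output, wrapped after 21 pairs as in the output above."""
    pairs = [hexstr[i:i + 2].upper() for i in range(0, 64, 2)]
    return ("Certificate fingerprints:\n\t SHA256: " + ":".join(pairs[:21]) + ":\n"
            + ":".join(pairs[21:]) + "\nSignature algorithm name: SHA1withRSA\n")

# Constructed stand-in for the bytes of a saved .cer file (not a real certificate).
SAMPLE_DER = b"constructed stand-in for C:\\temp\\rts.cer"
SAMPLE_OUTPUT = format_like_keytool(der_sha256(SAMPLE_DER))

if __name__ == "__main__":
    print("match:", fingerprint_matches(SAMPLE_DER, SAMPLE_OUTPUT))
    print("tampered:", fingerprint_matches(SAMPLE_DER + b"\x00", SAMPLE_OUTPUT))
```

The file must be the DER encoded binary export; a Base-64 export of the same certificate hashes to a different value and will not match.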
PS Two useful links on the same subject here: -
Executing a scenario suite with a Scenario Service Provider (SSP) over HTTPS
"CertPathBuilderException: unable to find valid certification path to requested target" when connecting to Rule Team Server/Decision Center or Rule Execution Server over HTTPS
2 comments:
Hi, I have tried the above approach to deploy my ruleapp on red but it's not working; it's still giving the same error as mentioned above. Do I need to import the private key of the certificate? Is there any solution using an ant file?
@Abhinav
Hmm, that definitely worked for me, although I've not seen the problem again for a while now.
Check the certificates that you have in the client's cacerts store using keytool, and compare the signature against that which you see when you access Decision Center and/or Decision Server via a web browser.
If no joy, consider raising a PMR with IBM Support.
Cheers, Dave