Rohini_deprecated
Joined: Jan 31, 2017
Messages: 5
Offline
Hello, I am working on Salesforce Integration.


* I have created a snap-in in Java which makes an HTTP POST to the following login URL:


[i][b]LOGINURL + GRANTSERVICE + "&client_id=" + CLIENTID + "&client_secret=" + CLIENTSECRET + "&username=" + USERNAME + "&password=" + PASSWORD + "&access_token=offline";[/b][/i]



* I have created an HTTP client like:


[b][i]@SuppressWarnings("deprecation")
public CloseableHttpClient getHttpClient() {
    try {
        // SSLContext supplied by the platform's SSL utility.
        final SSLContext sslContext = SSLUtilityFactory.createSSLContext(SSLProtocolType.TLS);
        // The single-argument constructor keeps HttpClient's default hostname verification.
        // ALLOW_ALL_HOSTNAME_VERIFIER would accept a certificate issued for any host.
        final SSLConnectionSocketFactory sslsf = new SSLConnectionSocketFactory(sslContext);
        httpClient = HttpClients.custom().setSSLSocketFactory(sslsf).build();
    } catch (final SSLUtilityException e) {
        logger.error("Exception occurred while getting SSL Context", e);
    }
    return httpClient;
}[/i][/b]



* This snap-in was successfully deployed on Breeze but throws the following error when the web service is called:


[b]testsalesforceintegration3 ERROR - testsalesforceintegration3-1.1.0.0.3 - Error while connectiong to salesforce.
javax.net.ssl.SSLHandshakeException: com.ibm.jsse2.util.j: PKIX path building failed: java.security.cert.CertPathBuilderException: PKIXCertPathBuilderImpl could not build a valid CertPath.; internal cause is:
java.security.cert.CertPathValidatorException: The certificate issued by CN=VeriSign Class 3 Public Primary Certification Authority - G5, OU="(c) 2006 VeriSign, Inc. - For authorized use only", OU=VeriSign Trust Network, O="VeriSign, Inc.", C=US is not trusted; internal cause is:
java.security.cert.CertPathValidatorException: Certificate chaining error[/b]



* I had already imported a self-signed certificate on Breeze, which was received from Salesforce.


Could anyone please guide me asap to resolve the issue.
JoelEzell
Joined: Nov 15, 2013
Messages: 780
Offline
The certificate you installed must not have covered this cert path. It looks like you need to install this root certificate as a trusted CA certificate:
VeriSign Class 3 Public Primary Certification Authority - G5

The public CA certificates are not trusted on Breeze by default.
Rohini_deprecated
Joined: Jan 31, 2017
Messages: 5
Offline
Thanks JoelEzell
Tanaji_Bhale
Joined: Sep 26, 2016
Messages: 64
Offline
Hi Joel,

We are getting this issue in the collaboratory environment and I tried importing certificates in two ways.

1) Imported certificates using SMGR->Inventory->Breeze2-> Import from file -> to all store type.
PFA the screenshot of the certificate imported. But this way our error is not resolved.

2) I tried putting the certificates in the "/etc/pki/ca-trust/source/anchors/" directory on the Breeze2 node and then updating the CA trust store using the commands "update-ca-trust enable; update-ca-trust extract", but this requires "root/sudo" permission, which is not given to my users by default, so I am unable to test it.

Please advise on the above.

Regards,
Tanaji Bhale.
  • [Thumb - SalesforceCert_details.PNG]
NicholasKwiatkowski [Avatar]
Joined: Dec 13, 2013
Messages: 32
Location: East Lansing, MI
Offline
The best way to import the cert is to log into SMGR, go to the Breeze section, click on the check-box next to the cluster you are importing the cert into, and then go to the Certificate Management menu, then Install Trust Certificate.

Your option 1 would also work, but I don't think it will trigger anything on the Breeze servers to reload the certs. You would need to restart your apps (if you implemented the start/stop functionality) OR restart the server for them to be picked up.

--------------------------- Nick Kwiatkowski Michigan State University, Telecom Systems Planning and Engineering Team Adj. Professor of Media and Information Studies
JoelEzell
Joined: Nov 15, 2013
Messages: 780
Offline
Thanks Nick, you led me to what I believe the issue is here. Prior to Breeze 3.3, there was no way for a snap-in to be notified if the provisioned trust / identity certificates had changed. If the same SSLContext object is reused across multiple outbound connections to Salesforce, the snap-in would never load the new trusted certificates. This is true regardless of whether the trust certificate is done from the Inventory page or from the Breeze page. Try doing a "was restart" (must be root) from the command line, or redeploy the snap-in to force it to reload the certificates.

Snap-ins running on Breeze 3.3 can implement a listener to be advised when certificates change. Our new OutboundHttps sample snap-in shows how to do this.
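
Added example, not part of the thread and not Avaya's code: a plain JSSE sketch of the behaviour described in the post above, where a trust manager built before a CA is installed keeps the trust anchors it was created with, and only one built afterwards sees the new CA. It does not use the Breeze SSLUtilityFactory API; the class name, helper name and keystore aliases are hypothetical, and the two sample CA certificates are borrowed from the JVM's default trust store.

```java
import java.security.KeyStore;
import java.security.cert.X509Certificate;
import javax.net.ssl.TrustManager;
import javax.net.ssl.TrustManagerFactory;
import javax.net.ssl.X509TrustManager;

// Added illustration using standard JSSE only (hypothetical class name).
public class TrustSnapshotDemo {

    // Builds an X509TrustManager from a KeyStore; null selects the JVM default trust store.
    static X509TrustManager trustManagerFor(KeyStore ks) throws Exception {
        TrustManagerFactory tmf =
                TrustManagerFactory.getInstance(TrustManagerFactory.getDefaultAlgorithm());
        tmf.init(ks);
        for (TrustManager tm : tmf.getTrustManagers()) {
            if (tm instanceof X509TrustManager) {
                return (X509TrustManager) tm;
            }
        }
        throw new IllegalStateException("no X509TrustManager available");
    }

    public static void main(String[] args) throws Exception {
        // Sample input: two CA certificates taken from the JVM's own default trust store.
        X509Certificate[] defaults = trustManagerFor(null).getAcceptedIssuers();
        if (defaults.length < 2) {
            throw new IllegalStateException("default trust store has fewer than two CAs");
        }

        // Empty in-memory trust store that initially trusts a single CA.
        KeyStore store = KeyStore.getInstance(KeyStore.getDefaultType());
        store.load(null, null);
        store.setCertificateEntry("ca-one", defaults[0]);

        // Trust manager created once and reused, like a cached SSLContext.
        X509TrustManager cached = trustManagerFor(store);

        // Simulates an administrator installing another trusted CA afterwards.
        store.setCertificateEntry("ca-two", defaults[1]);

        // The cached trust manager still holds the anchor set it was built with.
        System.out.println("cached:  " + cached.getAcceptedIssuers().length + " trusted CA(s)");
        // A trust manager built after the change picks up the new CA.
        X509TrustManager rebuilt = trustManagerFor(store);
        System.out.println("rebuilt: " + rebuilt.getAcceptedIssuers().length + " trusted CA(s)");
    }
}
```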
Tanaji_Bhale
Joined: Sep 26, 2016
Messages: 64
Offline
Thanks for the reply, Nick & Joel.

I'm using Breeze version 3.2.0.1.320111, and re-installing the snap-in didn't solve my problem, so I restarted the Breeze cluster from the SMGR->Breeze section, but unfortunately the Breeze cluster went down for my lab :( . Anyway, I have notified the collab support team about this and will resume my work after their fix :) .

Regards,
Tanaji Bhale.
JoelEzell
Joined: Nov 15, 2013
Messages: 780
Offline
OK, let us know how it goes for you.
Rohini_deprecated
Joined: Jan 31, 2017
Messages: 5
Offline
Hi guys. Our Lab is up again.

As a brief, I am performing CRUD operations on Salesforce CRM data through a snap-in. Leads, Accounts, Opportunities, Contacts, etc. data is available with the Salesforce account. A connected app is created to get the client ID and secret key. A REST API POST LOGIN request using developer account credentials and the client ID & secret key gives me an ACCESS TOKEN, which is then used to call other API requests.

As mentioned earlier, we have imported the trusted certificate and then restarted the Breeze server. We are trying things out on two different Breeze servers. But the same error persists - "Certificate Chaining Error".


Any suggestions/comments/guidance are appreciated.

NicholasKwiatkowski [Avatar]
Joined: Dec 13, 2013
Messages: 32
Location: East Lansing, MI
Offline
Rohini wrote: Hi guys. Our Lab is up again.
As mentioned earlier we have imported trusted certificate and then restarted the breeze server. We are trying out the things on two different breeze servers. But the same error persists - "Certificate Chaining Error"


Are you sure you are seeing the same Verisign certificate as the issue in the logs?

If so, can you send the actual URL you are connecting to? We wouldn't need the URL Path, just the https://servername/ part so we have an idea of the type of cert they are trying to send.


--------------------------- Nick Kwiatkowski Michigan State University, Telecom Systems Planning and Engineering Team Adj. Professor of Media and Information Studies