Kenji
Joined: Jan 22, 2015
Messages: 105
Offline
Occurrence opportunity
all the time
Occurrence scenario
1. The OD application calls aesconnector, so it accesses as follows. (The following is an excerpt from the OD log)

CTICommand.execute: request to manager is https://localhost:9443/aesconnector/CallInfoInitialCall?extension%3D59904&k=XHLGU0OPUf71kD9JCHrDHb96m9Ns8LQs

2. An SSL-related error occurred. Then the OD application cannot run, with the exception below.

[23/04/24 9:14:20:127 JST] 000c7d88 SystemErr R ***** Saw exception, tracing before report
[23/04/24 9:14:20:127 JST] 000c7d88 SystemErr R javax.net.ssl.SSLHandshakeException: com.ibm.jsse2.util.j: PKIX path building failed: com.ibm.security.cert.IBMCertPathBuilderException: unable to find valid certification path to requested target

We would like to resolve the above exception. So, please advise what action we should take.
The following are our system deployments.
[[ EPM ]]
<swversion>
Avaya Connector Server
Version: RH8.4.64-AV04EP8
Offer Type: bundled
Operating System Version
Linux 4.18.0-372.26.1.el8_6.x86_64
<iaversion.php>
installagent 8.1.2.0.0202 full
docs 8.1.2.0.0202 full
vpms 8.1.2.0.0202 full
vpms 8.1.2.0.0341 patch
docs 8.1.2.0.0341 patch

<OVA for deploy>
ExperiencePortal-Primary-EPM-8.1.2.0.0202.ova
<Patches>
epavl-8.x.x.0.2210.tar.gz
EPM_8.1.2.0.0328.tar.gz
EPM_8.1.2.0.0341.tar.gz

[[ Web Application Server ]]
Orchestration Designer: 08.12.11.01
JAVA: IBM Java V1.8.0
WAS: WebSphere Application Server V9.0.2.x
OS: RHEL8.1

Best regards, K.Yamahara
Kenji
The attached file is our collected logs.
Filename: logs.zip
massimo__croci
Joined: Jan 31, 2020
Messages: 518
Offline
Hi.

Have you configured the tsapi.pro file accordingly (see our DevGuide https://download.avaya.com/css/public/documents/101083618, page 599)?

For CTIC (AESC) deployment, tsapi.pro needs 2 additional properties for talking to AES 4.2
through secure connection. The avayaprca.jks comes with cticonnector.war. You just need to
change the path to match your deployment. For example:
trustStoreLocation=/opt/apps/cticonnector/WEB-INF/lib/avayaprca.jks
trustStorePassword=password

Limitation
1. You can hear the status of the call if you are doing a blind call or a consult call with transfer
on ring set. Note that you cannot hear busy or invalid line (fast busy) because the switch
disallows a transfer to a busy line.
2. If you have CTI (AES) nodes in your application, you can’t run the application in HTML
mode. The application will stop when it hits the CTI (AES) nodes

Kenji
Hi massimo-san,

Thank you for your quick reply.

>Have you configured the tsapi.pro file accordingly (in our DevGuide https://download.avaya.com/css/public/documents/101083618 on page 599 ):
[Kenji]
Yes. We already configured them into the tsapi.pro file.

Actually, we performed the steps below this time.
What other action is required to resolve this exception?

1, Create an HTTP (non-secure) environment and confirm that we can get values from aesconnector in the test call flow.
We were able to create the environment without any problems.
2, Set WebSphere to be able to connect to HTTPS.
It worked fine up to Validate.jsp, but when I called it, the flow was not called and an error occurred.
When I looked at the log viewer, the errors PAVB_00225 / PAVB_00187 / PAVB_03064 were output.
PAVB_00225: Socket Error in function SSL_connect - SSL_ERROR_SSL (A failure in the SSL library occurred, usually a protocol error)
3, We configured "Enabling Server Identity Verification" in the security settings from "Yes" to "No".
4, As a result, an SSL-related error occurred. Then the OD application cannot run, with the exception below.

[23/04/24 9:14:20:127 JST] 000c7d88 SystemErr R ***** Saw exception, tracing before report
[23/04/24 9:14:20:127 JST] 000c7d88 SystemErr R javax.net.ssl.SSLHandshakeException: com.ibm.jsse2.util.j: PKIX path building failed: com.ibm.security.cert.IBMCertPathBuilderException: unable to find valid certification path to requested target

Best regards, K.Yamahara
Kenji
Hi massimo-san,

Thank you for your quick support.

Furthermore, I created a similar environment in Tomcat and confirmed that values could be obtained from the aesconnector in the test call flow, as below.
Instructions for Tomcat
1, Create an HTTP (non-secure) environment and confirm that we can get values from aesconnector in the test call flow.
2, Configure Tomcat so that it can be connected via HTTPS.
3, Create a self-certificate from the Certificates menu of runtimeconfig. Export the created self-certificate.
4, Import the self-certificate exported in 3 to the trusted certificate of the certificate on the EP management screen.
5, Change the flow launch URL from http to https in EP Admin, execute a test call flow, and confirm that the value can be obtained from aesconnector with HTTPS (secure access).

From the above, HTTPS access was successful in the Tomcat environment, but the problem occurred only in the WebSphere environment, so I think that the cause is in the settings related to WebSphere.

So, if my understanding is correct, we need to follow the procedure below with WebSphere.
If it is wrong, please correct me.

1, Create an HTTP (non-secure) environment and confirm that we can get values from aesconnector in the test call flow.
I was able to create the environment without any problems.
2, Set WebSphere to be able to connect to HTTPS.
3, Create a self-certificate from the WebSphere management console. Export the created self-certificate.
4, Import the self-certificate exported in 3 to the trusted certificate of the certificate on the EP management screen.
5, Change the flow launch URL from http to https in EP Admin, execute a test call flow, and confirm that the value can be obtained from aesconnector with HTTPS (secure access).

Best regards, K.Yamahara
massimo__croci
Hi.
Based on the error message, it sounds like a certificate issue.

In case of the WS, Wilson stated:

- For websphere, you need to update the certificate using its console ( https://www.devconnectprogram.com/forums/posts/list/22022.page#p153539 )

- Are you adding certificate to Websphere or Tomcat? If it's Websphere, you would do it in the IBM console after you have exported the certificate from the device ( https://www.devconnectprogram.com/forums/posts/list/23503.page#p158919 )

I suggest checking the connection between the app and the AES.
Kenji
Hi Massimo-san,

Thank you for your helpful support.

We just took a sniffer trace.
Then we confirmed that the TLS handshake failed between the application "/***_****/Start" and the AES connector "/aesconnector/CallInfoInitialCall" due to a certificate unknown error.
Since it occurs after the Server Hello message, the cause is that the client doesn’t trust the server certificate.

Therefore we decided to manually export the AES connector server certificate chain from the avayaprca.jks file and import it into the runtimeconfig trust certificates page.
Anyway, we tried using the "fetch" button to download the certificate from the aesconnector URL. After the AES connector certificate chain was imported into the trust list, the application was able to connect to the AES connector internally.

So, please close this forum.
Thank you and regards, Kenji
Attachments: OD Fetch Certificate Menu.png, Packet trace.png, OD Certificates Menu.png
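
Added example, not part of the original thread or of any Avaya or IBM code: the packet-trace reasoning from the last post (a certificate alert sent by the client after the server's Certificate message points at the client's trust store) expressed as a small TLS record parser. It assumes TLS 1.2 or earlier, where these records are still unencrypted; the function names and the sample flow are constructed for illustration.

```python
# Added example; function names are hypothetical and the capture bytes are constructed.
HANDSHAKE, ALERT = 22, 21
HS_TYPES = {1: "client_hello", 2: "server_hello", 11: "certificate", 14: "server_hello_done"}
# RFC 5246 alert descriptions meaning the peer's certificate was not accepted.
CERT_ALERTS = {42: "bad_certificate", 43: "unsupported_certificate", 44: "certificate_revoked",
               45: "certificate_expired", 46: "certificate_unknown", 48: "unknown_ca"}

def rec(ctype, payload):
    """Build one TLS 1.2 record (used only to construct the sample flow)."""
    return bytes([ctype, 3, 3]) + len(payload).to_bytes(2, "big") + payload

def hs(msg_type, body=b""):
    """Build one handshake message with a dummy body."""
    return bytes([msg_type]) + len(body).to_bytes(3, "big") + body

def parse_records(data):
    """Yield (content_type, payload) for each TLS record in a byte stream."""
    pos = 0
    while pos + 5 <= len(data):
        length = int.from_bytes(data[pos + 3:pos + 5], "big")
        payload = data[pos + 5:pos + 5 + length]
        if len(payload) < length:
            raise ValueError("truncated TLS record")
        yield data[pos], payload
        pos += 5 + length

def handshake_types(payload):
    """Return the names of the handshake messages packed into one record."""
    names, pos = [], 0
    while pos + 4 <= len(payload):
        names.append(HS_TYPES.get(payload[pos], f"type_{payload[pos]}"))
        pos += 4 + int.from_bytes(payload[pos + 1:pos + 4], "big")
    return names

def diagnose(flow):
    """flow: list of (sender, bytes) in capture order; sender is 'client' or 'server'."""
    server_cert_seen = False
    for sender, data in flow:
        for ctype, payload in parse_records(data):
            if ctype == HANDSHAKE and sender == "server":
                server_cert_seen |= "certificate" in handshake_types(payload)
            elif ctype == ALERT and len(payload) >= 2:
                name = CERT_ALERTS.get(payload[1])
                if name and sender == "client" and server_cert_seen:
                    return f"client rejected server certificate ({name})"
                return f"{sender} sent alert {payload[1]}"
    return "no alert seen"

SAMPLE_FLOW = [("client", rec(22, hs(1, bytes(8)))),  # ClientHello
               ("server", rec(22, hs(2, bytes(8)) + hs(11, bytes(16)) + hs(14))),
               ("client", rec(21, b"\x02\x2e"))]  # fatal alert 46, certificate_unknown
```

A "client rejected server certificate" result means the fix belongs on the calling side: the server's chain has to be added to the trust store the client actually loads, which is what importing the chain into the trust list did in this thread.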