KB-1067 Web service call authentication fails over HTTPS

This issue has been resolved in an Appian hotfix/new Appian version. Please apply the latest hotfix to your Appian installation or upgrade to the latest version of Appian.

Symptoms

When using the Call Web Service smart service, the call fails to connect to the web service endpoint and the following error is written to the application server log:

INFO  [stdout] (ajp-/0.0.0.0:8009-7) com.appiancorp.ws.WSClientException: The WSDL cannot be processed because the remote server's certificate is invalid.  Check that the certificate has not expired. (APNX-1-4045-005)
...
INFO  [stdout] (ajp-/0.0.0.0:8009-7) Caused by: sun.security.provider.certpath.SunCertPathBuilderException: unable to find valid certification path to requested target

Cause

The server hosting the web service is not configured to send back a list of client certificate CA names to the client attempting to authenticate. This can be determined by running the following command, where <IP_ADDRESS> and <PORT> are the IP and port used by the server hosting the web service:

openssl s_client -showcerts -connect <IP_ADDRESS>:<PORT>

This generates output similar to the following (the certificate strings and other information have been omitted here for readability):

CONNECTED(00000003)
---
Server certificate
subject=<SERVER>
issuer=<ISSUING CA>
---
No client certificate CA names sent
---
SSL handshake has read 4567 bytes and written 288 bytes
---
New, TLSv1/SSLv3, Cipher is EDH-RSA-DES-CBC3-SHA
Server public key is 1024 bit
Secure Renegotiation IS supported
Compression: NONE
Expansion: NONE
SSL-Session:
Protocol  : TLSv1
Cipher    : EDH-RSA-DES-CBC3-SHA
Session-ID: XXXX
Session-ID-ctx: 
Master-Key: YYYY
Key-Arg   : None
Start Time: 1447147689
Timeout   : 300 (sec)
Verify return code: 19 (self signed certificate in certificate chain)
---

Notice the section that states "No client certificate CA names sent". This indicates that the server is not sending back a list of client certificate CA names, which Appian requires in order to authenticate properly.
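
The check described above can be scripted. This is an added example, not Appian code: it classifies `openssl s_client` output by whether the server advertised client certificate CA names. The function names and sample inputs are constructed for illustration, and the `Client Certificate Types` stop line assumes the layout printed by newer OpenSSL releases.

```sh
#!/bin/sh
# Added example (not Appian code): classify `openssl s_client` output by whether
# the server advertised client certificate CA names. Function names are hypothetical.

# stdin: s_client output. Prints sent / not-sent / unknown.
ca_names_status() {
    out=$(cat)
    if printf '%s\n' "$out" | grep -q '^No client certificate CA names sent'; then
        echo "not-sent"
    elif printf '%s\n' "$out" | grep -q '^Acceptable client certificate CA names'; then
        echo "sent"
    else
        echo "unknown"   # handshake did not complete or output was truncated
    fi
}

# stdin: s_client output. Prints the CA names the server advertised, one per line.
list_ca_names() {
    awk '/^Acceptable client certificate CA names/ { on = 1; next }
         on && (/^---/ || /^Client Certificate Types/) { exit }
         on { print }'
}

# stdin: s_client output. Prints the numeric "Verify return code".
verify_code() {
    sed -n 's/^[[:space:]]*Verify return code: \([0-9][0-9]*\).*/\1/p' | tail -n 1
}

# Live check against host:port (same command as in the article; stdin closed so it exits).
check_endpoint() {
    openssl s_client -showcerts -connect "$1" </dev/null 2>/dev/null | ca_names_status
}

# Constructed sample inputs, modelled on the output shown in this article.
SAMPLE_NOT_SENT='CONNECTED(00000003)
---
No client certificate CA names sent
---
    Verify return code: 19 (self signed certificate in certificate chain)
---'
SAMPLE_SENT='CONNECTED(00000003)
---
Acceptable client certificate CA names
/CN=Example Internal CA
---
    Verify return code: 0 (ok)
---'
printf '%s\n' "$SAMPLE_NOT_SENT" | ca_names_status
printf '%s\n' "$SAMPLE_SENT" | list_ca_names
```

Running `check_endpoint <IP_ADDRESS>:<PORT>` before and after reconfiguring the web service host shows whether workaround 2 took effect.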

This issue has been resolved via AN-57245 in the following Appian hotfixes/versions:

  • Appian 7.10 Hotfix Package O
  • Appian 7.11 Hotfix Package L
  • Appian 16.1 Hotfix Package K
  • Appian 16.2 Hotfix Package H
  • Appian 16.3 Hotfix Package D
  • Appian 17.1 Hotfix Package A
  • Appian 17.2

Action

Apply the latest hotfix to your Appian installation or upgrade to the latest version of Appian.

Workaround

The following workarounds can resolve this issue:

  1. Modify the web service to accept basic authentication. Once the web service accepts basic authentication, users can place the credentials specific to the web service in Third-Party Credentials in Tempo. This can be configured in Appian using the Secure Credentials Store.
  2. Configure the server hosting the web service to send back a list of client certificate CA names. Note that this can work with either a certificate signed using an internal Certificate Authority, or one signed using a public, trusted Certificate Authority.

Affected Versions

This article applies to Appian 17.1 and older.

Last Reviewed: July 2017
