Skip Ribbon Commands
Skip to main content
Navigate Up
Sign In

Quick Launch

Average Rating:

(14 Ratings)
facebook Twitter
Email
Print Bookmark Alert me when this article is updated

Feedback

"PMWS_33016 Web Service invoker encountered an error while invoking the Web Service: SSL certificate problem, verify that the CA cert is OK" running a PowerExchange for Web Services session
Problem Description

The following error occurs when running a PowerCenter session with a Web Services Consumer source or transformation:

[PMWS_33016] [ERROR] Web Service invoker encountered an error while invoking the Web Service. Reason: SSL certificate problem, verify that the CA cert is OK. Details:
error: 14090086: SSL routines: SSL3_GET_SERVER_CERTIFICATE: certificate verify failed

 

The session may also fail with this error:

Reason: Unknown SSL protocol error in connection

Cause
This issue occurs due to changes made in the Certificate options in PowerExchange for Web Services.
All Cert Authentication Certificates issued by major trusted certificate authorities (such as Verisign) are stored in the ca-bundle.crt file.

If the certificate bundle does not contain a certificate from a Certificate Authority that the Web Service Provider uses, you can convert the certificate of the Web Service Provider to PEM format and append it to the ca-bundle.crt file.
The private key for a client certificate must be in PEM format.

Solution

To add a certificate to the trust certificates file, do the following:

  1. Use Internet Explorer or any other browser to locate the certificate and create a copy:
    1. Go to the target URL using HTTPS (Example: https://gs0.salesforce.com/services/Soap/u/27.0) This is the same https that you use on the mapping/session.
    2. Double-click the padlock icon in the status bar of Internet Explorer.
    3. In the Certificate dialog box, click the Details tab.
    4. Choose All from the list.
    5. Click Copy to File. 
    6. Use the Certificate Export Wizard to copy the certificate in DER format.

  2. Convert the certificate from DER to PEM format. You can use the openssl commands to convert the certificates to the PEM format. The download links for openssl is in the Reference section of this KB article.

    Example

    openssl x509 -in server.der -inform DER -out server.pem -outform PEM

  3. Append the PEM certificate file to the certificate bundle, ca-bundle.crtThis file is located in <PowerCenter Install Folder>/server/bin.  Edit the ca-bundle.crt file in any text editor such as notepad, and add the certificate contents along with the label PEM Data:
    Note

    The label PEM Data: must be included for every certificate that you append. Check the existing ca-bundle.crt file for the format.

    Example

    PEM Data:
    -----BEGIN CERTIFICATE-----
    MIID+DCCAuCgAwIBAgIRANAeQ
    -----END CERTIFICATE-----

Web Services with a Chain of Certificates

If the secure Web Service contains a chain of trusted certificates, then it is necessary to add each certificate in the chain to the trusted certificates file up to the ROOT.
Repeat steps 1-3 above for every certificate in the chain.

Example

In the following example, the steps need to be repeated for the UTN root certificate and the Network Solutions CA certificate:

 
More Information

You can append data for multiple authentication certificates in the same ca-bundle.crt file which is present in the <PowerCenter Install Folder>/server/bin directory.

 

In some cases, the session might fail with "Reason: Unknown SSL protocol error in connection" even after updating the certificates from the browser. To resolve such errors, re-generate the certificate data by running the below openSSL command:

 

openssl s_client -connect host:port -showcerts > certinfo.txt

 

Example:

 

openssl s_client -connect site.com:443 -showcerts > certinfo.txt
 
Edit the certinfo.txt and copy each certificate text from ----BEGIN CERTIFICATE----- until ------END CERTIFICATE-------, and append the text to ca-bundle.crt with
PEM Data label
Applies To
Product: PowerCenter; PowerExchange
Problem Type:
User Type: Administrator; Developer
Project Phase:
Product Version: PowerExchange for Web Services 8.6; PowerExchange for Web Services 8.6.1; PowerExchange for Web Services 9.0; PowerExchange for Web Services 9.0.1; PowerExchange for Web Services 9.1
Database:
Operating System:
Other Software:

Reference

For more details on Certificates, refer to Chapter 2 of the PowerExchange for Web Services User and Administrator Guide.

OpenSSL for Windows can be downloaded from:

http://gnuwin32.sourceforge.net/packages/openssl.htm
http://www.openssl.org

The file to download and execute is: Complete package, except sources - Setup

For more information about adding certificates to the ca-bundle.crt file, see the curl documentation at:

http://curl.haxx.se/docs/sslcerts.html

CR 98205

Attachments
Last Modified Date:4/22/2015 10:32 PMID:18153
People who viewed this also viewed

Feedback

Did this KB document help you?



What can we do to improve this information (2000 or fewer characters)