
Context

This procedure should only be attempted if all else has failed, and in most cases only with the involvement of an Esko support engineer. Please refer to the WebCenter installation manual on how to correctly install a certificate in your IIS Web Server. It also includes instructions on how to install the certificates of intermediate certificate authorities (CAs), which is likely to be required. If you use correctly signed certificates that are properly installed on the WebCenter side, no additional measures are needed on the Automation Engine side. The required root CA certificates should already be built into the Java runtime that is installed with the Automation Engine.

When publishing from Automation Engine to a WebCenter site that requires an HTTPS connection, you need to import security certificates into the Automation Engine keystore.

This procedure is required even when WebCenter is within the same LAN, but depending on the IT settings, it is possible that the HTTPS communication is only enforced when coming from outside.

When Automation Engine doesn’t have the appropriate certificates, publish will fail with the following (or similar) error message:

– javax.net.ssl.SSLHandshakeException: sun.security.validator.ValidatorException: PKIX path building failed: 
sun.security.provider.certpath.SunCertPathBuilderException: unable to find valid certification path to requested target.

Procedure

Following is the procedure to install security certificates on Automation Engine:

  1. Log in to the Automation Engine Server as a local administrator.
  2. Open a web browser and go to the secured WebCenter site.
  3. Download the SSL certificates to the desktop.
    1. Double click the yellow lock icon (or click Security Report from the Menu bar) to open the certificates window (see below).

    2. From the Certificate window, click the Certification Path tab. This will display the certificate hierarchy. You can determine the number of certificates needed based on the number of levels in the hierarchy.
    3. Export all the certificates in the hierarchy.
    4. Click View Certificate.
    5. Click the Details tab.
    6. Click Copy to File to begin the Export Wizard. Click Next.
    7. Select DER encoded binary… (.CER). Click Next.
    8. Use Browse or type in a valid path and name the certificate (*.cer). Using a short path and name (such as c:\temp\vali.cer) is recommended. Click Next.
    9. Click Finish, OK and then OK.
    10. Repeat the above steps for each certificate in the hierarchy.
    11. Close the Certificate display windows and the web browser when finished.
  4. Import Certificate files into the keystore.
    1. Ensure you are logged into the Automation Engine Server with local Administrator privileges.
    2. Open a command prompt.
    3. Change to your Automation Engine software directory which contains the keytool utility: \bg_prog_fastserver_vxxx\jre\bin 

    4. Run the utility for each certificate downloaded, in the proper order:
      1. Syntax is: keytool -import -file <path>\*.cer -alias <aliasname> -keystore <keystore_path>
      2. Your <keystore_path> is path_to_bg_prog_fastserver_vxxx\jre\lib\security\cacerts
      3. You will be prompted for a password. The password is: changeit (case sensitive).
      4. You might be asked to trust the certificate. Enter Y for Yes. It is also possible that the tool tells you that this certificate is already installed. If so, go on with the next certificate.
      5. When successful, you should get a Certificate was added to keystore message.
      6. Repeat for each certificate to import in the hierarchy.
      7. EXAMPLE: Your Automation Engine server software is installed on E:\Esko, and you have two certificates in c:\temp: valicert.cer and starfield.cer. valicert.cer is first in the chain, so import it first, then repeat for starfield.cer.
      8. At a command prompt, change to e:\esko\bg_prog_fastserver_vxxx\jre\bin.
      9. Type: keytool -import -file c:\temp\valicert.cer -alias valicert -keystore e:\esko\bg_prog_fastserver_vxxx\jre\lib\security\cacerts
      10. If asked for password, type changeit.
      11. If asked to Trust certificate, type Y.
      12. Repeat the same command for your next certificate, i.e., starfield.cer.
  5. Reboot the Automation Engine computer to ensure that the changes take effect.
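
The import steps of step 4 as one script. This is an added example, not part of the original Esko article. It assumes PowerShell run as administrator and the paths, aliases and file names from the article's own example (E:\Esko, c:\temp\valicert.cer, c:\temp\starfield.cer); the keystore backup, the certificate printout and the alias check are additions that make a trust-store change reviewable and reversible.

```powershell
# Added example. Paths follow the article's example; adjust to your system.
$JreHome   = 'E:\Esko\bg_prog_fastserver_vxxx\jre'   # vxxx = your installed version
$Keytool   = Join-Path $JreHome 'bin\keytool.exe'
$Keystore  = Join-Path $JreHome 'lib\security\cacerts'
$StorePass = 'changeit'                              # password named in the article

# Certificates in import order, as in the article's example.
$Certs = @(
    @{ Alias = 'valicert';  File = 'C:\temp\valicert.cer'  },
    @{ Alias = 'starfield'; File = 'C:\temp\starfield.cer' }
)

# 1. Keep a dated copy of the trust store so the change can be rolled back.
$Backup = "$Keystore.$(Get-Date -Format 'yyyyMMdd-HHmmss').bak"
Copy-Item -Path $Keystore -Destination $Backup -ErrorAction Stop
Write-Host "Backup written to $Backup"

foreach ($c in $Certs) {
    if (-not (Test-Path $c.File)) { throw "Missing certificate file: $($c.File)" }

    # 2. Print owner, issuer, validity and fingerprints so they can be
    #    compared with the values published by the certificate authority.
    & $Keytool -printcert -file $c.File
    if ($LASTEXITCODE -ne 0) { throw "Not a readable certificate: $($c.File)" }

    # 3. Skip aliases that already exist in the keystore.
    & $Keytool -list -keystore $Keystore -storepass $StorePass -alias $c.Alias > $null 2>&1
    if ($LASTEXITCODE -eq 0) {
        Write-Host "Alias '$($c.Alias)' already present, skipping."
        continue
    }

    # 4. Import; keytool still asks for the Y/N trust confirmation.
    & $Keytool -import -file $c.File -alias $c.Alias -keystore $Keystore -storepass $StorePass
    if ($LASTEXITCODE -ne 0) { throw "Import failed for $($c.File)" }
}

# 5. Confirm that each alias is now in the keystore.
foreach ($c in $Certs) {
    & $Keytool -list -keystore $Keystore -storepass $StorePass -alias $c.Alias
}
```

To undo the change, copy the .bak file back over cacerts and restart as in step 5.
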
Article information
Applies to

Automation Engine all versions

WebCenter all versions

Created: 01-Jul-13
Last revised: 10-Jan-14
Author: PDCO, JEDE
1 Comment

  1. This is no longer correct: certificates should only be imported in the JRE keystore in rare circumstances. Usually the error message means that the intermediate certificates are not bound to the WebCenter web server.