For this example, we'll try to access https://login.salesforce.com
If you enter this URL into an HTTP Client Connector and attempt a connection, either by pressing the Connect and Next buttons in the Schema area of an Attribute Map or by dropping the Connector into an AssemblyLine (AL) and running it, you will see this error. It is the Java runtime's way of saying that the CA which issued the server's certificate is not in the TDI Server's trust store, so the certificate chain cannot be validated:
ERROR - [HTTPClientConnector] CTGDIS810E handleException - cannot handle exception , callreply
javax.net.ssl.SSLHandshakeException: com.ibm.jsse2.util.j: PKIX path building failed: java.security.cert.CertPathBuilderException: PKIXCertPathBuilderImpl could not build a valid CertPath.; internal cause is:
java.security.cert.CertPathValidatorException: The certificate issued by CN=VeriSign Class 3 Public Primary Certification Authority - G5, OU="(c) 2006 VeriSign, Inc. - For authorized use only", OU=VeriSign Trust Network, O="VeriSign, Inc.", C=US is not trusted; internal cause is:
java.security.cert.CertPathValidatorException: Certificate chaining error
This handy button requests the server's certificate and stores it in the TDI Server's trust store (the file named by the javax.net.ssl.trustStore property in solution.properties). Be aware of what you are doing when you press it: the import trusts whatever certificate the remote end presented at that moment, and the entry then stays trusted for every future connection. Before importing, compare the certificate's fingerprint with one obtained from the service owner out of band (keytool -printcert or openssl x509 -fingerprint will show it) rather than assuming the first answer you get is genuine.
Once imported, the Java VM needs a restart before it will use the newly acquired certificate, because the trust store is read once at startup. This means that you must recycle your TDI Server before a successful connection is possible.
This is all well and good, but if you're scripting your own components then it would be better if the missing certificate could be detected and then automatically imported. Fortunately, this is very simple to do with a single line of script in TDI.
msg = com.ibm.di.security.GetSSLCertificate.installCertificateFrom(baseurl, 443)
The baseurl argument is the 'https://...' address you want to access, and 443 is the default port for HTTPS. If the socket you are trying to reach listens on a specific port number, pass that port in the above call instead. The call always returns a String, so a script has to inspect the message to learn what happened: if the request or the trust store update fails, the returned String is an error message describing the failure; if the server's certificate already exists in your trust store, the message tells you that the certificate is already trusted; and if the requested certificate is successfully added to your trust store, the message indicates this. The same caveat as for the button applies: the routine trusts whatever the remote end presents, so in anything beyond a test environment check the imported certificate's fingerprint against a known-good value before relying on it.
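To make the "detect, then import" step explicit, and to add the fingerprint check that the one-liner does not perform, here is an added example in plain Java. It is not TDI's own code and not how GetSSLCertificate is implemented; it uses only standard JSSE and KeyStore APIs, and it assumes the trust store path and password are supplied through the standard javax.net.ssl.trustStore and javax.net.ssl.trustStorePassword system properties (the same property names TDI reads from solution.properties). The host, port and the expected SHA-256 fingerprint are command-line arguments you supply.

```java
import java.io.FileInputStream;
import java.io.FileOutputStream;
import java.security.KeyStore;
import java.security.MessageDigest;
import java.security.cert.CertificateException;
import java.security.cert.X509Certificate;
import javax.net.ssl.SSLContext;
import javax.net.ssl.SSLHandshakeException;
import javax.net.ssl.SSLSocket;
import javax.net.ssl.SSLSocketFactory;
import javax.net.ssl.TrustManager;
import javax.net.ssl.X509TrustManager;

/*
 * Added example (not TDI code): detect an untrusted server certificate,
 * capture the chain the server presents, verify the leaf against a pinned
 * SHA-256 fingerprint obtained out of band, and only then add it to the
 * trust store. Run with:
 *   java -Djavax.net.ssl.trustStore=/path/to/truststore.jks \
 *        -Djavax.net.ssl.trustStorePassword=changeit \
 *        CertTrustRepair login.salesforce.com 443 AA:BB:...:FF
 * (path, password and fingerprint are placeholders you must replace)
 */
public class CertTrustRepair {

    // Colon-separated upper-case hex SHA-256 digest of the DER encoding,
    // the same form keytool -printcert and openssl x509 -fingerprint print.
    static String sha256Fingerprint(X509Certificate cert) throws Exception {
        byte[] digest = MessageDigest.getInstance("SHA-256").digest(cert.getEncoded());
        StringBuilder sb = new StringBuilder();
        for (int i = 0; i < digest.length; i++) {
            if (i > 0) sb.append(':');
            sb.append(String.format("%02X", digest[i]));
        }
        return sb.toString();
    }

    // Detection step: a handshake with the default (trust-store backed)
    // SSLContext. "PKIX path building failed" surfaces here as an
    // SSLHandshakeException, exactly as in the TDI log above.
    static boolean handshakeTrusted(String host, int port) throws Exception {
        SSLSocketFactory factory = (SSLSocketFactory) SSLSocketFactory.getDefault();
        try (SSLSocket socket = (SSLSocket) factory.createSocket(host, port)) {
            socket.startHandshake();
            return true;
        } catch (SSLHandshakeException e) {
            return false;
        }
    }

    // Capture step: a trust manager that records the presented chain. It
    // accepts anything, so it is used ONLY to fetch the chain for inspection,
    // never for the real connection.
    static X509Certificate[] fetchChain(String host, int port) throws Exception {
        final X509Certificate[][] captured = new X509Certificate[1][];
        TrustManager capture = new X509TrustManager() {
            public void checkClientTrusted(X509Certificate[] chain, String authType) { }
            public void checkServerTrusted(X509Certificate[] chain, String authType) { captured[0] = chain; }
            public X509Certificate[] getAcceptedIssuers() { return new X509Certificate[0]; }
        };
        SSLContext ctx = SSLContext.getInstance("TLS");
        ctx.init(null, new TrustManager[] { capture }, null);
        try (SSLSocket socket = (SSLSocket) ctx.getSocketFactory().createSocket(host, port)) {
            socket.startHandshake();
        }
        return captured[0];
    }

    // Import step, gated on the pinned fingerprint. Returns true if the
    // trust store was changed (and therefore the JVM needs a restart).
    static boolean importIfPinned(String host, int port, String expectedLeafFp) throws Exception {
        if (handshakeTrusted(host, port)) {
            System.out.println(host + " is already trusted; nothing to do.");
            return false;
        }
        X509Certificate leaf = fetchChain(host, port)[0];
        String actual = sha256Fingerprint(leaf);
        if (!actual.equalsIgnoreCase(expectedLeafFp)) {
            // Refuse: whatever answered at host:port is not the certificate we expected.
            throw new CertificateException("Fingerprint mismatch for "
                    + leaf.getSubjectX500Principal() + ": got " + actual);
        }
        String path = System.getProperty("javax.net.ssl.trustStore");
        char[] password = System.getProperty("javax.net.ssl.trustStorePassword", "").toCharArray();
        KeyStore store = KeyStore.getInstance("JKS");   // TDI's trust store is a JKS file by default
        try (FileInputStream in = new FileInputStream(path)) {
            store.load(in, password);
        }
        store.setCertificateEntry(host, leaf);         // alias: the host name
        try (FileOutputStream out = new FileOutputStream(path)) {
            store.store(out, password);
        }
        System.out.println("Added " + leaf.getSubjectX500Principal() + " to " + path
                + " (SHA-256 " + actual + "). Restart the JVM so it is picked up.");
        return true;
    }

    public static void main(String[] args) throws Exception {
        importIfPinned(args[0], Integer.parseInt(args[1]), args[2]);
    }
}
```

Two design points worth noting. First, the example imports the leaf certificate, which is what the CTGDIS1957I message (subject CN=login.salesforce.com) shows the TDI routine doing as well; a leaf is rotated every time the service renews it, so for a long-lived integration you may prefer to pin and import the issuing CA certificate from the captured chain instead. Second, the accept-everything trust manager exists only in fetchChain to read the chain; the decision to trust is made solely by the fingerprint comparison, which is the check that the one-line TDI call leaves to you.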
CTGDIS1957I Added certificate with subject: CN=login.salesforce.com, OU=Applications, O="Salesforce.com, Inc", L=San Francisco, ST=California, C=US.
Once TDI has been restarted, you can make secure connections to this service. Note that what was imported is the server's own (leaf) certificate, not the VeriSign issuer from the error message, so when the service renews its certificate the handshake will fail again and the import will have to be repeated.