InterFormNG2 offers various integrations with other systems. Some of these integrations require a secure connection encrypted with TLS.
If the service we integrate with requires a secure connection using HTTPS, SMTPS, or SMTP/startTLS, then InterFormNG2 requires a valid and trusted certificate in the Java runtime environment.
Certificate Validation Requirement
If the certificate is invalid or not trusted, you may encounter an error message such as:
PKIX path building failed... Unable to find valid certification path to requested target
If the target server is hosted on-premise, we highly recommend obtaining a certificate from a trusted certificate authority (CA) and installing it on the target server.
When you use your certificate while referring to the local host, consider using the host name (or the IP address) of the machine instead of localhost. The host name or IP address used should be listed in the certificate.
Alternative Solution
Alternatively, you may install the untrusted certificate into the Java runtime trust store (cacerts).
However, this procedure is NOT covered by the InterForm support agreement.
Checking Trusted Certificate Authorities in Java
To see a list of all certificate authorities trusted by Java, run the following command in the JAVA_HOME directory:
keytool -keystore "jre\lib\security\cacerts" -storepass changeit -list
With the full paths of a standard Windows installation, the command is:
"C:\Program Files\InterFormNG2\jre\bin\keytool" ^
  -keystore "C:\Program Files\InterFormNG2\jre\lib\security\cacerts" ^
  -storepass changeit -list
In a standard Windows installation of InterFormNG2, the JAVA_HOME directory is the same as the InterFormNG2 installation directory.
Integrations Requiring a Valid Certificate
The following integrations may require a valid certificate on the target server:
- E-mail Server
- ActiveMQ
- IBM MQ
- InterSigning
- Office365 SharePoint
- Nextway Next
- d.velop documents
- eSignAnyWhere
- DigitalSign
- IDM
Self-Signed Certificates Policy
Self-signed certificates are NOT covered by the standard InterForm support agreement.
If assistance is required for self-signed certificates, support may be provided as a paid service.
Handling "PKIX path building failed" Error
If you encounter an error similar to:
PKIX path building failed: XXXX: unable to find valid certification path to requested target.
One possible solution is to install the certificate in the Java runtime trust store (cacerts).
Important Notes Before Proceeding
- Back up the cacerts file before installation.
- Consult your system administrator before making changes, as this affects the entire machine.
- You will need to reinstall the certificate if Java is upgraded in the future.
- InterForm is not responsible for any issues arising from executing the steps below.
If the certificate is issued by an issuer that is trusted by Windows, then you can use this hint to make InterFormNG2 trust the same certificates as Windows.
Step 1: Get the certificate
Export the certificate from the external system (e.g. d3.ecm).
Step 2: Start CMD as an administrator
Step 3: Install the Certificate
Execute the following command, replacing the file path and alias as needed:
"C:\Program Files\InterFormNG2\jre\bin\keytool" ^
  -import ^
  -keystore "C:\Program Files\InterFormNG2\jre\lib\security\cacerts" ^
  -storepass changeit ^
  -alias d3ecm ^
  -file "C:\temp\d3ecm-prodserver-customerabc-local.pem"
If you are replacing an old certificate in the keystore, then you might get the error message: keytool error: java.lang.Exception: Certificate not imported, alias already exists
If so, you first need to delete the old alias before you can install the new one. You can do that with this command:
"C:\Program Files\InterFormNG2\jre\bin\keytool" ^
  -delete ^
  -noprompt ^
  -alias "d3ecm" ^
  -keystore "C:\Program Files\InterFormNG2\jre\lib\security\cacerts"
Then you can install the new version of the certificate.
In the example below we refer to a certificate store named cacerts in the folder /home/mydir and a certificate named ca.cer, also found in the directory /home/mydir. You need to change the references below to match your certificate and certificate store.
Step 1: Start QSHELL
Run the following command to start QSHELL:
STRQSH
Step 2: Copy the Certificate Store, if needed
Execute the following command, replacing the file paths as needed:
cp /QOpenSys/QIBM/ProdData/JavaVM/jdk17/64bit/lib/security/cacerts /home/mydir/cacerts
Step 3: Install the Certificate
Execute the following command, replacing the file paths and alias as needed:
keytool -import \
-file /home/mydir/ca.cer \
-alias CertAuth \
-keystore /home/mydir/cacerts \
-storepass changeit \
-noprompt
Step 4: Update access and timestamp on properties file for user IFORMNG2
Execute the following command, replacing the file path as needed:
touch -C 819 /home/IFORMNG2/SystemDefault.properties
Step 5: Set the path to the new keystore copy for user IFORMNG2
Execute the following command, replacing the file paths as needed:
echo javax.net.ssl.trustStore=/home/mydir/cacerts >> /home/IFORMNG2/SystemDefault.properties
Parameters:
/home/mydir/ca.cer → Replace with the actual path and filename of the certificate.
/home/mydir/cacerts → Path to the copy of Java runtime trust store.
/QOpenSys/QIBM/ProdData/JavaVM/jdk17/64bit/lib/security/cacerts → Path to the Java runtime trust store.
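The import steps above trust whatever file sits at the given path. The following POSIX shell functions are an added example, not part of InterForm's documentation or tooling: they wrap the same keytool calls so that a certificate is imported only when its SHA-256 fingerprint matches a value obtained from the certificate's owner, after the trust store has been backed up. The function names, the backup file naming and the exit codes are assumptions of this example, and keytool is assumed to be on the PATH.

```shell
#!/bin/sh
# Added example, not InterForm's script. Assumes keytool is on PATH; the
# expected fingerprint must come from the certificate's owner out of band.

# cert_sha256 FILE: print the SHA-256 fingerprint that "keytool -printcert"
# reports for FILE, normalised to upper-case hex without colons.
cert_sha256() {
    keytool -printcert -file "$1" |
        sed -n 's/^[[:space:]]*SHA256:[[:space:]]*//p' |
        head -n 1 | tr -d ': \r' | tr 'abcdef' 'ABCDEF'
}

# import_pinned_cert CERT ALIAS KEYSTORE EXPECTED_SHA256 [STOREPASS]
# Imports CERT only if its fingerprint matches; prints the backup path.
import_pinned_cert() (
    cert=$1 entry=$2 store=$3 pass=${5:-changeit}
    want=$(printf '%s' "$4" | tr -d ': ' | tr 'abcdef' 'ABCDEF')
    if [ ! -r "$cert" ] || [ ! -w "$store" ]; then
        echo "certificate or keystore not accessible" >&2; return 2
    fi
    got=$(cert_sha256 "$cert")
    if [ -z "$got" ] || [ "$got" != "$want" ]; then
        echo "refusing import: fingerprint is '$got'" >&2; return 3
    fi
    # Back up the trust store first, as the notes above require.
    backup="$store.bak.$(date +%Y%m%d%H%M%S)"
    cp -p "$store" "$backup" || return 4
    # Drop an older entry so the import cannot fail with "alias already exists".
    if keytool -list -alias "$entry" -keystore "$store" \
            -storepass "$pass" >/dev/null 2>&1; then
        keytool -delete -alias "$entry" -keystore "$store" \
            -storepass "$pass" >&2 || return 5
    fi
    if ! keytool -import -noprompt -alias "$entry" -file "$cert" \
            -keystore "$store" -storepass "$pass" >&2; then
        cp -p "$backup" "$store"    # roll back to the saved copy
        return 6
    fi
    # Confirm the entry is really there before reporting success.
    keytool -list -alias "$entry" -keystore "$store" \
        -storepass "$pass" >/dev/null || return 7
    echo "$backup"
)

# Usage with the paths from the steps above (fingerprint is a placeholder):
# import_pinned_cert /home/mydir/ca.cer CertAuth /home/mydir/cacerts "<SHA-256 from the CA>"
```

A non-zero exit code before 4 means the trust store was not touched; exit code 6 means the import failed and the backup was copied back.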