Consultor Eletrônico

Status: Unverified

SYMPTOM(s):

An OpenEdge Web Service Client fails with error 9318 when connecting to a secured Web Service

OpenEdge Web Service Consumer fails with error 9318 when connecting via HTTPS

Secure Socket Layer (SSL) failure. error code -54: unable to get local issuer certificate: for <hash file> in <path> (9318)

The WSDL Analyzer (bprowsdldoc) fails with error 11748

Error loading WSDL document <WSDL URL> : Fatal Error: connect operation failed (WinSock reported error=0) location <WSDL URL> (11748)

The WSDL Analyzer also returns the following error messages before error 11748:

Error message: 9318

Error message: 9407

Same WSDL is accessed via Web Browser and certificate is used with no errors

FACT(s) (Environment):

OpenEdge 10.1x
All Supported Operating Systems

CAUSE:

The Root CA has not been imported to OpenEdge

FIX:


Import the Root CA certificate. Here are the basic steps:

- Go to https://<WSDL URL> in Internet Explorer.
- Open the certificate in Internet Explorer by double-clicking on the padlock icon.
- Go to the "Certificate Path" tab.
- Click on the root certificate (the certificate at the top of the tree), then on "View Certificate".
- Go to the "Details" tab.
- Click on "Copy to File".
- Choose "Base-64 encoded X.509 (.CER)".
- Save the file with a .pem extension (or rename it afterwards).
- Go into Proenv and run:

mkhashfile <previously_saved_file>.pem

- OR -

certutil -format PEM -import <previously_saved_file>.pem
Note: Internet Explorer does not provide access to certain Root CA certificates. In cases where error 9318 shows a different hash file than the one generated by mkhashfile with the exported Root CA certificate from IE, try exporting the Root CA certificate with Firefox. At the time of this writing, this issue has only been noticed with the following certificate chain: "AddTrust External CA Root" -> "UTN-USERFirst-Hardware".