Hari Krishnan

Apex Runtime Exception: toDerInputStream rejects tag type 77"|0xb661bce

Hi,

I'm trying to make an Apex callout to an external secured (HTTPS) web service and I'm getting the following exception:

common.apex.runtime.impl.ExecutionException: IO Exception: toDerInputStream rejects tag type 77"|0x24444ac2

The external web service is a Cast Iron Web Service. A CA-signed certificate is imported into Cast Iron.

Here are the steps I followed:

1. I exported the key along with the password from the Cast Iron WMC.

2. Added the following code:

// WSDL2Apex stub for the Cast Iron web service; the same instance is configured throughout
instance.endpoint_x         = 'https://server.mycompany.com/mywebservice';
instance.inputHttpHeaders_x = new Map<String, String>();
instance.inputHttpHeaders_x.put('OrganizationId', UserInfo.getOrganizationId());
String sKey = ''; // the key that was exported from Cast Iron
Blob keyBlob = Blob.valueOf(sKey);                      // bytes of the key text
String sKeyBase64 = EncodingUtil.base64Encode(keyBlob); // base64 of those bytes
instance.clientCert_x       = sKeyBase64;
instance.clientCertPasswd_x = 'password';
instance.timeout_x          = 60000;

I followed the advice from the following threads/blogs, but I'm still getting this error. It looks like the error happens if the key is of DER type. But when I exported the key, I did select the PKCS#12 format.

http://boards.developerforce.com/t5/Apex-Code-Development/Mutual-SSL-on-WebSvc-callouts-getting-a-jump-on-Summer-08/td-p/75898

http://techblog.kruelintent.com/post/13821841289/how-to-connecting-to-a-secure-web-service-https-from

What am I doing wrong? Any help would be much appreciated.

Regards,

Hari Krishnan.

Best Answer chosen by Admin (Salesforce Developers)
Hari Krishnan

Yes, we solved this issue. I think the exception message is kind of misleading.

Basically, it looks like Salesforce doesn't support DER/PEM certificates and can accept only PKCS#12, as it can contain both the certificate (along with the intermediate certificates and signer certificate) and the private key in a standardized manner. Check whether you are using PEM/DER; if so, try to export the certificate in PKCS#12 format.

In my case, the issue was a little different. I did export as PKCS#12 from IBM WebSphere Cast Iron, but I extracted only the private key from the .PFX file and embedded it into the code. With the help of Salesforce support, we found that we had to base64 encode the entire certificate and embed it into the code. The process works like this:

1. Import the signed certificate into the Windows Certificates MMC.

2. Export this certificate by right-clicking the certificate -> All Tasks -> Export.

3. Click 'Next' and choose 'Yes, export the private key'.

4. Click 'Next' and choose the 'Personal Information Exchange - PKCS #12 (.PFX)' option. Make sure you uncheck all the sub-options.

5. Enter the password and the confirm password and click 'Next'.

6. Specify the file name, click 'Next' and click 'Finish'.

7. Install the Windows distribution of OpenSSL (http://www.slproweb.com/products/Win32OpenSSL.html) on your workstation.

8. Create a folder 'myca' and copy the file that you created in the last step into it.

9. Open a command prompt, navigate to this folder and run the following commands:

   a. set OPENSSL_CONF=c:\openssl-win32\bin\openssl.cfg (change the path if necessary)

   b. set PATH=%PATH%;C:\openssl-win32\bin

   c. openssl

   d. base64 -in <input file name> -out <output file name>

10. Open the output file in any text editor, copy the encoded text and embed it into your code.

This fixed the issue in my case. Note that this is required only if you use the legacy method of using certificates generated from a CSR that you created outside of Salesforce. Salesforce recommends generating the CSR from Salesforce itself (Setup -> Security Controls -> Certificate and Key Management). This way, the private key is not shared outside of Salesforce.

I'm writing a detailed blog post on this and hopefully it will help people. The post can be found at http://krishhari.wordpress.com/2012/02/04/making-authenticated-web-service-callouts-from-salesforce-to-ibm-cast-iron-using-sslcertificatespart-i/.

Regards,

Hari Krishnan.
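A pre-flight check for the mistake this answer describes, written as an added example for this page (it is not code from the thread, from Salesforce or from Cast Iron). A PKCS#12 (.pfx) file is a DER SEQUENCE, so its first raw byte is 0x30, and base64 of any such file starts with the letter 'M'. The "tag type 77" in the question's exception is 0x4D, the ASCII code of 'M', which is consistent with Salesforce having decoded base64 text (the pattern in the question: Blob.valueOf on key text, then base64Encode) instead of the raw .pfx bytes; that reading is an inference from the error text, not something the thread states. SAMPLE_PFX_BYTES is a constructed stand-in with only the right first byte, not a real PKCS#12 structure; the function names are this example's own. It runs offline with the standard library.

```python
import base64
import binascii

# ASN.1 DER tag for SEQUENCE; a PKCS#12 (.pfx) file is a DER SEQUENCE,
# so its first raw byte is always 0x30.
DER_SEQUENCE_TAG = 0x30

# Constructed stand-in for a .pfx file: a tiny DER SEQUENCE holding one INTEGER.
# It is not a real PKCS#12 structure; it only has the right first byte.
SAMPLE_PFX_BYTES = b"\x30\x03\x02\x01\x03"


def classify(data: bytes) -> str:
    """Say what kind of material a blob is before it is embedded in clientCert_x."""
    if data.startswith(b"-----BEGIN"):
        return "pem"
    if data[:1] == bytes([DER_SEQUENCE_TAG]):
        return "der"
    # Base64 of any DER SEQUENCE starts with 'M' (0x4D): the first six bits of
    # 0x30 are 001100 = 12, and index 12 of the base64 alphabet is 'M'.
    try:
        decoded = base64.b64decode(data, validate=True)
    except (binascii.Error, ValueError):
        return "unknown"
    if decoded[:1] == bytes([DER_SEQUENCE_TAG]):
        return "base64-text"
    return "unknown"


def encode_for_callout(pfx_bytes: bytes) -> str:
    """The correct transformation: raw .pfx bytes -> base64 string, encoded exactly once."""
    kind = classify(pfx_bytes)
    if kind != "der":
        raise ValueError(f"expected raw DER/PKCS#12 bytes, got {kind}")
    return base64.b64encode(pfx_bytes).decode("ascii")


def double_encode_like_the_question(base64_text: str) -> str:
    """Reproduce the question's pattern: Blob.valueOf(text) followed by base64Encode."""
    return base64.b64encode(base64_text.encode("ascii")).decode("ascii")


def first_tag_seen_by_parser(client_cert_value: str) -> int:
    """The first byte a DER parser sees after decoding the clientCert_x value once."""
    raw = base64.b64decode(client_cert_value)
    return raw[0]


def diagnose(client_cert_value: str) -> str:
    """Explain, in the parser's terms, whether the embedded value will be accepted."""
    tag = first_tag_seen_by_parser(client_cert_value)
    if tag == DER_SEQUENCE_TAG:
        return "ok: value decodes to a DER SEQUENCE"
    return (f"bad: parser sees tag type {tag} (0x{tag:02x}, {chr(tag)!r}); "
            "the embedded value is base64 of text, not of the raw .pfx bytes")


if __name__ == "__main__":
    good = encode_for_callout(SAMPLE_PFX_BYTES)
    bad = double_encode_like_the_question(good)
    print("single-encoded:", diagnose(good))
    print("double-encoded:", diagnose(bad))
```

Run it against a real export by replacing SAMPLE_PFX_BYTES with the bytes read from the .pfx file in binary mode; if classify reports "pem" or "base64-text", the file needs to be re-exported as PKCS#12 or simply not base64-encoded a second time.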

 

All Answers

acmegx765432345678

Any updates on this? We have a similar problem
