In my project I am forced to use a third-party REST service which is only accessible over HTTPS. Unfortunately the certificate is self-signed. What can I do to accept untrusted certificates?

asked 29.08.2017 at 07:54

SupportIvyTeam ♦♦
accept rate: 77%

Ivy Version 7.0.2 and later

The REST Client respects the well-known ivy ssl settings. Enable your custom truststore and import the self-signed certificate:

Ivy Version 7.0.1 and before

You have multiple options:

  • Put the certificate into the engine's trustStore
  • Use a custom connector

Put the certificate into the engine's trustStore

  1. import the certificate into the truststore of the engine/designer under configuration/truststore.jks. I recommend using something like the KeyStore Explorer to do this.
  2. activate the keystore globally for the JVM by setting system properties. You could do this either in a script/java call before the REST request is executed or in the Axon.ivy Designer.ini respectively the *.ilc file of the engine.



Use a custom connector which allows unsecure hosts:

Tested with Axon.ivy 6.7.1. Currently this is a painful workaround.

  • add the jersey-apache-connector.jar to the /dropins directory of your product
  • copy the jersey-apache-connector.jar plus the jersey-commons.jar and the jersey-guava.jar into your project as well, and add them to the classpath.
  • enable the apache-connector-provider via SPI:
      - Create a file: /src/META-INF/services/org.glassfish.jersey.client.spi.ConnectorProvider
      - In it, paste the fully qualified name of the connector: org.glassfish.jersey.apache.connector.ApacheConnectorProvider
  • add a java class that configures the apache-connector to allow any certificate by any host (see below)
  • use CustomRest.unsecureClient("myRestSErviceName") as entry point for your REST requests.

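    package com.axonivy.connectivity;
    import java.security.KeyManagementException;
    import java.security.NoSuchAlgorithmException;
    import java.security.SecureRandom;
    import java.security.cert.CertificateException;
    import java.security.cert.X509Certificate;
    import javax.net.ssl.HostnameVerifier;
    import javax.net.ssl.SSLContext;
    import javax.net.ssl.SSLSession;
    import javax.net.ssl.TrustManager;
    import javax.net.ssl.X509TrustManager;
    import javax.ws.rs.client.WebTarget;
    import org.apache.http.config.Registry;
    import org.apache.http.config.RegistryBuilder;
    import org.apache.http.conn.HttpClientConnectionManager;
    import org.apache.http.conn.socket.ConnectionSocketFactory;
    import org.apache.http.conn.socket.PlainConnectionSocketFactory;
    import org.apache.http.conn.ssl.SSLConnectionSocketFactory;
    import org.apache.http.impl.conn.BasicHttpClientConnectionManager;
    import org.glassfish.jersey.apache.connector.ApacheConnectorProvider;
    import ch.ivyteam.ivy.environment.Ivy;
    public class CustomRest {
        // Returns a target for the named REST service that accepts any certificate from any host.
        public static WebTarget unsecureClient(String serviceName) {
            Thread th = Thread.currentThread();
            ClassLoader oldCtl = th.getContextClassLoader();
            try {
                // Assumption (lines missing on the page): switch the context class loader so the connector is found, then look up the Ivy REST client.
                th.setContextClassLoader(ApacheConnectorProvider.class.getClassLoader());
                HttpClientConnectionManager conMan = new BasicHttpClientConnectionManager(getConnectionRegistry(), null, null, null);
                return Ivy.rest().client(serviceName)
                        .property("jersey.config.apache.client.connectionManager", conMan);
            } finally {
                th.setContextClassLoader(oldCtl);
            }
        }
        private static Registry<ConnectionSocketFactory> getConnectionRegistry() {
            SSLContext ctxt = createTrustAllContext();
            // Hostname verification is switched off: every host name is accepted.
            HostnameVerifier verifyAllHosts = new HostnameVerifier() {
                public boolean verify(String hostname, SSLSession session) {
                    return true;
                }
            };
            SSLConnectionSocketFactory factory = new SSLConnectionSocketFactory(ctxt, verifyAllHosts);
            return RegistryBuilder.<ConnectionSocketFactory>create()
                    .register("http", PlainConnectionSocketFactory.getSocketFactory())
                    .register("https", factory)
                    .build();
        }
        private static SSLContext createTrustAllContext() {
            // Trust manager that performs no certificate chain validation at all.
            TrustManager[] certs = new TrustManager[]{new X509TrustManager() {
                public X509Certificate[] getAcceptedIssuers() {
                    return null;
                }
                public void checkServerTrusted(X509Certificate[] chain, String authType) throws CertificateException {
                }
                public void checkClientTrusted(X509Certificate[] chain, String authType) throws CertificateException {
                }
            }};
            SSLContext ctx = null;
            try {
                ctx = SSLContext.getInstance("TLS");
                ctx.init(null, certs, new SecureRandom());
            } catch (NoSuchAlgorithmException | KeyManagementException e) {
                throw new RuntimeException("failed to setup insecure ssl context", e);
            }
            return ctx;
        }
    }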
This answer is marked "community wiki".

answered 29.08.2017 at 07:56

Reguel Werme... ♦♦
accept rate: 70%

edited 05.12.2017 at 10:18

Alex Suter ♦♦
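
An added example, not part of the original answer or of Axon.ivy's code: a connection registry that could stand in for getConnectionRegistry() above, trusting only the certificates held in a given truststore file and leaving hostname verification on. The class and method names (PinnedTrust, contextFor, registryFor) are hypothetical, and the truststore path and password are supplied by the caller.

```java
import java.io.IOException;
import java.io.InputStream;
import java.nio.file.Files;
import java.nio.file.Path;
import java.security.GeneralSecurityException;
import java.security.KeyStore;
import javax.net.ssl.SSLContext;
import javax.net.ssl.TrustManagerFactory;
import org.apache.http.config.Registry;
import org.apache.http.config.RegistryBuilder;
import org.apache.http.conn.socket.ConnectionSocketFactory;
import org.apache.http.conn.socket.PlainConnectionSocketFactory;
import org.apache.http.conn.ssl.SSLConnectionSocketFactory;

// Hypothetical helper class: names are illustrative, not from the page.
public class PinnedTrust {

    /** Builds an SSLContext that trusts only the certificates stored in the given JKS file. */
    static SSLContext contextFor(Path truststore, char[] password)
            throws IOException, GeneralSecurityException {
        KeyStore ks = KeyStore.getInstance("JKS");
        try (InputStream in = Files.newInputStream(truststore)) {
            ks.load(in, password);
        }
        if (ks.size() == 0) {
            // An empty store would only fail later, during the handshake; report it here instead.
            throw new GeneralSecurityException("truststore contains no entries: " + truststore);
        }
        TrustManagerFactory tmf =
                TrustManagerFactory.getInstance(TrustManagerFactory.getDefaultAlgorithm());
        tmf.init(ks);
        SSLContext ctx = SSLContext.getInstance("TLS");
        ctx.init(null, tmf.getTrustManagers(), null);
        return ctx;
    }

    /** Same registry shape as getConnectionRegistry(), but with real certificate checks. */
    static Registry<ConnectionSocketFactory> registryFor(Path truststore, char[] password)
            throws IOException, GeneralSecurityException {
        // The one-argument constructor keeps HttpClient's default hostname verifier.
        SSLConnectionSocketFactory https =
                new SSLConnectionSocketFactory(contextFor(truststore, password));
        return RegistryBuilder.<ConnectionSocketFactory>create()
                .register("http", PlainConnectionSocketFactory.getSocketFactory())
                .register("https", https)
                .build();
    }
}
```

Because hostname verification stays on, the self-signed certificate has to name the host the client connects to.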


Asked: 29.08.2017 at 07:54

Seen: 4,735 times

Last updated: 05.12.2017 at 10:18