**Ivy Version 7.0.2 and later**

The REST Client respects the well-known ivy ssl settings. Enable your custom truststore and import the self-signed certificate:
[https://developer.axonivy.com/doc/latest/DesignerGuideHtml/ivy.introduction.html#ivy-introduction-preferences-sslclient][1]

**Ivy Version 7.0.1 and before**
You have multiple options:
- Put the certificate into the engine's trustStore
- Use a custom connector

**Put the certificate into the engine's trustStore**

1. import the certificate into the truststore of the engine/designer under `configuration/truststore.jks`. I recommend using something like the `KeyStore explorer` to do this. ![alt text][2]
2. activate the keystore globally for the JVM by setting system properties. You could do this either in a script/java call before the REST request is executed or in the `Axon.ivy Designer.ini` or the `*.ilc` file of the engine.

   ```
   javax.net.ssl.trustStore=configuration/truststore.jks
   javax.net.ssl.trustStorePassword=changeit
   ```

   ![alt text][3]

**Use a custom connector which allows unsecure hosts:**

Tested with Axon.ivy 6.7.1. Currently this is a painful workaround.

- add the [jersey-apache-connector.jar][4] to the `/dropins` directory of your product
- copy the [jersey-apache-connector.jar][5] plus the [jersey-commons.jar][6] and the [jersey-guava.jar][7] into your project as well, and add them to the classpath. ![alt text][8]
- enable the apache-connector-provider via SPI.
  - Create a file: `/src/META-INF/services/org.glassfish.jersey.client.spi.ConnectorProvider`
  - In it, paste the fully qualified name of the connector: `org.glassfish.jersey.apache.connector.ApacheConnectorProvider`

  ![alt text][9]
- add a java class that configures the apache-connector to allow any certificate by any host (see below)
- use `CustomRest.unsecureClient("myRestSErviceName")` as entry point for your REST requests.

```java
package com.axonivy.connectivity;

import java.security.SecureRandom;
import java.security.cert.CertificateException;
import java.security.cert.X509Certificate;

import javax.net.ssl.HostnameVerifier;
import javax.net.ssl.SSLContext;
import javax.net.ssl.SSLSession;
import javax.net.ssl.TrustManager;
import javax.net.ssl.X509TrustManager;
import javax.ws.rs.client.WebTarget;

import org.apache.http.config.Registry;
import org.apache.http.config.RegistryBuilder;
import org.apache.http.conn.HttpClientConnectionManager;
import org.apache.http.conn.socket.ConnectionSocketFactory;
import org.apache.http.conn.socket.PlainConnectionSocketFactory;
import org.apache.http.conn.ssl.SSLConnectionSocketFactory;
import org.apache.http.impl.conn.BasicHttpClientConnectionManager;
import org.glassfish.jersey.apache.connector.ApacheConnectorProvider;

import ch.ivyteam.ivy.environment.Ivy;

public class CustomRest {

  /**
   * Returns a REST client for the given service that accepts any certificate
   * from any host. No server authentication takes place on these connections.
   */
  public static WebTarget unsecureClient(String serviceName) {
    Thread th = Thread.currentThread();
    ClassLoader oldCtl = th.getContextClassLoader();
    try {
      // Let the SPI lookup find the Apache connector provider while the client is built.
      th.setContextClassLoader(ApacheConnectorProvider.class.getClassLoader());
      HttpClientConnectionManager conMan =
          new BasicHttpClientConnectionManager(getConnectionRegistry(), null, null, null);
      return Ivy.rest().client(serviceName)
          .property("jersey.config.apache.client.connectionManager", conMan);
    } finally {
      // Always restore the caller's context class loader.
      th.setContextClassLoader(oldCtl);
    }
  }

  private static Registry<ConnectionSocketFactory> getConnectionRegistry() {
    SSLContext ctxt = createTrustAllContext();
    // Hostname verification is switched off: every host name is accepted.
    HostnameVerifier verifyAllHosts = new HostnameVerifier() {
      @Override
      public boolean verify(String hostname, SSLSession session) {
        return true;
      }
    };
    SSLConnectionSocketFactory factory = new SSLConnectionSocketFactory(ctxt, verifyAllHosts);
    return RegistryBuilder.<ConnectionSocketFactory>create()
        .register("http", PlainConnectionSocketFactory.getSocketFactory())
        .register("https", factory)
        .build();
  }

  private static SSLContext createTrustAllContext() {
    // Trust manager whose checks are empty, so every certificate chain passes.
    TrustManager[] certs = new TrustManager[] {new X509TrustManager() {
      @Override
      public X509Certificate[] getAcceptedIssuers() {
        // The interface contract requires a non-null array.
        return new X509Certificate[0];
      }

      @Override
      public void checkServerTrusted(X509Certificate[] chain, String authType) throws CertificateException {
      }

      @Override
      public void checkClientTrusted(X509Certificate[] chain, String authType) throws CertificateException {
      }
    }};
    try {
      SSLContext ctx = SSLContext.getInstance("TLS");
      ctx.init(null, certs, new SecureRandom());
      return ctx;
    } catch (java.security.GeneralSecurityException e) {
      throw new RuntimeException("failed to setup insecure ssl context", e);
    }
  }
}
```

[1]: https://developer.axonivy.com/doc/latest/DesignerGuideHtml/ivy.introduction.html#ivy-introduction-preferences-sslclient
[2]: https://answers.axonivy.com/upfiles/truststore.jks_withMyOwnZert.png
[3]: https://answers.axonivy.com/upfiles/axonIvyDesignerIni_trustStoreProps.png
[4]: https://mvnrepository.com/artifact/org.glassfish.jersey.connectors/jersey-apache-connector/2.25.1
[5]: https://mvnrepository.com/artifact/org.glassfish.jersey.connectors/jersey-apache-connector/2.25.1
[6]: http://central.maven.org/maven2/org/glassfish/jersey/core/jersey-common/2.25.1/jersey-common-2.25.1.jar
[7]: http://central.maven.org/maven2/org/glassfish/jersey/bundles/repackaged/jersey-guava/2.25.1/jersey-guava-2.25.1.jar
[8]: https://answers.axonivy.com/upfiles/libsForApacheConnector_UWPD9rq.png
[9]: https://answers.axonivy.com/upfiles/connectorProviderSPI_nxa9U0o.png
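
An added example, not part of the original answer and not Axon.ivy code: a TLS context built from the `configuration/truststore.jks` file of the first option, so that trust is limited to the imported certificate without JVM-wide system properties. The class name `TruststoreContext` and its methods are hypothetical; the path and password defaults are the ones shown in the answer.

```java
import java.io.IOException;
import java.io.InputStream;
import java.nio.file.Files;
import java.nio.file.Path;
import java.nio.file.Paths;
import java.security.GeneralSecurityException;
import java.security.KeyStore;
import java.security.cert.Certificate;
import java.security.cert.X509Certificate;
import java.util.Collections;
import javax.net.ssl.SSLContext;
import javax.net.ssl.TrustManagerFactory;

// Hypothetical helper class (not part of Axon.ivy or of the original answer).
public class TruststoreContext {

  /** Loads the JKS file and fails early if it holds no entries at all. */
  static KeyStore load(Path jks, char[] password) throws IOException, GeneralSecurityException {
    KeyStore store = KeyStore.getInstance("JKS");
    try (InputStream in = Files.newInputStream(jks)) {
      store.load(in, password); // also checks the store's integrity with the password
    }
    if (store.size() == 0) {
      throw new GeneralSecurityException("no entries in " + jks);
    }
    return store;
  }

  /** TLS context that accepts only chains anchored in the given store. */
  static SSLContext contextFor(KeyStore store) throws GeneralSecurityException {
    TrustManagerFactory tmf = TrustManagerFactory.getInstance(TrustManagerFactory.getDefaultAlgorithm());
    tmf.init(store);
    SSLContext ctx = SSLContext.getInstance("TLS");
    ctx.init(null, tmf.getTrustManagers(), null); // no client key, default SecureRandom
    return ctx;
  }

  public static void main(String[] args) throws Exception {
    // Defaults are the path and password shown in the answer.
    Path jks = Paths.get(args.length > 0 ? args[0] : "configuration/truststore.jks");
    char[] password = (args.length > 1 ? args[1] : "changeit").toCharArray();
    KeyStore store = load(jks, password);
    for (String alias : Collections.list(store.aliases())) {
      Certificate cert = store.getCertificate(alias);
      if (cert instanceof X509Certificate) {
        System.out.println(alias + " -> " + ((X509Certificate) cert).getSubjectX500Principal());
      }
    }
    System.out.println("context ready: " + contextFor(store).getProtocol());
  }
}
```

Passing the resulting context to `new SSLConnectionSocketFactory(ctx)` in `getConnectionRegistry()` keeps the Apache connector setup but restores certificate and host name checks, since that constructor uses the default hostname verifier.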