CA APM 10.7 EM log shows "Cannot send EM topology due: 'SSLHandshakeException: PKIX path building failed ..."


Article ID: 101474


Updated On:


APP PERF MANAGEMENT CA Application Performance Management Agent (APM / Wily / Introscope) CUSTOMER EXPERIENCE MANAGER INTROSCOPE


The EM log contains repeated INFO level message:
[INFO] [Thread-ClusterTopologyPoller] [Manager.AppMap] Cannot send EM topology due: 'SSLHandshakeException: PKIX path building failed: unable to find valid certification path to requested target' Will retry.
Data visibility under Team Center Map layers "APM Infrastructure Layer" & "Infrastructure Layer" will also likely be impacted.


This message occurs when the 10.7 EM Web Server is configured to use the secure connector enabled in the em-jetty-config.xml file.
When the Introscope_Enterprise_Manager.lax or EMService.conf file is configured to add JSSE tracing property "" the EM log shows a "certificate_unknown" for the SSL handshake every 10 seconds.
In 10.7 there is new functionality to make the EM behave like an http-client to the same/another EM and the security is more strict i.e. when a secure EM web server is being used an invalid/untrusted certificate will cause the error.


APM 10.7


There are 2 options:
1. When the em-jetty-config.xml file has been configured to use a certAlias corresponding to the private key/public certificate pair that has been imported into the EM_HOME/config/internal/server/keystore file then the corresponding public certificate also needs to be exported and imported it into the EM_HOME/jre/lib/security/cacerts file. The following 10.7 documentation ink covers this:
NOTE: The default em-jetty-config.xml file uses certAlias "caapm" issued by which is a self-signed certificate which is normally replaced by the end user when implementing SSL. If "caapm" is used even if its public certificate is exported from EM_HOME/config/internal/server/keystore file and imported into the EM_HOME/jre/lib/security/cacerts file, that will still cause an exception due to the hostname not matching the certificate e.g.
[INFO] [RemoteHttpCallServiceExecutor-15] [Manager.AppMap.RemoteHttp] SSLPeerUnverifiedException: Host name 'xxxxxxxxxx' does not match the certificate subject provided by the peer (, OU=Agile Operations, O=CA, L=Santa Clara, ST=California, C=US) 

2. As of June 7 10.7 SP1 is released which provides the ability to disable certificate hostname validation in the em-jetty-config.xml which will also prevent the original exception. The required setting is: <Set name="verifyHostnames">false</Set>
10.7 GA also had this property but it did not prevent the exception in that release. 

Additional Information

A similar exception message is reported in this existing KB which can also cause problems :
KB: "Cannot send EM topology due: SSLPeerUnverifiedException" message in the EM log after upgrading to 10.7: