ESMPROC fails with RC=0100, with message "java.io.IOException: Failed validating certificate paths" in the logs
Article ID: 125393
Products
CA CIS
CA Common Services for z/OS
CA 90s Services
CA Database Management Solutions for DB2 for z/OS
CA Common Product Services Component
CA Common Services
CA Datacom/AD
CA ecoMeter Server Component FOC
CA Easytrieve Report Generator for Common Services
CA Infocai Maintenance
CA IPC
Unicenter CA-JCLCheck Common Component
CA Mainframe VM Product Manager
CA Chorus Software Manager
CA On Demand Portal
CA Service Desk Manager - Unified Self Service
CA PAM Client for Linux for zSeries
CA Mainframe Connector for Linux on System z
CA Graphical Management Interface
CA Web Administrator for Top Secret
CA CA- Xpertware
CA Compress Data Compression for MVS
CA Compress Data Compression for Fujitsu
Issue/Introduction
ESMPROC fails with CC=100 and the following error message:
12:31:53.581 [main] INFO org.apache.coyote.http11.Http11NioProtocol - Initializing ProtocolHandler ["http-nio-7100"]
12:31:53.646 [main] INFO org.apache.coyote.http11.Http11NioProtocol - Starting ProtocolHandler ["http-nio-7100"]
12:31:54.300 [main] INFO com.ca.sslsocket.CASSLImplementation - keyStoreFile name is safkeyring://ESMSERV/MESMRING
12:31:54.552 [main] ERROR org.apache.coyote.http11.Http11NioProtocol - Failed to start end point associated with ProtocolHandler ["http-nio-7100"]
java.io.IOException: Failed validating certificate paths
ESMPROC cannot validate the authenticity of the server certificate, so it fails to start and records the IOException in its logs.
Cause
In the keyring or cert stores being searched, the signing certificate chain:
#1. Cannot be found; or
#2. Is ambiguous
Environment
Release:
Component: ESMRIM
Resolution
1. (Cause #1) If you used your own signing certificate chain to generate the certificates for ESMPROC, all root and intermediary signing certificates must also be connected as CERTAUTHs to the keyring for ESMPROC (e.g. MESMRING).
2. (Cause #1) If you used another trusted certificate to sign the server certificate, that certificate is unknown to the ESM and needs to be imported into the database and keyring.
3. (Cause #2) If the keyring can satisfy the signing chain via more than one path, you can also get this message.
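The two causes can be told apart by listing the keyring's entries and counting the issuer paths from the server certificate to a self-signed root. The following is an added example, not code from the product or its vendor: a simplified model that matches certificates by subject and issuer DN only (real path validation also verifies signatures), run over constructed entries whose labels and DNs are hypothetical.

```python
from collections import namedtuple

# One keyring entry: label, subject DN, issuer DN, and how it is connected
# (PERSONAL for the server certificate, CERTAUTH for signing certificates).
Cert = namedtuple("Cert", "label subject issuer usage")

def chain_paths(cert, ring, seen=()):
    """Every issuer path from cert up to a self-signed certificate in ring."""
    if cert.subject == cert.issuer:            # self-signed root ends the path
        return [[cert.label]]
    paths = []
    for ca in ring:
        if ca.usage != "CERTAUTH" or ca.subject != cert.issuer:
            continue                           # not a candidate signer
        if ca.label in seen:
            continue                           # cross-signed loop, skip
        for tail in chain_paths(ca, ring, seen + (cert.label,)):
            paths.append([cert.label] + tail)
    return paths

def diagnose(server, ring):
    """Map the path count onto the article's two causes."""
    paths = chain_paths(server, ring)
    if not paths:
        return "cause #1: chain cannot be found", paths
    if len(paths) > 1:
        return "cause #2: chain is ambiguous", paths
    return "ok", paths

# Constructed sample entries (labels and DNs are hypothetical).
SERVER = Cert("ESMCERT", "CN=esm.example.test", "CN=Example Issuing CA", "PERSONAL")
INTER = Cert("INTCA", "CN=Example Issuing CA", "CN=Example Root CA", "CERTAUTH")
INTER_OLD = Cert("INTCA-OLD", "CN=Example Issuing CA", "CN=Example Root CA", "CERTAUTH")
ROOT = Cert("ROOTCA", "CN=Example Root CA", "CN=Example Root CA", "CERTAUTH")

if __name__ == "__main__":
    for name, ring in [("root only", [SERVER, ROOT]),
                       ("full chain", [SERVER, INTER, ROOT]),
                       ("duplicate intermediate", [SERVER, INTER, INTER_OLD, ROOT])]:
        status, paths = diagnose(server=SERVER, ring=ring)
        print(f"{name}: {status} {paths}")
```

In the constructed "duplicate intermediate" ring, two CERTAUTH entries share the same subject DN, which is one way a ring can offer more than one path for the same server certificate.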