ESMPROC fails with RC=0100, with message " Failed validating certificate paths" in the logs


Article ID: 125393


Updated On:


CA CIS CA Common Services for z/OS CA 90s Services CA Database Management Solutions for DB2 for z/OS CA Common Product Services Component CA Common Services CA Datacom/AD CA ecoMeter Server Component FOC CA Easytrieve Report Generator for Common Services CA Infocai Maintenance CA IPC Unicenter CA-JCLCheck Common Component CA Mainframe VM Product Manager CA Chorus Software Manager CA On Demand Portal CA Service Desk Manager - Unified Self Service CA PAM Client for Linux for zSeries CA Mainframe Connector for Linux on System z CA Graphical Management Interface CA Web Administrator for Top Secret CA CA- Xpertware CA Compress Data Compression for MVS CA Compress Data Compression for Fujitsu


ESMPROC is failing with CC=100 and error message:

12:31:53.581 .main. INFO org.apache.coyote.http11.Http11NioProtocol - Initializing ProtocolHandler ."http-nio-7100".
12:31:53.646 .main. INFO org.apache.coyote.http11.Http11NioProtocol - Starting ProtocolHandler ."http-nio-7100".
12:31:54.300 .main. INFO - keyStoreFile name is safkeyring://ESMSERV/MESMRING
12:31:54.552 .main. ERROR org.apache.coyote.http11.Http11NioProtocol - Failed to start end point associated with ProtocolHandler ."http-nio-7100". Failed validating certificate paths

The problem is that ESMPROC is unable to validate the authenticity of server certificate and fails to start, throwing the IOException in its logs.


The signing certificate chain:

#1.  Cannot be found; or 
#2.  Is ambiguous 

in the keyring or cert stores being searched.  


Component: ESMRIM


1.  (Cause #1) If you used your own signing certificate chain to generate the certificates for ESMPROC, all root and intermediary signing certificates must also be connected as CERTAUTHs to the keyring for ESMPROC (e.g. MESMRING).

2.  (Cause #1) If you used another trusted certificate to sign the server certificate, that certificate is unknown to the ESM and needs to be imported into the database and keyring.

3.  (Cause #2) If the keyring can satisfy the signing chain via more than one path, you can also get this message.