ESMPROC fails with RC=0100, with message "java.io.IOException: Failed validating certificate paths" in the logs

Article Id: 125393
Status: Published
Updated On: 28-01-2019 11:05
Products:
CA CIS , CA Common Services for z/OS , CA 90s Services , CA Database Management Solutions for DB2 for z/OS , CA Common Product Services Component , CA Common Services , CA Datacom/AD , CA ecoMeter Server Component FOC , CA Easytrieve Report Generator for Common Services , CA Infocai Maintenance , CA IPC , Unicenter CA-JCLCheck Common Component , CA Mainframe VM Product Manager , CA Chorus Software Manager , CA On Demand Portal , CA Service Desk Manager - Unified Self Service , CA PAM Client for Linux for zSeries , CA Mainframe Connector for Linux on System z , CA Graphical Management Interface , CA Web Administrator for Top Secret , CA CA- Xpertware , CA Compress Data Compression for MVS , CA Compress Data Compression for Fujitsu
Issue/Introduction:

ESMPROC is failing with CC=100 and error message:

12:31:53.581 .main. INFO org.apache.coyote.http11.Http11NioProtocol - Initializing ProtocolHandler ."http-nio-7100".
12:31:53.646 .main. INFO org.apache.coyote.http11.Http11NioProtocol - Starting ProtocolHandler ."http-nio-7100".
12:31:54.300 .main. INFO com.ca.sslsocket.CASSLImplementation - keyStoreFile name is safkeyring://ESMSERV/MESMRING
12:31:54.552 .main. ERROR org.apache.coyote.http11.Http11NioProtocol - Failed to start end point associated with ProtocolHandler ."http-nio-7100". java.io.IOException: Failed validating certificate paths

The problem is that ESMPROC is unable to validate the authenticity of server certificate and fails to start, throwing the IOException in its logs.

Cause:

The signing certificate chain:

#1.  Cannot be found; or 
#2.  Is ambiguous 

in the keyring or cert stores being searched.  

Environment:

Release:
Component: ESMRIM

Resolution:

1.  (Cause #1) If you used your own signing certificate chain to generate the certificates for ESMPROC, all root and intermediary signing certificates must also be connected as CERTAUTHs to the keyring for ESMPROC (e.g. MESMRING).

2.  (Cause #1) If you used another trusted certificate to sign the server certificate, that certificate is unknown to the ESM and needs to be imported into the database and keyring.

3.  (Cause #2) If the keyring can satisfy the signing chain via more than one path, you can also get this message.