Our push notification authenticator is failing in prod and non-prod environments.
2019-09-05 10:58:49,182 [http-nio-8080-exec-11] INFO pns.fcm.SSLUtils(53) -> connection got successful
2019-09-05 10:58:49,247 [http-nio-8080-exec-11] ERROR aa.pns.PushNotificationService(90) -> Failed to notify device.
javax.net.ssl.SSLHandshakeException: sun.security.validator.ValidatorException: PKIX path building failed: sun.security.provider.certpath.SunCertPathBuilderException: unable to find valid certification path to requested target
at sun.security.ssl.Alerts.getSSLException(Alerts.java:192)
at sun.security.ssl.SSLSocketImpl.fatal(SSLSocketImpl.java:1959)
at sun.security.ssl.Handshaker.fatalSE(Handshaker.java:302)
at sun.security.ssl.Handshaker.fatalSE(Handshaker.java:296)
at sun.security.ssl.ClientHandshaker.serverCertificate(ClientHandshaker.java:1514)
at sun.security.ssl.ClientHandshaker.processMessage(ClientHandshaker.java:216)
at sun.security.ssl.Handshaker.processLoop(Handshaker.java:1026)
at sun.security.ssl.Handshaker.process_record(Handshaker.java:961)
at sun.security.ssl.SSLSocketImpl.readRecord(SSLSocketImpl.java:1072)
at sun.security.ssl.SSLSocketImpl.performInitialHandshake(SSLSocketImpl.java:1385)
Caused by: sun.security.validator.ValidatorException: PKIX path building failed: sun.security.provider.certpath.SunCertPathBuilderException: unable to find valid certification path to requested target
at sun.security.validator.PKIXValidator.doBuild(PKIXValidator.java:397)
at sun.security.validator.PKIXValidator.engineValidate(PKIXValidator.java:302)
at sun.security.validator.Validator.validate(Validator.java:260)
at sun.security.ssl.X509TrustManagerImpl.validate(X509TrustManagerImpl.java:324)
... 57 more
2019-09-05 10:58:49,248 [http-nio-8080-exec-11] INFO aa.pns.PushNotificationService(302) -> error msg is : {"device":"dh8UAGlxVoc:APA91bHWueOZA4UlP8lz8HbEGRpIl-S_MHNf6FO191FJeDIMvrI4aRX0Z98jMnhA49p5pLkEMOdXmCwK7uIAUjhD_HDkO0TqOVBZUB-rkA_F0c6fNHTLb7IqcnKhMg9XVsVgjeA5MaH0","Exception":"sun.security.validator.ValidatorException: PKIX path building failed: sun.security.provider.certpath.SunCertPathBuilderException: unable to find valid certification path to requested target"}
2019-09-05 10:58:49,248 [http-nio-8080-exec-11] INFO integrations.frontend.LifeCycleStateData(712) -> Next state: 132 |20190905105833.983.601e1ab9
2019-09-05 10:58:49,248 [http-nio-8080-exec-11] INFO integrations.frontend.LifeCycleStateData(712) -> =OK=OK=OK=OK=OK,S#7=OK=NO=OK=OK=OK,S#52=presentRiskScript.jsp=OK=INCREASEAUTH=OK=OK=OK,S#52=chooseAuthMechanism.jsp=OK=OK=OK=OK,S#52=waitForPushResponse.jsp |20190905105833.983.601e1ab9
Release: 9.x
Component: AuthMinder (Arcot WebFort), RiskMinder (Arcot RiskFort)
FCM uses a dedicated truststore for the SSL connection to https://fcm.googleapis.com: $ARCOT_HOME/conf/afm/PushProvider.truststore. Google changed the *googleapis.com certificate path in February 2018, and the certificates have not been recognized since. Importing the new certificates into the truststore didn't work. Using a standard Java 7 truststore instead of the dedicated one solves the issue.
Follow the steps below to resolve the issue:
1) Stop Tomcat
2) mv $ARCOT_HOME/conf/afm/PushProvider.truststore $ARCOT_HOME/conf/afm/PushProvider.truststore_old
3) cp $JAVA_HOME/lib/security/cacerts $ARCOT_HOME/conf/afm/PushProvider.truststore
4) keytool -storepasswd -keystore $ARCOT_HOME/conf/afm/PushProvider.truststore
   Change the truststore password from "changeit" to "dost1234".
5) Restart the application server
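
Steps 2 to 4 above as one shell function, with a check before each change and a rollback if keytool fails. This is an added example, not part of the original article or the product; the function name swap_truststore is hypothetical, and it assumes Tomcat is already stopped (step 1).

```shell
#!/bin/sh
# Added example: steps 2-4 of the procedure with checks and rollback.
# swap_truststore is a hypothetical helper name. Run it with Tomcat stopped.
# The passwords "changeit" and "dost1234" are the ones given in step 4.

swap_truststore() {
    arcot_home=$1
    java_home=$2
    ts="$arcot_home/conf/afm/PushProvider.truststore"
    backup="${ts}_old"
    cacerts="$java_home/lib/security/cacerts"

    [ -f "$ts" ] || { echo "missing truststore: $ts" >&2; return 1; }
    [ -f "$cacerts" ] || { echo "missing JRE cacerts: $cacerts" >&2; return 1; }
    # Refuse to overwrite an earlier backup; it may be the only original copy.
    [ ! -e "$backup" ] || { echo "backup already exists: $backup" >&2; return 1; }

    mv "$ts" "$backup" || return 1                        # step 2
    if cp "$cacerts" "$ts" &&                             # step 3
       chmod u+w "$ts" &&                                 # cacerts is often read-only
       keytool -storepasswd -keystore "$ts" \
               -storepass changeit -new dost1234 &&       # step 4
       keytool -list -keystore "$ts" -storepass dost1234 >/dev/null
    then
        echo "truststore replaced; original kept at $backup"
        return 0
    fi
    # Any failure: put the original back so the service starts as before.
    echo "replacement failed, restoring original truststore" >&2
    rm -f "$ts"
    mv "$backup" "$ts"
    return 1
}

# Stand-alone use: sh swap_truststore.sh "$ARCOT_HOME" "$JAVA_HOME"
if [ "$#" -eq 2 ]; then
    swap_truststore "$1" "$2"
fi
```

Because the new file is a full copy of the JRE's cacerts, the FCM connection now trusts every CA in that bundle rather than a dedicated set.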