Our push notification authenticator is failing in prod and non prod environments.

2019-09-05 10:58:49,182 [http-nio-8080-exec-11] INFO  pns.fcm.SSLUtils(53)  -> connection got successful

2019-09-05 10:58:49,247 [http-nio-8080-exec-11] ERROR aa.pns.PushNotificationService(90)  -> Failed to notify device.

javax.net.ssl.SSLHandshakeException: sun.security.validator.ValidatorException: PKIX path building failed: sun.security.provider.certpath.SunCertPathBuilderException: unable to find valid certification path to requested target

        at sun.security.ssl.Alerts.getSSLException(Alerts.java:192)

        at sun.security.ssl.SSLSocketImpl.fatal(SSLSocketImpl.java:1959)

        at sun.security.ssl.Handshaker.fatalSE(Handshaker.java:302)

        at sun.security.ssl.Handshaker.fatalSE(Handshaker.java:296)

        at sun.security.ssl.ClientHandshaker.serverCertificate(ClientHandshaker.java:1514)

        at sun.security.ssl.ClientHandshaker.processMessage(ClientHandshaker.java:216)

        at sun.security.ssl.Handshaker.processLoop(Handshaker.java:1026)

        at sun.security.ssl.Handshaker.process_record(Handshaker.java:961)

        at sun.security.ssl.SSLSocketImpl.readRecord(SSLSocketImpl.java:1072)

        at sun.security.ssl.SSLSocketImpl.performInitialHandshake(SSLSocketImpl.java:1385)

Caused by: sun.security.validator.ValidatorException: PKIX path building failed: sun.security.provider.certpath.SunCertPathBuilderException: unable to find valid certification path to requested target

        at sun.security.validator.PKIXValidator.doBuild(PKIXValidator.java:397)

        at sun.security.validator.PKIXValidator.engineValidate(PKIXValidator.java:302)

        at sun.security.validator.Validator.validate(Validator.java:260)

        at sun.security.ssl.X509TrustManagerImpl.validate(X509TrustManagerImpl.java:324)

        ... 57 more

2019-09-05 10:58:49,248 [http-nio-8080-exec-11] INFO  aa.pns.PushNotificationService(302)  -> error msg is : {"device":"dh8UAGlxVoc:APA91bHWueOZA4UlP8lz8HbEGRpIl-S_MHNf6FO191FJeDIMvrI4aRX0Z98jMnhA49p5pLkEMOdXmCwK7uIAUjhD_HDkO0TqOVBZUB-rkA_F0c6fNHTLb7IqcnKhMg9XVsVgjeA5MaH0","Exception":"sun.security.validator.ValidatorException: PKIX path building failed: sun.security.provider.certpath.SunCertPathBuilderException: unable to find valid certification path to requested target"}

2019-09-05 10:58:49,248 [http-nio-8080-exec-11] INFO  integrations.frontend.LifeCycleStateData(712)  -> Next state: 132 |20190905105833.983.601e1ab9

2019-09-05 10:58:49,248 [http-nio-8080-exec-11] INFO  integrations.frontend.LifeCycleStateData(712)  -> =OK=OK=OK=OK=OK,S#7=OK=NO=OK=OK=OK,S#52=presentRiskScript.jsp=OK=INCREASEAUTH=OK=OK=OK,S#52=chooseAuthMechanism.jsp=OK=OK=OK=OK,S#52=waitForPushResponse.jsp |20190905105833.983.601e1ab9

Release : 9.x

Component : AuthMinder(Arcot WebFort)

RiskMinder( Arcot RiskFort)

FCM uses a dedicated truststore for SSL connection to https://fcm.googleapis.com: dds$ARCOT_HOME/conf/afm/PushProvider.truststore. Since February 2018 Google changed *googleapis.com certificate path and they are not recognized anymore. Importing new certs in the truststore didn't work. Using a standard Java 7 trustsotre instead of the dedicated one solves the issue.

Follow below steps to resolve the issue:

1) Stop tomcat

2) mv $ARCOT_HOME/conf/afm/PushProvider.truststore $ARCOT_HOME/conf/afm/PushProvider.truststore_old

3) cp $JAVA_HOME/lib/security/cacerts $ARCOT_HOME/conf/afm/PushProvider.truststore

4) keytool -storepasswd -keystore $ARCOT_HOME/conf/afm/PushProvider.truststore 

change truststore password from "changeit" to "dost1234"

5) Restart the application server