Unable to validate certificate error on EM/Webview startup


Article ID: 140605


Updated On:


CA Application Performance Management Agent (APM / Wily / Introscope) CA Application Performance Management (APM / Wily / Introscope) INTROSCOPE


Upgraded the MOM and collectors to 10.7.0 and SP3. but upon MOM upgrade to sp3. it is not starting up. it is throwing below error

 [ERROR] [main] [Manager.EMWebServer] The EM Webstart service could not be started :Unable to validate certificate: the trustAnchors parameter must be non-empty




Missing configuration value in em-jetty-config.xml 


Release : 10.7.0

Component : APM Agents


The Doc section in https://techdocs.broadcom.com/content/broadcom/techdocs/us/en/ca-enterprise-software/it-operations-management/application-performance-management/10-7/administrating/configure-enterprise-manager/configure-enterprise-manager-communications.html

in Jetty Configuration Options for SSL

explains if ValidateCertificates is true then 

Modify em-jetty-config.xml and enable appropriate validation methods. This modification means that either both or the appropriate one of these following settings have to be enabled:

<Set name="enableCRLDP">true</Set> - the validation uses Certificate Revocation List file URL that is specified as an extension of X.509 certificate.

<Set name="enableOCSP">true</Set> - the validation uses OCSP responder. This OCSP responder URL can also be specified in X.509 certificate as an extension. If the certificate does not define this OCSP responder URL, it can be specified with <Set name="ocspResponderURL">http://example.com/ocsp</Set>.

For more information, see Jetty 9.4 SslContextFactory class documentation.