API Gateway: Policy manager crashes with error: sun.security.validator.ValidatorException: PKIX path building failed

Article ID: 186504

Products

  • CA API Gateway
  • API SECURITY
  • CA API Gateway Precision API Monitoring Module for API Gateway (Layer 7)
  • CA API Gateway Enterprise Service Manager (Layer 7)
  • STARTER PACK-7
  • CA Microgateway

Issue/Introduction

This article discusses what to do when Policy Manager crashes and logs the following error:

org.springframework.remoting.RemoteAccessException: Could not access HTTP invoker remote service at [https://securespangateway/ssg/manager/AuditAdmin]; nested exception is javax.net.ssl.SSLHandshakeException: sun.security.validator.ValidatorException: PKIX path building failed: sun.security.provider.certpath.SunCertPathBuilderException: unable to find valid certification path to requested target 

Cause

Two root causes have been seen for the error noted in this article:

  • The most frequent root cause is data corruption in the hidden .l7tech folder in the Users directory of the machine running Policy Manager
  • A rarer root cause is an expired certificate
    • This may include the default SSL certificate for the whole Gateway or whichever certificate was assigned to the Listen Port that Policy Manager is connecting to

Environment

This article applies to all supported API Gateway versions accessed via Policy Manager.

Resolution

To ensure there is no data corruption left on the machine running Policy Manager, follow the steps below:

  1. Close all running instances of Policy Manager
  2. Back up the folder located at c:\users\<user-name>\.l7tech
  3. Delete the .l7tech folder
  4. Relaunch Policy Manager, which will recreate the .l7tech folder using default values

If the issue remains, the root cause may be an expired certificate instead. If the steps above did not resolve the issue, follow these steps:

  1. Log in via Policy Manager
  2. Review the Manage Certificates list and determine if any certificates are expired
    • If expired, replace the affected certificates and skip to step 4 after completion
    • If not expired, continue to the very next step
  3. Review the Private Keys list and ensure none of the certificates associated with them have expired
    • If expired, replace the affected certificates
  4. Reboot the Gateway servers in the cluster, and the issue should now be resolved

Additional Information

If any customizations were made to the .ini file, such as to increase memory allocation to Policy Manager, that change should be reapplied after the above is completed.