ERROR [com.ca.commons.security.ssl.CustomDefaultStoreSSLSocketFactory] Failed to verify server certificate chain com.ibm.jsse2.util.h: PKIX path building failed:

Article ID: 20291

Updated On:

Products

CA Directory
CA Identity Manager
CA Identity Governance
CA Identity Portal
CA Risk Analytics
CA Secure Cloud SaaS - Arcot A-OK (WebFort)
CLOUDMINDER ADVANCED AUTHENTICATION
CA Secure Cloud SaaS - Advanced Authentication
CA Secure Cloud SaaS - Identity Management
CA Secure Cloud SaaS - Single Sign On
CA Security Command Center
CA Data Protection (DataMinder)
CA User Activity Reporting

Issue/Introduction

Description:

After upgrading Identity Manager (IM) from 12.6 to 12.6 SP1, the following certificate error occurs when IM connects to an LDAP user store over TLS:

[2/12/13 15:10:14:676 EST] 00000015 SystemOut O 15:10:14,674 ERROR [com.ca.commons.security.ssl.CustomDefaultStoreSSLSocketFactory] Failed to verify server certificate chain com.ibm.jsse2.util.h: PKIX path building failed:
java.security.cert.CertPathBuilderException: PKIXCertPathBuilderImpl could not build a valid CertPath.; internal cause is:
java.security.cert.CertPathValidatorException: The certificate issued by CN=DXCertGenCA, O=DXCertGenPKI, C=AU is not trusted; internal cause is:
java.security.cert.CertPathValidatorException: Certificate chaining error
    at com.ibm.jsse2.util.f.b(f.java:113)
    at com.ibm.jsse2.util.f.b(f.java:61)
    at com.ibm.jsse2.util.e.a(e.java:22)
    at com.ibm.jsse2.pc.a(pc.java:100)
    at com.ibm.jsse2.pc.checkServerTrusted(pc.java:15)
    at com.ca.commons.security.ssl.CustomDefaultStoreSSLSocketFactory$TraceTrustManager.checkServerTrusted(CustomDefaultStoreSSLSocketFactory.java:137)
    at com.ibm.jsse2.lb.a(lb.java:5)

The error is caused by a defect fix delivered in 12.5 SP14 and rolled up into r12.6 SP1 that changes how SSL-enabled JNDI user stores are handled: the server certificate presented by the user store is now verified against the JRE's default trust store.

If the user store's certificate (or the CA certificate that issued it) currently lives only in another keystore, for example the WebSphere default trust store, that store is no longer consulted. The trust manager therefore cannot build a certification path from the server certificate to a trusted anchor, which is exactly what the "PKIX path building failed" / "is not trusted" messages above report (in the trace, the untrusted issuer is CN=DXCertGenCA, O=DXCertGenPKI, C=AU).

Peer certificate verification is now enforced, so the user store's SSL server certificate, or the CA certificate that issued it, must be added to the JRE's default trust store. On Java 8 and earlier this is JAVA_HOME\jre\lib\security\cacerts (JAVA_HOME\lib\security\cacerts for a JRE-only install or Java 9 and later); if a jssecacerts file exists in the same directory, JSSE uses it instead of cacerts. Use the JDK's keytool utility to add the certificate, make sure you edit the trust store of the JRE that actually runs the application server (the IBM JSSE class names in the trace show a WebSphere-bundled IBM JDK), and restart the server afterwards so the new trust store is loaded.

Environment

Release:
Component: IDMGR

Resolution

Solution:

Use only the JRE's own trust store location for the certificate. Add the user store's server certificate, or its issuing CA certificate, to the JRE default trust store of the Java installation that runs Identity Manager: JAVA_HOME\jre\lib\security\cacerts on Java 8 and earlier (JAVA_HOME\lib\security\cacerts on Java 9 and later), or jssecacerts in the same directory if that file exists, since it takes precedence. Use the JDK's keytool utility to import the certificate, for example keytool -importcert -trustcacerts -alias ldap-user-store-ca -file ca.pem -keystore "JAVA_HOME\jre\lib\security\cacerts", then restart the application server.
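To confirm the fix before and after the import, the following added example (not CA or Broadcom code, and not part of this article) reproduces the checkServerTrusted call from the stack trace against the JRE default trust store of the JVM it runs in, following the same jssecacerts-then-cacerts lookup JSSE uses, and can optionally import the issuing CA into that store the way keytool -importcert does. It assumes a PEM file holding the certificate chain the LDAP server presents (leaf first), an optional PEM file with the CA certificate, the JRE default trust-store password "changeit", and the hypothetical alias ldap-user-store-ca.

```java
import java.io.FileOutputStream;
import java.io.InputStream;
import java.nio.file.Files;
import java.nio.file.Path;
import java.nio.file.Paths;
import java.security.KeyStore;
import java.security.cert.Certificate;
import java.security.cert.CertificateException;
import java.security.cert.CertificateFactory;
import java.security.cert.X509Certificate;
import java.util.Collection;
import javax.net.ssl.TrustManager;
import javax.net.ssl.TrustManagerFactory;
import javax.net.ssl.X509TrustManager;

/**
 * Added example, not CA/Broadcom code.
 *
 * Usage (run with the JRE that hosts the application server, so that
 * java.home resolves to the trust store IM actually uses):
 *   java TrustStoreCheck server-chain.pem            verify only
 *   java TrustStoreCheck server-chain.pem ca.pem     import CA, then verify
 *
 * Assumptions: PEM input files, trust-store password "changeit" (JRE default),
 * alias "ldap-user-store-ca" (hypothetical).
 */
public class TrustStoreCheck {

    /** JSSE consults jssecacerts first and falls back to cacerts. */
    static Path defaultTrustStore() {
        Path security = Paths.get(System.getProperty("java.home"), "lib", "security");
        Path jsse = security.resolve("jssecacerts");
        return Files.exists(jsse) ? jsse : security.resolve("cacerts");
    }

    static KeyStore load(Path store, char[] password) throws Exception {
        KeyStore ks = KeyStore.getInstance(KeyStore.getDefaultType());
        try (InputStream in = Files.newInputStream(store)) {
            ks.load(in, password);
        }
        return ks;
    }

    /** Reads one or more PEM-encoded X.509 certificates from a file. */
    static X509Certificate[] readPem(Path pem) throws Exception {
        CertificateFactory cf = CertificateFactory.getInstance("X.509");
        try (InputStream in = Files.newInputStream(pem)) {
            Collection<? extends Certificate> certs = cf.generateCertificates(in);
            return certs.toArray(new X509Certificate[0]);
        }
    }

    /**
     * The same PKIX check the trust manager in the stack trace performs:
     * returns true when the chain anchors in the given trust store, false
     * (after printing the validator's message) when it does not.
     */
    static boolean serverTrusted(KeyStore trustStore, X509Certificate[] chain) throws Exception {
        TrustManagerFactory tmf =
                TrustManagerFactory.getInstance(TrustManagerFactory.getDefaultAlgorithm());
        tmf.init(trustStore);
        for (TrustManager tm : tmf.getTrustManagers()) {
            if (tm instanceof X509TrustManager) {
                try {
                    ((X509TrustManager) tm).checkServerTrusted(chain, "RSA");
                    return true;
                } catch (CertificateException e) {
                    System.out.println("Not trusted: " + e.getMessage());
                    return false;
                }
            }
        }
        throw new IllegalStateException("no X509TrustManager available");
    }

    /** Equivalent of: keytool -importcert -trustcacerts -alias alias -file ca.pem -keystore store */
    static void importCa(Path store, char[] password, X509Certificate ca, String alias) throws Exception {
        KeyStore ks = load(store, password);
        ks.setCertificateEntry(alias, ca);
        try (FileOutputStream out = new FileOutputStream(store.toFile())) {
            ks.store(out, password);
        }
    }

    public static void main(String[] args) throws Exception {
        char[] password = "changeit".toCharArray(); // JRE default; assumption
        Path store = defaultTrustStore();
        X509Certificate[] chain = readPem(Paths.get(args[0]));
        System.out.println("Trust store in use: " + store);
        System.out.println("Server certificate issued by: " + chain[0].getIssuerX500Principal());

        if (args.length > 1) {
            X509Certificate ca = readPem(Paths.get(args[1]))[0];
            importCa(store, password, ca, "ldap-user-store-ca");
            System.out.println("Imported " + ca.getSubjectX500Principal() + " into " + store);
        }

        boolean ok = serverTrusted(load(store, password), chain);
        System.out.println(ok
                ? "Chain verifies against the JRE default trust store"
                : "Chain does NOT verify: import the issuing CA into " + store);
        System.exit(ok ? 0 : 1);
    }
}
```

Run it once before the import to see the same "not trusted" message as in the log, and once after (or with the CA file as the second argument) to see the chain verify. Because it resolves the trust store from java.home, running it under a different Java installation than the one WebSphere uses will report on the wrong store, which is the same mistake the article warns about; restart the application server after the store has been modified.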