ERROR[com.ca.commons.security.ssl.CustomDefaultStoreSSLSocketFactory] Failed to verify server certificate chaincom.ibm.jsse2.util.h: PKIX path building failed:

book

Article ID: 20291

calendar_today

Updated On:

Products

DIRECTORY CA Identity Manager CA Identity Governance CA Identity Portal CA Risk Analytics CA Secure Cloud SaaS - Arcot A-OK (WebFort) CLOUDMINDER ADVANCED AUTHENTICATION CA Secure Cloud SaaS - Advanced Authentication CA Secure Cloud SaaS - Identity Management CA Secure Cloud SaaS - Single Sign On SECURITY MISC CODES SINGLE SIGN ON - LEGACY CA Data Protection (DataMinder) CA User Activity Reporting

Issue/Introduction

Description:

After upgrading from IM 12.6 to 12.6 SP1 the following certificate error occurs when trying to connect on a TLS connection to an LDAP.

[2/12/13 15:10:14:676 EST] 00000015 SystemOut O 15:10:14,674 ERROR [com.ca.commons.security.ssl.CustomDefaultStoreSSLSocketFactory] Failed to verify server certificate chain com.ibm.jsse2.util.h: PKIX path building failed:
java.security.cert.CertPathBuilderException: PKIXCertPathBuilderImpl could not build a valid CertPath.; internal cause is:
java.security.cert.CertPathValidatorException: The certificate issued by CN=DXCertGenCA, O=DXCertGenPKI, C=AU is not trusted; internal cause is:
java.security.cert.CertPathValidatorException: Certificate chaining
error
at com.ibm.jsse2.util.f.b(f.java:113)
at com.ibm.jsse2.util.f.b(f.java:61)
at com.ibm.jsse2.util.e.a(e.java:22)
at com.ibm.jsse2.pc.a(pc.java:100)
at com.ibm.jsse2.pc.checkServerTrusted(pc.java:15)
at
com.ca.commons.security.ssl.CustomDefaultStoreSSLSocketFactory$TraceTrustManager.checkServerTrusted(CustomDefaultStoreSSLSocketFactory.java:137)
at com.ibm.jsse2.lb.a(lb.java:5)

The reason for the error is that a defect has been resolved in 12.5SP14, that has been rolledup into r12.6SP1, and which impacts SSL-enabled JNDI user stores.

If the certificate is currently in another keystore, like in the default WebSphere store, for example, the path to the certificate is now invalid.

Peer certificate verification is now enforced, and the user store SSL server certificate must be added into JRE's default trust store. This default trust store is typically JAVA_HOME\jre\lib\cacerts or jssecacerts. You may use the JDK's utility keytool to add the certificate.

Solution:

Use only the JAVA (jre) keystore location for the certificate. Add the certificate to the Java's JRE default trust store. This default trust store is typically JAVA_HOME\jre\lib\cacerts or jssecacerts. You may use the JDK's utility keytool to add the certificate.

Environment

Release:
Component: IDMGR