AdminUI can't import certificate into store with error "Failed to establish chain from reply"

Article ID: 203718

Products

CA Single Sign On Secure Proxy Server (SiteMinder)
CA Single Sign On Agents (SiteMinder)
CA Single Sign On Federation (SiteMinder)
CA Single Sign On SOA Security Manager (SiteMinder)
SITEMINDER

Issue/Introduction

When the Administrative UI is accessed over SSL, the server secures the connection using a self-signed certificate by default. The SiteMinder documentation describes how to replace the Administrative UI server's self-signed certificate with a certificate that is signed by a trusted Certificate Authority (CA).

The following document was followed:

https://techdocs.broadcom.com/us/en/symantec-security-software/identity-security/siteminder/12-8/installing/install-the-administrative-ui/optional-obtain-and-import-a-trusted-certificate-into-the-administrative-ui.html

Command line:

keytool -importcert -alias jboss_key -file cert.p7b -keystore keyStore.jks -storepass changeit -v

Error:

keytool error: java.lang.Exception: Failed to establish chain from reply
java.lang.Exception: Failed to establish chain from reply
        at sun.security.tools.keytool.Main.establishCertChain(Unknown Source)
        at sun.security.tools.keytool.Main.installReply(Unknown Source)
        at sun.security.tools.keytool.Main.doCommands(Unknown Source)
        at sun.security.tools.keytool.Main.run(Unknown Source)
        at sun.security.tools.keytool.Main.main(Unknown Source)

Environment

Release : 12.8.03

Component : SITEMINDER WAM UI

Cause

The cause of the problem was that the .p7b file had not been exported with the whole certificate chain.

Resolution

Examine the .p7b file using the command below and ensure that the intermediate certificate (if any) is included.

openssl pkcs7 -in example.org.cer.pem.p7b -noout -print_certs

If you do need to import the intermediate certificate, give it a different alias from the server certificate alias jboss_key.

Once the intermediate certificate is imported, the issue is resolved.
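
The check above can be automated. The function below is an added example, not part of the original article or of SiteMinder: it reads the output of the openssl command shown above and lists every issuer whose certificate is absent from the .p7b. The DNs in the sample text are constructed.

```shell
#!/bin/sh
# chain_gaps: reads `openssl pkcs7 -print_certs -noout` output on stdin and
# prints every issuer DN that has no certificate (matching subject) in the
# bundle. Returns 0 when the bundle is self-contained, 1 otherwise.
chain_gaps() {
    awk '
        /^subject=/ { cur = substr($0, 9); subjects[cur] = 1; next }
        /^issuer=/  { issuer_of[cur] = substr($0, 8); next }
        END {
            gaps = 0
            for (s in issuer_of) {
                i = issuer_of[s]
                # A self-signed root satisfies itself: subject == issuer.
                if (!(i in subjects) && !(i in reported)) {
                    print "missing issuer: " i
                    reported[i] = 1
                    gaps = 1
                }
            }
            exit gaps
        }'
}

# Constructed sample output (hypothetical DNs): server certificate only.
LEAF_ONLY='subject=CN = adminui.example.org

issuer=O = Example CA, CN = Example Intermediate CA
'

# Constructed sample output: server certificate, intermediate and root.
FULL_CHAIN='subject=CN = adminui.example.org

issuer=O = Example CA, CN = Example Intermediate CA

subject=O = Example CA, CN = Example Intermediate CA

issuer=O = Example CA, CN = Example Root CA

subject=O = Example CA, CN = Example Root CA

issuer=O = Example CA, CN = Example Root CA
'

printf '%s\n' "$LEAF_ONLY"  | chain_gaps || echo "leaf-only bundle: chain incomplete"
printf '%s\n' "$FULL_CHAIN" | chain_gaps && echo "full bundle: chain complete"

# Against a real file:
#   openssl pkcs7 -in cert.p7b -print_certs -noout | chain_gaps
```

Each DN it prints names a CA certificate to include in the .p7b export or to import into the keystore under its own alias, as described in the resolution.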

Additional Information

https://knowledge.broadcom.com/external/article/160027/error-keytool-error-javalangexception-fa.html