Clarity XOG with HTTPS fails with error: "PKIX path building failed, unable to find valid certification path to requested target."
search cancel

Clarity XOG with HTTPS fails with error: "PKIX path building failed, unable to find valid certification path to requested target."


Article ID: 227031


Updated On:


Clarity PPM On Premise


You have an HTTPS Clarity setup on Linux and HTTPS Jaspersoft setup and communicating with Clarity over HTTPS. Both web applications are reachable via HTTPS and HTTPS and working on the server and between Jaspersoft and Clarity. You are trying to get the XOG client and XOGin a gel script to work over HTTPS. 

When running the XOG client on the Clarity application server, you get the following errors:

  • handshake_failure
  • broken pipe
  • XOG Invoke Failed

With ssl debug on in xog you get additional errors: X509Authentication - No X.509 cert selected for EC, RSA, RSASSA-PSS, DSA.

When running a XOG within a gel script (the same script works over HTTP) you get this error:

PKIX path building failed, unable to find valid certification path to requested target. 

When running the XOG client on a windows computer that can connect to the Clarity HTTPS web app via the browser You get the following errors:

  • Xog Invoke Failed
  • Connection refused
  • Some references to https.HttpsClient and ssl.sslsocket.

For the XOG client on the server, how does it know what certificate to send and where does it get it from? Does it use the same one in NSA? Do you need to put something in Java to specify the private key? 

For the XOG in a gel script, do you need to send a certification? If so how? Does it use the NSA settings?

The same questions apply when on a windows client.


Release : All Supported Releases


  1. Locate the Keystore location in the JRE.

    Typically this keystore is at JAVA_HOME\jre\lib\security\cacerts   -- OR -- JAVA_HOME\lib\security\cacerts

    The keytool that is used to access the keystore is typically installed with the JRE and ready to use.
  2. Run the standard keytool to import the certificate, from JAVA_HOME\jre\lib\security.

    keytool -import -trustcacerts -alias cert -file C:\temp\Cert.cer -keystore cacerts

    1. When prompted Enter keystore password:, enter "changeit". (By default keystores have a password of "changeit")
    2. When prompted Trust this certificate? [no]:, enter "yes".

      This imports the certificate into the keystore and displays the message: "Certificate was added to keystore".
  3. Open the Clarity URL and click the lock icon. 
  4. Open the certificate.
  5. Go to details and note the signature algorithm.

    For example: SHA256

  6. Note the value for Public Key

    For example: RSA (2048)
  7. Go to your web browser Developer Tools > Security and look for the cipher being used by the clarity server.

    For example:
  8. List the ciphers supported by your XOG client JAVA home. 
  9. Open the attached Main.txt file.
  10. Rename to

    <XOG JAVA_HOME>/bin/javac
  11. Run the application

    <XOG JAVA_HOME>/bin/java Main

    This will output a list of ciphers supported by the JVM
  12. The cipher listed in step 7 (the screenshot above) should appear in this output.
  13. Open /opt/clarity/tomcat-app-deploy/conf/server.xml
  14. Validate whether the cipher from step 7 (the screenshot above) is being forced or not
    For example:

    <Connector port="443" maxHttpHeaderSize="8192" address=""
    enableLookups="false" disableUploadTimeout="true"
    acceptCount="100" scheme="https" secure="true" clientAuth="false"
    keystoreFile="SomeDir/SomeFile.key" keystorePass="Poodle"
    truststoreFile="SomeDir/SomeFile.truststore" truststorePass="HomeRun"
    sslProtocol="TLSv1, TLSv1.1, TLSv1.2"


  15. Add the cipher here if it is missing

Additional Information

We can use "openssl s_client -connect" to get the complete chain of certificates and validate if what certificates we imported are the right ones.


Note: If the issue started happening after Java upgrade, as workaround you can repoint Clarity to the previous Java install in properties.xml & restart the services.


1635276419197__Main.txt get_app