XOG with HTTPS fails with error: "PKIX path building failed, unable to find valid certification path to requested target."

Article ID: 227031

Products

Clarity PPM On Premise

Issue/Introduction

You have an HTTPS Clarity 15.9.3 setup on Linux and an HTTPS Jaspersoft setup that communicates with Clarity over HTTPS. Both web applications are reachable over HTTPS and working, both on the server and between Jaspersoft and Clarity. You are trying to get the XOG client, and XOG inside a GEL script, to work over HTTPS.

When running the XOG client on the Clarity application server, you get the following errors:

  • handshake_failure
  • broken pipe
  • XOG Invoke Failed

With SSL debug enabled in the XOG client you get the additional message: X509Authentication - No X.509 cert selected for EC, RSA, RSASSA-PSS, DSA.

When running a XOG within a gel script (the same script works over HTTP) you get this error:

PKIX path building failed, unable to find valid certification path to requested target. 

When running the XOG client on a Windows computer that can connect to the Clarity HTTPS web app via a browser, you get the following errors:

  • Xog Invoke Failed
  • Connection refused
  • Some references to https.HttpsClient and ssl.sslsocket.

For the XOG client on the server, how does it know which certificate to send and where does it get it from? Does it use the same one configured in NSA? Do you need to configure something in Java to specify the private key?

For the XOG in a GEL script, do you need to send a certificate? If so, how? Does it use the NSA settings?

The same questions apply when on a windows client.

Environment

Release : 15.9.3 On Premise

Resolution

  1. Locate the cacerts keystore of the JRE that actually runs the XOG client (for a GEL script this is the JRE running Clarity; for the Windows client it is the JRE that XOG installation uses).

    On Java 8 this keystore is at JAVA_HOME\jre\lib\security\cacerts (JAVA_HOME/jre/lib/security/cacerts on Linux). Java 9 and later have no jre directory; there the file is JAVA_HOME/lib/security/cacerts.

    The keytool used to access the keystore is installed with the JRE and ready to use (JAVA_HOME/bin/keytool).
  2. Run the standard keytool from JAVA_HOME\jre\lib\security to import the certificate. The file should be the CA certificate that issued the Clarity server certificate (the server certificate itself also satisfies PKIX path building, but must be re-imported whenever the server certificate is renewed):

    keytool -import -trustcacerts -alias mdecert -file C:\temp\mdeCert.cer -keystore cacerts

    1. When prompted "Enter keystore password:", enter changeit (the default password of the JRE cacerts keystore).
    2. When prompted "Trust this certificate? [no]:", enter yes.

      This imports the certificate into the keystore and displays the message "Certificate was added to keystore". The XOG client needs no private key or certificate of its own: when the Clarity connector has clientAuth="false", as in the server.xml example in step 14, the server never requests a client certificate, so the client trust store only has to contain the server's CA chain.
  3. Open the Clarity URL and click the lock icon. 
  4. Open the certificate.
  5. Go to details and note the signature algorithm.

    For example: SHA256

  6. Note the value for Public Key

    For example: RSA (2048)
  7. Go to your web browser's Developer Tools > Security and note the cipher suite negotiated with the Clarity server.

    For example: (screenshot not available in this copy of the article)
  8. List the ciphers supported by the XOG client's JAVA_HOME.
  9. Open the attached Main.txt file.
  10. Rename it to Main.java and compile it with the XOG client's Java (javac requires a JDK; if the XOG JAVA_HOME is only a JRE, compile with a JDK of the same major version and run with the XOG JRE):

    <XOG JAVA_HOME>/bin/javac Main.java
  11. Run the application:

    <XOG JAVA_HOME>/bin/java Main

    This outputs the list of ciphers supported by that JVM.
  12. The cipher noted in step 7 should appear in this output. If it does not, the handshake_failure alert is the expected result: the server and the XOG JVM share no cipher suite.
  13. Open /opt/clarity/tomcat-app-deploy/conf/server.xml
  14. Check whether the HTTPS connector restricts the ciphers (and protocols) it accepts, and whether the cipher from step 7 is in that list.
    For example:

    <Connector port="443" maxHttpHeaderSize="8192" address="192.168.1.1"
               enableLookups="false" disableUploadTimeout="true"
               acceptCount="100" scheme="https" secure="true" clientAuth="false"
               keystoreFile="SomeDir/SomeFile.key" keystorePass="Poodle"
               truststoreFile="SomeDir/SomeFile.truststore" truststorePass="HomeRun"
               sslProtocol="TLSv1, TLSv1.1, TLSv1.2"
               ciphers="TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA384,
                        TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA384,

    ....

  15. If the cipher from step 7 is missing from the ciphers list, add it there and restart the Clarity application service so the connector picks up the change.

Additional Information

You can use openssl s_client to see the complete certificate chain the server presents and check that the certificates imported in step 2 are the right ones (the issuer of the last certificate in the chain must be present in cacerts):

openssl s_client -connect ppm.server.com:443 -servername ppm.server.com -showcerts

The "Certificate chain" section lists the subject and issuer of every certificate the server sends. Note that the "Verify return code" line reflects the OpenSSL trust store, which is separate from the Java cacerts, so a 0 (ok) there says nothing about what the XOG JVM trusts. A "Connection refused" error, as seen from the Windows client, is a TCP-level failure (nothing accepted the connection on that host and port) rather than a certificate or cipher problem; check the host name and port in the XOG command first.
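The following program is an added example, not the attached Main.txt and not part of the original article or of the Clarity product. It combines steps 8-12 (listing the protocols and cipher suites the XOG JVM supports and enables) with the chain check from the openssl command above, but performed by the Java TLS stack itself, so the result reflects the same cacerts and defaults the XOG client uses. The class name TlsProbe, and the host name ppm.server.com in the usage comments, are assumptions for illustration.

```java
import java.io.IOException;
import java.security.cert.Certificate;
import java.security.cert.X509Certificate;
import java.security.interfaces.RSAPublicKey;
import java.util.Arrays;
import java.util.LinkedHashSet;
import java.util.Set;
import javax.net.ssl.SSLContext;
import javax.net.ssl.SSLHandshakeException;
import javax.net.ssl.SSLParameters;
import javax.net.ssl.SSLSocket;
import javax.net.ssl.SSLSocketFactory;

/**
 * TlsProbe (example, not the article's Main.txt). Run it with the SAME java
 * binary that runs the XOG client, because the output depends on that JVM's
 * cacerts and on its protocol/cipher defaults:
 *
 *   <XOG JAVA_HOME>/bin/javac TlsProbe.java
 *   <XOG JAVA_HOME>/bin/java TlsProbe                     # list protocols/ciphers only
 *   <XOG JAVA_HOME>/bin/java TlsProbe ppm.server.com 443  # also handshake with the server
 *
 * Add -Djavax.net.debug=ssl:handshake for the same detail XOG's SSL debug prints.
 */
public class TlsProbe {

    /** Protocols and cipher suites this JVM supports, and the subset enabled by default. */
    static void listCiphers() throws Exception {
        SSLContext ctx = SSLContext.getDefault();
        System.out.println("Supported protocols: "
                + Arrays.toString(ctx.getSupportedSSLParameters().getProtocols()));
        System.out.println("Enabled protocols:   "
                + Arrays.toString(ctx.getDefaultSSLParameters().getProtocols()));
        SSLSocketFactory factory = ctx.getSocketFactory();
        Set<String> enabled = new LinkedHashSet<>(Arrays.asList(factory.getDefaultCipherSuites()));
        System.out.println("Enabled cipher suites (the server's cipher from step 7 must be here):");
        for (String suite : enabled) {
            System.out.println("  " + suite);
        }
        System.out.println("Supported but disabled by default (usable only with extra JVM configuration):");
        for (String suite : factory.getSupportedCipherSuites()) {
            if (!enabled.contains(suite)) {
                System.out.println("  " + suite);
            }
        }
    }

    /** Handshake with host:port using the JVM default trust store and report what happened. */
    static void probe(String host, int port) throws Exception {
        SSLSocketFactory factory = (SSLSocketFactory) SSLSocketFactory.getDefault();
        try (SSLSocket sock = (SSLSocket) factory.createSocket(host, port)) {
            // Verify the certificate name against the host, as an HTTPS client does.
            SSLParameters params = sock.getSSLParameters();
            params.setEndpointIdentificationAlgorithm("HTTPS");
            sock.setSSLParameters(params);
            sock.startHandshake();
            System.out.println("Negotiated " + sock.getSession().getProtocol()
                    + " with " + sock.getSession().getCipherSuite());
            // The chain as sent by the server: leaf first, then intermediates. The issuer of
            // the last entry (or one of the entries themselves) must be present in cacerts.
            Certificate[] chain = sock.getSession().getPeerCertificates();
            for (int i = 0; i < chain.length; i++) {
                X509Certificate c = (X509Certificate) chain[i];
                String key = c.getPublicKey().getAlgorithm();
                if (c.getPublicKey() instanceof RSAPublicKey) {
                    key += " (" + ((RSAPublicKey) c.getPublicKey()).getModulus().bitLength() + ")";
                }
                System.out.printf("[%d] subject: %s%n    issuer:  %s%n    sigAlg: %s  key: %s%n",
                        i, c.getSubjectX500Principal(), c.getIssuerX500Principal(),
                        c.getSigAlgName(), key);
            }
        } catch (SSLHandshakeException e) {
            String msg = String.valueOf(e.getMessage());
            if (msg.contains("PKIX")) {
                // Trust problem: the CA that signed the server certificate is not in this cacerts.
                System.out.println("Trust failure: " + msg);
                System.out.println("-> import the issuing CA into this JVM's cacerts (resolution step 2)");
            } else {
                // No common protocol/cipher, or the server rejected the handshake for another reason.
                System.out.println("Handshake failure: " + msg);
                System.out.println("-> compare the server cipher (step 7) with the enabled list above");
            }
        } catch (IOException e) {
            // e.g. "Connection refused": TCP never connected, so TLS and certificates are not involved.
            System.out.println("Connect failure before TLS: " + e.getMessage());
        }
    }

    public static void main(String[] args) throws Exception {
        listCiphers();
        if (args.length == 2) {
            probe(args[0], Integer.parseInt(args[1]));
        }
    }
}
```

To test a cacerts file other than the JVM's own (for example the one you just imported into), start the probe with -Djavax.net.ssl.trustStore=/path/to/cacerts; a handshake that succeeds here but fails in XOG then points at XOG using a different JRE than the one you patched.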

Attachments

1635276419197__Main.txt