After configuring certificate/authentication for RACF the Endevor Web Services health check is successful and all is green, but Endevor Web Interface UI shows error:

Unable to fetch EWS instances unexpected error: service request error: HTTP 'httpExecute' request to ' https://hostname:8443/EndevorService/api/v2' failed: com.ibm.jsse2.util.j: PKIX path building failed: com.ibm.security.cert.IBMCertPathBuilderException: unable to find valid certification path to requested

The log file endevor-web-interface.log shows the following details:

2024-03-20 09:19:25.784 INFO  https-jsse-nio-8443-exec-5              
(com.broadcom.endevor.webinterface.request.ServiceRequest:74) service 
request: created for target:                                          
https://hostname:8443/EndevorService/api/v2        
                                                                      
2024-03-20 09:19:25.784 INFO  https-jsse-nio-8443-exec-5              
(com.broadcom.endevor.webinterface.request.ServiceRequest:274) Service
Request: begin 'performGET' request for:                              
https://hostname:8443/EndevorService/api/v2        
                                                                      
2024-03-20 09:19:25.816 ERROR  https-jsse-nio-8443-exec-5             
(c.broadcom.endevor.webinterface.request.ServiceRequestException:35)  
service request error: HTTP 'httpExecute' request to                  
'https://hostname:8443/EndevorService/api/v2'      
failed: com.ibm.jsse2.util.j: PKIX path building failed:              
com.ibm.security.cert.IBMCertPathBuilderException: unable to find     
valid certification path to requested target                          

The Endevor Web Services certificate has not been imported into the Web Interface Java TrustStore. 

See documentation page Install Endevor Web Interface and section "Enable Connection to Secured Endevor Web Services"

In summary:

1. Download the certificate used by Endevor Web Services. Either the security admin can provide the certificate used by the Web Services keyring, or launch health check URL (https://hostname:port/EndevorService/) to export the Base-64 encoded X.509 (.cer) certificate using these steps: How to Download the SSL Certificate From a Website in Windows.
   NOTE: use BIN mode to FTP the downloaded .cer file to USS
   
   
2. Use keytool command to import certificate into default Web Interface Java TrustStore or create a new TrustStore to hold just the Web Services certificate:
   
   EITHER: JAVA_HOME/bin/keytool -importcert -alias your_alias -keystore JAVA_HOME/lib/security/cacerts -file your_ws.cer
   OR: JAVA_HOME/bin/keytool -importcert -alias your_alias -keystore your_truststore.jks -file your_ws.cer
   (use JAVA_HOME as defined in the WSTOMENV environment variable member)
   
   
3. Update WSTOMENV (changeit is the default password for the default Java TrustStore )
   
   -Djavax.net.ssl.trustStore=JAVA_HOME/lib/security/cacerts
   -Djavax.net.ssl.trustStorePassword=changeit
   (use JAVA_HOME as defined in the WSTOMENV environment variable member)

NOTE: Setting up PassTickets support is a Prerequisite for using the Endevor Web Interface. It is listed as such in the Install Endevor Web Interface - Prerequisites section.

A change has been made to the linked page Set Up PassTicket Authentication  to emphasise that is required.