You may also see messages like below when accessing some Data Insights before attempting to export:

AAI with HTTPS configured

• HTTPS root and intermediate certificate were not imported into the AAI keystore and the $JAVA_HOME/jre/lib/security/cacerts truststore
• The AAI admin password was changed but the hidden servicePass parameter was not set to match the current password

When reviewing the full set of AAI Logs, there was no error at the time of the export attempt, however on startup the server.log showed an error:

SEVERE [org.springframework.boot.SpringApplication] Application run failed: java.lang.RuntimeException: com.termalabs.common.serviceutils.ApiException: GET PROPERTY ERROR: MESSAGE = Server or service is not available
I/O error on GET request for "https:<hostname>aai/api/properties/serverParam/collectorService.dbMaintenance.purgeInterval": PKIX path building failed: sun.security.provider.certpath.SunCertPathBuilderException: unable to find valid certification path to requested target; nested exception is javax.net.ssl.SSLHandshakeException: PKIX path building failed: sun.security.provider.certpath.SunCertPathBuilderException: unable to find valid certification path to requested target

This indicates the certificate being used has a root and/or intermediate certificate from the certificate signing authority, however they have not been imported into the keystore for AAI and/or the $JAVA_HOME/jre/lib/security/cacerts truststore.

1. You can check to see if your AAI certificate has a root and intermediate certificate using the openssl command below:

openssl s_client -connect <AAI hostname>:<port number>

They will be listed under Certificate Chain.

2. The certificate provider should be able to provide the root and intermediate certificates.

3. Once you have the certificates you can import them into the keystore that AAI is using with the command below:

keytool -import -v -file <root cert>.cer -keystore /opt/aai/jboss/standalone/configuration/aaikey -storepass <password> -noprompt

keytool -import -v -file <intermediate cert>.cer -keystore /opt/aai/jboss/standalone/configuration/aaikey -storepass <password> -noprompt

4. Once the certs are imported to the AAI keystore, you can import the into the $JAVA_HOME/jre/lib/security/cacerts truststore with the command below:

keytool -importkeystore -srckeystore <AAI Install dir>/jboss/standalone/configuration/aai.keystore –destkeystore $JAVA_HOME/jre/lib/security/cacerts

5. You can verify the root and intermediate certificates have been imported by using the commands below:

keytool -list -v -keystore <AAI_HOME>/jboss/standalone/configuration/aai.keystore

keytool -list -v -keystore $JAVA_HOME/jre/lib/security/cacerts

6. Restart the AAI service and make sure the server.log no longer shows the message below on startup:

PKIX path building failed: sun.security.provider.certpath.SunCertPathBuilderException: unable to find valid certification path to requested target

7. Check the commonService.log, simulation.log and other logs for the message like below after AAI has fully initialized

[JawsRestApiCaller] login to JAWS server failed due to JAWS server initializing or incorrect credential, trying again

8. If those errors don't appear you can try the export/email, if those messages do appear you need to go to the AAI configuration tool and go to the parameters tab, then hidden parameters, and search for "servicePass".  This value needs to be set to the same password as the current JAWS admin password. If the admin user's password is changed pre 24.0 this will need to be set.  This should get automatically set if the password was changed after 24.x.  Once this is set, restart AAI and verify the errors stop after AAI fully initializes.

9. Attempt to email and/or export the Data Insight again