SSLHandshakeException PKIX path building failed message when using an SSL URL in the Portal Governance connector

Article ID: 408179

Products

CA Identity Suite

Issue/Introduction

Changing the Governance connector in Identity Portal to "Enable SSL" and entering an SSL port results in the following error when attempting to start the connector:

Failed to start GmAdapter object: javax.net.ssl.SSLHandshakeException: SSLHandsakeException invoking https://governancehostname:ssl_port/eurekify/rest/idp/version: PKIX path building failed: sun.security.provider.certpath.SunCertPathBuilderException: unable to find valid certification path to requested target

Cause

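The SSL trust is missing: the Java runtime used by Identity Portal does not trust the certificate presented by Governance. Import the certificate into $JAVA_HOME\jre\lib\security\cacerts.


Use the keytool command to import the certificate, similar to: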

>keytool -importcert -file <the ca cert file> -keystore $JAVA_HOME/jre/lib/security/cacerts 

 

You can check the certificates in the cacerts file using the keytool list command:

>keytool -list -v -keystore {java}/jre/lib/security/cacerts

Resolution

To add the certificate to the Java Security Trust on the Identity Portal server:

1.  Gather the certificate. How you obtain it will vary depending on the environment. If the certificate is applied directly in Governance, open the secure URL for Governance in a browser, click the secure lock icon and export the certificate.
There may be additional certificates required; for example, a load balancer certificate may also need to be added to the trust store.

3.  Import the certificate into the Java security keystore, 'cacerts':

 keytool -importcert -keystore {Java_path}/jre/lib/security/cacerts -file <path to certificate> 


You can optionally add an alias:

-alias <alias for certificate>



A restart of the Application may be necessary for the certificate to be loaded.
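
The import step above, as an added example that is not part of the original article: a POSIX shell function that compares the exported certificate's SHA-256 fingerprint with a value obtained out of band before importing it, because every certificate added to cacerts is trusted by all applications running on that JVM. The function names, exit codes and the .bak backup name are assumptions of this example; only keytool is required.

```shell
#!/bin/sh
# Added example: verify a certificate's SHA-256 fingerprint, then import it
# into a Java truststore under a named alias and confirm the entry exists.

# Print the SHA-256 fingerprint of a certificate file as uppercase hex, no colons.
cert_sha256() {
    keytool -printcert -file "$1" |
        awk '/^[ \t]*SHA256:/ { print $2; exit }' |
        tr -d ':' | tr 'a-f' 'A-F'
}

# import_trusted_cert <cert file> <alias> <keystore> <storepass> <expected sha256>
# Exit codes (chosen for this example):
#   0  alias is present in the keystore (imported now, or already there)
#   1  keytool failed to import or list the entry
#   2  fingerprint of the file does not match the expected value
import_trusted_cert() {
    cert=$1 name=$2 keystore=$3 storepass=$4
    expected=$(printf '%s' "$5" | tr -d ':' | tr 'a-f' 'A-F')
    actual=$(cert_sha256 "$cert")
    if [ -z "$actual" ] || [ "$actual" != "$expected" ]; then
        echo "fingerprint mismatch for $cert: got '$actual'" >&2
        return 2
    fi
    # keytool refuses to overwrite an existing alias, so stop here and
    # import nothing if the alias is already in use.
    if keytool -list -alias "$name" -keystore "$keystore" \
            -storepass "$storepass" >/dev/null 2>&1; then
        echo "alias '$name' already exists in $keystore, nothing imported" >&2
        return 0
    fi
    # Keep a copy of the truststore so the change can be rolled back.
    if [ -f "$keystore" ]; then
        cp -p "$keystore" "$keystore.bak" || return 1
    fi
    keytool -importcert -noprompt -alias "$name" -file "$cert" \
        -keystore "$keystore" -storepass "$storepass" >/dev/null 2>&1 || return 1
    # Confirm the entry is now listed under the alias.
    keytool -list -alias "$name" -keystore "$keystore" \
        -storepass "$storepass" >/dev/null 2>&1
}
```

Call it once per certificate that has to be trusted (for example the Governance certificate and a load balancer certificate), passing the path to the cacerts file of the Java installation that Identity Portal runs on.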