BFG startup "Validate Bitbucket Server connection error" "PKIX path building failed"

Article ID: 420809


Products

Endevor

Issue/Introduction

Endevor Bridge for Git (BFG) startup fails with "Validate Bitbucket Server connection error", showing a failed SSL connection to the Bitbucket server:

*****
 Caused by: org.springframework.boot.context.properties.bind.validation.BindValidationException: Binding validation errors on app
    - Error in object 'app': codes [AppPropertiesValid.app,AppPropertiesValid]; arguments [org.springframework.context.support.DefaultMessageSourceResolvable: codes [app.,]; arguments []; default message []]; default message [Validate Bitbucket Server connection error: com.ca.endevor.integration.connector.rest.exception.RestConnectorException: org.springframework.web.client.ResourceAccessException: I/O error on POST request for "https://stash.example.com/rest/oauth2/latest/token": com.ibm.jsse2.util.l: PKIX path building failed: com.ibm.security.cert.IBMCertPathBuilderException: unable to find valid certification path to requested target; nested exception is javax.net.ssl.SSLHandshakeException: com.ibm.jsse2.util.l: PKIX path building failed: com.ibm.security.cert.IBMCertPathBuilderException: unable to find valid certification path to requested target
     at com.ca.endevor.integration.connector.rest.SpringRestClient.reportError(SpringRestClient.java:176)
*****

Per the techdocs page Set up Git Server Communication > Authentication Methods > Bitbucket: Configure Application Link, OAuth2 has been set up by the Bitbucket GitAdmin, and the client-id and client-secret have been specified in the application yml file.

Environment

Endevor Bridge For Git

Cause

A custom certificate for Bitbucket server is being used and BFG does not trust it.

Resolution

The Bitbucket client CA certificate needs to be added to the BFG truststore.

By default, the BFG truststore is the Java truststore file: <JAVA_HOME>/lib/security/cacerts.
That truststore is used for a secure connection to Endevor Web Services, per the documentation page Enable a Connection to Secured Endevor Web Services.

Similarly, either the same truststore or your own truststore should be used for a secure connection to the Bitbucket server.

To use your own truststore, e.g. /TEST/EBG1/BFG/client.truststore.p12, change the BFG STC JCL to use it, as described on the above page Enable a Connection to Secured Endevor Web Services and the page Use JCL to Run Bridge for Git on the Mainframe,
i.e. add these lines:
-Djavax.net.ssl.trustStore=/TEST/EBG1/BFG/client.truststore.p12 
-Djavax.net.ssl.trustStorePassword=<password>
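
One way to add the CA certificate to a truststore like the one named above and confirm it landed as a trusted entry, as an added example that is not part of the original article or the product documentation. The function names, the alias `bitbucket-ca`, the password `changeit` and the step of checking the SHA-256 fingerprint against a value obtained out of band are assumptions of this example; it uses the `keytool` shipped with the JVM and assumes its English output format.

```sh
#!/bin/sh
# Added example (not from the original article). Paths, alias and password
# are placeholders; keytool is the one shipped with the JVM that runs BFG.

# cert_sha256 <cert.pem>: print the certificate's SHA-256 fingerprint so it
# can be compared with the value the Bitbucket/PKI admin gives out of band.
cert_sha256() {
    keytool -printcert -file "$1" | sed -n 's/^[[:space:]]*SHA256: *//p'
}

# import_ca <cert.pem> <truststore> <storepass> <alias> <expected-sha256>
# Refuses to import unless the fingerprint matches, then adds the CA as a
# trusted entry (the PKCS12 truststore is created if it does not exist).
import_ca() {
    [ "$(cert_sha256 "$1")" = "$5" ] || { echo "fingerprint mismatch" >&2; return 1; }
    keytool -importcert -noprompt -alias "$4" -file "$1" \
        -keystore "$2" -storetype PKCS12 -storepass "$3" >/dev/null 2>&1
}

# has_trusted_alias <truststore> <storepass> <alias>
# Succeeds only if the alias exists and is a trusted certificate entry.
has_trusted_alias() {
    keytool -list -alias "$3" -keystore "$1" -storetype PKCS12 \
        -storepass "$2" 2>/dev/null | grep -q trustedCertEntry
}

# make_test_ca <dir>: constructed sample input, a throwaway self-signed CA
# written to <dir>/ca.pem so the functions above can be tried offline.
make_test_ca() {
    keytool -genkeypair -alias ca -keyalg RSA -keysize 2048 -validity 1 \
        -dname "CN=Constructed Test CA" -ext bc:c \
        -keystore "$1/ca.p12" -storetype PKCS12 -storepass changeit \
        >/dev/null 2>&1 &&
    keytool -exportcert -rfc -alias ca -file "$1/ca.pem" \
        -keystore "$1/ca.p12" -storetype PKCS12 -storepass changeit \
        >/dev/null 2>&1
}
```

On the target system, `import_ca` would be called with the CA file supplied by the Bitbucket administrator and the truststore path given in `-Djavax.net.ssl.trustStore`; BFG must be restarted to pick up the change.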