Maileater Access Token Refresh Failure: Microsoft Root Certificate Change

Article ID: 432624

Products

CA Service Management - Service Desk Manager
CA Service Desk Manager

Issue/Introduction

The CA Service Desk Manager (CA SDM) Maileater was working, but after 90 days the access token is no longer refreshed successfully.

Despite the trust correction and valid configuration, Maileater still does not ingest received emails and no explicit OAuth/IMAP/TLS errors are logged. This suggests a silent failure scenario, likely a variant of KB article 432624, where Maileater's internal OAuth/IMAP processing fails to recover after a certificate chain change.

The standard NX_ROOT\log\maileater_nxd.log file shows the following errors:

Failed to connect to the Store.
Failed to get a fresh access token...can not proceed further

Caused by: sun.security.provider.certpath.SunCertPathBuilderException: unable to find valid certification path to requested target
javax.net.ssl.SSLHandshakeException: PKIX path building failed: sun.security.provider.certpath.SunCertPathBuilderException: unable to find valid certification path to requested target


When enabling Maileater debug logging, the following additional errors can be seen in the NX_ROOT\log\maileater_nxd.log file:

DEBUG [ForkJoinPool-1-worker-5] c.c.S.maileater.Mailbox - [XXXXX:######] -> [ID:(XXXXX),HN:(outlook.office365.com)/Inbox] signalled for Mail Poll...

DEBUG [ForkJoinPool-1-worker-5] c.c.S.maileater.TextAPI - return true since we don't manage slump

DEBUG [ForkJoinPool-1-worker-5] c.c.S.maileater.Mailbox - [XXXXX:######] -> [ID:(XXXXX),HN:(outlook.office365.com)/Inbox] polling for mail...

DEBUG [ForkJoinPool-1-worker-5] c.c.S.m.ConnectSession - [XXXXX:######] Using encrypted password

DEBUG [ForkJoinPool-1-worker-5] c.c.S.m.c.JavaMailIMAPClient - [ID:(XXXXX),HN:(outlook.office365.com)] -> [IMAPS|993] Connecting to IMAP host...

ERROR [ForkJoinPool-1-worker-5] c.c.S.m.c.JavaMailIMAPClient - [ID:(XXXXX),HN:(outlook.office365.com)] -> [IMAPS|993] Failed to connect to the Store.

DEBUG [ForkJoinPool-1-worker-5] c.c.S.m.ConnectSession - Access Token has expired...generating a fresh one....and trying again...

DEBUG [ForkJoinPool-1-worker-5] c.c.S.mail.OAuthProcessor - Refreshing the Access Token...

DEBUG [ForkJoinPool-1-worker-5] c.c.S.mail.OAuthProcessor - Using common endpoint

ERROR [ForkJoinPool-1-worker-5] c.c.S.m.ConnectSession - Failed to get a fresh access token...can not proceed further....

TRACE [ForkJoinPool-1-worker-5] c.c.S.m.ConnectSession - [XXXXX:######] Failed to connect to IMAP4 server outlook.office365.com at port 993

Due to the issue with the access token not refreshing, CA SDM Maileater is unable to establish a secure connection with the mail server and incoming email processing stops.

Environment

CA Service Desk Manager 17.3 and 17.4.x
Windows and Linux OS
Conventional and Advanced Availability architectures
Maileater using Cloud based Office365

Cause

Microsoft updated their root certificate authority in January 2026 from DigiCert Global Root CA (G1) to DigiCert Global Root G2, breaking the trust chain for token renewal.

Since there is a root certificate change, the automatic refresh of the access token is no longer working.

Resolution

  1. Download the certificate attached to this KB article

  2. Via the CA SDM UI, log in as an Administrator and navigate to ADMINISTRATION->EMAIL->MAILBOXES

  3. Select the mailbox(es) used for SDM Maileater

  4. Note the name and location of the certificate defined in the 'CA Certificate Path' field

  5. Take a backup of the certificates identified in step #4 above to a location other than the location specified in the 'CA Certificate Path' field

  6. Copy the certificate downloaded in step #1 above to the same location, and with the same file name, identified in the mailbox settings in step #4 above

  7. Delete the nx.keystore file from the NX_ROOT\pdmconf folder and delete the NX_KEYSTORE_REF entry from the NX_ROOT\NX.env file

  8. Run the following command to restart the SDM mail processes, which should import the new certificate:

    pdm_bounce pdm_mail

  9. Monitor SDM Maileater to see if the access token is refreshed properly

Test all changes in a non-PROD environment first, and make sure that you have backups of any files to be altered before making any changes.

Additional Information

This update should be performed on either the primary or background SDM server, whichever one the maileater process is running on.  The "pdm_status" command will show which is the correct Service Desk server.

Running the keytool command against the given certificate will show the following (first 7 lines):

>keytool -printcert -v -file login_microsoftonline.cer

Owner: CN=DigiCert Global Root G2, OU=www.digicert.com, O=DigiCert Inc, C=US
Issuer: CN=DigiCert Global Root G2, OU=www.digicert.com, O=DigiCert Inc, C=US
Serial number: 33af1e6a711a9a0bb2864b11d09fae5
Valid from: Thu Aug 01 08:00:00 EDT 2013 until: Fri Jan 15 07:00:00 EST 2038
Certificate fingerprints:
         SHA1: DF:3C:24:F9:BF:D6:66:76:1B:26:80:73:FE:06:D1:CC:8D:4F:82:A4
         SHA256: CB:3C:CB:B7:60:31:E5:E0:13:8F:8D:D3:9A:23:F9:DE:47:FF:C3:5E:43:C1:14:4C:EA:27:D4:6A:5A:B1:CB:5F
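
Because the file copied in step 6 becomes a trust anchor for the token endpoint, its SHA256 fingerprint can be checked against the keytool value above before it is put in place. The Python script below is an added example, not part of the original article or of CA SDM; it accepts a PEM or DER .cer file given as the first command-line argument, and SAMPLE_DER is a constructed stand-in used when no file is given.

```python
import base64
import hashlib
import hmac
import re
import sys

# SHA256 fingerprint of DigiCert Global Root G2, copied from the keytool output above.
EXPECTED_SHA256 = ("CB:3C:CB:B7:60:31:E5:E0:13:8F:8D:D3:9A:23:F9:DE:"
                   "47:FF:C3:5E:43:C1:14:4C:EA:27:D4:6A:5A:B1:CB:5F")
# Constructed stand-in bytes (a tiny ASN.1 SEQUENCE), not a real certificate.
SAMPLE_DER = b"\x30\x03\x02\x01\x01"
_PEM_RE = re.compile(
    rb"-----BEGIN CERTIFICATE-----(.*?)-----END CERTIFICATE-----", re.DOTALL)


def cert_der_bytes(raw: bytes) -> bytes:
    """Return the DER bytes of a .cer file, which may be PEM text or raw DER."""
    blocks = _PEM_RE.findall(raw)
    if len(blocks) > 1:
        raise ValueError("expected one certificate, found a bundle")
    if blocks:
        return base64.b64decode(b"".join(blocks[0].split()), validate=True)
    if not raw.startswith(b"\x30"):  # every DER certificate is an ASN.1 SEQUENCE
        raise ValueError("neither PEM nor DER certificate data")
    return raw


def sha256_fingerprint(raw: bytes) -> str:
    """SHA256 over the DER encoding, in keytool's colon-separated uppercase form."""
    digest = hashlib.sha256(cert_der_bytes(raw)).hexdigest().upper()
    return ":".join(digest[i:i + 2] for i in range(0, len(digest), 2))


def _hex_only(fingerprint: str) -> str:
    """Drop separators and case so differently formatted fingerprints compare equal."""
    return re.sub(r"[^0-9A-F]", "", fingerprint.upper())


def matches_expected(raw: bytes, expected: str = EXPECTED_SHA256) -> bool:
    want = _hex_only(expected)
    if len(want) != 64:
        raise ValueError("expected value is not a SHA256 fingerprint")
    return hmac.compare_digest(_hex_only(sha256_fingerprint(raw)), want)


if __name__ == "__main__":
    data = open(sys.argv[1], "rb").read() if len(sys.argv) > 1 else SAMPLE_DER
    print(sha256_fingerprint(data))
    sys.exit(0 if matches_expected(data) else 1)
```

A non-zero exit status means the file does not hash to the fingerprint listed in this article and should not be copied over the existing certificate.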

Attachments

login_microsoftonline.cer