There is a requirement to switch from a publicly trusted CA (certificate authority) to an internal CA.
After adding the Internal Root CA and Internal Intermediate CA certs to the cert-bundle.cert file on the Access Gateway, the /example calls still fail certificate validation.
The Access Gateway server.log shows the error:
[dd/mm/yyyy:13:55:58-246] [INFO] - yyyy-mm-ddT13:55:58.246-0400 ERROR postToAgent - I/O error occured when connecting to "https://myexample-ag.example.com/example/"
[dd/mm/yyyy:13:55:58-246] [INFO] - yyyy-mm-ddT13:55:58.246-0400 ERROR postToAgent - javax.net.ssl.SSLHandshakeException: PKIX path building failed: sun.security.provider.certpath.SunCertPathBuilderException: unable to find valid certification path to requested target
OS: Windows
Access Gateway server version: 12.8 SP7
This is a custom-designed data flow.
The /example call is a back-channel call that goes to a local host first, without contacting DNS.
This local host is not accessible directly from external traffic.
The local host is not defined in proxyrules.xml.
Based on the above factors, the /example back-channel request does NOT go through proxyrules.xml, so the cert-bundle.cert file never kicks in.
That is, adding certs to the cert-bundle.cert file will not help in this situation.
The error is not encountered while proxying to the back-end application server; the request stops earlier, at the Tomcat Java layer, where the JVM's own SSL layer cannot verify the server certificate because the root CA that signed it is not in the JVM truststore.
Note: The solution belongs to a 3rd-party product, outside the core Broadcom support scope, hence the steps are informational only.
Please back up the existing installation before making any changes.
keytool can be found in the bin directory of the Java installation (e.g. C:/Program Files (x86)/Java/jre1.8/bin/keytool.exe).
//This will list all the certs inside the default keystore, so one can verify that the new certs are NOT in it yet.
keytool -list -v -keystore "C:\Program Files\Java\jre1.8.0_202\lib\security\cacerts"
The command will prompt for the storepass; use Oracle's default value "changeit" if it was never changed.
//Import the new certs into the store with the -trustcacerts flag (one keytool run per cert, each with its own alias, for the Root CA and the Intermediate CA)
keytool -import -alias myrootCA -trustcacerts -file /path/to/server.cer -keystore "path/to/cacerts"
List all the certs again to verify that the new entries are present.
After that, restart the Access Gateway and test the application.
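The procedure above (back up, check, import root and intermediate, verify) as a single script, written as an added example for this article and not taken from the product or from Broadcom documentation; the JRE path, certificate file paths, aliases and storepass are assumptions to be adjusted for the actual installation.

```powershell
# Added example (not part of the original article): import an internal Root CA and
# Intermediate CA into the JVM truststore (cacerts) that the Access Gateway's Tomcat layer uses.
# JRE path, cert file paths, aliases and storepass are assumptions; adjust them to the real install.
$JavaHome  = "C:\Program Files\Java\jre1.8.0_202"          # assumed JRE used by Access Gateway
$Keytool   = Join-Path $JavaHome "bin\keytool.exe"
$Cacerts   = Join-Path $JavaHome "lib\security\cacerts"
$StorePass = "changeit"                                     # Oracle default; change if it was rotated

# Certs to trust: alias => certificate file. Root first, then intermediate, so keytool can
# build the full path from the imported intermediate up to an already trusted anchor.
$Certs = [ordered]@{
    "internal-root-ca"         = "C:\certs\InternalRootCA.cer"          # placeholder path
    "internal-intermediate-ca" = "C:\certs\InternalIntermediateCA.cer"  # placeholder path
}

# Back up the truststore before touching it.
Copy-Item $Cacerts "$Cacerts.bak-$(Get-Date -Format yyyyMMddHHmmss)"

foreach ($alias in $Certs.Keys) {
    # "keytool -list -alias" exits non-zero when the alias is absent; use that as an existence check.
    & $Keytool -list -keystore $Cacerts -storepass $StorePass -alias $alias *> $null
    if ($LASTEXITCODE -eq 0) {
        Write-Host "alias '$alias' already present, skipping"
        continue
    }
    # -trustcacerts lets keytool validate the new cert against what is already in cacerts;
    # -noprompt suppresses the interactive "Trust this certificate?" question.
    & $Keytool -importcert -trustcacerts -noprompt -alias $alias `
        -file $Certs[$alias] -keystore $Cacerts -storepass $StorePass
    if ($LASTEXITCODE -ne 0) { throw "import of '$alias' failed" }
}

# Verify: print the entry (owner, issuer, fingerprints) for each alias that was just imported.
foreach ($alias in $Certs.Keys) {
    & $Keytool -list -v -keystore $Cacerts -storepass $StorePass -alias $alias
}
```

Run it from an elevated prompt, since cacerts lives under Program Files, and restart the Access Gateway afterwards so the Tomcat JVM reloads the truststore.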