"Unable to find valid certification path to requested target" in arcotafm.log

Article ID: 72833


Products

CA Advanced Authentication, CA Strong Authentication, CA Risk Authentication

Issue/Introduction

AFM fails to connect to State Manager over HTTPS.
arcotafm.log shows the following error:

2018-03-06 17:25:38,859 [https-jsse-nio-8443-exec-6] ERROR toksvr.client.SimpleTSClientImpl(324)  -> Unable to send request to server!
javax.net.ssl.SSLHandshakeException: sun.security.validator.ValidatorException: PKIX path building failed: sun.security.provider.certpath.SunCertPathBuilderException: unable to find valid certification path to requested target
    at sun.security.ssl.Alerts.getSSLException(Alerts.java:192)
    at sun.security.ssl.SSLSocketImpl.fatal(SSLSocketImpl.java:1959)

Environment

CA Advanced Authentication : 9.x
App Server : Apache Tomcat

Cause

The customer had the following set in arcotafm.properties:

  • ArcotSMTrustStore=/certs/tsclient.truststore
  • ArcotSMTrustStorePassword=123456

where ArcotSMTrustStore specifies the path where the root CA SSL certificate of State Manager needs to be present.

The customer did import the root CA SSL certificate into a tsclient.truststore file, but at the wrong location.
They imported the root CA SSL certificates into the tsclient.truststore file located at: <ARCOT_HOME>/adapterAFM/certs

[<Current Working Directory>]# pwd
/opt/CA/AdvAuth/adapterAFM/certs
[<Current Working Directory>]# ls -ltr
total 8
-rwxr-xr-x. 1 root root 2402 Jan 30 00:23 tsclient.keystore
-rwxr-xr-x. 1 root root 1024 Jan 30 00:23 tsclient.truststore

The location where the Application Server looks for the root CA certificates is described below:
The root CA certificates need to be imported into the <tomcat>/webapps/arcotafm/WEB-INF/classes/certs/tsclient.truststore file.

/opt/apache-tomcat-8.5.24/webapps/arcotafm/WEB-INF/classes/certs
[root@I4491 certs]# ls -latr
total 40
-rw-r-----. 1 root root 1024 Jul 21  2017 tsclient.truststore
-rw-r-----. 1 root root 2402 Jul 21  2017 tsclient.keystore

Resolution

Import the root CA SSL certificate of State Manager into the tsclient.truststore file located at "<tomcat>/webapps/arcotafm/WEB-INF/classes/certs/".

This example uses Tomcat as the Application Server. Your Application Server may be a different one (for example, Oracle WebLogic or IBM WebSphere).
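The following shell helpers are an added example, not part of the original article or the vendor's tooling. They resolve which truststore file AFM actually loads from the ArcotSMTrustStore property, flag a file at any other location, and import the root CA with keytool; the Tomcat home, alias and certificate file name are placeholders, and the classpath mapping is inferred from the two paths shown in this article.

```shell
#!/bin/sh
# Added example, not vendor code. Tomcat home, alias and certificate file name
# are placeholders. The classpath mapping below is inferred from the article:
# ArcotSMTrustStore=/certs/tsclient.truststore is loaded from
# <tomcat>/webapps/arcotafm/WEB-INF/classes/certs/tsclient.truststore.

# Print the ArcotSMTrustStore value from an arcotafm.properties file ($1).
afm_truststore_prop() {
    sed -n 's/^[[:space:]]*ArcotSMTrustStore[[:space:]]*=[[:space:]]*//p' "$1" |
        tail -n 1 | sed 's/[[:space:]]*$//'
}

# Print the truststore file the web application actually loads.
# $1 = Tomcat home, $2 = arcotafm.properties
afm_effective_truststore() {
    rel=$(afm_truststore_prop "$2")
    [ -n "$rel" ] || { echo "ArcotSMTrustStore not set in $2" >&2; return 1; }
    printf '%s/webapps/arcotafm/WEB-INF/classes/%s\n' "${1%/}" "${rel#/}"
}

# Succeed only if $3 is the file AFM loads; otherwise name the right one.
# $1 = Tomcat home, $2 = arcotafm.properties, $3 = truststore you edited
afm_is_effective_store() {
    want=$(afm_effective_truststore "$1" "$2") || return 2
    [ "$3" = "$want" ] && return 0
    echo "AFM does not read $3; it reads $want" >&2
    return 1
}

# Import the State Manager root CA ($2) under alias $3 into truststore $1,
# then list that alias to confirm the entry exists. The store password is
# read from the exported AFM_TS_PASS variable to keep it off the command line.
afm_import_root_ca() {
    keytool -importcert -noprompt -trustcacerts -alias "$3" -file "$2" \
        -keystore "$1" -storepass:env AFM_TS_PASS &&
    keytool -list -alias "$3" -keystore "$1" -storepass:env AFM_TS_PASS
}

# Usage (placeholders; export AFM_TS_PASS first):
#   ts=$(afm_effective_truststore /opt/apache-tomcat-8.5.24 /path/to/arcotafm.properties)
#   afm_import_root_ca "$ts" statemanager-rootca.pem statemanager-rootca
```

Running afm_is_effective_store against the file you imported into shows immediately whether the certificate went into the copy under <ARCOT_HOME>/adapterAFM/certs rather than the one the web application reads.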

Additional Information

None.