"Unable to find valid certification path to requested target" in arcotafm.log
search cancel

"Unable to find valid certification path to requested target" in arcotafm.log


Article ID: 72833


Updated On:


CA Advanced Authentication CA Strong Authentication CA Risk Authentication


AFM fails to connect to State Manager on HTTPS
arcotafm.log shows following error :

2018-03-06 17:25:38,859 [https-jsse-nio-8443-exec-6] ERROR toksvr.client.SimpleTSClientImpl(324)  -> Unable to send request to server!
javax.net.ssl.SSLHandshakeException: sun.security.validator.ValidatorException: PKIX path building failed: sun.security.provider.certpath.SunCertPathBuilderException: unable to find valid certification path to requested target
    at sun.security.ssl.Alerts.getSSLException(Alerts.java:192)
    at sun.security.ssl.SSLSocketImpl.fatal(SSLSocketImpl.java:1959)


CA Advanced Authentication : 9.x
App Server : Apache Tomcat


Customer had the following set in arcotafm.properties :

  • ArcotSMTrustStore=/certs/tsclient.truststore 
  • ArcotSMTrustStorePassword=123456 

ArcotSMTrustStore specifies the path where the root  CA SSL certificate of State Manager needs to be present.

Customer did import the root CA SSL certificate to the tsclient.truststore file but at the wrong location.
They did import the root CA SSL certs to the tsclient.truststore file located at : <ARCOT_HOME>/adapterAFM/certs

[<Current Working Directory>]# pwd
[<Current Working Directory>]# ls -ltr
total 8
-rwxr-xr-x. 1 root root 2402 Jan 30 00:23 tsclient.keystore
-rwxr-xr-x. 1 root root 1024 Jan 30 00:23 tsclient.truststore

The location the Application Server looks for the root CA certificates needs to be specified as discussed  below:
The root CA certs needs to be imported to <tomcat>/webapps/arcotafm/WEB-INF/classes/certs/tsclient.truststore file.

[root@I4491 certs]# ls -latr
total 40
-rw-r-----. 1 root root 1024 Jul 21  2017 tsclient.truststore
-rw-r-----. 1 root root 2402 Jul 21  2017 tsclient.keystore



Import the root CA SSL certificate of State Manager into tsclient.truststore that is located at "<tomcat>/webapps/arcotafm/WEB-INF/classes/certs/"

Here in this example the Application Server as Tomcat is used. Your Application server may be one of your choice (for example Oracle Weblogic, IBM Websphere etc.) 

Additional Information