After installing APM 10.7 HF 24 seeing PKIX path building failed: sun.security.provider.certpath.SunCertPathBuilderException: unable to find valid certification path to requested target
search cancel

After installing APM 10.7 HF 24 seeing PKIX path building failed: sun.security.provider.certpath.SunCertPathBuilderException: unable to find valid certification path to requested target

book

Article ID: 125732

calendar_today

Updated On:

Products

CA Application Performance Management Agent (APM / Wily / Introscope) INTROSCOPE

Issue/Introduction

After installing APM 10.7 HF 24. seeing in logs repeating PKIX path building failed: sun.security.provider.certpath.SunCertPathBuilderException: unable to find valid certification path to requested target 

Environment

APM 10.7/10.8

Cause

The issue is that the customer's trust store does not contain the appropriate certificate. 
. Their Jetty configuration specifies their own key store but they kept the trust store unchanged. Inspecting the trust stores shows that they are unmodified from how they were delivered by installer.

Resolution

Import the "CN=AddTrust External CA Root, OU=AddTrust External TTP Network, O=AddTrust AB, C=SE" certificate---the root CA certificate for their server certificate---into the config/internal/server/keystore so that it can be used to trust certificates sent by other parts of the cluster. This root CA is part of the JRE that is shipped with EM, so they can export if from jre/lib/security/cacerts with "keytool -exportcert -v -alias addtrustexternalca -file addtrustexternalca.crt -keystore cacerts -storepass changeit" and then import it into config/internal/server/keystore with "keytool -importcert -v -trustcacerts -alias addtrustexternalca -storepass password -keystore keystore -file addtrustexternalca.crt".