After installing APM 10.7 HF 24 seeing PKIX path building failed: sun.security.provider.certpath.SunCertPathBuilderException: unable to find valid certification path to requested target
book
Article ID: 125732
calendar_today
Updated On:
Products
CA Application Performance Management Agent (APM / Wily / Introscope)INTROSCOPE
Issue/Introduction
After installing APM 10.7 HF 24. seeing in logs repeating PKIX path building failed: sun.security.provider.certpath.SunCertPathBuilderException: unable to find valid certification path to requested target
Environment
APM 10.7/10.8
Cause
The issue is that the customer's trust store does not contain the appropriate certificate. . Their Jetty configuration specifies their own key store but they kept the trust store unchanged. Inspecting the trust stores shows that they are unmodified from how they were delivered by installer.
Resolution
Import the "CN=AddTrust External CA Root, OU=AddTrust External TTP Network, O=AddTrust AB, C=SE" certificate---the root CA certificate for their server certificate---into the config/internal/server/keystore so that it can be used to trust certificates sent by other parts of the cluster. This root CA is part of the JRE that is shipped with EM, so they can export if from jre/lib/security/cacerts with "keytool -exportcert -v -alias addtrustexternalca -file addtrustexternalca.crt -keystore cacerts -storepass changeit" and then import it into config/internal/server/keystore with "keytool -importcert -v -trustcacerts -alias addtrustexternalca -storepass password -keystore keystore -file addtrustexternalca.crt".