Clarity XOG with HTTPS fails with error: "PKIX path building failed, unable to find valid certification path to requested target."
Article ID: 227031
Updated On:
Products
Issue/Introduction
You have an HTTPS Clarity setup on Linux and HTTPS Jaspersoft setup and communicating with Clarity over HTTPS. Both web applications are reachable via HTTPS and HTTPS and working on the server and between Jaspersoft and Clarity. You are trying to get the XOG client and XOGin a gel script to work over HTTPS.
When running the XOG client on the Clarity application server, you get the following errors:
handshake_failurebroken pipeXOG Invoke Failed
With ssl debug on in xog you get additional errors: X509Authentication - No X.509 cert selected for EC, RSA, RSASSA-PSS, DSA.
When running a XOG within a gel script (the same script works over HTTP) you get this error:
PKIX path building failed, unable to find valid certification path to requested target.
When running the XOG client on a windows computer that can connect to the Clarity HTTPS web app via the browser You get the following errors:
Xog Invoke FailedConnection refused- Some references to https.HttpsClient and ssl.sslsocket.
For the XOG client on the server, how does it know what certificate to send and where does it get it from? Does it use the same one in NSA? Do you need to put something in Java to specify the private key?
For the XOG in a gel script, do you need to send a certification? If so how? Does it use the NSA settings?
The same questions apply when on a windows client.
Environment
Release : All Supported Releases
Resolution
- Locate the Keystore location in the JRE.
Typically this keystore is at JAVA_HOME\jre\lib\security\cacerts -- OR -- JAVA_HOME\lib\security\cacerts
The keytool that is used to access the keystore is typically installed with the JRE and ready to use. - Run the standard keytool to import the certificate, from JAVA_HOME\jre\lib\security.
keytool -import -trustcacerts -alias cert -file C:\temp\Cert.cer -keystore cacerts
- When prompted Enter keystore password:, enter "changeit". (By default keystores have a password of "changeit")
- When prompted Trust this certificate? [no]:, enter "yes".
This imports the certificate into the keystore and displays the message: "Certificate was added to keystore".
- Open the Clarity URL and click the lock icon.
- Open the certificate.
- Go to details and note the signature algorithm.
For example: SHA256 - Note the value for Public Key
For example: RSA (2048) - Go to your web browser Developer Tools > Security and look for the cipher being used by the clarity server.
For example: - List the ciphers supported by your XOG client JAVA home.
- Open the attached Main.txt file.
- Rename to Main.java.
<XOG JAVA_HOME>/bin/javac Main.java - Run the application
<XOG JAVA_HOME>/bin/java Main
This will output a list of ciphers supported by the JVM - The cipher listed in step 7 (the screenshot above) should appear in this output.
- Open /opt/clarity/tomcat-app-deploy/conf/server.xml
- Validate whether the cipher from step 7 (the screenshot above) is being forced or not
For example:
<Connector port="443" maxHttpHeaderSize="8192" address="192.168.1.1"enableLookups="false" disableUploadTimeout="true"acceptCount="100" scheme="https" secure="true" clientAuth="false"keystoreFile="SomeDir/SomeFile.key" keystorePass="Poodle"truststoreFile="SomeDir/SomeFile.truststore" truststorePass="HomeRun"sslProtocol="TLSv1, TLSv1.1, TLSv1.2"
ciphers="TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA384,
TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA384,.... -
Add the cipher here if it is missing
Additional Information
We can use "openssl s_client -connect ppm.server.com:443" to get the complete chain of certificates and validate if what certificates we imported are the right ones.
Note: If the issue started happening after Java upgrade, as workaround you can repoint Clarity to the previous Java install in properties.xml & restart the services.
Attachments
Feedback
