Catalog is unable to connect to ITPAM and noted below error in view.log (under Catalog install's log directory):

[ITPAMWebserviceManager] Catalog connection to ITPAM failed.
org.apache.axis.AxisFault: ; nested exception is: javax.net.ssl.SSLHandshakeException: PKIX path building failed: sun.security.provider.certpath.SunCertPathBuilderException: unable to find valid certification path to requested target

Same logging may also include:

 [ITPAMQueueManager] Queue: itpam is being blocked.

Issue may arise after a recent RU update to the environment.

Release : 17.3  RU19 or higher and all later releases

CA Service Catalog/Process Automation

PAM certificate missing in Catalog trust store

In the case of certain RU updates, OpenJDK may also be upgraded to remediate vulnerabilities.

Catalog application JDK is located at "USM_HOME/embedded/jdk", where USM_HOME indicates Catalog installation directory.

Once this folder is replaced with the latest content, all the certificates that are imported into the trust store are removed and need to be reimported

1. Download the PAM certificate from the browser or fetch it from PAM Server.
   
   
   
2. Import the certificate into the truststore of CA Service Catalog using keytool command. Open command prompt in 'USM_HOME\embedded\jdk\bin' and execute following command
   

   keytool -import -alias ITPAM -file <PAM.cer> -keystore "C:\Program Files\CA\Service Catalog\embedded\jdk\lib\security\cacerts"

   
   
   Note: Replace <PAM.cer> with PAM certificate location. 

Keytool.exe is a utility that comes with any Java implementation.  You may need to include the path to the executable.  Example:

C:\java-install\bin\keytool.exe -import -alias ITPAM -file <PAM.cer> -keystore "C:\Program Files\CA\Service Catalog\embedded\jdk\lib\security\cacerts"