|Applies To||RSA Product Set: RSA Identity Governance & Lifecycle|
RSA Version/Condition: 7.0.x, 7.1.x, 7.2.x
|Issue||After creating a RESTful web service AFX connector, the connector shows with a Running status but a test of the connector fails with:|
javax.net.ssl.SSLHandshakeException: sun.security.validator.ValidatorException: PKIX path.
- Connector in a Running state:
- Output from a test of the connector:
- Accessing the same URL via a REST/SOAP tool has no issues:
|Cause||The SSL certificate for the REST API URL being accessed is not trusted in the RSA Identity Governance & Lifecycle truststore.|
|Resolution||Download the SSL certificate used by the URL being accessed and load it into the truststore. The example below shows how to obtain the certificate using Firefox and add the certificate to the truststore.|
- Launch Firefox.
- Open the URL being accessed by the AFX RESTful web service connector.
- In the left-hand corner, click on the lock icon or the Info button to see the certificate issuer.
- Click the > at the right for more details.
- Click the More Information button.
- Click View Certificate.
- Scroll down until you see the Download option:
PEM (cert) PEM (chain)
- Click on PEM (cert) to download the certificate in PEM format.
- Import the certificate to the JVM cacert as the root user:
keytool -importcert -alias startssl -keystore $JAVA_HOME/jre/lib/security/cacerts -storepass changeit
-file <path to the cert saved in step 7a>
- After importing the certificate, restart the AFX server as the afx user: