000031132 - IMG on websphere - collector SSL test fails

Document created by RSA Customer Support Employee on Jun 14, 2016. Last modified by RSA Customer Support Employee on Apr 21, 2017.
Version 2

Article Content

Article Number: 000031132
Applies To:
RSA Product Set: Identity Management and Governance
RSA Product/Service Type: Enterprise Software
RSA Version/Condition: 6.8.1
Platform: WebSphere
Platform (Other): null
O/S Version: null
Product Name: RSA-0018011
Product Description: Access Request Manager
Issue: IMG 6.9.1 is running on WebSphere. When attempting a collection over LDAPS, the test connection fails with an SSL certificate chaining error indicating that the certificate issued by the CA is not trusted. The server.keystore, which already has the trusted root imported, has been made available to WebSphere, as well as the trusted root certificate.
Symptom:  aveksaServer.log shows: 
(timestamp) INFO (Thread-87) [SystemOut] CWPKI0022E: SSL HANDSHAKE FAILURE: A signer with SubjectDN "hostname" was sent from target host:port "null:null". The signer may need to be added to local trust store "/home/oracle/fulfillment-handlers/security/cacerts" located in SSL configuration alias "DefaultSystemProperties" loaded from SSL configuration file "System Properties". The extended error message from the SSL handshake exception is: 
"PKIX path building failed: java.security.cert.CertPathBuilderException: PKIXCertPathBuilderImpl could not build a valid CertPath.; 
internal cause is: 
java.security.cert.CertPathValidatorException: The certificate issued by (the CA) is not trusted; 
internal cause is: 
java.security.cert.CertPathValidatorException: Certificate chaining error". 
Cause: The server.keystore, which already has the trusted root imported, has been made available to WebSphere, as well as the trusted root certificate, as per the installation documentation. However, in some instances, the trusted root needs to be in an additional location.
Resolution: Put the trusted root certificate into the directory specified by the error; in this example it is
/home/oracle/fulfillment-handlers/security/cacerts
Then restart the application in WebSphere.
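
The CWPKI0022E message names the trust store the JVM actually consulted, which is how the additional location is identified. The following is an added example, not part of the RSA article: it extracts the signer and trust store from such log lines and flags any store other than server.keystore. The function names, the sample timestamp and the signer name are constructed for illustration.

```python
import re

# Constructed sample modelled on the aveksaServer.log excerpt above
# (timestamp and signer name are placeholders).
SAMPLE_LOG = '''\
2016-06-14 10:15:02 INFO (Thread-87) [SystemOut] CWPKI0022E: SSL HANDSHAKE FAILURE: A signer with SubjectDN "CN=Example Root CA" was sent from target host:port "null:null". The signer may need to be added to local trust store "/home/oracle/fulfillment-handlers/security/cacerts" located in SSL configuration alias "DefaultSystemProperties" loaded from SSL configuration file "System Properties". The extended error message from the SSL handshake exception is:
"PKIX path building failed: java.security.cert.CertPathBuilderException: PKIXCertPathBuilderImpl could not build a valid CertPath.;
internal cause is:
java.security.cert.CertPathValidatorException: Certificate chaining error".
2016-06-14 10:15:03 INFO (Thread-87) [SystemOut] unrelated line
'''

# Field layout of the CWPKI0022E message as it appears in the log excerpt.
CWPKI0022E = re.compile(
    r'CWPKI0022E: SSL HANDSHAKE FAILURE: A signer with SubjectDN "(?P<signer>[^"]*)" '
    r'was sent from target host:port "(?P<target>[^"]*)"\. '
    r'The signer may need to be added to local trust store "(?P<trust_store>[^"]*)" '
    r'located in SSL configuration alias "(?P<alias>[^"]*)" '
    r'loaded from SSL configuration file "(?P<config_file>[^"]*)"'
)

def find_untrusted_signers(log_text, expected_store_name="server.keystore"):
    """Return one dict per CWPKI0022E event found in log_text."""
    findings = []
    for match in CWPKI0022E.finditer(log_text):
        event = match.groupdict()
        # The store named in the message is the one the JVM consulted; flag it
        # when it is not the keystore the administrator already populated.
        event["unexpected_store"] = not event["trust_store"].endswith(expected_store_name)
        findings.append(event)
    return findings

def missing_signers_by_store(log_text):
    """Group the signers that need importing by the trust store that lacked them."""
    by_store = {}
    for event in find_untrusted_signers(log_text):
        by_store.setdefault(event["trust_store"], set()).add(event["signer"])
    return by_store

if __name__ == "__main__":
    for store, signers in missing_signers_by_store(SAMPLE_LOG).items():
        print(f"{store}: import trusted root for {sorted(signers)}")
```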
