Article Content
Article Number | 000031132 |
Applies To | RSA Product Set: Identity Management and Governance; RSA Product/Service Type: Enterprise Software; RSA Version/Condition: 6.8.1; Platform: WebSphere; Product Name: RSA-0018011; Product Description: Access Request Manager |
Issue | IMG 6.9.1 running on WebSphere. When trying to run a collection over LDAPS, the test connection fails with an SSL certificate chaining error indicating that the certificate issued by the CA is not trusted. The trusted root certificate has already been imported into server.keystore and made available to WebSphere. Symptom: aveksaServer.log shows: (timestamp) INFO (Thread-87) [SystemOut] CWPKI0022E: SSL HANDSHAKE FAILURE: A signer with SubjectDN "hostname" was sent from target host:port "null:null". The signer may need to be added to local trust store "/home/oracle/fulfillment-handlers/security/cacerts" located in SSL configuration alias "DefaultSystemProperties" loaded from SSL configuration file "System Properties". The extended error message from the SSL handshake exception is: "PKIX path building failed: java.security.cert.CertPathBuilderException: PKIXCertPathBuilderImpl could not build a valid CertPath.; internal cause is: java.security.cert.CertPathValidatorException: The certificate issued by (the CA) is not trusted; internal cause is: java.security.cert.CertPathValidatorException: Certificate chaining error". |
Cause | The trusted root certificate has already been imported into server.keystore and made available to WebSphere, as per the installation documentation. However, in some instances the trusted root also needs to be present in an additional location: the local trust store named in the CWPKI0022E error message, which the JVM consults for this connection. |
Resolution | Import the trusted root certificate into the trust store specified by the error message (in this example /home/oracle/fulfillment-handlers/security/cacerts), then restart the application in WebSphere. |
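As an added example (not part of the RSA article), the following Python script pulls the trust store path and the untrusted issuer out of a CWPKI0022E line such as the one above, and wraps the keytool check and import a practitioner would run against that store. It assumes a JDK keytool on PATH and the default keystore password changeit; the sample log line, host name and CA name are constructed.

```python
import re
import subprocess

# Constructed sample line, modelled on the one quoted in the article; the
# SubjectDN and issuer names are made up.
SAMPLE_LOG = (
    '2016-01-01 10:00:00 INFO (Thread-87) [SystemOut] CWPKI0022E: SSL HANDSHAKE FAILURE: '
    'A signer with SubjectDN "CN=ldap.example.com" was sent from target host:port "null:null". '
    'The signer may need to be added to local trust store '
    '"/home/oracle/fulfillment-handlers/security/cacerts" located in SSL configuration alias '
    '"DefaultSystemProperties" loaded from SSL configuration file "System Properties". '
    'The extended error message from the SSL handshake exception is: "PKIX path building failed: '
    'java.security.cert.CertPathBuilderException: PKIXCertPathBuilderImpl could not build a valid '
    'CertPath.; internal cause is: java.security.cert.CertPathValidatorException: '
    'The certificate issued by CN=Example Root CA is not trusted; internal cause is: '
    'java.security.cert.CertPathValidatorException: Certificate chaining error"'
)

HANDSHAKE_RE = re.compile(
    r'CWPKI0022E:.*?SubjectDN "(?P<subject>[^"]*)".*?local trust store "(?P<truststore>[^"]*)"'
    r'.*?configuration alias "(?P<alias>[^"]*)".*?configuration file "(?P<config>[^"]*)"'
)
ISSUER_RE = re.compile(r'The certificate issued by (?P<issuer>.+?) is not trusted')


def parse_handshake_failure(line):
    """Return trust store details from a CWPKI0022E log line, or None if it is not one."""
    m = HANDSHAKE_RE.search(line)
    if not m:
        return None
    info = m.groupdict()
    issuer = ISSUER_RE.search(line)
    info["issuer"] = issuer.group("issuer") if issuer else None
    # "System Properties" means the JVM took this path from its own SSL system
    # properties, so a CA present only in the WebSphere server.keystore is not seen here.
    info["from_system_properties"] = info["config"] == "System Properties"
    return info


def keytool_cmd(truststore, alias, ca_pem=None, storepass="changeit"):
    """keytool -list to check for the alias, or -importcert to add the CA under it."""
    common = ["-keystore", truststore, "-storepass", storepass, "-alias", alias]
    if ca_pem is None:
        return ["keytool", "-list"] + common
    return ["keytool", "-importcert", "-noprompt", "-trustcacerts"] + common + ["-file", ca_pem]


def ensure_trusted(truststore, alias, ca_pem, storepass="changeit"):
    """Import the CA into the named trust store unless the alias is already present."""
    if subprocess.run(keytool_cmd(truststore, alias, storepass=storepass), capture_output=True).returncode == 0:
        return "already-present"
    subprocess.run(keytool_cmd(truststore, alias, ca_pem, storepass), check=True)
    return "imported"
```

After ensure_trusted() reports "imported", the application still has to be restarted in WebSphere for the JVM to reload the trust store.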