000033298 - How to fix the ValidatorException: PKIX path SSL certificate error when connecting to AFX Restful webservice in RSA Via Lifecycle and Governance

Document created by RSA Customer Support Employee on Jun 16, 2016. Last modified by RSA Customer Support Employee on Apr 21, 2017.
Version 6

Article Content

Article Number: 000033298
Applies To: RSA Product Set: RSA Via Lifecycle and Governance (RSA Via L&G)
RSA Product/Service Type: Appliance
RSA Version/Condition: 7.0
Platform: Wildfly
Issue: While attempting to connect to a RESTful web service through an AFX connector, the following certificate error is returned:
javax.net.ssl.SSLHandshakeException: sun.security.validator.ValidatorException: PKIX path.

The connector will be created successfully and it will be in "Running" state. However, when clicking Test Connector or Test Connector Capabilities, the certificate error displays.

The error displays when testing the connector; in a few cases it might not show the certificate error in the URL.

When trying with SoapUI, there are no issues.
Resolution: Replacing the AFX folder and certificate fixes this issue. Follow the steps below:
  1. Launch Firefox.
  2. Open the URL.
  3. In the left-hand corner, click the lock icon or the Info button to see the certificate issuer.
  4. Optionally click the > at the right for more details.
  5. Click the More Information button.
  6. Click View Certificate.  
  7. Switch to the Details tab to export the certificate in either .cer or .pem format.
    a. Click Export and save the file in the correct format.
  8. Import the certificate into the JVM cacerts trust store. The command to import the certificate is:

     keytool -importcert -alias startssl -keystore $JAVA_HOME/jre/lib/security/cacerts -storepass changeit -file <path to the cert saved in step 7a>

  9. After importing the certificate, restart the AFX server.
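
The keytool import described above can be wrapped with a few checks. The script below is an added example, not part of the original RSA article: it compares the exported file's SHA-256 fingerprint with one obtained separately (for example from the service owner), refuses to overwrite an existing alias, and backs up cacerts before importing. The function names, alias, file paths and backup suffix are assumptions; the keystore location and the changeit password are those in the command above.

```shell
#!/bin/sh
# Added example, not RSA's script. The alias, certificate path and backup suffix
# are illustrative; the keystore path and "changeit" come from the article's command.

# cert_sha256 CERT_FILE -> prints the SHA-256 fingerprint reported by keytool.
# Assumes keytool's English "SHA256: AA:BB:..." output line.
cert_sha256() {
  keytool -printcert -file "$1" | sed -n 's/^[[:space:]]*SHA256: *//p' | head -n 1
}

# import_trusted_cert CERT_FILE ALIAS EXPECTED_SHA256 [KEYSTORE] [STOREPASS]
# Exit status: 0 ok, 2 bad input, 3 fingerprint mismatch, 4 alias exists, 5 cp/keytool failure.
# The body is a subshell, so variables stay local and "exit" only ends the function.
import_trusted_cert() (
  cert=$1; entry=$2
  expected=$(printf '%s' "$3" | tr 'a-f' 'A-F')
  ks=${4:-$JAVA_HOME/jre/lib/security/cacerts}
  pass=${5:-changeit}

  [ -s "$cert" ] || { echo "missing or empty certificate file: $cert" >&2; exit 2; }
  [ -f "$ks" ] || { echo "keystore not found: $ks" >&2; exit 2; }

  # Compare the exported file with a fingerprint obtained separately, so that
  # only the intended certificate becomes a trust anchor for the JVM.
  actual=$(cert_sha256 "$cert")
  if [ -z "$actual" ] || [ "$actual" != "$expected" ]; then
    echo "fingerprint mismatch: got '$actual'" >&2
    exit 3
  fi

  # Do not silently replace an existing entry.
  if keytool -list -keystore "$ks" -storepass "$pass" -alias "$entry" >/dev/null 2>&1; then
    echo "alias '$entry' already exists in $ks" >&2
    exit 4
  fi

  # Keep a copy of the trust store for rollback, then import and confirm.
  cp -p "$ks" "$ks.bak.$(date +%Y%m%d%H%M%S)" || exit 5
  keytool -importcert -noprompt -alias "$entry" -keystore "$ks" \
    -storepass "$pass" -file "$cert" || exit 5
  keytool -list -keystore "$ks" -storepass "$pass" -alias "$entry" >/dev/null || exit 5
)

# Usage: sh import_cert.sh <cert file> <alias> <expected SHA-256> [keystore] [storepass]
if [ "$#" -ge 3 ]; then
  import_trusted_cert "$@"
fi
```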