000034426 - RSA Archer endpoint fails to test from UCF connection manager (Secops 1.3.x) with a new Archer 6.1 Environment

Document created by RSA Customer Support Employee on Nov 24, 2016Last modified by RSA Customer Support Employee on Apr 21, 2017
Version 3Show Document
  • View in full screen mode

Article Content

Article Number000034426
Applies ToRSA Product Set: Security Management
RSA Product/Service Type: SecOps
RSA Version/Condition: 1.3
Platform: Windows
O/S Version: Server 2012 R2
IssueClient had a fully function SA - Secops - Archer 5.5 environment. They got a new Archer 6.1 installed. Tried to edit the Archer endpoints on the UCF connection manager and it fails. 
17 Nov 2016 08:54:58,538 | ERROR - SAIMArcherEndpoint.testEndpointConnection(103) | Failed to test the Archer Endpoint connection
javax.net.ssl.SSLHandshakeException: sun.security.validator.ValidatorException: PKIX path building failed: sun.security.provider.certpath.SunCertPathBuilderException: unable to find valid certification path to requested target
    at sun.security.ssl.Alerts.getSSLException(Unknown Source)
    at sun.security.ssl.SSLSocketImpl.fatal(Unknown Source)
    at sun.security.ssl.Handshaker.fatalSE(Unknown Source)
    at sun.security.ssl.Handshaker.fatalSE(Unknown Source)
    at sun.security.ssl.ClientHandshaker.serverCertificate(Unknown Source)
    at sun.security.ssl.ClientHandshaker.processMessage(Unknown Source)
    at sun.security.ssl.Handshaker.processLoop(Unknown Source)
    at sun.security.ssl.Handshaker.process_record(Unknown Source)
    at sun.security.ssl.SSLSocketImpl.readRecord(Unknown Source)
    at sun.security.ssl.SSLSocketImpl.performInitialHandshake(Unknown Source)
    at sun.security.ssl.SSLSocketImpl.startHandshake(Unknown Source)
    at sun.security.ssl.SSLSocketImpl.startHandshake(Unknown Source)
    at sun.net.www.protocol.https.HttpsClient.afterConnect(Unknown Source)
    at sun.net.www.protocol.https.AbstractDelegateHttpsURLConnection.connect(Unknown Source)
    at sun.net.www.protocol.http.HttpURLConnection.getOutputStream0(Unknown Source)
    at sun.net.www.protocol.http.HttpURLConnection.getOutputStream(Unknown Source)
    at sun.net.www.protocol.https.HttpsURLConnectionImpl.getOutputStream(Unknown Source)
    at com.rsa.vrm.collector.endpoint.archer.SAIMArcherEndpoint.getArcherSessionToken(SAIMArcherEndpoint.java:140)
    at com.rsa.vrm.collector.endpoint.archer.SAIMArcherEndpoint.testEndpointConnection(SAIMArcherEndpoint.java:85)
    at com.rsa.vrm.collector.connection.TestEndpointExecutable.execute(TestEndpointExecutable.java:23)
    at com.rsa.vrm.collector.client.CommandLineClient.runExecutables(CommandLineClient.java:151)
    at com.rsa.vrm.collector.client.CommandLineClient.runMenu(CommandLineClient.java:59)
    at com.rsa.vrm.collector.client.CommandLineClient.runMenu(CommandLineClient.java:62)
    at com.rsa.vrm.collector.client.CommandLineClient.run(CommandLineClient.java:37)
    at com.rsa.vrm.collector.client.CommandLineClient.main(CommandLineClient.java:26)
Caused by: sun.security.validator.ValidatorException: PKIX path building failed: sun.security.provider.certpath.SunCertPathBuilderException: unable to find valid certification path to requested target
    at sun.security.validator.PKIXValidator.doBuild(Unknown Source)
    at sun.security.validator.PKIXValidator.engineValidate(Unknown Source)
    at sun.security.validator.Validator.validate(Unknown Source)
    at sun.security.ssl.X509TrustManagerImpl.validate(Unknown Source)
    at sun.security.ssl.X509TrustManagerImpl.checkTrusted(Unknown Source)
    at sun.security.ssl.X509TrustManagerImpl.checkServerTrusted(Unknown Source)
    ... 21 more
Caused by: sun.security.provider.certpath.SunCertPathBuilderException: unable to find valid certification path to requested target
    at sun.security.provider.certpath.SunCertPathBuilder.build(Unknown Source)
    at sun.security.provider.certpath.SunCertPathBuilder.engineBuild(Unknown Source)
    at java.security.cert.CertPathBuilder.build(Unknown Source)
    ... 27 more

CauseThe endpoint is not able to see that we have new ssl certificates in place.
ResolutionDelete the existing endpoint and recreate them. Make sure that the new ssl certificates including the root certificate exist on the java cert store.
Steps to Add the certificate to the JAVA key store

  • Download and install KeyStore Explorer on the web server.
   NOTE: This is tool is a free open source tool and is not affiliated with RSA in any way.
  • Open KeyStore Explorer
   NOTE: When you open this the first time, you may be required to install a Java extension.
   User-added image
  • Inside of the KeyStore Explorer, clike “File” > “Open” and then navigate to the Java Keystore (“cacerts” is the name of the file and can be searched for if you cannot find the path.).
   NOTE: In a default installation of Java, this file can be found in “C:/Program Files/Java/<Install Version>/lib/security/cacerts”.
  • You will be prompted to enter the password of the KeyStore. If this is the default KeyStore and the password has not been changed, the password will be “changeit”, without the quotes.
  • You should now see a list off each of the certificates that are currently included in the Java KeyStore.
   User-added image
  • Go to Tools -> Import Trusted Certificate or click the red ribbon/certificate icon in the menu bar.
   User-added image
  • A file browser will open. Navigate and open the certificate file that you created 
  • You may receive the following message. This is fine, just click okay and then you will manually accept the certificate trust.
   User-added image
  • You will now see a window that looks similar to this. You will not need to change anything. Click “OK”.
   User-added image
  • You will then receive the following message. Click Yes.
   User-added image
  • You will then be given the option to set an alias for the cert. This will default to the name that is assigned in the windows CA store. Click OK.
    User-added image
  • After the certificate has imported successfully, you will get the following message. Click OK.
   User-added image
   IMPORTANT: Repeat the above importing process for each certificate that you exported from Archer IIS Server. You can have anywhere from 1 to many certificates to import.
  •  Click File -> Save.
   Important: If you do not save, the import will not commit.
    User-added image
  • Close KeyStore Explorer.
  • Restart SAIM and Watchdog services.