Unable to find valid certification path error when logging on to Help Desk Admin Portal (HDAP) and Self-Service Portal (SSP) for RSA Authentication Manager Prime Kit
Originally Published: 2020-06-08
Article Number
Applies To
RSA Product/Service Type: Authentication Manager, Authentication Manager Prime
Platform: Linux
Issue
- When a user tries to authenticate to either HDAP or SSP, the authentication fails with the following message:
Authentication Failed
- Alternatively, the UI loops back to the login screen.
- The following error is in the am8.log:
2020-06-08T21:33:59,179+0200,com.rsa.ucm.am8,27,INFO ,[RESULT_STATUS]:
getContext completes in 64ms. Result: (false)
Message: org.springframework.remoting.RemoteAccessException :
Could not access HTTP invoker remote service at [/ims-ws/httpinvoker/CommandServer];
nested exception is javax.net.ssl.SSLHandshakeException:
sun.security.validator.ValidatorException:
PKIX path building failed: sun.security.provider.certpath.SunCertPathBuilderException:
unable to find valid certification path to requested target
Cause
Resolution
- Log in to the RSA Authentication Manager Prime server CLI.
- Run the following command to get the RSA Authentication Manager root certificate. Replace am84.testlab.com with your RSA Authentication Manager FQDN.
# openssl s_client -connect am84.testlab.com:7002 -showcerts CONNECTED(00000003) depth=1 CN = RSA root CA for am84.testlab.com verify error:num=19:self signed certificate in certificate chain --- Certificate chain 0 s:/CN=am84.testlab.com i:/CN=RSA root CA for am84.testlab.com -----BEGIN CERTIFICATE----- MIIDADCCAeigAwIBAgIQd7RyY5YpUjNT6BcaLREYFjANBgkqhkiG9w0BAQsFADAs MSowKAYDVQQDDCFSU0Egcm9vdCBDQSBmb3IgYW04NC5zYWJlcmxhYi5jb20wHhcN MTkwNTA5MTgzODUxWhcNMzcwMTAxMDAwMDAwWjAcMRowGAYDVQQDDBFhbTg0LnNh YmVybGFiLmNvbTCCASIwDQYJKoZIhvcNAQEBBQADggEPADCCAQoCggEBAItEiCH8 cm84nd9ak9zyLxJEjLndgPTzYBXSVmsSkO8mVRchNhg4QcoImj2Vb/oOcs3DAybC /cnNOXgACiiA0l3hKjx6Yuno8zW36wI4PO3wsIp4BYgN16WLjECArJsZilYHRMBx 4LgXVLcCNRNDVclDoWu9Tzi2XdXug+Fr1hCK74amhzHj1hmRLKxc0dO1XKaaht3G XC0kgg7Bn8zgx1EQ+0NSbJC9s8qC6pY2b3kasKAkkWx67z40zg744vZWs4cObn41 iG2WpxNGQkrrIZK+fAZ7W9tNdQFwA+PAUipmF05krh4NaJFcX/Zd9NEmHElsMHRi BrvVCUJdmorWXQUCAwEAAaMuMCwwDAYDVR0TAQH/BAIwADAcBgNVHREEFTATghFh bTg0LnNhYmVybGFiLmNvbTANBgkqhkiG9w0BAQsFAAOCAQEAjx3FxuGBQtpy1PY0 8zDK+swMQQZGrA0O7evx02hnJgialETxlH9nPA1aOlvOtds0YJNf0qrsX+auylxm 28b67e61bTzMqcJGXEnyDwVn4k1+sKi6L7q++bVaWOAFNtv3DlqcQG+oAviJsk2v PRj1OqRdcP2nVvFosaWCI5KiK9fjI9FIzKDVWM62BGyOLzSlzJPPc/q9dvi5Tqwq G4vrK82xyH0kPnOH/9edSVXypEhVRVONDPzjQ+Wm/UqQaQ6y/rny3KjUMQIqORjG psh0kbkQMPiPP7HizJiUmlC83rIkEbMjSQgUtlEyEH9C06YVyVQwWs5tRuSLV3d0 ds2oTQ== -----END CERTIFICATE----- 1 s:/CN=RSA root CA for am84.testlab.com i:/CN=RSA root CA for am84.testlab.com -----BEGIN CERTIFICATE----- MIIDFjCCAf6gAwIBAgIQQG5GCR508OGVjrg3mG5FlDANBgkqhkiG9w0BAQsFADAs MSowKAYDVQQDDCFSU0Egcm9vdCBDQSBmb3IgYW04NC5zYWJlcmxhYi5jb20wHhcN MTkwNTA5MTgzODUxWhcNMzcwMTAxMDAwMDAwWjAsMSowKAYDVQQDDCFSU0Egcm9v dCBDQSBmb3IgYW04NC5zYWJlcmxhYi5jb20wggEiMA0GCSqGSIb3DQEBAQUAA4IB DwAwggEKAoIBAQCg0dOTxAdWKfDsViAZ5tQHmJ5mxdzwrkXFDfmqVbixIr6T1GM+ nah+rfTecjkbs4Q8+VnN341eTFdTkgD0CCBdemMm1abH2YviiyqV3qYXuVggDR/J cuO66oVS2lZqbxfUaT4V/oTH2PqWFVz5XHHcLQycFgTgOuFPAzKZhb3B7HaRngGX KNjHTbXkdKeRoxtjJC0Frj9liZaxZ3XcTH9aSB5+dWNn14W81Fxb+oao/wf8O0o9 kXIZ8rzkIvKO7Btr5yz8NpqpYjm/4s8j4TXUz5dm4aJU7RQCSyEG6QpxnYinte0k DcWoCzyT3NSOYlMvm/t1rJFwH2c97gBcSBzjAgMBAAGjNDAyMBIGA1UdEwEB/wQI MAYBAf8CAQEwHAYDVR0RBBUwE4IRYW04NC5zYWJlcmxhYi5jb20wDQYJKoZIhvcN AQELBQADggEBAD5wsTkk9rEKFdp1NbLHdPjdhEn91BlMlj047Nq/5KvD85THWd73 MpM/V9Vfx3SR+t8vXmPRD1C5NlxaCR2Q9nscMX3xl337s1dVXN0BT11vzZiG3OAD 3b2yOCrGTL8NYggtgWzD9FVAnbiIqM7RduckpvpwzK2Y3weekBVAkelmWGoRuYtv CF36UUghEKYd3a4vjIJmoLasDn/meW6IQB0RO1LTggRhBRRRcxt+e2dHWc+WnDr4 lX6ODLY7U2I5+4n1Vyq/42bvXVsAuijS90khbHAx9GTo1nqTQRmUri4X9bTjH8lF e6ftQ6yfEn2Upms6uTPu66KBPED+7wZtsP4= -----END CERTIFICATE-----
- Create a new certificate file:
touch /tmp/amrootCA.cer
- Open the new /tmp/amrootCA.cer in a text editor and copy the root CA certificate into that file:
-----BEGIN CERTIFICATE----- MIIDFjCCAf6gAwIBAgIQQG5GCR508OGVjrg3mG5FlDANBgkqhkiG9w0BAQsFADAs MSowKAYDVQQDDCFSU0Egcm9vdCBDQSBmb3IgYW04NC5zYWJlcmxhYi5jb20wHhcN MTkwNTA5MTgzODUxWhcNMzcwMTAxMDAwMDAwWjAsMSowKAYDVQQDDCFSU0Egcm9v dCBDQSBmb3IgYW04NC5zYWJlcmxhYi5jb20wggEiMA0GCSqGSIb3DQEBAQUAA4IB DwAwggEKAoIBAQCg0dOTxAdWKfDsViAZ5tQHmJ5mxdzwrkXFDfmqVbixIr6T1GM+ nah+rfTecjkbs4Q8+VnN341eTFdTkgD0CCBdemMm1abH2YviiyqV3qYXuVggDR/J cuO66oVS2lZqbxfUaT4V/oTH2PqWFVz5XHHcLQycFgTgOuFPAzKZhb3B7HaRngGX KNjHTbXkdKeRoxtjJC0Frj9liZaxZ3XcTH9aSB5+dWNn14W81Fxb+oao/wf8O0o9 kXIZ8rzkIvKO7Btr5yz8NpqpYjm/4s8j4TXUz5dm4aJU7RQCSyEG6QpxnYinte0k DcWoCzyT3NSOYlMvm/t1rJFwH2c97gBcSBzjAgMBAAGjNDAyMBIGA1UdEwEB/wQI MAYBAf8CAQEwHAYDVR0RBBUwE4IRYW04NC5zYWJlcmxhYi5jb20wDQYJKoZIhvcN AQELBQADggEBAD5wsTkk9rEKFdp1NbLHdPjdhEn91BlMlj047Nq/5KvD85THWd73 MpM/V9Vfx3SR+t8vXmPRD1C5NlxaCR2Q9nscMX3xl337s1dVXN0BT11vzZiG3OAD 3b2yOCrGTL8NYggtgWzD9FVAnbiIqM7RduckpvpwzK2Y3weekBVAkelmWGoRuYtv CF36UUghEKYd3a4vjIJmoLasDn/meW6IQB0RO1LTggRhBRRRcxt+e2dHWc+WnDr4 lX6ODLY7U2I5+4n1Vyq/42bvXVsAuijS90khbHAx9GTo1nqTQRmUri4X9bTjH8lF e6ftQ6yfEn2Upms6uTPu66KBPED+7wZtsP4= -----END CERTIFICATE-----
- Check the AMIS setenv.sh file (by default it is in <Prime_installation_directory>/configs/amis/tomcat-amis/setenv.sh) to confirm the truststore.jks location and password:
#!/bin/sh # AM PRIME VARIABLES ============================================================= # OPTIONAL TO UPDATE TOMCAT_HTTPS_PORT=8443 export CATALINA_OPTS="$CATALINA_OPTS -Dkeystore.file=$AMPRIMECWD/certificates/amis_keystore_new.jks" export CATALINA_OPTS="$CATALINA_OPTS -Dkeystore.pass='password'" export CATALINA_OPTS="$CATALINA_OPTS -Dssl.alias=amis" export CATALINA_OPTS="$CATALINA_OPTS -Djavax.net.ssl.trustStore=$AMPRIMECWD/certificates/truststore.jks" export CATALINA_OPTS="$CATALINA_OPTS -Djavax.net.ssl.trustStorePassword='password'" #export CATALINA_OPTS="$CATALINA_OPTS -Dsyslog.server=logs.company.com" ...
- Import the certificate into the truststore.jks. Enter the file password when prompted. The installation directory might be different to each instance, but the file names are the same.
/opt/rsa/primekit/java/latest/bin/keytool -import -alias am8rootca \ -file /tmp/amrootCA.cer -keystore /opt/rsa/primekit/certificates/truststore.jks Enter keystore password:
- When prompted whether to trust the certificate, type yes and press Enter.
Trust this certificate? [no]: yes Certificate was added to keystore
- Restart the RSA Authentication Manager Prime Kit services:
service tomcat-amis restart service tomcat-hdap restart service tomcat-ssp restart
Notes
- The RSA Authentication Manager Prime Kit installation directory will differ from one environment to the other. The administrator should be aware of the installation directory. However, the subdirectories and file names will not change.
- Restarting the service steps will differ from one environment to the other. The administrator should know how to restart a certain service in their environment.
Related Articles
Modify the RSA SecurID Access Prime Self-Service Portal (SSP) or Help Desk Admin Portal (HDAP) session timeout value Number of Views Unauthorized error when logging in to RSA Authentication Manager Help Desk Admin Portal (HDAP) or Self-Service Portal (SSP… Number of Views RSA Authentication Manager Prime Help Desk Admin Portal Unlock User option grayed out Number of Views RSA SecurID Help Desk Administration Portal logon fails in RSA Authentication Manager Prime Number of Views RSA Authentication Manager Prime Help Desk Admin (HDAP) and/or Self-Service Portal (SSP) not accessible after upgrade to R… Number of Views
Trending Articles
Passwordless Authentication in Windows MFA Agent for Active Directory – Quick Setup Guide RSA Authentication Manager 8.9 Release Notes (January 2026) RSA Authentication Manager Upgrade Process RSA Authentication Manager 8.7 SP2 Setup and Configuration Guide An example of SSO using SAML and ADFS with RSA Identity Management and Governance 6.9.x
Don't see what you're looking for?
