on 07-20-2015 02:32 PM - edited on 11-27-2018 04:46 PM by Nina.Wolinsky
The Java agent is unable to connect to the controller because of a certificate chaining error. This might be seen with IBM WebSphere.
Errors similar to the following are logged:
[AD Thread Pool-Global0] 10 Jun 2015 20:12:52,848 WARN XMLConfigManager - Certificate chain validation failed com.ibm.jsse2.util.j: PKIX path building failed: java.security.cert.CertPathBuilderException: PKIXCertPathBuilderImpl could not build a valid CertPath.; internal cause is:
java.security.cert.CertPathValidatorException: The certificate issued by CN=DigiCert Global Root CA, OU=www.digicert.com, O=DigiCert Inc, C=US is not trusted; internal cause is:
java.security.cert.CertPathValidatorException: Certificate chaining error attempting validation.
[AD Thread Pool-Global0] 10 Jun 2015 20:12:52,849 ERROR ConfigurationChannel - Fatal transport error: com.ibm.jsse2.util.j: PKIX path building failed: java.security.cert.CertPathBuilderException: PKIXCertPathBuilderImpl could not build a valid CertPath.; internal cause is:
java.security.cert.CertPathValidatorException: The certificate issued by CN=DigiCert Global Root CA, OU=www.digicert.com, O=DigiCert Inc, C=US is not trusted; internal cause is:
java.security.cert.CertPathValidatorException: Certificate chaining error
[AD Thread Pool-Global0] 10 Jun 2015 20:12:52,849 WARN ConfigurationChannel - Could not connect to the controller/invalid response from controller, cannot get initialization information, controller host [stelo.saas.appdynamics.com], port[443], exception [Fatal transport error: com.ibm.jsse2.util.j: PKIX path building failed: java.security.cert.CertPathBuilderException: PKIXCertPathBuilderImpl could not build a valid CertPath.; internal cause is:
java.security.cert.CertPathValidatorException: The certificate issued by CN=DigiCert Global Root CA, OU=www.digicert.com, O=DigiCert Inc, C=US is not trusted; internal cause is:
java.security.cert.CertPathValidatorException: Certificate chaining error]
The Java agent uses the IBM JVM's jre/lib/security/cacerts file to validate the controller's certificate. As the log shows, the issuer of the controller's certificate chain is not trusted by that file.
There are two ways to solve this problem:
1.) Use keytool to import the root of your controller's certificate chain (the FTB CA's root cert) into jre/lib/security/cacerts.
2.) Start your application with the following JVM arguments: -Djavax.net.ssl.trustStore=/path/to/FTB_custom_trustStore.jks -Djavax.net.ssl.trustStorePassword=somepassword and make sure FTB_custom_trustStore.jks contains the FTB Certificate Authority root cert.
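The triage and import steps behind option 1, as an added shell example (not AppDynamics' own code): it extracts the untrusted issuer from the log, checks whether a truststore already holds it, and imports the root only after displaying its fingerprints. The file names, the alias and the `Owner:` line format of the JDK `keytool` listing are assumptions.

```shell
#!/bin/sh
# Added example: names, paths and the alias are placeholders, not values from the article.

# Constructed sample: two lines in the format of the agent log shown above.
sample_log() {
cat <<'EOF'
java.security.cert.CertPathValidatorException: The certificate issued by CN=DigiCert Global Root CA, OU=www.digicert.com, O=DigiCert Inc, C=US is not trusted; internal cause is:
java.security.cert.CertPathValidatorException: Certificate chaining error
EOF
}

# Print each distinct issuer DN the JVM reported as untrusted.
# Reads the named log files, or stdin when none are given.
untrusted_issuers() {
  sed -n 's/.*The certificate issued by \(.*\) is not trusted.*/\1/p' "$@" | sort -u
}

# Succeed if the truststore ($1) already holds a certificate whose subject
# starts with the DN in $2. keytool prompts for the store password.
truststore_has() {
  keytool -list -v -keystore "$1" | grep -F -q "Owner: $2"
}

# Show the candidate root's subject and fingerprints ($1 = certificate file) so
# they can be compared with the CA's published values, then import it into the
# truststore ($2) under alias $3. keytool asks for the password and for
# confirmation before trusting the certificate.
import_root() {
  keytool -printcert -file "$1" || return 1
  keytool -importcert -trustcacerts -alias "$3" -file "$1" -keystore "$2" || return 1
  keytool -list -alias "$3" -keystore "$2"
}

# Typical sequence, run by hand against the JVM that hosts the agent:
#   untrusted_issuers agent.log
#   truststore_has "$JAVA_HOME/jre/lib/security/cacerts" "CN=DigiCert Global Root CA" \
#     || import_root root-ca.pem "$JAVA_HOME/jre/lib/security/cacerts" controller-root
```

The same functions work on a custom truststore for option 2. In that case `-Djavax.net.ssl.trustStore` replaces the JVM's default truststore for the whole process, so the custom store must hold every CA the application relies on, not only the controller's root.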