Knowledge Base

cancel
Showing results for 
Search instead for 
Did you mean: 

How do I resolve SAAS java.security.cert.CertPathValidatorException errors?

Issue

Java agent is unable to connect to the controller due to a certificate chaining error. This might be seen with IBM WebSphere. 

 

Errors similar to the following:

 

[AD Thread Pool-Global0] 10 Jun 2015 20:12:52,848 WARN XMLConfigManager - Certificate chain validation failed com.ibm.jsse2.util.j: PKIX path building failed: java.security.cert.CertPathBuilderException: PKIXCertPathBuilderImpl could not build a valid CertPath.; internal cause is: 
java.security.cert.CertPathValidatorException: The certificate issued by CN=DigiCert Global Root CA, OU=www.digicert.com<http://www.digicert.com>, O=DigiCert Inc, C=US is not trusted; internal cause is:
java.security.cert.CertPathValidatorException: Certificate chaining error attempting validation.
[AD Thread Pool-Global0] 10 Jun 2015 20:12:52,849 ERROR ConfigurationChannel - Fatal transport error: com.ibm.jsse2.util.j: PKIX path building failed: java.security.cert.CertPathBuilderException: PKIXCertPathBuilderImpl could not build a valid CertPath.; internal cause is:
java.security.cert.CertPathValidatorException: The certificate issued by CN=DigiCert Global Root CA, OU=www.digicert.com<http://www.digicert.com>, O=DigiCert Inc, C=US is not trusted; internal cause is:
java.security.cert.CertPathValidatorException: Certificate chaining error
[AD Thread Pool-Global0] 10 Jun 2015 20:12:52,849 WARN ConfigurationChannel - Could not connect to the controller/invalid response from controller, cannot get initialization information, controller host [stelo.saas.appdynamics.com<http://stelo.saas.appdynamics.com>], port[443], exception [Fatal transport error: com.ibm.jsse2.util.j: PKIX path building failed: java.security.cert.CertPathBuilderException: PKIXCertPathBuilderImpl could not build a valid CertPath.; internal cause is:
java.security.cert.CertPathValidatorException: The certificate issued by CN=DigiCert Global Root CA, OU=www.digicert.com<http://www.digicert.com>, O=DigiCert Inc, C=US is not trusted; internal cause is:
java.security.cert.CertPathValidatorException: Certificate chaining error]

 

Solution

 

The java agent is using the IBM JVM's jre/lib/security/cacerts file to validate the controller's certificate.

There are two ways to solve this problem:
1.) Use keytool to import the root of your controller's certificate chain, (the FTB CA's root cert), into jre/lib/security/cacerts
2.) Start your application with following JVM arguments: -Djavax.net.ssl.trustStore=/path/to/FTB_custom_trustStore.jks -Djavax.net.ssl.trustStorePassword=somepassword and make sure FTB_custom_trustStore.jks contains the FTB Certificate Authority root cert.

 

Version history
Revision #:
2 of 2
Last update:
‎11-27-2018 04:46 PM
Updated by:
 
Labels (1)
Contributors
0 Kudos