pclark
AppDynamics Team (Retired)

Issue

The Java agent is unable to connect to the controller due to a certificate chaining error. This might be seen with IBM WebSphere.

 

Errors similar to the following:

 

[AD Thread Pool-Global0] 10 Jun 2015 20:12:52,848 WARN XMLConfigManager - Certificate chain validation failed com.ibm.jsse2.util.j: PKIX path building failed: java.security.cert.CertPathBuilderException: PKIXCertPathBuilderImpl could not build a valid CertPath.; internal cause is: 
java.security.cert.CertPathValidatorException: The certificate issued by CN=DigiCert Global Root CA, OU=www.digicert.com, O=DigiCert Inc, C=US is not trusted; internal cause is:
java.security.cert.CertPathValidatorException: Certificate chaining error attempting validation.
[AD Thread Pool-Global0] 10 Jun 2015 20:12:52,849 ERROR ConfigurationChannel - Fatal transport error: com.ibm.jsse2.util.j: PKIX path building failed: java.security.cert.CertPathBuilderException: PKIXCertPathBuilderImpl could not build a valid CertPath.; internal cause is:
java.security.cert.CertPathValidatorException: The certificate issued by CN=DigiCert Global Root CA, OU=www.digicert.com, O=DigiCert Inc, C=US is not trusted; internal cause is:
java.security.cert.CertPathValidatorException: Certificate chaining error
[AD Thread Pool-Global0] 10 Jun 2015 20:12:52,849 WARN ConfigurationChannel - Could not connect to the controller/invalid response from controller, cannot get initialization information, controller host [stelo.saas.appdynamics.com], port[443], exception [Fatal transport error: com.ibm.jsse2.util.j: PKIX path building failed: java.security.cert.CertPathBuilderException: PKIXCertPathBuilderImpl could not build a valid CertPath.; internal cause is:
java.security.cert.CertPathValidatorException: The certificate issued by CN=DigiCert Global Root CA, OU=www.digicert.com, O=DigiCert Inc, C=US is not trusted; internal cause is:
java.security.cert.CertPathValidatorException: Certificate chaining error]

 

Solution

 

The Java agent uses the IBM JVM's jre/lib/security/cacerts file to validate the controller's certificate. The errors above mean that the root CA at the top of the controller's certificate chain is not in that truststore.

There are two ways to solve this problem:
1.) Use keytool to import the root of your controller's certificate chain (the FTB CA's root cert) into jre/lib/security/cacerts.
2.) Start your application with the following JVM arguments: -Djavax.net.ssl.trustStore=/path/to/FTB_custom_trustStore.jks -Djavax.net.ssl.trustStorePassword=somepassword and make sure FTB_custom_trustStore.jks contains the FTB Certificate Authority root cert.
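
Both fixes come down to getting the root certificate into the truststore the agent's JVM reads. The following is an added example, not AppDynamics code: shell helpers around keytool that import a root and confirm it is stored as a trusted entry. The function names and every path, alias and password passed to them are assumptions.

```shell
#!/usr/bin/env bash
# Added example. Function names, paths, aliases and passwords are assumptions.

# import_root_ca TRUSTSTORE STOREPASS ALIAS ROOT_CERT_FILE
# Adds ROOT_CERT_FILE (PEM or DER) to TRUSTSTORE as a trusted CA entry.
# Returns 2 if the file is unreadable, 3 if ALIAS already exists (so an
# existing trust anchor is never silently replaced), else keytool's status.
import_root_ca() {
    store=$1; pass=$2; ca_alias=$3; cert=$4
    [ -r "$cert" ] || { echo "cannot read $cert" >&2; return 2; }
    if [ -f "$store" ] && keytool -list -keystore "$store" -storepass "$pass" \
            -alias "$ca_alias" >/dev/null 2>&1; then
        echo "alias '$ca_alias' already exists in $store" >&2
        return 3
    fi
    # Show subject and fingerprints on stderr so they can be compared with
    # the values the CA publishes before the root is trusted.
    keytool -printcert -file "$cert" | grep -E 'Owner:|SHA' >&2 || true
    keytool -importcert -trustcacerts -noprompt -alias "$ca_alias" \
        -file "$cert" -keystore "$store" -storepass "$pass" >/dev/null
}

# truststore_has_ca TRUSTSTORE STOREPASS ALIAS
# Succeeds only if ALIAS exists and is a trustedCertEntry (a CA anchor),
# not a private-key entry that happens to share the alias.
truststore_has_ca() {
    keytool -list -keystore "$1" -storepass "$2" -alias "$3" 2>/dev/null \
        | grep -q 'trustedCertEntry'
}
```

For option 1, pass the JVM's jre/lib/security/cacerts path and its store password; for option 2, pass the custom truststore path. With option 2, -Djavax.net.ssl.trustStore replaces the JVM's default truststore for the whole process, so the custom file must hold every root the application needs.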

 

Version history
Last update:
‎11-27-2018 04:46 PM