on 07-11-2017 02:47 PM - edited on 06-08-2023 02:20 PM by Claudia.Landiva
Symptom | Troubleshooting and solution | More about this JVM flag
The following error message appears in the Agent logs:
[Thread-0] 22 Jun 2017 11:53:52,467 ERROR ConfigurationChannel - Exception: sun.security.validator.ValidatorException: PKIX path building failed: sun.security.provider.certpath.SunCertPathBuilderException: unable to find valid certification path to requested target
javax.net.ssl.SSLHandshakeException: sun.security.validator.ValidatorException: PKIX path building failed: sun.security.provider.certpath.SunCertPathBuilderException: unable to find valid certification path to requested target
-Dappdynamics.force.default.ssl.certificate.validation=false
appdynamics.force.default.ssl.certificate.validation=false
Setting this JVM flag to false means that only minimal certificate validation is done: the notBefore and notAfter dates are still checked.
If this property is set to true, full certificate chain validation is done.
There is no way to fully disable the validation of the notBefore and notAfter dates, as that would defeat the purpose of SSL.
When this property is set to false, the X509Certificate.checkValidity method is called, which validates the certificate start and expiry dates.
https://docs.oracle.com/javase/8/docs/api/java/security/cert/X509Certificate.html#checkValidity--
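The dates-only check described above, shown as an added example (not AppDynamics agent code): it runs X509Certificate.checkValidity against a CA certificate taken from the JVM's default trust store, with the current clock and with a clock shifted outside the validity window. The class and method names are hypothetical; note that a dates-only check does not examine the issuer, signature or hostname, which is what the full chain validation covers.

```java
import java.security.KeyStore;
import java.security.cert.CertificateException;
import java.security.cert.X509Certificate;
import java.util.Date;
import javax.net.ssl.TrustManager;
import javax.net.ssl.TrustManagerFactory;
import javax.net.ssl.X509TrustManager;

public class MinimalValidationDemo {
    // Hypothetical dates-only check: mirrors the behaviour the article describes
    // for validation=false. Issuer, signature and hostname are NOT examined.
    static String datesOnly(X509Certificate[] chain, Date jvmClock) {
        try {
            for (X509Certificate c : chain) {
                c.checkValidity(jvmClock); // requires notBefore <= jvmClock <= notAfter
            }
            return "accepted";
        } catch (CertificateException e) { // CertificateNotYetValid or CertificateExpired
            return e.getClass().getSimpleName() + ": " + e.getMessage();
        }
    }

    public static void main(String[] args) throws Exception {
        // Sample input: an in-date CA certificate from this JVM's default trust store.
        TrustManagerFactory tmf =
                TrustManagerFactory.getInstance(TrustManagerFactory.getDefaultAlgorithm());
        tmf.init((KeyStore) null);
        X509Certificate cert = null;
        Date now = new Date();
        for (TrustManager tm : tmf.getTrustManagers()) {
            if (!(tm instanceof X509TrustManager)) continue;
            for (X509Certificate c : ((X509TrustManager) tm).getAcceptedIssuers()) {
                if (!now.before(c.getNotBefore()) && !now.after(c.getNotAfter())) { cert = c; break; }
            }
        }
        if (cert == null) throw new IllegalStateException("no in-date certificate in trust store");

        long day = 24L * 60 * 60 * 1000;
        Date early = new Date(cert.getNotBefore().getTime() - day); // JVM clock set back
        Date late  = new Date(cert.getNotAfter().getTime() + day);  // JVM clock set ahead
        X509Certificate[] chain = { cert };

        System.out.println("subject:       " + cert.getSubjectX500Principal());
        System.out.println("clock correct: " + datesOnly(chain, now));
        System.out.println("clock early:   " + datesOnly(chain, early));
        System.out.println("clock late:    " + datesOnly(chain, late));
    }
}
```

The "clock early" case produces the same CertificateNotYetValidException with a "NotBefore:" message that the agent logs when the JVM date is earlier than the certificate's start date.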
How to enable SSL in controller and Java JBoss agent? I have read the above link but can't get it; as I write the command in the command prompt it shows cp is not recognized as internal and external command.
My controller is in Windows.
Hi,
We are using a custom agent to change the date of the JVM and are getting errors on the agent even if we set this.
-Dappdynamics.force.default.ssl.certificate.validation=false
We are looking to use a reverse proxy between our agent and the controller but it's not working yet. Is there any way to skip this validation test?
Error log:
[Thread-7] 01 Mar 2018 15:54:17,355 ERROR ConfigurationChannel - Exception: java.security.cert.CertificateNotYetValidException: NotBefore: Thu Mar 29 20:00:00 EDT 2018
javax.net.ssl.SSLHandshakeException: java.security.cert.CertificateNotYetValidException: NotBefore: Thu Mar 29 20:00:00 EDT 2018
    at sun.security.ssl.Alerts.getSSLException(Alerts.java:192)
    at sun.security.ssl.SSLSocketImpl.fatal(SSLSocketImpl.java:1964)
    at sun.security.ssl.Handshaker.fatalSE(Handshaker.java:328)
    at sun.security.ssl.Handshaker.fatalSE(Handshaker.java:322)
    at sun.security.ssl.ClientHandshaker.serverCertificate(ClientHandshaker.java:1614)
    at sun.security.ssl.ClientHandshaker.processMessage(ClientHandshaker.java:216)
    at sun.security.ssl.Handshaker.processLoop(Handshaker.java:1052)
    at sun.security.ssl.Handshaker.process_record(Handshaker.java:987)
    at sun.security.ssl.SSLSocketImpl.readRecord(SSLSocketImpl.java:1072)
    at sun.security.ssl.SSLSocketImpl.performInitialHandshake(SSLSocketImpl.java:1385)
    at sun.security.ssl.SSLSocketImpl.startHandshake(SSLSocketImpl.java:1413)
    at sun.security.ssl.SSLSocketImpl.startHandshake(SSLSocketImpl.java:1397)
    at com.singularity.ee.util.httpclient.c.createLayeredSocket(c.java:148)
    at com.singularity.ee.util.httpclient.c.connectSocket(c.java:193)
    at org.apache.http.impl.conn.HttpClientConnectionOperator.connect(HttpClientConnectionOperator.java:125)
    at org.apache.http.impl.conn.PoolingHttpClientConnectionManager.connect(PoolingHttpClientConnectionManager.java:319)
    at org.apache.http.impl.execchain.MainClientExec.establishRoute(MainClientExec.java:363)
    at org.apache.http.impl.execchain.MainClientExec.execute(MainClientExec.java:219)
    at org.apache.http.impl.execchain.ProtocolExec.execute(ProtocolExec.java:195)
    at org.apache.http.impl.execchain.RetryExec.execute(RetryExec.java:86)
    at org.apache.http.impl.execchain.RedirectExec.execute(RedirectExec.java:108)
    at org.apache.http.impl.client.InternalHttpClient.doExecute(InternalHttpClient.java:184)
    at org.apache.http.impl.client.CloseableHttpClient.execute(CloseableHttpClient.java:72)
    at com.singularity.ee.util.httpclient.n.a(n.java:290)
    at com.singularity.ee.util.httpclient.n.a(n.java:205)
    at com.singularity.ee.rest.f.G(f.java:384)
    at com.singularity.ee.rest.f.F(f.java:337)
    at com.singularity.ee.rest.controller.request.b.F(b.java:116)
    at com.singularity.ee.rest.controller.request.c.a(c.java:35)
    at com.singularity.ee.agent.appagent.kernel.config.xml.m.a(m.java:1424)
    at com.singularity.ee.agent.appagent.kernel.config.xml.m.a(m.java:117)
    at com.singularity.ee.agent.appagent.kernel.config.xml.t.a(t.java:699)
    at com.singularity.ee.agent.appagent.kernel.config.xml.m.a(m.java:478)
    at com.singularity.ee.agent.appagent.kernel.config.xml.D.run(D.java:635)
    at com.singularity.ee.agent.appagent.kernel.config.xml.e.initialize(e.java:300)
    at com.singularity.ee.agent.appagent.kernel.m.start(m.java:146)
    at com.singularity.ee.agent.appagent.kernel.JavaAgent.initialize(JavaAgent.java:511)
    at com.singularity.ee.agent.appagent.kernel.JavaAgent.initialize(JavaAgent.java:308)
    at sun.reflect.NativeMethodAccessorImpl.invoke0(Native Method)
    at sun.reflect.NativeMethodAccessorImpl.invoke(NativeMethodAccessorImpl.java:62)
    at sun.reflect.DelegatingMethodAccessorImpl.invoke(DelegatingMethodAccessorImpl.java:43)
    at java.lang.reflect.Method.invoke(Method.java:498)
    at com.singularity.ee.agent.appagent.AgentEntryPoint$1.run(AgentEntryPoint.java:647)
Caused by: java.security.cert.CertificateNotYetValidException: NotBefore: Thu Mar 29 20:00:00 EDT 2018
    at sun.security.x509.CertificateValidity.valid(CertificateValidity.java:270)
    at sun.security.x509.X509CertImpl.checkValidity(X509CertImpl.java:629)
    at sun.security.x509.X509CertImpl.checkValidity(X509CertImpl.java:602)
    at com.singularity.ee.util.httpclient.f.checkServerTrusted(f.java:243)
    at sun.security.ssl.AbstractTrustManagerWrapper.checkServerTrusted(SSLContextImpl.java:985)
    at sun.security.ssl.ClientHandshaker.serverCertificate(ClientHandshaker.java:1596)
    ... 38 more
Hi Philippe,
appdynamics.force.default.ssl.certificate.validation=false
This means that minimal certificate validation is done, which means that the notBefore and notAfter are still checked. If this property is set to true, full certification chain validation is done.
So there is no way to fully disable the validation of notBefore and notAfter dates as that defies the purpose of SSL.
When this property is set to false, the X509Certificate.checkValidity method is called, which would validate the certificate start and expiry dates.
https://docs.oracle.com/javase/8/docs/api/java/security/cert/X509Certificate.html#checkValidity--
Either the cert needs to be corrected or you need to connect on a non-SSL port.
I will ask the author of this article to explain the usage of this flag in full detail so that this confusion could be avoided further.
Regards,
Saradhi