Knowledge Base

How to disable SSL certification validation in communication between Agent and Controller

Problem:

The Java or Database Agent stops communicating, or cannot communicate, with the Controller.

 

The following error message is visible in the Agent logs:

 

[Thread-0] 22 Jun 2017 11:53:52,467 ERROR ConfigurationChannel - Exception: sun.security.validator.ValidatorException: PKIX path building failed: sun.security.provider.certpath.SunCertPathBuilderException: unable to find valid certification path to requested target
javax.net.ssl.SSLHandshakeException: sun.security.validator.ValidatorException: PKIX path building failed: sun.security.provider.certpath.SunCertPathBuilderException: unable to find valid certification path to requested target

 

Solution:

  1. Verify that the SSL certificate is installed and enabled by following the documentation: Enable SSL for Java Agent
  2. Alternatively, run the Java Agent with the following system property to resolve the issue:
    • -Dappdynamics.force.default.ssl.certificate.validation=false

 

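More information on this JVM flag:

appdynamics.force.default.ssl.certificate.validation=false

With the property set to false, only minimal certificate validation is done: the notBefore and notAfter dates are still checked, but full certificate chain validation is not performed. Since full chain validation is skipped in this mode, the date check alone does not establish that the certificate was issued by a trusted authority; installing the Controller's certificate as in step 1 keeps that check in place.

If this property is set to true, full certificate chain validation is done.

There is no way to fully disable the validation of the notBefore and notAfter dates, as that defies the purpose of SSL.

When this property is set to false, the X509Certificate.checkValidity method is called, which validates the certificate's start and expiry dates.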

 

https://docs.oracle.com/javase/8/docs/api/java/security/cert/X509Certificate.html#checkValidity--
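
The date check that stays active with the flag set to false can be reproduced outside the Agent. The following Java program is an added example, not AppDynamics code; the class name ValidityWindowCheck and the use of the first certificate in the JDK default trust store as sample input are assumptions made for illustration.

```java
import java.security.KeyStore;
import java.security.cert.CertificateExpiredException;
import java.security.cert.CertificateNotYetValidException;
import java.security.cert.X509Certificate;
import java.util.Date;
import javax.net.ssl.TrustManager;
import javax.net.ssl.TrustManagerFactory;
import javax.net.ssl.X509TrustManager;

public class ValidityWindowCheck {
    // Date-only check: X509Certificate.checkValidity evaluated at a chosen instant.
    static String dateCheck(X509Certificate cert, Date at) {
        try {
            cert.checkValidity(at);
            return "VALID";
        } catch (CertificateNotYetValidException e) {
            return "NOT_YET_VALID: " + e.getMessage();
        } catch (CertificateExpiredException e) {
            return "EXPIRED: " + e.getMessage();
        }
    }

    // Sample input that works offline: first CA certificate in the JDK default trust store.
    static X509Certificate sampleCertificate() throws Exception {
        TrustManagerFactory tmf =
            TrustManagerFactory.getInstance(TrustManagerFactory.getDefaultAlgorithm());
        tmf.init((KeyStore) null); // null selects the JDK default trust store
        for (TrustManager tm : tmf.getTrustManagers()) {
            if (tm instanceof X509TrustManager) {
                X509Certificate[] issuers = ((X509TrustManager) tm).getAcceptedIssuers();
                if (issuers.length > 0) return issuers[0];
            }
        }
        throw new IllegalStateException("default trust store is empty");
    }

    public static void main(String[] args) throws Exception {
        X509Certificate cert = sampleCertificate();
        long day = 24L * 60 * 60 * 1000;
        long start = cert.getNotBefore().getTime();
        long end = cert.getNotAfter().getTime();
        System.out.println("subject : " + cert.getSubjectX500Principal().getName());
        System.out.println("window  : " + cert.getNotBefore() + " to " + cert.getNotAfter());
        // A clock set before notBefore fails the date check regardless of chain trust.
        System.out.println("1 day early : " + dateCheck(cert, new Date(start - day)));
        System.out.println("in window   : " + dateCheck(cert, new Date(start + day)));
        System.out.println("1 day late  : " + dateCheck(cert, new Date(end + day)));
        System.out.println("JVM clock   : " + dateCheck(cert, new Date()));
    }
}
```

To examine a Controller certificate instead of the sample, load its exported file with CertificateFactory.getInstance("X.509") and pass the result to dateCheck.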

Last update: 06-08-2018 12:58 PM
Comments

How to enable SSL in the controller and the Java JBoss agent? I have read the above link but can't get it: when I write the command in the command prompt, it shows that cp is not recognized as an internal or external command.

My controller is on Windows.

Hi,

We are using a custom agent to change the date of the JVM and are getting errors on the agent even if we set this.

  • -Dappdynamics.force.default.ssl.certificate.validation=false

We are looking to use a reverse proxy between our agent and the controller but it's not working yet. Is there any way to skip this validation test?

Error log:

[Thread-7] 01 Mar 2018 15:54:17,355 ERROR ConfigurationChannel - Exception: java.security.cert.CertificateNotYetValidException: NotBefore: Thu Mar 29 20:00:00 EDT 2018
javax.net.ssl.SSLHandshakeException: java.security.cert.CertificateNotYetValidException: NotBefore: Thu Mar 29 20:00:00 EDT 2018
        at sun.security.ssl.Alerts.getSSLException(Alerts.java:192)
        at sun.security.ssl.SSLSocketImpl.fatal(SSLSocketImpl.java:1964)
        at sun.security.ssl.Handshaker.fatalSE(Handshaker.java:328)
        at sun.security.ssl.Handshaker.fatalSE(Handshaker.java:322)
        at sun.security.ssl.ClientHandshaker.serverCertificate(ClientHandshaker.java:1614)
        at sun.security.ssl.ClientHandshaker.processMessage(ClientHandshaker.java:216)
        at sun.security.ssl.Handshaker.processLoop(Handshaker.java:1052)
        at sun.security.ssl.Handshaker.process_record(Handshaker.java:987)
        at sun.security.ssl.SSLSocketImpl.readRecord(SSLSocketImpl.java:1072)
        at sun.security.ssl.SSLSocketImpl.performInitialHandshake(SSLSocketImpl.java:1385)
        at sun.security.ssl.SSLSocketImpl.startHandshake(SSLSocketImpl.java:1413)
        at sun.security.ssl.SSLSocketImpl.startHandshake(SSLSocketImpl.java:1397)
        at com.singularity.ee.util.httpclient.c.createLayeredSocket(c.java:148)
        at com.singularity.ee.util.httpclient.c.connectSocket(c.java:193)
        at org.apache.http.impl.conn.HttpClientConnectionOperator.connect(HttpClientConnectionOperator.java:125)
        at org.apache.http.impl.conn.PoolingHttpClientConnectionManager.connect(PoolingHttpClientConnectionManager.java:319)
        at org.apache.http.impl.execchain.MainClientExec.establishRoute(MainClientExec.java:363)
        at org.apache.http.impl.execchain.MainClientExec.execute(MainClientExec.java:219)
        at org.apache.http.impl.execchain.ProtocolExec.execute(ProtocolExec.java:195)
        at org.apache.http.impl.execchain.RetryExec.execute(RetryExec.java:86)
        at org.apache.http.impl.execchain.RedirectExec.execute(RedirectExec.java:108)
        at org.apache.http.impl.client.InternalHttpClient.doExecute(InternalHttpClient.java:184)
        at org.apache.http.impl.client.CloseableHttpClient.execute(CloseableHttpClient.java:72)
        at com.singularity.ee.util.httpclient.n.a(n.java:290)
        at com.singularity.ee.util.httpclient.n.a(n.java:205)
        at com.singularity.ee.rest.f.G(f.java:384)
        at com.singularity.ee.rest.f.F(f.java:337)
        at com.singularity.ee.rest.controller.request.b.F(b.java:116)
        at com.singularity.ee.rest.controller.request.c.a(c.java:35)
        at com.singularity.ee.agent.appagent.kernel.config.xml.m.a(m.java:1424)
        at com.singularity.ee.agent.appagent.kernel.config.xml.m.a(m.java:117)
        at com.singularity.ee.agent.appagent.kernel.config.xml.t.a(t.java:699)
        at com.singularity.ee.agent.appagent.kernel.config.xml.m.a(m.java:478)
        at com.singularity.ee.agent.appagent.kernel.config.xml.D.run(D.java:635)
        at com.singularity.ee.agent.appagent.kernel.config.xml.e.initialize(e.java:300)
        at com.singularity.ee.agent.appagent.kernel.m.start(m.java:146)
        at com.singularity.ee.agent.appagent.kernel.JavaAgent.initialize(JavaAgent.java:511)
        at com.singularity.ee.agent.appagent.kernel.JavaAgent.initialize(JavaAgent.java:308)
        at sun.reflect.NativeMethodAccessorImpl.invoke0(Native Method)
        at sun.reflect.NativeMethodAccessorImpl.invoke(NativeMethodAccessorImpl.java:62)
        at sun.reflect.DelegatingMethodAccessorImpl.invoke(DelegatingMethodAccessorImpl.java:43)
        at java.lang.reflect.Method.invoke(Method.java:498)
        at com.singularity.ee.agent.appagent.AgentEntryPoint$1.run(AgentEntryPoint.java:647)
Caused by: java.security.cert.CertificateNotYetValidException: NotBefore: Thu Mar 29 20:00:00 EDT 2018
        at sun.security.x509.CertificateValidity.valid(CertificateValidity.java:270)
        at sun.security.x509.X509CertImpl.checkValidity(X509CertImpl.java:629)
        at sun.security.x509.X509CertImpl.checkValidity(X509CertImpl.java:602)
        at com.singularity.ee.util.httpclient.f.checkServerTrusted(f.java:243)
        at sun.security.ssl.AbstractTrustManagerWrapper.checkServerTrusted(SSLContextImpl.java:985)
        at sun.security.ssl.ClientHandshaker.serverCertificate(ClientHandshaker.java:1596)
        ... 38 more

Hi Philippe,

appdynamics.force.default.ssl.certificate.validation=false

 

This means that minimal certificate validation is done, which means that the notBefore and notAfter are still checked. If this property is set to true, full certification chain validation is done.

So there is no way to fully disable the validation of notBefore and notAfter dates, as that defies the purpose of SSL.

When this property is set to false, the X509Certificate.checkValidity method is called, which would validate the certificate start and expiry dates.

https://docs.oracle.com/javase/8/docs/api/java/security/cert/X509Certificate.html#checkValidity--

Either the cert needs to be corrected or you need to connect on a non-SSL port.

I will ask the author of this article to explain the usage of this flag in full detail so that this confusion could be avoided further.

 

Regards,
Saradhi