Knowledge Base

cancel
Showing results for 
Search instead for 
Did you mean: 

Troubleshooting EUM certificate error

Symptoms

 

When trying to enable EUM for an application from the EUM configuration window, we get the following error:

 

EUM_Error.jpg

 

Diagnosis

 

After analyzing the server.log file on the Controller machine we can see the below exceptions while connecting to EUM:

 

Communication failure with service (https://agg.eum-appdynamics.com/v2/account/xxxxxxxxxxxxxxxxxxxx/license/terms): javax.net.ssl.SSLHandshakeException: sun.security.validator.ValidatorException: PKIX path building failed: sun.security.provider.certpath.SunCertPathBuilderException: unable to find valid certification path to requested target.

 

The above error occurs when the Controller trust store does not have the EUM client certificate, and the validation fails.

 

Solution

 

Follow the below steps to download the EUM certificate and import it to the Controller trust store:

 

1. Access the following URL in the browser: https://agg.eum-appdynamics.com/eumaggregator/get-version

  • For an on-premise EUM Server, access the below URL:
  • https://<EUMHost>:7002/eumaggregator/get-version
  • If you are using any alternate port for HTTPS, change the value accordingly.

 

2. Click on the lock icon on the URL bar to display the certificate details.

 

3. Export the certificate for the EUM Server and transfer it to the Controller host.

  • For exporting the certificate from the command line, run the following command to export the certificate into a file:
keytool -J-Dhttps.proxyHost=<proxy_host> -J-Dhttps.proxyPort=<proxy_port> -printcert -rfc -sslserver <eum_host>:<eum_ssl_port> 2>/dev/null > certs.pem

 

  • If you are not using a proxy server to connect from the controller to the EUM server, you can avoid the parameters for the proxy host and ports:
-J-Dhttps.proxyHost=<proxy_host> -J-Dhttps.proxyPort=<proxy_port>

 

  • The certs.pem file generated using this command may contain multiple certs presented by the server (server cert, proxy cert, etc).
  • Save individual certificate into a separate file like file1.pem, file2.pem, etc.
  • The individual certs will be enclosed as such:
-----BEGIN CERTIFICATE-----
.....
-----END CERTIFICATE-----

 

4. Navigate to the <AppDynamicsHome>/appserver/glassfish/domains/domain1/config directory. Use the following key tool command to import the certificate to the Controller trust store:

 

 

$JAVA_HOME/bin/keytool -import -trustcacerts -alias <alias> -file <certificate file> -keystore cacerts.jks

 

5. Run the above command for each of the certificates that you saved in the previous step.

 

6. Restart the app server.

 

Version history
Revision #:
6 of 6
Last update:
‎06-13-2018 11:19 AM
Updated by:
 
Labels (1)