Created by Thaza Karath, last modified by John McMahon on Jun 05, 2023
Purpose (problem description)

When the error 'unable to find valid certification path to requested target' is seen, it normally indicates that either:

  • The certificate of the URL accessed is not present in the JRE/JDK. So import the certificate into JRE/JDK following the steps described in this page.
  • The incorrect JRE/JDK is being used.  See below for some pointers for this case

The error can be seen in the log.

The error stack is shown below - 

javax.net.ssl.SSLHandshakeException:sun.security.validator.ValidatorException: PKIX path building failed: sun.security.provider.certpath.SunCertPathBuilderException: unable to find valid certification path to requested target
at sun.security.ssl.Alerts.getSSLException(Alerts.java:192)
at sun.security.ssl.SSLSocketImpl.fatal(SSLSocketImpl.java:1946)
at sun.security.ssl.Handshaker.fatalSE(Handshaker.java:316)
at sun.security.ssl.Handshaker.fatalSE(Handshaker.java:310)
at sun.security.ssl.ClientHandshaker.serverCertificate(ClientHandshaker.java:1639)
at sun.security.ssl.ClientHandshaker.processMessage(ClientHandshaker.java:223)
at sun.security.ssl.Handshaker.processLoop(Handshaker.java:1037)
at sun.security.ssl.Handshaker.process_record(Handshaker.java:965)
at sun.security.ssl.SSLSocketImpl.readRecord(SSLSocketImpl.java:1064)
at sun.security.ssl.SSLSocketImpl.performInitialHandshake(SSLSocketImpl.java:1367)
at sun.security.ssl.SSLSocketImpl.startHandshake(SSLSocketImpl.java:1395)
at sun.security.ssl.SSLSocketImpl.startHandshake(SSLSocketImpl.java:1379)
at sun.net.www.protocol.https.HttpsClient.afterConnect(HttpsClient.java:559)
at sun.net.www.protocol.https.AbstractDelegateHttpsURLConnection.connect(AbstractDelegateHttpsURLConnection.java:185)
at sun.net.www.protocol.http.HttpURLConnection.getInputStream0(HttpURLConnection.java:1570)
at sun.net.www.protocol.http.HttpURLConnection.getInputStream(HttpURLConnection.java:1498)
at java.net.HttpURLConnection.getResponseCode(HttpURLConnection.java:480)
at sun.net.www.protocol.https.HttpsURLConnectionImpl.getResponseCode(HttpsURLConnectionImpl.java:352)

To find the  AIP Console and DMT Logs please refer CAST Management Studio - Information - How to find logs 

Observed in CAST AIP


Release
Yes/No
8.3.x (tick)
Observed on RDBMS
RDBMS
Yes/No
CSS (tick)
Step by Step scenario
  1. Encountered error in log.
Action Plan
  1. To resolve the issue that occurs because the certificate of the site is not imported into the JRE/JDK used, then follow the steps below to import the certificate:
    1. To import the certificate, please follow the below steps;
      1. In the Browser URL for CAST Extend or HTTPS Maven repository – Click on the lock symbol to view the drop-down menu like below and click on Certificate.
      2. The Certificate window opens. Now click on Details Tab and perform the Copy to File click
      3. The certificate wizard opens - 
      4. While exporting select the first option.​
      5. Provide a file path with file name and save with the extension type .CER 
      6. Click on Finish. 
      7. To import the certificate into your JRE/JDK  - be careful if you have mutiple Java installations that you are importing the certificate into the proper keystore.
        1. From an admin Command prompt, run the below command –
        2. CLI
          On Windows: <JRE home>\bin\keytool -importcert -trustcacerts -file <certificate file> -keystore <JRE_JDK home>\lib\security\cacerts -storepass <password>

On Linux: <JRE home>/bin/keytool -importcert -trustcacerts -file <certificate file> -keystore <JRE_JDK home>/lib/security/cacerts -storepass <password>
<...> placeholders must be replaced with appropriate values:
<certificate file>: the path to the file containing the CER-encoded certificate
<JRE_JDK home>: the path to the JRE_JDK on the delivery machine
<password>: the password for the JRE/JDK's CA certs key store
    2. Restart the AIP service associated with the keystore (Imaging, Node and Console, etc.)

      1. Things to Note - 

        1.) If the issue is occurring when trying to connect to the maven repository from Delivery Manager tool/AIP Console, you need to import the certificate into the JRE embedded in the CAST Installation.

        2.) If the issue is occurring when trying to connect to Cast Extend from AIP Console, we need to import the certificate into the JRE installed on the Node machine

  2. Check your JDK/JRE version and make sure it is one supported by CAST.  If you need to install a new version then (the steps below show specific details for console, but similar steps would need to be done on other CAST products):
    1. Install your JDK
    2. Update the JAVA_HOME environment variable to the newly install jdk
    3. Please stop and then uninstall the console and node service (running uninstall-service.bat)
      1. remove the Windows Service by running the following batch file depending on your deployment mode: 
        • %PROGRAMFILES%\CAST\AipConsole\AipNode\tools\aip-node-service-uninstall.bat
          %PROGRAMFILES%\CAST\AipConsole\AipConsole\tools\aip-console-service-uninstall.bat
    4. Now make sure that the console and node service bat files are pointing to the correct new jdk path (verify this by opening the install service bat file in notepad - see step E for paths if needed):
      1. Should be something like this:
    5. Install the console and node service
      1. manually install the Windows Service using the following batch files:

        1. %PROGRAMFILES%\CAST\AipConsole\AipNode\tools\aip-node-service-install.bat
          %PROGRAMFILES%\CAST\AipConsole\AipConsole\tools\aip-console-service-install.bat

    6. Import the certificate in to the new jdk keystore
    7. Try to reproduce

If the above steps do not solve your issue contact CAST Technical Support. with the following Relevant input

 

Relevant input

  • Log file showing the error
  • A detailed list of the steps done
  • Screenshots from part of AIP showing the issue 


Notes/comments

Ticket # 28606

Related Pages