- Revenera Community
- :
- Code Insight
- :
- Code Insight Knowledge Base
- :
- Unable to see scan server/ SSLHandshakeException: PKIX path building failed
- Mark as New
- Mark as Read
- Subscribe
- Printer Friendly Page
- Report Inappropriate Content
Unable to see scan server/ SSLHandshakeException: PKIX path building failed
Unable to see scan server/ SSLHandshakeException: PKIX path building failed
Summary
This article provides instructions for resolving HTTP invoker remote service SSLHandshakeException.Symptoms
Could not access HTTP invoker remote service. nested exception is javax.net.ssl.SSLHandshakeException: sun.security.validator.ValidatorException: PKIX path building failed:
sun.security.provider.certpath.SunCertPathBuilderException: unable to find valid certification path to requested target
Caused by: javax.net.ssl.SSLHandshakeException: sun.security.validator.ValidatorException: PKIX path building failed: sun.security.provider.certpath.SunCertPathBuilderException: unable to find valid certification path to requested target
In versions of Palamida EE > 6.6.2, the core server communicates with the scan server over http or https protocol instead of RMI. If the scan server is set up to communicate over https, or if this is a standalone server, then it will be necessary to import the certificate being served by Tomcat from the scan server to be imported into the JDK of the core server to be trusted.
Cause
Resolution
On the scan server:
-
Read the file tomcat/conf/server.xml to make note of the alias of the certificate served by the keystore on that server:
keystoreFile="palamida.jks" keyAlias="palamida" keypass="<your keystore/key password>"
-
Export the certificate from the keystore into a .crt file which can be used to import into another keystore:
$JAVA_HOME/bin/keytool -export -file palamida.crt -alias palamida -keystore palamida.jks
- Copy this palamida.crt file to the core server to a known location like /tmp
On the core server:
-
As a user with root privileges, navigate to the path defined as $JAVA_HOME and copy the palamida.crt file from the scan server to the jre/lib/security location. For example if $JAVA_HOME is /usr/bin/java/jdk1.7.0_79:
cd /usr/bin/java/jdk1.7.0_79/jre/lib/security cp /tmp/palamida.crt . cp cacerts cacerts.original ../../bin/keytool -import -file palamida.crt -keystore cacerts -storepass changeit -alias palamida
Type yes when prompted to trust the certificate.
-
After making these changes, change to the user running the Palamida process and restart the Palamida core server.
su - palamida cd $palamida/tomcat/bin ./shutdown.sh ./startup.sh