Unable to see scan server/ SSLHandshakeException: PKIX path building failed

Summary

This article provides instructions for resolving the SSLHandshakeException raised when the core server cannot access the HTTP invoker remote service on the scan server.

Symptoms

Could not access HTTP invoker remote service. nested exception is javax.net.ssl.SSLHandshakeException: sun.security.validator.ValidatorException: PKIX path building failed:

sun.security.provider.certpath.SunCertPathBuilderException: unable to find valid certification path to requested target

Caused by: javax.net.ssl.SSLHandshakeException: sun.security.validator.ValidatorException: PKIX path building failed: sun.security.provider.certpath.SunCertPathBuilderException: unable to find valid certification path to requested target

Cause

In versions of Palamida EE > 6.6.2, the core server communicates with the scan server over HTTP or HTTPS instead of RMI. If the scan server is set up to communicate over HTTPS, or if this is a standalone server, the certificate served by Tomcat on the scan server must be imported into the JDK of the core server so that the core server trusts it.

Resolution

On the scan server:

  1. Read the file tomcat/conf/server.xml and note the alias of the certificate served from the keystore on that server:

    keystoreFile="palamida.jks"
    keyAlias="palamida"
    keypass="<your keystore/key password>"

  2. Export the certificate from the keystore into a .crt file that can be imported into another keystore:

    $JAVA_HOME/bin/keytool -export -file palamida.crt -alias palamida -keystore palamida.jks

  3. Copy the palamida.crt file to a known location on the core server, such as /tmp.

On the core server:

  1. As a user with root privileges, navigate to the path defined as $JAVA_HOME and copy the palamida.crt file from the scan server into the jre/lib/security directory, back up the existing cacerts file, and import the certificate. For example, if $JAVA_HOME is /usr/bin/java/jdk1.7.0_79:

    cd /usr/bin/java/jdk1.7.0_79/jre/lib/security
    cp /tmp/palamida.crt .
    cp cacerts cacerts.original
    ../../bin/keytool -import -file palamida.crt -keystore cacerts -storepass changeit -alias palamida

    Type yes when prompted to trust the certificate.

  2. After making these changes, change to the user running the Palamida process and restart the Palamida core server.

    su - palamida
    cd $palamida/tomcat/bin
    ./shutdown.sh
    ./startup.sh
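
The import step asks you to type yes to trust the certificate, so it is worth confirming that the file copied to /tmp is the scan server's keystore entry and that it landed in cacerts. The script below is an added example, not part of the original article: it compares the SHA-256 fingerprints printed by keytool. The script name and function names are assumptions, and keytool is assumed to be on the PATH.

```shell
#!/bin/sh
# Added example: compare SHA-256 certificate fingerprints printed by keytool.

# Read keytool output on stdin and print the SHA-256 fingerprint as
# upper-case hex without colons. Prints nothing if no such line exists.
extract_sha256() {
    awk '/SHA-?256[):]/ { fp = toupper($NF); gsub(/:/, "", fp); print fp; exit }'
}

# Succeed only if both keytool outputs carry the same, well-formed SHA-256
# fingerprint. A missing or malformed value fails, so a parse error can
# never be mistaken for a match. Runs in a subshell to keep variables local.
fingerprints_match() (
    a=$(printf '%s\n' "$1" | extract_sha256)
    b=$(printf '%s\n' "$2" | extract_sha256)
    printf '%s\n' "$a" | grep -Eq '^[0-9A-F]{64}$' || exit 1
    [ "$a" = "$b" ]
)

# verify_import CRT_FILE KEYSTORE STOREPASS ALIAS
# Compare the certificate file with the entry stored under ALIAS.
verify_import() (
    file_out=$(keytool -printcert -file "$1") || exit 2
    store_out=$(keytool -list -v -alias "$4" -keystore "$2" -storepass "$3") || exit 2
    fingerprints_match "$file_out" "$store_out"
)

# Example call on the core server, using the paths from the steps above:
#   sh verify_import.sh /tmp/palamida.crt cacerts changeit palamida
if [ "$#" -eq 4 ]; then
    if verify_import "$@"; then
        echo "OK: certificate file and keystore entry have the same SHA-256 fingerprint"
    else
        echo "FAILED: fingerprints differ or could not be read" >&2
        exit 1
    fi
fi
```

On the scan server, `keytool -list -v -alias palamida -keystore palamida.jks` prints the same fingerprint lines, which gives the value to compare against before answering yes to the trust prompt.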

Last update: Jun 07, 2018 02:08 AM