com.iplanet.services.comm.client.SendRequestException: sun.security.validator.ValidatorException: PKIX path building failed:
I did with following steps but its throwing exception:
1.I have installed openam 10.0.0 on windows server 2003.
2.Configured tomcat with ssl on the same windows server machine.
3.It is configured correctly and openam url is accessible with https.
4.Installed openam client sdk on another machine which is ubuntu machine and from that ubuntu machin i am trying to login to openam server using
AuthContext lc = new AuthContext("/","https://server.ensarm.com:8443/openam/namingservice");
AuthContext.IndexType indexType = AuthContext.IndexType.MODULE_INSTANCE;
lc.login(indexType, "DataStore");
return lc;
But i am getting following exception:
ERROR: Naming service connection failed for https://server.ensarm.com:8443/openam/namingservice
com.iplanet.services.comm.client.SendRequestException: sun.security.validator.ValidatorException: PKIX path building failed: sun.security.provider.certpath.SunCertPathBuilderException: unable to find valid certification path to requested target
I didn't understand what could be the problem.Is it due to to my java keystore (needed for ssl configuration) is on windows server machine and i have no keystore on ubuntu machine,
OR
need to import keystore into ubuntu machine.?? Please can anyone help me to get out of this.
Answer
“javax.net.ssl.SSLHandshakeException: sun.security.validator.ValidatorException: PKIX path building failed:” It means the server does not have a valid certificate from an Authorized CA.
You are facing this exception because you are try to connect through SSL (https). You would need to import the server certificate into the JRE KeyStore.
Perform the following steps to resolve it:
Getting the certificate: Type the URL (e.g. https://server.ensarm.com:8443/openam/namingservice) in your browser.
- You will now probably see a dialog box warning you about the certificate. Now click on the 'View Certificate' and install the certificate. Ignore any warning messages.
- Next step would be to install export the certificate and installing it in the jre keystore. Use keytool certificate management utility to perform thishttp://download.oracle.com/javase/1.3/docs/tooldocs/win32/keytool.html .
- Exporting certificate: Go to Tools->'Internet Options' ->Content->Certificates. Once you open the certificates, locate the one you just installed under 'Trusted Root Certification Authorities". Select the right one and click on 'export'. You can now save it (DER encoded binary) as e.g. mycert.cer.
- Go to JRE\BIN and use the keytool -import command to import the file into your cacerts keystore. E.g. keytool --import -alias MYCA -keystore ..\lib\security\cacerts -file c:\mycert.cer. Enter keystore password: (by default it will be “changeit”).Input “yes” to the prompts.
- Run command keytool -list -keystore ..\lib\security\cacerts . You will now see a list of all the certificates including the one you just added.