AppDynamics Knowledge Base

How do I resolve SAAS java.security.cert.CertPathValidatorException errors?

Issue

The Java agent is unable to connect to the controller because of a certificate chaining error. This might be seen with IBM WebSphere.

Errors similar to the following:

[AD Thread Pool-Global0] 10 Jun 2015 20:12:52,848 WARN XMLConfigManager - Certificate chain validation failed com.ibm.jsse2.util.j: PKIX path building failed: java.security.cert.CertPathBuilderException: PKIXCertPathBuilderImpl could not build a valid CertPath.; internal cause is:
java.security.cert.CertPathValidatorException: The certificate issued by CN=DigiCert Global Root CA, OU=www.digicert.com, O=DigiCert Inc, C=US is not trusted; internal cause is:
java.security.cert.CertPathValidatorException: Certificate chaining error attempting validation.
[AD Thread Pool-Global0] 10 Jun 2015 20:12:52,849 ERROR ConfigurationChannel - Fatal transport error: com.ibm.jsse2.util.j: PKIX path building failed: java.security.cert.CertPathBuilderException: PKIXCertPathBuilderImpl could not build a valid CertPath.; internal cause is:
java.security.cert.CertPathValidatorException: The certificate issued by CN=DigiCert Global Root CA, OU=www.digicert.com, O=DigiCert Inc, C=US is not trusted; internal cause is:
java.security.cert.CertPathValidatorException: Certificate chaining error
[AD Thread Pool-Global0] 10 Jun 2015 20:12:52,849 WARN ConfigurationChannel - Could not connect to the controller/invalid response from controller, cannot get initialization information, controller host [stelo.saas.appdynamics.com], port[443], exception [Fatal transport error: com.ibm.jsse2.util.j: PKIX path building failed: java.security.cert.CertPathBuilderException: PKIXCertPathBuilderImpl could not build a valid CertPath.; internal cause is:
java.security.cert.CertPathValidatorException: The certificate issued by CN=DigiCert Global Root CA, OU=www.digicert.com, O=DigiCert Inc, C=US is not trusted; internal cause is:
java.security.cert.CertPathValidatorException: Certificate chaining error]

Solution

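The Java agent uses the IBM JVM's jre/lib/security/cacerts file to validate the controller's certificate. The errors above mean that the issuer at the top of the controller's certificate chain is not trusted by that file.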

There are two ways to solve this problem:
1.) Use keytool to import the root of your controller's certificate chain (the FTB CA's root cert) into jre/lib/security/cacerts.
2.) Start your application with the following JVM arguments: -Djavax.net.ssl.trustStore=/path/to/FTB_custom_trustStore.jks -Djavax.net.ssl.trustStorePassword=somepassword, and make sure FTB_custom_trustStore.jks contains the FTB Certificate Authority root cert.
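
Both options come down to the same keytool import, so the sketch below (an added example, not AppDynamics or IBM code) wraps it in a check that the certificate file's SHA-256 fingerprint matches a value obtained out of band before it becomes a trust anchor. The function names, the alias `controller-root`, the file `root.cer` and the `STOREPASS`/`EXPECTED_SHA256` variables are assumptions for illustration.

```bash
#!/usr/bin/env bash
# Added example: verify a root certificate's fingerprint, then trust it.
# All paths, aliases and passwords are supplied by the caller.

# Print the SHA-256 fingerprint keytool reports for a certificate file.
cert_fingerprint() {  # args: cert_file
  keytool -printcert -file "$1" 2>/dev/null | sed -n 's/^[[:space:]]*SHA256: //p'
}

# Succeed when the truststore already holds a certificate with this fingerprint.
store_has_fingerprint() {  # args: store storepass fingerprint
  keytool -list -v -keystore "$1" -storepass "$2" 2>/dev/null | grep -qF "$3"
}

# Import cert_file as a trusted CA only if its fingerprint matches the value
# obtained out of band (for example from the CA's own published root list).
import_root() {  # args: store storepass alias cert_file expected_sha256
  local actual expected
  expected=$(printf '%s' "$5" | tr '[:lower:]' '[:upper:]')
  actual=$(cert_fingerprint "$4")
  if [ -z "$actual" ] || [ "$actual" != "$expected" ]; then
    echo "refusing import: fingerprint of $4 is '${actual:-unreadable}'" >&2
    return 1
  fi
  if store_has_fingerprint "$1" "$2" "$expected"; then
    echo "already trusted in $1"
    return 0
  fi
  keytool -importcert -noprompt -trustcacerts -alias "$3" \
    -file "$4" -keystore "$1" -storepass "$2"
}

# Option 1: add the root to the JVM's own truststore.
#   import_root "$JAVA_HOME/jre/lib/security/cacerts" "$STOREPASS" \
#     controller-root /path/to/root.cer "$EXPECTED_SHA256"
# Option 2: build the custom truststore named by -Djavax.net.ssl.trustStore.
#   import_root /path/to/FTB_custom_trustStore.jks "$STOREPASS" \
#     controller-root /path/to/root.cer "$EXPECTED_SHA256"
```

With option 2 the custom truststore replaces the JVM default for the whole application, so it must contain every root the application needs, not only the controller's.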

Last update: 07-20-2015 02:32 PM