Certificate Error Connecting to RRDI from CLM
Hi all,
I have created a report in RRDI. I go into our CM application, go to Reports -> Report Resources and click on the 'Create Resource From Custom Report' button.
The message 'Cannot reach the IBM Rational Reporting Server. Please check network connectivity and verify the server location is correct and the server is running.' is displayed in red at the top of the screen.
Checking the logs ... the jts.log contains the following types of error (I have taken the real hostname out and replaced with <hostname>) :
2013-06-27 10:30:34,071 [ http-bio-9443-exec-31692] ERROR com.ibm.team.reports.service.cognos - ; nested exception is:
javax.net.ssl.SSLHandshakeException: com.ibm.jsse2.util.h: PKIX path building failed: java.security.cert.CertPathBuilderException: PKIXCertPathBuilderImpl could not build a valid CertPath.; internal cause is:
java.security.cert.CertPathValidatorException: The certificate issued by CN=<hostname>, OU=Root Certificate, OU=ReportingCell, OU=RationalReportingNode01, O=IBM, C=US is not trusted; internal cause is:
java.security.cert.CertPathValidatorException: Certificate chaining error Connecting to https://<hostname>:59082/reporting
AxisFault
faultCode: {http://schemas.xmlsoap.org/soap/envelope/}Server.userException
faultSubcode:
faultString: javax.net.ssl.SSLHandshakeException: com.ibm.jsse2.util.h: PKIX path building failed: java.security.cert.CertPathBuilderException: PKIXCertPathBuilderImpl could not build a valid CertPath.; internal cause is:
java.security.cert.CertPathValidatorException: The certificate issued by CN=<hostname>, OU=Root Certificate, OU=ReportingCell, OU=RationalReportingNode01, O=IBM, C=US is not trusted; internal cause is:
java.security.cert.CertPathValidatorException: Certificate chaining error
faultActor:
faultNode:
faultDetail:
{http://xml.apache.org/axis/}stackTrace:javax.net.ssl.SSLHandshakeException: com.ibm.jsse2.util.h: PKIX path building failed: java.security.cert.CertPathBuilderException: PKIXCertPathBuilderImpl could not build a valid CertPath.; internal cause is:
java.security.cert.CertPathValidatorException: The certificate issued by CN=<hostname>, OU=Root Certificate, OU=ReportingCell, OU=RationalReportingNode01, O=IBM, C=US is not trusted; internal cause is:
java.security.cert.CertPathValidatorException: Certificate chaining error
at com.ibm.jsse2.o.a(o.java:25)
at com.ibm.jsse2.SSLSocketImpl.a(SSLSocketImpl.java:499)
at com.ibm.jsse2.kb.a(kb.java:483)
at com.ibm.jsse2.kb.a(kb.java:48)
at com.ibm.jsse2.lb.a(lb.java:426)
at com.ibm.jsse2.lb.a(lb.java:194)
at com.ibm.jsse2.kb.s(kb.java:93)
at com.ibm.jsse2.kb.a(kb.java:128)
at com.ibm.jsse2.SSLSocketImpl.a(SSLSocketImpl.java:516)
at com.ibm.jsse2.SSLSocketImpl.h(SSLSocketImpl.java:400)
at com.ibm.jsse2.SSLSocketImpl.a(SSLSocketImpl.java:787)
at com.ibm.jsse2.SSLSocketImpl.startHandshake(SSLSocketImpl.java:640)
at com.cognos.org.apache.axis.components.net.JSSESocketFactory.create(JSSESocketFactory.java:186)
at com.cognos.org.apache.axis.transport.http.HTTPSender.getSocket(HTTPSender.java:192)
at com.cognos.org.apache.axis.transport.http.HTTPSender.writeToSocket(HTTPSender.java:405)
at com.cognos.org.apache.axis.transport.http.HTTPSender.invoke(HTTPSender.java:139)
at com.cognos.org.apache.axis.strategies.InvocationStrategy.visit(InvocationStrategy.java:32)
at com.cognos.org.apache.axis.SimpleChain.doVisiting(SimpleChain.java:119)
at com.cognos.org.apache.axis.SimpleChain.invoke(SimpleChain.java:84)
at com.cognos.org.apache.axis.client.AxisClient.invoke(AxisClient.java:166)
at com.cognos.org.apache.axis.client.Call.invokeEngine(Call.java:2785)
at com.cognos.org.apache.axis.client.Call.invoke(Call.java:2768)
at com.cognos.org.apache.axis.client.Call.invoke(Call.java:2444)
at com.cognos.org.apache.axis.client.Call.invoke(Call.java:2367)
at com.cognos.org.apache.axis.client.Call.invoke(Call.java:1813)
at com.cognos.developer.schemas.bibus._3.ContentManagerServiceStub.queryMultiple(ContentManagerServiceStub.java:7043)
at com.ibm.team.reports.service.cognos.internal.CognosReportServiceHelper.getReports(CognosReportServiceHelper.java:341)
at com.ibm.team.reports.service.cognos.internal.CognosReportService.perform_GET(CognosReportService.java:161)
at com.ibm.team.repository.service.TeamRawService.service(TeamRawService.java:82)
at sun.reflect.NativeMethodAccessorImpl.invoke0(Native Method)
at sun.reflect.NativeMethodAccessorImpl.invoke(NativeMethodAccessorImpl.java:60)
at sun.reflect.DelegatingMethodAccessorImpl.invoke(DelegatingMethodAccessorImpl.java:37)
at java.lang.reflect.Method.invoke(Method.java:611)
at org.eclipse.soda.sat.core.internal.record.ExportProxyServiceRecord.invoke(ExportProxyServiceRecord.java:361)
at org.eclipse.soda.sat.core.internal.record.ExportProxyServiceRecord.access$0(ExportProxyServiceRecord.java:347)
at org.eclipse.soda.sat.core.internal.record.ExportProxyServiceRecord$ExportedServiceInvocationHandler.invoke(ExportProxyServiceRecord.java:56)
at $Proxy671.service(Unknown Source)
at com.ibm.team.repository.servlet.AbstractTeamServerServlet.doRestService(AbstractTeamServerServlet.java:914)
at com.ibm.team.repository.servlet.AbstractTeamServerServlet.handleRequest2(AbstractTeamServerServlet.java:2100)
at com.ibm.team.repository.servlet.AbstractTeamServerServlet.handleRequest(AbstractTeamServerServlet.java:1924)
at com.ibm.team.repository.servlet.AbstractTeamServerServlet.service(AbstractTeamServerServlet.java:1800)
at javax.servlet.http.HttpServlet.service(HttpServlet.java:722)
at org.eclipse.equinox.http.registry.internal.ServletManager$ServletWrapper.service(ServletManager.java:180)
at org.eclipse.equinox.http.servlet.internal.ServletRegistration.service(ServletRegistration.java:61)
at org.eclipse.equinox.http.servlet.internal.ProxyServlet.processAlias(ProxyServlet.java:126)
at org.eclipse.equinox.http.servlet.internal.ProxyServlet.service(ProxyServlet.java:76)
at javax.servlet.http.HttpServlet.service(HttpServlet.java:722)
at org.eclipse.equinox.servletbridge.BridgeServlet.service(BridgeServlet.java:120)
at com.ibm.team.repository.server.servletbridge.JazzServlet.service(JazzServlet.java:68)
at javax.servlet.http.HttpServlet.service(HttpServlet.java:722)
at org.apache.catalina.core.ApplicationFilterChain.internalDoFilter(ApplicationFilterChain.java:305)
at org.apache.catalina.core.ApplicationFilterChain.doFilter(ApplicationFilterChain.java:210)
at com.ibm.team.repository.server.servletbridge.BridgeFilter.processDelegate(BridgeFilter.java:133)
at com.ibm.team.repository.server.servletbridge.BridgeFilter.doFilter(BridgeFilter.java:154)
at org.apache.catalina.core.ApplicationFilterChain.internalDoFilter(ApplicationFilterChain.java:243)
at org.apache.catalina.core.ApplicationFilterChain.doFilter(ApplicationFilterChain.java:210)
at org.apache.catalina.core.StandardWrapperValve.invoke(StandardWrapperValve.java:222)
at org.apache.catalina.core.StandardContextValve.invoke(StandardContextValve.java:123)
at org.apache.catalina.authenticator.AuthenticatorBase.invoke(AuthenticatorBase.java:581)
at org.apache.catalina.core.StandardHostValve.invoke(StandardHostValve.java:168)
at org.apache.catalina.valves.ErrorReportValve.invoke(ErrorReportValve.java:99)
at org.apache.catalina.authenticator.SingleSignOn.invoke(SingleSignOn.java:336)
at org.apache.catalina.core.StandardEngineValve.invoke(StandardEngineValve.java:118)
at org.apache.catalina.connector.CoyoteAdapter.service(CoyoteAdapter.java:407)
at org.apache.coyote.http11.AbstractHttp11Processor.process(AbstractHttp11Processor.java:1002)
at org.apache.coyote.AbstractProtocol$AbstractConnectionHandler.process(AbstractProtocol.java:585)
at org.apache.tomcat.util.net.JIoEndpoint$SocketProcessor.run(JIoEndpoint.java:312)
at java.util.concurrent.ThreadPoolExecutor$Worker.runTask(ThreadPoolExecutor.java:897)
at java.util.concurrent.ThreadPoolExecutor$Worker.run(ThreadPoolExecutor.java:919)
at java.lang.Thread.run(Thread.java:738)
As you can see we're using https to access RRDI.
I have checked the URL that the applications use to access RRDI and I have checked the value of 'Trusted URIs for client authorization and redirection' in the advanced properties of the JTS and admin page. Both are correct.
Does anyone have any suggestion as to what the problem may be?
Many Thanks,
Robin
I have created a report in RRDI. I go into our CM application, go to Reports -> Report Resources and click on the 'Create Resource From Custom Report' button.
The message 'Cannot reach the IBM Rational Reporting Server. Please check network connectivity and verify the server location is correct and the server is running.' is displayed in red at the top of the screen.
Checking the logs ... the jts.log contains the following types of error (I have taken the real hostname out and replaced with <hostname>) :
2013-06-27 10:30:34,071 [ http-bio-9443-exec-31692] ERROR com.ibm.team.reports.service.cognos - ; nested exception is:
javax.net.ssl.SSLHandshakeException: com.ibm.jsse2.util.h: PKIX path building failed: java.security.cert.CertPathBuilderException: PKIXCertPathBuilderImpl could not build a valid CertPath.; internal cause is:
java.security.cert.CertPathValidatorException: The certificate issued by CN=<hostname>, OU=Root Certificate, OU=ReportingCell, OU=RationalReportingNode01, O=IBM, C=US is not trusted; internal cause is:
java.security.cert.CertPathValidatorException: Certificate chaining error Connecting to https://<hostname>:59082/reporting
AxisFault
faultCode: {http://schemas.xmlsoap.org/soap/envelope/}Server.userException
faultSubcode:
faultString: javax.net.ssl.SSLHandshakeException: com.ibm.jsse2.util.h: PKIX path building failed: java.security.cert.CertPathBuilderException: PKIXCertPathBuilderImpl could not build a valid CertPath.; internal cause is:
java.security.cert.CertPathValidatorException: The certificate issued by CN=<hostname>, OU=Root Certificate, OU=ReportingCell, OU=RationalReportingNode01, O=IBM, C=US is not trusted; internal cause is:
java.security.cert.CertPathValidatorException: Certificate chaining error
faultActor:
faultNode:
faultDetail:
{http://xml.apache.org/axis/}stackTrace:javax.net.ssl.SSLHandshakeException: com.ibm.jsse2.util.h: PKIX path building failed: java.security.cert.CertPathBuilderException: PKIXCertPathBuilderImpl could not build a valid CertPath.; internal cause is:
java.security.cert.CertPathValidatorException: The certificate issued by CN=<hostname>, OU=Root Certificate, OU=ReportingCell, OU=RationalReportingNode01, O=IBM, C=US is not trusted; internal cause is:
java.security.cert.CertPathValidatorException: Certificate chaining error
at com.ibm.jsse2.o.a(o.java:25)
at com.ibm.jsse2.SSLSocketImpl.a(SSLSocketImpl.java:499)
at com.ibm.jsse2.kb.a(kb.java:483)
at com.ibm.jsse2.kb.a(kb.java:48)
at com.ibm.jsse2.lb.a(lb.java:426)
at com.ibm.jsse2.lb.a(lb.java:194)
at com.ibm.jsse2.kb.s(kb.java:93)
at com.ibm.jsse2.kb.a(kb.java:128)
at com.ibm.jsse2.SSLSocketImpl.a(SSLSocketImpl.java:516)
at com.ibm.jsse2.SSLSocketImpl.h(SSLSocketImpl.java:400)
at com.ibm.jsse2.SSLSocketImpl.a(SSLSocketImpl.java:787)
at com.ibm.jsse2.SSLSocketImpl.startHandshake(SSLSocketImpl.java:640)
at com.cognos.org.apache.axis.components.net.JSSESocketFactory.create(JSSESocketFactory.java:186)
at com.cognos.org.apache.axis.transport.http.HTTPSender.getSocket(HTTPSender.java:192)
at com.cognos.org.apache.axis.transport.http.HTTPSender.writeToSocket(HTTPSender.java:405)
at com.cognos.org.apache.axis.transport.http.HTTPSender.invoke(HTTPSender.java:139)
at com.cognos.org.apache.axis.strategies.InvocationStrategy.visit(InvocationStrategy.java:32)
at com.cognos.org.apache.axis.SimpleChain.doVisiting(SimpleChain.java:119)
at com.cognos.org.apache.axis.SimpleChain.invoke(SimpleChain.java:84)
at com.cognos.org.apache.axis.client.AxisClient.invoke(AxisClient.java:166)
at com.cognos.org.apache.axis.client.Call.invokeEngine(Call.java:2785)
at com.cognos.org.apache.axis.client.Call.invoke(Call.java:2768)
at com.cognos.org.apache.axis.client.Call.invoke(Call.java:2444)
at com.cognos.org.apache.axis.client.Call.invoke(Call.java:2367)
at com.cognos.org.apache.axis.client.Call.invoke(Call.java:1813)
at com.cognos.developer.schemas.bibus._3.ContentManagerServiceStub.queryMultiple(ContentManagerServiceStub.java:7043)
at com.ibm.team.reports.service.cognos.internal.CognosReportServiceHelper.getReports(CognosReportServiceHelper.java:341)
at com.ibm.team.reports.service.cognos.internal.CognosReportService.perform_GET(CognosReportService.java:161)
at com.ibm.team.repository.service.TeamRawService.service(TeamRawService.java:82)
at sun.reflect.NativeMethodAccessorImpl.invoke0(Native Method)
at sun.reflect.NativeMethodAccessorImpl.invoke(NativeMethodAccessorImpl.java:60)
at sun.reflect.DelegatingMethodAccessorImpl.invoke(DelegatingMethodAccessorImpl.java:37)
at java.lang.reflect.Method.invoke(Method.java:611)
at org.eclipse.soda.sat.core.internal.record.ExportProxyServiceRecord.invoke(ExportProxyServiceRecord.java:361)
at org.eclipse.soda.sat.core.internal.record.ExportProxyServiceRecord.access$0(ExportProxyServiceRecord.java:347)
at org.eclipse.soda.sat.core.internal.record.ExportProxyServiceRecord$ExportedServiceInvocationHandler.invoke(ExportProxyServiceRecord.java:56)
at $Proxy671.service(Unknown Source)
at com.ibm.team.repository.servlet.AbstractTeamServerServlet.doRestService(AbstractTeamServerServlet.java:914)
at com.ibm.team.repository.servlet.AbstractTeamServerServlet.handleRequest2(AbstractTeamServerServlet.java:2100)
at com.ibm.team.repository.servlet.AbstractTeamServerServlet.handleRequest(AbstractTeamServerServlet.java:1924)
at com.ibm.team.repository.servlet.AbstractTeamServerServlet.service(AbstractTeamServerServlet.java:1800)
at javax.servlet.http.HttpServlet.service(HttpServlet.java:722)
at org.eclipse.equinox.http.registry.internal.ServletManager$ServletWrapper.service(ServletManager.java:180)
at org.eclipse.equinox.http.servlet.internal.ServletRegistration.service(ServletRegistration.java:61)
at org.eclipse.equinox.http.servlet.internal.ProxyServlet.processAlias(ProxyServlet.java:126)
at org.eclipse.equinox.http.servlet.internal.ProxyServlet.service(ProxyServlet.java:76)
at javax.servlet.http.HttpServlet.service(HttpServlet.java:722)
at org.eclipse.equinox.servletbridge.BridgeServlet.service(BridgeServlet.java:120)
at com.ibm.team.repository.server.servletbridge.JazzServlet.service(JazzServlet.java:68)
at javax.servlet.http.HttpServlet.service(HttpServlet.java:722)
at org.apache.catalina.core.ApplicationFilterChain.internalDoFilter(ApplicationFilterChain.java:305)
at org.apache.catalina.core.ApplicationFilterChain.doFilter(ApplicationFilterChain.java:210)
at com.ibm.team.repository.server.servletbridge.BridgeFilter.processDelegate(BridgeFilter.java:133)
at com.ibm.team.repository.server.servletbridge.BridgeFilter.doFilter(BridgeFilter.java:154)
at org.apache.catalina.core.ApplicationFilterChain.internalDoFilter(ApplicationFilterChain.java:243)
at org.apache.catalina.core.ApplicationFilterChain.doFilter(ApplicationFilterChain.java:210)
at org.apache.catalina.core.StandardWrapperValve.invoke(StandardWrapperValve.java:222)
at org.apache.catalina.core.StandardContextValve.invoke(StandardContextValve.java:123)
at org.apache.catalina.authenticator.AuthenticatorBase.invoke(AuthenticatorBase.java:581)
at org.apache.catalina.core.StandardHostValve.invoke(StandardHostValve.java:168)
at org.apache.catalina.valves.ErrorReportValve.invoke(ErrorReportValve.java:99)
at org.apache.catalina.authenticator.SingleSignOn.invoke(SingleSignOn.java:336)
at org.apache.catalina.core.StandardEngineValve.invoke(StandardEngineValve.java:118)
at org.apache.catalina.connector.CoyoteAdapter.service(CoyoteAdapter.java:407)
at org.apache.coyote.http11.AbstractHttp11Processor.process(AbstractHttp11Processor.java:1002)
at org.apache.coyote.AbstractProtocol$AbstractConnectionHandler.process(AbstractProtocol.java:585)
at org.apache.tomcat.util.net.JIoEndpoint$SocketProcessor.run(JIoEndpoint.java:312)
at java.util.concurrent.ThreadPoolExecutor$Worker.runTask(ThreadPoolExecutor.java:897)
at java.util.concurrent.ThreadPoolExecutor$Worker.run(ThreadPoolExecutor.java:919)
at java.lang.Thread.run(Thread.java:738)
As you can see we're using https to access RRDI.
I have checked the URL that the applications use to access RRDI and I have checked the value of 'Trusted URIs for client authorization and redirection' in the advanced properties of the JTS and admin page. Both are correct.
Does anyone have any suggestion as to what the problem may be?
Many Thanks,
Robin
Accepted answer
Hi Robin - Though you are using RRDI 2.0.1, you should be able to follow the steps in this Info Center help topic (and the related sub-topics) to enable SSL for the RRDI Report Server.
http://pic.dhe.ibm.com/infocenter/clmhelp/v4r0m3/topic/com.ibm.rational.rrdi.admin.doc/topics/t_general_was_ssl.html
Regards,
Ali
http://pic.dhe.ibm.com/infocenter/clmhelp/v4r0m3/topic/com.ibm.rational.rrdi.admin.doc/topics/t_general_was_ssl.html
Regards,
Ali
Comments
Hi Ali,
I have followed those steps already, from the 4.0.2 help section and can access RRDI using https just fine to create the reports. Only the access from the CLM server while trying to import the reports as report resources fails ...
Many Thanks,
Robin
Hi Robin - Did you look at the the steps in this sub-section (http://pic.dhe.ibm.com/infocenter/clmhelp/v4r0m3/topic/com.ibm.rational.rrdi.admin.doc/topics/t_int_ssl_reportsrv_jazz.html). Note: If you are running Tomcat - follow step c. or step d. for WebSphere.
Regards,
Ali
Difficult to choose an accepted answer as I think you were all correct! I chose this one as it was directing me to the very page I needed and I am indeed running my CLM on Tomcat - which I had failed to mention!
Thanks all who answered for pointing me in the right direction. I'll not get to restart the JTS until the weekend at the earliest so hopefully it'll all work next week!!
2 other answers
Hi Robin, as far as I know an alert always comes for self-signed certificates and to me it looks like the CLM server certificate has not been imported in the RRDI server trust store or the problem lies on that area.
Comments
Hi Indradri,
I can log into RRDI using credentials from the CLM user database - wouldn't this imply that the RRDI server can access the CLm server ok?
I don't remember importing any certificates from the CLm server into the RRDI server.... can you point me to the help section for that?
Thanks,
Robin
Comments
Robin Parker
Jun 27 '13, 5:46 a.m.Sorry, left out important information:
We're running CLM 4.0.2 and RRDI 2.0.1 using Websphere 8.0 and all of this is running on RHEL 5.x
Thanks.