Adding RRDI certificate to Tomcat (enable HTTPS on RRDI)


Simo Suurla (681424) | asked Aug 29 '13, 3:02 a.m.
retagged Aug 29 '13, 10:57 a.m. by Ralph Earle (25739)
I am working on enabling HTTPS on RRDI, but I am having several issues and I am back on HTTP now.

I have Entrust certificates on the Jazz Team Server and also in WebSphere, where RRDI is installed. But I think I'm missing something, because I'm getting an error in JTS.LOG that the Entrust certificate is not trusted. There are also the same kind of errors on RRDI in WebSphere, saying that the Entrust certificate is not trusted. When I use a browser and browse to the CLM and RRDI addresses, the certificates are trusted by the browsers.

The error in JTS.LOG is:
2013-08-28 21:29:00,093 [http-bio-9443-exec-1742 @@ 21:28 simos /jts/service/com.ibm.team.reports.service.cognos.internal.ICognosReportService/] ERROR com.ibm.team.reports.service.cognos                 - ; nested exception is: 
javax.net.ssl.SSLHandshakeException: com.ibm.jsse2.util.j: PKIX path building failed: java.security.cert.CertPathBuilderException: PKIXCertPathBuilderImpl could not build a valid CertPath.; internal cause is: 
java.security.cert.CertPathValidatorException: The certificate issued by CN=Entrust Certification Authority - L1C, OU="(c) 2009 Entrust, Inc.", OU=www.entrust.net/rpa is incorporated by reference, O="Entrust, Inc.", C=US is not trusted; internal cause is: 
java.security.cert.CertPathValidatorException: Certificate chaining error Connecting to https://jazzraportointi.kela.fi:9083/reporting
AxisFault
 faultCode: {http://schemas.xmlsoap.org/soap/envelope/}Server.userException
 faultSubcode: 
 faultString: javax.net.ssl.SSLHandshakeException: com.ibm.jsse2.util.j: PKIX path building failed: java.security.cert.CertPathBuilderException: PKIXCertPathBuilderImpl could not build a valid CertPath.; internal cause is: 
java.security.cert.CertPathValidatorException: The certificate issued by CN=Entrust Certification Authority - L1C, OU="(c) 2009 Entrust, Inc.", OU=www.entrust.net/rpa is incorporated by reference, O="Entrust, Inc.", C=US is not trusted; internal cause is: 
java.security.cert.CertPathValidatorException: Certificate chaining error
 faultActor: 
 faultNode: 
 faultDetail: 
{http://xml.apache.org/axis/}stackTrace:javax.net.ssl.SSLHandshakeException: com.ibm.jsse2.util.j: PKIX path building failed: java.security.cert.CertPathBuilderException: PKIXCertPathBuilderImpl could not build a valid CertPath.; internal cause is: 
java.security.cert.CertPathValidatorException: The certificate issued by CN=Entrust Certification Authority - L1C, OU="(c) 2009 Entrust, Inc.", OU=www.entrust.net/rpa is incorporated by reference, O="Entrust, Inc.", C=US is not trusted; internal cause is: 
java.security.cert.CertPathValidatorException: Certificate chaining error
at com.ibm.jsse2.o.a(o.java:9)
at com.ibm.jsse2.SSLSocketImpl.a(SSLSocketImpl.java:567)
at com.ibm.jsse2.kb.a(kb.java:287)
at com.ibm.jsse2.kb.a(kb.java:481)
at com.ibm.jsse2.lb.a(lb.java:456)
at com.ibm.jsse2.lb.a(lb.java:578)
.........
Caused by: com.ibm.jsse2.util.j: PKIX path building failed: java.security.cert.CertPathBuilderException: PKIXCertPathBuilderImpl could not build a valid CertPath.; internal cause is: 
java.security.cert.CertPathValidatorException: The certificate issued by CN=Entrust Certification Authority - L1C, OU="(c) 2009 Entrust, Inc.", OU=www.entrust.net/rpa is incorporated by reference, O="Entrust, Inc.", C=US is not trusted; internal cause is: 
java.security.cert.CertPathValidatorException: Certificate chaining error
at com.ibm.jsse2.util.h.b(h.java:116)
at com.ibm.jsse2.util.h.b(h.java:91)
at com.ibm.jsse2.util.g.a(g.java:22)
at com.ibm.jsse2.pc.a(pc.java:98)
at com.ibm.jsse2.pc.checkServerTrusted(pc.java:31)
at com.ibm.jsse2.pc.b(pc.java:11)
at com.ibm.jsse2.lb.a(lb.java:540)
... 66 more
Caused by: java.security.cert.CertPathBuilderException: PKIXCertPathBuilderImpl could not build a valid CertPath.; internal cause is: 
java.security.cert.CertPathValidatorException: The certificate issued by CN=Entrust Certification Authority - L1C, OU="(c) 2009 Entrust, Inc.", OU=www.entrust.net/rpa is incorporated by reference, O="Entrust, Inc.", C=US is not trusted; internal cause is: 
java.security.cert.CertPathValidatorException: Certificate chaining error
at com.ibm.security.cert.PKIXCertPathBuilderImpl.engineBuild(PKIXCertPathBuilderImpl.java:411)
at java.security.cert.CertPathBuilder.build(CertPathBuilder.java:258)
at com.ibm.jsse2.util.h.b(h.java:121)
... 72 more
Caused by: java.security.cert.CertPathValidatorException: The certificate issued by CN=Entrust Certification Authority - L1C, OU="(c) 2009 Entrust, Inc.", OU=www.entrust.net/rpa is incorporated by reference, O="Entrust, Inc.", C=US is not trusted; internal cause is: 
java.security.cert.CertPathValidatorException: Certificate chaining error
at com.ibm.security.cert.BasicChecker.<init>(BasicChecker.java:111)
at com.ibm.security.cert.PKIXCertPathValidatorImpl.engineValidate(PKIXCertPathValidatorImpl.java:178)
at com.ibm.security.cert.PKIXCertPathBuilderImpl.myValidator(PKIXCertPathBuilderImpl.java:737)
at com.ibm.security.cert.PKIXCertPathBuilderImpl.buildCertPath(PKIXCertPathBuilderImpl.java:649)
at com.ibm.security.cert.PKIXCertPathBuilderImpl.engineBuild(PKIXCertPathBuilderImpl.java:357)
... 74 more
Caused by: java.security.cert.CertPathValidatorException: Certificate chaining error
at com.ibm.security.cert.CertPathUtil.findIssuer(CertPathUtil.java:298)
at com.ibm.security.cert.BasicChecker.<init>(BasicChecker.java:108)
... 78 more

2 answers



Kot T. (1.5k11219) | answered Aug 29 '13, 8:36 a.m.
JAZZ DEVELOPER

Hi Simo,

I assume you followed the steps in the infoCenter link below to enable SSL for your report server.

http://pic.dhe.ibm.com/infocenter/clmhelp/v4r0/index.jsp?topic=%2Fcom.ibm.rational.rrdi.admin.doc%2Ftopics%2Ft_general_was_ssl.html

The error "CertPathValidatorException: Certificate chaining error" indicates you might not have all the certificates in your keystore. See the following technote:

http://www-01.ibm.com/support/docview.wss?uid=swg21369939
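
The trace in the question repeats one useful fact many times: the issuer DN for which the JVM found no trusted certificate, and the endpoint it was connecting to. As an added example (not part of the original thread or of any IBM tooling), this Python script extracts both from a JSSE trace so you know which CA certificate to look for in the calling JVM's truststore; the sample log is constructed, the host name is a placeholder, and the function names are hypothetical.

```python
import re
from collections import Counter

ISSUER_RE = re.compile(r"The certificate issued by (.+?) is not trusted")
URL_RE = re.compile(r"Connecting to (https://\S+)")

# Constructed sample in the format of the trace in the question: the issuer DN
# is copied from that trace, the host name is a placeholder.
DN = ('CN=Entrust Certification Authority - L1C, OU="(c) 2009 Entrust, Inc.", '
      'OU=www.entrust.net/rpa is incorporated by reference, O="Entrust, Inc.", C=US')
SAMPLE_LOG = (
    f"CertPathValidatorException: The certificate issued by {DN} is not trusted; "
    "internal cause is: \n"
    "CertPathValidatorException: Certificate chaining error "
    "Connecting to https://rrdi.example.test:9083/reporting\n"
    f"Caused by: CertPathValidatorException: The certificate issued by {DN} "
    "is not trusted; internal cause is: \n"
)

def split_dn(dn):
    """Split a DN into (attribute, value) pairs; commas inside quotes stay in the value."""
    parts, buf, quoted = [], [], False
    for ch in dn:
        if ch == '"':
            quoted = not quoted
        if ch == "," and not quoted:
            parts.append("".join(buf))
            buf = []
        else:
            buf.append(ch)
    parts.append("".join(buf))
    pairs = []
    for part in parts:
        attr, _, value = part.strip().partition("=")
        pairs.append((attr, value.strip('"')))
    return pairs

def untrusted_issuers(log_text):
    """Return (Counter of untrusted issuer DNs, sorted HTTPS endpoints in the trace)."""
    issuers = Counter(m.group(1) for m in ISSUER_RE.finditer(log_text))
    return issuers, sorted(set(URL_RE.findall(log_text)))

def report(log_text):
    """One line per distinct issuer: the CA certificate to look for in the truststore."""
    issuers, endpoints = untrusted_issuers(log_text)
    lines = []
    for dn, count in issuers.most_common():
        cn = next((v for a, v in split_dn(dn) if a == "CN"), dn)
        lines.append(f"{cn}: reported {count}x for {', '.join(endpoints) or 'unknown endpoint'}")
    return lines

if __name__ == "__main__":
    print("\n".join(report(SAMPLE_LOG)))
```

The DN splitter handles quoted values such as `O="Entrust, Inc."` but not backslash-escaped commas, which do not occur in this trace.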


Comments
Simo Suurla commented Aug 30 '13, 2:32 a.m.

Thank you for your answer! I have followed those steps, but I'm not sure exactly which certificate (file) I have to import in steps x, xi, xii on this http://pic.dhe.ibm.com/infocenter/clmhelp/v4r0m3/topic/com.ibm.rational.rrdi.admin.doc/topics/t_int_ssl_reportsrv_jazz.html InfoCenter page. As I said, I'm using Entrust certificates; should the root certificate already be in the trust store by default?



Ali Manji (59147) | answered Aug 29 '13, 8:38 a.m.
JAZZ DEVELOPER
Hi Simo - try going through this InfoCenter Help topic and the related sub-topics to clear up this issue:

http://pic.dhe.ibm.com/infocenter/clmhelp/v4r0m3/topic/com.ibm.rational.rrdi.admin.doc/topics/t_general_was_ssl.html

Regards,
Ali
