Adding RRDI certificate to Tomcat (enable HTTPS on RRDI)
I'm working on enabling HTTPS on RRDI, but I'm having several issues and I'm back on HTTP now.
I have Entrust certificates on the Jazz Team Server and also in WebSphere, where RRDI is installed. But I think I'm missing something, because I'm getting an error in JTS.LOG that the Entrust certificate is not trusted. There are also the same kind of errors on RRDI in WebSphere, saying that the Entrust certificate is not trusted. When I browse to the CLM and RRDI addresses, the certificates are trusted by browsers.
The error in JTS.LOG is:
2013-08-28 21:29:00,093 [http-bio-9443-exec-1742 @@ 21:28 simos /jts/service/com.ibm.team.reports.service.cognos.internal.ICognosReportService/] ERROR com.ibm.team.reports.service.cognos - ; nested exception is:
javax.net.ssl.SSLHandshakeException: com.ibm.jsse2.util.j: PKIX path building failed: java.security.cert.CertPathBuilderException: PKIXCertPathBuilderImpl could not build a valid CertPath.; internal cause is:
java.security.cert.CertPathValidatorException: The certificate issued by CN=Entrust Certification Authority - L1C, OU="(c) 2009 Entrust, Inc.", OU=www.entrust.net/rpa is incorporated by reference, O="Entrust, Inc.", C=US is not trusted; internal cause is:
java.security.cert.CertPathValidatorException: Certificate chaining error Connecting to https://jazzraportointi.kela.fi:9083/reporting
AxisFault
faultCode: {http://schemas.xmlsoap.org/soap/envelope/}Server.userException
faultSubcode:
faultString: javax.net.ssl.SSLHandshakeException: com.ibm.jsse2.util.j: PKIX path building failed: java.security.cert.CertPathBuilderException: PKIXCertPathBuilderImpl could not build a valid CertPath.; internal cause is:
java.security.cert.CertPathValidatorException: The certificate issued by CN=Entrust Certification Authority - L1C, OU="(c) 2009 Entrust, Inc.", OU=www.entrust.net/rpa is incorporated by reference, O="Entrust, Inc.", C=US is not trusted; internal cause is:
java.security.cert.CertPathValidatorException: Certificate chaining error
faultActor:
faultNode:
faultDetail:
{http://xml.apache.org/axis/}stackTrace:javax.net.ssl.SSLHandshakeException: com.ibm.jsse2.util.j: PKIX path building failed: java.security.cert.CertPathBuilderException: PKIXCertPathBuilderImpl could not build a valid CertPath.; internal cause is:
java.security.cert.CertPathValidatorException: The certificate issued by CN=Entrust Certification Authority - L1C, OU="(c) 2009 Entrust, Inc.", OU=www.entrust.net/rpa is incorporated by reference, O="Entrust, Inc.", C=US is not trusted; internal cause is:
java.security.cert.CertPathValidatorException: Certificate chaining error
at com.ibm.jsse2.o.a(o.java:9)
at com.ibm.jsse2.SSLSocketImpl.a(SSLSocketImpl.java:567)
at com.ibm.jsse2.kb.a(kb.java:287)
at com.ibm.jsse2.kb.a(kb.java:481)
at com.ibm.jsse2.lb.a(lb.java:456)
at com.ibm.jsse2.lb.a(lb.java:578)
.........
Caused by: com.ibm.jsse2.util.j: PKIX path building failed: java.security.cert.CertPathBuilderException: PKIXCertPathBuilderImpl could not build a valid CertPath.; internal cause is:
java.security.cert.CertPathValidatorException: The certificate issued by CN=Entrust Certification Authority - L1C, OU="(c) 2009 Entrust, Inc.", OU=www.entrust.net/rpa is incorporated by reference, O="Entrust, Inc.", C=US is not trusted; internal cause is:
java.security.cert.CertPathValidatorException: Certificate chaining error
at com.ibm.jsse2.util.h.b(h.java:116)
at com.ibm.jsse2.util.h.b(h.java:91)
at com.ibm.jsse2.util.g.a(g.java:22)
at com.ibm.jsse2.pc.a(pc.java:98)
at com.ibm.jsse2.pc.checkServerTrusted(pc.java:31)
at com.ibm.jsse2.pc.b(pc.java:11)
at com.ibm.jsse2.lb.a(lb.java:540)
... 66 more
Caused by: java.security.cert.CertPathBuilderException: PKIXCertPathBuilderImpl could not build a valid CertPath.; internal cause is:
java.security.cert.CertPathValidatorException: The certificate issued by CN=Entrust Certification Authority - L1C, OU="(c) 2009 Entrust, Inc.", OU=www.entrust.net/rpa is incorporated by reference, O="Entrust, Inc.", C=US is not trusted; internal cause is:
java.security.cert.CertPathValidatorException: Certificate chaining error
at com.ibm.security.cert.PKIXCertPathBuilderImpl.engineBuild(PKIXCertPathBuilderImpl.java:411)
at java.security.cert.CertPathBuilder.build(CertPathBuilder.java:258)
at com.ibm.jsse2.util.h.b(h.java:121)
... 72 more
Caused by: java.security.cert.CertPathValidatorException: The certificate issued by CN=Entrust Certification Authority - L1C, OU="(c) 2009 Entrust, Inc.", OU=www.entrust.net/rpa is incorporated by reference, O="Entrust, Inc.", C=US is not trusted; internal cause is:
java.security.cert.CertPathValidatorException: Certificate chaining error
at com.ibm.security.cert.BasicChecker.<init>(BasicChecker.java:111)
at com.ibm.security.cert.PKIXCertPathValidatorImpl.engineValidate(PKIXCertPathValidatorImpl.java:178)
at com.ibm.security.cert.PKIXCertPathBuilderImpl.myValidator(PKIXCertPathBuilderImpl.java:737)
at com.ibm.security.cert.PKIXCertPathBuilderImpl.buildCertPath(PKIXCertPathBuilderImpl.java:649)
at com.ibm.security.cert.PKIXCertPathBuilderImpl.engineBuild(PKIXCertPathBuilderImpl.java:357)
... 74 more
Caused by: java.security.cert.CertPathValidatorException: Certificate chaining error
at com.ibm.security.cert.CertPathUtil.findIssuer(CertPathUtil.java:298)
at com.ibm.security.cert.BasicChecker.<init>(BasicChecker.java:108)
... 78 more
2 answers
Hi Simo,
I assume you followed the steps in the infoCenter link below to enable SSL for your report server.
The error "CertPathValidatorException: Certificate chaining error" indicates you might not have all the certificates in your keystore. See the following technote:
Comments
Thank you for your answer! I have followed those steps, but I'm not sure exactly which certificate (file) I have to import in steps x, xi and xii on this Infocenter page: http://pic.dhe.ibm.com/infocenter/clmhelp/v4r0m3/topic/com.ibm.rational.rrdi.admin.doc/topics/t_int_ssl_reportsrv_jazz.html. As I said, I'm using Entrust certificates, and should the root certificate already be in the trust store by default?
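The "Certificate chaining error" discussed in this thread, reproduced as an added example (not from the original posts or from IBM's documentation): a constructed root CA, issuing CA and server certificate are built with openssl, then validated against a trust store that holds only the root. All names, keys and files are throwaway assumptions, and openssl stands in for the Java PKIX validator.

```shell
# Added example with throwaway keys: Demo Root CA -> Demo Issuing CA -> server cert.
# openssl stands in for the Java PKIX path builder; every name here is constructed.

mkcsr() {   # $1 = file prefix, $2 = subject CN
  openssl req -new -newkey rsa:2048 -nodes -subj "/CN=$2" \
    -keyout "$1.key" -out "$1.csr" 2>/dev/null
}

build_chain() {   # $1 = empty working directory
  dir=$1
  printf 'basicConstraints=critical,CA:TRUE\n' > "$dir/ca.ext"
  mkcsr "$dir/root" "Demo Root CA" &&
  mkcsr "$dir/issuing" "Demo Issuing CA" &&
  mkcsr "$dir/server" "reports.example.test" &&
  openssl x509 -req -in "$dir/root.csr" -signkey "$dir/root.key" -days 2 \
    -extfile "$dir/ca.ext" -out "$dir/root.pem" 2>/dev/null &&
  openssl x509 -req -in "$dir/issuing.csr" -CA "$dir/root.pem" -CAkey "$dir/root.key" \
    -CAcreateserial -days 2 -extfile "$dir/ca.ext" -out "$dir/issuing.pem" 2>/dev/null &&
  openssl x509 -req -in "$dir/server.csr" -CA "$dir/issuing.pem" -CAkey "$dir/issuing.key" \
    -CAcreateserial -days 2 -out "$dir/server.pem" 2>/dev/null
}

# Trust store holds only the root; the peer presents only its own certificate.
verify_root_only() {
  openssl verify -CAfile "$1/root.pem" "$1/server.pem" >/dev/null 2>&1
}

# Same trust store, but the peer also sends the issuing CA certificate in the handshake.
verify_peer_sends_chain() {
  openssl verify -CAfile "$1/root.pem" -untrusted "$1/issuing.pem" \
    "$1/server.pem" >/dev/null 2>&1
}

# Issuing CA certificate imported into the client's trust store next to the root.
verify_issuer_imported() {
  cat "$1/root.pem" "$1/issuing.pem" > "$1/trust.pem"
  openssl verify -CAfile "$1/trust.pem" "$1/server.pem" >/dev/null 2>&1
}

demo() {
  tmp=$(mktemp -d) || return 1
  build_chain "$tmp" || { rm -rf "$tmp"; return 1; }
  verify_root_only "$tmp"        && echo "root only: OK"        || echo "root only: chain cannot be built"
  verify_peer_sends_chain "$tmp" && echo "peer sends chain: OK" || echo "peer sends chain: FAILED"
  verify_issuer_imported "$tmp"  && echo "issuer imported: OK"  || echo "issuer imported: FAILED"
  rm -rf "$tmp"
}
demo
```

In a Java deployment the third case corresponds to importing the issuing CA certificate into the trust store that the connecting JVM actually reads, for example with `keytool -importcert`; the second corresponds to configuring the server to present its full chain.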