RTC 601/02 ping test to Jenkins server fails with java.security.cert.CertPathBuilderException: PKIXCertPathBuilderImpl could not build a valid CertPath
If there are builds configured which run with a secured Jenkins (SSL), it is not possible to request those builds from RTC 6.0.1/6.0.2 version.
When you perform a "ping" test from the RTC client to the Jenkins server, you will see the following error message.
Exception: javax.net.ssl.SSLHandshakeException: com.ibm.jsse2.util.j:PKIX path building failed: java.security.cert.CertPathBuilderException:
PKIXCertPathBuilderImpl could not build a valid CertPath.;
...
...
error
Test connection FAILED!
This issue wasn't seen in version 5.0.2. What has been changed in version 6.x which leads to this failure?
You've added the certificate to the Application Server, yet it isn't able to find the certificate and the ping fails. Why?
2 answers
To Resolve in RTC 601/602
1. You need to export the Jenkins server certificates to the JRE used by the application server.
2. Find the certificates which are used by the Jenkins server; either open ikeyman from the JRE shipped in WAS or use the command line option.
4. Add the Jenkins server certificates as signer certificates to that cacerts keystore.
5. Save changes. Restart the WAS application server.
6. Perform the ping test; you will find the connection is working.
You're done!
For command line options:
1) Locate the JRE path (depends on OS) in your application server.
2) Navigate to the bin folder of the JRE and adjust the certificates location to match your company certificates.
For example, we used the following to import my-cert-root-ca.cer into the JRE cacerts:
C:\ProgramFiles\IBM\WebSphere85\AppServer\java\bin>keytool -importcert -file C:\tmp\Certificates\my-cert-root-ca.cer -alias my-cert-root-ca -keystore ..\jre\lib\security\cacerts -keypass changeit
3) Verify the certificates by running a list command.
C:\ProgramFiles\IBM\WebSphere85\AppServer\java\bin>keytool -list -v -keystore C:\ProgramFiles\IBM\WebSphere855\AppServer\java\jre\bin\cacerts
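An added example (not part of the original answer or of any IBM tooling): a Python check over `keytool -list -v` output, as produced in step 3, that confirms the keystore holds an unexpired signer entry whose Owner matches the Issuer of the topmost certificate Jenkins presents. The listing, the DNs and the function names are constructed for illustration, and the match is by subject name only; it does not verify signatures.

```python
import re
from datetime import datetime

# Constructed sample in the layout of `keytool -list -v` output (not real data).
SAMPLE_LISTING = """\
Alias name: my-cert-root-ca
Entry type: trustedCertEntry

Owner: CN=My Cert Root CA, O=Example Corp
Issuer: CN=My Cert Root CA, O=Example Corp
Valid from: Sun Jan 01 00:00:00 UTC 2017 until: Fri Jan 01 00:00:00 UTC 2027

*******************************************

Alias name: old-internal-ca
Entry type: trustedCertEntry

Owner: CN=Old Internal CA, O=Example Corp
Issuer: CN=Old Internal CA, O=Example Corp
Valid from: Sun Jan 01 00:00:00 UTC 2012 until: Sun Jan 01 00:00:00 UTC 2017
"""

def normalize(dn):
    """Compare DNs case-insensitively and ignore spacing after commas."""
    return ",".join(part.strip().lower() for part in dn.split(","))

def parse_entries(listing):
    """Split the listing per alias and keep the fields a trust check needs."""
    entries = []
    for block in re.split(r"(?m)^Alias name: ", listing)[1:]:
        found = re.findall(r"(?m)^(Entry type|Owner|Issuer): (.+)$", block)
        entry = {key: value.strip() for key, value in found}
        entry["alias"] = block.splitlines()[0].strip()
        # "Fri Jan 01 00:00:00 UTC 2027": drop weekday and zone before parsing.
        tok = re.search(r"until: (.+)$", block, re.M).group(1).split()
        entry["not_after"] = datetime.strptime(" ".join(tok[1:4] + tok[5:]), "%b %d %H:%M:%S %Y")
        entries.append(entry)
    return entries

def find_trust_anchor(listing, server_issuer_dn, now):
    """Return (alias, problem); problem is None when a usable signer exists."""
    for e in parse_entries(listing):
        if normalize(e["Owner"]) != normalize(server_issuer_dn):
            continue
        if e["Entry type"] != "trustedCertEntry":
            return e["alias"], "entry is not a signer (trustedCertEntry)"
        if e["not_after"] < now:
            return e["alias"], "signer certificate has expired"
        return e["alias"], None
    return None, "no signer with this subject in the keystore"
```

Feed it the listing of the same cacerts file that the application server's JRE reads, since a signer imported into a different keystore file will not be found at handshake time.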