It's all about the answers!

Ask a question

CRJAZ0099E An HTTP error occurred when this URL was being accessed


Pankaj Sharma (40455) | asked Feb 14 '17, 5:48 p.m.
edited Feb 14 '17, 5:49 p.m.

 Hello Team,


I am writing a plugin to access the current logged-in user and to assign the same user to a contributer list. but my SystemOut.log file logs the following error, Please help

CRJAZ0099E An HTTP error occurred when this URL was being accessed: /ccm/versionCompatibility?clientVersion=6.0.2. Error details: com.ibm.jsse2.util.j: PKIX path building failed: java.security.cert.CertPathBuilderException: PKIXCertPathBuilderImpl could not build a valid CertPath.; internal cause is: 
java.security.cert.CertPathValidatorException: The certificate issued by CN=CDRoot-AD-Root-CA, EMAILADDRESS=cdroot_pki@chrysler.com, OU=ITI/NC, O=Chrysler LLC, L=Auburn Hills, ST=Michigan, C=US is not trusted; internal cause is: 
java.security.cert.CertPathValidatorException: Certificate chaining error.

</pre>

2 answers



permanent link
Donald Nong (14.4k314) | answered Feb 14 '17, 7:30 p.m.
edited Feb 14 '17, 7:31 p.m.

The SSL exception is quite typical. To resolve the issue, you need to import the certificates of entire certificate chain, that is, the certificate you are receiving, its issuer's certificate, its issuer's issuer's certificate, and etc, down to the root certificate. The correct terms for them are, personal certificate, intermediate certificates and root certificate. If you search "certificate chaining error", you will get lots of hits.

You did not say how you run the plugin, so I cannot tell you exactly how to import the certificates. Usually, you need to import them into the truststore of the JRE that runs your plugin (or any Java applications involved).


Comments
Pankaj Sharma commented Feb 14 '17, 10:48 p.m.

Thank You very much Donald!!!

I will try the same tomorrow at work, But just to let you know about my plugin, So that you can provide some more help on this.

My plugin is a followup action and executed when the workitem is saved, and my jts server is deployed on a linux bases server.

Please let me know if anything specific needs to be done.


Donald Nong commented Feb 15 '17, 12:05 a.m.

That's interesting. Assuming that the JTS server where your plugin is deployed to, and the CCM server that you are trying to connect to, are in the same deployment, they should already be configured in a way that SSL connections can be established between them. Is it not the case?

The steps for exporting/importing SSL keys depend on the application server in use. If WAS, they are similar to those outlined in the section of "
Setup SSL Handshake between the WAS profiles and IHS"
https://jazz.net/wiki/bin/view/Deployment/ConfigureCLMEnterpriseReverseProxy

Basically, you export the personal certificate from the server that you are trying to connect to, and import it into the truststore/keystore of the server where the SSL connection is initiated.


permanent link
Sudhir Balusu (261) | answered Feb 15 '17, 12:58 p.m.

 Hi Donald,

These are self signed certificates. It is deployed in a distributed environment with the reverse proxy set up and there are no issues with any cross application communication/handshakes. I have seen this in the past at multiple customers and I have had no issues given that this is test environment there were no CA issued certs.
Sudhir


Comments
Donald Nong commented Feb 16 '17, 12:37 a.m.

I'm a bit lost. Which part are you referring to? CA-signed or self-signed - it does not matter. As long as the SSL client does not recognize/accept the SSL certificate sending from the SSL server, the SSL connection will fail to establish. The function relying on the SSL connection will therefore fail.

If the error just randomly appears, in other words, the SSL connection sometimes works, sometime not, then it's a different issue.


Sudhir Balusu commented Feb 16 '17, 9:24 a.m.

 My comment was about the setup. Pankaj was this a client side plugin or a server side plugin? Since RTC has no issues communicating with JTS I would imagine the certs should not play a role....


Pankaj Sharma commented Feb 16 '17, 1:28 p.m. | edited Feb 16 '17, 1:28 p.m.

 Hello Donald & Sudhir,

This is a server side plugin Java API (executed by follow-up action upon saving a workitem)

We are trying to access Active Users from our plugin

 IContributor contributor = null;

ITeamRepository repo = TeamPlatform.getTeamRepositoryService().getTeamRepository(iac.getRepositoryURI());

repo.registerLoginHandler((ITeamRepository.ILoginHandler)new LoginHandler("XXX", "XXX"));

repo.login(monitor);

IContributorHandle[] iContributorHandles = operation.getProcessArea().getMembers(); 


Donald Nong commented Feb 16 '17, 7:11 p.m.

So the plugin fails to connect to the server which it is running on? So it's not between JTS and RTC. It's possible that the key store on the RTC server only contains a personal certificate (the one you see in the error message) without any server certificates (intermediate and root certificates that I mentioned in the other comment). Try to import the missing certificate into the key store and see how it goes.

Your answer


Register or to post your answer.