Need help to overcome Certification exception while making REST API call in plugin code
The plug-in code is throwing the exception below while making a REST API call, and we need help to overcome this issue.
com.ibm.jsse2.util.h: PKIX path building failed: java.security.cert.CertPathBuilderException: PKIXCertPathBuilderImpl could not build a valid CertPath.; internal cause is: java.security.cert.CertPathValidatorException: The certificate issued by CN=GlobalRootCA is not trusted; internal cause is: java.security.cert.CertPathValidatorException: Certificate chaining error
Accepted answer
If you have installed your CLM applications in WAS then this completely changes everything.
Neither of these locations is relevant - each instance of a WAS server maintains its own list of trusted CAs, so you have to add the CA to the specific WAS instance:
- Log on to the IBM WebSphere Integrated Solutions Console with an administrator account.
- Expand the tree for Security | SSL certificate and key management.
- On the SSL certificate and key management page, in the Related Items list, click Key stores and certificates.
- In the list of keystores and certificates, click the keystore you want to configure.
- Under Additional Properties, select Signer certificates.
- On the Signer Certificate page, click Add.
- On the General Properties page, enter the following values:
  - Alias. Enter the name used to identify the Root CA certificate in the keystore.
  - File name. Enter the full path to the Root CA certificate.
  - Data type. Select the encoding type of your certificate. If you have an ASCII PEM encoded certificate, select Base64-encoded ASCII data. If you have a DER encoded certificate, select DER encoded binary.
- Click Apply and OK.
- Click Save.
- To import server certificates to the keystore, under Additional Properties, select Personal Certificates.
- Click [Receive Certificate from CA].
- On the General Properties page, enter the following values:
  - File name. Enter the full path to the server certificate.
  - Data type. Select Base64-encoded ASCII data or DER encoded binary.
- Click Apply and OK.
- Click Save.
6 other answers
The following may be of some help: https://jazz.net/wiki/bin/view/Deployment/ConfigureCACertificates
Comments
Assuming the OP is dealing with server plugin:
Our experience is that while WebSphere and Liberty can have certificate Trust stores, adding the certificate that gets flagged in the above fashion to said Trust does not solve the issue (even after restart). Thus we add the certificates to the JRE trust store, usually found in JRE_HOME/lib/security/cacerts, and restart the Jazz server.
You need to find what JRE your plug-in is running in:
- if this is a client side plug-in then it will be the JRE of the Eclipse instance
- if this is a server side plug-in then it's the JRE of the server
You then need to add the CA certificate to the cacert trust store, which will be found in the directory mentioned above:
JRE_HOME/lib/security/cacerts
Hi Dave, Kevin,
Thank you for your response. We found the certification already exists in two places.
1) Application - /ALM/JazzTeamServer_6061/server/jre/lib/security,
2) WAS - /opt/IBM/WebSphere9/AppServer/java/8.0/jre/lib/security.
Do we need to place the cacerts anywhere else on the server? What are we missing here? We are still seeing the exception issue.
Is your plug in running in a client or on the server?
If it's running on a client then you need to update the CA store for the client - so if it's an Eclipse plug in, you need to update the Eclipse JRE's cacert store.
If it's a plug in running on the server then you need to update the cacert store for the JRE that the server is using, so if you're running ELM on WebSphere it'll be the JRE that WAS is using.
Hi Dave, Kevin,
Thanks. It is a server-side plugin. The default cacert is already present in the designated location on the server. We can see it in the paths below, used by the application and WAS JRE.
1) Application install directory - /ALM/JazzTeamServer_6061/server/jre/lib/security,
2) WAS install directory - /opt/IBM/WebSphere9/AppServer/java/8.0/jre/lib/security.
The issue is not resolved yet. Any help would be much appreciated.
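
Added example, not part of any post in this thread: a small Java diagnostic that asks the JVM itself which trust anchors it loads by default and whether the issuer named in the exception (CN=GlobalRootCA) is among them, which is a different question from whether a cacerts file exists in a directory. The class name `TrustAnchorCheck` is hypothetical, and the check assumes the plug-in relies on the JVM-default trust manager; per the accepted answer, a WAS instance keeps its own signer list, which this check may not reflect. Run it with the same JRE binary the server uses.

```java
import java.security.KeyStore;
import java.security.cert.X509Certificate;
import java.util.Locale;
import javax.net.ssl.TrustManager;
import javax.net.ssl.TrustManagerFactory;
import javax.net.ssl.X509TrustManager;

/** Added diagnostic (hypothetical class name): reports what the running JVM trusts by default. */
public class TrustAnchorCheck {

    /** Returns the CA certificates accepted by the JVM-default X.509 trust manager. */
    static X509Certificate[] defaultTrustAnchors() throws Exception {
        TrustManagerFactory tmf =
                TrustManagerFactory.getInstance(TrustManagerFactory.getDefaultAlgorithm());
        // A null KeyStore makes the factory load the JVM's default trust store:
        // the javax.net.ssl.trustStore property if set, otherwise the JRE's own files.
        tmf.init((KeyStore) null);
        for (TrustManager tm : tmf.getTrustManagers()) {
            if (tm instanceof X509TrustManager) {
                return ((X509TrustManager) tm).getAcceptedIssuers();
            }
        }
        return new X509Certificate[0];
    }

    /** True if any anchor's subject DN contains the fragment, compared case-insensitively. */
    static boolean trusts(X509Certificate[] anchors, String dnFragment) {
        String needle = dnFragment.toLowerCase(Locale.ROOT);
        for (X509Certificate cert : anchors) {
            String subject = cert.getSubjectX500Principal().getName();
            if (subject.toLowerCase(Locale.ROOT).contains(needle)) {
                return true;
            }
        }
        return false;
    }

    public static void main(String[] args) throws Exception {
        // Default to the issuer quoted in the exception at the top of this page.
        String issuer = args.length > 0 ? args[0] : "CN=GlobalRootCA";
        System.out.println("java.home                = " + System.getProperty("java.home"));
        System.out.println("javax.net.ssl.trustStore = "
                + System.getProperty("javax.net.ssl.trustStore"));
        X509Certificate[] anchors = defaultTrustAnchors();
        System.out.println("trust anchors loaded     = " + anchors.length);
        System.out.println("trusts " + issuer + " = " + trusts(anchors, issuer));
    }
}
```

A `false` result alongside a `java.home` that matches one of the directories listed above means the cacerts file in that directory does not contain the root CA, even though the file itself is present.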