Need help to overcome Certification exception while making REST API call in plugin code

TUSHAR PAKGARE (911) | asked Jun 11 '21, 5:26 a.m.
Plugin code is throwing the below exception while making a REST API call, and we need help to overcome this issue:

PKIX path building failed: CertPathBuilderException: PKIXCertPathBuilderImpl could not build a valid CertPath.; internal cause is: CertPathValidatorException: The certificate issued by CN=GlobalRootCA is not trusted; internal cause is: CertPathValidatorException: Certificate chaining error

Accepted answer

Davyd Norris (2.4k217) | answered Sep 02 '21, 7:41 p.m.
edited Sep 02 '21, 7:42 p.m.
If you have installed your CLM applications in WAS then this completely changes everything.

Neither of these locations is relevant - each instance of a WAS server maintains its own list of trusted CAs, so you have to add the CA to the specific WAS instance:

  1. Log on to the IBM WebSphere Integrated Solutions Console with an administrator account.
  2. Expand the tree for Security | SSL certificate and key management.
  3. On the SSL certificate and key management page, in the Related Items list, click Key stores and certificates.
  4. In the list of keystores and certificates, click the keystore you want to configure.
  5. Under Additional Properties, select Signer certificates.
  6. On the Signer Certificate page, click Add.
  7. On the General Properties page, enter the following values:
    • Alias. Enter the name used to identify the Root CA certificate in the keystore.
    • File name. Enter the full path to the Root CA certificate.
    • Data type. Select the encoding type of your certificate. If you have an ASCII PEM encoded certificate, select Base64-encoded ASCII data. If you have a DER encoded certificate, select DER encoded binary.
  8. Click Apply and OK.
  9. Click Save.
  10. To import server certificates to the keystore, under Additional Properties, select Personal Certificates.
  11. Click [Receive Certificate from CA].
  12. On the General Properties page, enter the following values:
    1. File name. Enter the full path to the server certificate.
    2. Data type. Select Base64-encoded ASCII data or DER encoded binary.
  13. Click Apply and OK.
  14. Click Save.
Michael Rowe selected this answer as the correct answer

6 other answers

David Honey (1.8k17) | answered Jun 11 '21, 6:04 a.m.

Kevin Ramer commented Jun 14 '21, 11:09 a.m.

Assuming the OP is dealing with server plugin:
Our experience is that while WebSphere and Liberty can have certificate Trust stores, adding the certificate that gets flagged in the above fashion to said Trust does not solve the issue (even after restart). Thus we add the certificates to the JRE trust store usually found in JRE_HOME/lib/security/cacerts and restart the Jazz server.

Davyd Norris (2.4k217) | answered Jun 15 '21, 4:15 a.m.
You need to find what JRE your plug-in is running in:
- if this is a client side plug-in then it will be the JRE of the Eclipse instance
- if this is a server side plug-in then it's the JRE of the server

You then need to add the CA certificate to the cacert trust store, which will be found in the directory mentioned above


Rational User (83) | answered Aug 25 '21, 10:40 a.m.
Hi Dave, Kevin, 

Thank you for your response. We found the certification already exists in two places. 
1) Application - /ALM/JazzTeamServer_6061/server/jre/lib/security, 
2) WAS - /opt/IBM/WebSphere9/AppServer/java/8.0/jre/lib/security. 

Do we need to place the cacerts anywhere else on the server? What are we missing here? We are still seeing the exception issue.

Davyd Norris (2.4k217) | answered Aug 25 '21, 8:36 p.m.
Is your plug in running in a client or on the server?

If it's running on a client then you need to update the CA store for the client - so if it's an Eclipse plug in, you need to update the Eclipse JRE's cacert store.

If it's a plug in running on the server then you need to update the cacert store for the JRE that the server is using, so if you're running ELM on WebSphere it'll be the JRE that WAS is using.

Kevin Ramer commented Aug 26 '21, 10:52 a.m.

I would also add that if you are updating the trust for WAS/Liberty they will probably need to be restarted so that its understanding of trust is refreshed. 

Rational User (83) | answered Sep 02 '21, 3:08 p.m.

 Hi Dave, Kevin,

Thanks, it is a server side plugin. The default cacert is already present in the designated location on the server. We can see it in the below paths used by the application and WAS JRE.
1) Application install directory - /ALM/JazzTeamServer_6061/server/jre/lib/security,
2) WAS install directory - /opt/IBM/WebSphere9/AppServer/java/8.0/jre/lib/security.
The issue is not resolved yet. Any help would be much appreciated.

Davyd Norris commented Sep 02 '21, 7:41 p.m.

See below - not enough room in a comment

Rational User (83) | answered Sep 03 '21, 8:15 a.m.

 Thank you for the detailed steps. Let me try this in our environment and revert with the results ASAP.

Michael Rowe commented Oct 19 '23, 3:58 p.m.

Assuming no response, will close this question as answered above.
