Need help to overcome Certification exception while making REST API call in plugin code
Plug-in code is throwing the below exception while making a REST API call, and I need help to overcome this issue:
com.ibm.jsse2.util.h: PKIX path building failed: java.security.cert.CertPathBuilderException: PKIXCertPathBuilderImpl could not build a valid CertPath.; internal cause is: java.security.cert.CertPathValidatorException: The certificate issued by CN=GlobalRootCA is not trusted; internal cause is: java.security.cert.CertPathValidatorException: Certificate chaining error
|
Accepted answer
If you have installed your CLM applications in WAS then this completely changes everything.
Neither of these locations is relevant - each instance of a WAS server maintains its own list of trusted CAs, so you have to add the CA to the specific WAS instance:
Michael Rowe selected this answer as the correct answer
|
6 other answers
David Honey (1.8k●1●7)
| answered Jun 11 '21, 6:04 a.m.
FORUM ADMINISTRATOR / FORUM MODERATOR / JAZZ DEVELOPER
The following may be of some help: https://jazz.net/wiki/bin/view/Deployment/ConfigureCACertificates
Comments
Kevin Ramer
commented Jun 14 '21, 11:09 a.m.
Assuming the OP is dealing with server plugin:
|
You need to find what JRE your plug-in is running in:
- if this is a client side plug-in then it will be the JRE of the Eclipse instance
- if this is a server side plug-in then it's the JRE of the server
You then need to add the CA certificate to the cacert trust store, which will be found in the directory mentioned above
JRE_HOME/lib/security/cacerts
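To confirm which JRE and default trust store the plug-in's JVM actually uses, a check like the following can be run from inside that JVM. It is an added example, not code from the thread or from IBM; the class name `TrustStoreCheck` and its method are hypothetical, and the CN is taken from the exception above. It reads only the JVM default trust store, not the per-instance list of trusted CAs that the accepted answer says WAS maintains.

```java
import java.io.File;
import java.security.KeyStore;
import java.security.cert.X509Certificate;
import javax.net.ssl.TrustManager;
import javax.net.ssl.TrustManagerFactory;
import javax.net.ssl.X509TrustManager;

// Hypothetical helper: call defaultTrustContains() from the plug-in, or run main() with the same JRE.
public class TrustStoreCheck {

    /** True if this JVM's default trust managers accept a CA whose subject DN contains dnFragment. */
    public static boolean defaultTrustContains(String dnFragment) throws Exception {
        TrustManagerFactory tmf =
            TrustManagerFactory.getInstance(TrustManagerFactory.getDefaultAlgorithm());
        tmf.init((KeyStore) null); // null selects the JVM's default trust store
        for (TrustManager tm : tmf.getTrustManagers()) {
            if (!(tm instanceof X509TrustManager)) {
                continue;
            }
            for (X509Certificate ca : ((X509TrustManager) tm).getAcceptedIssuers()) {
                String dn = ca.getSubjectX500Principal().getName();
                if (dn.contains(dnFragment)) {
                    System.out.println("trusted: " + dn + " (expires " + ca.getNotAfter() + ")");
                    return true;
                }
            }
        }
        return false;
    }

    public static void main(String[] args) throws Exception {
        // Which JRE is this, and has the default trust store been overridden?
        String home = System.getProperty("java.home");
        System.out.println("java.home                = " + home);
        System.out.println("javax.net.ssl.trustStore = "
            + System.getProperty("javax.net.ssl.trustStore"));

        // JSSE prefers jssecacerts over cacerts when both exist in lib/security.
        File securityDir = new File(home, "lib/security");
        for (String name : new String[] {"jssecacerts", "cacerts"}) {
            File f = new File(securityDir, name);
            System.out.println(f + (f.isFile() ? " exists" : " missing"));
        }

        String fragment = args.length > 0 ? args[0] : "CN=GlobalRootCA";
        System.out.println(fragment + " trusted by JVM default: "
            + defaultTrustContains(fragment));
    }
}
```

If the printed `java.home` is not one of the directories that were updated, the CA was imported into a JRE the plug-in does not run in.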
|
Hi Dave, Kevin,
Thank you for your response. We found the certification already exists in two places.
1) Application - /ALM/JazzTeamServer_6061/server/jre/lib/security,
2) WAS - /opt/IBM/WebSphere9/AppServer/java/8.0/jre/lib/security.
Do we need to place the cacerts anywhere else on the server? What are we missing here? We are still seeing the exception issue.
|
Is your plug in running in a client or on the server?
If it's running on a client then you need to update the CA store for the client - so if it's an Eclipse plug in, you need to update the Eclipse JRE's cacert store.
If it's a plug in running on the server then you need to update the cacert store for the JRE that the server is using, so if you're running ELM on WebSphere it'll be the JRE that WAS is using.
Comments
Kevin Ramer
commented Aug 26 '21, 10:52 a.m.
I would also add that if you are updating the trust for WAS/Liberty they will probably need to be restarted so that their understanding of trust is refreshed.
Hi Dave, Kevin,
Thanks. It is a server side plugin. The default cacert is already present in the designated location on the server. We can see it in the paths below, used by the application and WAS JRE.
1) Application install directory - /ALM/JazzTeamServer_6061/server/jre/lib/security,
2) WAS install directory - /opt/IBM/WebSphere9/AppServer/java/8.0/jre/lib/security.
The issue is not resolved yet. Any help would be much appreciated.
|