Collector or AFX Connector TEST fails with "PKIX path building failed" in RSA Governance & Lifecycle
2 years ago
Article Number
000072099
Applies To
  • RSA Governance & Lifecycle 8.0.0
Issue

1.  RSA Identity Governance & Lifecycle Collector fails during collection or fails during test connection with the following error message in the aveksaserver.log file.

08/31/2023 08:45:29.967 ERROR
(Thread-412 (ActiveMQ-client-global-threads)) [com.aveksa.server.utils.NodeMessageBroker]
Exception while getting test data from collector
com.aveksa.server.runtime.ServerException: com.aveksa.common.DataReadException: com.aveksa.client.genericrest.GenericRestException:
CONNECTION_FAILED_WITHOUT_CODE javax.net.ssl.SSLHandshakeException:
PKIX path building failed: sun.security.provider.certpath.SunCertPathBuilderException:
unable to find valid certification path to requested target. Caused by com.aveksa.client.genericrest.GenericRestException: CONNECTION_FAILED_WITHOUT_CODE javax.net.ssl.SSLHandshakeException: PKIX path building failed: sun.security.provider.certpath.SunCertPathBuilderException:
unable to find valid certification path to requested target.


2.  RSA Identity Governance & Lifecycle AFX Connector fails during execution or fails during test connection with the following error message in the AFX connector log file.


2022-09-26 14:20:15.327 [ERROR] org.mule.transport.ldapx.LdapxConnector:361 - LDAPException: Connection lost waiting for results from corp.myserver.com:636 (91) Connect Error
javax.net.ssl.SSLHandshakeException: PKIX path building failed: java.security.cert.CertPathBuilderException: Could not build a validated path.
LDAPException: Connection lost waiting for results from corp.myservercom:636 (91) Connect Error
javax.net.ssl.SSLHandshakeException: PKIX path building failed: java.security.cert.CertPathBuilderException: Could not build a validated path.
at com.novell.ldap.Connection$ReaderThread.run(Unknown Source)
at java.lang.Thread.run(Thread.java:750)
Caused by: javax.net.ssl.SSLHandshakeException: PKIX path building failed: java.security.cert.CertPathBuilderException: Could not build a validated path.
at sun.security.ssl.Alert.createSSLException(Alert.java:131)
at sun.security.ssl.TransportContext.fatal(TransportContext.java:324)


Cause

The CA certificate (or CA certificate chain) that signed the endpoint's certificate is not trusted in the RSA Governance & Lifecycle keystore.

RSA Governance & Lifecycle attempts to validate the CA certificate of every certificate used for SSL communication. This error is generated when the certificate cannot be validated by building a complete path from the endpoint certificate up to a trusted root CA certificate.

Java ships with a default list of common public CA certificates. If the server your Collector or Connector connects to presents an SSL certificate signed by one of these common public CA vendors, you will not see this error and will not have to trust the CA certificate explicitly.

If the endpoint's certificate is signed by a private CA, this error indicates that you must explicitly import the trusted CA certificate or CA chain.
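The path-building check described above, reproduced with the openssl command-line tool against a constructed private CA hierarchy. This is an added example, not RSA's code: the CA names, the placeholder hostname corp.example.invalid and the file names are made up, and the openssl verify call stands in for Java's PKIX validator. It shows the same endpoint certificate being rejected when no private CA is trusted, rejected again when only the root is trusted but the intermediate is missing, and accepted once the full CA chain is trusted (or the root is trusted and the server supplies the intermediate itself).

```shell
#!/bin/sh
# Added example (not RSA's code): reproduce the PKIX path-building check with a
# constructed private CA hierarchy and the openssl CLI. All names are made up.
set -eu

WORK="$(mktemp -d)"
trap 'rm -rf "$WORK"' EXIT

# Extensions that mark a certificate as a CA able to sign other certificates.
printf 'basicConstraints=critical,CA:TRUE\nkeyUsage=critical,keyCertSign,cRLSign\n' \
  > "$WORK/ca.ext"

# Constructed private root CA: stands in for a corporate CA that is absent from
# Java's default list of public CAs.
openssl req -newkey rsa:2048 -nodes -subj "/CN=Example Private Root CA" \
  -keyout "$WORK/root.key" -out "$WORK/root.csr" 2>/dev/null
openssl x509 -req -in "$WORK/root.csr" -signkey "$WORK/root.key" -days 1 \
  -extfile "$WORK/ca.ext" -out "$WORK/root.pem" 2>/dev/null

# Constructed issuing (intermediate) CA signed by the root.
openssl req -newkey rsa:2048 -nodes -subj "/CN=Example Private Issuing CA" \
  -keyout "$WORK/int.key" -out "$WORK/int.csr" 2>/dev/null
openssl x509 -req -in "$WORK/int.csr" -CA "$WORK/root.pem" -CAkey "$WORK/root.key" \
  -CAcreateserial -days 1 -extfile "$WORK/ca.ext" -out "$WORK/int.pem" 2>/dev/null

# Leaf certificate for the endpoint a collector or connector would contact
# (placeholder hostname), signed by the intermediate CA.
openssl req -newkey rsa:2048 -nodes -subj "/CN=corp.example.invalid" \
  -keyout "$WORK/server.key" -out "$WORK/server.csr" 2>/dev/null
openssl x509 -req -in "$WORK/server.csr" -CA "$WORK/int.pem" -CAkey "$WORK/int.key" \
  -CAcreateserial -days 1 -out "$WORK/server.pem" 2>/dev/null

# The "CA chain" form of the upload: intermediate and root in one PEM file.
cat "$WORK/int.pem" "$WORK/root.pem" > "$WORK/chain.pem"

# chain_status LEAF [TRUSTFILE] [SENTFILE]
# Prints "trusted" when LEAF chains up to a root in TRUSTFILE, else "untrusted".
# An empty TRUSTFILE models a truststore with no private CA uploaded; SENTFILE
# models intermediate certificates the server itself sends during the handshake.
# -no-CAfile/-no-CApath keep the system's public CA bundle out of the picture.
chain_status() {
  leaf=$1
  trust=${2:-}
  sent=${3:-}
  set -- -no-CAfile -no-CApath
  if [ -n "$trust" ]; then set -- "$@" -CAfile "$trust"; fi
  if [ -n "$sent" ]; then set -- "$@" -untrusted "$sent"; fi
  if openssl verify "$@" "$leaf" >/dev/null 2>&1; then
    echo trusted
  else
    echo untrusted
  fi
}

echo "nothing uploaded:                $(chain_status "$WORK/server.pem")"                                  # untrusted
echo "root only, intermediate missing: $(chain_status "$WORK/server.pem" "$WORK/root.pem")"                 # untrusted
echo "full CA chain uploaded:          $(chain_status "$WORK/server.pem" "$WORK/chain.pem")"                # trusted
echo "root uploaded, server sends int: $(chain_status "$WORK/server.pem" "$WORK/root.pem" "$WORK/int.pem")" # trusted
```

The second case is the one that most often survives a first upload attempt: the root was uploaded, but the endpoint is issued by an intermediate that neither the truststore nor the server's handshake supplies, so the path still cannot be completed. That is why the article asks for the CA certificate or CA chain rather than the endpoint's own certificate.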


Resolution

This issue and its resolution are outlined in the troubleshooting section of the "Deploying Remote Collection Agent and Provisioning Service" guide. Refer to that guide for current information for your product and version.

The information is repeated in this KB article and is accurate at the time of authoring. 

To remediate this issue, explicitly trust the third-party CA certificate in RSA Governance & Lifecycle.

Navigate to the Files tab under the Admin/User Interface menu and select SSL Certificates. Click the Upload button to upload your CA certificate in *.pem, *.cer, or *.crt format.


[Screenshot: screen1.png]


For Local Aveksa Agents and Local AFX servers, the certificate is trusted immediately and no additional steps are required.

For Remote Aveksa Agents or Remote AFX servers, you will have to perform the following additional steps.

Aveksa trusted certificates are installed automatically when a new Remote Aveksa Agent or Remote AFX Server is deployed. 

  • If you have not already deployed your Remote Aveksa Agent or Remote AFX Server, simply deploy these servers and the trusted certificates will be usable immediately.
  • If you have already deployed your Remote Aveksa Agent or Remote AFX Server, you may undeploy your existing servers and deploy new instances following the guidance for "deploying" in the "Deploying Remote Collection Agent and Provisioning Service" guide.
  • Alternatively, if you have already deployed your Remote Aveksa Agent or Remote AFX Server and you do not want to redeploy, you can follow the guidance in the "Troubleshooting" section of the "Deploying Remote Collection Agent and Provisioning Service" guide for how to manually upload new keystore and configuration files to your existing instances.