'javax.net.ssl.SSLHandshakeException: sun.security.validator.ValidatorException: PKIX path' error when testing a RESTful Web Service AFX Connector in RSA Identity Governance & Lifecycle

3 years ago

Originally Published: 2020-04-10

Article Number

000049780

Applies To

RSA Product Set: RSA Identity Governance & Lifecycle
RSA Version/Condition: 7.0.x, 7.1.x, 7.2.x

Issue

After creating a RESTful web service AFX connector, the connector shows with a Running status but a test of the connector fails with:

javax.net.ssl.SSLHandshakeException: sun.security.validator.ValidatorException: PKIX path.

Connector in a Running state:

Output from a test of the connector:

Accessing the same URL via a REST/SOAP tool has no issues:

Cause

The SSL certificate for the REST API URL being accessed is not trusted in the RSA Identity Governance & Lifecycle truststore.

Resolution

Download the SSL certificate used by the URL being accessed and load it into the truststore. The example below shows how to obtain the certificate using Firefox and add the certificate to the truststore.

Launch Firefox.
Open the URL being accessed by the AFX RESTful web service connector.
In the left-hand corner, click on the lock icon or the Info button to see the certificate issuer.
Click the > at the right for more details.
Click the More Information button.
Click View Certificate.

Scroll down until you see the Download option:

PEM (cert) PEM (chain)

Click on PEM (cert) to download the certificate in PEM format.
Import the certificate to the JVM cacert as the root user:

keytool -importcert -alias startssl -keystore $JAVA_HOME/jre/lib/security/cacerts -storepass changeit 
-file <path to the cert saved in step 7a>

After importing the certificate, restart the AFX server as the afx user:

afx stop
afx start

Don't see what you're looking for?

Potential Impact from Salesforce Device Activation Change

Related Articles

Trending Articles