AppWorx, Dollar Universe and Sysload Community

 View Only
Expand all | Collapse all

Automic 9.3.1 Upgrade -- javax.net.ssl.SSLHandshakeException: sun.security.validator.ValidatorException: PKIX path building failed:

  • 1.  Automic 9.3.1 Upgrade -- javax.net.ssl.SSLHandshakeException: sun.security.validator.ValidatorException: PKIX path building failed:

    Posted Mar 10, 2020 09:11 AM
    We've upgraded to Automic 9.3.1 successfully and are now trying to get the new client working on Windows.
    The user_keystore & user_keystore_config steps are executed.
    copied those files to C:\Users\<user name>\.AppWorx\ and remoteagent as well.
    the connections.properties have AMTEST=https://testbanner.test.edu/uc4
    The new client jar file launches, but when we try to login we get the following error:

    javax.net.ssl.SSLHandshakeException: sun.security.validator.ValidatorException: PKIX path building failed: sun.security.provider.certpath.SunCertPathBuilderException: unable to find valid certification path to requested target

    In the interest of needing to get this working, we've proceeded with the following:

    1. Imported self-signed certificate into client PC Java cacerts.
    2. Packaged this cacerts file in "security" subdirectory in Client.zip for distribution.
    3. Modified client.properties in Client.zip with: runOptions=-Djavax.net.ssl.trustStore="security/cacerts"

    This is currently working for us and we have tested on multiple client PCs.

    Any idea why this issue is occuring

    ------------------------------
    Parashuram Jadhav
    ------------------------------


  • 2.  RE: Automic 9.3.1 Upgrade -- javax.net.ssl.SSLHandshakeException: sun.security.validator.ValidatorException: PKIX path building failed:

    Posted Mar 10, 2020 11:49 AM
    Hi Parashuram,
    Try copying the keystore files to new directory structure:
    C:\Users\<user name>\AppWorx\AM_MASTER_NAME

    **Note**
    there is no . before AppWorx in this example.

    HTH,
    Scott



  • 3.  RE: Automic 9.3.1 Upgrade -- javax.net.ssl.SSLHandshakeException: sun.security.validator.ValidatorException: PKIX path building failed:

    Posted Mar 10, 2020 11:56 AM
    I did that too but no luck.


  • 4.  RE: Automic 9.3.1 Upgrade -- javax.net.ssl.SSLHandshakeException: sun.security.validator.ValidatorException: PKIX path building failed:

    Posted Mar 10, 2020 12:04 PM
    Hi,
    And could you confirm you have the same user_keystore and user_keystore_config file in ~/data directory on the Master and you are using OpenJDK 11.0.2 (when you start the master you see this is the Java it is pointing to)?

    Thanks,
    Scott


  • 5.  RE: Automic 9.3.1 Upgrade -- javax.net.ssl.SSLHandshakeException: sun.security.validator.ValidatorException: PKIX path building failed:
    Best Answer

    Posted Mar 11, 2020 11:04 AM
    Hi everyone, I hope this helps. I had to work through this myself and found the answer. Depending on what documentation you look at the references to 
    the placement of the keystores could be the Appworx or  .Appworx.  I found out the hard way it needs to be the one without the period. It's a new directory. 
    The .Appworx I believe still is used.   For V9.3.1 you need the Appworx\<instance>  directories. For me I have mine in my
    C:\Users\rblumlei\Appworx\AMPROD|AMTEST|AMUPGD directories on my PC.     A lot of this depends on the Java you have on the host or PC. 
    If using Java 8 201 or less on host, and PC you don't need them. Once you upgrade either you need them. If you create them then using a lower level than 201, then you need them on your PC.  A lot of combinations. 
    The online, and PDF docs had some documentation errors.  I finally saw in the client debug log an error that it was looking in Appworx not .Appworx. 
    I create them on the master, and push the keystores out to the agents data directories. 


    I hope this helps. 

    Rich 



  • 6.  RE: Automic 9.3.1 Upgrade -- javax.net.ssl.SSLHandshakeException: sun.security.validator.ValidatorException: PKIX path building failed:

    Posted Mar 23, 2020 12:20 PM
    Hi all,

    This thread is a great resource as I plan my own 9.3.1 upgrade. Is it sufficient to generate a self-signed certificate into cacert, or will the client's java complain if the certificate is not from a third party?

    jim

    ------------------------------
    Core Services Specialist
    University of New Mexico
    ------------------------------



  • 7.  RE: Automic 9.3.1 Upgrade -- javax.net.ssl.SSLHandshakeException: sun.security.validator.ValidatorException: PKIX path building failed:

    Posted Mar 23, 2020 12:41 PM
    Hi everyone, 
    What I did was upgrade the JAva to 1.8..0_231, then su as the user the master runs under. I user the Java keytool command to create the pair.
    I run the command to encrypt the keys password.  I then copy the user_keystore* files to the remote agents data directories, and assigned the proper ownership, and permissions.  Then I copied the keystore files to my PC under the appropriate <instance> directory. 
    I do the same procedure for my 3 instances.   No need for a specific signing from an outside authority. 

    Rich 




  • 8.  RE: Automic 9.3.1 Upgrade -- javax.net.ssl.SSLHandshakeException: sun.security.validator.ValidatorException: PKIX path building failed:

    Posted Apr 28, 2020 10:26 AM
    Hi Rich,

    Thanks for sharing your information.  I have a couple of questions.

    1.  Are your keystore files unique to each master, or did you create one set of keystores and use the one set (user_keystore, user_keystore_config) for all 3 masters?  

    2.  On your pc's, do your users have one client directory where they start RunClient.jar (meaning they have all 3 masters listed in the connections.properties file)... or.... do you have 3 different client directories, one for each master?

    Thanks!

    ------------------------------
    Ellucian
    ------------------------------



  • 9.  RE: Automic 9.3.1 Upgrade -- javax.net.ssl.SSLHandshakeException: sun.security.validator.ValidatorException: PKIX path building failed:

    Posted Apr 28, 2020 10:45 AM
    Hi  Lucy, 

    We have 3 instances AMUPGD, AMTEST, and AMPROD. most of our users use AMPROD, but a lot of them user AMTEST. 
    If they need access to a specific instance we have to create an account for them which is still using individual passwords. We are not using any sort of LDAP component yet, even though there might be some support for it. 

    We packaged on the local client files into a directory AM_Client which we pass out to the users. We used Microsoft teams to hav ethem download the zip. I took the client.zip file from the installation, and customized various file like connections.properties, and client.properties. 
    I also customized the Intro.html file so they can't download the file. they need to get the customized files from us.. Since the users need to have an account, we have all the systems in the connections.properties file.  I also customize the client.properties for a bit. I turn on debugging, and have a few sample Java paths in there. I like the ability to change my Java this way. 

    I have my client directory extracted to C:\local\AM_Client


    The user_keystore files I built for each master. For each master I copy the files to the remote agents data directories. Then copy the files to my PC under C:\Users\rblumle\Appworx\<Instance name>        With V9.3.1 it is Appworx, not .Appworx.    

    we have spate downloads for the keystores the users need to do. If they don't have a login then they can't get in, but they are separate. 

    With V9.3.1 there is a bug in the client.  We are using ojdbc8.jar on the hosts.  We experienced a problem if a user types an invalid password or gets a password prompt it was not working.  I worked with support, and the fix was to take the ojdbc8.jar and copy it under the 
    AM_Client\jars directory on my PC.  We packaged this up for the users to include this.  Support told me this is fixed in V9.3.2. 

    I hope this information helps. 

    Take care, Rich 



  • 10.  RE: Automic 9.3.1 Upgrade -- javax.net.ssl.SSLHandshakeException: sun.security.validator.ValidatorException: PKIX path building failed:

    Posted Apr 29, 2020 07:49 PM

    Is anyone else now able to access the community page?

     

    Kenny Hutchins, CSM
    Dev Ops Engineer | IT-Infrastructure and Operations

    image001.png@01D5CAD7.50FAF0E0

    8403 Colesville Rd, 14th fl

    Silver Spring, MD  20910

    Office: 202.682.6603

    Mobile: 240.338.5307

    Fax: 202.962.8842

    Khutchin@ullico.com

     

     

    Notice. This message is intended only for use by the person or entity to which it is addressed. Because it may contain confidential information intended solely for the addressee, you are notified that any disclosing, copying, downloading, distributing or retaining of this message, and any attached files, is prohibited and may be a violation of state or federal law. If you received this message in error, please notify the sender by reply email, and delete the message and all attached files. Please be aware that all email communications sent or received through ullico.com email accounts will be processed through the Exchange Online Protection System. Thank you.