Vladlen Litvinov, the author: If you have some job offer for me, I'm ready to discuss it.

Tuesday, March 5, 2013

Step-by-step solution for java.security.cert.CertPathValidatorException: Certificate chaining error seen with IBM Business Process Manager v8

Recently I solved an issue.

It looked like this (in SystemOut.log):

Caused by: com.lombardisoftware.core.TeamWorksException: com.ibm.jsse2.util.h: PKIX path building failed: java.security.cert.CertPathBuilderException: PKIXCertPathBuilderImpl could not build a valid CertPath.; internal cause is:
java.security.cert.CertPathValidatorException: The certificate issued by OU=..., O=..., O=domain, C=ru is not trusted; internal cause is:
java.security.cert.CertPathValidatorException: Certificate chaining error
 

Visibly, the Process Inspector could not be opened over HTTPS, for example.

I found this article by Dave Hay (thanks a lot to him!):

http://portal2portal.blogspot.ru/2012/12/javasecuritycertcertpathvalidatorexcept.html

Unfortunately Dave did not describe the full "how-to" of his solution.
He wrote only:

Once we imported ONLY the root and intermediate certificates, and restarted the Process Center and Process Server JVMs, our ability to publish processes improved 100% :-)

So I decided to write up the step-by-step solution that goes with his note. The error means the JVM cannot build a chain from the presented certificate to a signer it trusts, so the steps below export the default certificate together with its signer chain from the node key store and import them into the JRE trust store (cacerts).
So:

1. Run /<WAS_INSTALL_ROOT>/java/jre/bin/ikeyman

2. Click Key Database File - Open. Change Key database type to PKCS12. Browse to /<Profile_folder>/config/cells/<cellName>/nodes/<nodeName>/key.p12 (the node's key store) and press OK.



3. Enter the password ("WebAS" by default).
4. Switch the view to Personal Certificates, select the certificate named default and press Export/Import.
5. Choose Action Type: Export Key, key file type CMS, file name bpm.key, location <Path>, and press OK.
 
 
6. Enter a password for the exported file (you will need it again in step 10).
 
Now we need to add the exported certificate and its signer chain to the Java trust store (cacerts).
 
7. Click Key Database File - Open. Change Key database type to JKS. Browse to /<WAS_INSTALL_ROOT>/java/jre/lib/security/cacerts and press OK.
 
8. Enter the password ("changeit" by default).
 
9. Press Import. Choose key file type CMS, file name bpm.key, location <Path>, and press OK.
 
10. Enter the password from step 6. Select both entries in the next window (the default certificate and its signer) and press OK, then press OK again in the following window.
 
11. Now we have one entry (default) under Personal Certificates and the other one (its signer) under Signer Certificates. The signer entry is what resolves the chaining error; the trust store does not need the private key of default that came along with it, and bpm.key on disk holds that private key protected only by the password from step 6, so delete the file once the import is done.
 
12. Finally, restart WAS (the Process Center and Process Server JVMs).
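The following shell script is an added example and not part of the original post or of IBM's tooling. It reproduces the chaining error with OpenSSL on a constructed three-level PKI (root CA, intermediate CA, server certificate), packs the server certificate into a key.p12 with alias default and password WebAS to mirror the node key store, pulls out only the signer certificates as Dave Hay's note suggests, and shows the keytool equivalent of steps 7 to 11. The subjects, the host name bpm.example.test, all file names and the throwaway JKS store are assumptions made for the demo.

```shell
#!/bin/sh
# Added example, not from the original post or from IBM: reproduce the
# "Certificate chaining error" with OpenSSL and then apply the fix the post
# and Dave Hay describe, i.e. trust the ROOT and INTERMEDIATE signers, without
# ever copying a private key into the trust store. The PKI, subjects, host
# name, file names and the p12 alias/password ("default"/"WebAS") are all
# constructed for the demo to mirror the node key.p12 in the post.
set -eu

WORK="$(mktemp -d)"
trap 'rm -rf "$WORK"' EXIT

# Build root CA -> intermediate CA -> server certificate and pack the server
# key+cert plus its chain into key.p12, the layout step 2 opens in iKeyman.
make_demo_pki() {
  # own minimal req config, so the demo does not depend on a system openssl.cnf
  printf '[req]\ndistinguished_name=dn\nprompt=no\n[dn]\nCN=unused\n' > "$WORK/req.cnf"
  printf 'basicConstraints=critical,CA:true\nkeyUsage=critical,keyCertSign,cRLSign\n' > "$WORK/ca.ext"
  printf 'basicConstraints=CA:false\nextendedKeyUsage=serverAuth\nsubjectAltName=DNS:bpm.example.test\n' > "$WORK/leaf.ext"
  for name in root int leaf; do
    case $name in
      root) subj='/C=ru/O=domain/OU=Demo Root CA' ;;
      int)  subj='/C=ru/O=domain/OU=Demo Intermediate CA' ;;
      leaf) subj='/C=ru/O=domain/CN=bpm.example.test' ;;
    esac
    openssl req -new -newkey rsa:2048 -nodes -config "$WORK/req.cnf" -subj "$subj" \
      -keyout "$WORK/$name.key" -out "$WORK/$name.csr" 2>/dev/null
  done
  openssl x509 -req -in "$WORK/root.csr" -signkey "$WORK/root.key" -days 30 \
    -extfile "$WORK/ca.ext" -out "$WORK/root.pem" 2>/dev/null
  openssl x509 -req -in "$WORK/int.csr" -CA "$WORK/root.pem" -CAkey "$WORK/root.key" \
    -CAcreateserial -days 30 -extfile "$WORK/ca.ext" -out "$WORK/int.pem" 2>/dev/null
  openssl x509 -req -in "$WORK/leaf.csr" -CA "$WORK/int.pem" -CAkey "$WORK/int.key" \
    -CAcreateserial -days 30 -extfile "$WORK/leaf.ext" -out "$WORK/leaf.pem" 2>/dev/null
  cat "$WORK/int.pem" "$WORK/root.pem" > "$WORK/chain.pem"
  openssl pkcs12 -export -name default -inkey "$WORK/leaf.key" -in "$WORK/leaf.pem" \
    -certfile "$WORK/chain.pem" -passout pass:WebAS -out "$WORK/key.p12"
}

# Steps 4-6 without the private key: pull ONLY the signer certificates
# (intermediate + root) out of key.p12.
extract_signers() {
  openssl pkcs12 -in "$WORK/key.p12" -passin pass:WebAS -nokeys -cacerts \
    -out "$WORK/signers.pem" 2>/dev/null
}

count_certs() { grep -c 'BEGIN CERTIFICATE' "$1"; }

# Exit 0 when a path from leaf.pem to an anchor in trust file $1 can be built,
# optionally with extra untrusted chain certs in $2 (what a server that sends
# its intermediate provides). OpenSSL's failure text here is
# "unable to get local issuer certificate"; the JVM's is the chaining error.
verify_leaf_against() {
  if [ -n "${2:-}" ]; then
    openssl verify -CAfile "$1" -untrusted "$2" "$WORK/leaf.pem" >/dev/null 2>&1
  else
    openssl verify -CAfile "$1" "$WORK/leaf.pem" >/dev/null 2>&1
  fi
}

# Steps 7-11 without the GUI: import each signer into a JKS trust store.
# For WebSphere the store would be <WAS_INSTALL_ROOT>/java/jre/lib/security/cacerts
# with password "changeit"; the demo uses a throwaway store and the same password.
# Skipped when keytool is not on PATH.
import_signers_jks() {
  store="$1"; pem="$2"
  command -v keytool >/dev/null 2>&1 || { echo "keytool not found, skipping JKS import"; return 0; }
  # split the PEM bundle into one file per certificate, dropping bag attributes
  awk -v dir="$WORK" '/BEGIN CERTIFICATE/{n++; out=1} out{print > (dir "/signer" n ".pem")} /END CERTIFICATE/{out=0}' "$pem"
  for f in "$WORK"/signer*.pem; do
    keytool -importcert -noprompt -storetype JKS -keystore "$store" -storepass changeit \
      -alias "$(basename "$f" .pem)" -file "$f" >/dev/null
  done
  keytool -list -keystore "$store" -storepass changeit
}

make_demo_pki
extract_signers
echo "signer certificates found in key.p12: $(count_certs "$WORK/signers.pem")"
verify_leaf_against "$WORK/root.pem" && echo "root only: OK" \
  || echo "root only: chaining error (intermediate signer missing)"
verify_leaf_against "$WORK/signers.pem" && echo "root+intermediate trusted: OK"
verify_leaf_against "$WORK/root.pem" "$WORK/int.pem" && echo "root trusted, server sends intermediate: OK"
import_signers_jks "$WORK/cacerts.jks" "$WORK/signers.pem"
```

The three verify calls are the check worth keeping: with only the root trusted and the server sending just its own certificate the chain cannot be built, which is the situation behind the log excerpt above; trusting the intermediate as well (what steps 9 to 11 achieve) fixes it, and so would a server that sends its intermediate along with the leaf. Nothing in the trust store needs the private key, which is why extract_signers uses -nokeys.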
 

6 comments:

  1. I have been facing this issue for the last two days and am not able to solve it. I configured the .cer in the cacerts file and restarted the server, but the problem did not get resolved. I will try these steps tomorrow. Hope it works this time.

  2. Hi,
    This solution really works. It was tested in different environments.
    Check your environment. It is possible your certificate service has some problems.

  3. I followed all your steps and they went fine. But my error remains. There is not even a change in the exception that would lead to some other pointer. I don't know how to proceed with it.

  4. Hello, I'm having this issue but I'm not able to get the default profile when I select the p12 key and, without that, I can't continue with the process. Any keys to that? Many thanks!

    Pau

    Replies
    1. Possible reasons:
      1. Your certificate has another name.
      2. It was not created.
      3. It was deleted.
      4. Your WAS uses another keystore.
      In cases 2 and 3 you can create it (self-signed) and set up your SSL configuration.
      In case 4, look at your SSL configuration in ISConsole > Security.

  5. Thanks for detailed how-to.

    Your solution worked for me.

    Regards
