  • Solution for – SunCertPathBuilderException: unable to find valid certification path to requested target

    Posted by Ganesh Kamble in "FMW, OIM, WebLogic" on 2014-09-18


    In a production environment, it is highly recommended that you use SSL certificates signed by a trusted CA rather than the demo certificates that ship with WebLogic Server.
    To learn more about SSL configuration with custom certificates in WebLogic Server, see these very useful posts by Atul Kumar: http://onlineappsdba.com/index.php/2013/02/05/ssl-in-weblogic-ca-keystore-identity-trust-store-things-you-must-know-part-i/ and http://onlineappsdba.com/index.php/2013/02/10/ssl-in-weblogic-server-part-ii-create-keystore-generate-csr-import-cert-and-configure-keystore-with-weblogic/.

    This post discusses an issue I faced recently in an OIM-OAM high availability enterprise deployment. User accounts registered through self-service user registration are, by default, routed to system administrators for approval; the DefaultRequestApproval composite on the SOA server then calls the OIM workflow callback service over HTTPS. If you have not imported the root and intermediate CA certificates into the WebLogic trust store and the JDK trust store (cacerts), that HTTPS call fails with the error below. You will find it in the diagnostic log of the SOA managed server, <DOMAIN_HOME>/servers/<SOA_MANAGED_SERVER_NAME>/logs/<SOA_MANAGED_SERVER_NAME>-diagnostic.log.

    [2014-09-05T08:40:35.152+01:00] [WLS_SOA1] [NOTIFICATION] [] [oracle.integration.platform.blocks.soap] [tid: orabpel.invoke.pool-4.thread-5] [userId: weblogic] [ecid: 00iOEBU16v4E4UWFLzmJOA0001j00001LK,1:31035] [APP: soa-infra] [composite_instance_id: 30001] [composite_name: DefaultRequestApproval!3.0] [component_name: CallbackService_2] Endpoint with address "https://<HOST_NAME>:443/workflowservice/CallbackService" is not suitable for local invocation.
    [2014-09-05T08:40:35.249+01:00] [WLS_SOA1] [WARNING] [] [oracle.integration.platform.blocks.soap] [tid: orabpel.invoke.pool-4.thread-5] [userId: weblogic] [ecid: 00iOEBU16v4E4UWFLzmJOA0001j00001LK,1:31035] [APP: soa-infra] [composite_instance_id: 30001] [composite_name: DefaultRequestApproval!3.0] [component_name: CallbackService_2] Unable to invoke endpoint URI "https://<HOST_NAME>:443/workflowservice/CallbackService" successfully due to: Unable to invoke endpoint URI "https://<HOST_NAME>:443/workflowservice/CallbackService" successfully due to: javax.xml.soap.SOAPException: javax.xml.soap.SOAPException: Message send failed: sun.security.validator.ValidatorException: PKIX path building failed: sun.security.provider.certpath.SunCertPathBuilderException: unable to find valid certification path to requested target
    [2014-09-05T08:40:35.250+01:00] [WLS_SOA1] [ERROR] [] [oracle.soa.bpel.engine.ws] [tid: orabpel.invoke.pool-4.thread-5] [userId: weblogic] [ecid: 00iOEBU16v4E4UWFLzmJOA0001j00001LK,1:31035] [APP: soa-infra] [composite_instance_id: 30001] [component_instance_id: 30005] [composite_name: DefaultRequestApproval!3.0] [component_name: ApprovalProcess] got FabricInvocationException[[
    sun.security.provider.certpath.SunCertPathBuilderException: unable to find valid certification path to requested target
    at sun.security.provider.certpath.SunCertPathBuilder.engineBuild(SunCertPathBuilder.java:174)
    at java.security.cert.CertPathBuilder.build(CertPathBuilder.java:238)
    at sun.security.validator.PKIXValidator.doBuild(PKIXValidator.java:318)
    at sun.security.validator.PKIXValidator.engineValidate(PKIXValidator.java:217)
    at sun.security.validator.Validator.validate(Validator.java:218)
    at com.sun.net.ssl.internal.ssl.X509TrustManagerImpl.validate(X509TrustManagerImpl.java:126)

    As mentioned above, this error is solved by importing the root and intermediate CA certificates into the WebLogic trust store and into the Java trust store (cacerts), so that the JVM can build a certification path from the endpoint's server certificate up to a trusted anchor. Follow the links at the beginning of this post for a step-by-step approach.

    In a nutshell, these are the commands you will most likely use:

    Assumptions:

    • Java is present in the PATH environment variable
    • JAVA_HOME is set
    • Certificates are exported in .cer format (keytool accepts both binary DER and Base64/PEM encoded X.509 certificates)
    • You know the passwords of the trust stores
    • The commands are executed from the locations where trust stores are present

     

    Import certificates into the WebLogic trust store:
    The trust store that ships with WebLogic Server is DemoTrust.jks. Its passphrase is published in the documentation, so in a production environment you should configure a custom trust store (the Atul Kumar posts linked above show how) and run the same commands against that file instead.

    DemoTrust.jks location: <MW_HOME>/wlserver_10.3/server/lib

    • keytool -import -trustcacerts -alias rootcacert -keystore DemoTrust.jks -file /tmp/rootca.cer -storepass DemoTrustKeyStorePassPhrase
    • keytool -import -trustcacerts -alias intermediatecacert -keystore DemoTrust.jks -file /tmp/intermediateca.cer -storepass DemoTrustKeyStorePassPhrase

    Import certificates into cacerts:
    The same certificates must also be installed in the trust store of the JDK that starts the domain (not just whichever java happens to be first in PATH), as follows:

    cacerts location : <JAVA_HOME>/jre/lib/security

    • keytool -import -alias rootcacert -keystore cacerts -trustcacerts -file /tmp/rootca.cer -storepass changeit
    • keytool -import -alias intermediatecacert -keystore cacerts -trustcacerts -file /tmp/intermediateca.cer -storepass changeit

    To view the list of certificates installed:

    • keytool -list -keystore DemoTrust.jks
    • keytool -list -keystore cacerts

    Note here:
    The default password for DemoTrust.jks is DemoTrustKeyStorePassPhrase.
    The default password for cacerts is changeit.
    Passing -storepass on the command line leaves the password in your shell history and visible in the process list while keytool runs; on a shared host, omit it and let keytool prompt. Restart the managed servers after importing, because the trust store is read at startup. A JDK patch or upgrade replaces cacerts, so the cacerts import has to be repeated after every JDK update.
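    As an added example (not part of the original post, and not Oracle's or K21's code), the following POSIX shell script reproduces the failure and the fix offline. It builds a constructed root -> intermediate -> server certificate chain with openssl, shows that validation against the root alone fails when the peer sends only its server certificate (the situation behind the SunCertPathBuilderException above), shows that it succeeds once root and intermediate are both in the trust bundle, and then, if a JDK is on the PATH, imports both with the same keytool commands used in this post. The CA names, the hostname oimhost.example.com and the function names are assumptions; fetch_chain shows how to pull a live endpoint's certificates with openssl s_client but needs network access and is not invoked.

```shell
#!/bin/sh
# Added example, not code from the original post. Builds a constructed
# root -> intermediate -> server certificate chain with openssl, shows why
# PKIX path building fails when the trust store lacks the intermediate, and
# then imports root + intermediate with keytool the way the post describes.
set -eu

# build_test_pki DIR : create a throw-away root CA, intermediate CA and server
# certificate in DIR (all names are constructed for this example).
build_test_pki() {
  d=$1
  mkdir -p "$d"
  printf 'basicConstraints=critical,CA:TRUE\nkeyUsage=critical,keyCertSign,cRLSign\n' > "$d/ca.ext"
  printf 'basicConstraints=CA:FALSE\nsubjectAltName=DNS:oimhost.example.com\n' > "$d/server.ext"
  # Root CA: CSR, then self-signed with CA extensions
  openssl req -new -newkey rsa:2048 -nodes -keyout "$d/root.key" -out "$d/root.csr" \
    -subj "/CN=Constructed Root CA" 2>/dev/null
  openssl x509 -req -in "$d/root.csr" -signkey "$d/root.key" -out "$d/root.pem" \
    -days 30 -extfile "$d/ca.ext" 2>/dev/null
  # Intermediate CA, signed by the root
  openssl req -new -newkey rsa:2048 -nodes -keyout "$d/int.key" -out "$d/int.csr" \
    -subj "/CN=Constructed Intermediate CA" 2>/dev/null
  openssl x509 -req -in "$d/int.csr" -CA "$d/root.pem" -CAkey "$d/root.key" -CAcreateserial \
    -out "$d/int.pem" -days 30 -extfile "$d/ca.ext" 2>/dev/null
  # Server certificate, signed by the intermediate (what the HTTPS endpoint presents)
  openssl req -new -newkey rsa:2048 -nodes -keyout "$d/server.key" -out "$d/server.csr" \
    -subj "/CN=oimhost.example.com" 2>/dev/null
  openssl x509 -req -in "$d/server.csr" -CA "$d/int.pem" -CAkey "$d/int.key" -CAcreateserial \
    -out "$d/server.pem" -days 30 -extfile "$d/server.ext" 2>/dev/null
}

# check_path TRUST LEAF [UNTRUSTED] : validate LEAF using only the certificates
# in TRUST (default CA locations are ignored, like a JVM that trusts only its
# cacerts). UNTRUSTED optionally holds extra certificates the peer sent along
# with LEAF. Prints "ok" or "fail".
check_path() {
  trust=$1; leaf=$2
  if [ -n "${3:-}" ]; then extra="-untrusted $3"; else extra=""; fi
  if openssl verify -no-CAfile -no-CApath -CAfile "$trust" $extra "$leaf" >/dev/null 2>&1; then
    echo ok
  else
    echo fail
  fi
}

# import_into_trust_store DIR : import root and intermediate into a fresh trust
# store with the same keytool commands the post uses, if a JDK is on the PATH.
# Prints the number of trusted entries, or a skip message.
import_into_trust_store() {
  d=$1
  if ! command -v keytool >/dev/null 2>&1; then
    echo "keytool not found, skipping keytool import"
    return 0
  fi
  rm -f "$d/trust.jks"
  keytool -importcert -noprompt -trustcacerts -alias rootcacert \
    -file "$d/root.pem" -keystore "$d/trust.jks" -storepass changeit >/dev/null 2>&1
  keytool -importcert -noprompt -trustcacerts -alias intermediatecacert \
    -file "$d/int.pem" -keystore "$d/trust.jks" -storepass changeit >/dev/null 2>&1
  keytool -list -keystore "$d/trust.jks" -storepass changeit 2>/dev/null | grep -c trustedCertEntry
}

# fetch_chain HOST [PORT] : print the PEM certificates a live endpoint presents,
# which is how you obtain the intermediate (and sometimes the root) to import.
# Needs network access, so it is not called below.
fetch_chain() {
  openssl s_client -connect "$1:${2:-443}" -servername "$1" -showcerts </dev/null 2>/dev/null |
    awk '/-----BEGIN CERTIFICATE-----/,/-----END CERTIFICATE-----/'
}

WORK=$(mktemp -d)
trap 'rm -rf "$WORK"' EXIT
build_test_pki "$WORK"
cat "$WORK/root.pem" "$WORK/int.pem" > "$WORK/trust.pem"
# Expected results: fail, ok, ok
echo "trust=root only,         peer sends server cert only:  $(check_path "$WORK/root.pem" "$WORK/server.pem")"
echo "trust=root only,         peer also sends intermediate: $(check_path "$WORK/root.pem" "$WORK/server.pem" "$WORK/int.pem")"
echo "trust=root+intermediate, peer sends server cert only:  $(check_path "$WORK/trust.pem" "$WORK/server.pem")"
echo "keytool import result: $(import_into_trust_store "$WORK")"
```

    The first line is the WebLogic/SOA case from the log above: the endpoint presents only its own certificate and the trust store holds only the root, so no path can be built. The second line shows that a server configured to send its intermediate would have been fine with the root alone; the third shows the fix this post applies, importing both root and intermediate into the trust store so it no longer matters what the peer sends.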

    I hope this helps. Leave a comment if you need more information and we will be happy to help.

    Ganesh Kamble works as Oracle Fusion Middleware Consultant and is an Oracle Certified Specialist in Access Management. Having started his career in product development at Oracle, Ganesh got excellent exposure to the middleware technologies during his work in integration of Tier-1 banking product Oracle Banking Platform with Oracle Fusion Middleware products. He was honored with Outstanding Contribution award by Oracle.
    His key areas of interest are Oracle Identity and Access Management, Oracle Service Oriented Architecture and Java with passion for blogging on various encounters with Oracle products. He publishes blogs regularly on http://k21technologies.com/blog/. He can be reached at ganesh.kamble@k21technologies.com and http://twitter.com/ganeshk_8
  • Copyright 2019, K21 Technologies. All rights reserved