Unable to Resolve PKIX Path Building Failed

Question

I try to connect to https web service using below code.

adapter.xml:

<connectivity>
    <connectionPolicy xsi:type="http:HTTPConnectionPolicyType">
        <protocol>https</protocol>
        <domain>somewhere.com</domain>
        <port>443</port>    
        <connectionTimeoutInMilliseconds>30000</connectionTimeoutInMilliseconds>
        <socketTimeoutInMilliseconds>30000</socketTimeoutInMilliseconds>
        <maxConcurrentConnectionsPerNode>50</maxConcurrentConnectionsPerNode>
    </connectionPolicy>
</connectivity>

impl.js:

function getTest() {
    var input = {
        method : 'GET',
        returnedContentType : 'json',
        path : "WS.svc"
    };

    return WL.Server.invokeHttp(input);
}

Unfortunately, this error appears when I try to call the adapter:

{
   "errors": [
      "Runtime: Http request failed: javax.net.ssl.SSLHandshakeException: sun.security.validator.ValidatorException: PKIX path building failed: sun.security.provider.certpath.SunCertPathBuilderException: unable to find valid certification path to requested target"
   ],
   "info": [
   ],
   "isSuccessful": false,
   "warnings": [
   ]
}

I have added the public certificate of the WS (accessed from browser and get it from certificate details) into my Java folder in Program Files (C:\Program Files\Java\jdk_version\jre\lib\security), however the issue still persists.

Is there any advise?

Here is the reference http://stackoverflow.com/questions/6659360/how-to-solve-javax-net-ssl-sslhandshakeexception-error — Rendy, Jun 07 '15 at 17:36

score 0 · Accepted Answer · answered Jun 07 '15 at 17:42

0

The instructions you've followed are incorrect when using MobileFirst Platform.
Follow the steps described in this user documentation topic (for Worklight 6.2, but valid for MFPF 6.3 and above as well).

Do not export the certificate from a browser because this action adds browser metadata and other artifacts which shouldn't be there. Instead use a tool such as OpenSSL to get the certificate (described in the documentation)
The certificate should then be stored in the keystore of the application server and not in your Java's JVM.

answered Jun 07 '15 at 17:42

Idan Adar

44,156
13
50
89

Yes Idan I agree. I have removed cert from my JVM and added cert to MFP default keystore inside conf folder. But I used the cert extracted from browser. I will let you know the result after imported the cert by using openSSL. – Rendy Jun 07 '15 at 17:50
Idan, it works with both of solution but as you suggest, I import the certificate that extracted by using OpenSSL. Thanks! – Rendy Jun 07 '15 at 18:27
I exported my certificate using the command line in http://serverfault.com/a/129505 and using Firefox, then imported and verified it's in my mfp keystore as mentioned in http://www.ibm.com/support/knowledgecenter/SSZH4A_6.2.0/com.ibm.worklight.installconfig.doc/admin/t_configuring_SSL_WL_adapters_backend_servers_certificates.html but I am still having the javax.net.ssl.SSLHandshakeException exception. Anything wrong ? – WiPhone May 10 '16 at 23:00

Unable to Resolve PKIX Path Building Failed

1 Answers1