TSCO 11.3.01: After installing site-signed certificates, getting error "javax.net.ssl.SSLHandshakeException"

Version 3

    This document contains official content from the BMC Software Knowledge Base. It is automatically updated when the knowledge article is modified.


    PRODUCT:

    TrueSight Capacity Optimization


    COMPONENT:

    Capacity Optimization


    APPLIES TO:

    TrueSight Capacity Optimization 11.3.01



    PROBLEM:

    After enabling certificate validation between the TSCO components following this KA:
      https://docs.bmc.com/docs/display/btco113/Enabling+TLS+server+certificate+validation+among+the+internal+product+components

    The TSCO Component Status Checker system task is unable to check the status of the TSCO Datahub and is reporting the following errors every interval in the Scheduler cpit.log:


    2019-03-01 22:30:00,074 FAILED [taskid=49]- BCO_TASK_FAIL005: Exception occurred during execution of task 49
    StackTrace: javax.ws.rs.ProcessingException: RESTEASY004655: Unable to invoke request
            at org.jboss.resteasy.client.jaxrs.engines.ApacheHttpClient4Engine.invoke(ApacheHttpClient4Engine.java:316)
    <-- cut -->
            at com.neptuny.scheduler.task.AbstractTask$InnerThread.run(AbstractTask.java:896)
    Caused by: javax.net.ssl.SSLHandshakeException: sun.security.validator.ValidatorException: PKIX path building failed: sun.security.provider.certpath.SunCertPathBuilderException: unable to find valid certification path to requested target
            at sun.security.ssl.Alerts.getSSLException(Alerts.java:192)
    <-- cut -->
            at org.apache.http.impl.client.CloseableHttpClient.execute(CloseableHttpClient.java:56)
            at org.jboss.resteasy.client.jaxrs.engines.ApacheHttpClient4Engine.invoke(ApacheHttpClient4Engine.java:312)
            ... 12 more
    Caused by: sun.security.validator.ValidatorException: PKIX path building failed: sun.security.provider.certpath.SunCertPathBuilderException: unable to find valid certification path to requested target
            at sun.security.validator.PKIXValidator.doBuild(PKIXValidator.java:397)
    <-- cut -->
            at sun.security.ssl.ClientHandshaker.serverCertificate(ClientHandshaker.java:1596)
            ... 32 more
    Caused by: sun.security.provider.certpath.SunCertPathBuilderException: unable to find valid certification path to requested target
            at sun.security.provider.certpath.SunCertPathBuilder.build(SunCertPathBuilder.java:141)
            at sun.security.provider.certpath.SunCertPathBuilder.engineBuild(SunCertPathBuilder.java:126)
            at java.security.cert.CertPathBuilder.build(CertPathBuilder.java:280)
            at sun.security.validator.PKIXValidator.doBuild(PKIXValidator.java:392)
            ... 38 more

     


    SOLUTION:

    This error message generally means that TSCO isn't able to validate the certificate due to a problem following the authentication chain.

    One possible reason for this error: when importing a site-signed certificate, the intermediate certificate chain (if one has been provided) must be concatenated into the certificate, and the full certificate must then be imported into the truststore using the commands in 'II. Install the security certificate'.

    1. The concatenation of the certificate with the intermediate certificate is described in the "Installing a CA-signed certificate into the embedded web server" documentation:
      https://docs.bmc.com/docs/display/btco113/Installing+a+CA-signed+certificate+into+the+embedded+web+server

    2. Then import the certificates for TSPS and RSSO into the CO truststore as described on the following documentation page:
      https://docs.bmc.com/docs/btco113/securing-communication-between-product-components-775472768.html

    3. After following the above steps, import the TSCO CA-signed certificate into the TrueSight Presentation Server (TrueSightPServer) cacerts file:
      Linux: /truesightpserver/modules/jre/lib/security/cacerts
      Windows: TrueSightPServer\truesightpserver\modules\jre\lib\security\cacerts

    - Restart the TSPS service on the TSPS server.
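
A way to confirm, before importing, that a concatenated certificate file forms a complete chain. This is an added example, not BMC's procedure or code. The demo CA names, `tsco.example.test` and all file names are constructed, and the client is assumed to trust only the root CA:

```shell
#!/bin/sh
# Added example: constructed demo PKI (root -> intermediate -> server).
# All subject names and file names below are made up for the demonstration.

# new_csr DIR NAME CN: create DIR/NAME.key and DIR/NAME.csr
new_csr() {
  openssl req -new -newkey rsa:2048 -nodes -subj "/CN=$3" \
    -keyout "$1/$2.key" -out "$1/$2.csr" 2>/dev/null
}

# make_demo_pki DIR: build root.pem, int.pem and srv.pem inside DIR
make_demo_pki() {
  d=$1
  # Extensions that mark a certificate as a CA
  printf 'basicConstraints=critical,CA:TRUE\nkeyUsage=critical,keyCertSign,cRLSign\n' > "$d/ca.ext"
  new_csr "$d" root "Demo Root CA" &&
  openssl x509 -req -in "$d/root.csr" -signkey "$d/root.key" \
    -extfile "$d/ca.ext" -days 2 -out "$d/root.pem" 2>/dev/null &&
  new_csr "$d" int "Demo Intermediate CA" &&
  openssl x509 -req -in "$d/int.csr" -CA "$d/root.pem" -CAkey "$d/root.key" \
    -CAcreateserial -extfile "$d/ca.ext" -days 2 -out "$d/int.pem" 2>/dev/null &&
  new_csr "$d" srv "tsco.example.test" &&
  openssl x509 -req -in "$d/srv.csr" -CA "$d/int.pem" -CAkey "$d/int.key" \
    -CAcreateserial -days 2 -out "$d/srv.pem" 2>/dev/null
}

# chain_ok ROOT BUNDLE: succeed only if the first certificate in BUNDLE chains
# to ROOT using nothing but the other certificates inside BUNDLE. This is the
# path building that fails with "unable to find valid certification path".
chain_ok() {
  openssl verify -CAfile "$1" -untrusted "$2" "$2" >/dev/null 2>&1
}

# report ROOT BUNDLE: print the verdict for one bundle
report() {
  if chain_ok "$1" "$2"; then echo "$2: chain complete"
  else echo "$2: chain incomplete (intermediate missing?)"; fi
}

demo() {
  dir=$(mktemp -d) && make_demo_pki "$dir" || return 1
  report "$dir/root.pem" "$dir/srv.pem"              # server cert alone
  cat "$dir/srv.pem" "$dir/int.pem" > "$dir/fullchain.pem"
  report "$dir/root.pem" "$dir/fullchain.pem"        # server + intermediate
  rm -rf "$dir"
}

demo
```

On a real system, call `chain_ok` with the site root CA certificate and the concatenated file that is about to be imported.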



     

      

     


    Article Number:

    000165265


    Article Type:

    Solutions to a Product Problem


