Thanks for your continuous support but it is still not working :-(
-------------------------------------------------------------------------------------
-------------------------------------------------------------------------------------
I have shared the step I followed :
1. Created self signed certificate - key.pem (private) , certificate.pem(public) and certificate.pk12 (contains both public and private)
2. Created a key store , and imported certificate.pk12 into it, as it contains both public and private key
3.Created TLS server profile , with TLS Version 1.2, Mutual Authentication - None,Allow Renegotiation - Limit Renegotiation - enabled , KeyStore same as created above , Truststore - left un selected
4.Updated the TLS server profile in Gateway , with SNI HostName as * , Client Profile as Default, Management End point URL
https://<hostname>:3000 , API Invocation End Point URL
https://<hostname>:443-------------------------------------------------------------------------------------------
openssl s_client -connect apigw-dx1935.etisalat.corp.ae:443 -showcerts
Certificate available in Gateway -------------------------------------------------------------------------------------------
Now I ran below command to fetch the certificate deployed in Gateway
openssl s_client -connect apigw-dx1935.etisalat.corp.ae:443 -showcertsCONNECTED(00000004)
depth=0 C = UE, ST = EMIRATES, L = DUBAI, O = ETISALAT, OU = IT, CN = apigw-dx1935.etisalat.corp.ae, emailAddress =
psidana@etisalat.aeverify error:num=18:self signed certificate
verify return:1
depth=0 C = UE, ST = EMIRATES, L = DUBAI, O = ETISALAT, OU = IT, CN = apigw-dx1935.etisalat.corp.ae, emailAddress =
psidana@etisalat.aeverify return:1
---
Certificate chain
0 s:/C=UE/ST=EMIRATES/L=DUBAI/O=ETISALAT/OU=IT/CN=apigw-dx1935.etisalat.corp.ae/emailAddress=
psidana@etisalat.ae i:/C=UE/ST=EMIRATES/L=DUBAI/O=ETISALAT/OU=IT/CN=apigw-dx1935.etisalat.corp.ae/emailAddress=
psidana@etisalat.ae-----BEGIN CERTIFICATE-----
MIIEDTCCAvWgAwIBAgIJAKc2aEGg4MoGMA0GCSqGSIb3DQEBCwUAMIGcMQswCQYD
VQQGEwJVRTERMA8GA1UECAwIRU1JUkFURVMxDjAMBgNVBAcMBURVQkFJMREwDwYD
VQQKDAhFVElTQUxBVDELMAkGA1UECwwCSVQxJjAkBgNVBAMMHWFwaWd3LWR4MTkz
NS5ldGlzYWxhdC5jb3JwLmFlMSIwIAYJKoZIhvcNAQkBFhNwc2lkYW5hQGV0aXNh
bGF0LmFlMB4XDTE5MDEzMDE4NTk1MVoXDTIwMDEzMDE4NTk1MVowgZwxCzAJBgNV
BAYTAlVFMREwDwYDVQQIDAhFTUlSQVRFUzEOMAwGA1UEBwwFRFVCQUkxETAPBgNV
BAoMCEVUSVNBTEFUMQswCQYDVQQLDAJJVDEmMCQGA1UEAwwdYXBpZ3ctZHgxOTM1
LmV0aXNhbGF0LmNvcnAuYWUxIjAgBgkqhkiG9w0BCQEWE3BzaWRhbmFAZXRpc2Fs
YXQuYWUwggEiMA0GCSqGSIb3DQEBAQUAA4IBDwAwggEKAoIBAQC4QTpf4RiVYeeb
uZ7S0QomNWy/ItPpq/TUnnD+JfRU9Mq5ET6Fz4f/0naHZ4UIoXsoq1CDt60Ckje2
STZ6iu/CBb+/MbDNYlnH0w29k545VHuG4LILMSkEI1hFYSVlJA85yt5gMoAQ7mEx
Fvf9pP9hofZLIDxYlkPt8/fH0MIbDwVpRMhQ3pqRT7jv52i4/cpFauwJT3dFr36B
Uwa45SnuoC2b+L/nRM72hOTseanf0aHZ0ugfHex1hCkt9rqmilseKJ6s9VGTG7Ic
yulSiVhmPCjKvxjuM3e7I5Gs2+5TJ61oASva6C4F3IvwUg9PptTPglDIWdg3j0iA
P2CTE1a/AgMBAAGjUDBOMB0GA1UdDgQWBBRwKVffpoKSqFkjBETsgkPdy1RrXjAf
BgNVHSMEGDAWgBRwKVffpoKSqFkjBETsgkPdy1RrXjAMBgNVHRMEBTADAQH/MA0G
CSqGSIb3DQEBCwUAA4IBAQBU5TlfNamd1cZKM3m1rh4ajYibmGymXSOFOZ/UlJp0
y3cS7W+SmBm/wJSiUw6gfzK01pWDAK6TC4vjZ29xBpCNDOIIMiU4pqJsI7+JJcsx
fvbzdfrYXsWoI9KwK3DhmQKmw3LbvSyq1/D29ePsIECeLtf2atgs+XxpmSqGLhQv
6BLUUa80J6ppXfLHsWWLqB5PCWLgHDHEion3spzTqj3wh7iQ8teH5vsi37BwEypa
l/BGDmmMqaAYlNqmWPrjsNPJsIvFitEoAQS6MUztxr478PUdXw/paId+q7FW1cV7
ruNPu19xhaZULB7r1/v6RVakKaBlsfbZRFTpmiW1oGbf
-----END CERTIFICATE-----
---
Server certificate
subject=/C=UE/ST=EMIRATES/L=DUBAI/O=ETISALAT/OU=IT/CN=apigw-dx1935.etisalat.corp.ae/emailAddress=
psidana@etisalat.aeissuer=/C=UE/ST=EMIRATES/L=DUBAI/O=ETISALAT/OU=IT/CN=apigw-dx1935.etisalat.corp.ae/emailAddress=
psidana@etisalat.ae---
No client certificate CA names sent
Peer signing digest: SHA512
Server Temp Key: DH, 2048 bits
---
SSL handshake has read 1990 bytes and written 499 bytes
---
New, TLSv1/SSLv3, Cipher is DHE-RSA-AES256-GCM-SHA384
Server public key is 2048 bit
Secure Renegotiation IS supported
Compression: NONE
Expansion: NONE
No ALPN negotiated
SSL-Session:
Protocol : TLSv1.2
Cipher : DHE-RSA-AES256-GCM-SHA384
Session-ID: B279D7AB889EBF9CF094B1A0C1B2A1317783D398133829D8B4F2923AE549BBD2
Session-ID-ctx:
Master-Key: B6B76FF36BC0A8D8B603107BF85CCA317D120C20FDE91D1443FF026B0702E179D6470FCFB5754363CF33CDD61CEB300A
Key-Arg : None
SRP username: None
Start Time: 1548951898
Timeout : 300 (sec)
Verify return code: 18 (self signed certificate)
---
----------------------------------------------------------------------------------------
Used certificate -certificate.p12 in my Java client and mentioned below is the content available in this certificate--------------------------------------------------------------------------------------------
-----BEGIN CERTIFICATE-----
MIIEDTCCAvWgAwIBAgIJAKc2aEGg4MoGMA0GCSqGSIb3DQEBCwUAMIGcMQswCQYD
VQQGEwJVRTERMA8GA1UECAwIRU1JUkFURVMxDjAMBgNVBAcMBURVQkFJMREwDwYD
VQQKDAhFVElTQUxBVDELMAkGA1UECwwCSVQxJjAkBgNVBAMMHWFwaWd3LWR4MTkz
NS5ldGlzYWxhdC5jb3JwLmFlMSIwIAYJKoZIhvcNAQkBFhNwc2lkYW5hQGV0aXNh
bGF0LmFlMB4XDTE5MDEzMDE4NTk1MVoXDTIwMDEzMDE4NTk1MVowgZwxCzAJBgNV
BAYTAlVFMREwDwYDVQQIDAhFTUlSQVRFUzEOMAwGA1UEBwwFRFVCQUkxETAPBgNV
BAoMCEVUSVNBTEFUMQswCQYDVQQLDAJJVDEmMCQGA1UEAwwdYXBpZ3ctZHgxOTM1
LmV0aXNhbGF0LmNvcnAuYWUxIjAgBgkqhkiG9w0BCQEWE3BzaWRhbmFAZXRpc2Fs
YXQuYWUwggEiMA0GCSqGSIb3DQEBAQUAA4IBDwAwggEKAoIBAQC4QTpf4RiVYeeb
uZ7S0QomNWy/ItPpq/TUnnD+JfRU9Mq5ET6Fz4f/0naHZ4UIoXsoq1CDt60Ckje2
STZ6iu/CBb+/MbDNYlnH0w29k545VHuG4LILMSkEI1hFYSVlJA85yt5gMoAQ7mEx
Fvf9pP9hofZLIDxYlkPt8/fH0MIbDwVpRMhQ3pqRT7jv52i4/cpFauwJT3dFr36B
Uwa45SnuoC2b+L/nRM72hOTseanf0aHZ0ugfHex1hCkt9rqmilseKJ6s9VGTG7Ic
yulSiVhmPCjKvxjuM3e7I5Gs2+5TJ61oASva6C4F3IvwUg9PptTPglDIWdg3j0iA
P2CTE1a/AgMBAAGjUDBOMB0GA1UdDgQWBBRwKVffpoKSqFkjBETsgkPdy1RrXjAf
BgNVHSMEGDAWgBRwKVffpoKSqFkjBETsgkPdy1RrXjAMBgNVHRMEBTADAQH/MA0G
CSqGSIb3DQEBCwUAA4IBAQBU5TlfNamd1cZKM3m1rh4ajYibmGymXSOFOZ/UlJp0
y3cS7W+SmBm/wJSiUw6gfzK01pWDAK6TC4vjZ29xBpCNDOIIMiU4pqJsI7+JJcsx
fvbzdfrYXsWoI9KwK3DhmQKmw3LbvSyq1/D29ePsIECeLtf2atgs+XxpmSqGLhQv
6BLUUa80J6ppXfLHsWWLqB5PCWLgHDHEion3spzTqj3wh7iQ8teH5vsi37BwEypa
l/BGDmmMqaAYlNqmWPrjsNPJsIvFitEoAQS6MUztxr478PUdXw/paId+q7FW1cV7
ruNPu19xhaZULB7r1/v6RVakKaBlsfbZRFTpmiW1oGbf
-----END CERTIFICATE-----
---------------------------------------------------------------------------------------------
---------------------------------------------------------------------------------------------
I compared the content for both the certificates , one available in gateway and the one that i used in the client key stores and I didnt find any difference its the same.
Hence no solution yet :-(
I am unable to attach the files so typed everything here.
Regards
Susant
------------------------------
Susant Kumar Palai
------------------------------
Original Message:
Sent: 01-31-2019 08:54 AM
From: Devin Richards
Subject: Getting Error : unable to find valid certification path to requested target
Gateway should be loading the cert from the profile without restarting, you can test with the openssl command from above.
In the past when we see the PKIX Path errors it is due to not trusting the cert or cert chain.
Validate that the correct cert is on the DataPower and verify it matches against your Java client. (Also make sure your TLS Profile is NOT requiring two way or mutual TLS)
------------------------------
Devin
IBM Champion - Cloud 2019
Original Message:
Sent: 01-30-2019 04:42 PM
From: Susant Kumar Palai
Subject: Getting Error : unable to find valid certification path to requested target
DO I need to restart the Gateway service after changing the TLS profile ?
created the key store assuming key.pem as private key and certificate.pem as public key . I guess is it the correct way to create it?
This time getting different error .
Connection closed by remote host.
at com.sun.jersey.client.urlconnection.URLConnectionClientHandler.handle(URLConnectionClientHandler.java:149)
I guess either the TLS profile has wrongly got created .Otherwise I dont see any issue .
What would be your inputs for the same.?
------------------------------
Susant Kumar Palai
Original Message:
Sent: 01-30-2019 03:14 PM
From: Susant Kumar Palai
Subject: Getting Error : unable to find valid certification path to requested target
Error on Gateway reads as
Request processing failed: Connection terminated before request headers read because of the connection error occurs, from URL: 10.56.16.175:64824
------------------------------
Susant Kumar Palai
Original Message:
Sent: 01-30-2019 02:39 PM
From: Susant Kumar Palai
Subject: Getting Error : unable to find valid certification path to requested target
I created the key store assuming key.pem as private key and certificate.pem as public key . I guess is it the correct way to create it .
Further to this I was successful in updating the Gateway service.
Now, when I tested it again using certificate.pk12 file in my trusted store I am getting below error.
Sorry for being the pain , but can you please assist here as well.
caused by: javax.ws.rs.ProcessingException: javax.net.ssl.SSLHandshakeException: sun.security.validator.ValidatorException: PKIX path building failed: sun.security.provider.certpath.SunCertPathBuilderException: unable to find valid certification path to requested target
at org.glassfish.jersey.client.internal.HttpUrlConnector.apply(HttpUrlConnector.java:287)
at org.glassfish.jersey.client.ClientRuntime.invoke(ClientRuntime.java:252)
at org.glassfish.jersey.client.JerseyInvocation$2.call(JerseyInvocation.java:701)
at org.glassfish.jersey.internal.Errors.process(Errors.java:315)
at org.glassfish.jersey.internal.Errors.process(Errors.java:297)
at org.glassfish.jersey.internal.Errors.process(Errors.java:228)
at org.glassfish.jersey.process.internal.RequestScope.runInScope(RequestScope.java:444)
at org.glassfish.jersey.client.JerseyInvocation.invoke(JerseyInvocation.java:697)
at org.glassfish.jersey.client.JerseyInvocation$Builder.method(JerseyInvocation.java:448)
at com.tibco.plugin.json.activities.RestActivity.sendReqeustWithBody(RestActivity.java:472)
at com.tibco.plugin.json.activities.RestActivity.doPostAlike(RestActivity.java:452)
at com.tibco.plugin.json.activities.RestActivity.doService(RestActivity.java:417)
at com.tibco.plugin.json.activities.RestActivity$1.run(RestActivity.java:366)
at com.tibco.pe.util.ThreadPool$ThreadPoolThread.run(Unknown Source)
Caused by: javax.net.ssl.SSLHandshakeException: sun.security.validator.ValidatorException: PKIX path building failed: sun.security.provider.certpath.SunCertPathBuilderException: unable to find valid certification path to requested target
------------------------------
Susant Kumar Palai
Original Message:
Sent: 01-30-2019 02:00 PM
From: Devin Richards
Subject: Getting Error : unable to find valid certification path to requested target
No need to register a new API Gateway Service just update the TLS Profile on the existing one to use the new TLS Profile you created with the self-signed certs.
------------------------------
Devin
IBM Champion - Cloud 2019
Original Message:
Sent: 01-30-2019 01:09 PM
From: Susant Kumar Palai
Subject: Getting Error : unable to find valid certification path to requested target
One more question please.
The existing setup for Gateway in CMC is referring to the available gateways through default profile.
Now as per the solution If I have to add one more Gateway with the profile that we have created then what shall we do with the existing Gateway , shall I delete it or both can work in parallel. If both can work in parallel then how does it identify at runtime which one to use for connection .
Regards
Susant
------------------------------
Susant Kumar Palai
Original Message:
Sent: 01-30-2019 09:31 AM
From: Devin Richards
Subject: Getting Error : unable to find valid certification path to requested target
yes it does :)
In the K8s deployment of APIC we use apicup subsys set gwy api-gateway to define the DNS name of the API endpoint and have APIC auto generate a certificate that matches. We can also use apicup certs set gwy CERT_NAME to upload our own certificate. This is possible as with the K8s deployment APIC manages the DataPower Docker containers for us.
However...
You are using the OVA deployment, which only deploys the management, analytics and portal resources, you are expected to already have a fully configured and ready DataPower, and part of that is the certificates. When you registered your API Gateway Service, you selected the built-in default TLS cert that APIC has (and thus the self-signed cert you get from the openssl command.) This is all working as designed, sorry.
That being said we have a better understanding of what your issue is and how to resolve it. :-)
My suggestion to you is to create a self-signed cert with the "correct" DNS name (that being whatever your Java client is going to use) by following something like:
https://www.ibm.com/support/knowledgecenter/SSMNED_2018/com.ibm.apic.cmc.doc/task_apionprem_gernerate_self_signed_openSSL.html
Then you can go into the CMC and create a new TLS Server Profile:
https://www.ibm.com/support/knowledgecenter/SSMNED_2018/com.ibm.apic.cmc.doc/capic_cmc_tlsprofiles_concepts.html
Then reconfigure your API Gateway Service to use the the TLS Server Profile you just created:
https://www.ibm.com/support/knowledgecenter/SSMNED_2018/com.ibm.apic.cmc.doc/config_gateway.html
Then use the certificate.pem file (or the certificate.p12) to create a keystore/truststore for your Java clients just like you did before.
Good luck!
------------------------------
Devin
IBM Champion - Cloud 2019
Original Message:
Sent: 01-30-2019 02:10 AM
From: Susant Kumar Palai
Subject: Getting Error : unable to find valid certification path to requested target
Also, as per the certificate the issuer is
CN = IBM API Connect
O = IBM Corporation
L = Armonk
S = NY
C = US
but I am hitting to the service at "https://dx1935:443/" or https://apigw-dx1935... so can this be the issue ? which is as per the certificate CN = IBM API Connect and what we are hitting to the different server .
Does this makes any sense ?
Regards
Susant
------------------------------
Susant Kumar Palai
Original Message:
Sent: 01-30-2019 02:02 AM
From: Susant Kumar Palai
Subject: Getting Error : unable to find valid certification path to requested target
Hi Devin,
Thanks for your response.
we have tried with openssl s_client -connect api-gw-server-name:443 -showcerts and getting certificate from the server - details mentioned below. Now we copied the certificate details and stored into trusted folder as x.csr.
But while testing we are getting below error.
FYI , attached is the certificate
Kindly assist us in analyzing the issue.
caused by: javax.ws.rs.ProcessingException: javax.net.ssl.SSLHandshakeException: java.security.cert.CertificateException: No name matching dx1935 found
Cerificate Details:
bash-3.2$ openssl s_client -connect dx1935:443 -showcerts
CONNECTED(00000004)
depth=0 C = US, ST = NY, L = Armonk, O = IBM Corporation, CN = IBM API Connect
verify error:num=18:self signed certificate
verify return:1
depth=0 C = US, ST = NY, L = Armonk, O = IBM Corporation, CN = IBM API Connect
verify return:1
---
Certificate chain
0 s:/C=US/ST=NY/L=Armonk/O=IBM Corporation/CN=IBM API Connect
i:/C=US/ST=NY/L=Armonk/O=IBM Corporation/CN=IBM API Connect
-----BEGIN CERTIFICATE-----
MIIDOjCCAiICCQDeQRx/AVa4fzANBgkqhkiG9w0BAQsFADBfMQswCQYDVQQGEwJV
UzELMAkGA1UECAwCTlkxDzANBgNVBAcMBkFybW9uazEYMBYGA1UECgwPSUJNIENv
cnBvcmF0aW9uMRgwFgYDVQQDDA9JQk0gQVBJIENvbm5lY3QwHhcNMTgxMjMwMTE0
OTUyWhcNMjQwMTAzMTE0OTUyWjBfMQswCQYDVQQGEwJVUzELMAkGA1UECAwCTlkx
DzANBgNVBAcMBkFybW9uazEYMBYGA1UECgwPSUJNIENvcnBvcmF0aW9uMRgwFgYD
VQQDDA9JQk0gQVBJIENvbm5lY3QwggEiMA0GCSqGSIb3DQEBAQUAA4IBDwAwggEK
AoIBAQC2LPgP+BgQXERLklNb7CNAwgIIxNGGpeki2bb/uEuUHC5EGjo8hF3tVWYv
eD7Wm0JegAkvU7t+gCuenXFT9JMOEjduHGzV8igwXxnRzg+Ok6DiG9S+Ravfm6Uu
Qp5FfOZ222Xyc38qwW3CzFc93x3VRVIqqE+PHF4mYHhoUZU6KTjMzq11zCRabo7m
GdDVvVubvRpzflAYsr3r2TPACQUF+3hqwYBTE4z0h66xFrbYDR3UzddQvMTm+TRL
BBYPijNy+g1rxmPi0PB8YnT+MqkTqjfc0xXZ2Qnw5TeN0SA01R5MSodzx6HWl0vc
iOBCHJ762nJj2QcrGv/mHulVaO4BAgMBAAEwDQYJKoZIhvcNAQELBQADggEBAEvx
aVPwiWaf+hWIlvXid08zcveO5sPpJdaYuDVt4IEjeFU90sIuveEGVNA+CPIkdHyl
RdMqxy/6/aLoa8KYNWvZ97irBJ4UR/P1TrGeJQ3exsQ2V86JzpHCpPMHM9k/n6xJ
0i2IebF1x1iXKS487e+DVR8Q3QQI+vVygLbWC0fl9NOTa4a/Mqjw19nR8rCrLkec
5cfWB1qbnpSszIjXbXHIWllWILFLl5ilsci6otgReLlMHfJ97O5Jm9CiEcxV8XKW
SbPbLcyCm/RtbUnQeBY3RdyAUhhALxwY5zFNIJFlIeFfQib3AggUZgo5k83LyjuE
xCQ5tYoNEyPdueEauHs=
-----END CERTIFICATE-----
---
Server certificate
subject=/C=US/ST=NY/L=Armonk/O=IBM Corporation/CN=IBM API Connect
issuer=/C=US/ST=NY/L=Armonk/O=IBM Corporation/CN=IBM API Connect
---
No client certificate CA names sent
Peer signing digest: SHA512
Server Temp Key: DH, 2048 bits
---
SSL handshake has read 1779 bytes and written 499 bytes
---
New, TLSv1/SSLv3, Cipher is DHE-RSA-AES256-GCM-SHA384
Server public key is 2048 bit
Secure Renegotiation IS supported
Compression: NONE
Expansion: NONE
No ALPN negotiated
SSL-Session:
Protocol : TLSv1.2
Cipher : DHE-RSA-AES256-GCM-SHA384
Session-ID: 4307F16B63BD31DEEE321305A91141BC382F0BB520355465F0BFCF289FFF0BE5
Session-ID-ctx:
Master-Key: C19B00629C741DABD285EB6D1E792C41768B7EF5660CCD32889E5F739C4FE1EA 15F002F5B224AEB345DB4E35019EBC90
Key-Arg : None
SRP username: None
Start Time: 1548829286
Timeout : 300 (sec)
Verify return code: 18 (self signed certificate)
---
closed
Thanks
Susant Kumar Palai
------------------------------
Susant Kumar Palai
Original Message:
Sent: 01-29-2019 04:00 PM
From: Devin Richards
Subject: Getting Error : unable to find valid certification path to requested target
Sorry my comments were based on the K8s deployment not OVA, however the concepts should be there, just not sure of the names. :-)
The apicup certs set command would be used be before you run the apicup subsys install commands, which creates the ISO you use in the OVA deployments. Then your internal CA certs would be placed into the ISO and loaded when the OVA boots. (This assumes that your Java clients already trust your internal CA certs.)
Or if you want you can leave the default certs for all of the "internal" APIC endpoints but when registring the Gateway Service you can add your own custom TLS Profile and make it the default.
https://www.ibm.com/support/knowledgecenter/SSMNED_2018/com.ibm.apic.cmc.doc/ssl.html
and
https://www.ibm.com/support/knowledgecenter/SSMNED_2018/com.ibm.apic.cmc.doc/config_gateway.html
Again this assumes that your clients trust your internal CA.
If you don't want to go with the option of disabling all TLS validation in the client, then another option for getting the default cert from DataPower would be to just pull the cert from the gateway with:
openssl s_client -connect api-gw-server-name:443 -showcerts
This will show you the certs used by APIC, and then you could use that output to add to your Java keystore/truststore.
------------------------------
Devin
IBM Champion - Cloud 2019
Original Message:
Sent: 01-29-2019 03:39 PM
From: Susant Kumar Palai
Subject: Getting Error : unable to find valid certification path to requested target
Thanks Devin for quick response
When you say
"If you have an internal Certificate Authority (CA) then the easiest way would be for you to use a Subject Alternative Name (SAN) SSL/TLS certificate from your CA and then use the apicup certs set commands to have them deployed to APIC"
Do you mean that I should run this command "apicup certs set" while creating an ISO image for the installation?
Also in this case do i need to provide the certificates to the clients to consume the service ?
Regarding
"If that is not an option and you are just testing out APIC you could have your Java developers add the APIC root.ca certificate to their CLASSPATH and have them use it as in their keystore/truststore when connecting to APIC. That cert is Base64 encoded in the apiconnect-common-secrets.yml generated file."
When you say "apiconnect-common-secrets.yml" are you referring to common-secrets.yml file for API Manager ? which gets created during ISO file creation ?
Regards
Susant
------------------------------
Susant Kumar Palai
Original Message:
Sent: 01-29-2019 03:12 PM
From: Devin Richards
Subject: Getting Error : unable to find valid certification path to requested target
You can resolve this one of two ways:
1. Use trusted certs in APIC
2. Update the client to trust the default certs
If you have an internal Certificate Authority (CA) then the easiest way would be for you to use a Subject Alternative Name (SAN) SSL/TLS certificate from your CA and then use the apicup certs set commands to have them deployed to APIC
If that is not an option and you are just testing out APIC you could have your Java developers add the APIC root.ca certificate to their CLASSPATH and have them use it as in their keystore/truststore when connecting to APIC. That cert is Base64 encoded in the apiconnect-common-secrets.yml generated file.
Another option would be to reduce the security of the Java clients to trust all certificates (not recommend in production for obvious reasons.) See this SO article
https://stackoverflow.com/questions/2893819/accept-servers-self-signed-ssl-certificate-in-java-client
HTH
------------------------------
Devin
IBM Champion - Cloud 2019
Original Message:
Sent: 01-29-2019 02:48 PM
From: Susant Kumar Palai
Subject: Getting Error : unable to find valid certification path to requested target
Hi Devin,
I am using the default certs that APIC generated.
In my gateway I am using Default TLS certificate , which is the one generated by the Gateway.
"In similar situations we just had to add our internal CA's public key to our `CLASSPATH` so that it was perceived as trusted" -> Did not understand this , please assist. Do mean the windows class path ? How can I add it to my API Connect servers ? Or I am thinking in the wrong direction . Kindly correct me.
------------------------------
Susant Kumar Palai
Original Message:
Sent: 01-28-2019 09:51 AM
From: Devin Richards
Subject: Getting Error : unable to find valid certification path to requested target
This could be an indicator the the client does not "trust" the SSL cert that APIC is presenting.
Did you generate and use internally signed certs from your own CA?
Did you use the default certs that APIC generated?
Are you using a proxy that might terminate the SSL connection between the client and APIC?
In similar situations we just had to add our internal CA's public key to our `CLASSPATH` so that it was perceived as trusted.
------------------------------
Devin
IBM Champion - Cloud 2019
Original Message:
Sent: 01-27-2019 11:51 AM
From: Susant Kumar Palai
Subject: Getting Error : unable to find valid certification path to requested target
Hi all,
I have created a plain proxy service in API Connect v2018 and my client is trying to consume it service through ecllipse client but he is getting an error saying
javax.net.ssl.SSLHandshakeException: sun.security.validator.ValidatorException: PKIX path building failed: sun.security.provider.certpath.SunCertPathBuilderException: unable to find valid certification path to requested target
at sun.security.ssl.Alerts.getSSLException(Unknown Source)
at sun.security.ssl.SSLSocketImpl.fatal(Unknown Source)
at sun.security.ssl.Handshaker.fatalSE(Unknown Source)
at sun.security.ssl.Handshaker.fatalSE(Unknown Source)
at sun.security.ssl.ClientHandshaker.serverCertificate(Unknown Source)
at sun.security.ssl.ClientHandshaker.processMessage(Unknown Source)
at sun.security.ssl.Handshaker.processLoop(Unknown Source)
at sun.security.ssl.Handshaker.process_record(Unknown Source)
at sun.security.ssl.SSLSocketImpl.readRecord(Unknown Source)
at sun.security.ssl.SSLSocketImpl.performInitialHandshake(Unknown Source)
at sun.security.ssl.SSLSocketImpl.startHandshake(Unknown Source)
at sun.security.ssl.SSLSocketImpl.startHandshake(Unknown Source)
Can someone please suggest how to get this fixed. I am new to API Management
Note: While installation I have configured the gateways with default TLS server profile , I guess which means my clients does not require any certificates to access my API.
Regards
Susant
------------------------------
Susant Kumar Palai
------------------------------