Skip to main content

This content is closed to future replies and is no longer being maintained or updated.
Links may no longer function. If you have a similar request, please write a new post.

Question

 Krishna Rai (KrishnaR2370)
Citigroup Inc
Technology Project Manager
Citigroup Inc
IN
KrishnaR2370 Member since 2017 9 posts
Citigroup Inc
Posted: Feb 12, 2018
Last activity: May 7, 2018
Posted: 12 Feb 2018 1:26 EST
Last activity: 7 May 2018 12:27 EDT
Closed
Solved

Certificate invalid path error

Problem Summary –

  • As part of CICD implementation using prpcserviceutils command line tool, we are not able to establish operator connectivity using secure http.

For e.g. – we have used serviceConnection.properties file with contents like below –

  • cat serviceConnection.properties

DefaultSystem1.pega.rest.server.url=https://hostname:port/prweb/PRRestService  Must to use secure http URl for UAT and PROD env

  1. The error which we receive while performing product export –
  • Using command - sh prpcServiceUtils.sh export --connPropFile serviceConnection.properties
  • With above command the build fais with error as –

[java] java.security.cert.CertPathValidatorException: The certificate issued by CN=Citi Root CA G2 UAT, O=Citigroup Inc., C=US is not trusted; internal cause is: [java] java.security.cert.CertPathValidatorException: Certificate chaining error

[java] Error Messages : REQUEST_EXECUTION_ERROR com.pega.pegarules.serviceclient.exception.PRPCServiceException: javax.net.ssl.SSLHandshakeException: sun.security.validator.ValidatorException: PKIX path building failed: sun.security.provider.certpath.SunCertPathBuilderException: unable to find valid certification path to requested target

Steps to reproduce the error –

Show More

Problem Summary –

  • As part of CICD implementation using prpcserviceutils command line tool, we are not able to establish operator connectivity using secure http.

For e.g. – we have used serviceConnection.properties file with contents like below –

  • cat serviceConnection.properties

DefaultSystem1.pega.rest.server.url=https://hostname:port/prweb/PRRestService  Must to use secure http URl for UAT and PROD env

  1. The error which we receive while performing product export –
  • Using command - sh prpcServiceUtils.sh export --connPropFile serviceConnection.properties
  • With above command the build fais with error as –

[java] java.security.cert.CertPathValidatorException: The certificate issued by CN=Citi Root CA G2 UAT, O=Citigroup Inc., C=US is not trusted; internal cause is: [java] java.security.cert.CertPathValidatorException: Certificate chaining error

[java] Error Messages : REQUEST_EXECUTION_ERROR com.pega.pegarules.serviceclient.exception.PRPCServiceException: javax.net.ssl.SSLHandshakeException: sun.security.validator.ValidatorException: PKIX path building failed: sun.security.provider.certpath.SunCertPathBuilderException: unable to find valid certification path to requested target

Steps to reproduce the error –

  • Very much possible – the CICD setup is available on DEV servers and problem can be reproduced when required

Troubleshooting steps performed so far –

  • Ordered JKS certificate and imported on server successfully. No issues here
  • Added following JVMs at WebSphere application server to establish imported JKS connectivity with Pega application and UI (https URL)
  • -Djavax.net.ssl.trustStoreType=jks -Djavax.net.ssl.keyStore=/CPR/app2app/cert/keystore.jks -Djavax.net.ssl.keyStorePassword=xxxxx -Djavax.net.ssl.trustStore=/CPR/app2app/cert/truststore.jks -Djavax.net.ssl.trustStorePassword=xxxxx
  • After updating above JVMs we have restarted the application instance on websphere server. During node startup we get following error –

Present status -

  • CICD pipeline works well with http however it is failing for certificate errors for HTTPS operator connectivity as highlighted above.

Also, the Pega SR – C10592 has been updated with details and awaiting a response.


Show Less
To see attachments, please log in.
DevOps
Support Case Exists

Posted: 6 years ago
Posted: 13 Feb 2018 0:57 EST
Sudhakar Reddy Yaparla (YSudhakarReddy)
JPMorgan Chase & Company

JPMorgan Chase & Company
US

Hi,

From the log we can see you are running from the command line, it seems you haven't imported the certificates  in {JAVA_HOME}\jre\lib\security\cacerts file which is used by the command line. Please import and try to export.

To see attachments, please log in.
Posted: 6 years ago
Updated: 6 years ago
Posted: 14 Feb 2018 4:38 EST
Updated: 14 Feb 2018 10:22 EST
Krishna Rai (KrishnaR2370)
Citigroup Inc
Technology Project Manager
Citigroup Inc
IN

Hi Sudhakar,

I completed cert impor using following commands to the jre/lib/security (at WebSphere java as well as the generic OS java) but no luck. 

/opt/java64/ Proprietary information hidden/bin/keytool -import -keystore cacerts -file hostname.cer -alias hostname

and

/opt/java64/ Proprietary information hidden/bin/keytool -import \
        -v -trustcacerts -alias hostname-fqdn -file hostname.cer -keystore cacerts -keypass cxxx -storepass cxxxxx

I have created SHA2RSA key pair using following commands -

/opt/openv/java/jre/bin/keytool -genkey \
-alias hostname-fqdn -keyalg RSA -keypass cxxxxxxx -storepass cxxxxx -keystore keystore.jks <-- this command will prompt for CN, OU , Organization name etc ..

/opt/openv/java/jre/bin/keytool -export \
-alias hostname-fqdn -storepass xxxx -file hostname.cer -keystore keystore.jks --> to generate certificate (.cer) file. 

Also, I am able to verify the certificate using keytool -list command. 

Any advise/suggestion will be highly appreciated. 

thank you for the initial response !

Regards

krishna Rai

To see attachments, please log in.

We'd prefer it if you saw us at our best.

Pega Collaboration Center has detected you are using a browser which may prevent you from experiencing the site as intended. To improve your experience, please update your browser.

Close Deprecation Notice