We are having an application that connects to the LDAP through JNDI ssl/non-ssl. When it tries to connect through SSL it throws the following exception in Windows (uses sun JRE)
Root exception is javax.net.ssl.SSLHandshakeException: sun.security.validator.ValidatorException: PKIX path building failed: sun.security.provider.certpath.SunCertPathBuilderException: unable to find valid certification path to requested target.
For this exception, I have tried quite a bit of things from internet. Most of them say that I have to install the rootCA certificate. Nothing helped.
The value of the trust store is assigned at the run-time (in the JNDI code) using the api
In AIX (using IBM JRE), the same code throws the following exception.
Root exception is javax.net.ssl.SSLHandshakeException: com.ibm.jsse2.util.h: PKIX path building failed: java.security.cert.CertPathBuilderException: PKIXCertPathBuilderImpl could not build a valid CertPath.; internal cause is:java.security.cert.CertPathValidatorException: The certificate issued by <DN of the CA> is not trusted; internal cause is: java.security.cert.CertPathValidatorException: Certificate chaining error
Our application has a application server, webserver and a database. To isolate the problem, I wrote a standalone JNDI program. It connects to the same LDAP with same set of certs from the same machine (both Windows and AIX) through SSL.
Finally I found out 2 ways to make the application work.
1. When I import the certificates in to jssecacerts iniside the jre\lib\security I am able to connect through SSL. The trust store path is not necessary here.
2. When I give the path of the trust store along with the Java VM options in my appserver configuration file and reboot, it works. I think it is similar to giving the keystore path in the command line, i.e.,
c:\> java -Djavax.net.ssl.trustStore=c:\\certificates\\mystore
From this I would say the certificates are not the problem. My app is not able to get the trust store path when I set the path at runtime or the value of the path gets overwritten at some point.
Unfortunately I can resort to any of the above 2 solutions. Have anyone come across these kind of problems? Any help would be appreciated.