Environment
Novell Teaming 2.x
Novell Vibe OnPrem
Situation
When the WebDAV server that Teaming exposes through a mirrored folder has a valid CA certificate, SSL connections work without problems. A connection failure occurs when the following two conditions are true:
- The server has only a self-signed certificate.
- The Teaming server is set up with the IBM JDK.
com.ibm.jsse2.util.g: PKIX path building failed: java.security.cert.CertPathBuilderException: PKIXCertPathBuilderImpl could not build a valid CertPath.; internal cause is: java.security.cert.CertPathValidatorException: The certificate issued by O=CARTTLAB2, OU=Organizational CA is not trusted; internal cause is: java.security.cert.CertPathValidatorException: Certificate chaining error
Note: The facility that accepts self-signed certificates works well when Teaming is running with Sun JDK, regardless of OS platform.
Resolution
Perform these steps on the Teaming server:
- View the certificate by connecting over SSL (https) using a browser.
- Export the certificate as a .der file.
- Open the IBM Certificate Management utility iKeyman located at:
  <JDK_INSTALL_DIR>/jre/bin/ikeyman
- Using the File Open icon, open the system-wide keystore (cacerts file) on your system located at:
  <JDK_INSTALL_DIR>/jre/lib/security/cacerts
  (Key Database type: JKS)
- When you are prompted for a password, use 'changeit', which is the default password the JDK is shipped with. If the default password was changed, please use that password instead.
- From the dropdown under 'Key Database Content', select 'Signer Certificates'.
- Use the 'Add' button on the right to import the new certificate saved in step 2 above, and give it an appropriate alias.
- Close the system-wide keystore, which will automatically save the changes.
- Restart your Teaming service (as per instructions for your Server OS) for the changes to take effect.
- Perform a manual sync of the Mirrored Folder to verify that the above changes have fixed the connection problem.
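The following Java program is an added example, not part of the original Novell document. Run with the same IBM JDK that runs Teaming, it prints the exported certificate's SHA-256 fingerprint, so that it can be compared with the certificate the WebDAV server administrator expects before the certificate is trusted, and reports whether that JVM's cacerts keystore contains the certificate. The class name CheckSignerCert and the KEYSTORE_PASS environment variable are assumptions made for this example.

```java
import java.io.FileInputStream;
import java.io.InputStream;
import java.security.KeyStore;
import java.security.MessageDigest;
import java.security.cert.CertificateFactory;
import java.security.cert.X509Certificate;

// Added example (hypothetical class name): java CheckSignerCert exported.der [path/to/cacerts]
public class CheckSignerCert {
    // SHA-256 fingerprint of the DER encoding, for out-of-band comparison.
    static String fingerprint(X509Certificate cert) throws Exception {
        byte[] d = MessageDigest.getInstance("SHA-256").digest(cert.getEncoded());
        StringBuilder sb = new StringBuilder();
        for (int i = 0; i < d.length; i++) {
            sb.append(i > 0 ? ":" : "").append(String.format("%02X", d[i] & 0xff));
        }
        return sb.toString();
    }

    public static void main(String[] args) throws Exception {
        if (args.length < 1) {
            System.err.println("usage: java CheckSignerCert <cert.der> [cacerts]");
            System.exit(2);
        }
        // Default: the system-wide keystore of the JVM running this program.
        String storePath = args.length > 1 ? args[1]
                : System.getProperty("java.home") + "/lib/security/cacerts";
        String envPass = System.getenv("KEYSTORE_PASS"); // assumed variable name
        char[] pass = (envPass != null ? envPass : "changeit").toCharArray();

        InputStream in = new FileInputStream(args[0]);
        X509Certificate cert;
        try {
            cert = (X509Certificate) CertificateFactory.getInstance("X.509").generateCertificate(in);
        } finally { in.close(); }

        KeyStore store = KeyStore.getInstance("JKS");
        in = new FileInputStream(storePath);
        try { store.load(in, pass); } finally { in.close(); }

        System.out.println("Subject : " + cert.getSubjectX500Principal());
        System.out.println("Issuer  : " + cert.getIssuerX500Principal());
        System.out.println("Expires : " + cert.getNotAfter());
        System.out.println("SHA-256 : " + fingerprint(cert));
        String alias = store.getCertificateAlias(cert); // null if not in the keystore
        System.out.println(alias != null ? "Present in " + storePath + " as alias '" + alias + "'"
                : "NOT present in " + storePath);
        System.exit(alias != null ? 0 : 1);
    }
}
```

An exit status of 1 after the import usually means the certificate was added to the cacerts file of a different JDK than the one this program, and Teaming, is running on.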