Starting JBoss on Windows 2008R2 causes error BuilderException: unable to find valid certification path to requested target

  • 7007870
  • 10-Feb-2011
  • 27-Apr-2012

Environment

Novell Identity Manager 3.6.1
Novell RBPM 4.0
Windows 2008 R2

Situation

A component install of IDM4 RBPM was completed on Windows 2008 R2 using JBoss/PostgreSQL and the User Application. The install was performed by the Windows 2008 administrator with Full Control of the file system (the default setting). The User Application install completed without an error.

When JBoss is started with 'start-jboss.bat', the server log shows the following error:

[STDOUT] FATAL [RBPM] [com.sssw.fw.directory.api.EboDirectory
Factory:<clinit>] An unexpected exception occurred in the directory layer.
com.sssw.fw.exception.EboUnrecoverableSystemException: An unexpected exception o
ccurred in the directory layer.
        at com.sssw.fw.directory.realm.impl.jndildap.EboLdapDirectoryConnection.
createBaseContext(EboLdapDirectoryConnection.java:309)
        at com.sssw.fw.directory.realm.impl.jndildap.EboLdapDirectoryConnection.
authenticate(EboLdapDirectoryConnection.java:167)
        at com.sssw.fw.directory.realm.impl.jndildap.EboLdapDirectoryConnectionM
anager.createConnectionArray(EboLdapDirectoryConnectionManager.java:324)
        at com.sssw.fw.directory.realm.impl.jndildap.EboLdapDirectoryConnectionM
anager.<init>(EboLdapDirectoryConnectionManager.java:100)
        at com.sssw.fw.directory.realm.impl.jndildap.EboJndiLdapDirectoryFactory
.createConnectionMgrInstance(EboJndiLdapDirectoryFactory.java:119)
        at com.sssw.fw.directory.api.EboDirectoryFactory$ConnMgrHolder.<clinit>(
EboDirectoryFactory.java:75)
        at com.sssw.fw.directory.api.EboDirectoryFactory.getConnMgr(EboDirectory
Factory.java:108)
        at com.sssw.fw.core.SystemConfig$1.run(SystemConfig.java:141)
        at com.sssw.fw.core.SystemConfig$1.run(SystemConfig.java:138)
        at java.security.AccessController.doPrivileged(Native Method)
        at com.sssw.fw.core.SystemConfig.loadReadWriteSettings(SystemConfig.java
:138)
        at com.sssw.fw.core.SystemConfigBase.<init>(SystemConfigBase.java:218)
        at com.sssw.fw.core.SystemConfig.<init>(SystemConfig.java:122)
        at com.sssw.fw.core.SystemConfig.<init>(SystemConfig.java:51)
        at com.sssw.fw.core.SystemConfig$SingletonHolder.<clinit>(SystemConfig.j
ava:83)
        at com.sssw.fw.core.SystemConfig.getInstance(SystemConfig.java:104)
        at com.sssw.fw.servlet.InitListener.contextInitialized(InitListener.java
:108)
        at org.apache.catalina.core.StandardContext.listenerStart(StandardContex
t.java:3910)
        at org.apache.catalina.core.StandardContext.start(StandardContext.java:4
393)
        at org.jboss.web.tomcat.service.deployers.TomcatDeployment.performDeploy
Internal(TomcatDeployment.java:310)
        at org.jboss.web.tomcat.service.deployers.TomcatDeployment.performDeploy
(TomcatDeployment.java:142)
        at org.jboss.web.deployers.AbstractWarDeployment.start(AbstractWarDeploy
ment.java:461)
        at org.jboss.web.deployers.WebModule.startModule(WebModule.java:118)
        at org.jboss.web.deployers.WebModule.start(WebModule.java:97)
        at sun.reflect.NativeMethodAccessorImpl.invoke0(Native Method)
        at sun.reflect.NativeMethodAccessorImpl.invoke(NativeMethodAccessorImpl.
java:39)
        at sun.reflect.DelegatingMethodAccessorImpl.invoke(DelegatingMethodAcces
sorImpl.java:25)
        at java.lang.reflect.Method.invoke(Method.java:597)
        at org.jboss.mx.interceptor.ReflectedDispatcher.invoke(ReflectedDispatch
er.java:157)
        at org.jboss.mx.server.Invocation.dispatch(Invocation.java:96)
        at org.jboss.mx.server.Invocation.invoke(Invocation.java:88)
        at org.jboss.mx.server.AbstractMBeanInvoker.invoke(AbstractMBeanInvoker.
java:264)
        at org.jboss.mx.server.MBeanServerImpl.invoke(MBeanServerImpl.java:668)
        at org.jboss.system.microcontainer.ServiceProxy.invoke(ServiceProxy.java
:206)
        at $Proxy38.start(Unknown Source)
        at org.jboss.system.microcontainer.StartStopLifecycleAction.installActio
n(StartStopLifecycleAction.java:42)
        at org.jboss.system.microcontainer.StartStopLifecycleAction.installActio
n(StartStopLifecycleAction.java:37)
        at org.jboss.dependency.plugins.action.SimpleControllerContextAction.sim
pleInstallAction(SimpleControllerContextAction.java:62)
        at org.jboss.dependency.plugins.action.AccessControllerContextAction.ins
tall(AccessControllerContextAction.java:71)
        at org.jboss.dependency.plugins.AbstractControllerContextActions.install
(AbstractControllerContextActions.java:51)
        at org.jboss.dependency.plugins.AbstractControllerContext.install(Abstra
ctControllerContext.java:348)
        at org.jboss.system.microcontainer.ServiceControllerContext.install(Serv
iceControllerContext.java:286)
        at org.jboss.dependency.plugins.AbstractController.install(AbstractContr
oller.java:1631)
        at org.jboss.dependency.plugins.AbstractController.incrementState(Abstra
ctController.java:934)
        at org.jboss.dependency.plugins.AbstractController.resolveContexts(Abstr
actController.java:1082)
        at org.jboss.dependency.plugins.AbstractController.resolveContexts(Abstr
actController.java:984)
        at org.jboss.dependency.plugins.AbstractController.change(AbstractContro
ller.java:822)
        at org.jboss.dependency.plugins.AbstractController.change(AbstractContro
ller.java:553)
        at org.jboss.system.ServiceController.doChange(ServiceController.java:68
8)
        at org.jboss.system.ServiceController.start(ServiceController.java:460)
        at org.jboss.system.deployers.ServiceDeployer.start(ServiceDeployer.java
:163)
        at org.jboss.system.deployers.ServiceDeployer.deploy(ServiceDeployer.jav
a:99)
        at org.jboss.system.deployers.ServiceDeployer.deploy(ServiceDeployer.jav
a:46)
        at org.jboss.deployers.spi.deployer.helpers.AbstractSimpleRealDeployer.i
nternalDeploy(AbstractSimpleRealDeployer.java:62)
        at org.jboss.deployers.spi.deployer.helpers.AbstractRealDeployer.deploy(
AbstractRealDeployer.java:50)
        at org.jboss.deployers.plugins.deployers.DeployerWrapper.deploy(Deployer
Wrapper.java:171)
        at org.jboss.deployers.plugins.deployers.DeployersImpl.doDeploy(Deployer
sImpl.java:1439)
        at org.jboss.deployers.plugins.deployers.DeployersImpl.doInstallParentFi
rst(DeployersImpl.java:1157)
        at org.jboss.deployers.plugins.deployers.DeployersImpl.doInstallParentFi
rst(DeployersImpl.java:1178)
        at org.jboss.deployers.plugins.deployers.DeployersImpl.install(Deployers
Impl.java:1098)
        at org.jboss.dependency.plugins.AbstractControllerContext.install(Abstra
ctControllerContext.java:348)
        at org.jboss.dependency.plugins.AbstractController.install(AbstractContr
oller.java:1631)
        at org.jboss.dependency.plugins.AbstractController.incrementState(Abstra
ctController.java:934)
        at org.jboss.dependency.plugins.AbstractController.resolveContexts(Abstr
actController.java:1082)
        at org.jboss.dependency.plugins.AbstractController.resolveContexts(Abstr
actController.java:984)
        at org.jboss.dependency.plugins.AbstractController.change(AbstractContro
ller.java:822)
        at org.jboss.dependency.plugins.AbstractController.change(AbstractContro
ller.java:553)
        at org.jboss.deployers.plugins.deployers.DeployersImpl.process(Deployers
Impl.java:781)
        at org.jboss.deployers.plugins.main.MainDeployerImpl.process(MainDeploye
rImpl.java:702)
        at org.jboss.system.server.profileservice.repository.MainDeployerAdapter
.process(MainDeployerAdapter.java:117)
        at org.jboss.system.server.profileservice.repository.ProfileDeployAction
.install(ProfileDeployAction.java:70)
        at org.jboss.system.server.profileservice.repository.AbstractProfileActi
on.install(AbstractProfileAction.java:53)
        at org.jboss.system.server.profileservice.repository.AbstractProfileServ
ice.install(AbstractProfileService.java:361)
        at org.jboss.dependency.plugins.AbstractControllerContext.install(Abstra
ctControllerContext.java:348)
        at org.jboss.dependency.plugins.AbstractController.install(AbstractContr
oller.java:1631)
        at org.jboss.dependency.plugins.AbstractController.incrementState(Abstra
ctController.java:934)
        at org.jboss.dependency.plugins.AbstractController.resolveContexts(Abstr
actController.java:1082)
        at org.jboss.dependency.plugins.AbstractController.resolveContexts(Abstr
actController.java:984)
        at org.jboss.dependency.plugins.AbstractController.change(AbstractContro
ller.java:822)
        at org.jboss.dependency.plugins.AbstractController.change(AbstractContro
ller.java:553)
        at org.jboss.system.server.profileservice.repository.AbstractProfileServ
ice.activateProfile(AbstractProfileService.java:306)
        at org.jboss.system.server.profileservice.ProfileServiceBootstrap.start(
ProfileServiceBootstrap.java:271)
        at org.jboss.bootstrap.AbstractServerImpl.start(AbstractServerImpl.java:
461)
        at org.jboss.Main.boot(Main.java:221)
        at org.jboss.Main$1.run(Main.java:556)
        at java.lang.Thread.run(Thread.java:619)
Caused by: javax.naming.CommunicationException: simple bind failed: 10.10.240.24
7:636 [Root exception is javax.net.ssl.SSLHands
11:40:55,147 INFO  [STDOUT] hakeException: sun.security.validator.ValidatorExcep
tion: PKIX path building failed: sun.security.provider.certpath.SunCertPathBuild
erException: unable to find valid certification path to requested target]
        at com.sun.jndi.ldap.LdapClient.authenticate(LdapClient.java:197)
        at com.sun.jndi.ldap.LdapCtx.connect(LdapCtx.java:2694)
        at com.sun.jndi.ldap.LdapCtx.<init>(LdapCtx.java:293)
        at com.sun.jndi.ldap.LdapCtxFactory.getUsingURL(LdapCtxFactory.java:175)

        at com.sun.jndi.ldap.LdapCtxFactory.getUsingURLs(LdapCtxFactory.java:193
)
        at com.sun.jndi.ldap.LdapCtxFactory.getLdapCtxInstance(LdapCtxFactory.ja
va:136)
        at com.sun.jndi.ldap.LdapCtxFactory.getInitialContext(LdapCtxFactory.jav
a:66)
        at javax.naming.spi.NamingManager.getInitialContext(NamingManager.java:6
67)
        at javax.naming.InitialContext.getDefaultInitCtx(InitialContext.java:288
)
        at javax.naming.InitialContext.init(InitialContext.java:223)
        at javax.naming.ldap.InitialLdapContext.<init>(InitialLdapContext.java:1
34)
        at com.sssw.fw.directory.realm.impl.jndildap.EboLdapDirectoryConnection.
createBaseContext(EboLdapDirectoryConnection.java:297)
        ... 85 more
Caused by: javax.net.ssl.SSLHandshakeException: sun.security.validator.Validator
Exception: PKIX path building failed: sun.security.provider.certpath.SunCertPath
BuilderException: unable to find valid certification path to requested target
        at com.sun.net.ssl.internal.ssl.Alerts.getSSLException(Alerts.java:174)
        at com.sun.net.ssl.internal.ssl.SSLSocketImpl.fatal(SSLSocketImpl.java:1
611)
        at com.sun.net.ssl.internal.ssl.Handshaker.fatalSE(Handshaker.java:187)
        at com.sun.net.ssl.internal.ssl.Handshaker.fatalSE(Handshaker.java:181)
        at com.sun.net.ssl.internal.ssl.ClientHandshaker.serverCertificate(Clien
tHandshaker.java:1035)
        at com.sun.net.ssl.internal.ssl.ClientHandshaker.processMessage(ClientHa
ndshaker.java:124)
        at com.sun.net.ssl.internal.ssl.Handshaker.processLoop(Handshaker.java:5
16)
        at com.sun.net.ssl.internal.ssl.Handshaker.process_record(Handshaker.jav
a:454)
        at com.sun.net.ssl.internal.ssl.SSLSocketImpl.readRecord(SSLSocketImpl.j
ava:884)
        at com.sun.net.ssl.internal.ssl.SSLSocketImpl.performInitialHandshake(SS
LSocketImpl.java:1112)
        at com.sun.net.ssl.internal.ssl.SSLSocketImpl.writeRecord(SSLSocketImpl.
java:623)
        at com.sun.net.ssl.internal.ssl.AppOutputStream.write(AppOutputStream.ja
va:59)
        at java.io.BufferedOutputStream.flushBuffer(BufferedOutputStream.java:65
)
        at java.io.BufferedOutputStream.flush(BufferedOutputStream.java:123)
        at com.sun.jndi.ldap.Connection.writeRequest(Connection.java:396)
        at com.sun.jndi.ldap.LdapClient.ldapBind(LdapClient.java:334)
        at com.sun.jndi.ldap.LdapClient.authenticate(LdapClient.java:192)
        ... 96 more
Caused by: sun.security.validator.ValidatorException: PKIX path building failed:
 sun.security.provider.certpath.SunCertPathBuilderException: unable to find vali
d certification path to requested target
        at sun.security.validator.PKIXValidator.doBuild(PKIXValidator.java:294)
        at sun.security.validator.PKIXValidator.engineValidate(PKIXValidator.jav
a:200)
        at sun.security.validator.Validator.validate(Validator.java:218)
        at com.sun.net.ssl.internal.ssl.X509TrustManagerImpl.validate(X509TrustM
anagerImpl.java:126)
        at com.sun.net.ssl.internal.ssl.X509TrustManagerImpl.checkServerTrusted(
X509TrustManagerImpl.java:209)
        at com.sun.net.ssl.internal.ssl.X509TrustManagerImpl.checkServerTrusted(
X509TrustManagerImpl.java:249)
        at com.sun.net.ssl.internal.ssl.ClientHandshaker.serverCertificate(Clien
tHandshaker.java:1014)
        ... 108 more
Caused by: sun.security.provider.certpath.SunCertPathBuilderException: unable to
 find valid certification path to requested target
        at sun.security.provider.certpath.SunCertPathBuilder.engineBuild(SunCert
PathBuilder.java:174)
        at java.security.cert.CertPathBuilder.build(CertPathBuilder.java:238)
        at sun.security.validator.PKIXValidator.doBuild(PKIXValidator.java:289)
        ... 114 more

Resolution

The problem is that, although the JBoss/User Application install was performed by the Windows administrator, the administrator does not actually have Full Control of the file structure of the JBoss install, i.e. ...\novell\idm and all subfolders.

So when JBoss starts and attempts to read and write the 'cacerts' file in the keystore path, it cannot, because the administrator does not actually have Full Control of the idm subfolders and files.

To Resolve:
1. Delete the ...\novell\idm folder and all subdirectories
2. In Explorer, right-click the ...\novell folder > Properties > Security > Permissions for System > check Allow for Full Control, and check the option to allow permissions from the parent to apply to all child objects
3. Reinstall JBoss/PostgreSQL and User Application
4. Verify that the Administrator has Full Control permissions on all child folders below ...\novell
5. Start JBoss
6. JBoss will start successfully
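
The verification in step 4 and the 'cacerts' read/write access described above can be checked with a script rather than folder by folder. The following is an added example, not part of the original Novell document: the script name, the `-Root` value (a placeholder for the ...\novell folder) and the default `-Identity` are assumptions to adjust for the system being checked.

```powershell
# Added example: audit the permissions the resolution depends on.
# Usage (path is a placeholder): .\Test-IdmAcl.ps1 -Root 'C:\path\to\novell'
param(
    [Parameter(Mandatory = $true)][string]$Root,     # the ...\novell folder
    [string]$Identity = 'BUILTIN\Administrators'     # assumption: principal to check
)

$full        = [int][System.Security.AccessControl.FileSystemRights]::FullControl
$inheritOnly = [int][System.Security.AccessControl.PropagationFlags]::InheritOnly

# Everything below the root, listed once and split into folders and files.
$items   = @(Get-ChildItem -LiteralPath $Root -Recurse -Force)
$folders = @(Get-Item -LiteralPath $Root) + @($items | Where-Object { $_.PSIsContainer })

foreach ($folder in $folders) {
    $acl = Get-Acl -Path $folder.FullName
    # Look for an Allow entry naming $Identity that grants Full Control on the
    # folder itself. Inherit-only entries apply to children only, so they do not
    # count. This matches entries by name; it does not resolve group membership.
    $match = $acl.Access | Where-Object {
        $_.IdentityReference.Value -eq $Identity -and
        $_.AccessControlType -eq 'Allow' -and
        (([int]$_.FileSystemRights -band $full) -eq $full) -and
        (([int]$_.PropagationFlags -band $inheritOnly) -eq 0)
    }
    if (-not $match) { Write-Output "NO FULL CONTROL  $($folder.FullName)" }
}

# JBoss must be able to read and write 'cacerts'. Open each copy for read/write
# as the current user, without modifying it, to confirm effective access.
$stores = $items | Where-Object { -not $_.PSIsContainer -and $_.Name -eq 'cacerts' }
foreach ($store in $stores) {
    try {
        $fs = [System.IO.File]::Open($store.FullName, 'Open', 'ReadWrite', 'ReadWrite')
        $fs.Close()
        Write-Output "READ/WRITE OK    $($store.FullName)"
    } catch {
        Write-Output "ACCESS FAILED    $($store.FullName): $($_.Exception.Message)"
    }
}
```

Run it from the account that launches 'start-jboss.bat', so the read/write test reflects the access JBoss will actually have.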