Action Start Workflow fails with error Code(-9194)

  • 7008878
  • 21-Jun-2011
  • 26-Apr-2012


Novell Identity Manager 3.6.1
Novell Roles Based Provisioning Module 3.7


Trying to start a workflow from an IDM driver fails with error code -9194. Complete error stack:

DirXML Log Event -------------------
     Driver:   \NTSLAB078-TREE\NTS\Services\DriverSet\DupIssue
     Channel:  Subscriber
     Status:   Error
     Message:  Code(-9194) Error in : Couldn't start workflow 'cn=LabUserAccountEntitlement,cn=RequestDefs,cn=AppConfig,cn=UserApplication,cn=DriverSet,ou=services,o=nts' for recipient 'CN=testuser001,ou=users,o=nts': java.lang.RuntimeException: PKIX path building failed: unable to find valid certification path to requested target


Key issue here is pointed by the error "unable to find valid certification path to requested target". This indicates that RBPM is running with an URL like (using SSL over HTTP) and that the Java Virtual Machine used by IDM does not have the trusted root certificate necessary to accept the server's certificate.

First step to solve this issue is to export the trusted root certificate from the Certificate Authority that signed the server's SSL certificate. Next we need to import the certificate into IDM's JVM keystore. To perform the import we can use the Java tool 'keytool'. On the example commands below replace the text "/path_to_certificate/trusted_root_certificate_file" by the actual filesystem path and name of the .pem or .b64 file with the trusted root certificate.

On x32 bits Linux the command would be:
/opt/novell/eDirectory/lib/nds-modules/jre/bin/keytool -importcert -file /path_to_certificate/trusted_root_certificate_file -keystore /opt/novell/eDirectory/lib/nds-modules/jre/lib/security/cacerts -storepass changeit

On x64 bits Linux the command would be:
/opt/novell/eDirectory/lib64/nds-modules/jre/bin/keytool -importcert -file /path_to_certificate/trusted_root_certificate_file -keystore /opt/novell/eDirectory/lib64/nds-modules/jre/lib/security/cacerts -storepass changeit

On Windows 2008/2008R2 the command would be:
C:\Novell\NDS\jre\bin\keytool.exe -importcert -file C:\path_to_certificate\trusted_root_certificate_file -keystore C:\Novell\NDS\jre\lib\security\cacerts -storepass changeit

Of course if eDirectory is not in the default locations, the paths above need to be adjusted according to the eDirectory's location.

After importing the certificate in the correct keystore, eDirectory needs to be restarted for the change to have effect.