Emails No Longer being sent by IDM Drivers - STARTTLS

  • 7024246
  • 07-Nov-2019
  • 14-May-2020

Environment

Identity Manager 4.7.x

Situation

If STARTTLS is enabled on your mail relay server (e.g. an Exchange relay server), then after upgrading to Identity Manager 4.7.x or later from an earlier version of Identity Manager, emails are no longer sent by the drivers and a certificate error appears in the logs:
 
Couldn't send email: javax.net.ssl.SSLHandshakeException: sun.security.validator.ValidatorException: PKIX path building failed: sun.security.provider.certpath.SunCertPathBuilderException: unable to find valid certification path to requested target

Resolution

You need to export the root certificate of the mail relay server (e.g. the AD root certificate) and import it into the cacerts keystore used by eDirectory and IDM.
 
When retrieving the certificate from the relay server, make sure it is exported in DER format (.der).
 
To add this certificate to the cacerts keystore on the IDM server, you can do the following on Linux servers:
  1. Export the root certificate from your mail server to a file.
  2. Move the certificate to any directory on the server, e.g. /tmp/.
  3. Navigate to /opt/netiq/common/jre/bin/
  4. Run the following command: ./keytool -importcert -v -file <path_to_mail_server_root_certificate> -keystore /opt/netiq/common/jre/lib/security/cacerts -alias "<alias_you_wish_to_give_this_certificate>"
    • Example: ./keytool -importcert -v -file /tmp/rootcert.der -keystore /opt/netiq/common/jre/lib/security/cacerts -alias "mailrootcertificate"
  5. Enter the password of the keystore.
  6. When prompted to trust the certificate, say yes.
  7. The certificate is now in the keystore.
  8. Restart the server on which you made this change.

Steps on Windows servers can be implemented in multiple ways. The keytool command will work in a cmd prompt with slightly different syntax, or you can use a third-party application called Portecle. Here are some examples of how you can get it done on Windows.

Note: The above steps must be completed on every server running IDM drivers that are set up for email notifications.

Cause

Changes were made in IDM 4.7 so that, when STARTTLS is configured on the mail server, the IDM server must trust the mail server's certificate in order for mail sending to function properly. If you are not concerned with having STARTTLS functional, then as an alternative to the above steps you can simply disable that feature on the mail server.

Additional Information

The following command can be used to get the certificate the mail server is using. You can then check whether that certificate is in the cacerts file or not.

Replace the server and port to match the customer's mail server.

openssl s_client -connect smtp.gmail.com:587 -starttls smtp
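As an added example (not from this article or from Micro Focus), the following POSIX shell functions tie the steps above together: capture the chain the relay presents over STARTTLS using the openssl command above plus -showcerts, check by SHA-256 fingerprint whether a certificate is already in the IDM cacerts, and run the same keytool -importcert only when it is missing. The paths are the article's Linux paths; the hostname, alias and keystore password in the usage comment are assumptions.

```shell
#!/bin/sh
# Paths as given in the article for a Linux IDM server; adjust if yours differ.
JRE_BIN=/opt/netiq/common/jre/bin
CACERTS=/opt/netiq/common/jre/lib/security/cacerts

# split_chain: read `openssl s_client -showcerts` output on stdin, write each
# PEM certificate of the presented chain to OUTDIR/chain-N.pem, print the count.
split_chain() {
  outdir=$1
  mkdir -p "$outdir"
  awk -v dir="$outdir" '
    /-----BEGIN CERTIFICATE-----/ { n++; f = dir "/chain-" n ".pem" }
    f != "" { print > f }
    /-----END CERTIFICATE-----/ { close(f); f = "" }
    END { print n + 0 }'
}

# fetch_chain: the article's STARTTLS probe plus -showcerts, so the whole chain
# the relay presents is captured. The last file is the certificate nearest the
# root; mail relays often do not send the root itself, so its "issuer" names
# the root you need to export from the CA and import.
fetch_chain() {
  host=$1; port=$2; outdir=$3
  openssl s_client -connect "$host:$port" -starttls smtp -showcerts </dev/null 2>/dev/null |
    split_chain "$outdir"
}

# in_cacerts: succeed if a certificate with the same SHA-256 fingerprint is
# already in the IDM cacerts (this is the "is it in cacerts?" check).
in_cacerts() {
  pem=$1; storepass=$2
  fp=$(openssl x509 -in "$pem" -noout -fingerprint -sha256 | cut -d= -f2)
  "$JRE_BIN/keytool" -list -v -keystore "$CACERTS" -storepass "$storepass" 2>/dev/null |
    grep -q "SHA256: $fp"
}

# import_if_missing: convert to DER as the article asks, then run the same
# keytool -importcert; keytool still prompts "Trust this certificate?" so the
# fingerprint can be compared with the CA's published value before answering yes.
import_if_missing() {
  pem=$1; alias=$2; storepass=$3
  if in_cacerts "$pem" "$storepass"; then echo "already trusted: $pem"; return 0; fi
  openssl x509 -in "$pem" -outform DER -out "${pem%.pem}.der"
  "$JRE_BIN/keytool" -importcert -v -file "${pem%.pem}.der" -keystore "$CACERTS" \
    -storepass "$storepass" -alias "$alias"
}

# Usage (placeholder host; "changeit" is the JRE default cacerts password):
#   n=$(fetch_chain smtp.example.com 587 /tmp/chain)
#   import_if_missing "/tmp/chain/chain-$n.pem" mailrootcertificate changeit
```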

Some additional details can be found here, from the Micro Focus forums.