Environment
Identity Manager 4.7.x
Situation
Couldn't send email: javax.net.ssl.SSLHandshakeException: sun.security.validator.ValidatorException: PKIX path building failed: sun.security.provider.certpath.SunCertPathBuilderException: unable to find valid certification path to requested target
Resolution
- Export the root certificate from your mail server to a file.
- Move the certificate to any directory on the server, e.g. /tmp/.
- Navigate to /opt/netiq/common/jre/bin/
- Run the following command: ./keytool -importcert -v -file <path_to_mail_server_root_certificate> -keystore /opt/netiq/common/jre/lib/security/cacerts -alias "<alias_you_wish_to_give_this_certificate>"
- Example: ./keytool -importcert -v -file /tmp/rootcert.der -keystore /opt/netiq/common/jre/lib/security/cacerts -alias "mailrootcertificate"
- Enter the password of the keystore.
- When prompted to trust the certificate, say yes.
- The certificate is now in the keystore.
- You will need to restart the server on which you made this change.
The steps on Windows servers can be carried out in several ways: the keytool command works in a cmd prompt with slightly different syntax, or you can use a third-party application called Portecle. Here are some examples of how you can get it done on Windows.
Note: Every server on which you run IDM drivers set up for email notifications needs the above steps completed.
Cause
Changes were made in IDM 4.7 so that STARTTLS (which is configured on the mail server) requires the mail server's certificate to be trusted by the JRE on the IDM server in order to function properly. If you do not need STARTTLS, then as an alternative to the above steps you can simply disable that feature on the mail server.
Additional Information
You can inspect the certificate chain the mail server presents during the STARTTLS handshake with openssl, for example:
openssl s_client -connect smtp.gmail.com:587 -starttls smtp
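The following script is an added example and is not part of the original article or of the Identity Manager product. It automates the Resolution steps together with the openssl check above: it fetches the chain the mail server sends during STARTTLS, keeps the last certificate in that chain, imports it into the IDM JRE truststore with keytool, and lists the alias afterwards so you can confirm the import. The mail host placeholder, the default JRE cacerts password "changeit", the "run" argument guard and the two-certificate sample chain are assumptions and constructed values, not taken from the article.

```shell
#!/bin/sh
# Added example (not from the KB article): pull the chain the mail server
# presents during STARTTLS, keep the last certificate the server sent, import
# it into the IDM JRE truststore with keytool, and confirm it is there.
# Assumptions not stated in the article: the MAIL_HOST placeholder, the
# default JRE cacerts password "changeit", and the "run" argument guard.
set -eu

MAIL_HOST="${MAIL_HOST:-smtp.example.com}"   # placeholder: your mail server
MAIL_PORT="${MAIL_PORT:-587}"
JRE_HOME="/opt/netiq/common/jre"             # JRE path from the article
CACERTS="$JRE_HOME/lib/security/cacerts"
ALIAS="${ALIAS:-mailrootcertificate}"         # alias from the article's example
STOREPASS="${STOREPASS:-changeit}"            # JRE default; set if yours differs

# Print the number of PEM certificate blocks read from stdin.
count_pem_certs() {
    awk '/-----END CERTIFICATE-----/ { n++ } END { print n + 0 }'
}

# Print only the last PEM certificate block read from stdin. With
# "openssl s_client -showcerts" the server usually sends leaf + intermediates
# and rarely the root itself, so this is the highest issuer the server sent.
last_pem_cert() {
    awk '
        /-----BEGIN CERTIFICATE-----/ { buf = ""; inside = 1 }
        inside                        { buf = buf $0 "\n" }
        /-----END CERTIFICATE-----/   { inside = 0; last = buf }
        END                           { printf "%s", last }
    '
}

# The STARTTLS handshake from the article's openssl command, with -showcerts
# so the whole chain is printed; stdin is closed so the session ends at once.
fetch_chain() {
    openssl s_client -connect "$MAIL_HOST:$MAIL_PORT" -starttls smtp -showcerts \
        </dev/null 2>/dev/null
}

# The keytool import from the article, non-interactively (-noprompt answers "yes").
import_cert() {  # $1 = PEM file
    "$JRE_HOME/bin/keytool" -importcert -v -noprompt -file "$1" \
        -keystore "$CACERTS" -alias "$ALIAS" -storepass "$STOREPASS"
}

# The check to run afterwards: the alias must now be listed in cacerts.
verify_import() {
    "$JRE_HOME/bin/keytool" -list -keystore "$CACERTS" -alias "$ALIAS" \
        -storepass "$STOREPASS"
}

# Constructed two-certificate chain used to exercise the parsing helpers
# offline; the bodies are placeholders, not real certificates.
SAMPLE_CHAIN='-----BEGIN CERTIFICATE-----
LEAF-PLACEHOLDER
-----END CERTIFICATE-----
-----BEGIN CERTIFICATE-----
ISSUER-PLACEHOLDER
-----END CERTIFICATE-----'

# Returns 0 when the helpers pick the issuer block (and only it) from the sample.
selfcheck() {
    [ "$(printf '%s\n' "$SAMPLE_CHAIN" | count_pem_certs)" = "2" ] || return 1
    out=$(printf '%s\n' "$SAMPLE_CHAIN" | last_pem_cert)
    printf '%s\n' "$out" | grep -q 'ISSUER-PLACEHOLDER' || return 1
    ! printf '%s\n' "$out" | grep -q 'LEAF-PLACEHOLDER'
}

main() {
    chain=$(fetch_chain)
    n=$(printf '%s\n' "$chain" | count_pem_certs)
    [ "$n" -gt 0 ] || { echo "no certificates received from $MAIL_HOST:$MAIL_PORT" >&2; exit 1; }
    tmp=$(mktemp)
    printf '%s\n' "$chain" | last_pem_cert > "$tmp"
    # If subject and issuer differ, the server did not send its root: obtain
    # the root from the CA and import that instead, as the article's first step says.
    openssl x509 -in "$tmp" -noout -subject -issuer
    import_cert "$tmp"
    verify_import
    rm -f "$tmp"
    echo "restart the IDM server so the JRE picks up the new truststore entry"
}

# Only touch the network and the keystore when explicitly asked.
if [ "${1:-}" = "run" ]; then
    main
fi
```

Run it as `sh import-mail-cert.sh run` on the IDM server after setting MAIL_HOST (and STOREPASS if the cacerts password was changed from the JRE default); without the `run` argument it only defines the functions, so `selfcheck` can be exercised against the constructed sample chain. Because keytool writes into the JRE's cacerts, keep a backup of that file before importing, and remember that the same import is needed on every server that runs IDM drivers with email notifications.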