Title

Unable to See Scan Server / SSLHandshakeException: PKIX path building failed

This article provides instructions for resolving the HTTP invoker remote service SSLHandshakeException when connecting the core server to the scan server over HTTPS.

Symptoms

Could not access HTTP invoker remote service. Nested exception is:

javax.net.ssl.SSLHandshakeException: sun.security.validator.ValidatorException: PKIX path building failed: sun.security.provider.certpath.SunCertPathBuilderException: unable to find valid certification path to requested target

Caused by:

NOTE: In versions of Palamida EE > 6.6.2, the core server communicates with the scan server over http or https protocol instead of RMI. If the scan server is set up to communicate over https, or if this is a standalone server, then it will be necessary to import the certificate being served by Tomcat from the scan server to be imported into the JDK of the core server to be trusted.

Cause

The core server does not trust the SSL certificate presented by the scan server because it is not in the JDK truststore.

Resolution

On the Scan Server

Read the file tomcat/conf/server.xml to make note of the alias of the certificate served by the keystore on that server:
```
keystoreFile="codeinsight.jks"
keyAlias="codeinsight"
keypass="<your keystore/key password>"
```
Export the certificate from the keystore into a .crt file which can be used to import into another keystore:
```
$JAVA_HOME/bin/keytool -export -file codeinsight.crt -alias codeinsight -keystore codeinsight.jks
```
Copy this ,.crt file to the core server to a known location like /tmp.

On the Core Server

As a user with root privileges, navigate to the path defined as $JAVA_HOME and copy the palamida.crt file from the scan server to the jre/lib/security location. For example, if $JAVA_HOME is /usr/bin/java/jdk1.8.0_411:
```
cd /usr/bin/java/jdk1.8.0_411/jre/lib/security
cp /tmp/codeinsight.crt 
cp cacerts cacerts.original
../../bin/keytool -import -file codeinsight.crt -keystore cacerts -storepass changeit -alias codeinsight
```
Type yes when prompted to trust the certificate.
After making these changes, change to the user running the Code Insight process and restart the Code Insight core server.
```
su - codeinsight
cd $CODEINSIGHT_HOME/tomcat/bin
./shutdown.sh
./startup.sh
```

Was this helpful?

Support Hub

Product

Code Insight

Visibility

Guest

URL Name

unable-to-see-scan-server-sslhandshakeexception-pkix-path-building-failed

Are you sure you want to cancel the case creation?

Case closed successfully

Action performed successfully

Upload Attachment

Maximum file size allowed is 3 MB.

File type not supported.

Supported file types:

Documents (.txt, .doc, .docx, .pdf), Images (.jpg, .png), Comma Separated Files (.csv) Speadsheets (.xlsx, .xls)

Are you sure you want to close this case

Get Hotline support

Products	Region	Phone Numbers
FlexNet Operations FlexNet Embedded FlexNet Publisher FlexNet Connect FlexNet Code Insight InstallAnywhere InstallShield	North America *	+1 630-332-2513 (toll) +1 877-279-2853 (toll-free in North America)
	Europe *	+44 1925 944367 (toll) +44 800 047 8642 (toll-free in Europe)
	Japan *	+81 3-4540-5335 (select option 2)
	Australia *	+61 3 9895 2177 +61 1800 560 603 (toll-free in Australia)
Usage Intelligence (formerly Revulytics) Compliance Intelligence	Please use the Case Portal to submit your support ticket or reach out to your Revenera contact.

Symptoms

Cause

Resolution

On the Scan Server

On the Core Server

Related Articles

Please wait...

Case id: 00001065