Support Article
Certificate chaining errors
Summary
Certificate chaining errors are received. The chaining errors cannot be reproduced in Java at the system level.
Error Messages
com.ibm.jsse2.util.j: PKIX path building failed: java.security.cert.CertPathBuilderException: PKIXCertPathBuilderImpl could not build a valid CertPath.; internal cause is: java.security.cert.CertPathValidatorException: The certificate issued by CN=Symantec Class 3 Secure Server CA - G4, OU=Symantec Trust Network, O=Symantec Corporation, C=US is not trusted; internal cause is: java.security.cert.CertPathValidatorException: Certificate chaining error
Steps to Reproduce
Configure the TLS/SSL security protocol on Connect-SOAP, then submit a request through the Connect-SOAP integration to a secure service.
Explanation
Pega does not take into account certificate or keystore configuration performed in the application server, whether WebSphere or WebLogic, because application servers use vendor-specific implementations.
Instead, it goes directly to the JVM and uses the JVM's keystore configuration. The JVM's default truststore is 'cacerts', so that is what is used for the SSL handshake by default. To specify your own keystores for Pega to use, pass the following JVM arguments:
-Djavax.net.ssl.keyStore=<Path>/client_keystore.keystore
-Djavax.net.ssl.keyStorePassword=client_keystore_pw_mypassword
-Djavax.net.ssl.trustStore=<Path>/client_truststore.keystore
-Djavax.net.ssl.trustStorePassword=client_truststore_pw_mypassword
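To confirm which CA certificates the JVM itself trusts (the store Pega uses, per the explanation above), the following added example, which is not Pega code, loads the JVM-default truststore and searches it for a CA name. The class name TrustStoreCheck is hypothetical; run it with the same JVM and the same -Djavax.net.ssl.trustStore and -Djavax.net.ssl.trustStorePassword arguments as the application server.

```java
import java.security.KeyStore;
import java.security.cert.X509Certificate;
import javax.net.ssl.TrustManager;
import javax.net.ssl.TrustManagerFactory;
import javax.net.ssl.X509TrustManager;

// Added example; TrustStoreCheck is a hypothetical name, not a Pega class.
public class TrustStoreCheck {

    // CA certificates accepted by the JVM-default trust manager.
    static X509Certificate[] defaultAcceptedIssuers() throws Exception {
        TrustManagerFactory tmf =
            TrustManagerFactory.getInstance(TrustManagerFactory.getDefaultAlgorithm());
        // A null KeyStore makes JSSE load its default truststore:
        // javax.net.ssl.trustStore if set, otherwise jssecacerts, then cacerts.
        tmf.init((KeyStore) null);
        for (TrustManager tm : tmf.getTrustManagers()) {
            if (tm instanceof X509TrustManager) {
                return ((X509TrustManager) tm).getAcceptedIssuers();
            }
        }
        return new X509Certificate[0];
    }

    public static void main(String[] args) throws Exception {
        // Default search string: issuer CN quoted in the error message above.
        String needle = (args.length > 0 ? args[0]
            : "Symantec Class 3 Secure Server CA - G4").toLowerCase();
        System.out.println("javax.net.ssl.trustStore = "
            + System.getProperty("javax.net.ssl.trustStore", "(unset: JVM default)"));

        X509Certificate[] cas = defaultAcceptedIssuers();
        int hits = 0;
        for (X509Certificate ca : cas) {
            String subject = ca.getSubjectX500Principal().getName();
            if (subject.toLowerCase().contains(needle)) {
                hits++;
                System.out.println("TRUSTED: " + subject + " (notAfter " + ca.getNotAfter() + ")");
            }
        }
        System.out.println(cas.length + " trusted CA certificates loaded, " + hits + " matching");
        if (hits == 0) {
            System.out.println("No matching CA in the truststore this JVM actually uses.");
        }
    }
}
```

Pass a different CA name as the first argument to search for another certificate in the chain.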
Published August 21, 2015 - Updated October 8, 2020