Support Article
Upon quick search, certificate Chaining Error is getting thrown
SA-37285
Summary
The user is unable to search the work object from the search bar.
Error Messages
Error on the UI:
** Singleton: Set Initialization/UniqueActivityTerminateExceptions for unique exceptions
Log entries:
2017-02-24 08:52:40,093 [ WebContainer : 10] [OpenPortal] [your_app:01.01.01] (ility.CPM_Search_Result.Action) ERROR _yourHost|_yourIP _yourUser - Search failed due to problems connecting to the search SOAP service. Please review the Data-Admin-System-Setting for 'SearchSoapURI' to ensure a valid endpoint URL, or try again after some time.
Upon enabling logger in InvokeAxis2, found the following entries:
2017-03-22 14:55:58,386 [ WebContainer : 1] [OpenPortal] [DMBNAAD_BAU:01.01.01] (Axis2.Rule_Connect_SOAP.Action) ERROR _yourHost|_yourIP _yourUser|Rule-Connect-SOAP.Data-Find-Search.pzConnectLuceneSearch majuma3 - Invoke Axis 2: Meesage com.jsse2.util.j: PKIX path building failed: java.security.cert.CertPathBuilderException: PKIXCertPathBuilderImpl could not build a valid CertPath.; internal cause is:
java.security.cert.CertPathValidatorException: The certificate issued by CN=_yourUser, OU=Root Certificate, OU=your01_cell, OU=your01_dmgr, O=_yourCompany, C=US is not trusted; internal cause is:
java.security.cert.CertPathValidatorException: Certificate chaining error
Steps to Reproduce
- Search any work object in the search text box.
- Expected result: Work object is displayed
- Actual result: 'No matching data is found'
Root Cause
A defect or configuration issue in the operating environment:
Based on the error it looks like two nodes are not able to communicate as it is on HTTPS. In the past, as per SA article SA-107, a similar issue was resolved by giving Pega the necessary trust keystore inside pzConnectLuceneSearchWork Connect-SOAP rule. Since this Rule is final, a hotfix is required to make this rule available so that it can be modified to suit user's SSL handshake requirements.
Resolution
- Install the HFIX-9559.
- Restart the server
- Install the HFIX-9627.
- Restart the server
- Test the changes
Changes in the HFIX-9627 are:
pyConnectLuceneSearchWork gets added as available which internally replaces the final pzConnectLuceneSearchWork rule.
After the hotfixes are install, under the advance tab of pyConnectLuceneSearchWork rule, add the security profile in order to make the keystore / certificates available for the handshake.
Published May 6, 2017 - Updated October 8, 2020
Have a question? Get answers now.
Visit the Collaboration Center to ask questions, engage in discussions, share ideas, and help others.