Support Article

Upon quick search, certificate Chaining Error is getting thrown

SA-37285

Summary



The user is unable to search the work object from the search bar.


Error Messages



Error on the UI:

** Singleton: Set Initialization/UniqueActivityTerminateExceptions for unique exceptions

Log entries:

2017-02-24 08:52:40,093 [ WebContainer : 10] [OpenPortal] [your_app:01.01.01] (ility.CPM_Search_Result.Action) ERROR _yourHost|_yourIP _yourUser - Search failed due to problems connecting to the search SOAP service. Please review the Data-Admin-System-Setting for 'SearchSoapURI' to ensure a valid endpoint URL, or try again after some time.

Upon enabling logger in InvokeAxis2, found the following entries:

2017-03-22 14:55:58,386 [ WebContainer : 1] [OpenPortal] [DMBNAAD_BAU:01.01.01] (Axis2.Rule_Connect_SOAP.Action) ERROR _yourHost|_yourIP _yourUser|Rule-Connect-SOAP.Data-Find-Search.pzConnectLuceneSearch majuma3 - Invoke Axis 2: Meesage com.jsse2.util.j: PKIX path building failed: java.security.cert.CertPathBuilderException: PKIXCertPathBuilderImpl could not build a valid CertPath.; internal cause is:
java.security.cert.CertPathValidatorException: The certificate issued by CN=_yourUser, OU=Root Certificate, OU=your01_cell, OU=your01_dmgr, O=_yourCompany, C=US is not trusted; internal cause is:
java.security.cert.CertPathValidatorException: Certificate chaining error


Steps to Reproduce

  1. Search any work object in the search text box.
  2. Expected result: Work object is displayed
  3. Actual result: 'No matching data is found'


Root Cause



A defect or configuration issue in the operating environment:

Based on the error it looks like two nodes are not able to communicate as it is on HTTPS.
In the past, as per SA article SA-107, a similar issue was resolved by giving Pega the necessary trust keystore inside pzConnectLuceneSearchWorkConnect-SOAP rule. Since this Rule is final, a hotfix is required to make this rule available so that it can be modified to suit user's SSL handshake requirements.

Resolution

  1. Install the HFIX-9559.
  2. Restart the server
  3. Install the HFIX-9627.
  4. Restart the server
  5. Test the changes

Changes in the HFIX-9627 are:

pyConnectLuceneSearchWorkgets added as available which internally replaces the final pzConnectLuceneSearchWorkrule.

After the hotfixes are install, under the advance tab of pyConnectLuceneSearchWork rule, add the security profile in order to make the keystore / certificates available for the handshake.

Published April 28, 2017 - Updated May 5, 2017


100% found this useful

Have a question? Get answers now.

Visit the Collaboration Center to ask questions, engage in discussions, share ideas, and help others.