Java Agent Fails to Connect to Contrast UI: javax.net.ssl.SSLHandshakeException


Issue

The following error is seen when starting an application with the Contrast Java agent:

ERROR - Problem resolving features with com.contrastsecurity.agent.features.%
javax.net.ssl.SSLHandshakeException: sun.security.validator.ValidatorException: PKIX path building failed:

Cause

There can be many causes for this error, but generally it is a failure to recognize the root CA that signed the Contrast UI's certificate. The underlying cause is variously reported as one of the following:

Unable to find valid certification path to requested target

PKIXCertPathBuilderImpl could not build a valid CertPath

One possible reason for this is that the CA is being replaced during packet inspection by a firewall or proxy server.

Resolution

To check that this is the case, one can run a simple curl command to the Contrast UI and validate the CA:

curl -v https://app.contrastsecurity.com/Contrast/api/applications

Or explicitly via a proxy:

curl -v https://app.contrastsecurity.com/Contrast/api/applications --proxy http://proxyserver.company.com:8080

Check the "Server certificate" section in the returned output, for example:

Server certificate:
*  subject: CN=*.contrastsecurity.com
*  start date: Sep 10 00:00:00 2018 GMT
*  expire date: Oct 10 12:00:00 2019 GMT
*  subjectAltName: host "app.contrastsecurity.com" matched cert's "*.contrastsecurity.com"
*  issuer: C=US; O=Amazon; OU=Server CA 1B; CN=Amazon
*  SSL certificate verify ok.
If curl is unavailable on a Windows machine, the following PowerShell commands (Windows PowerShell 5.x; in PowerShell 7 use -AsByteStream instead of -Encoding Byte) will write the server certificate to a file named Contrast.cer in the current directory:

# Open a request to the Contrast UI; the response itself is irrelevant, only the handshake matters
$webRequest = [Net.WebRequest]::Create("https://app.contrastsecurity.com")
try { $webRequest.GetResponse() } catch {}
# Read the certificate presented during the handshake and export it in DER (.cer) format
$cert = $webRequest.ServicePoint.Certificate
$bytes = $cert.Export([Security.Cryptography.X509Certificates.X509ContentType]::Cert)
Set-Content -Value $bytes -Encoding Byte -Path "$pwd\Contrast.cer"

You can then double-click the certificate file to inspect its details, including the issuer.
 
For Contrast SaaS customers, the issuer should be Amazon. For EOP customers, the issuer should match the CA that signed the server certificate. If the issuer is another party, it is likely that a device is inspecting SSL traffic between the agent and the server and modifying the certificate.
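Note that curl validates against its own CA bundle while the agent validates against the JVM's truststore and proxy settings, so the two can disagree. The following diagnostic is an added example, not Contrast's own code: run it with the same java binary, -Djavax.net.ssl.trustStore and -Dhttps.proxyHost/-Dhttps.proxyPort values as the application server, and it prints the chain the JVM receives or the PKIX failure the agent would hit. The class name and URL argument are assumptions.

```java
import java.net.URL;
import java.security.cert.Certificate;
import java.security.cert.X509Certificate;
import javax.net.ssl.HttpsURLConnection;
import javax.net.ssl.SSLHandshakeException;

/**
 * Added diagnostic (not Contrast's code): perform the TLS handshake to the
 * Contrast UI from a JVM and print the certificate chain the JVM was given.
 * Honors the standard javax.net.ssl.trustStore and https.proxyHost/Port
 * system properties, so start it with the same -D flags as the app server.
 */
public class ContrastTlsCheck {
    // Assumption: SaaS UI URL from the article; pass another URL as args[0] for EOP.
    private static final String DEFAULT_URL =
            "https://app.contrastsecurity.com/Contrast/api/applications";

    public static void main(String[] args) throws Exception {
        String target = args.length > 0 ? args[0] : DEFAULT_URL;
        HttpsURLConnection conn = (HttpsURLConnection) new URL(target).openConnection();
        conn.setConnectTimeout(10_000);
        conn.setReadTimeout(10_000);
        try {
            // connect() runs the handshake; a PKIX failure surfaces here, before any HTTP status.
            conn.connect();
            System.out.println("Handshake OK (HTTP " + conn.getResponseCode() + ")");
            Certificate[] chain = conn.getServerCertificates();
            for (int i = 0; i < chain.length; i++) {
                X509Certificate x = (X509Certificate) chain[i];
                System.out.printf("[%d] subject: %s%n    issuer:  %s%n",
                        i, x.getSubjectX500Principal(), x.getIssuerX500Principal());
            }
            // For SaaS the leaf issuer should be Amazon; any other issuer points at TLS inspection.
        } catch (SSLHandshakeException e) {
            System.out.println("Handshake FAILED: " + e.getMessage());
            System.out.println("Truststore in use: "
                    + System.getProperty("javax.net.ssl.trustStore", "<default cacerts>"));
            // Re-run with -Djavax.net.debug=ssl:handshake to see which certificate was rejected.
        } finally {
            conn.disconnect();
        }
    }
}
```

If this program fails while curl succeeds, the problem is the JVM's truststore or proxy configuration rather than the network path, which points to Option Two below.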
 

Option One - Obtain an exception

Contact the admin of the proxy/firewall (for example: BlueCoat) to see if a bypass can be added for this application server.

Option Two - Trust the certificate

Import the certificate (for SaaS, the Amazon chain; for an inspecting device, its signing CA) into the truststore used by the application server's JVM.

Option Three - Ignore certificate exceptions

If using JVM system properties, certificate errors can be ignored by setting:

-Dcontrast.api.ignore_cert_errors=true

If using a YAML configuration file, the equivalent is:

api:
  ignore_cert_errors: true

This disables certificate validation for the agent's connection to the Contrast UI, so prefer Option One or Option Two where possible.
