|License Type||SaaS & EOP|
|Agent Mode||Assess & Protect|
|Main Product Category||Java Agent|
The following error is seen when starting the application with the Contrast Java agent.
ERROR - Problem resolving features with com.contrastsecurity.agent.features.%
javax.net.ssl.SSLHandshakeException: sun.security.validator.ValidatorException: PKIX path building failed:
There can be many causes for this error but generally it is a failure to recognize the root CA. The
cause can variously be reported as some of the following:
Unable to find valid certification path to requested target
PKIXCertPathBuilderImpl could not build a valid CertPath
One possible reason for this is that the CA is being replaced during the package inspection of a firewall or proxy server.
To check that this is the case, one can run a simple curl command to the Contrast UI and validate the CA
curl -HAccept:application/json -HAuthorization:test -HAPI-Key:test https://app.contrastsecurity.com/Contrast/api/applications -v
Or with a proxy
curl -HAccept:application/json -HAuthorization:test -HAPI-Key:test https://app.contrastsecurity.com/Contrast/api/applications -v --proxy http://proxyserver.company.com:8080
* subject: CN=*.contrastsecurity.com
* start date: Sep 10 00:00:00 2018 GMT
* expire date: Oct 10 12:00:00 2019 GMT
* subjectAltName: host "app.contrastsecurity.com" matched cert's "*.contrastsecurity.com"
* issuer: C=US; O=Amazon; OU=Server CA 1B; CN=Amazon
* SSL certificate verify ok.
Option One - Obtain an exception
Contact the admin of the proxy/firewall (for example: BlueCoat) to see if a bypass can be added for this application server.
Option Two - Trust the certificate
Option Three - Ignore certificate exceptions
If using JVM system properties, certificate errors can be ignored by setting:
If using a yaml configuration file, the equivalent is: