Hub Connectivity Error: PKIX path building failed

Issue

When enabling "Contrast Hub" connectivity in System Settings->Internet Settings the Test Connection fails and the resulting log reports an error similar to the following:

javax.net.ssl.SSLHandshakeException: PKIX path building failed: sun.security.provider.certpath.SunCertPathBuilderException: unable to find valid certification path to requested target

Cause

The most likely cause of this error is that traffic from the Contrast Server is being directed through a proxy which is rewriting the certificate presented by the Contrast Hub Server.  The Contrast EOP Server runs under Tomcat which is a Java Application Server and, by default, all JREs come with a set of trusted CAs that contains the usual commercial CA certificates - DigiCert, GlobalSign etc.  If the CA is being replaced by one that is not in this list then the JVM will be unable to build the chain of trust, resulting in a handshaking failure when connecting.

Resolution

Acquire the certificate

You can do that using openssl like so (creates a file named hub.pem):

openssl s_client -showcerts -connect hub.contrastsecurity.com:443 </dev/null 2>/dev/null|openssl x509 -outform PEM > hub.pem

Trust the certificate

From the {contrast home} directory, you can either add the certificate to the default JRE Truststore:

jre/bin/keytool -import -trustcacerts -alias ldapserver -file hub.pem -keystore jre/lib/security/cacerts

(This assumes you're using the embedded JRE - if not then replace the paths as necessary to reference the cacerts file for JRE in use.)

Alternatively you can create a new Truststore as in the following example, and import the certificate:

mkdir data/conf/ssl
jre/bin/keytool -import -alias ldapserver -file hub.pem -keystore data/conf/ssl/truststore.jks

then reference the Truststore in the bin/contrast-server.vmoptions file by adding the following lines:

-Djavax.net.ssl.trustStore=<full path to truststore>
-Djavax.net.ssl.trustStorePassword=<password you set for the trust store, if any>