License Type | On-Premise
Agent Mode | N/A
Main Product Category | Contrast UI
Sub Category | Administration
Issue
When enabling "Contrast Hub" connectivity under System Settings -> Internet Settings, Test Connection fails and the server log reports an error similar to the following:
javax.net.ssl.SSLHandshakeException: PKIX path building failed: sun.security.provider.certpath.SunCertPathBuilderException: unable to find valid certification path to requested target
Cause
The most likely cause of this error is that traffic from the Contrast Server is passing through a proxy that rewrites (re-signs) the certificate presented by the Contrast Hub server. The Contrast EOP Server runs under Tomcat, a Java application server, and by default every JRE ships with a trust store containing the usual commercial CA certificates (DigiCert, GlobalSign and so on). If the proxy replaces that certificate with one issued by a CA that is not in this list, the JVM cannot build a chain of trust and the TLS handshake fails when connecting.
Resolution
Acquire the certificate
You can do that with openssl as follows (this writes a file named hub.pem):
openssl s_client -showcerts -connect hub.contrastsecurity.com:443 </dev/null 2>/dev/null|openssl x509 -outform PEM > hub.pem
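The one-line pipeline above keeps only the first certificate that s_client prints, which is the leaf certificate (that is how openssl x509 behaves on multi-certificate input). When a proxy is rewriting certificates, the entry worth trusting is normally the proxy's own CA further down the chain, because the rewritten leaf changes whenever the real Hub certificate is renewed. The following POSIX shell script is an added example, not part of this article: it splits s_client output into one PEM file per certificate and lists each certificate's issuer so you can confirm a non-public CA is in play. The chain text embedded in it is constructed sample output with placeholder bodies, not real certificates, and the proxy CA name is invented.

```shell
#!/bin/sh
# Added example: split `openssl s_client -showcerts` output into one PEM file
# per certificate and report each certificate's issuer. Not from the Contrast
# article; uses only sh, awk and sed so it runs offline.

# Constructed stand-in for real s_client output. The base64 bodies are
# placeholders, not certificates; the proxy CA name is invented.
SAMPLE_CHAIN='CONNECTED(00000003)
---
Certificate chain
 0 s:CN = hub.contrastsecurity.com
   i:CN = Example Corp Intercepting Proxy CA
-----BEGIN CERTIFICATE-----
MIIBleafPLACEHOLDER0
MIIBleafPLACEHOLDER1
-----END CERTIFICATE-----
 1 s:CN = Example Corp Intercepting Proxy CA
   i:CN = Example Corp Intercepting Proxy CA
-----BEGIN CERTIFICATE-----
MIIBcaPLACEHOLDER0
-----END CERTIFICATE-----
---
Server certificate
subject=CN = hub.contrastsecurity.com
'

# split_chain DIR: read s_client output on stdin, write DIR/cert-1.pem,
# DIR/cert-2.pem, ... (one per PEM block, in chain order) and print the count.
# The last file is the top of the chain the server sent, which is the proxy CA
# when the proxy includes it.
split_chain() {
    dir="$1"
    mkdir -p "$dir"
    awk -v dir="$dir" '
        /-----BEGIN CERTIFICATE-----/ { n++; out = dir "/cert-" n ".pem"; inside = 1 }
        inside { print > out }
        /-----END CERTIFICATE-----/ { inside = 0; close(out) }
        END { print n + 0 }
    '
}

# chain_issuers: read s_client output on stdin and print the issuer of each
# certificate, taken from the "i:" lines s_client prints above each PEM block.
# An issuer that is not a public CA confirms that a proxy is re-signing.
chain_issuers() {
    sed -n 's/^ *i:\(.*\)$/\1/p'
}

# Stand-alone demonstration on the constructed sample. Against the real Hub
# you would pipe live output instead, e.g.:
#   openssl s_client -showcerts -connect hub.contrastsecurity.com:443 \
#       </dev/null 2>/dev/null | split_chain ./hubcerts
demo() {
    out_dir="${1:-./hubcerts-sample}"
    count=$(printf '%s' "$SAMPLE_CHAIN" | split_chain "$out_dir")
    echo "wrote $count certificate(s) to $out_dir"
    echo "issuers in chain order:"
    printf '%s' "$SAMPLE_CHAIN" | chain_issuers
}
```

Once the files are split, inspect the last one with openssl x509 -noout -subject -issuer -in cert-N.pem and import that file (rather than the leaf) with the keytool commands in the next section, so the trust store entry survives leaf renewals behind the proxy.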
Trust the certificate
From the {contrast home} directory, you can either add the certificate to the default JRE Trust Store:
jre/bin/keytool -import -trustcacerts -alias ldapserver -file hub.pem -keystore jre/lib/security/cacerts
(This assumes you are using the embedded JRE; if not, adjust the paths to point at the cacerts file of the JRE actually in use. The alias is just a label for the entry in the trust store.)
Alternatively, create a new trust store and import the certificate into it, as in the following example:
mkdir data/conf/ssl
jre/bin/keytool -import -alias ldapserver -file hub.pem -keystore data/conf/ssl/truststore.jks
then reference the trust store in the bin/contrast-server.vmoptions file by adding the following lines:
-Djavax.net.ssl.trustStore=<full path to truststore>
-Djavax.net.ssl.trustStorePassword=<password you set for the trust store, if any>