10.7 EM log shows "Cannot send EM topology due: 'SSLHandshakeException: sun.security.validator.ValidatorException: PKIX path building failed ..."

Document ID : KB000101474
Last Modified Date : 14/06/2018
Issue:
The EM log contains a repeated INFO-level message:
[INFO] [Thread-ClusterTopologyPoller] [Manager.AppMap] Cannot send EM topology due: 'SSLHandshakeException: sun.security.validator.ValidatorException: PKIX path building failed: sun.security.provider.certpath.SunCertPathBuilderException: unable to find valid certification path to requested target' Will retry.
However, there does not appear to be any visible impact on APM functionality.
Environment:
APM 10.7
Cause:
In 10.7 security is stricter: new functionality makes the EM behave like an HTTP client to the same or another EM. When the secure web server is in use and the certificate is invalid or untrusted, this causes the errors.
This message occurs when the 10.7 EM Web Server is configured with only the secure connector enabled in the file em-jetty-config.xml (if both the secure and unsecure connectors are enabled, the exception does not occur).
The default private key "caapm" in the default EM_HOME/config/internal/server/keystore file used by the secure EM Jetty server causes a "certificate_unknown" alert on the SSL handshake. This is visible in the EM log if JSSE tracing is enabled by adding the EM JVM property "-Djavax.net.debug=all".
The "caapm" private key has a self-signed certificate and is therefore untrusted, which is why the errors are seen when the secure HTTP transport is being used to send the topology.
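The following shell script is an added example and is not part of this KB or of the CA APM product. It checks the property described above, whether a certificate is self-signed (issuer equal to subject), which is what makes the EM's HTTP client fail with "PKIX path building failed". It needs only the openssl CLI, plus keytool if you export from the EM keystore. The keystore path and the "caapm" alias come from this KB; the store password placeholder, the example host and port, and the CN used for the constructed certificate are assumptions.

```shell
#!/bin/sh
# Added example, not CA's code: classify a certificate as self-signed or
# CA-signed. A self-signed certificate chains to nothing in the Java trust
# store, so the EM-to-EM HTTPS client rejects it with
# "PKIX path building failed" unless it has been imported explicitly.

# Print "self-signed" when the PEM certificate's issuer equals its subject,
# otherwise "ca-signed".
classify_pem_cert() {
    pem="$1"
    subject=$(openssl x509 -in "$pem" -noout -subject | sed 's/^subject=//')
    issuer=$(openssl x509 -in "$pem" -noout -issuer | sed 's/^issuer=//')
    if [ "$subject" = "$issuer" ]; then
        echo "self-signed"
    else
        echo "ca-signed"
    fi
}

# Export one alias from the EM keystore in PEM form so it can be fed to
# classify_pem_cert. Keystore path and alias are the KB's defaults; the
# store password is a placeholder to be replaced.
export_keystore_cert() {
    keystore="${1:-$EM_HOME/config/internal/server/keystore}"
    alias_name="${2:-caapm}"
    storepass="${3:-CHANGEME_STOREPASS}"   # placeholder, not a real password
    keytool -exportcert -rfc -keystore "$keystore" -alias "$alias_name" \
        -storepass "$storepass"
}

# Fetch the certificate a running secure connector actually presents.
# host:port is an assumption (e.g. em-host.example.invalid:8444).
fetch_server_cert() {
    hostport="$1"
    openssl s_client -connect "$hostport" </dev/null 2>/dev/null |
        openssl x509 -outform PEM
}

# Construct a throwaway self-signed certificate so the check can be run
# offline; it stands in for the default "caapm" certificate.
make_self_signed_pem() {
    out="$1"
    openssl req -x509 -newkey rsa:2048 -nodes -keyout "$out.key" \
        -subj "/CN=em.example.invalid" -days 1 -out "$out" 2>/dev/null
}

# Stand-alone run: build a constructed self-signed certificate and classify it.
demo_dir=$(mktemp -d)
make_self_signed_pem "$demo_dir/em.pem"
echo "$demo_dir/em.pem: $(classify_pem_cert "$demo_dir/em.pem")"
rm -rf "$demo_dir"
```

Run classify_pem_cert against the output of export_keystore_cert (the key in the keystore) and of fetch_server_cert (what the connector serves) to confirm they match and to see whether the certificate in use is self-signed, without enabling -Djavax.net.debug=all and restarting the EM.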
Resolution:
1. The following link outlines how to configure the Jetty Web server for SSL with a key that has a trusted certificate, which prevents the exceptions:
https://docops.ca.com/ca-apm/10-7/en/administrating/configure-enterprise-manager/configure-enterprise-manager-communications#ConfigureEnterpriseManagerCommunications-JettyConfigurationOptionsforSSL

2. As of June 7, 10.7 SP1 is released, which provides the ability to disable certificate hostname validation in em-jetty-config.xml; this also prevents the above exception. The required setting is:
<Set name="verifyHostnames">false</Set>
Additional Information:
The exception covered in this KB appears not to cause any functionality problems, but a similar message reported in the following KB can cause problems:
KB: "Cannot send EM topology due: SSLPeerUnverifiedException" message in the EM log after upgrading to 10.7:
https://comm.support.ca.com/kb/cannot-send-em-topology-due-sslpeerunverifiedexception/KB000093503