10.7 EM log shows "Cannot send EM topology due: 'SSLHandshakeException: sun.security.validator.ValidatorException: PKIX path building failed ..."

Document ID : KB000101474
Last Modified Date : 14/06/2018
The EM log contains a repeated INFO-level message:
[INFO] [Thread-ClusterTopologyPoller] [Manager.AppMap] Cannot send EM topology due: 'SSLHandshakeException: sun.security.validator.ValidatorException: PKIX path building failed: sun.security.provider.certpath.SunCertPathBuilderException: unable to find valid certification path to requested target' Will retry.
However there does not appear to be any visible impact on any APM functionality.
APM 10.7
In 10.7 security is stricter: new functionality makes the EM behave like an HTTP client to the same or another EM. When the secure web server is in use, this causes the errors if the certificate is invalid or untrusted.
This message occurs when the 10.7 EM Web Server is configured with only the secure connector enabled in the file em-jetty-config.xml (if both the secure and unsecure connectors are enabled, the exception does not occur).
The default private key "caapm" in the default EM_HOME/config/internal/server/keystore file, used for the secure EM Jetty server, causes a "certificate_unknown" on the SSL handshake. This is visible in the EM log if you enable JSSE tracing by adding the EM JVM property "-Djavax.net.debug=all".
The "caapm" private key has a self-signed certificate and is therefore untrustworthy, which is why the errors are seen when secure HTTP transport is being used to send the topology.
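An added example, not part of the original KB: a shell function that reads the text printed by `keytool -list -v` and prints the aliases whose presented certificate is self-issued (Owner equals Issuer), the condition described above for the default "caapm" key. The sample listing, its subject names and the `<keystore-password>` placeholder are constructed for illustration, and the field labels assume English-locale keytool output.

```shell
#!/bin/sh
# Live usage (the store password is a placeholder, not a value from the KB):
#   keytool -list -v -keystore "$EM_HOME/config/internal/server/keystore" \
#           -storepass '<keystore-password>' | self_signed_aliases

# Print each alias whose first (presented) certificate has Owner == Issuer.
self_signed_aliases() {
    awk '
        /^Alias name: /           { alias = substr($0, 13); owner = ""; cert = 0; next }
        /^Certificate\[[0-9]+\]:/ { cert++; next }
        # trustedCertEntry has no "Certificate[n]:" line, so cert stays 0 there.
        /^Owner: /  { if (cert <= 1) owner = substr($0, 8); next }
        /^Issuer: / {
            # Later chain members (CA certificates) are skipped on purpose.
            if (cert <= 1 && alias != "" && substr($0, 9) == owner) print alias
            next
        }
    '
}

# Constructed sample of `keytool -list -v` output: one self-signed entry
# and one entry issued by a separate CA (all names are made up).
sample_keytool_output() {
    cat <<'EOF'
Alias name: caapm
Entry type: PrivateKeyEntry
Certificate chain length: 1
Certificate[1]:
Owner: CN=em.example.test, O=Example
Issuer: CN=em.example.test, O=Example
Serial number: 1a2b3c

Alias name: em-signed
Entry type: PrivateKeyEntry
Certificate chain length: 2
Certificate[1]:
Owner: CN=em.example.test, O=Example
Issuer: CN=Example Issuing CA, O=Example
Serial number: 4d5e6f
Certificate[2]:
Owner: CN=Example Issuing CA, O=Example
Issuer: CN=Example Issuing CA, O=Example
Serial number: 01
EOF
}

sample_keytool_output | self_signed_aliases
```

An alias that still appears in the output after the keystore has been replaced is still presenting a self-issued certificate.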
1. The following link outlines how to configure the Jetty Web server for SSL with a key which has a trusted certificate to prevent the exceptions:

2. As of June 7, 10.7 SP1 is released; it provides the ability to disable certificate hostname validation in em-jetty-config.xml, which will also prevent the above exception. The required setting is:
<Set name="verifyHostnames">false</Set>
Additional Information:
The exception covered in this KB does not appear to cause any functionality problems, but a similar message reported in this existing KB can cause problems:
KB: "Cannot send EM topology due: SSLPeerUnverifiedException" message in the EM log after upgrading to 10.7: