The EM log contains repeated INFO level message:
[INFO] [Thread-ClusterTopologyPoller] [Manager.AppMap] Cannot send EM topology due: 'SSLHandshakeException: sun.security.validator.ValidatorException: PKIX path building failed: sun.security.provider.certpath.SunCertPathBuilderException: unable to find valid certification path to requested target' Will retry.
However there does not appear to be any visible impact on any APM functionality.
In 10.7 the security is more strict, with new functionality to make the EM behave like an http-client to the same/another EM which when secure web server is being used causes the errors in the case of an invalid/untrusted certificate.
This message occurs when configure the 10.7 EM Web Server with just the secure connector enabled in file em-jetty-config.xml (if secure & unsecure connectors both enabled the exception does not occur).
The default private key "caapm" used in the default EM_HOME/config/internal/server/keystore file for the secure EM jetty server is causing a "certificate_unknown" on the SSL handshake, which is visible in the EM log if enable JSSE trace by adding additional EM JVM property "-Djavax.net.debug=all".
The "caapm" private key has a self-signed certificate and is therefore untrustworthy which is why the errors are seen when secure http transport is being used to send the topology.