CA APM 10.7 EM log shows "Cannot send EM topology due: 'SSLHandshakeException: sun.security.validator.ValidatorException: PKIX path building failed ..."

Document ID : KB000101474
Last Modified Date : 03/07/2018
Issue:
The EM log contains repeated INFO level message:
[INFO] [Thread-ClusterTopologyPoller] [Manager.AppMap] Cannot send EM topology due: 'SSLHandshakeException: sun.security.validator.ValidatorException: PKIX path building failed: sun.security.provider.certpath.SunCertPathBuilderException: unable to find valid certification path to requested target' Will retry.
Data visibility under Team Center Map layers "APM Infrastructure Layer" & "Infrastructure Layer" will also likely be impacted.
Environment:
APM 10.7
Cause:
This message occurs when the 10.7 EM Web Server is configured to use the secure (HTTPS) connector enabled in the em-jetty-config.xml file.
When the JSSE tracing property "-Djavax.net.debug=all" is added to the Introscope_Enterprise_Manager.lax or EMService.conf file, the EM log shows a "certificate_unknown" alert for the SSL handshake every 10 seconds.
10.7 adds functionality that makes the EM act as an HTTP client to itself or to another EM, and that client validates certificates strictly: when a secure EM web server is in use, a certificate that is invalid or not trusted by the EM's JRE truststore causes the error.
Resolution:
There are 2 options:
1. When the em-jetty-config.xml file has been configured with a certAlias that corresponds to the private key/public certificate pair imported into the EM_HOME/config/internal/server/keystore file, the corresponding public certificate must also be exported from that keystore and imported into the EM_HOME/jre/lib/security/cacerts truststore. The following 10.7 documentation link covers this:
https://docops.ca.com/ca-apm/10-7/en/administrating/configure-enterprise-manager/configure-enterprise-manager-communications#ConfigureEnterpriseManagerCommunications-JettyConfigurationOptionsforSSL
NOTE: The default em-jetty-config.xml file uses certAlias "caapm", a self-signed certificate issued to www.ca.com that end users normally replace when implementing SSL. If "caapm" is kept, then even after its public certificate has been exported from the EM_HOME/config/internal/server/keystore file and imported into the EM_HOME/jre/lib/security/cacerts file, an exception still occurs because the EM's hostname does not match the certificate subject, e.g.
[INFO] [RemoteHttpCallServiceExecutor-15] [Manager.AppMap.RemoteHttp] SSLPeerUnverifiedException: Host name 'xxxxxxxxxx' does not match the certificate subject provided by the peer (CN=www.ca.com, OU=Agile Operations, O=CA, L=Santa Clara, ST=California, C=US) 
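The export/import procedure in option 1, as an added example script that is not part of the CA KB or the product. It uses the JDK keytool commands that exist on every EM JRE; the keystore and cacerts paths are the ones the KB names, while EM_HOME, the keystore password and the default cacerts password "changeit" are assumptions to adjust. It also performs the check the NOTE above implies: comparing the certificate CN against the EM hostname before importing, so that the default "caapm" certificate (CN=www.ca.com) is flagged as one that will still fail with SSLPeerUnverifiedException.

```shell
#!/bin/sh
# Added example (not CA's code): export the Jetty certAlias certificate from the EM
# keystore, import it into the EM JRE truststore, and verify both the trust entry and
# the hostname match. Paths follow the KB; EM_HOME, alias and passwords are assumptions.
set -eu

EM_HOME="${EM_HOME:-/opt/CA/APM/Introscope}"          # assumed install root
CERT_ALIAS="${CERT_ALIAS:-caapm}"                      # certAlias from em-jetty-config.xml
KEYSTORE="$EM_HOME/config/internal/server/keystore"    # keystore path from the KB
KEYSTORE_PASS="${KEYSTORE_PASS:-password}"             # assumed keystore password
TRUSTSTORE="$EM_HOME/jre/lib/security/cacerts"         # truststore path from the KB
TRUSTSTORE_PASS="${TRUSTSTORE_PASS:-changeit}"         # JDK default cacerts password

# Export the public certificate for an alias as PEM.
# $1=keystore $2=storepass $3=alias $4=output file
export_cert() {
    keytool -exportcert -rfc -keystore "$1" -storepass "$2" -alias "$3" -file "$4"
}

# Import a PEM certificate into a truststore as a trusted entry (creates the file if absent).
# $1=truststore $2=storepass $3=alias $4=PEM file
import_cert() {
    keytool -importcert -noprompt -keystore "$1" -storepass "$2" -alias "$3" -file "$4"
}

# Succeed only if the alias is present in the truststore as a trustedCertEntry.
# $1=truststore $2=storepass $3=alias
trusted_entry_present() {
    keytool -list -keystore "$1" -storepass "$2" -alias "$3" 2>/dev/null | grep -q trustedCertEntry
}

# Extract the CN from a keytool "Owner:" line, e.g. "Owner: CN=www.ca.com, OU=..., C=US".
cn_from_owner_line() {
    printf '%s\n' "$1" | sed -n 's/^Owner: .*CN=\([^,]*\).*/\1/p'
}

# Succeed only if the certificate subject CN equals the host name clients use for the EM.
# The default "caapm" certificate carries CN=www.ca.com, so trusting it in cacerts only
# moves the failure from PKIX path building to SSLPeerUnverifiedException (host mismatch).
# $1=PEM file $2=expected host name
cert_cn_matches_host() {
    _owner=$(keytool -printcert -file "$1" | grep '^Owner:' | head -n 1)
    [ "$(cn_from_owner_line "$_owner")" = "$2" ]
}

# Full procedure: export, check the host name, import, verify.
apply_truststore_fix() {
    _tmp=$(mktemp -d)
    _pem="$_tmp/$CERT_ALIAS.pem"
    _host=$(hostname -f)
    export_cert "$KEYSTORE" "$KEYSTORE_PASS" "$CERT_ALIAS" "$_pem"
    if ! cert_cn_matches_host "$_pem" "$_host"; then
        echo "warning: certificate CN does not match $_host; expect SSLPeerUnverifiedException" >&2
    fi
    import_cert "$TRUSTSTORE" "$TRUSTSTORE_PASS" "$CERT_ALIAS" "$_pem"
    if trusted_entry_present "$TRUSTSTORE" "$TRUSTSTORE_PASS" "$CERT_ALIAS"; then
        echo "imported $CERT_ALIAS into $TRUSTSTORE; restart the EM to pick it up"
    else
        echo "error: $CERT_ALIAS not found in $TRUSTSTORE after import" >&2
        rm -rf "$_tmp"
        return 1
    fi
    rm -rf "$_tmp"
}

# Run only when explicitly requested, e.g.: EM_HOME=/opt/CA/APM/Introscope APPLY=1 sh em_truststore.sh
if [ "${APPLY:-0}" = 1 ]; then
    apply_truststore_fix
fi
```

Back up cacerts before running this against a live EM, and remember that cacerts is replaced when the bundled JRE is upgraded, so the import has to be repeated after a JRE update. If the CN check warns, the certificate is not issued to the EM's host name and option 2 (or a replacement certificate) is needed, not another import.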

2. As of June 7, 10.7 SP1 is released, which adds the ability to disable certificate hostname validation in the em-jetty-config.xml file; this also prevents the original exception. The required setting is: <Set name="verifyHostnames">false</Set>
With hostname verification disabled the EM accepts any certificate it trusts regardless of the host name it was issued to, so a certificate issued to the EM's own host name (option 1) remains the stronger fix.
NOTE:
10.7 GA also had this property but it did not prevent the exception in that release. 
Additional Information:
A similar exception message, which can also cause problems, is reported in this existing KB:
KB: "Cannot send EM topology due: SSLPeerUnverifiedException" message in the EM log after upgrading to 10.7:
https://comm.support.ca.com/kb/cannot-send-em-topology-due-sslpeerunverifiedexception/KB000093503