How to run custom CA Service Desk Manager (CA SDM) Java programs when CA SDM Tomcat is configured with SSL.

Document ID : KB000048490
Last Modified Date : 14/02/2018

Description:

When CA SDM Tomcat is configured with SSL, the SSL certificate comes into play when a custom Java program needs to access the CA SDM Tomcat layer.

This document describes how to import the SSL certificate into a Java keystore so that the Java program can function properly.

Usually an error similar to the one below appears when the SSL certificate is not read properly or is not in the Java keystore that is being used by the Java program:

javax.net.ssl.SSLHandshakeException: sun.security.validator.ValidatorException: PKIX path building failed: sun.security.provider.certpath.SunCertPathBuilderException: unable to find valid certification path to requested target
exception = javax.net.ssl.SSLHandshakeException: sun.security.validator.ValidatorException: PKIX path building failed: sun.security.provider.certpath.SunCertPathBuilderException: unable to find valid certification path to requested target

Solution:

  1. Ensure the Java environment is set correctly (ex: JAVA_HOME, PATH, etc.). You can open a command prompt and type the commands below, or create a batch file/script using Notepad and execute it later.

    REM set JAVA env
    SET JAVA_HOME=C:\jre
    ECHO "JAVA_HOME: %JAVA_HOME%"
    SET PATH=%PATH%;%JAVA_HOME%\bin


  • Import the CA SDM Certificate

    1. One option is to work with the site administrator to get the SSL certificate. This certificate can then be imported into the JRE keystore (see further steps in this document).
    2. Another option is to save the certificate using a web browser:

      1. Log in to the CA SDM SSL Tomcat URL (ex: https://sdmhost:8443/CAisd/pdmweb.exe)
      2. Click the SSL button or the LOCK icon in the browser address bar

        Figure 1

      3. The browser will show a certificate details option (more details or certificate details)
      4. Click View Certificates
      5. Go to the Details tab
      6. Select Copy to File or Export options
      7. Save it to a file on the machine where the Java program needs to be executed (ex: c:\JRE\CA_SDM_Tomcat_CertFile.cer)

    3. Run the keytool command with the options below, where -file is the SSL certificate file that was saved earlier and -keystore is the Java keystore that will store that certificate for later use by the CA SDM Java program. The command will also prompt for a password for the Java keystore: if it's an existing keystore, you need to provide the password for that keystore; if not, you will need to create a password.

      echo "************************"
      echo "when prompted for password, provide a password. changeit is the default password <and hit enter>"
      echo " when prompted for Trust this certificate? type: yes <and hit enter>"
      echo "************************"
      keytool -importcert -file c:\JRE\CA_SDM_Tomcat_CertFile.cer -keystore C:\JRE\.keystore


  • Run the keytool command with -list option to ensure that the SSL certificate got imported properly into the keystore.

    echo "************************"
    echo "now verifying the keystore again"
    echo "when prompted for password, provide a password. changeit is the default password <and hit enter>"
    echo "************************"
    keytool -list -keystore c:\JRE\.keystore
    pause


  • Utilize the keystore when running the CA SDM Java program (use appropriate keystore password if it is not the default 'changeit')

    java -Djavax.net.ssl.trustStore=c:\JRE\.keystore -Djavax.net.ssl.trustStorePassword=changeit -jar MyJavaProgram.jar