PKIX Path Building Failed While Configuring CA Release Automation Plugin For CDD To Use SSL

Document ID : KB000112648
Last Modified Date : 05/09/2018
Show Technical Document Details
Issue:
We are attempting to configure the CA Release Automation (CARA) Plugin for CDD to connect to CARA using SSL but get the following error: 
Failed to ping or connect the server due to javax.net.ssl.SSLHandshakeException: sun.security.validator.ValidatorException: PKIX path building failed: sun.security.provider.certpath.SunCertPathBuilderException unable to find valid certification path to requested target.
Environment:
CA Release Automation v6.6.0.9640
CA Continuous Delivery Director (CDD) v6.6-116
Cause:
The RA Plugin for CDD doesn’t hard code any ports. In order for an application (in this case cdd) to establish a connection with the SSL endpoint (CARA) you need a truststore with the certificate for a successful SSL Handshake. Java’s default truststore is jre/lib/security/cacerts.
Resolution:
  1. Obtain a copy of the certificate used by the CARA server. 
  2. Import the certificate from #1 into Java's lib/security/cacerts truststore. Specifically, it should be imported into the cacerts truststore for the Java used by Tomcat. 
  3. Configure the plugin to use SSL, test connection, verify it reflects "Connected" and then save. 
Additional Information:
To get the certificate(s) from IE: 
  1. Open the URL. When the secured site appears click on the Lock icon and click view certificates. 
  2. The first certificate shown is the server certificate. Click on the details tab. This should give you a button/option to “Copy To File”. Click on that button. When prompted for the “Export File Format”, be sure to select the option “Base-64 encoded X.509 (.CER). Then give it a file name and export. 
  3. Export the server’s certificate described in step 2. Once done, click on the Certification Path tab (this tab is available after you click on the Lock icon in IE and click on view certificates). From the Certification Path tab we want to select the certificate immediately above the servers certificate (often this is considered the intermediate certificate authority). Then click on the “View Certificate” button. Then go to the details tab, click the “Copy To File” option, select the same “Base-64 encoded” export file format that we used in step 2, give it a unique filename and extract. 
  4. Proceed extracting each certificate shown in the Certification Path tab. 
  5. After all of the certificates have been exported you will be able to import them into Java’s truststore (cacerts). The certificates we extracted on in a format suitable to directly import them into Java’s truststore (cacerts). 
  6. To import the certificates, run: keytool -importcert -file <filename of certificate you exported from IE> -alias “meaningful alias name” -keystore <path to Java’s lib\security\cacerts file>