unable to find valid certification path to requested target

Document ID : KB000072833
Last Modified Date : 09/03/2018
Show Technical Document Details
AFM fails to connect to State Manager on HTTPS
arcotafm.log shows following error :

2018-03-06 17:25:38,859 [https-jsse-nio-8443-exec-6] ERROR toksvr.client.SimpleTSClientImpl(324)  -> Unable to send request to server!
javax.net.ssl.SSLHandshakeException: sun.security.validator.ValidatorException: PKIX path building failed: sun.security.provider.certpath.SunCertPathBuilderException: unable to find valid certification path to requested target
    at sun.security.ssl.Alerts.getSSLException(Alerts.java:192)
    at sun.security.ssl.SSLSocketImpl.fatal(SSLSocketImpl.java:1959)
CA AA : 9.0
App Server : Apache Tomcat
Customer had the following set in arcotafm.properties :
  • ArcotSMTrustStore=/certs/tsclient.truststore 
  • ArcotSMTrustStorePassword=123456 
ArcotSMTrustStore specifies the path where the root  CA SSL certificate of State Manager needs to be present.

Customer did import the root CA SSL certificate to the tsclient.truststore file but at the wrong location.
They did import the root CA SSL certs to the tsclient.truststore file located at : <ARCOT_HOME>/adapterAFM/certs

[root@shruj01-I4491 certs]# pwd
[root@shruj01-I4491 certs]# ls -ltr
total 8
-rwxr-xr-x. 1 root root 2402 Jan 30 00:23 tsclient.keystore
-rwxr-xr-x. 1 root root 1024 Jan 30 00:23 tsclient.truststore

However, this is not the place the app server looks for.
The root CA certs needs to be imported to <tomcat>/webapps/arcotafm/WEB-INF/classes/certs/tsclient.truststore file.

[root@shruj01-I4491 certs]# ls -latr
total 40
-rw-r-----. 1 root root 1024 Jul 21  2017 tsclient.truststore
-rw-r-----. 1 root root 2402 Jul 21  2017 tsclient.keystore

Import the root CA SSL certificate of State Manager into tsclient.truststore that is located at