OAM 11g X509Plugin Custom Authentication Module Fails With Error "Cert path validation failed.... the trustAnchors parameter must be non-empty" (Doc ID 1462689.1)

Last updated on MARCH 08, 2017

Applies to:

Oracle Access Manager - Version 11.1.1.5.0 and later
Information in this document applies to any platform.

Symptoms

Oracle Access Manager (OAM) 11.1.1.5 has been configured to use the X509Plugin custom authentication module for client certificate SSO login using the Subject Alternative Name value. For supported use of the certificate SubjectAltName for OAM authentication, see OAM 11g - X.509 Authentication - How to leverage the SubjectAltName extension data and integrate with multiple OCSP Endpoints (Doc ID 1411853.1).

When the protected resource is accessed in the browser and a valid user certificate is provided for authentication, OAM login fails and the following error is seen in the OAM managed server log:

 

 

 

The WebLogic (OAM) Managed Server keystore and the OAM keystore (.oamkeystore) have been checked and they do contain the root CA and subCA certificates for validation of the client certificate.

 

If KEY_IS_CERT_VALIDATION_ENABLED is set to false in the X509CredentialExtractor step in the custom X509Plugin module, then the error no longer occurs.
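The message in the title is the one the JDK's java.security.cert.PKIXParameters raises when the KeyStore it is given has no trusted certificate entries; a CA certificate that is present only inside a key entry's chain does not count. The following check is an added example, not Oracle's code and not part of this note. The class name TrustAnchorCheck and its two command-line arguments (store path and store type) are assumptions, and which store the X509Plugin validation step reads is not stated in the visible part of this note.

```java
import java.io.FileInputStream;
import java.io.InputStream;
import java.security.InvalidAlgorithmParameterException;
import java.security.KeyStore;
import java.security.cert.PKIXParameters;
import java.util.Collections;

public class TrustAnchorCheck {

    // Counts entries the PKIX validator can use as trust anchors and prints
    // how every alias is stored.
    static int countTrustedCertEntries(KeyStore ks) throws Exception {
        int trusted = 0;
        for (String alias : Collections.list(ks.aliases())) {
            boolean anchor = ks.isCertificateEntry(alias);
            System.out.printf("%-30s %s%n", alias,
                    anchor ? "trustedCertEntry" : "key entry (not an anchor)");
            if (anchor) trusted++;
        }
        return trusted;
    }

    // True when PKIXParameters accepts the store; false reproduces the error.
    static boolean hasUsableAnchors(KeyStore ks) throws Exception {
        try {
            new PKIXParameters(ks);
            return true;
        } catch (InvalidAlgorithmParameterException e) {
            System.out.println("PKIXParameters rejected the store: " + e.getMessage());
            return false;
        }
    }

    public static void main(String[] args) throws Exception {
        // Constructed sample: an empty in-memory store triggers the message.
        KeyStore empty = KeyStore.getInstance(KeyStore.getDefaultType());
        empty.load(null, null);
        System.out.println("empty store usable: " + hasUsableAnchors(empty));

        // Optional: <path> <storetype> for a real store; password is prompted.
        if (args.length == 2 && System.console() != null) {
            char[] pw = System.console().readPassword("Password for %s: ", args[0]);
            KeyStore ks = KeyStore.getInstance(args[1]);
            try (InputStream in = new FileInputStream(args[0])) { ks.load(in, pw); }
            int n = countTrustedCertEntries(ks);
            System.out.println(n + " trusted entries, usable: " + hasUsableAnchors(ks));
        }
    }
}
```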

 

Cause
