My Oracle Support Banner

OAM 11g X509Plugin Custom Authentication Module Fails With Error "Cert path validation failed.... the trustAnchors parameter must be non-empty" (Doc ID 1462689.1)

Last updated on FEBRUARY 28, 2019

Applies to:

Oracle Access Manager - Version and later
Information in this document applies to any platform.


Oracle Access Manager (OAM) has been configured to use the X509Plugin custom authentication module for client certificate SSO login using Subject Alternative Name value. For supported use of certificate SubjectAltName for OAM authentication see OAM 11g - X.509 Authentication - How to leverage the SubjectAltName extension data and integrate with multiple OCSP Endpoints (Doc ID 1411853.1).

When the protected resource is accessed in the browser and a valid user certificate is provided for authentication, OAM login fails and the following error is seen in the OAM managed server log:




The WebLogic (OAM) Managed Server keystore and the OAM keystore (.oamkeystore) have been checked and they do contain the root CA and subCA certificates for validation of the client certificate.


If KEY_IS_CERT_VALIDATION_ENABLED is set to false in the X509CredentialExtractor step in the custom X509Plugin module then the error no longer occurs.





To view full details, sign in with your My Oracle Support account.

Don't have a My Oracle Support account? Click to get started!

In this Document

My Oracle Support provides customers with access to over a million knowledge articles and a vibrant support community of peers and Oracle experts.