JDBC SSL Connection Error: PKIX Path Failed, Path Does Not Chain With Any Of The Trust Anchors with Oracle Wallet (Doc ID 2051317.1)

Last updated on AUGUST 16, 2016

Applies to:

JDBC - Version 11.1.0.6 and later
Java SE JDK and JRE - Version 7 and later
Information in this document applies to any platform.

Symptoms

On : Java 7 using Oracle Wallet

When attempting to use Oracle JDBC SSL with TCPS on Java 7, the following error occurs :

ERROR
-----------------------
certpath: PKIXCertPathValidator.engineValidate()...
certpath: PKIXCertPathValidator.engineValidate() reversing certpath...
certpath: PKIXCertPathValidator.engineValidate() anchor.getTrustedCert() != null
certpath: PKIXCertPathValidator.isWorthTrying() checking if this trusted cert is worth trying ...
certpath: X509CertSelector.match(SN: 228b81a19d8191ae49997d3ddaff9a93
  Issuer: CN=rootCA
  Subject: CN=rootCA)
certpath: X509CertSelector.match: subject key IDs don't match
certpath: NO - don't try this trustedCert
%% Invalidated: [Session-2, TLS_RSA_WITH_AES_128_CBC_SHA]
main, SEND TLSv1 ALERT: fatal, description = certificate_unknown
main, WRITE: TLSv1 Alert, length = 2
main, called closeSocket()
main, handling exception: javax.net.ssl.SSLHandshakeException: sun.security.validator.ValidatorException: PKIX path validation failed: java.security.cert.CertPathValidatorException: Path does not chain with any of the trust anchors
main, called close()
main, called closeInternal(true)
Exception in thread "main" java.sql.SQLRecoverableException: IO Error: sun.security.validator.ValidatorException: PKIX path validation failed: java.security.cert.CertPathValidatorException: Path does not chain with any of the trust anchors
at oracle.jdbc.driver.T4CConnection.logon(T4CConnection.java:816)
at oracle.jdbc.driver.PhysicalConnection.connect(PhysicalConnection.java:789)
at oracle.jdbc.driver.T4CDriverExtension.getConnection(T4CDriverExtension.java:33)
at oracle.jdbc.driver.OracleDriver.connect(OracleDriver.java:608)
at java.sql.DriverManager.getConnection(DriverManager.java:571)
at java.sql.DriverManager.getConnection(DriverManager.java:187)
at Test.main(SSLMain.java:95)
Caused by: javax.net.ssl.SSLHandshakeException: sun.security.validator.ValidatorException: PKIX path validation failed: java.security.cert.CertPathValidatorException: Path does not chain with any of the trust anchors
at sun.security.ssl.Alerts.getSSLException(Alerts.java:192)
at sun.security.ssl.SSLSocketImpl.fatal(SSLSocketImpl.java:1884)
at sun.security.ssl.Handshaker.fatalSE(Handshaker.java:276)
at sun.security.ssl.Handshaker.fatalSE(Handshaker.java:270)
at sun.security.ssl.ClientHandshaker.serverCertificate(ClientHandshaker.java:1341)
at sun.security.ssl.ClientHandshaker.processMessage(ClientHandshaker.java:153)
at sun.security.ssl.Handshaker.processLoop(Handshaker.java:868)
at sun.security.ssl.Handshaker.process_record(Handshaker.java:804)
at sun.security.ssl.SSLSocketImpl.readRecord(SSLSocketImpl.java:1016)
at sun.security.ssl.SSLSocketImpl.performInitialHandshake(SSLSocketImpl.java:1312)
at sun.security.ssl.SSLSocketImpl.writeRecord(SSLSocketImpl.java:702)
at sun.security.ssl.AppOutputStream.write(AppOutputStream.java:122)
at oracle.net.ns.Packet.send(Packet.java:421)
at oracle.net.ns.ConnectPacket.send(ConnectPacket.java:242)
at oracle.net.ns.NSProtocolStream.negotiateConnection(NSProtocolStream.java:166)
at oracle.net.ns.NSProtocol.connect(NSProtocol.java:275)
at oracle.jdbc.driver.T4CConnection.connect(T4CConnection.java:1606)
at oracle.jdbc.driver.T4CConnection.logon(T4CConnection.java:539)
... 6 more
Caused by: sun.security.validator.ValidatorException: PKIX path validation failed: java.security.cert.CertPathValidatorException: Path does not chain with any of the trust anchors
at sun.security.validator.PKIXValidator.doValidate(PKIXValidator.java:350)
at sun.security.validator.PKIXValidator.engineValidate(PKIXValidator.java:249)
at sun.security.validator.Validator.validate(Validator.java:260)
at sun.security.ssl.X509TrustManagerImpl.validate(X509TrustManagerImpl.java:326)
at sun.security.ssl.X509TrustManagerImpl.checkTrusted(X509TrustManagerImpl.java:231)
at sun.security.ssl.X509TrustManagerImpl.checkServerTrusted(X509TrustManagerImpl.java:126)
at sun.security.ssl.ClientHandshaker.serverCertificate(ClientHandshaker.java:1323)
... 19 more
Caused by: java.security.cert.CertPathValidatorException: Path does not chain with any of the trust anchors
at sun.security.provider.certpath.PKIXCertPathValidator.engineValidate(PKIXCertPathValidator.java:208)
at java.security.cert.CertPathValidator.validate(CertPathValidator.java:279)
at sun.security.validator.PKIXValidator.doValidate(PKIXValidator.java:345)
... 25 more
Process exited with exit code 1.


This works fine on Java 6.


The issue can be reproduced at will with the following steps:
1. Use Oracle Wallet and install OraclePKIProvider with Java 7.
2. Set up Oracle Wallet as a Trust Store.


Changes

 This happens with Java 7 and not with Java 6. Also the SSL is using the OraclePKIProvider.

Cause

Sign In with your My Oracle Support account

Don't have a My Oracle Support account? Click to get started

My Oracle Support provides customers with access to over a
Million Knowledge Articles and hundreds of Community platforms