MAF Client Cannot Build - Certificate Chain For SSL Connection With Custom Root Certificate Authority-PKIX path building failed: sun.security.provider.certpath.SunCertPathBuilderException (Doc ID 2068992.1)

Last updated on APRIL 06, 2017

Applies to:

Mobile Application Framework - Version 2.1.2 and later
Information in this document applies to any platform.

Goal

Trying to have an Android MAF client connect to an internal WebLogic server over an HTTPS connection. Because this is for internal development use,
we have an internal Certificate Authority, and the WebLogic server is using a certificate signed by this certificate authority. We are building their client in Eclipse OEPE (Luna 4.4.2) with the MAF 2.1.2 library.

Eclipse Platform
Version: Luna SR2 (4.4.2)
Build id: M20150204-1700

Oracle MAF 2.1.2.201508311025
WebLogic Server Version: 12.1.3.0.0

Noticing the following error message when trying to connect (REST call):

ERROR [oracle.adfmf.framework.exception.AdfException] - sun.security.validator.ValidatorException: PKIX path building failed: sun.security.provider.certpath.SunCertPathBuilderException: unable to find valid certification path to requested target

at oracle.adfmf.dc.ws.rest.RestTransportLayer.sendReceiveBytes(Unknown Source)
at oracle.adfmf.dc.ws.rest.RestTransportLayer.sendReceive(Unknown Source)
at oracle.adfmf.dc.ws.rest.RestServiceAdapterImpl.sendReceive(Unknown Source)
at oracle.adfmf.dc.ws.rest.RestServiceAdapterImpl.send(Unknown Source)
.....
at oracle.adfmf.framework.api.Model.evaluateMethodExpression(Unknown Source)
at sun.reflect.NativeMethodAccessorImpl.invoke0(Native Method)
at sun.reflect.NativeMethodAccessorImpl.invoke(Unknown Source)
at sun.reflect.DelegatingMethodAccessorImpl.invoke(Unknown Source)
at java.lang.reflect.Method.invoke(Unknown Source)
at oracle.adfmf.util.Utility.invoke(Unknown Source)
at oracle.adfmf.util.Utility.invoke(Unknown Source)
at oracle.adfmf.framework.api.Model.processBatchRequests(Unknown Source)
at sun.reflect.NativeMethodAccessorImpl.invoke0(Native Method)
at sun.reflect.NativeMethodAccessorImpl.invoke(Unknown Source)

.......

As per the MAF 2.1.2 documentation, they have a lib/security/cacerts file. We tried importing both their internal root CA and the certificate of the WebLogic server itself into the cacerts keystore with keytool.

Both are there when inspected with keytool -list -v.

The same cacerts file (with both certificates, confirmed the same way) is available in the Android build directory for the target. There is no cacerts file listed in any of the APKs that are generated.

It is not a problem with the certificate chain itself, as the following combinations are fully trusted (i.e. valid certificate chain):

Root CA imported into Chrome, connected to WebLogic web console.
Root CA imported into Windows, connected to WebLogic web console in web browser.
Root CA imported into Android keystore (same device that the MAF client is running on), connected to WebLogic web console in web browser.
Root CA imported into system Java keystore, connected to Oracle 12c DB with SQL Developer (different server certificate, but same root CA).

Is there anything that they can do to verify that the cacerts file is actually getting packaged for the Android client, and if it is, a way to inspect this keystore?
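
One way to check this from the build machine, as an added example that is not part of the Oracle note or of MAF: the script below searches an APK, including any zip archives nested inside it, for entries named cacerts and lists the aliases each one holds. It assumes the packaged keystore is in JKS format; the nested archive name and the sample keystore are constructed for illustration, since the page does not say where MAF places the file.

```python
import io, struct, zipfile
JKS_MAGIC = 0xFEEDFEED  # first four bytes of a JKS keystore

def jks_aliases(data):  # -> [(alias, kind)]; aliases are readable without the store password
    buf = io.BytesIO(data)
    def read(n):
        raw = buf.read(n)
        if len(raw) != n:
            raise ValueError("truncated keystore")
        return raw
    u32 = lambda: struct.unpack(">I", read(4))[0]
    utf = lambda: read(struct.unpack(">H", read(2))[0])  # 2-byte length, then bytes
    if u32() != JKS_MAGIC or u32() != 2:
        raise ValueError("not a version 2 JKS keystore")
    out = []
    for _ in range(u32()):
        tag, alias, _ts = u32(), utf().decode("utf-8", "replace"), read(8)
        if tag not in (1, 2):
            raise ValueError("unknown entry tag")
        if tag == 1:
            read(u32())  # protected private key, skipped
        for _ in range(u32() if tag == 1 else 1):  # certificate chain, or one trusted cert
            utf()  # certificate type, e.g. "X.509"
            read(u32())  # encoded certificate
        out.append((alias, "privateKey" if tag == 1 else "trustedCert"))
    return out

def find_cacerts(archive, prefix=""):  # -> [(path, aliases)], descending into nested zips
    hits = []
    with zipfile.ZipFile(archive) as zf:
        for name in zf.namelist():
            data = zf.read(name)
            if name.rsplit("/", 1)[-1] == "cacerts":
                hits.append((prefix + name, jks_aliases(data)))
            elif data[:4] == b"PK\x03\x04":  # entry is itself a zip archive
                hits += find_cacerts(io.BytesIO(data), prefix + name + "!/")
    return hits

def sample_apk():  # constructed input: fake APK, nested zip name is hypothetical
    def ent(alias):  # trustedCert entry with placeholder bytes, not a real certificate
        return (struct.pack(">IH", 2, len(alias)) + alias + struct.pack(">QH", 0, 5)
                + b"X.509" + struct.pack(">I", 2) + b"\x30\x00")
    jks = struct.pack(">III", JKS_MAGIC, 2, 2) + ent(b"internal-root-ca") + ent(b"weblogic-server")
    inner, outer = io.BytesIO(), io.BytesIO()
    with zipfile.ZipFile(inner, "w") as z:
        z.writestr("lib/security/cacerts", jks + b"\0" * 20)  # 20-byte integrity digest
    with zipfile.ZipFile(outer, "w") as z:
        z.writestr("assets/bundle.zip", inner.getvalue())
    return outer
```

Calling find_cacerts with the path of a generated APK returns an empty list when no cacerts entry is packaged at any nesting level; otherwise the aliases can be compared with what keytool -list shows for the build-time file.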
 

Solution
