OAAM - OAM in simple mode Integration unable to find valid certification path to requested target (Doc ID 2092553.1)

Last updated on OCTOBER 11, 2019

Applies to:

Goal

During OAAM OAM integration via simple mode we observe certificate errors.

We see ultimately a CertPathBuilder error looking for a target:

oaam SSL handshake error sun.security.validator.ValidatorException: PKIX path building failed: sun.security.provider.certpath.SunCertPathBuilderException: unable to find valid certification path to requested target

OAAM complains:

OAM also records the failed handshake.

2015-10-28T06:55:00.309-04:00] [<OAM_SERVER>] [ERROR] [OAM-04020] [oracle.oam.proxy.oam] [tid: NioProcessor-1] [userId: ] [ecid: <ECID>] [APP: oam_server#11.1.2.0.0] Exception encountered while processing the request message:[[
javax.net.ssl.SSLHandshakeException: SSL handshake failed.
at org.apache.mina.filter.ssl.SslFilter.messageReceived(SslFilter.java:426)
at org.apache.mina.common.DefaultIoFilterChain.callNextMessageReceived(DefaultIoFilterChain.java:405)
at org.apache.mina.common.DefaultIoFilterChain.access$1200(DefaultIoFilterChain.java:40)
at org.apache.mina.common.DefaultIoFilterChain$EntryImpl$1.messageReceived(DefaultIoFilterChain.java:823)
at org.apache.mina.common.DefaultIoFilterChain$HeadFilter.messageReceived(DefaultIoFilterChain.java:607)
at org.apache.mina.common.DefaultIoFilterChain.callNextMessageReceived(DefaultIoFilterChain.java:405)
at org.apache.mina.common.DefaultIoFilterChain.fireMessageReceived(DefaultIoFilterChain.java:399)
at org.apache.mina.common.AbstractPollingIoProcessor.read(AbstractPollingIoProcessor.java:425)
at org.apache.mina.common.AbstractPollingIoProcessor.process(AbstractPollingIoProcessor.java:387)
at org.apache.mina.common.AbstractPollingIoProcessor.process(AbstractPollingIoProcessor.java:379)
at org.apache.mina.common.AbstractPollingIoProcessor.access$400(AbstractPollingIoProcessor.java:43)
at org.apache.mina.common.AbstractPollingIoProcessor$Worker.run(AbstractPollingIoProcessor.java:678)
at org.apache.mina.util.NamePreservingRunnable.run(NamePreservingRunnable.java:51)
at oracle.security.am.proxy.oam.mina.CommonJWorkImpl.run(CommonJWorkImpl.java:41)
at weblogic.work.j2ee.J2EEWorkManager$WorkWithListener.run(J2EEWorkManager.java:184)
at weblogic.work.DaemonWorkThread.run(DaemonWorkThread.java:30)
Caused by: javax.net.ssl.SSLException: Received fatal alert: certificate_unknown
at sun.security.ssl.Alerts.getSSLException(Alerts.java:208)
at sun.security.ssl.SSLEngineImpl.fatal(SSLEngineImpl.java:1639)
at sun.security.ssl.SSLEngineImpl.fatal(SSLEngineImpl.java:1607)
at sun.security.ssl.SSLEngineImpl.recvAlert(SSLEngineImpl.java:1776)
at sun.security.ssl.SSLEngineImpl.readRecord(SSLEngineImpl.java:1068)
at sun.security.ssl.SSLEngineImpl.readNetRecord(SSLEngineImpl.java:890)
at sun.security.ssl.SSLEngineImpl.unwrap(SSLEngineImpl.java:764)
at javax.net.ssl.SSLEngine.unwrap(SSLEngine.java:624)
at org.apache.mina.filter.ssl.SslHandler.unwrap0(SslHandler.java:644)
at org.apache.mina.filter.ssl.SslHandler.unwrapHandshake(SslHandler.java:591)
at org.apache.mina.filter.ssl.SslHandler.handshake(SslHandler.java:461)
at org.apache.mina.filter.ssl.SslHandler.messageReceived(SslHandler.java:286)
at org.apache.mina.filter.ssl.SslFilter.messageReceived(SslFilter.java:407)

We suspect that the OAAM certificates are corrupt, and we would like to rebuild them.
When we did our OAM Tap integration we specified the location of these certs in this file: oaam_cli.properties.

oam.uio.oam.rootcertificate.keystore.filepath=<DOMAIN_HOME>/output/webgate-ssl/oamclient-keystore.jks
oam.uio.oam.privatekeycertificate.keystore.filepath=<DOMAIN_HOME>/output/webgate-ssl/oamclient-truststore.jks

How can we regenerate OAAM client key and truststore?

Solution

My Oracle Support provides customers with access to over a million knowledge articles and a vibrant support community of peers and Oracle experts.