OAAM - OAM in simple mode Integration unable to find valid certification path to requested target
(Doc ID 2092553.1)
Last updated on OCTOBER 11, 2019
Applies to:
Oracle Access Manager - Version 11.1.2.0.0 and later
Oracle Adaptive Access Manager - Version 11.1.2.0.0 and later
Information in this document applies to any platform.
OAAM Server cannot connect to OAM server for TAP Integration
SSL handshake error sun.security.validator.ValidatorException: PKIX path building failed: sun.security.provider.certpath.SunCertPathBuilderException: unable to find valid certification path to requested target
Goal
During OAAM OAM integration via simple mode we observe certificate errors.
We ultimately see a CertPathBuilder error looking for a target:
oaam SSL handshake error sun.security.validator.ValidatorException: PKIX path building failed: sun.security.provider.certpath.SunCertPathBuilderException: unable to find valid certification path to requested target
OAAM complains:
OAM also records the failed handshake.
[2015-10-28T06:55:00.309-04:00] [<OAM_SERVER>] [ERROR] [OAM-04020] [oracle.oam.proxy.oam] [tid: NioProcessor-1] [userId: ] [ecid: <ECID>] [APP: oam_server#11.1.2.0.0] Exception encountered while processing the request message:[[
javax.net.ssl.SSLHandshakeException: SSL handshake failed.
at org.apache.mina.filter.ssl.SslFilter.messageReceived(SslFilter.java:426)
at org.apache.mina.common.DefaultIoFilterChain.callNextMessageReceived(DefaultIoFilterChain.java:405)
at org.apache.mina.common.DefaultIoFilterChain.access$1200(DefaultIoFilterChain.java:40)
at org.apache.mina.common.DefaultIoFilterChain$EntryImpl$1.messageReceived(DefaultIoFilterChain.java:823)
at org.apache.mina.common.DefaultIoFilterChain$HeadFilter.messageReceived(DefaultIoFilterChain.java:607)
at org.apache.mina.common.DefaultIoFilterChain.callNextMessageReceived(DefaultIoFilterChain.java:405)
at org.apache.mina.common.DefaultIoFilterChain.fireMessageReceived(DefaultIoFilterChain.java:399)
at org.apache.mina.common.AbstractPollingIoProcessor.read(AbstractPollingIoProcessor.java:425)
at org.apache.mina.common.AbstractPollingIoProcessor.process(AbstractPollingIoProcessor.java:387)
at org.apache.mina.common.AbstractPollingIoProcessor.process(AbstractPollingIoProcessor.java:379)
at org.apache.mina.common.AbstractPollingIoProcessor.access$400(AbstractPollingIoProcessor.java:43)
at org.apache.mina.common.AbstractPollingIoProcessor$Worker.run(AbstractPollingIoProcessor.java:678)
at org.apache.mina.util.NamePreservingRunnable.run(NamePreservingRunnable.java:51)
at oracle.security.am.proxy.oam.mina.CommonJWorkImpl.run(CommonJWorkImpl.java:41)
at weblogic.work.j2ee.J2EEWorkManager$WorkWithListener.run(J2EEWorkManager.java:184)
at weblogic.work.DaemonWorkThread.run(DaemonWorkThread.java:30)
Caused by: javax.net.ssl.SSLException: Received fatal alert: certificate_unknown
at sun.security.ssl.Alerts.getSSLException(Alerts.java:208)
at sun.security.ssl.SSLEngineImpl.fatal(SSLEngineImpl.java:1639)
at sun.security.ssl.SSLEngineImpl.fatal(SSLEngineImpl.java:1607)
at sun.security.ssl.SSLEngineImpl.recvAlert(SSLEngineImpl.java:1776)
at sun.security.ssl.SSLEngineImpl.readRecord(SSLEngineImpl.java:1068)
at sun.security.ssl.SSLEngineImpl.readNetRecord(SSLEngineImpl.java:890)
at sun.security.ssl.SSLEngineImpl.unwrap(SSLEngineImpl.java:764)
at javax.net.ssl.SSLEngine.unwrap(SSLEngine.java:624)
at org.apache.mina.filter.ssl.SslHandler.unwrap0(SslHandler.java:644)
at org.apache.mina.filter.ssl.SslHandler.unwrapHandshake(SslHandler.java:591)
at org.apache.mina.filter.ssl.SslHandler.handshake(SslHandler.java:461)
at org.apache.mina.filter.ssl.SslHandler.messageReceived(SslHandler.java:286)
at org.apache.mina.filter.ssl.SslFilter.messageReceived(SslFilter.java:407)
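Read together, the two excerpts above show which side refused the other's certificate: the component that logs the PKIX failure ran path validation against its own trust store, while its peer only records the TLS alert it received. The Python sketch below is an added example, not part of the Oracle note; the sample strings are shortened copies of the logs above, and the function names are hypothetical.

```python
import re

# Constructed samples: shortened copies of the two log excerpts quoted on this page.
LOGS = {
    "OAAM": (
        "oaam SSL handshake error sun.security.validator.ValidatorException: "
        "PKIX path building failed: "
        "sun.security.provider.certpath.SunCertPathBuilderException: "
        "unable to find valid certification path to requested target"
    ),
    "OAM": (
        "javax.net.ssl.SSLHandshakeException: SSL handshake failed.\n"
        "Caused by: javax.net.ssl.SSLException: "
        "Received fatal alert: certificate_unknown\n"
    ),
}

LOCAL_REJECT = re.compile(r"PKIX path building failed|ValidatorException")
PEER_ALERT = re.compile(r"Received fatal alert: (\w+)")


def classify(text):
    """Return (failed_local_validation, alert_received_from_peer_or_None)."""
    alert = PEER_ALERT.search(text)
    return bool(LOCAL_REJECT.search(text)), alert.group(1) if alert else None


def triage(logs):
    """Work out which component rejected its peer's certificate chain.

    The side that logs the PKIX failure validated the peer's chain against
    its own trust store and found no anchor; the other side sees only the alert.
    """
    seen = {name: classify(text) for name, text in logs.items()}
    rejecters = [n for n, (local, _) in seen.items() if local]
    if len(rejecters) != 1:
        return {"rejecting_side": None, "corroborated": False, "alert": None}
    side = rejecters[0]
    # Corroborated when another component logged an alert sent to it by a peer.
    others = {n: a for n, (_, a) in seen.items() if a and n != side}
    return {
        "rejecting_side": side,
        "corroborated": bool(others),
        "alert": next(iter(others.values()), None),
    }


if __name__ == "__main__":
    print(triage(LOGS))
```

For these excerpts the result names OAAM as the rejecting side, so the trust store OAAM loads for this connection is the first thing to inspect.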
We suspect that the OAAM certificates are corrupt, and we would like to rebuild them.
When we did our OAM TAP integration we specified the location of these certs in this file: oaam_cli.properties.
oam.uio.oam.rootcertificate.keystore.filepath=<DOMAIN_HOME>/output/webgate-ssl/oamclient-keystore.jks
oam.uio.oam.privatekeycertificate.keystore.filepath=<DOMAIN_HOME>/output/webgate-ssl/oamclient-truststore.jks
How can we regenerate OAAM client key and truststore?
Solution