OAAM - OAM in simple mode Integration unable to find valid certification path to requested target (Doc ID 2092553.1)

Last updated on SEPTEMBER 19, 2016

Applies to:

Oracle Access Manager - Version 11.1.2.0.0 and later
Oracle Adaptive Access Manager - Version 11.1.2.0.0 and later
Information in this document applies to any platform.
OAAM Server cannot connect to OAM server for TAP Integration

SSL handshake error sun.security.validator.ValidatorException: PKIX path building failed: sun.security.provider.certpath.SunCertPathBuilderException: unable to find valid certification path to requested target

Goal

During OAAM-OAM integration in simple mode, we observe certificate errors.

Ultimately we see a CertPathBuilder error looking for a target.

oaam SSL handshake error sun.security.validator.ValidatorException: PKIX path building failed: sun.security.provider.certpath.SunCertPathBuilderException: unable to find valid certification path to requested target

OAAM complains:


oaam_server_server1.out


OAM also records the failed handshake.

[2015-10-28T06:55:00.309-04:00] [oam_server1] [ERROR] [OAM-04020] [oracle.oam.proxy.oam] [tid: NioProcessor-1] [userId: ] [ecid: e69911b52c4478ba:2e1a6fae:150a55fbb33:-8000-000000000006abfc,0] [APP: oam_server#11.1.2.0.0] Exception encountered while processing the request message:[[
javax.net.ssl.SSLHandshakeException: SSL handshake failed.
at org.apache.mina.filter.ssl.SslFilter.messageReceived(SslFilter.java:426)
at org.apache.mina.common.DefaultIoFilterChain.callNextMessageReceived(DefaultIoFilterChain.java:405)
at org.apache.mina.common.DefaultIoFilterChain.access$1200(DefaultIoFilterChain.java:40)
at org.apache.mina.common.DefaultIoFilterChain$EntryImpl$1.messageReceived(DefaultIoFilterChain.java:823)
at org.apache.mina.common.DefaultIoFilterChain$HeadFilter.messageReceived(DefaultIoFilterChain.java:607)
at org.apache.mina.common.DefaultIoFilterChain.callNextMessageReceived(DefaultIoFilterChain.java:405)
at org.apache.mina.common.DefaultIoFilterChain.fireMessageReceived(DefaultIoFilterChain.java:399)
at org.apache.mina.common.AbstractPollingIoProcessor.read(AbstractPollingIoProcessor.java:425)
at org.apache.mina.common.AbstractPollingIoProcessor.process(AbstractPollingIoProcessor.java:387)
at org.apache.mina.common.AbstractPollingIoProcessor.process(AbstractPollingIoProcessor.java:379)
at org.apache.mina.common.AbstractPollingIoProcessor.access$400(AbstractPollingIoProcessor.java:43)
at org.apache.mina.common.AbstractPollingIoProcessor$Worker.run(AbstractPollingIoProcessor.java:678)
at org.apache.mina.util.NamePreservingRunnable.run(NamePreservingRunnable.java:51)
at oracle.security.am.proxy.oam.mina.CommonJWorkImpl.run(CommonJWorkImpl.java:41)
at weblogic.work.j2ee.J2EEWorkManager$WorkWithListener.run(J2EEWorkManager.java:184)
at weblogic.work.DaemonWorkThread.run(DaemonWorkThread.java:30)
Caused by: javax.net.ssl.SSLException: Received fatal alert: certificate_unknown
at sun.security.ssl.Alerts.getSSLException(Alerts.java:208)
at sun.security.ssl.SSLEngineImpl.fatal(SSLEngineImpl.java:1639)
at sun.security.ssl.SSLEngineImpl.fatal(SSLEngineImpl.java:1607)
at sun.security.ssl.SSLEngineImpl.recvAlert(SSLEngineImpl.java:1776)
at sun.security.ssl.SSLEngineImpl.readRecord(SSLEngineImpl.java:1068)
at sun.security.ssl.SSLEngineImpl.readNetRecord(SSLEngineImpl.java:890)
at sun.security.ssl.SSLEngineImpl.unwrap(SSLEngineImpl.java:764)
at javax.net.ssl.SSLEngine.unwrap(SSLEngine.java:624)
at org.apache.mina.filter.ssl.SslHandler.unwrap0(SslHandler.java:644)
at org.apache.mina.filter.ssl.SslHandler.unwrapHandshake(SslHandler.java:591)
at org.apache.mina.filter.ssl.SslHandler.handshake(SslHandler.java:461)
at org.apache.mina.filter.ssl.SslHandler.messageReceived(SslHandler.java:286)
at org.apache.mina.filter.ssl.SslFilter.messageReceived(SslFilter.java:407)



We suspect that the OAAM certificates are corrupt, and we would like to rebuild them.

When we did our OAM TAP integration, we specified the location of these certs in this file: oaam_cli.properties.


oam.uio.oam.rootcertificate.keystore.filepath=/prodapps/oracle/config/domains/IAMAccessDomain/output/webgate-ssl/oamclient-keystore.jks
oam.uio.oam.privatekeycertificate.keystore.filepath=/prodapps/oracle/config/domains/IAMAccessDomain/output/webgate-ssl/oamclient-truststore.jks

How can we regenerate the OAAM client key and truststore?
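Before rebuilding the stores, it is worth checking that each property in oaam_cli.properties points at a store holding the entry type its name implies. The following is an added example, not Oracle's code: it runs that check over the two property lines from this page and over constructed `keytool -list` output (on a real system, the output of `keytool -list -keystore <file>`). It assumes that the root-certificate property needs a store with a `trustedCertEntry`, that the private-key property needs one with a `PrivateKeyEntry`, and that each file holds what its name suggests.

```python
import re

# Assumption (read off the property names): entry type each store must hold.
EXPECTED = {
    "oam.uio.oam.rootcertificate.keystore.filepath": "trustedCertEntry",
    "oam.uio.oam.privatekeycertificate.keystore.filepath": "PrivateKeyEntry",
}
BASE = "/prodapps/oracle/config/domains/IAMAccessDomain/output/webgate-ssl/"
# The two property lines as they appear on the page.
PAGE_PROPS = (
    "oam.uio.oam.rootcertificate.keystore.filepath=" + BASE + "oamclient-keystore.jks\n"
    "oam.uio.oam.privatekeycertificate.keystore.filepath=" + BASE + "oamclient-truststore.jks\n"
)
# Constructed `keytool -list` output: aliases and dates are made up, and each
# file is assumed to hold what its name suggests.
LISTINGS = {
    BASE + "oamclient-keystore.jks": "Your keystore contains 1 entry\n\nsample-client, Oct 28, 2015, PrivateKeyEntry,\n",
    BASE + "oamclient-truststore.jks": "Your keystore contains 1 entry\n\nsample-ca, Oct 28, 2015, trustedCertEntry,\n",
}

def parse_properties(text):
    """Parse key=value lines, ignoring blanks and # comments."""
    props = {}
    for line in text.splitlines():
        line = line.strip()
        if line and not line.startswith("#") and "=" in line:
            key, value = line.split("=", 1)
            props[key.strip()] = value.strip()
    return props

def entry_types(keytool_listing):
    """Return the set of entry types named in `keytool -list` output."""
    pattern = r",\s*(PrivateKeyEntry|trustedCertEntry|SecretKeyEntry),"
    return set(re.findall(pattern, keytool_listing))

def check(props_text, listings):
    """listings maps keystore path -> `keytool -list` output for that file."""
    findings, props = [], parse_properties(props_text)
    for key, wanted in EXPECTED.items():
        path = props.get(key)
        if path is None:
            findings.append(f"{key}: not set")
            continue
        found = entry_types(listings.get(path, ""))
        if wanted not in found:
            findings.append(f"{key}: {path} has no {wanted} (found: {sorted(found) or 'nothing'})")
    return findings

if __name__ == "__main__":
    print("\n".join(check(PAGE_PROPS, LISTINGS)) or "properties match store contents")
```

A store that fails this check cannot supply the certificate chain or trust anchor the handshake needs, which is one way to arrive at the PKIX path building failure shown above.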
 

Solution
