Handling HTTPS SSLHandshakeException

Enterprise Gateway products with version 17.2.8 or higher use JDK 1.8.0_141. JDK 1.8.0_141 restricts the algorithms that may be used in the chain of trust of the server certificate presented by a web server, and requires the chain of trust to lead to a well-known trusted certificate authority (CA). If these criteria are not met, you will receive the following exception when you attempt to establish an HTTPS connection.

SSLHandshakeException

javax.net.ssl.SSLHandshakeException: sun.security.validator.ValidatorException: PKIX path building failed: sun.security.provider.certpath.SunCertPathBuilderException: unable to find valid certification path to requested target 

The workaround is not applicable to the following Enterprise Gateway products:

VxWorks products

  • MESInterface-IT
  • deviceWISE Enterprise Gateway for ERPC

Do one of the following to handle this exception:

  • Contact your web server administrator to update the server certificate to one that uses a certificate chain signed by a well-known trusted Certificate Authority (CA).
  • Specify a customized Java keystore in the transport definition. To do this:
    • Specify this keystore in the transport panel Keystore and TrustStore fields as described in the following links for HTTP or WS_SOAP transports
  • Import the certificate chain into the Enterprise Gateway's default trust store. To do this:
    • Contact your IT administrator to get all the certificates in the chain of trust required to verify the authenticity of your web server certificate
    • Import these certificates into the default trust store file called cacerts. The location of this file depends on the Enterprise Gateway product you are working with:
      • For Windows and Linux the file is located in the [ Runtime Installation root ]/jre/lib/security directory.
      • For AIX the file is located within your JRE directory, for instance the /usr/java8/jre/lib/security directory.

        This is a less preferred option for the following reasons:

          • Impacts all other Java applications running on that AIX system. 
          • The cacerts file will be overwritten when the Enterprise Gateway product is reinstalled for Windows or Linux or when the JRE is re-installed for AIX.
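
The import into cacerts described above can be scripted with the JDK's keytool. The following is an added example, not taken from the product documentation. It assumes one certificate per file, the stock JDK trust store password "changeit" (override with STOREPASS), and a hypothetical "egw-" alias prefix. It keeps a copy of cacerts first, because a reinstall overwrites the file.

```shell
#!/bin/sh
# Added example: import a certificate chain into a Java trust store (cacerts).
# Assumptions: "changeit" is the stock JDK password and may differ on your
# system; the "egw-" alias prefix is hypothetical; one certificate per file.
STOREPASS="${STOREPASS:-changeit}"
DRY_RUN="${DRY_RUN:-0}"

# Run a command, or only print it when DRY_RUN=1.
run() {
    if [ "$DRY_RUN" = "1" ]; then
        echo "$*"
    else
        "$@"
    fi
}

# Derive a trust store alias from a file name: lower case, [a-z0-9_-] only.
cert_alias() {
    basename "$1" | tr '[:upper:]' '[:lower:]' |
        sed -e 's/\.[^.]*$//' -e 's/[^a-z0-9_-]/_/g'
}

# import_chain <path/to/cacerts> <cert-file>...
import_chain() {
    store="$1"
    [ -f "$store" ] || { echo "trust store not found: $store" >&2; return 1; }
    shift
    [ "$#" -gt 0 ] || { echo "no certificate files given" >&2; return 1; }
    # Check every input before touching the trust store.
    for cert in "$@"; do
        [ -f "$cert" ] || { echo "certificate not found: $cert" >&2; return 1; }
    done
    # Keep a copy so the original trust store can be restored.
    run cp -p "$store" "$store.bak" || return 1
    for cert in "$@"; do
        name="egw-$(cert_alias "$cert")"
        # Import as a trusted CA entry; keytool fails if the alias exists.
        run keytool -importcert -noprompt -trustcacerts -alias "$name" \
            -file "$cert" -keystore "$store" -storepass "$STOREPASS" || return 1
        # Confirm the entry is present and show its fingerprint.
        run keytool -list -alias "$name" -keystore "$store" \
            -storepass "$STOREPASS" || return 1
    done
}
```

Run it first with DRY_RUN=1 to review the keytool commands, then compare the fingerprints printed by keytool -list with the values supplied by your IT administrator.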