IBM Support

Troubleshooting: nco_p_email probe unable to connect to the email server using SSL

Technical Blog Post


Abstract

Troubleshooting: nco_p_email probe unable to connect to the email server using SSL

Body

If the following error message appears in the debug log of an nco_p_email probe that has SSL enabled, the SSL client does not trust the SSL server.

 

Error: E-JPR-000-000: Failed to connect to mail server: javax.mail.MessagingException: com.ibm.jsse2.util.j: PKIX path building failed: java.security.cert.CertPathBuilderException: unable to find valid certification path to requested target;
  nested exception is:
    javax.net.ssl.SSLHandshakeException: com.ibm.jsse2.util.j: PKIX path building failed: java.security.cert.CertPathBuilderException: unable to find valid certification path to requested target

 

To troubleshoot and confirm the above issue, do the following:
 

  1. Edit $OMNIHOME/probes/nco_jprobe, and replace the following line
     

    exec "$nonnative" "$JAVA" $NCO_JPROBE_JAVA_FLAGS -cp "$CLASSPATH" $NCO_JPROBE_JAVA_XFLAGS -DOMNIHOME="$OMNIHOME" $PROGRAM "$@"

    with

    exec "$nonnative" "$JAVA" -Djavax.net.debug=all $NCO_JPROBE_JAVA_FLAGS -cp "$CLASSPATH" $NCO_JPROBE_JAVA_XFLAGS -DOMNIHOME="$OMNIHOME" $PROGRAM "$@"
     

  2. Turn on the nonnative log by setting and exporting the following environment variables:
     

    NDE_DEFAULT_LOG_LEVEL=debug
    NDE_FORCE_LOG_MODULE=$OMNIHOME/log/nonnative_forced.log
    NCO_P_NONNATIVE_TRANSCRIPT=$OMNIHOME/log/nonnative_debug.log
    export NDE_DEFAULT_LOG_LEVEL
    export NDE_FORCE_LOG_MODULE
    export NCO_P_NONNATIVE_TRANSCRIPT

     

  3. Reproduce the issue.
     

In the generated nonnative_debug.log file, identify the certificate chain sent by the server. For example:
 

*** Certificate chain
chain [0] = [
[
  Version: V3
  Subject: CN=09XCH
  Signature Algorithm: SHA1withRSA, OID = 1.2.840.113549.1.1.5

 ...
 ...

  Validity: [From: Tue Nov 29 15:51:15 SAST 2011,
               To: Mon Nov 29 15:51:15 SAST 2016]
  Issuer: CN=09XCH
  SerialNumber: [12880247898]

...
 

However, the server certificate shown above (Subject CN=09XCH) is not among the certificates loaded during truststore initialization; in the excerpt below, only CN=25XCH is added as a trusted certificate. This results in the exception shown in the error message above.


...
init truststore

adding as trusted cert:
  Subject: CN=25XCH
  Issuer:  CN=25XCH
  Algorithm: RSA; Serial number: 0x4b6086581fb2aa9348166ccd32fb
  Valid from Tue Nov 29 15:51:15 SAST 2011 until Mon Nov 29 15:51:15 SAST 2016

...

 

To resolve this issue, import the server certificate into the SSL client's truststore.
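
The comparison between the certificate chain sent by the server and the certificates loaded into the truststore can be scripted. The following is an added example, not part of the original IBM page: it extracts the Subject and Issuer names from both parts of the debug log and reports whether any of them match. It assumes the log uses the line layout of the excerpts above; the function names are hypothetical, and the name-only match is a triage heuristic, not PKIX path validation.

```python
import re

# Constructed sample, modelled on the nonnative_debug.log excerpts on this page.
SAMPLE_LOG = """\
init truststore
adding as trusted cert:
  Subject: CN=25XCH
  Issuer:  CN=25XCH
  Algorithm: RSA; Serial number: 0x4b6086581fb2aa9348166ccd32fb
*** Certificate chain
chain [0] = [
  Subject: CN=09XCH
  Signature Algorithm: SHA1withRSA, OID = 1.2.840.113549.1.1.5
  Issuer: CN=09XCH
  SerialNumber: [12880247898]
"""

FIELD = re.compile(r"^\s*(Subject|Issuer):\s*(.+?)\s*$")
CHAIN_START = re.compile(r"^chain \[\d+\] = \[")

def norm(dn):
    """Normalise a DN for comparison: lower case, no spaces around commas."""
    return re.sub(r"\s*,\s*", ",", dn.strip()).lower()

def parse_certs(log_text):
    """Return (trusted, chain): lists of dicts with 'Subject' and 'Issuer' keys."""
    trusted, chain, current = [], [], None
    for line in log_text.splitlines():
        if line.strip() == "adding as trusted cert:":
            current = {}
            trusted.append(current)
        elif CHAIN_START.match(line):
            current = {}
            chain.append(current)
        elif current is not None:
            m = FIELD.match(line)
            if m and m.group(1) not in current:  # keep the first value per cert
                current[m.group(1)] = norm(m.group(2))
    return trusted, chain

def diagnose(log_text):
    """Name-only heuristic: is any presented cert, or its issuer, in the truststore?"""
    trusted, chain = parse_certs(log_text)
    anchors = {c["Subject"] for c in trusted if "Subject" in c}
    anchored = any(c.get(k) in anchors for c in chain for k in ("Subject", "Issuer"))
    return {"presented": [c.get("Subject") for c in chain],
            "trusted": sorted(anchors), "anchored": anchored}

if __name__ == "__main__":
    print(diagnose(SAMPLE_LOG))
```

Running the same check on a log captured after the import should report `anchored` as true once the server certificate is in the truststore.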

 

 


UID

ibm11082289