IBM Support

IBM Content Navigator - Unable to open and view PDF/TIFF documents when HTTPS is enabled

Troubleshooting


Problem

When attempting to view PDF/TIFF documents using IBM Daeja ViewOne Professional in IBM Content Navigator (ICN), the document will not load and the following error message appears: "Unable to page due to repository access error."

Symptom

The application server logs show the following:

[Date Time] 00000097 SystemOut     O CWPKI0022E: SSL HANDSHAKE FAILURE:  A np

signer with SubjectDN "CN=XXXXXXXXXXXX, O=OUSample" was sent from target host:port "<Server>:<port>".  The signer may need to be added to local trust store "<WAS INSTALL>/WebSphere/AppServer/profiles/AppSrv01/config/cells/NODECell/nodes/Node/trust.p12" located in SSL configuration alias "NodeDefaultSSLSettings" loaded from SSL configuration file "security.xml".  The extended error message from the SSL handshake exception is: "PKIX path building failed: java.security.cert.CertPathBuilderException: PKIXCertPathBuilderImpl could not build a valid CertPath.; internal cause is:
  java.security.cert.CertPathValidatorException: The certificate issued by CN=CNSample, DC=DCSample, DC=local is not trusted; internal cause is:
  java.security.cert.CertPathValidatorException: Certificate chaining error".

Followed by:


[Date Time] 00000097 SystemOut     O ViewOne:  ji.streamer.splitter.f: Unable to generate page due to repository access error.
  at ji.streamer.servlet.jiAbstractStreamerServlet.aa(Unknown Source)
  at ji.streamer.servlet.jiAbstractStreamerServlet.a6(Unknown Source)

    ...

Cause

A possible cause for this issue is that the signer might need to be added to the trust store. Often, this will appear as a message prompt for the user.

Environment

IBM Content Navigator systems using HTTPS on Websphere Application Server

Diagnosing The Problem

Check the logs for the error: CWPKI0428I: The signer might need to be added to the local trust store.

Resolving The Problem

  • Log into the administrative console.
  • Expand Security and click SSL certificate and key management. Under Configuration settings, click Manage endpoint security configurations.
  • Select the appropriate outbound configuration to get to the (cell):Node01Cell:(node):Node01 management scope.
  • Under Related Items, click Key stores and certificates and click the NodeDefaultTrustStore key store.
  • Under Additional Properties, click Signer certificates and Retrieve From Port.
  • In the Host field, enter <ICN server name> in the host name field, enter 9443 in the Port field, and <ICN server name>_cert in the Alias field.
  • Click Retrieve Signer Information.
  • Verify that the certificate information is for a certificate that you can trust.
  • Click Apply and Save.

[{"Product":{"code":"SSEUEX","label":"IBM Content Navigator"},"Business Unit":{"code":"BU053","label":"Cloud & Data Platform"},"Component":"ICN and Case Manager","Platform":[{"code":"PF002","label":"AIX"},{"code":"PF016","label":"Linux"},{"code":"PF033","label":"Windows"}],"Version":"2.0;2.0.1;2.0.2;2.0.3","Edition":"","Line of Business":{"code":"LOB18","label":"Miscellaneous LOB"}}]

Document Information

Modified date:
17 June 2018

UID

swg21961618

Page Feedback