Technical Blog Post
Abstract
Troubleshooting: nco_p_email probe unable to connect to the email server using SSL
Body
If a user of the nco_p_email probe (with SSL enabled) encounters the following error message in the probe debug log, it indicates that the SSL client does not trust the SSL server.
Error: E-JPR-000-000: Failed to connect to mail server: javax.mail.MessagingException: com.ibm.jsse2.util.j: PKIX path building failed: java.security.cert.CertPathBuilderException: unable to find valid certification path to requested target;
nested exception is:
javax.net.ssl.SSLHandshakeException: com.ibm.jsse2.util.j: PKIX path building failed: java.security.cert.CertPathBuilderException: unable to find valid certification path to requested target
To troubleshoot and confirm the above issue, the user is required to:
- Edit $OMNIHOME/probes/nco_jprobe, and replace the following line
exec "$nonnative" "$JAVA" $NCO_JPROBE_JAVA_FLAGS -cp "$CLASSPATH" $NCO_JPROBE_JAVA_XFLAGS -DOMNIHOME="$OMNIHOME" $PROGRAM "$@"
with
exec "$nonnative" "$JAVA" -Djavax.net.debug=all $NCO_JPROBE_JAVA_FLAGS -cp "$CLASSPATH" $NCO_JPROBE_JAVA_XFLAGS -DOMNIHOME="$OMNIHOME" $PROGRAM "$@"
- Turn on the nonnative log:
NDE_DEFAULT_LOG_LEVEL=debug
NDE_FORCE_LOG_MODULE=$OMNIHOME/log/nonnative_forced.log
NCO_P_NONNATIVE_TRANSCRIPT=$OMNIHOME/log/nonnative_debug.log
export NDE_DEFAULT_LOG_LEVEL
export NDE_FORCE_LOG_MODULE
export NCO_P_NONNATIVE_TRANSCRIPT
- Reproduce the issue.
From the generated nonnative_debug.log file, identify the certificate chain sent by the server; for instance:
*** Certificate chain
chain [0] = [
[
Version: V3
Subject: CN=09XCH
Signature Algorithm: SHA1withRSA, OID = 1.2.840.113549.1.1.5
...
...
Validity: [From: Tue Nov 29 15:51:15 SAST 2011,
To: Mon Nov 29 15:51:15 SAST 2016]
Issuer: CN=09XCH
SerialNumber: [12880247898]
...
However, during the truststore initialization process, the server-side certificate indicated above is not found among the trusted certificates. This results in the exception shown in the error message above.
...
init truststore
adding as trusted cert:
Subject: CN=25XCH
Issuer: CN=25XCH
Algorithm: RSA; Serial number: 0x4b6086581fb2aa9348166ccd32fb
Valid from Tue Nov 29 15:51:15 SAST 2011 until Mon Nov 29 15:51:15 SAST 2016
...
Therefore, in order to resolve this issue, import the server certificate into the SSL client's truststore.
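The comparison described above (server certificate chain versus the certificates loaded at truststore initialization) can be scripted. The following is an added example, not part of the original article or of IBM's tooling; the function names check_chain and write_sample_log and the sample transcript are assumptions modelled on the log excerpts above, and name matching is only a triage heuristic.

```shell
#!/bin/sh
# Added example, not IBM code. Subject/issuer name matching is a triage
# heuristic; PKIX validation itself verifies keys and signatures.

# check_chain LOGFILE: print TRUSTED/UNTRUSTED for each certificate the server
# sent; return 0 only if one of them chains by name to a truststore entry.
check_chain() {
    awk '
    { sub(/[ \t\r]+$/, "") }                        # drop trailing blanks / CR
    /adding as trusted cert:/ { mode = "trust"; next }
    /chain \[[0-9]+\] = \[/   { mode = "chain"; next }
    mode != "" && /Subject:/  { sub(/^.*Subject:[ \t]*/, ""); subj = $0; next }
    mode != "" && /Issuer:/   {
        sub(/^.*Issuer:[ \t]*/, "")
        if (mode == "trust") trusted[subj] = 1
        else { n++; csubj[n] = subj; cissuer[n] = $0 }
        mode = ""
    }
    END {
        ok = 0
        for (i = 1; i <= n; i++) {
            hit = ((csubj[i] in trusted) || (cissuer[i] in trusted))
            if (hit) ok = 1
            printf "%s %s (issuer %s)\n", (hit ? "TRUSTED" : "UNTRUSTED"), csubj[i], cissuer[i]
        }
        exit (ok ? 0 : 1)
    }' "$1"
}

# Constructed sample transcript, modelled on the excerpts in this article.
write_sample_log() {
    cat > "$1" <<'EOF'
init truststore
adding as trusted cert:
  Subject: CN=25XCH
  Issuer:  CN=25XCH
  Algorithm: RSA; Serial number: 0x4b6086581fb2aa9348166ccd32fb
*** Certificate chain
chain [0] = [
[
  Version: V3
  Subject: CN=09XCH
  Signature Algorithm: SHA1withRSA, OID = 1.2.840.113549.1.1.5
  Issuer: CN=09XCH
]
EOF
}
```

Run it as check_chain $OMNIHOME/log/nonnative_debug.log after reproducing the issue; an UNTRUSTED line names the certificate (or its issuer) that is missing from the truststore.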
UID
ibm11082289