IBM Support

"CertPathBuilderException: unable to find valid certification path to requested target" when connecting to Rule Team Server/Decision Center or Rule Execution Server over HTTPS

Question & Answer


Question

How do I resolve the "[java.security.cert.CertPathBuilderException or sun.security.provider.certpath.SunCertPathBuilderException]: unable to find valid certification path to requested target" error I get when connecting to Rule Team Server (RTS)/Decision Center (DC) or Rule Execution Server over HTTPS/SSL?

Cause

By default, only trusted certificates are supported for HTTPS/SSL. If your application server is using a non-trusted certificate, you will get this type of error when trying to connect to RTS/DC or Rule Execution Server:

ilog.rules.res.util.http.IlrConnectionException: IO error when contacting "/res/repositoryService" [or "https://<hostname>:<port>/teamserver"]
...
Caused by: javax.net.ssl.SSLHandshakeException: com.ibm.jsse2.util.g: PKIX path building failed: java.security.cert.CertPathBuilderException: unable to find valid certification path to requested target
...
Caused by: com.ibm.jsse2.util.g: PKIX path building failed: java.security.cert.CertPathBuilderException: unable to find valid certification path to requested target
...
Caused by: java.security.cert.CertPathBuilderException: unable to find valid certification path to requested target
...

This is the case, for example, for WebSphere Application Server (WAS) until version 6.1.

Starting in 7.0, the WAS default certificate is signed by a default server root certificate, so the error and the solution are different. In that case, refer to the technote "CertPathValidatorException when connection to Rule Team Server /Decision Center or Rule Execution Server over HTTPS".


Notes:
  • With a Sun JVM the root error would be:
    sun.security.validator.ValidatorException: PKIX path building failed: sun.security.provider.certpath.SunCertPathBuilderException: unable to find valid certification path to requested target
  • When connecting from within Rule Studio/Designer, Eclipse may not show the root error in its logs. In that case, refer to the technote "Connection with Rule Team Server/Decision Center has failed" to see a stack trace like the one above.
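
To confirm this cause from the client machine, the following added example (not IBM code and not part of the original technote) records the certificate chain a server presents and runs the same default-truststore check that produces the error above. The class name CheckServerTrust and the host and port arguments are assumptions; the default check stays in force, so an untrusted certificate is still rejected.

```java
import java.security.KeyStore;
import java.security.cert.CertificateException;
import java.security.cert.X509Certificate;
import javax.net.ssl.*;

// Hypothetical diagnostic class, not part of any IBM product. Requires Java 7 or later.
// Usage: java CheckServerTrust <hostname> <port>
public class CheckServerTrust {
    public static void main(String[] args) throws Exception {
        if (args.length != 2) throw new IllegalArgumentException("usage: CheckServerTrust <hostname> <port>");
        // Trust manager backed by the JVM's default truststore.
        TrustManagerFactory tmf =
            TrustManagerFactory.getInstance(TrustManagerFactory.getDefaultAlgorithm());
        tmf.init((KeyStore) null);
        X509TrustManager found = null;
        for (TrustManager tm : tmf.getTrustManagers())
            if (found == null && tm instanceof X509TrustManager) found = (X509TrustManager) tm;
        if (found == null) throw new IllegalStateException("no X509TrustManager available");
        final X509TrustManager defaults = found;
        final X509Certificate[][] seen = new X509Certificate[1][];
        // Records the presented chain, then applies the normal default check,
        // so the handshake fails exactly as it does for the real client.
        X509TrustManager recorder = new X509TrustManager() {
            public void checkClientTrusted(X509Certificate[] c, String t) throws CertificateException {
                defaults.checkClientTrusted(c, t);
            }
            public void checkServerTrusted(X509Certificate[] c, String t) throws CertificateException {
                seen[0] = c;
                defaults.checkServerTrusted(c, t);
            }
            public X509Certificate[] getAcceptedIssuers() { return defaults.getAcceptedIssuers(); }
        };
        SSLContext ctx = SSLContext.getInstance("TLS");
        ctx.init(null, new TrustManager[] { recorder }, null);
        try (SSLSocket s = (SSLSocket) ctx.getSocketFactory().createSocket(args[0], Integer.parseInt(args[1]))) {
            s.startHandshake();
            System.out.println("TRUSTED: chain validates against the default truststore");
        } catch (SSLException e) {
            System.out.println("NOT TRUSTED: " + e.getMessage());
        }
        if (seen[0] == null) { System.out.println("no certificate received"); return; }
        for (X509Certificate c : seen[0]) {
            // Subject equal to issuer marks a self-issued certificate (for example a self-signed one).
            boolean selfIssued = c.getSubjectX500Principal().equals(c.getIssuerX500Principal());
            System.out.println("subject=" + c.getSubjectX500Principal() + " issuer="
                + c.getIssuerX500Principal() + " self-issued=" + selfIssued + " notAfter=" + c.getNotAfter());
        }
    }
}
```

A "NOT TRUSTED" result together with `self-issued=true` on the first certificate matches the situation this technote describes.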

Answer

In order to resolve this problem, set the following Java system property on the client side to allow HTTPS/SSL connections with non-trusted certificates:

  • to connect to Rule Execution Server:
    -Dilog.rules.res.allowSelfSignedCertificate=true
  • to connect to Rule Team Server/Decision Center:
    -Dilog.rules.teamserver.allowSelfSignedCertificate=true


Whether you connect to RTS/DC or Rule Execution Server:


Historical Number

jrules/FAQ/372

Document Information

Modified date:
15 June 2018

UID

swg21400817