"CertPathBuilderException: unable to find valid certification path to requested target" when connecting to Rule Team Server/Decision Center or Rule Execution Server over HTTPS

Technote (FAQ)


Question

How do I resolve the "[java.security.cert.CertPathBuilderException or sun.security.provider.certpath.SunCertPathBuilderException]: unable to find valid certification path to requested target" error that I get when connecting to Rule Team Server (RTS)/Decision Center (DC) or Rule Execution Server over HTTPS/SSL?

Cause

By default, only trusted certificates are supported for HTTPS/SSL connections. If your application server uses a non-trusted certificate, you get this type of error when trying to connect to RTS/DC or Rule Execution Server:
ilog.rules.res.util.http.IlrConnectionException: IO error when contacting "/res/repositoryService" [or "https://<hostname>:<port>/teamserver"]
...
Caused by: javax.net.ssl.SSLHandshakeException: com.ibm.jsse2.util.g: PKIX path building failed: java.security.cert.CertPathBuilderException: unable to find valid certification path to requested target
...
Caused by: com.ibm.jsse2.util.g: PKIX path building failed: java.security.cert.CertPathBuilderException: unable to find valid certification path to requested target
...
Caused by: java.security.cert.CertPathBuilderException: unable to find valid certification path to requested target
...

This is the case, for example, for WebSphere Application Server (WAS) until version 6.1.

Starting in 7.0, the WAS default certificate is signed by a default server root certificate, so the error and the solution are different. In that case, refer to the technote "CertPathValidatorException when connection to Rule Team Server /Decision Center or Rule Execution Server over HTTPS".


Notes:

  • With a Sun JVM the root error would be:
    sun.security.validator.ValidatorException: PKIX path building failed: sun.security.provider.certpath.SunCertPathBuilderException: unable to find valid certification path to requested target
  • When connecting from within Rule Studio/Designer, Eclipse may not show the root error in its logs. In that case, refer to the technote "Connection with Rule Team Server/Decision Center has failed" to see a stack trace like the one above.
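
The cause described above can be reproduced offline. The following Java program is an added example, not code from this technote or from IBM: it creates a throwaway self-signed certificate with the JDK's keytool and validates it with the trust manager an HTTPS client uses, first against the JVM's default truststore and then against a truststore that contains the certificate. The class name, alias, password and CN=constructed.example are made up for the demonstration.

```java
import java.io.File;
import java.io.InputStream;
import java.nio.file.Files;
import java.security.KeyStore;
import java.security.cert.CertificateException;
import java.security.cert.X509Certificate;
import javax.net.ssl.TrustManagerFactory;
import javax.net.ssl.X509TrustManager;

public class UntrustedCertDemo {
    // Returns null when cert validates against trustStore (null = JVM default truststore),
    // otherwise the text of the validation error.
    static String validate(X509Certificate cert, KeyStore trustStore) throws Exception {
        TrustManagerFactory tmf =
            TrustManagerFactory.getInstance(TrustManagerFactory.getDefaultAlgorithm());
        tmf.init(trustStore);
        X509TrustManager tm = (X509TrustManager) tmf.getTrustManagers()[0];
        try {
            tm.checkServerTrusted(new X509Certificate[] { cert }, "RSA");
            return null;
        } catch (CertificateException e) {
            return e.toString();
        }
    }

    public static void main(String[] args) throws Exception {
        // Constructed sample input: a one-day self-signed certificate made with keytool.
        File ks = new File(Files.createTempDirectory("demo").toFile(), "server.p12");
        String keytool = System.getProperty("java.home") + File.separator + "bin" + File.separator + "keytool";
        int rc = new ProcessBuilder(keytool, "-genkeypair", "-alias", "server",
                "-keyalg", "RSA", "-keysize", "2048", "-validity", "1",
                "-dname", "CN=constructed.example", "-storetype", "PKCS12",
                "-keystore", ks.getPath(), "-storepass", "changeit")
                .inheritIO().start().waitFor();
        if (rc != 0) throw new IllegalStateException("keytool exited with " + rc);
        KeyStore store = KeyStore.getInstance("PKCS12");
        try (InputStream in = Files.newInputStream(ks.toPath())) {
            store.load(in, "changeit".toCharArray());
        }
        X509Certificate cert = (X509Certificate) store.getCertificate("server");
        // 1. JVM default truststore: no trusted issuer for the self-signed certificate.
        System.out.println("default truststore: " + validate(cert, null));
        // 2. Truststore that contains the certificate itself.
        KeyStore trust = KeyStore.getInstance(KeyStore.getDefaultType());
        trust.load(null, null);
        trust.setCertificateEntry("server", cert);
        System.out.println("certificate trusted: " + validate(cert, trust));
    }
}
```

The first line reports a PKIX path building failure of the kind shown in the stack trace above; the second reports null, meaning the certificate was accepted.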

Answer

In order to resolve this problem, set the following Java system property on the client side to allow HTTPS/SSL connections with non-trusted certificates:

  • to connect to Rule Execution Server:
    -Dilog.rules.res.allowSelfSignedCertificate=true
  • to connect to Rule Team Server/Decision Center:
    -Dilog.rules.teamserver.allowSelfSignedCertificate=true


Whether you connect to RTS/DC or Rule Execution Server:

Related information

Deploying a RuleApp over HTTPS to RES on WAS7
WODM V7.5 doc on Communication protocols
WODM V8.0 doc on Communication protocols

Cross reference information
Segment: Business Integration
Product: IBM Operational Decision Manager
Component: -
Platform: Platform Independent
Version: 8.0, 7.5
Edition: -

Historical Number

jrules/FAQ/372

Document information


More support for:

WebSphere ILOG JRules
General

Software version:

6.5, 6.6, 6.7, 7.0, 7.1

Operating system(s):

Platform Independent

Reference #:

1400817

Modified date:

2010-10-28
